]> git.saurik.com Git - wxWidgets.git/blame - src/png/png.c
Applied #15375 to stop event-sending in generic wxSpinCtrl ctor (eco)
[wxWidgets.git] / src / png / png.c
CommitLineData
0272a10d
VZ
1
2/* png.c - location for general purpose libpng functions
3 *
fff5f7d5
VZ
4 * Last changed in libpng 1.6.2 [April 25, 2013]
5 * Copyright (c) 1998-2013 Glenn Randers-Pehrson
0272a10d
VZ
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
b61cc19c
PC
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
0272a10d
VZ
12 */
13
b61cc19c 14#include "pngpriv.h"
0272a10d
VZ
15
16/* Generate a compiler error if there is an old png.h in the search path. */
fff5f7d5 17typedef png_libpng_version_1_6_2 Your_png_h_is_not_version_1_6_2;
0272a10d
VZ
18
19/* Tells libpng that we have already handled the first "num_bytes" bytes
20 * of the PNG file signature. If the PNG data is embedded into another
21 * stream we can set num_bytes = 8 so that libpng will not attempt to read
22 * or write any of the magic bytes before it starts on the IHDR.
23 */
24
25#ifdef PNG_READ_SUPPORTED
26void PNGAPI
fff5f7d5 27png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
0272a10d 28{
970f6abe 29 png_debug(1, "in png_set_sig_bytes");
b61cc19c
PC
30
31 if (png_ptr == NULL)
32 return;
33
0272a10d 34 if (num_bytes > 8)
b61cc19c 35 png_error(png_ptr, "Too many bytes for PNG signature");
0272a10d
VZ
36
37 png_ptr->sig_bytes = (png_byte)(num_bytes < 0 ? 0 : num_bytes);
38}
39
40/* Checks whether the supplied bytes match the PNG signature. We allow
41 * checking less than the full 8-byte signature so that those apps that
42 * already read the first few bytes of a file to determine the file type
43 * can simply check the remaining bytes for extra assurance. Returns
44 * an integer less than, equal to, or greater than zero if sig is found,
45 * respectively, to be less than, to match, or be greater than the correct
9c0d9ce3 46 * PNG signature (this is the same behavior as strcmp, memcmp, etc).
0272a10d
VZ
47 */
48int PNGAPI
9c0d9ce3 49png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check)
0272a10d
VZ
50{
51 png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
9c0d9ce3 52
0272a10d
VZ
53 if (num_to_check > 8)
54 num_to_check = 8;
9c0d9ce3 55
0272a10d
VZ
56 else if (num_to_check < 1)
57 return (-1);
58
59 if (start > 7)
60 return (-1);
61
62 if (start + num_to_check > 8)
63 num_to_check = 8 - start;
64
fff5f7d5 65 return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));
0272a10d
VZ
66}
67
0272a10d
VZ
68#endif /* PNG_READ_SUPPORTED */
69
70#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
9c0d9ce3
DS
71/* Function to allocate memory for zlib */
72PNG_FUNCTION(voidpf /* PRIVATE */,
73png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
0272a10d 74{
fff5f7d5 75 png_alloc_size_t num_bytes = size;
0272a10d 76
b61cc19c 77 if (png_ptr == NULL)
fff5f7d5 78 return NULL;
9c0d9ce3 79
fff5f7d5 80 if (items >= (~(png_alloc_size_t)0)/size)
0272a10d 81 {
fff5f7d5
VZ
82 png_warning (png_voidcast(png_structrp, png_ptr),
83 "Potential overflow in png_zalloc()");
84 return NULL;
0272a10d 85 }
0272a10d 86
fff5f7d5
VZ
87 num_bytes *= items;
88 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
0272a10d
VZ
89}
90
b61cc19c
PC
91/* Function to free memory for zlib */
92void /* PRIVATE */
0272a10d
VZ
93png_zfree(voidpf png_ptr, voidpf ptr)
94{
fff5f7d5 95 png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
0272a10d
VZ
96}
97
98/* Reset the CRC variable to 32 bits of 1's. Care must be taken
99 * in case CRC is > 32 bits to leave the top bits 0.
100 */
101void /* PRIVATE */
fff5f7d5 102png_reset_crc(png_structrp png_ptr)
0272a10d 103{
9c0d9ce3
DS
104 /* The cast is safe because the crc is a 32 bit value. */
105 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
0272a10d
VZ
106}
107
108/* Calculate the CRC over a section of data. We can only pass as
109 * much data to this routine as the largest single buffer size. We
110 * also check that this data will actually be used before going to the
111 * trouble of calculating it.
112 */
113void /* PRIVATE */
fff5f7d5 114png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, png_size_t length)
0272a10d
VZ
115{
116 int need_crc = 1;
117
fff5f7d5 118 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name))
0272a10d
VZ
119 {
120 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
121 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
122 need_crc = 0;
123 }
9c0d9ce3
DS
124
125 else /* critical */
0272a10d
VZ
126 {
127 if (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE)
128 need_crc = 0;
129 }
130
fff5f7d5
VZ
131 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
132 * systems it is a 64 bit value. crc32, however, returns 32 bits so the
133 * following cast is safe. 'uInt' may be no more than 16 bits, so it is
134 * necessary to perform a loop here.
9c0d9ce3
DS
135 */
136 if (need_crc && length > 0)
137 {
138 uLong crc = png_ptr->crc; /* Should never issue a warning */
139
140 do
141 {
fff5f7d5
VZ
142 uInt safe_length = (uInt)length;
143 if (safe_length == 0)
144 safe_length = (uInt)-1; /* evil, but safe */
9c0d9ce3 145
fff5f7d5 146 crc = crc32(crc, ptr, safe_length);
9c0d9ce3 147
fff5f7d5 148 /* The following should never issue compiler warnings; if they do the
9c0d9ce3
DS
149 * target system has characteristics that will probably violate other
150 * assumptions within the libpng code.
151 */
fff5f7d5
VZ
152 ptr += safe_length;
153 length -= safe_length;
9c0d9ce3
DS
154 }
155 while (length > 0);
156
157 /* And the following is always safe because the crc is only 32 bits. */
158 png_ptr->crc = (png_uint_32)crc;
159 }
160}
161
162/* Check a user supplied version number, called from both read and write
fff5f7d5 163 * functions that create a png_struct.
9c0d9ce3
DS
164 */
165int
fff5f7d5 166png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
9c0d9ce3
DS
167{
168 if (user_png_ver)
169 {
170 int i = 0;
171
172 do
173 {
174 if (user_png_ver[i] != png_libpng_ver[i])
175 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
176 } while (png_libpng_ver[i++]);
177 }
178
179 else
180 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
181
182 if (png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH)
183 {
184 /* Libpng 0.90 and later are binary incompatible with libpng 0.89, so
185 * we must recompile any applications that use any older library version.
186 * For versions after libpng 1.0, we will be compatible, so we need
fff5f7d5
VZ
187 * only check the first and third digits (note that when we reach version
188 * 1.10 we will need to check the fourth symbol, namely user_png_ver[3]).
9c0d9ce3
DS
189 */
190 if (user_png_ver == NULL || user_png_ver[0] != png_libpng_ver[0] ||
fff5f7d5
VZ
191 (user_png_ver[0] == '1' && (user_png_ver[2] != png_libpng_ver[2] ||
192 user_png_ver[3] != png_libpng_ver[3])) ||
9c0d9ce3
DS
193 (user_png_ver[0] == '0' && user_png_ver[2] < '9'))
194 {
195#ifdef PNG_WARNINGS_SUPPORTED
196 size_t pos = 0;
197 char m[128];
198
fff5f7d5
VZ
199 pos = png_safecat(m, (sizeof m), pos,
200 "Application built with libpng-");
201 pos = png_safecat(m, (sizeof m), pos, user_png_ver);
202 pos = png_safecat(m, (sizeof m), pos, " but running with ");
203 pos = png_safecat(m, (sizeof m), pos, png_libpng_ver);
9c0d9ce3
DS
204
205 png_warning(png_ptr, m);
206#endif
207
208#ifdef PNG_ERROR_NUMBERS_SUPPORTED
209 png_ptr->flags = 0;
210#endif
211
212 return 0;
213 }
214 }
215
216 /* Success return. */
217 return 1;
0272a10d
VZ
218}
219
fff5f7d5
VZ
220/* Generic function to create a png_struct for either read or write - this
221 * contains the common initialization.
0272a10d 222 */
fff5f7d5
VZ
223PNG_FUNCTION(png_structp /* PRIVATE */,
224png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
225 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
226 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
227{
228 png_struct create_struct;
229# ifdef PNG_SETJMP_SUPPORTED
230 jmp_buf create_jmp_buf;
231# endif
232
233 /* This temporary stack-allocated structure is used to provide a place to
234 * build enough context to allow the user provided memory allocator (if any)
235 * to be called.
236 */
237 memset(&create_struct, 0, (sizeof create_struct));
238
239 /* Added at libpng-1.2.6 */
240# ifdef PNG_USER_LIMITS_SUPPORTED
241 create_struct.user_width_max = PNG_USER_WIDTH_MAX;
242 create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
243
244# ifdef PNG_USER_CHUNK_CACHE_MAX
245 /* Added at libpng-1.2.43 and 1.4.0 */
246 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
247# endif
248
249# ifdef PNG_USER_CHUNK_MALLOC_MAX
250 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
251 * in png_struct regardless.
252 */
253 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
254# endif
255# endif
256
257 /* The following two API calls simply set fields in png_struct, so it is safe
258 * to do them now even though error handling is not yet set up.
259 */
260# ifdef PNG_USER_MEM_SUPPORTED
261 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
262# endif
263
264 /* (*error_fn) can return control to the caller after the error_ptr is set,
265 * this will result in a memory leak unless the error_fn does something
266 * extremely sophisticated. The design lacks merit but is implicit in the
267 * API.
268 */
269 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
270
271# ifdef PNG_SETJMP_SUPPORTED
272 if (!setjmp(create_jmp_buf))
273 {
274 /* Temporarily fake out the longjmp information until we have
275 * successfully completed this function. This only works if we have
276 * setjmp() support compiled in, but it is safe - this stuff should
277 * never happen.
278 */
279 create_struct.jmp_buf_ptr = &create_jmp_buf;
280 create_struct.jmp_buf_size = 0; /*stack allocation*/
281 create_struct.longjmp_fn = longjmp;
282# else
283 {
284# endif
285 /* Call the general version checker (shared with read and write code):
286 */
287 if (png_user_version_check(&create_struct, user_png_ver))
288 {
289 png_structrp png_ptr = png_voidcast(png_structrp,
290 png_malloc_warn(&create_struct, (sizeof *png_ptr)));
291
292 if (png_ptr != NULL)
293 {
294 /* png_ptr->zstream holds a back-pointer to the png_struct, so
295 * this can only be done now:
296 */
297 create_struct.zstream.zalloc = png_zalloc;
298 create_struct.zstream.zfree = png_zfree;
299 create_struct.zstream.opaque = png_ptr;
300
301# ifdef PNG_SETJMP_SUPPORTED
302 /* Eliminate the local error handling: */
303 create_struct.jmp_buf_ptr = NULL;
304 create_struct.jmp_buf_size = 0;
305 create_struct.longjmp_fn = 0;
306# endif
307
308 *png_ptr = create_struct;
309
310 /* This is the successful return point */
311 return png_ptr;
312 }
313 }
314 }
315
316 /* A longjmp because of a bug in the application storage allocator or a
317 * simple failure to allocate the png_struct.
318 */
319 return NULL;
320}
321
322/* Allocate the memory for an info_struct for the application. */
9c0d9ce3 323PNG_FUNCTION(png_infop,PNGAPI
fff5f7d5 324png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
0272a10d 325{
fff5f7d5 326 png_inforp info_ptr;
0272a10d 327
970f6abe 328 png_debug(1, "in png_create_info_struct");
b61cc19c
PC
329
330 if (png_ptr == NULL)
fff5f7d5
VZ
331 return NULL;
332
333 /* Use the internal API that does not (or at least should not) error out, so
334 * that this call always returns ok. The application typically sets up the
335 * error handling *after* creating the info_struct because this is the way it
336 * has always been done in 'example.c'.
337 */
338 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
339 (sizeof *info_ptr)));
b61cc19c 340
0272a10d 341 if (info_ptr != NULL)
fff5f7d5 342 memset(info_ptr, 0, (sizeof *info_ptr));
0272a10d 343
fff5f7d5 344 return info_ptr;
0272a10d
VZ
345}
346
347/* This function frees the memory associated with a single info struct.
348 * Normally, one would use either png_destroy_read_struct() or
349 * png_destroy_write_struct() to free an info struct, but this may be
fff5f7d5
VZ
350 * useful for some applications. From libpng 1.6.0 this function is also used
351 * internally to implement the png_info release part of the 'struct' destroy
352 * APIs. This ensures that all possible approaches free the same data (all of
353 * it).
0272a10d
VZ
354 */
355void PNGAPI
fff5f7d5 356png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
0272a10d 357{
fff5f7d5 358 png_inforp info_ptr = NULL;
0272a10d 359
970f6abe 360 png_debug(1, "in png_destroy_info_struct");
b61cc19c
PC
361
362 if (png_ptr == NULL)
363 return;
364
0272a10d
VZ
365 if (info_ptr_ptr != NULL)
366 info_ptr = *info_ptr_ptr;
367
368 if (info_ptr != NULL)
369 {
fff5f7d5
VZ
370 /* Do this first in case of an error below; if the app implements its own
371 * memory management this can lead to png_free calling png_error, which
372 * will abort this routine and return control to the app error handler.
373 * An infinite loop may result if it then tries to free the same info
374 * ptr.
375 */
0272a10d 376 *info_ptr_ptr = NULL;
fff5f7d5
VZ
377
378 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
379 memset(info_ptr, 0, (sizeof *info_ptr));
380 png_free(png_ptr, info_ptr);
0272a10d
VZ
381 }
382}
383
384/* Initialize the info structure. This is now an internal function (0.89)
385 * and applications using it are urged to use png_create_info_struct()
fff5f7d5
VZ
386 * instead. Use deprecated in 1.6.0, internal use removed (used internally it
387 * is just a memset).
388 *
389 * NOTE: it is almost inconceivable that this API is used because it bypasses
390 * the user-memory mechanism and the user error handling/warning mechanisms in
391 * those cases where it does anything other than a memset.
0272a10d 392 */
fff5f7d5
VZ
393PNG_FUNCTION(void,PNGAPI
394png_info_init_3,(png_infopp ptr_ptr, png_size_t png_info_struct_size),
395 PNG_DEPRECATED)
0272a10d 396{
fff5f7d5 397 png_inforp info_ptr = *ptr_ptr;
0272a10d 398
970f6abe 399 png_debug(1, "in png_info_init_3");
0272a10d 400
b61cc19c
PC
401 if (info_ptr == NULL)
402 return;
403
fff5f7d5 404 if ((sizeof (png_info)) > png_info_struct_size)
b61cc19c 405 {
fff5f7d5
VZ
406 *ptr_ptr = NULL;
407 /* The following line is why this API should not be used: */
408 free(info_ptr);
409 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
410 (sizeof *info_ptr)));
b61cc19c
PC
411 *ptr_ptr = info_ptr;
412 }
0272a10d 413
b61cc19c 414 /* Set everything to 0 */
fff5f7d5 415 memset(info_ptr, 0, (sizeof *info_ptr));
0272a10d
VZ
416}
417
fff5f7d5 418/* The following API is not called internally */
0272a10d 419void PNGAPI
fff5f7d5 420png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
0272a10d
VZ
421 int freer, png_uint_32 mask)
422{
970f6abe 423 png_debug(1, "in png_data_freer");
b61cc19c 424
0272a10d
VZ
425 if (png_ptr == NULL || info_ptr == NULL)
426 return;
b61cc19c 427
970f6abe 428 if (freer == PNG_DESTROY_WILL_FREE_DATA)
0272a10d 429 info_ptr->free_me |= mask;
9c0d9ce3 430
970f6abe 431 else if (freer == PNG_USER_WILL_FREE_DATA)
0272a10d 432 info_ptr->free_me &= ~mask;
9c0d9ce3 433
0272a10d 434 else
fff5f7d5 435 png_error(png_ptr, "Unknown freer parameter in png_data_freer");
0272a10d 436}
0272a10d
VZ
437
438void PNGAPI
fff5f7d5 439png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
0272a10d
VZ
440 int num)
441{
970f6abe 442 png_debug(1, "in png_free_data");
b61cc19c 443
0272a10d
VZ
444 if (png_ptr == NULL || info_ptr == NULL)
445 return;
446
b61cc19c
PC
447#ifdef PNG_TEXT_SUPPORTED
448 /* Free text item num or (if num == -1) all text items */
449 if ((mask & PNG_FREE_TEXT) & info_ptr->free_me)
0272a10d 450 {
b61cc19c
PC
451 if (num != -1)
452 {
453 if (info_ptr->text && info_ptr->text[num].key)
454 {
455 png_free(png_ptr, info_ptr->text[num].key);
456 info_ptr->text[num].key = NULL;
457 }
458 }
9c0d9ce3 459
b61cc19c
PC
460 else
461 {
462 int i;
463 for (i = 0; i < info_ptr->num_text; i++)
464 png_free_data(png_ptr, info_ptr, PNG_FREE_TEXT, i);
465 png_free(png_ptr, info_ptr->text);
466 info_ptr->text = NULL;
467 info_ptr->num_text=0;
468 }
0272a10d 469 }
0272a10d
VZ
470#endif
471
b61cc19c
PC
472#ifdef PNG_tRNS_SUPPORTED
473 /* Free any tRNS entry */
474 if ((mask & PNG_FREE_TRNS) & info_ptr->free_me)
475 {
476 png_free(png_ptr, info_ptr->trans_alpha);
477 info_ptr->trans_alpha = NULL;
478 info_ptr->valid &= ~PNG_INFO_tRNS;
479 }
0272a10d
VZ
480#endif
481
b61cc19c
PC
482#ifdef PNG_sCAL_SUPPORTED
483 /* Free any sCAL entry */
484 if ((mask & PNG_FREE_SCAL) & info_ptr->free_me)
485 {
b61cc19c
PC
486 png_free(png_ptr, info_ptr->scal_s_width);
487 png_free(png_ptr, info_ptr->scal_s_height);
488 info_ptr->scal_s_width = NULL;
489 info_ptr->scal_s_height = NULL;
b61cc19c
PC
490 info_ptr->valid &= ~PNG_INFO_sCAL;
491 }
0272a10d
VZ
492#endif
493
b61cc19c
PC
494#ifdef PNG_pCAL_SUPPORTED
495 /* Free any pCAL entry */
496 if ((mask & PNG_FREE_PCAL) & info_ptr->free_me)
497 {
498 png_free(png_ptr, info_ptr->pcal_purpose);
499 png_free(png_ptr, info_ptr->pcal_units);
500 info_ptr->pcal_purpose = NULL;
501 info_ptr->pcal_units = NULL;
502 if (info_ptr->pcal_params != NULL)
503 {
fff5f7d5
VZ
504 unsigned int i;
505 for (i = 0; i < info_ptr->pcal_nparams; i++)
b61cc19c
PC
506 {
507 png_free(png_ptr, info_ptr->pcal_params[i]);
508 info_ptr->pcal_params[i] = NULL;
509 }
510 png_free(png_ptr, info_ptr->pcal_params);
511 info_ptr->pcal_params = NULL;
512 }
513 info_ptr->valid &= ~PNG_INFO_pCAL;
514 }
0272a10d
VZ
515#endif
516
b61cc19c 517#ifdef PNG_iCCP_SUPPORTED
fff5f7d5 518 /* Free any profile entry */
b61cc19c
PC
519 if ((mask & PNG_FREE_ICCP) & info_ptr->free_me)
520 {
521 png_free(png_ptr, info_ptr->iccp_name);
522 png_free(png_ptr, info_ptr->iccp_profile);
523 info_ptr->iccp_name = NULL;
524 info_ptr->iccp_profile = NULL;
525 info_ptr->valid &= ~PNG_INFO_iCCP;
526 }
0272a10d
VZ
527#endif
528
b61cc19c
PC
529#ifdef PNG_sPLT_SUPPORTED
530 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
531 if ((mask & PNG_FREE_SPLT) & info_ptr->free_me)
0272a10d 532 {
b61cc19c 533 if (num != -1)
0272a10d 534 {
b61cc19c
PC
535 if (info_ptr->splt_palettes)
536 {
537 png_free(png_ptr, info_ptr->splt_palettes[num].name);
538 png_free(png_ptr, info_ptr->splt_palettes[num].entries);
539 info_ptr->splt_palettes[num].name = NULL;
540 info_ptr->splt_palettes[num].entries = NULL;
541 }
542 }
9c0d9ce3 543
b61cc19c
PC
544 else
545 {
546 if (info_ptr->splt_palettes_num)
547 {
548 int i;
fff5f7d5
VZ
549 for (i = 0; i < info_ptr->splt_palettes_num; i++)
550 png_free_data(png_ptr, info_ptr, PNG_FREE_SPLT, (int)i);
b61cc19c
PC
551
552 png_free(png_ptr, info_ptr->splt_palettes);
553 info_ptr->splt_palettes = NULL;
554 info_ptr->splt_palettes_num = 0;
555 }
556 info_ptr->valid &= ~PNG_INFO_sPLT;
0272a10d
VZ
557 }
558 }
0272a10d
VZ
559#endif
560
fff5f7d5 561#ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
b61cc19c 562 if ((mask & PNG_FREE_UNKN) & info_ptr->free_me)
0272a10d 563 {
b61cc19c
PC
564 if (num != -1)
565 {
566 if (info_ptr->unknown_chunks)
567 {
568 png_free(png_ptr, info_ptr->unknown_chunks[num].data);
569 info_ptr->unknown_chunks[num].data = NULL;
570 }
571 }
9c0d9ce3 572
b61cc19c
PC
573 else
574 {
575 int i;
0272a10d 576
b61cc19c
PC
577 if (info_ptr->unknown_chunks_num)
578 {
9c0d9ce3 579 for (i = 0; i < info_ptr->unknown_chunks_num; i++)
fff5f7d5 580 png_free_data(png_ptr, info_ptr, PNG_FREE_UNKN, (int)i);
0272a10d 581
b61cc19c
PC
582 png_free(png_ptr, info_ptr->unknown_chunks);
583 info_ptr->unknown_chunks = NULL;
584 info_ptr->unknown_chunks_num = 0;
585 }
586 }
0272a10d 587 }
0272a10d
VZ
588#endif
589
b61cc19c
PC
590#ifdef PNG_hIST_SUPPORTED
591 /* Free any hIST entry */
592 if ((mask & PNG_FREE_HIST) & info_ptr->free_me)
593 {
594 png_free(png_ptr, info_ptr->hist);
595 info_ptr->hist = NULL;
596 info_ptr->valid &= ~PNG_INFO_hIST;
597 }
0272a10d
VZ
598#endif
599
b61cc19c
PC
600 /* Free any PLTE entry that was internally allocated */
601 if ((mask & PNG_FREE_PLTE) & info_ptr->free_me)
602 {
fff5f7d5 603 png_free(png_ptr, info_ptr->palette);
b61cc19c
PC
604 info_ptr->palette = NULL;
605 info_ptr->valid &= ~PNG_INFO_PLTE;
606 info_ptr->num_palette = 0;
607 }
0272a10d 608
b61cc19c
PC
609#ifdef PNG_INFO_IMAGE_SUPPORTED
610 /* Free any image bits attached to the info structure */
611 if ((mask & PNG_FREE_ROWS) & info_ptr->free_me)
612 {
613 if (info_ptr->row_pointers)
614 {
fff5f7d5
VZ
615 png_uint_32 row;
616 for (row = 0; row < info_ptr->height; row++)
b61cc19c
PC
617 {
618 png_free(png_ptr, info_ptr->row_pointers[row]);
619 info_ptr->row_pointers[row] = NULL;
620 }
621 png_free(png_ptr, info_ptr->row_pointers);
622 info_ptr->row_pointers = NULL;
623 }
624 info_ptr->valid &= ~PNG_INFO_IDAT;
625 }
0272a10d
VZ
626#endif
627
9c0d9ce3
DS
628 if (num != -1)
629 mask &= ~PNG_FREE_MUL;
630
631 info_ptr->free_me &= ~mask;
0272a10d 632}
0272a10d
VZ
633#endif /* defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) */
634
635/* This function returns a pointer to the io_ptr associated with the user
636 * functions. The application should free any memory associated with this
637 * pointer before png_write_destroy() or png_read_destroy() are called.
638 */
639png_voidp PNGAPI
fff5f7d5 640png_get_io_ptr(png_const_structrp png_ptr)
0272a10d 641{
b61cc19c
PC
642 if (png_ptr == NULL)
643 return (NULL);
9c0d9ce3 644
0272a10d
VZ
645 return (png_ptr->io_ptr);
646}
647
648#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
9c0d9ce3 649# ifdef PNG_STDIO_SUPPORTED
0272a10d
VZ
650/* Initialize the default input/output functions for the PNG file. If you
651 * use your own read or write routines, you can call either png_set_read_fn()
652 * or png_set_write_fn() instead of png_init_io(). If you have defined
9c0d9ce3
DS
653 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
654 * function of your own because "FILE *" isn't necessarily available.
0272a10d
VZ
655 */
656void PNGAPI
fff5f7d5 657png_init_io(png_structrp png_ptr, png_FILE_p fp)
0272a10d 658{
970f6abe 659 png_debug(1, "in png_init_io");
b61cc19c
PC
660
661 if (png_ptr == NULL)
662 return;
663
0272a10d
VZ
664 png_ptr->io_ptr = (png_voidp)fp;
665}
9c0d9ce3 666# endif
0272a10d 667
fff5f7d5
VZ
668#ifdef PNG_SAVE_INT_32_SUPPORTED
669/* The png_save_int_32 function assumes integers are stored in two's
670 * complement format. If this isn't the case, then this routine needs to
671 * be modified to write data in two's complement format. Note that,
672 * the following works correctly even if png_int_32 has more than 32 bits
673 * (compare the more complex code required on read for sign extension.)
674 */
675void PNGAPI
676png_save_int_32(png_bytep buf, png_int_32 i)
677{
678 buf[0] = (png_byte)((i >> 24) & 0xff);
679 buf[1] = (png_byte)((i >> 16) & 0xff);
680 buf[2] = (png_byte)((i >> 8) & 0xff);
681 buf[3] = (png_byte)(i & 0xff);
682}
683#endif
684
9c0d9ce3 685# ifdef PNG_TIME_RFC1123_SUPPORTED
0272a10d
VZ
686/* Convert the supplied time into an RFC 1123 string suitable for use in
687 * a "Creation Time" or other text-based time string.
688 */
fff5f7d5
VZ
689int PNGAPI
690png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
0272a10d
VZ
691{
692 static PNG_CONST char short_months[12][4] =
693 {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
694 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
695
fff5f7d5
VZ
696 if (out == NULL)
697 return 0;
0272a10d 698
72281370
DS
699 if (ptime->year > 9999 /* RFC1123 limitation */ ||
700 ptime->month == 0 || ptime->month > 12 ||
701 ptime->day == 0 || ptime->day > 31 ||
702 ptime->hour > 23 || ptime->minute > 59 ||
703 ptime->second > 60)
fff5f7d5 704 return 0;
72281370 705
0272a10d 706 {
9c0d9ce3 707 size_t pos = 0;
72281370 708 char number_buf[5]; /* enough for a four-digit year */
9c0d9ce3 709
fff5f7d5 710# define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
9c0d9ce3
DS
711# define APPEND_NUMBER(format, value)\
712 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
fff5f7d5 713# define APPEND(ch) if (pos < 28) out[pos++] = (ch)
9c0d9ce3 714
72281370 715 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
9c0d9ce3 716 APPEND(' ');
72281370 717 APPEND_STRING(short_months[(ptime->month - 1)]);
9c0d9ce3
DS
718 APPEND(' ');
719 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
720 APPEND(' ');
72281370 721 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
9c0d9ce3 722 APPEND(':');
72281370 723 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
9c0d9ce3 724 APPEND(':');
72281370 725 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
9c0d9ce3
DS
726 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
727
728# undef APPEND
729# undef APPEND_NUMBER
730# undef APPEND_STRING
0272a10d 731 }
9c0d9ce3 732
fff5f7d5 733 return 1;
0272a10d 734}
fff5f7d5
VZ
735
736# if PNG_LIBPNG_VER < 10700
737/* To do: remove the following from libpng-1.7 */
738/* Original API that uses a private buffer in png_struct.
739 * Deprecated because it causes png_struct to carry a spurious temporary
740 * buffer (png_struct::time_buffer), better to have the caller pass this in.
741 */
742png_const_charp PNGAPI
743png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
744{
745 if (png_ptr != NULL)
746 {
747 /* The only failure above if png_ptr != NULL is from an invalid ptime */
748 if (!png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime))
749 png_warning(png_ptr, "Ignoring invalid time value");
750
751 else
752 return png_ptr->time_buffer;
753 }
754
755 return NULL;
756}
757# endif
9c0d9ce3 758# endif /* PNG_TIME_RFC1123_SUPPORTED */
0272a10d
VZ
759
760#endif /* defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) */
761
9c0d9ce3 762png_const_charp PNGAPI
fff5f7d5 763png_get_copyright(png_const_structrp png_ptr)
0272a10d 764{
9c0d9ce3 765 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
b61cc19c 766#ifdef PNG_STRING_COPYRIGHT
9c0d9ce3 767 return PNG_STRING_COPYRIGHT
b61cc19c 768#else
9c0d9ce3
DS
769# ifdef __STDC__
770 return PNG_STRING_NEWLINE \
fff5f7d5
VZ
771 "libpng version 1.6.2 - April 25, 2013" PNG_STRING_NEWLINE \
772 "Copyright (c) 1998-2013 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
b61cc19c
PC
773 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
774 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
9c0d9ce3
DS
775 PNG_STRING_NEWLINE;
776# else
fff5f7d5
VZ
777 return "libpng version 1.6.2 - April 25, 2013\
778 Copyright (c) 1998-2013 Glenn Randers-Pehrson\
b61cc19c 779 Copyright (c) 1996-1997 Andreas Dilger\
9c0d9ce3
DS
780 Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
781# endif
b61cc19c 782#endif
0272a10d
VZ
783}
784
785/* The following return the library version as a short string in the
786 * format 1.0.0 through 99.99.99zz. To get the version of *.h files
787 * used with your application, print out PNG_LIBPNG_VER_STRING, which
788 * is defined in png.h.
789 * Note: now there is no difference between png_get_libpng_ver() and
790 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard,
791 * it is guaranteed that png.c uses the correct version of png.h.
792 */
9c0d9ce3 793png_const_charp PNGAPI
fff5f7d5 794png_get_libpng_ver(png_const_structrp png_ptr)
0272a10d
VZ
795{
796 /* Version of *.c files used when building libpng */
9c0d9ce3 797 return png_get_header_ver(png_ptr);
0272a10d
VZ
798}
799
9c0d9ce3 800png_const_charp PNGAPI
fff5f7d5 801png_get_header_ver(png_const_structrp png_ptr)
0272a10d
VZ
802{
803 /* Version of *.h files used when building libpng */
9c0d9ce3
DS
804 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
805 return PNG_LIBPNG_VER_STRING;
0272a10d
VZ
806}
807
9c0d9ce3 808png_const_charp PNGAPI
fff5f7d5 809png_get_header_version(png_const_structrp png_ptr)
0272a10d
VZ
810{
811 /* Returns longer string containing both version and date */
9c0d9ce3 812 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
b61cc19c 813#ifdef __STDC__
9c0d9ce3
DS
814 return PNG_HEADER_VERSION_STRING
815# ifndef PNG_READ_SUPPORTED
0272a10d 816 " (NO READ SUPPORT)"
9c0d9ce3
DS
817# endif
818 PNG_STRING_NEWLINE;
b61cc19c 819#else
9c0d9ce3 820 return PNG_HEADER_VERSION_STRING;
b61cc19c 821#endif
0272a10d
VZ
822}
823
fff5f7d5 824#ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
0272a10d 825int PNGAPI
fff5f7d5 826png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
0272a10d 827{
b61cc19c 828 /* Check chunk_name and return "keep" value if it's on the list, else 0 */
9c0d9ce3
DS
829 png_const_bytep p, p_end;
830
fff5f7d5 831 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
9c0d9ce3
DS
832 return PNG_HANDLE_CHUNK_AS_DEFAULT;
833
834 p_end = png_ptr->chunk_list;
835 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
836
837 /* The code is the fifth byte after each four byte string. Historically this
fff5f7d5
VZ
838 * code was always searched from the end of the list, this is no longer
839 * necessary because the 'set' routine handles duplicate entries correcty.
9c0d9ce3
DS
840 */
841 do /* num_chunk_list > 0, so at least one */
842 {
843 p -= 5;
fff5f7d5
VZ
844
845 if (!memcmp(chunk_name, p, 4))
9c0d9ce3
DS
846 return p[4];
847 }
848 while (p > p_end);
849
fff5f7d5
VZ
850 /* This means that known chunks should be processed and unknown chunks should
851 * be handled according to the value of png_ptr->unknown_default; this can be
852 * confusing because, as a result, there are two levels of defaulting for
853 * unknown chunks.
854 */
9c0d9ce3
DS
855 return PNG_HANDLE_CHUNK_AS_DEFAULT;
856}
857
fff5f7d5 858#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
9c0d9ce3 859int /* PRIVATE */
fff5f7d5 860png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
9c0d9ce3
DS
861{
862 png_byte chunk_string[5];
863
864 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
865 return png_handle_as_unknown(png_ptr, chunk_string);
0272a10d 866}
fff5f7d5
VZ
867#endif /* READ_UNKNOWN_CHUNKS */
868#endif /* SET_UNKNOWN_CHUNKS */
0272a10d 869
b61cc19c 870#ifdef PNG_READ_SUPPORTED
0272a10d
VZ
871/* This function, added to libpng-1.0.6g, is untested. */
872int PNGAPI
fff5f7d5 873png_reset_zstream(png_structrp png_ptr)
0272a10d 874{
b61cc19c
PC
875 if (png_ptr == NULL)
876 return Z_STREAM_ERROR;
9c0d9ce3 877
fff5f7d5 878 /* WARNING: this resets the window bits to the maximum! */
0272a10d
VZ
879 return (inflateReset(&png_ptr->zstream));
880}
b61cc19c 881#endif /* PNG_READ_SUPPORTED */
0272a10d
VZ
882
883/* This function was added to libpng-1.0.7 */
884png_uint_32 PNGAPI
885png_access_version_number(void)
886{
887 /* Version of *.c files used when building libpng */
9c0d9ce3 888 return((png_uint_32)PNG_LIBPNG_VER);
0272a10d
VZ
889}
890
891
0272a10d
VZ
892
893#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
fff5f7d5
VZ
894/* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
895 * If it doesn't 'ret' is used to set it to something appropriate, even in cases
896 * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
897 */
898void /* PRIVATE */
899png_zstream_error(png_structrp png_ptr, int ret)
900{
901 /* Translate 'ret' into an appropriate error string, priority is given to the
902 * one in zstream if set. This always returns a string, even in cases like
903 * Z_OK or Z_STREAM_END where the error code is a success code.
904 */
905 if (png_ptr->zstream.msg == NULL) switch (ret)
906 {
907 default:
908 case Z_OK:
909 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
910 break;
911
912 case Z_STREAM_END:
913 /* Normal exit */
914 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
915 break;
916
917 case Z_NEED_DICT:
918 /* This means the deflate stream did not have a dictionary; this
919 * indicates a bogus PNG.
920 */
921 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
922 break;
923
924 case Z_ERRNO:
925 /* gz APIs only: should not happen */
926 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
927 break;
928
929 case Z_STREAM_ERROR:
930 /* internal libpng error */
931 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
932 break;
933
934 case Z_DATA_ERROR:
935 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
936 break;
937
938 case Z_MEM_ERROR:
939 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
940 break;
941
942 case Z_BUF_ERROR:
943 /* End of input or output; not a problem if the caller is doing
944 * incremental read or write.
945 */
946 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
947 break;
948
949 case Z_VERSION_ERROR:
950 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
951 break;
952
953 case PNG_UNEXPECTED_ZLIB_RETURN:
954 /* Compile errors here mean that zlib now uses the value co-opted in
955 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
956 * and change pngpriv.h. Note that this message is "... return",
957 * whereas the default/Z_OK one is "... return code".
958 */
959 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
960 break;
961 }
962}
963
9c0d9ce3
DS
964/* png_convert_size: a PNGAPI but no longer in png.h, so deleted
965 * at libpng 1.5.5!
966 */
970f6abe
VZ
967
968/* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
fff5f7d5
VZ
969#ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
970static int
971png_colorspace_check_gamma(png_const_structrp png_ptr,
972 png_colorspacerp colorspace, png_fixed_point gAMA, int from)
973 /* This is called to check a new gamma value against an existing one. The
974 * routine returns false if the new gamma value should not be written.
975 *
976 * 'from' says where the new gamma value comes from:
977 *
978 * 0: the new gamma value is the libpng estimate for an ICC profile
979 * 1: the new gamma value comes from a gAMA chunk
980 * 2: the new gamma value comes from an sRGB chunk
981 */
970f6abe 982{
fff5f7d5 983 png_fixed_point gtest;
970f6abe 984
fff5f7d5
VZ
985 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
986 (!png_muldiv(&gtest, colorspace->gamma, PNG_FP_1, gAMA) ||
987 png_gamma_significant(gtest)))
988 {
989 /* Either this is an sRGB image, in which case the calculated gamma
990 * approximation should match, or this is an image with a profile and the
991 * value libpng calculates for the gamma of the profile does not match the
992 * value recorded in the file. The former, sRGB, case is an error, the
993 * latter is just a warning.
994 */
995 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
996 {
997 png_chunk_report(png_ptr, "gamma value does not match sRGB",
998 PNG_CHUNK_ERROR);
999 /* Do not overwrite an sRGB value */
1000 return from == 2;
1001 }
b61cc19c 1002
fff5f7d5
VZ
1003 else /* sRGB tag not involved */
1004 {
1005 png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1006 PNG_CHUNK_WARNING);
1007 return from == 1;
1008 }
1009 }
1010
1011 return 1;
1012}
970f6abe 1013
fff5f7d5
VZ
1014void /* PRIVATE */
1015png_colorspace_set_gamma(png_const_structrp png_ptr,
1016 png_colorspacerp colorspace, png_fixed_point gAMA)
1017{
1018 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1019 * occur. Since the fixed point representation is assymetrical it is
1020 * possible for 1/gamma to overflow the limit of 21474 and this means the
1021 * gamma value must be at least 5/100000 and hence at most 20000.0. For
1022 * safety the limits here are a little narrower. The values are 0.00016 to
1023 * 6250.0, which are truly ridiculous gamma values (and will produce
1024 * displays that are all black or all white.)
1025 *
1026 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1027 * handling code, which only required the value to be >0.
9c0d9ce3 1028 */
fff5f7d5
VZ
1029 png_const_charp errmsg;
1030
1031 if (gAMA < 16 || gAMA > 625000000)
1032 errmsg = "gamma value out of range";
1033
1034# ifdef PNG_READ_gAMA_SUPPORTED
1035 /* Allow the application to set the gamma value more than once */
1036 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1037 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1038 errmsg = "duplicate";
1039# endif
9c0d9ce3 1040
fff5f7d5
VZ
1041 /* Do nothing if the colorspace is already invalid */
1042 else if (colorspace->flags & PNG_COLORSPACE_INVALID)
1043 return;
1044
1045 else
970f6abe 1046 {
fff5f7d5
VZ
1047 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA, 1/*from gAMA*/))
1048 {
1049 /* Store this gamma value. */
1050 colorspace->gamma = gAMA;
1051 colorspace->flags |=
1052 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1053 }
1054
1055 /* At present if the check_gamma test fails the gamma of the colorspace is
1056 * not updated however the colorspace is not invalidated. This
1057 * corresponds to the case where the existing gamma comes from an sRGB
1058 * chunk or profile. An error message has already been output.
1059 */
1060 return;
970f6abe 1061 }
9c0d9ce3 1062
fff5f7d5
VZ
1063 /* Error exit - errmsg has been set. */
1064 colorspace->flags |= PNG_COLORSPACE_INVALID;
1065 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1066}
1067
1068void /* PRIVATE */
1069png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1070{
1071 if (info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID)
970f6abe 1072 {
fff5f7d5
VZ
1073 /* Everything is invalid */
1074 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1075 PNG_INFO_iCCP);
1076
1077# ifdef PNG_COLORSPACE_SUPPORTED
1078 /* Clean up the iCCP profile now if it won't be used. */
1079 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1080# else
1081 PNG_UNUSED(png_ptr)
1082# endif
970f6abe 1083 }
9c0d9ce3 1084
fff5f7d5 1085 else
970f6abe 1086 {
fff5f7d5
VZ
1087# ifdef PNG_COLORSPACE_SUPPORTED
1088 /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1089 * it; this allows a PNG to contain a profile which matches sRGB and
1090 * yet still have that profile retrievable by the application.
1091 */
1092 if (info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB)
1093 info_ptr->valid |= PNG_INFO_sRGB;
970f6abe 1094
fff5f7d5
VZ
1095 else
1096 info_ptr->valid &= ~PNG_INFO_sRGB;
970f6abe 1097
fff5f7d5
VZ
1098 if (info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS)
1099 info_ptr->valid |= PNG_INFO_cHRM;
1100
1101 else
1102 info_ptr->valid &= ~PNG_INFO_cHRM;
1103# endif
1104
1105 if (info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA)
1106 info_ptr->valid |= PNG_INFO_gAMA;
1107
1108 else
1109 info_ptr->valid &= ~PNG_INFO_gAMA;
970f6abe 1110 }
fff5f7d5 1111}
970f6abe 1112
fff5f7d5
VZ
1113#ifdef PNG_READ_SUPPORTED
1114void /* PRIVATE */
1115png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1116{
1117 if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1118 return;
1119
1120 info_ptr->colorspace = png_ptr->colorspace;
1121 png_colorspace_sync_info(png_ptr, info_ptr);
970f6abe 1122}
fff5f7d5
VZ
1123#endif
1124#endif
9c0d9ce3 1125
fff5f7d5 1126#ifdef PNG_COLORSPACE_SUPPORTED
9c0d9ce3
DS
1127/* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1128 * cHRM, as opposed to using chromaticities. These internal APIs return
1129 * non-zero on a parameter error. The X, Y and Z values are required to be
1130 * positive and less than 1.0.
1131 */
fff5f7d5
VZ
1132static int
1133png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
9c0d9ce3
DS
1134{
1135 png_int_32 d, dwhite, whiteX, whiteY;
1136
fff5f7d5
VZ
1137 d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1138 if (!png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d)) return 1;
1139 if (!png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d)) return 1;
9c0d9ce3 1140 dwhite = d;
fff5f7d5
VZ
1141 whiteX = XYZ->red_X;
1142 whiteY = XYZ->red_Y;
9c0d9ce3 1143
fff5f7d5
VZ
1144 d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1145 if (!png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d)) return 1;
1146 if (!png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d)) return 1;
9c0d9ce3 1147 dwhite += d;
fff5f7d5
VZ
1148 whiteX += XYZ->green_X;
1149 whiteY += XYZ->green_Y;
9c0d9ce3 1150
fff5f7d5
VZ
1151 d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1152 if (!png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d)) return 1;
1153 if (!png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d)) return 1;
9c0d9ce3 1154 dwhite += d;
fff5f7d5
VZ
1155 whiteX += XYZ->blue_X;
1156 whiteY += XYZ->blue_Y;
9c0d9ce3 1157
fff5f7d5 1158 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
9c0d9ce3
DS
1159 * thus:
1160 */
1161 if (!png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite)) return 1;
1162 if (!png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite)) return 1;
1163
1164 return 0;
1165}
1166
fff5f7d5
VZ
1167static int
1168png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
9c0d9ce3
DS
1169{
1170 png_fixed_point red_inverse, green_inverse, blue_scale;
1171 png_fixed_point left, right, denominator;
1172
1173 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically
1174 * have end points with 0 tristimulus values (these are impossible end
1175 * points, but they are used to cover the possible colors.)
1176 */
fff5f7d5
VZ
1177 if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1;
1178 if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
1179 if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
1180 if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
1181 if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1;
1182 if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
1183 if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
1184 if (xy->whitey < 0 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
9c0d9ce3
DS
1185
1186 /* The reverse calculation is more difficult because the original tristimulus
1187 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1188 * derived values were recorded in the cHRM chunk;
1189 * (red,green,blue,white)x(x,y). This loses one degree of freedom and
1190 * therefore an arbitrary ninth value has to be introduced to undo the
1191 * original transformations.
1192 *
1193 * Think of the original end-points as points in (X,Y,Z) space. The
1194 * chromaticity values (c) have the property:
1195 *
1196 * C
1197 * c = ---------
1198 * X + Y + Z
1199 *
1200 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the
1201 * three chromaticity values (x,y,z) for each end-point obey the
1202 * relationship:
1203 *
1204 * x + y + z = 1
1205 *
1206 * This describes the plane in (X,Y,Z) space that intersects each axis at the
1207 * value 1.0; call this the chromaticity plane. Thus the chromaticity
1208 * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1209 * and chromaticity is the intersection of the vector from the origin to the
1210 * (X,Y,Z) value with the chromaticity plane.
1211 *
1212 * To fully invert the chromaticity calculation we would need the three
1213 * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1214 * were not recorded. Instead we calculated the reference white (X,Y,Z) and
1215 * recorded the chromaticity of this. The reference white (X,Y,Z) would have
1216 * given all three of the scale factors since:
1217 *
1218 * color-C = color-c * color-scale
1219 * white-C = red-C + green-C + blue-C
1220 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1221 *
1222 * But cHRM records only white-x and white-y, so we have lost the white scale
1223 * factor:
1224 *
1225 * white-C = white-c*white-scale
1226 *
1227 * To handle this the inverse transformation makes an arbitrary assumption
1228 * about white-scale:
1229 *
1230 * Assume: white-Y = 1.0
1231 * Hence: white-scale = 1/white-y
1232 * Or: red-Y + green-Y + blue-Y = 1.0
1233 *
1234 * Notice the last statement of the assumption gives an equation in three of
1235 * the nine values we want to calculate. 8 more equations come from the
1236 * above routine as summarised at the top above (the chromaticity
1237 * calculation):
1238 *
1239 * Given: color-x = color-X / (color-X + color-Y + color-Z)
1240 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1241 *
1242 * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1243 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix
1244 * determinants, however this is not as bad as it seems because only 28 of
1245 * the total of 90 terms in the various matrices are non-zero. Nevertheless
1246 * Cramer's rule is notoriously numerically unstable because the determinant
1247 * calculation involves the difference of large, but similar, numbers. It is
1248 * difficult to be sure that the calculation is stable for real world values
1249 * and it is certain that it becomes unstable where the end points are close
1250 * together.
1251 *
fff5f7d5
VZ
1252 * So this code uses the perhaps slightly less optimal but more
1253 * understandable and totally obvious approach of calculating color-scale.
9c0d9ce3
DS
1254 *
1255 * This algorithm depends on the precision in white-scale and that is
1256 * (1/white-y), so we can immediately see that as white-y approaches 0 the
1257 * accuracy inherent in the cHRM chunk drops off substantially.
1258 *
1259 * libpng arithmetic: a simple invertion of the above equations
1260 * ------------------------------------------------------------
1261 *
1262 * white_scale = 1/white-y
1263 * white-X = white-x * white-scale
1264 * white-Y = 1.0
1265 * white-Z = (1 - white-x - white-y) * white_scale
1266 *
1267 * white-C = red-C + green-C + blue-C
1268 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1269 *
1270 * This gives us three equations in (red-scale,green-scale,blue-scale) where
1271 * all the coefficients are now known:
1272 *
1273 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1274 * = white-x/white-y
1275 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1276 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1277 * = (1 - white-x - white-y)/white-y
1278 *
1279 * In the last equation color-z is (1 - color-x - color-y) so we can add all
1280 * three equations together to get an alternative third:
1281 *
1282 * red-scale + green-scale + blue-scale = 1/white-y = white-scale
1283 *
1284 * So now we have a Cramer's rule solution where the determinants are just
1285 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve
1286 * multiplication of three coefficients so we can't guarantee to avoid
1287 * overflow in the libpng fixed point representation. Using Cramer's rule in
1288 * floating point is probably a good choice here, but it's not an option for
1289 * fixed point. Instead proceed to simplify the first two equations by
1290 * eliminating what is likely to be the largest value, blue-scale:
1291 *
1292 * blue-scale = white-scale - red-scale - green-scale
1293 *
1294 * Hence:
1295 *
1296 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1297 * (white-x - blue-x)*white-scale
1298 *
1299 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1300 * 1 - blue-y*white-scale
1301 *
1302 * And now we can trivially solve for (red-scale,green-scale):
1303 *
1304 * green-scale =
1305 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1306 * -----------------------------------------------------------
1307 * green-x - blue-x
1308 *
1309 * red-scale =
1310 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1311 * ---------------------------------------------------------
1312 * red-y - blue-y
1313 *
1314 * Hence:
1315 *
1316 * red-scale =
1317 * ( (green-x - blue-x) * (white-y - blue-y) -
1318 * (green-y - blue-y) * (white-x - blue-x) ) / white-y
1319 * -------------------------------------------------------------------------
1320 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1321 *
1322 * green-scale =
1323 * ( (red-y - blue-y) * (white-x - blue-x) -
1324 * (red-x - blue-x) * (white-y - blue-y) ) / white-y
1325 * -------------------------------------------------------------------------
1326 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1327 *
1328 * Accuracy:
1329 * The input values have 5 decimal digits of accuracy. The values are all in
1330 * the range 0 < value < 1, so simple products are in the same range but may
1331 * need up to 10 decimal digits to preserve the original precision and avoid
1332 * underflow. Because we are using a 32-bit signed representation we cannot
1333 * match this; the best is a little over 9 decimal digits, less than 10.
1334 *
1335 * The approach used here is to preserve the maximum precision within the
1336 * signed representation. Because the red-scale calculation above uses the
1337 * difference between two products of values that must be in the range -1..+1
1338 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The
1339 * factor is irrelevant in the calculation because it is applied to both
1340 * numerator and denominator.
1341 *
1342 * Note that the values of the differences of the products of the
1343 * chromaticities in the above equations tend to be small, for example for
1344 * the sRGB chromaticities they are:
1345 *
1346 * red numerator: -0.04751
1347 * green numerator: -0.08788
1348 * denominator: -0.2241 (without white-y multiplication)
1349 *
1350 * The resultant Y coefficients from the chromaticities of some widely used
1351 * color space definitions are (to 15 decimal places):
1352 *
1353 * sRGB
1354 * 0.212639005871510 0.715168678767756 0.072192315360734
1355 * Kodak ProPhoto
1356 * 0.288071128229293 0.711843217810102 0.000085653960605
1357 * Adobe RGB
1358 * 0.297344975250536 0.627363566255466 0.075291458493998
1359 * Adobe Wide Gamut RGB
1360 * 0.258728243040113 0.724682314948566 0.016589442011321
1361 */
fff5f7d5
VZ
1362 /* By the argument, above overflow should be impossible here. The return
1363 * value of 2 indicates an internal error to the caller.
1364 */
1365 if (!png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7))
1366 return 2;
1367 if (!png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7))
1368 return 2;
1369 denominator = left - right;
1370
1371 /* Now find the red numerator. */
1372 if (!png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7))
1373 return 2;
1374 if (!png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7))
1375 return 2;
1376
1377 /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1378 * chunk values. This calculation actually returns the reciprocal of the
1379 * scale value because this allows us to delay the multiplication of white-y
1380 * into the denominator, which tends to produce a small number.
1381 */
1382 if (!png_muldiv(&red_inverse, xy->whitey, denominator, left-right) ||
1383 red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1384 return 1;
1385
1386 /* Similarly for green_inverse: */
1387 if (!png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7))
1388 return 2;
1389 if (!png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7))
1390 return 2;
1391 if (!png_muldiv(&green_inverse, xy->whitey, denominator, left-right) ||
1392 green_inverse <= xy->whitey)
1393 return 1;
1394
1395 /* And the blue scale, the checks above guarantee this can't overflow but it
1396 * can still produce 0 for extreme cHRM values.
1397 */
1398 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1399 png_reciprocal(green_inverse);
1400 if (blue_scale <= 0) return 1;
1401
1402
1403 /* And fill in the png_XYZ: */
1404 if (!png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse)) return 1;
1405 if (!png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse)) return 1;
1406 if (!png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1407 red_inverse))
1408 return 1;
1409
1410 if (!png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse))
1411 return 1;
1412 if (!png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse))
1413 return 1;
1414 if (!png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1415 green_inverse))
1416 return 1;
1417
1418 if (!png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1)) return 1;
1419 if (!png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1)) return 1;
1420 if (!png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1421 PNG_FP_1))
1422 return 1;
1423
1424 return 0; /*success*/
1425}
1426
1427static int
1428png_XYZ_normalize(png_XYZ *XYZ)
1429{
1430 png_int_32 Y;
1431
1432 if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||
1433 XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||
1434 XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)
1435 return 1;
1436
1437 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1438 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1439 * relying on addition of two positive values producing a negative one is not
1440 * safe.
1441 */
1442 Y = XYZ->red_Y;
1443 if (0x7fffffff - Y < XYZ->green_X) return 1;
1444 Y += XYZ->green_Y;
1445 if (0x7fffffff - Y < XYZ->blue_X) return 1;
1446 Y += XYZ->blue_Y;
1447
1448 if (Y != PNG_FP_1)
1449 {
1450 if (!png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y)) return 1;
1451 if (!png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y)) return 1;
1452 if (!png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y)) return 1;
1453
1454 if (!png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y)) return 1;
1455 if (!png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y)) return 1;
1456 if (!png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y)) return 1;
1457
1458 if (!png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y)) return 1;
1459 if (!png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y)) return 1;
1460 if (!png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y)) return 1;
1461 }
1462
1463 return 0;
1464}
1465
1466static int
1467png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1468{
1469 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1470 return !(PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1471 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1472 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) ||
1473 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) ||
1474 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1475 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1476 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) ||
1477 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta));
1478}
1479
1480/* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1481 * chunk chromaticities. Earlier checks used to simply look for the overflow
1482 * condition (where the determinant of the matrix to solve for XYZ ends up zero
1483 * because the chromaticity values are not all distinct.) Despite this it is
1484 * theoretically possible to produce chromaticities that are apparently valid
1485 * but that rapidly degrade to invalid, potentially crashing, sets because of
1486 * arithmetic inaccuracies when calculations are performed on them. The new
1487 * check is to round-trip xy -> XYZ -> xy and then check that the result is
1488 * within a small percentage of the original.
1489 */
1490static int
1491png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1492{
1493 int result;
1494 png_xy xy_test;
1495
1496 /* As a side-effect this routine also returns the XYZ endpoints. */
1497 result = png_XYZ_from_xy(XYZ, xy);
1498 if (result) return result;
1499
1500 result = png_xy_from_XYZ(&xy_test, XYZ);
1501 if (result) return result;
1502
1503 if (png_colorspace_endpoints_match(xy, &xy_test,
1504 5/*actually, the math is pretty accurate*/))
1505 return 0;
1506
1507 /* Too much slip */
1508 return 1;
1509}
1510
1511/* This is the check going the other way. The XYZ is modified to normalize it
1512 * (another side-effect) and the xy chromaticities are returned.
1513 */
1514static int
1515png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1516{
1517 int result;
1518 png_XYZ XYZtemp;
1519
1520 result = png_XYZ_normalize(XYZ);
1521 if (result) return result;
1522
1523 result = png_xy_from_XYZ(xy, XYZ);
1524 if (result) return result;
1525
1526 XYZtemp = *XYZ;
1527 return png_colorspace_check_xy(&XYZtemp, xy);
1528}
1529
1530/* Used to check for an endpoint match against sRGB */
1531static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1532{
1533 /* color x y */
1534 /* red */ 64000, 33000,
1535 /* green */ 30000, 60000,
1536 /* blue */ 15000, 6000,
1537 /* white */ 31270, 32900
1538};
1539
1540static int
1541png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1542 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1543 int preferred)
1544{
1545 if (colorspace->flags & PNG_COLORSPACE_INVALID)
1546 return 0;
1547
1548 /* The consistency check is performed on the chromaticities; this factors out
1549 * variations because of the normalization (or not) of the end point Y
1550 * values.
1551 */
1552 if (preferred < 2 && (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS))
1553 {
1554 /* The end points must be reasonably close to any we already have. The
1555 * following allows an error of up to +/-.001
1556 */
1557 if (!png_colorspace_endpoints_match(xy, &colorspace->end_points_xy, 100))
1558 {
1559 colorspace->flags |= PNG_COLORSPACE_INVALID;
1560 png_benign_error(png_ptr, "inconsistent chromaticities");
1561 return 0; /* failed */
1562 }
1563
1564 /* Only overwrite with preferred values */
1565 if (!preferred)
1566 return 1; /* ok, but no change */
1567 }
1568
1569 colorspace->end_points_xy = *xy;
1570 colorspace->end_points_XYZ = *XYZ;
1571 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1572
1573 /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1574 * on this test.
1575 */
1576 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000))
1577 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1578
1579 else
1580 colorspace->flags &= PNG_COLORSPACE_CANCEL(
1581 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1582
1583 return 2; /* ok and changed */
1584}
1585
1586int /* PRIVATE */
1587png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1588 png_colorspacerp colorspace, const png_xy *xy, int preferred)
1589{
1590 /* We must check the end points to ensure they are reasonable - in the past
1591 * color management systems have crashed as a result of getting bogus
1592 * colorant values, while this isn't the fault of libpng it is the
1593 * responsibility of libpng because PNG carries the bomb and libpng is in a
1594 * position to protect against it.
1595 */
1596 png_XYZ XYZ;
1597
1598 switch (png_colorspace_check_xy(&XYZ, xy))
1599 {
1600 case 0: /* success */
1601 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1602 preferred);
1603
1604 case 1:
1605 /* We can't invert the chromaticities so we can't produce value XYZ
1606 * values. Likely as not a color management system will fail too.
1607 */
1608 colorspace->flags |= PNG_COLORSPACE_INVALID;
1609 png_benign_error(png_ptr, "invalid chromaticities");
1610 break;
1611
1612 default:
1613 /* libpng is broken; this should be a warning but if it happens we
1614 * want error reports so for the moment it is an error.
1615 */
1616 colorspace->flags |= PNG_COLORSPACE_INVALID;
1617 png_error(png_ptr, "internal error checking chromaticities");
1618 break;
1619 }
1620
1621 return 0; /* failed */
1622}
1623
1624int /* PRIVATE */
1625png_colorspace_set_endpoints(png_const_structrp png_ptr,
1626 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1627{
1628 png_XYZ XYZ = *XYZ_in;
1629 png_xy xy;
1630
1631 switch (png_colorspace_check_XYZ(&xy, &XYZ))
1632 {
1633 case 0:
1634 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1635 preferred);
1636
1637 case 1:
1638 /* End points are invalid. */
1639 colorspace->flags |= PNG_COLORSPACE_INVALID;
1640 png_benign_error(png_ptr, "invalid end points");
1641 break;
1642
1643 default:
1644 colorspace->flags |= PNG_COLORSPACE_INVALID;
1645 png_error(png_ptr, "internal error checking chromaticities");
1646 break;
1647 }
1648
1649 return 0; /* failed */
1650}
1651
1652#if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1653/* Error message generation */
1654static char
1655png_icc_tag_char(png_uint_32 byte)
1656{
1657 byte &= 0xff;
1658 if (byte >= 32 && byte <= 126)
1659 return (char)byte;
1660 else
1661 return '?';
1662}
1663
1664static void
1665png_icc_tag_name(char *name, png_uint_32 tag)
1666{
1667 name[0] = '\'';
1668 name[1] = png_icc_tag_char(tag >> 24);
1669 name[2] = png_icc_tag_char(tag >> 16);
1670 name[3] = png_icc_tag_char(tag >> 8);
1671 name[4] = png_icc_tag_char(tag );
1672 name[5] = '\'';
1673}
1674
1675static int
1676is_ICC_signature_char(png_alloc_size_t it)
1677{
1678 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1679 (it >= 97 && it <= 122);
1680}
1681
1682static int is_ICC_signature(png_alloc_size_t it)
1683{
1684 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1685 is_ICC_signature_char((it >> 16) & 0xff) &&
1686 is_ICC_signature_char((it >> 8) & 0xff) &&
1687 is_ICC_signature_char(it & 0xff);
1688}
1689
1690static int
1691png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1692 png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1693{
1694 size_t pos;
1695 char message[196]; /* see below for calculation */
1696
1697 if (colorspace != NULL)
1698 colorspace->flags |= PNG_COLORSPACE_INVALID;
1699
1700 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1701 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1702 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1703 if (is_ICC_signature(value))
1704 {
1705 /* So 'value' is at most 4 bytes and the following cast is safe */
1706 png_icc_tag_name(message+pos, (png_uint_32)value);
1707 pos += 6; /* total +8; less than the else clause */
1708 message[pos++] = ':';
1709 message[pos++] = ' ';
1710 }
1711# ifdef PNG_WARNINGS_SUPPORTED
1712 else
1713 {
1714 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/
1715
1716 pos = png_safecat(message, (sizeof message), pos,
1717 png_format_number(number, number+(sizeof number),
1718 PNG_NUMBER_FORMAT_x, value));
1719 pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/
1720 }
1721# endif
1722 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1723 pos = png_safecat(message, (sizeof message), pos, reason);
1724
1725 /* This is recoverable, but make it unconditionally an app_error on write to
1726 * avoid writing invalid ICC profiles into PNG files. (I.e. we handle them
1727 * on read, with a warning, but on write unless the app turns off
1728 * application errors the PNG won't be written.)
1729 */
1730 png_chunk_report(png_ptr, message,
1731 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1732
1733 return 0;
1734}
1735#endif /* sRGB || iCCP */
1736
1737#ifdef PNG_sRGB_SUPPORTED
1738int /* PRIVATE */
1739png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1740 int intent)
1741{
1742 /* sRGB sets known gamma, end points and (from the chunk) intent. */
1743 /* IMPORTANT: these are not necessarily the values found in an ICC profile
1744 * because ICC profiles store values adapted to a D50 environment; it is
1745 * expected that the ICC profile mediaWhitePointTag will be D50, see the
1746 * checks and code elsewhere to understand this better.
1747 *
1748 * These XYZ values, which are accurate to 5dp, produce rgb to gray
1749 * coefficients of (6968,23435,2366), which are reduced (because they add up
1750 * to 32769 not 32768) to (6968,23434,2366). These are the values that
1751 * libpng has traditionally used (and are the best values given the 15bit
1752 * algorithm used by the rgb to gray code.)
1753 */
1754 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1755 {
1756 /* color X Y Z */
1757 /* red */ 41239, 21264, 1933,
1758 /* green */ 35758, 71517, 11919,
1759 /* blue */ 18048, 7219, 95053
1760 };
1761
1762 /* Do nothing if the colorspace is already invalidated. */
1763 if (colorspace->flags & PNG_COLORSPACE_INVALID)
1764 return 0;
1765
1766 /* Check the intent, then check for existing settings. It is valid for the
1767 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1768 * be consistent with the correct values. If, however, this function is
1769 * called below because an iCCP chunk matches sRGB then it is quite
1770 * conceivable that an older app recorded incorrect gAMA and cHRM because of
1771 * an incorrect calculation based on the values in the profile - this does
1772 * *not* invalidate the profile (though it still produces an error, which can
1773 * be ignored.)
1774 */
1775 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1776 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1777 (unsigned)intent, "invalid sRGB rendering intent");
1778
1779 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1780 colorspace->rendering_intent != intent)
1781 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1782 (unsigned)intent, "inconsistent rendering intents");
1783
1784 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1785 {
1786 png_benign_error(png_ptr, "duplicate sRGB information ignored");
1787 return 0;
1788 }
1789
1790 /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1791 * warn but overwrite the value with the correct one.
1792 */
1793 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1794 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1795 100))
1796 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1797 PNG_CHUNK_ERROR);
1798
1799 /* This check is just done for the error reporting - the routine always
1800 * returns true when the 'from' argument corresponds to sRGB (2).
1801 */
1802 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1803 2/*from sRGB*/);
1804
1805 /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1806 colorspace->rendering_intent = (png_uint_16)intent;
1807 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1808
1809 /* endpoints */
1810 colorspace->end_points_xy = sRGB_xy;
1811 colorspace->end_points_XYZ = sRGB_XYZ;
1812 colorspace->flags |=
1813 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1814
1815 /* gamma */
1816 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1817 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1818
1819 /* Finally record that we have an sRGB profile */
1820 colorspace->flags |=
1821 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1822
1823 return 1; /* set */
1824}
1825#endif /* sRGB */
1826
1827#ifdef PNG_iCCP_SUPPORTED
1828/* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value
1829 * is XYZ(0.9642,1.0,0.8249), which scales to:
1830 *
1831 * (63189.8112, 65536, 54060.6464)
1832 */
1833static const png_byte D50_nCIEXYZ[12] =
1834 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1835
1836int /* PRIVATE */
1837png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1838 png_const_charp name, png_uint_32 profile_length)
1839{
1840 if (profile_length < 132)
1841 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1842 "too short");
1843
1844 if (profile_length & 3)
1845 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1846 "invalid length");
1847
1848 return 1;
1849}
1850
1851int /* PRIVATE */
1852png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
1853 png_const_charp name, png_uint_32 profile_length,
1854 png_const_bytep profile/* first 132 bytes only */, int color_type)
1855{
1856 png_uint_32 temp;
1857
1858 /* Length check; this cannot be ignored in this code because profile_length
1859 * is used later to check the tag table, so even if the profile seems over
1860 * long profile_length from the caller must be correct. The caller can fix
1861 * this up on read or write by just passing in the profile header length.
1862 */
1863 temp = png_get_uint_32(profile);
1864 if (temp != profile_length)
1865 return png_icc_profile_error(png_ptr, colorspace, name, temp,
1866 "length does not match profile");
1867
1868 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
1869 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
1870 profile_length < 132+12*temp) /* truncated tag table */
1871 return png_icc_profile_error(png_ptr, colorspace, name, temp,
1872 "tag count too large");
1873
1874 /* The 'intent' must be valid or we can't store it, ICC limits the intent to
1875 * 16 bits.
1876 */
1877 temp = png_get_uint_32(profile+64);
1878 if (temp >= 0xffff) /* The ICC limit */
1879 return png_icc_profile_error(png_ptr, colorspace, name, temp,
1880 "invalid rendering intent");
1881
1882 /* This is just a warning because the profile may be valid in future
1883 * versions.
1884 */
1885 if (temp >= PNG_sRGB_INTENT_LAST)
1886 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
1887 "intent outside defined range");
1888
1889 /* At this point the tag table can't be checked because it hasn't necessarily
1890 * been loaded; however, various header fields can be checked. These checks
1891 * are for values permitted by the PNG spec in an ICC profile; the PNG spec
1892 * restricts the profiles that can be passed in an iCCP chunk (they must be
1893 * appropriate to processing PNG data!)
1894 */
1895
1896 /* Data checks (could be skipped). These checks must be independent of the
1897 * version number; however, the version number doesn't accomodate changes in
1898 * the header fields (just the known tags and the interpretation of the
1899 * data.)
1900 */
1901 temp = png_get_uint_32(profile+36); /* signature 'ascp' */
1902 if (temp != 0x61637370)
1903 return png_icc_profile_error(png_ptr, colorspace, name, temp,
1904 "invalid signature");
1905
1906 /* Currently the PCS illuminant/adopted white point (the computational
1907 * white point) are required to be D50,
1908 * however the profile contains a record of the illuminant so perhaps ICC
1909 * expects to be able to change this in the future (despite the rationale in
1910 * the introduction for using a fixed PCS adopted white.) Consequently the
1911 * following is just a warning.
1912 */
1913 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
1914 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
1915 "PCS illuminant is not D50");
1916
1917 /* The PNG spec requires this:
1918 * "If the iCCP chunk is present, the image samples conform to the colour
1919 * space represented by the embedded ICC profile as defined by the
1920 * International Color Consortium [ICC]. The colour space of the ICC profile
1921 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
1922 * 6), or a greyscale colour space for greyscale images (PNG colour types 0
1923 * and 4)."
1924 *
1925 * This checking code ensures the embedded profile (on either read or write)
1926 * conforms to the specification requirements. Notice that an ICC 'gray'
1927 * color-space profile contains the information to transform the monochrome
1928 * data to XYZ or L*a*b (according to which PCS the profile uses) and this
1929 * should be used in preference to the standard libpng K channel replication
1930 * into R, G and B channels.
1931 *
1932 * Previously it was suggested that an RGB profile on grayscale data could be
1933 * handled. However it it is clear that using an RGB profile in this context
1934 * must be an error - there is no specification of what it means. Thus it is
1935 * almost certainly more correct to ignore the profile.
1936 */
1937 temp = png_get_uint_32(profile+16); /* data colour space field */
1938 switch (temp)
1939 {
1940 case 0x52474220: /* 'RGB ' */
1941 if (!(color_type & PNG_COLOR_MASK_COLOR))
1942 return png_icc_profile_error(png_ptr, colorspace, name, temp,
1943 "RGB color space not permitted on grayscale PNG");
1944 break;
1945
1946 case 0x47524159: /* 'GRAY' */
1947 if (color_type & PNG_COLOR_MASK_COLOR)
1948 return png_icc_profile_error(png_ptr, colorspace, name, temp,
1949 "Gray color space not permitted on RGB PNG");
1950 break;
1951
1952 default:
1953 return png_icc_profile_error(png_ptr, colorspace, name, temp,
1954 "invalid ICC profile color space");
1955 }
1956
1957 /* It is up to the application to check that the profile class matches the
1958 * application requirements; the spec provides no guidance, but it's pretty
1959 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
1960 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these
1961 * cases. Issue an error for device link or abstract profiles - these don't
1962 * contain the records necessary to transform the color-space to anything
1963 * other than the target device (and not even that for an abstract profile).
1964 * Profiles of these classes may not be embedded in images.
1965 */
1966 temp = png_get_uint_32(profile+12); /* profile/device class */
1967 switch (temp)
1968 {
1969 case 0x73636E72: /* 'scnr' */
1970 case 0x6D6E7472: /* 'mntr' */
1971 case 0x70727472: /* 'prtr' */
1972 case 0x73706163: /* 'spac' */
1973 /* All supported */
1974 break;
1975
1976 case 0x61627374: /* 'abst' */
1977 /* May not be embedded in an image */
1978 return png_icc_profile_error(png_ptr, colorspace, name, temp,
1979 "invalid embedded Abstract ICC profile");
1980
1981 case 0x6C696E6B: /* 'link' */
1982 /* DeviceLink profiles cannnot be interpreted in a non-device specific
1983 * fashion, if an app uses the AToB0Tag in the profile the results are
1984 * undefined unless the result is sent to the intended device,
1985 * therefore a DeviceLink profile should not be found embedded in a
1986 * PNG.
1987 */
1988 return png_icc_profile_error(png_ptr, colorspace, name, temp,
1989 "unexpected DeviceLink ICC profile class");
1990
1991 case 0x6E6D636C: /* 'nmcl' */
1992 /* A NamedColor profile is also device specific, however it doesn't
1993 * contain an AToB0 tag that is open to misintrepretation. Almost
1994 * certainly it will fail the tests below.
1995 */
1996 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
1997 "unexpected NamedColor ICC profile class");
1998 break;
1999
2000 default:
2001 /* To allow for future enhancements to the profile accept unrecognized
2002 * profile classes with a warning, these then hit the test below on the
2003 * tag content to ensure they are backward compatible with one of the
2004 * understood profiles.
2005 */
2006 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2007 "unrecognized ICC profile class");
2008 break;
2009 }
2010
2011 /* For any profile other than a device link one the PCS must be encoded
2012 * either in XYZ or Lab.
9c0d9ce3 2013 */
fff5f7d5
VZ
2014 temp = png_get_uint_32(profile+20);
2015 switch (temp)
2016 {
2017 case 0x58595A20: /* 'XYZ ' */
2018 case 0x4C616220: /* 'Lab ' */
2019 break;
9c0d9ce3 2020
fff5f7d5
VZ
2021 default:
2022 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2023 "unexpected ICC PCS encoding");
2024 }
9c0d9ce3 2025
fff5f7d5
VZ
2026 return 1;
2027}
2028
2029int /* PRIVATE */
2030png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2031 png_const_charp name, png_uint_32 profile_length,
2032 png_const_bytep profile /* header plus whole tag table */)
2033{
2034 png_uint_32 tag_count = png_get_uint_32(profile+128);
2035 png_uint_32 itag;
2036 png_const_bytep tag = profile+132; /* The first tag */
2037
2038 /* First scan all the tags in the table and add bits to the icc_info value
2039 * (temporarily in 'tags').
9c0d9ce3 2040 */
fff5f7d5
VZ
2041 for (itag=0; itag < tag_count; ++itag, tag += 12)
2042 {
2043 png_uint_32 tag_id = png_get_uint_32(tag+0);
2044 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2045 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2046
2047 /* The ICC specification does not exclude zero length tags, therefore the
2048 * start might actually be anywhere if there is no data, but this would be
2049 * a clear abuse of the intent of the standard so the start is checked for
2050 * being in range. All defined tag types have an 8 byte header - a 4 byte
2051 * type signature then 0.
2052 */
2053 if ((tag_start & 3) != 0)
2054 {
2055 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this, it is
2056 * only a warning here because libpng does not care about the
2057 * alignment.
2058 */
2059 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2060 "ICC profile tag start not a multiple of 4");
2061 }
9c0d9ce3 2062
fff5f7d5
VZ
2063 /* This is a hard error; potentially it can cause read outside the
2064 * profile.
2065 */
2066 if (tag_start > profile_length || tag_length > profile_length - tag_start)
2067 return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2068 "ICC profile tag outside profile");
2069 }
9c0d9ce3 2070
fff5f7d5
VZ
2071 return 1; /* success, maybe with warnings */
2072}
2073
2074#ifdef PNG_sRGB_SUPPORTED
2075/* Information about the known ICC sRGB profiles */
2076static const struct
2077{
2078 png_uint_32 adler, crc, length;
2079 png_uint_32 md5[4];
2080 png_byte have_md5;
2081 png_byte is_broken;
2082 png_uint_16 intent;
2083
2084# define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2085# define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2086 { adler, crc, length, md5, broke, intent },
2087
2088} png_sRGB_checks[] =
2089{
2090 /* This data comes from contrib/tools/checksum-icc run on downloads of
2091 * all four ICC sRGB profiles from www.color.org.
9c0d9ce3 2092 */
fff5f7d5
VZ
2093 /* adler32, crc32, MD5[4], intent, date, length, file-name */
2094 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2095 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2096 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2097
2098 /* ICC sRGB v2 perceptual no black-compensation: */
2099 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2100 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2101 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2102
2103 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2104 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2105 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2106
2107 /* ICC sRGB v4 perceptual */
2108 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2109 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2110 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2111
2112 /* The following profiles have no known MD5 checksum. If there is a match
2113 * on the (empty) MD5 the other fields are used to attempt a match and
2114 * a warning is produced. The first two of these profiles have a 'cprt' tag
2115 * which suggests that they were also made by Hewlett Packard.
2116 */
2117 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2118 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2119 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2120
2121 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2122 * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2123 * so the white point is recorded as the un-adapted value.) The profiles
2124 * below only differ in one byte - the intent - and are basically the same as
2125 * the previous profile except for the mediaWhitePointTag error and a missing
2126 * chromaticAdaptationTag.
2127 */
2128 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2129 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2130 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
9c0d9ce3 2131
fff5f7d5
VZ
2132 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2133 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2134 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2135};
9c0d9ce3 2136
fff5f7d5
VZ
2137static int
2138png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2139 png_const_bytep profile, uLong adler)
2140{
2141 /* The quick check is to verify just the MD5 signature and trust the
2142 * rest of the data. Because the profile has already been verified for
2143 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent'
2144 * field too, so if the profile has been edited with an intent not defined
2145 * by sRGB (but maybe defined by a later ICC specification) the read of
2146 * the profile will fail at that point.
2147 */
2148 png_uint_32 length = 0;
2149 png_uint_32 intent = 0x10000; /* invalid */
2150#if PNG_sRGB_PROFILE_CHECKS > 1
2151 uLong crc = 0; /* the value for 0 length data */
2152#endif
2153 unsigned int i;
9c0d9ce3 2154
fff5f7d5
VZ
2155 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2156 {
2157 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2158 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2159 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2160 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2161 {
2162 /* This may be one of the old HP profiles without an MD5, in that
2163 * case we can only use the length and Adler32 (note that these
2164 * are not used by default if there is an MD5!)
2165 */
2166# if PNG_sRGB_PROFILE_CHECKS == 0
2167 if (png_sRGB_checks[i].have_md5)
2168 return 1+png_sRGB_checks[i].is_broken;
2169# endif
9c0d9ce3 2170
fff5f7d5
VZ
2171 /* Profile is unsigned or more checks have been configured in. */
2172 if (length == 0)
2173 {
2174 length = png_get_uint_32(profile);
2175 intent = png_get_uint_32(profile+64);
2176 }
9c0d9ce3 2177
fff5f7d5
VZ
2178 /* Length *and* intent must match */
2179 if (length == png_sRGB_checks[i].length &&
2180 intent == png_sRGB_checks[i].intent)
2181 {
2182 /* Now calculate the adler32 if not done already. */
2183 if (adler == 0)
2184 {
2185 adler = adler32(0, NULL, 0);
2186 adler = adler32(adler, profile, length);
2187 }
2188
2189 if (adler == png_sRGB_checks[i].adler)
2190 {
2191 /* These basic checks suggest that the data has not been
2192 * modified, but if the check level is more than 1 perform
2193 * our own crc32 checksum on the data.
2194 */
2195# if PNG_sRGB_PROFILE_CHECKS > 1
2196 if (crc == 0)
2197 {
2198 crc = crc32(0, NULL, 0);
2199 crc = crc32(crc, profile, length);
2200 }
2201
2202 /* So this check must pass for the 'return' below to happen.
2203 */
2204 if (crc == png_sRGB_checks[i].crc)
2205# endif
2206 {
2207 if (png_sRGB_checks[i].is_broken)
2208 {
2209 /* These profiles are known to have bad data that may cause
2210 * problems if they are used, therefore attempt to
2211 * discourage their use, skip the 'have_md5' warning below,
2212 * which is made irrelevant by this error.
2213 */
2214 png_chunk_report(png_ptr, "known incorrect sRGB profile",
2215 PNG_CHUNK_ERROR);
2216 }
2217
2218 /* Warn that this being done; this isn't even an error since
2219 * the profile is perfectly valid, but it would be nice if
2220 * people used the up-to-date ones.
2221 */
2222 else if (!png_sRGB_checks[i].have_md5)
2223 {
2224 png_chunk_report(png_ptr,
2225 "out-of-date sRGB profile with no signature",
2226 PNG_CHUNK_WARNING);
2227 }
2228
2229 return 1+png_sRGB_checks[i].is_broken;
2230 }
2231 }
2232 }
2233
2234# if PNG_sRGB_PROFILE_CHECKS > 0
2235 /* The signature matched, but the profile had been changed in some
2236 * way. This is an apparent violation of the ICC terms of use and,
2237 * anyway, probably indicates a data error or uninformed hacking.
2238 */
2239 if (png_sRGB_checks[i].have_md5)
2240 png_benign_error(png_ptr,
2241 "copyright violation: edited ICC profile ignored");
2242# endif
2243 }
2244 }
2245
2246 return 0; /* no match */
9c0d9ce3 2247}
fff5f7d5 2248#endif
9c0d9ce3 2249
fff5f7d5
VZ
2250#ifdef PNG_sRGB_SUPPORTED
2251void /* PRIVATE */
2252png_icc_set_sRGB(png_const_structrp png_ptr,
2253 png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
9c0d9ce3 2254{
fff5f7d5
VZ
2255 /* Is this profile one of the known ICC sRGB profiles? If it is, just set
2256 * the sRGB information.
2257 */
2258 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler))
2259 (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2260 (int)/*already checked*/png_get_uint_32(profile+64));
2261}
2262#endif /* PNG_READ_sRGB_SUPPORTED */
9c0d9ce3 2263
fff5f7d5
VZ
2264int /* PRIVATE */
2265png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2266 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2267 int color_type)
2268{
2269 if (colorspace->flags & PNG_COLORSPACE_INVALID)
2270 return 0;
9c0d9ce3 2271
fff5f7d5
VZ
2272 if (png_icc_check_length(png_ptr, colorspace, name, profile_length) &&
2273 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2274 color_type) &&
2275 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2276 profile))
2277 {
2278# ifdef PNG_sRGB_SUPPORTED
2279 /* If no sRGB support, don't try storing sRGB information */
2280 png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2281# endif
2282 return 1;
9c0d9ce3
DS
2283 }
2284
fff5f7d5 2285 /* Failure case */
9c0d9ce3
DS
2286 return 0;
2287}
fff5f7d5
VZ
2288#endif /* iCCP */
2289
2290#ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2291void /* PRIVATE */
2292png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2293{
2294 /* Set the rgb_to_gray coefficients from the colorspace. */
2295 if (!png_ptr->rgb_to_gray_coefficients_set &&
2296 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2297 {
2298 /* png_set_background has not been called, get the coefficients from the Y
2299 * values of the colorspace colorants.
2300 */
2301 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2302 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2303 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2304 png_fixed_point total = r+g+b;
2305
2306 if (total > 0 &&
2307 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2308 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2309 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2310 r+g+b <= 32769)
2311 {
2312 /* We allow 0 coefficients here. r+g+b may be 32769 if two or
2313 * all of the coefficients were rounded up. Handle this by
2314 * reducing the *largest* coefficient by 1; this matches the
2315 * approach used for the default coefficients in pngrtran.c
2316 */
2317 int add = 0;
2318
2319 if (r+g+b > 32768)
2320 add = -1;
2321 else if (r+g+b < 32768)
2322 add = 1;
2323
2324 if (add != 0)
2325 {
2326 if (g >= r && g >= b)
2327 g += add;
2328 else if (r >= g && r >= b)
2329 r += add;
2330 else
2331 b += add;
2332 }
2333
2334 /* Check for an internal error. */
2335 if (r+g+b != 32768)
2336 png_error(png_ptr,
2337 "internal error handling cHRM coefficients");
2338
2339 else
2340 {
2341 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r;
2342 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2343 }
2344 }
2345
2346 /* This is a png_error at present even though it could be ignored -
2347 * it should never happen, but it is important that if it does, the
2348 * bug is fixed.
2349 */
2350 else
2351 png_error(png_ptr, "internal error handling cHRM->XYZ");
2352 }
2353}
9c0d9ce3 2354#endif
b61cc19c 2355
fff5f7d5
VZ
2356#endif /* COLORSPACE */
2357
b61cc19c 2358void /* PRIVATE */
fff5f7d5 2359png_check_IHDR(png_const_structrp png_ptr,
b61cc19c
PC
2360 png_uint_32 width, png_uint_32 height, int bit_depth,
2361 int color_type, int interlace_type, int compression_type,
2362 int filter_type)
2363{
2364 int error = 0;
2365
2366 /* Check for width and height valid values */
2367 if (width == 0)
2368 {
2369 png_warning(png_ptr, "Image width is zero in IHDR");
2370 error = 1;
2371 }
2372
2373 if (height == 0)
2374 {
2375 png_warning(png_ptr, "Image height is zero in IHDR");
2376 error = 1;
2377 }
2378
9c0d9ce3
DS
2379# ifdef PNG_SET_USER_LIMITS_SUPPORTED
2380 if (width > png_ptr->user_width_max)
2381
2382# else
b61cc19c 2383 if (width > PNG_USER_WIDTH_MAX)
9c0d9ce3 2384# endif
b61cc19c
PC
2385 {
2386 png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2387 error = 1;
2388 }
2389
9c0d9ce3
DS
2390# ifdef PNG_SET_USER_LIMITS_SUPPORTED
2391 if (height > png_ptr->user_height_max)
2392# else
b61cc19c 2393 if (height > PNG_USER_HEIGHT_MAX)
9c0d9ce3 2394# endif
b61cc19c
PC
2395 {
2396 png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2397 error = 1;
2398 }
2399
2400 if (width > PNG_UINT_31_MAX)
2401 {
2402 png_warning(png_ptr, "Invalid image width in IHDR");
2403 error = 1;
2404 }
2405
9c0d9ce3 2406 if (height > PNG_UINT_31_MAX)
b61cc19c
PC
2407 {
2408 png_warning(png_ptr, "Invalid image height in IHDR");
2409 error = 1;
2410 }
2411
9c0d9ce3 2412 if (width > (PNG_UINT_32_MAX
b61cc19c 2413 >> 3) /* 8-byte RGBA pixels */
9c0d9ce3 2414 - 48 /* bigrowbuf hack */
b61cc19c
PC
2415 - 1 /* filter byte */
2416 - 7*8 /* rounding of width to multiple of 8 pixels */
2417 - 8) /* extra max_pixel_depth pad */
2418 png_warning(png_ptr, "Width is too large for libpng to process pixels");
2419
2420 /* Check other values */
2421 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2422 bit_depth != 8 && bit_depth != 16)
2423 {
2424 png_warning(png_ptr, "Invalid bit depth in IHDR");
2425 error = 1;
2426 }
2427
2428 if (color_type < 0 || color_type == 1 ||
2429 color_type == 5 || color_type > 6)
2430 {
2431 png_warning(png_ptr, "Invalid color type in IHDR");
2432 error = 1;
2433 }
2434
2435 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2436 ((color_type == PNG_COLOR_TYPE_RGB ||
2437 color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2438 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2439 {
2440 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2441 error = 1;
2442 }
2443
2444 if (interlace_type >= PNG_INTERLACE_LAST)
2445 {
2446 png_warning(png_ptr, "Unknown interlace method in IHDR");
2447 error = 1;
2448 }
2449
2450 if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2451 {
2452 png_warning(png_ptr, "Unknown compression method in IHDR");
2453 error = 1;
2454 }
2455
9c0d9ce3 2456# ifdef PNG_MNG_FEATURES_SUPPORTED
b61cc19c
PC
2457 /* Accept filter_method 64 (intrapixel differencing) only if
2458 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2459 * 2. Libpng did not read a PNG signature (this filter_method is only
2460 * used in PNG datastreams that are embedded in MNG datastreams) and
2461 * 3. The application called png_permit_mng_features with a mask that
2462 * included PNG_FLAG_MNG_FILTER_64 and
2463 * 4. The filter_method is 64 and
2464 * 5. The color_type is RGB or RGBA
2465 */
2466 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) &&
2467 png_ptr->mng_features_permitted)
2468 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2469
2470 if (filter_type != PNG_FILTER_TYPE_BASE)
2471 {
2472 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) &&
9c0d9ce3
DS
2473 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2474 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2475 (color_type == PNG_COLOR_TYPE_RGB ||
2476 color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
b61cc19c
PC
2477 {
2478 png_warning(png_ptr, "Unknown filter method in IHDR");
2479 error = 1;
2480 }
2481
2482 if (png_ptr->mode & PNG_HAVE_PNG_SIGNATURE)
2483 {
2484 png_warning(png_ptr, "Invalid filter method in IHDR");
2485 error = 1;
2486 }
2487 }
2488
9c0d9ce3 2489# else
b61cc19c
PC
2490 if (filter_type != PNG_FILTER_TYPE_BASE)
2491 {
2492 png_warning(png_ptr, "Unknown filter method in IHDR");
2493 error = 1;
2494 }
9c0d9ce3 2495# endif
b61cc19c
PC
2496
2497 if (error == 1)
2498 png_error(png_ptr, "Invalid IHDR data");
2499}
9c0d9ce3
DS
2500
2501#if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2502/* ASCII to fp functions */
2503/* Check an ASCII formated floating point value, see the more detailed
2504 * comments in pngpriv.h
2505 */
2506/* The following is used internally to preserve the sticky flags */
2507#define png_fp_add(state, flags) ((state) |= (flags))
2508#define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2509
2510int /* PRIVATE */
2511png_check_fp_number(png_const_charp string, png_size_t size, int *statep,
2512 png_size_tp whereami)
2513{
2514 int state = *statep;
2515 png_size_t i = *whereami;
2516
2517 while (i < size)
2518 {
2519 int type;
2520 /* First find the type of the next character */
2521 switch (string[i])
2522 {
2523 case 43: type = PNG_FP_SAW_SIGN; break;
2524 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2525 case 46: type = PNG_FP_SAW_DOT; break;
2526 case 48: type = PNG_FP_SAW_DIGIT; break;
2527 case 49: case 50: case 51: case 52:
2528 case 53: case 54: case 55: case 56:
2529 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2530 case 69:
2531 case 101: type = PNG_FP_SAW_E; break;
2532 default: goto PNG_FP_End;
2533 }
2534
2535 /* Now deal with this type according to the current
2536 * state, the type is arranged to not overlap the
2537 * bits of the PNG_FP_STATE.
2538 */
2539 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2540 {
2541 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2542 if (state & PNG_FP_SAW_ANY)
2543 goto PNG_FP_End; /* not a part of the number */
2544
2545 png_fp_add(state, type);
2546 break;
2547
2548 case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2549 /* Ok as trailer, ok as lead of fraction. */
2550 if (state & PNG_FP_SAW_DOT) /* two dots */
2551 goto PNG_FP_End;
2552
2553 else if (state & PNG_FP_SAW_DIGIT) /* trailing dot? */
2554 png_fp_add(state, type);
2555
2556 else
2557 png_fp_set(state, PNG_FP_FRACTION | type);
2558
2559 break;
2560
2561 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2562 if (state & PNG_FP_SAW_DOT) /* delayed fraction */
2563 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2564
2565 png_fp_add(state, type | PNG_FP_WAS_VALID);
2566
2567 break;
2568
2569 case PNG_FP_INTEGER + PNG_FP_SAW_E:
2570 if ((state & PNG_FP_SAW_DIGIT) == 0)
2571 goto PNG_FP_End;
2572
2573 png_fp_set(state, PNG_FP_EXPONENT);
2574
2575 break;
2576
2577 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2578 goto PNG_FP_End; ** no sign in fraction */
2579
2580 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2581 goto PNG_FP_End; ** Because SAW_DOT is always set */
2582
2583 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2584 png_fp_add(state, type | PNG_FP_WAS_VALID);
2585 break;
2586
2587 case PNG_FP_FRACTION + PNG_FP_SAW_E:
2588 /* This is correct because the trailing '.' on an
2589 * integer is handled above - so we can only get here
2590 * with the sequence ".E" (with no preceding digits).
2591 */
2592 if ((state & PNG_FP_SAW_DIGIT) == 0)
2593 goto PNG_FP_End;
2594
2595 png_fp_set(state, PNG_FP_EXPONENT);
2596
2597 break;
2598
2599 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2600 if (state & PNG_FP_SAW_ANY)
2601 goto PNG_FP_End; /* not a part of the number */
2602
2603 png_fp_add(state, PNG_FP_SAW_SIGN);
2604
2605 break;
2606
2607 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2608 goto PNG_FP_End; */
2609
2610 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2611 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2612
2613 break;
2614
2615 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2616 goto PNG_FP_End; */
2617
2618 default: goto PNG_FP_End; /* I.e. break 2 */
2619 }
2620
2621 /* The character seems ok, continue. */
2622 ++i;
2623 }
2624
2625PNG_FP_End:
2626 /* Here at the end, update the state and return the correct
2627 * return code.
2628 */
2629 *statep = state;
2630 *whereami = i;
2631
2632 return (state & PNG_FP_SAW_DIGIT) != 0;
2633}
2634
2635
2636/* The same but for a complete string. */
2637int
2638png_check_fp_string(png_const_charp string, png_size_t size)
2639{
2640 int state=0;
2641 png_size_t char_index=0;
2642
2643 if (png_check_fp_number(string, size, &state, &char_index) &&
2644 (char_index == size || string[char_index] == 0))
2645 return state /* must be non-zero - see above */;
2646
2647 return 0; /* i.e. fail */
2648}
2649#endif /* pCAL or sCAL */
2650
fff5f7d5 2651#ifdef PNG_sCAL_SUPPORTED
9c0d9ce3
DS
2652# ifdef PNG_FLOATING_POINT_SUPPORTED
2653/* Utility used below - a simple accurate power of ten from an integral
2654 * exponent.
2655 */
2656static double
2657png_pow10(int power)
2658{
2659 int recip = 0;
2660 double d = 1;
2661
2662 /* Handle negative exponent with a reciprocal at the end because
2663 * 10 is exact whereas .1 is inexact in base 2
2664 */
2665 if (power < 0)
2666 {
2667 if (power < DBL_MIN_10_EXP) return 0;
2668 recip = 1, power = -power;
2669 }
2670
2671 if (power > 0)
2672 {
2673 /* Decompose power bitwise. */
2674 double mult = 10;
2675 do
2676 {
2677 if (power & 1) d *= mult;
2678 mult *= mult;
2679 power >>= 1;
2680 }
2681 while (power > 0);
2682
2683 if (recip) d = 1/d;
2684 }
2685 /* else power is 0 and d is 1 */
2686
2687 return d;
2688}
2689
2690/* Function to format a floating point value in ASCII with a given
2691 * precision.
2692 */
2693void /* PRIVATE */
fff5f7d5 2694png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size,
9c0d9ce3
DS
2695 double fp, unsigned int precision)
2696{
2697 /* We use standard functions from math.h, but not printf because
2698 * that would require stdio. The caller must supply a buffer of
2699 * sufficient size or we will png_error. The tests on size and
2700 * the space in ascii[] consumed are indicated below.
2701 */
2702 if (precision < 1)
2703 precision = DBL_DIG;
2704
2705 /* Enforce the limit of the implementation precision too. */
2706 if (precision > DBL_DIG+1)
2707 precision = DBL_DIG+1;
2708
2709 /* Basic sanity checks */
2710 if (size >= precision+5) /* See the requirements below. */
2711 {
2712 if (fp < 0)
2713 {
2714 fp = -fp;
2715 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */
2716 --size;
2717 }
2718
2719 if (fp >= DBL_MIN && fp <= DBL_MAX)
2720 {
2721 int exp_b10; /* A base 10 exponent */
2722 double base; /* 10^exp_b10 */
2723
2724 /* First extract a base 10 exponent of the number,
2725 * the calculation below rounds down when converting
2726 * from base 2 to base 10 (multiply by log10(2) -
2727 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2728 * be increased. Note that the arithmetic shift
2729 * performs a floor() unlike C arithmetic - using a
2730 * C multiply would break the following for negative
2731 * exponents.
2732 */
2733 (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2734
2735 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2736
2737 /* Avoid underflow here. */
2738 base = png_pow10(exp_b10); /* May underflow */
2739
2740 while (base < DBL_MIN || base < fp)
2741 {
2742 /* And this may overflow. */
2743 double test = png_pow10(exp_b10+1);
2744
2745 if (test <= DBL_MAX)
2746 ++exp_b10, base = test;
2747
2748 else
2749 break;
2750 }
2751
2752 /* Normalize fp and correct exp_b10, after this fp is in the
2753 * range [.1,1) and exp_b10 is both the exponent and the digit
2754 * *before* which the decimal point should be inserted
2755 * (starting with 0 for the first digit). Note that this
2756 * works even if 10^exp_b10 is out of range because of the
2757 * test on DBL_MAX above.
2758 */
2759 fp /= base;
2760 while (fp >= 1) fp /= 10, ++exp_b10;
2761
2762 /* Because of the code above fp may, at this point, be
2763 * less than .1, this is ok because the code below can
2764 * handle the leading zeros this generates, so no attempt
2765 * is made to correct that here.
2766 */
2767
2768 {
2769 int czero, clead, cdigits;
2770 char exponent[10];
2771
2772 /* Allow up to two leading zeros - this will not lengthen
2773 * the number compared to using E-n.
2774 */
2775 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
2776 {
2777 czero = -exp_b10; /* PLUS 2 digits: TOTAL 3 */
2778 exp_b10 = 0; /* Dot added below before first output. */
2779 }
2780 else
2781 czero = 0; /* No zeros to add */
2782
2783 /* Generate the digit list, stripping trailing zeros and
2784 * inserting a '.' before a digit if the exponent is 0.
2785 */
2786 clead = czero; /* Count of leading zeros */
2787 cdigits = 0; /* Count of digits in list. */
2788
2789 do
2790 {
2791 double d;
2792
2793 fp *= 10;
2794 /* Use modf here, not floor and subtract, so that
2795 * the separation is done in one step. At the end
2796 * of the loop don't break the number into parts so
2797 * that the final digit is rounded.
2798 */
2799 if (cdigits+czero-clead+1 < (int)precision)
2800 fp = modf(fp, &d);
2801
2802 else
2803 {
2804 d = floor(fp + .5);
2805
2806 if (d > 9)
2807 {
2808 /* Rounding up to 10, handle that here. */
2809 if (czero > 0)
2810 {
2811 --czero, d = 1;
2812 if (cdigits == 0) --clead;
2813 }
2814 else
2815 {
2816 while (cdigits > 0 && d > 9)
2817 {
2818 int ch = *--ascii;
2819
2820 if (exp_b10 != (-1))
2821 ++exp_b10;
2822
2823 else if (ch == 46)
2824 {
2825 ch = *--ascii, ++size;
2826 /* Advance exp_b10 to '1', so that the
2827 * decimal point happens after the
2828 * previous digit.
2829 */
2830 exp_b10 = 1;
2831 }
2832
2833 --cdigits;
2834 d = ch - 47; /* I.e. 1+(ch-48) */
2835 }
2836
2837 /* Did we reach the beginning? If so adjust the
2838 * exponent but take into account the leading
2839 * decimal point.
2840 */
2841 if (d > 9) /* cdigits == 0 */
2842 {
2843 if (exp_b10 == (-1))
2844 {
2845 /* Leading decimal point (plus zeros?), if
2846 * we lose the decimal point here it must
2847 * be reentered below.
2848 */
2849 int ch = *--ascii;
2850
2851 if (ch == 46)
2852 ++size, exp_b10 = 1;
2853
2854 /* Else lost a leading zero, so 'exp_b10' is
2855 * still ok at (-1)
2856 */
2857 }
2858 else
2859 ++exp_b10;
2860
2861 /* In all cases we output a '1' */
2862 d = 1;
2863 }
2864 }
2865 }
2866 fp = 0; /* Guarantees termination below. */
2867 }
2868
2869 if (d == 0)
2870 {
2871 ++czero;
2872 if (cdigits == 0) ++clead;
2873 }
2874 else
2875 {
2876 /* Included embedded zeros in the digit count. */
2877 cdigits += czero - clead;
2878 clead = 0;
2879
2880 while (czero > 0)
2881 {
2882 /* exp_b10 == (-1) means we just output the decimal
2883 * place - after the DP don't adjust 'exp_b10' any
2884 * more!
2885 */
2886 if (exp_b10 != (-1))
2887 {
2888 if (exp_b10 == 0) *ascii++ = 46, --size;
2889 /* PLUS 1: TOTAL 4 */
2890 --exp_b10;
2891 }
2892 *ascii++ = 48, --czero;
2893 }
2894
2895 if (exp_b10 != (-1))
2896 {
2897 if (exp_b10 == 0) *ascii++ = 46, --size; /* counted
2898 above */
2899 --exp_b10;
2900 }
2901 *ascii++ = (char)(48 + (int)d), ++cdigits;
2902 }
2903 }
2904 while (cdigits+czero-clead < (int)precision && fp > DBL_MIN);
2905
2906 /* The total output count (max) is now 4+precision */
2907
2908 /* Check for an exponent, if we don't need one we are
2909 * done and just need to terminate the string. At
2910 * this point exp_b10==(-1) is effectively if flag - it got
2911 * to '-1' because of the decrement after outputing
2912 * the decimal point above (the exponent required is
2913 * *not* -1!)
2914 */
2915 if (exp_b10 >= (-1) && exp_b10 <= 2)
2916 {
2917 /* The following only happens if we didn't output the
2918 * leading zeros above for negative exponent, so this
2919 * doest add to the digit requirement. Note that the
2920 * two zeros here can only be output if the two leading
2921 * zeros were *not* output, so this doesn't increase
2922 * the output count.
2923 */
2924 while (--exp_b10 >= 0) *ascii++ = 48;
2925
2926 *ascii = 0;
2927
2928 /* Total buffer requirement (including the '\0') is
2929 * 5+precision - see check at the start.
2930 */
2931 return;
2932 }
2933
2934 /* Here if an exponent is required, adjust size for
2935 * the digits we output but did not count. The total
2936 * digit output here so far is at most 1+precision - no
2937 * decimal point and no leading or trailing zeros have
2938 * been output.
2939 */
2940 size -= cdigits;
2941
2942 *ascii++ = 69, --size; /* 'E': PLUS 1 TOTAL 2+precision */
2943
2944 /* The following use of an unsigned temporary avoids ambiguities in
2945 * the signed arithmetic on exp_b10 and permits GCC at least to do
2946 * better optimization.
2947 */
2948 {
2949 unsigned int uexp_b10;
2950
2951 if (exp_b10 < 0)
2952 {
2953 *ascii++ = 45, --size; /* '-': PLUS 1 TOTAL 3+precision */
2954 uexp_b10 = -exp_b10;
2955 }
2956
2957 else
2958 uexp_b10 = exp_b10;
2959
2960 cdigits = 0;
2961
2962 while (uexp_b10 > 0)
2963 {
2964 exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
2965 uexp_b10 /= 10;
2966 }
2967 }
2968
2969 /* Need another size check here for the exponent digits, so
2970 * this need not be considered above.
2971 */
2972 if ((int)size > cdigits)
2973 {
2974 while (cdigits > 0) *ascii++ = exponent[--cdigits];
2975
2976 *ascii = 0;
2977
2978 return;
2979 }
2980 }
2981 }
2982 else if (!(fp >= DBL_MIN))
2983 {
2984 *ascii++ = 48; /* '0' */
2985 *ascii = 0;
2986 return;
2987 }
2988 else
2989 {
2990 *ascii++ = 105; /* 'i' */
2991 *ascii++ = 110; /* 'n' */
2992 *ascii++ = 102; /* 'f' */
2993 *ascii = 0;
2994 return;
2995 }
2996 }
2997
2998 /* Here on buffer too small. */
2999 png_error(png_ptr, "ASCII conversion buffer too small");
3000}
3001
3002# endif /* FLOATING_POINT */
3003
3004# ifdef PNG_FIXED_POINT_SUPPORTED
3005/* Function to format a fixed point value in ASCII.
3006 */
3007void /* PRIVATE */
fff5f7d5
VZ
3008png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3009 png_size_t size, png_fixed_point fp)
9c0d9ce3
DS
3010{
3011 /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3012 * trailing \0, 13 characters:
3013 */
3014 if (size > 12)
3015 {
3016 png_uint_32 num;
3017
3018 /* Avoid overflow here on the minimum integer. */
3019 if (fp < 0)
3020 *ascii++ = 45, --size, num = -fp;
3021 else
3022 num = fp;
3023
3024 if (num <= 0x80000000) /* else overflowed */
3025 {
3026 unsigned int ndigits = 0, first = 16 /* flag value */;
3027 char digits[10];
3028
3029 while (num)
3030 {
3031 /* Split the low digit off num: */
3032 unsigned int tmp = num/10;
3033 num -= tmp*10;
3034 digits[ndigits++] = (char)(48 + num);
3035 /* Record the first non-zero digit, note that this is a number
3036 * starting at 1, it's not actually the array index.
3037 */
3038 if (first == 16 && num > 0)
3039 first = ndigits;
3040 num = tmp;
3041 }
3042
3043 if (ndigits > 0)
3044 {
3045 while (ndigits > 5) *ascii++ = digits[--ndigits];
3046 /* The remaining digits are fractional digits, ndigits is '5' or
3047 * smaller at this point. It is certainly not zero. Check for a
3048 * non-zero fractional digit:
3049 */
3050 if (first <= 5)
3051 {
3052 unsigned int i;
3053 *ascii++ = 46; /* decimal point */
3054 /* ndigits may be <5 for small numbers, output leading zeros
3055 * then ndigits digits to first:
3056 */
3057 i = 5;
3058 while (ndigits < i) *ascii++ = 48, --i;
3059 while (ndigits >= first) *ascii++ = digits[--ndigits];
3060 /* Don't output the trailing zeros! */
3061 }
3062 }
3063 else
3064 *ascii++ = 48;
3065
3066 /* And null terminate the string: */
3067 *ascii = 0;
3068 return;
3069 }
3070 }
3071
3072 /* Here on buffer too small. */
3073 png_error(png_ptr, "ASCII conversion buffer too small");
3074}
3075# endif /* FIXED_POINT */
3076#endif /* READ_SCAL */
3077
3078#if defined(PNG_FLOATING_POINT_SUPPORTED) && \
fff5f7d5
VZ
3079 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3080 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3081 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3082 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3083 (defined(PNG_sCAL_SUPPORTED) && \
3084 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
9c0d9ce3 3085png_fixed_point
fff5f7d5 3086png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
9c0d9ce3
DS
3087{
3088 double r = floor(100000 * fp + .5);
3089
3090 if (r > 2147483647. || r < -2147483648.)
3091 png_fixed_error(png_ptr, text);
3092
3093 return (png_fixed_point)r;
3094}
3095#endif
3096
3097#if defined(PNG_READ_GAMMA_SUPPORTED) || \
fff5f7d5 3098 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
9c0d9ce3
DS
3099/* muldiv functions */
3100/* This API takes signed arguments and rounds the result to the nearest
3101 * integer (or, for a fixed point number - the standard argument - to
3102 * the nearest .00001). Overflow and divide by zero are signalled in
3103 * the result, a boolean - true on success, false on overflow.
3104 */
3105int
3106png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3107 png_int_32 divisor)
3108{
3109 /* Return a * times / divisor, rounded. */
3110 if (divisor != 0)
3111 {
3112 if (a == 0 || times == 0)
3113 {
3114 *res = 0;
3115 return 1;
3116 }
3117 else
3118 {
3119#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3120 double r = a;
3121 r *= times;
3122 r /= divisor;
3123 r = floor(r+.5);
3124
3125 /* A png_fixed_point is a 32-bit integer. */
3126 if (r <= 2147483647. && r >= -2147483648.)
3127 {
3128 *res = (png_fixed_point)r;
3129 return 1;
3130 }
3131#else
3132 int negative = 0;
3133 png_uint_32 A, T, D;
3134 png_uint_32 s16, s32, s00;
3135
3136 if (a < 0)
3137 negative = 1, A = -a;
3138 else
3139 A = a;
3140
3141 if (times < 0)
3142 negative = !negative, T = -times;
3143 else
3144 T = times;
3145
3146 if (divisor < 0)
3147 negative = !negative, D = -divisor;
3148 else
3149 D = divisor;
3150
3151 /* Following can't overflow because the arguments only
3152 * have 31 bits each, however the result may be 32 bits.
3153 */
3154 s16 = (A >> 16) * (T & 0xffff) +
3155 (A & 0xffff) * (T >> 16);
3156 /* Can't overflow because the a*times bit is only 30
3157 * bits at most.
3158 */
3159 s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3160 s00 = (A & 0xffff) * (T & 0xffff);
3161
3162 s16 = (s16 & 0xffff) << 16;
3163 s00 += s16;
3164
3165 if (s00 < s16)
3166 ++s32; /* carry */
3167
3168 if (s32 < D) /* else overflow */
3169 {
3170 /* s32.s00 is now the 64-bit product, do a standard
3171 * division, we know that s32 < D, so the maximum
3172 * required shift is 31.
3173 */
3174 int bitshift = 32;
3175 png_fixed_point result = 0; /* NOTE: signed */
3176
3177 while (--bitshift >= 0)
3178 {
3179 png_uint_32 d32, d00;
3180
3181 if (bitshift > 0)
3182 d32 = D >> (32-bitshift), d00 = D << bitshift;
3183
3184 else
3185 d32 = 0, d00 = D;
3186
3187 if (s32 > d32)
3188 {
3189 if (s00 < d00) --s32; /* carry */
3190 s32 -= d32, s00 -= d00, result += 1<<bitshift;
3191 }
3192
3193 else
3194 if (s32 == d32 && s00 >= d00)
3195 s32 = 0, s00 -= d00, result += 1<<bitshift;
3196 }
3197
3198 /* Handle the rounding. */
3199 if (s00 >= (D >> 1))
3200 ++result;
3201
3202 if (negative)
3203 result = -result;
3204
3205 /* Check for overflow. */
3206 if ((negative && result <= 0) || (!negative && result >= 0))
3207 {
3208 *res = result;
3209 return 1;
3210 }
3211 }
3212#endif
3213 }
3214 }
3215
3216 return 0;
3217}
3218#endif /* READ_GAMMA || INCH_CONVERSIONS */
3219
3220#if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3221/* The following is for when the caller doesn't much care about the
3222 * result.
3223 */
3224png_fixed_point
fff5f7d5 3225png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
9c0d9ce3
DS
3226 png_int_32 divisor)
3227{
3228 png_fixed_point result;
3229
3230 if (png_muldiv(&result, a, times, divisor))
3231 return result;
3232
3233 png_warning(png_ptr, "fixed point overflow ignored");
3234 return 0;
3235}
3236#endif
3237
fff5f7d5 3238#ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
9c0d9ce3
DS
3239/* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3240png_fixed_point
3241png_reciprocal(png_fixed_point a)
3242{
3243#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3244 double r = floor(1E10/a+.5);
3245
3246 if (r <= 2147483647. && r >= -2147483648.)
3247 return (png_fixed_point)r;
3248#else
3249 png_fixed_point res;
3250
3251 if (png_muldiv(&res, 100000, 100000, a))
3252 return res;
3253#endif
3254
3255 return 0; /* error/overflow */
3256}
3257
fff5f7d5
VZ
3258/* This is the shared test on whether a gamma value is 'significant' - whether
3259 * it is worth doing gamma correction.
3260 */
3261int /* PRIVATE */
3262png_gamma_significant(png_fixed_point gamma_val)
3263{
3264 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3265 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3266}
3267#endif
3268
3269#ifdef PNG_READ_GAMMA_SUPPORTED
9c0d9ce3
DS
3270/* A local convenience routine. */
3271static png_fixed_point
3272png_product2(png_fixed_point a, png_fixed_point b)
3273{
3274 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3275#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3276 double r = a * 1E-5;
3277 r *= b;
3278 r = floor(r+.5);
3279
3280 if (r <= 2147483647. && r >= -2147483648.)
3281 return (png_fixed_point)r;
3282#else
3283 png_fixed_point res;
3284
3285 if (png_muldiv(&res, a, b, 100000))
3286 return res;
3287#endif
3288
3289 return 0; /* overflow */
3290}
3291
3292/* The inverse of the above. */
3293png_fixed_point
3294png_reciprocal2(png_fixed_point a, png_fixed_point b)
3295{
3296 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3297#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3298 double r = 1E15/a;
3299 r /= b;
3300 r = floor(r+.5);
3301
3302 if (r <= 2147483647. && r >= -2147483648.)
3303 return (png_fixed_point)r;
3304#else
3305 /* This may overflow because the range of png_fixed_point isn't symmetric,
3306 * but this API is only used for the product of file and screen gamma so it
3307 * doesn't matter that the smallest number it can produce is 1/21474, not
3308 * 1/100000
3309 */
3310 png_fixed_point res = png_product2(a, b);
3311
3312 if (res != 0)
3313 return png_reciprocal(res);
3314#endif
3315
3316 return 0; /* overflow */
3317}
3318#endif /* READ_GAMMA */
3319
9c0d9ce3
DS
3320#ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3321#ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3322/* Fixed point gamma.
fff5f7d5
VZ
3323 *
3324 * The code to calculate the tables used below can be found in the shell script
3325 * contrib/tools/intgamma.sh
9c0d9ce3
DS
3326 *
3327 * To calculate gamma this code implements fast log() and exp() calls using only
3328 * fixed point arithmetic. This code has sufficient precision for either 8-bit
3329 * or 16-bit sample values.
3330 *
3331 * The tables used here were calculated using simple 'bc' programs, but C double
fff5f7d5 3332 * precision floating point arithmetic would work fine.
9c0d9ce3
DS
3333 *
3334 * 8-bit log table
3335 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3336 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point
3337 * mantissa. The numbers are 32-bit fractions.
3338 */
fff5f7d5 3339static const png_uint_32
9c0d9ce3
DS
3340png_8bit_l2[128] =
3341{
9c0d9ce3
DS
3342 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3343 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3344 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3345 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3346 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3347 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3348 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3349 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3350 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3351 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3352 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3353 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3354 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3355 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3356 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3357 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3358 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3359 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3360 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3361 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3362 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3363 24347096U, 0U
72281370 3364
9c0d9ce3
DS
3365#if 0
3366 /* The following are the values for 16-bit tables - these work fine for the
3367 * 8-bit conversions but produce very slightly larger errors in the 16-bit
3368 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To
3369 * use these all the shifts below must be adjusted appropriately.
3370 */
3371 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3372 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3373 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3374 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3375 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3376 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3377 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3378 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3379 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3380 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3381 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3382 1119, 744, 372
3383#endif
3384};
3385
fff5f7d5 3386static png_int_32
9c0d9ce3
DS
3387png_log8bit(unsigned int x)
3388{
3389 unsigned int lg2 = 0;
3390 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3391 * because the log is actually negate that means adding 1. The final
3392 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
fff5f7d5 3393 * input), return -1 for the overflow (log 0) case, - so the result is
9c0d9ce3
DS
3394 * always at most 19 bits.
3395 */
3396 if ((x &= 0xff) == 0)
fff5f7d5 3397 return -1;
9c0d9ce3
DS
3398
3399 if ((x & 0xf0) == 0)
3400 lg2 = 4, x <<= 4;
3401
3402 if ((x & 0xc0) == 0)
3403 lg2 += 2, x <<= 2;
3404
3405 if ((x & 0x80) == 0)
3406 lg2 += 1, x <<= 1;
3407
3408 /* result is at most 19 bits, so this cast is safe: */
3409 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3410}
3411
3412/* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3413 * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3414 * get an approximation then multiply the approximation by a correction factor
3415 * determined by the remaining up to 8 bits. This requires an additional step
3416 * in the 16-bit case.
3417 *
3418 * We want log2(value/65535), we have log2(v'/255), where:
3419 *
3420 * value = v' * 256 + v''
3421 * = v' * f
3422 *
3423 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3424 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3425 * than 258. The final factor also needs to correct for the fact that our 8-bit
3426 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3427 *
3428 * This gives a final formula using a calculated value 'x' which is value/v' and
3429 * scaling by 65536 to match the above table:
3430 *
3431 * log2(x/257) * 65536
3432 *
3433 * Since these numbers are so close to '1' we can use simple linear
3434 * interpolation between the two end values 256/257 (result -368.61) and 258/257
3435 * (result 367.179). The values used below are scaled by a further 64 to give
3436 * 16-bit precision in the interpolation:
3437 *
3438 * Start (256): -23591
3439 * Zero (257): 0
3440 * End (258): 23499
3441 */
fff5f7d5 3442static png_int_32
9c0d9ce3
DS
3443png_log16bit(png_uint_32 x)
3444{
3445 unsigned int lg2 = 0;
3446
3447 /* As above, but now the input has 16 bits. */
3448 if ((x &= 0xffff) == 0)
fff5f7d5 3449 return -1;
9c0d9ce3
DS
3450
3451 if ((x & 0xff00) == 0)
3452 lg2 = 8, x <<= 8;
3453
3454 if ((x & 0xf000) == 0)
3455 lg2 += 4, x <<= 4;
3456
3457 if ((x & 0xc000) == 0)
3458 lg2 += 2, x <<= 2;
3459
3460 if ((x & 0x8000) == 0)
3461 lg2 += 1, x <<= 1;
3462
3463 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3464 * value.
3465 */
3466 lg2 <<= 28;
3467 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3468
3469 /* Now we need to interpolate the factor, this requires a division by the top
3470 * 8 bits. Do this with maximum precision.
3471 */
3472 x = ((x << 16) + (x >> 9)) / (x >> 8);
3473
3474 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3475 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3476 * 16 bits to interpolate to get the low bits of the result. Round the
3477 * answer. Note that the end point values are scaled by 64 to retain overall
3478 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3479 * the overall scaling by 6-12. Round at every step.
3480 */
3481 x -= 1U << 24;
3482
3483 if (x <= 65536U) /* <= '257' */
3484 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3485
3486 else
3487 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3488
3489 /* Safe, because the result can't have more than 20 bits: */
3490 return (png_int_32)((lg2 + 2048) >> 12);
3491}
3492
3493/* The 'exp()' case must invert the above, taking a 20-bit fixed point
3494 * logarithmic value and returning a 16 or 8-bit number as appropriate. In
3495 * each case only the low 16 bits are relevant - the fraction - since the
3496 * integer bits (the top 4) simply determine a shift.
3497 *
3498 * The worst case is the 16-bit distinction between 65535 and 65534, this
fff5f7d5 3499 * requires perhaps spurious accuracty in the decoding of the logarithm to
9c0d9ce3
DS
3500 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance
3501 * of getting this accuracy in practice.
3502 *
3503 * To deal with this the following exp() function works out the exponent of the
3504 * frational part of the logarithm by using an accurate 32-bit value from the
3505 * top four fractional bits then multiplying in the remaining bits.
3506 */
fff5f7d5 3507static const png_uint_32
9c0d9ce3
DS
3508png_32bit_exp[16] =
3509{
9c0d9ce3
DS
3510 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3511 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3512 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3513 2553802834U, 2445529972U, 2341847524U, 2242560872U
3514};
3515
3516/* Adjustment table; provided to explain the numbers in the code below. */
fff5f7d5 3517#if 0
9c0d9ce3
DS
3518for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3519 11 44937.64284865548751208448
3520 10 45180.98734845585101160448
3521 9 45303.31936980687359311872
3522 8 45364.65110595323018870784
3523 7 45395.35850361789624614912
3524 6 45410.72259715102037508096
3525 5 45418.40724413220722311168
3526 4 45422.25021786898173001728
3527 3 45424.17186732298419044352
3528 2 45425.13273269940811464704
3529 1 45425.61317555035558641664
3530 0 45425.85339951654943850496
3531#endif
3532
fff5f7d5 3533static png_uint_32
9c0d9ce3
DS
3534png_exp(png_fixed_point x)
3535{
3536 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3537 {
3538 /* Obtain a 4-bit approximation */
3539 png_uint_32 e = png_32bit_exp[(x >> 12) & 0xf];
3540
3541 /* Incorporate the low 12 bits - these decrease the returned value by
3542 * multiplying by a number less than 1 if the bit is set. The multiplier
3543 * is determined by the above table and the shift. Notice that the values
3544 * converge on 45426 and this is used to allow linear interpolation of the
3545 * low bits.
3546 */
3547 if (x & 0x800)
3548 e -= (((e >> 16) * 44938U) + 16U) >> 5;
3549
3550 if (x & 0x400)
3551 e -= (((e >> 16) * 45181U) + 32U) >> 6;
3552
3553 if (x & 0x200)
3554 e -= (((e >> 16) * 45303U) + 64U) >> 7;
3555
3556 if (x & 0x100)
3557 e -= (((e >> 16) * 45365U) + 128U) >> 8;
3558
3559 if (x & 0x080)
3560 e -= (((e >> 16) * 45395U) + 256U) >> 9;
3561
3562 if (x & 0x040)
3563 e -= (((e >> 16) * 45410U) + 512U) >> 10;
3564
3565 /* And handle the low 6 bits in a single block. */
3566 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3567
3568 /* Handle the upper bits of x. */
3569 e >>= x >> 16;
3570 return e;
3571 }
3572
3573 /* Check for overflow */
3574 if (x <= 0)
3575 return png_32bit_exp[0];
3576
3577 /* Else underflow */
3578 return 0;
3579}
3580
fff5f7d5 3581static png_byte
9c0d9ce3
DS
3582png_exp8bit(png_fixed_point lg2)
3583{
3584 /* Get a 32-bit value: */
3585 png_uint_32 x = png_exp(lg2);
3586
3587 /* Convert the 32-bit value to 0..255 by multiplying by 256-1, note that the
3588 * second, rounding, step can't overflow because of the first, subtraction,
3589 * step.
3590 */
3591 x -= x >> 8;
3592 return (png_byte)((x + 0x7fffffU) >> 24);
3593}
3594
fff5f7d5 3595static png_uint_16
9c0d9ce3
DS
3596png_exp16bit(png_fixed_point lg2)
3597{
3598 /* Get a 32-bit value: */
3599 png_uint_32 x = png_exp(lg2);
3600
3601 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3602 x -= x >> 16;
3603 return (png_uint_16)((x + 32767U) >> 16);
3604}
3605#endif /* FLOATING_ARITHMETIC */
3606
3607png_byte
3608png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3609{
3610 if (value > 0 && value < 255)
3611 {
3612# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3613 double r = floor(255*pow(value/255.,gamma_val*.00001)+.5);
3614 return (png_byte)r;
3615# else
3616 png_int_32 lg2 = png_log8bit(value);
3617 png_fixed_point res;
3618
3619 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1))
3620 return png_exp8bit(res);
3621
3622 /* Overflow. */
3623 value = 0;
3624# endif
3625 }
3626
3627 return (png_byte)value;
3628}
3629
3630png_uint_16
3631png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3632{
3633 if (value > 0 && value < 65535)
3634 {
3635# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3636 double r = floor(65535*pow(value/65535.,gamma_val*.00001)+.5);
3637 return (png_uint_16)r;
3638# else
3639 png_int_32 lg2 = png_log16bit(value);
3640 png_fixed_point res;
3641
3642 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1))
3643 return png_exp16bit(res);
3644
3645 /* Overflow. */
3646 value = 0;
3647# endif
3648 }
3649
3650 return (png_uint_16)value;
3651}
3652
3653/* This does the right thing based on the bit_depth field of the
3654 * png_struct, interpreting values as 8-bit or 16-bit. While the result
3655 * is nominally a 16-bit value if bit depth is 8 then the result is
3656 * 8-bit (as are the arguments.)
3657 */
3658png_uint_16 /* PRIVATE */
fff5f7d5 3659png_gamma_correct(png_structrp png_ptr, unsigned int value,
9c0d9ce3
DS
3660 png_fixed_point gamma_val)
3661{
3662 if (png_ptr->bit_depth == 8)
3663 return png_gamma_8bit_correct(value, gamma_val);
3664
3665 else
3666 return png_gamma_16bit_correct(value, gamma_val);
3667}
3668
9c0d9ce3 3669/* Internal function to build a single 16-bit table - the table consists of
fff5f7d5 3670 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
9c0d9ce3
DS
3671 * to shift the input values right (or 16-number_of_signifiant_bits).
3672 *
3673 * The caller is responsible for ensuring that the table gets cleaned up on
3674 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3675 * should be somewhere that will be cleaned.
3676 */
3677static void
fff5f7d5 3678png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
9c0d9ce3
DS
3679 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
3680{
3681 /* Various values derived from 'shift': */
3682 PNG_CONST unsigned int num = 1U << (8U - shift);
3683 PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
3684 PNG_CONST unsigned int max_by_2 = 1U << (15U-shift);
3685 unsigned int i;
3686
3687 png_uint_16pp table = *ptable =
fff5f7d5 3688 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
9c0d9ce3
DS
3689
3690 for (i = 0; i < num; i++)
3691 {
3692 png_uint_16p sub_table = table[i] =
fff5f7d5 3693 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
9c0d9ce3
DS
3694
3695 /* The 'threshold' test is repeated here because it can arise for one of
3696 * the 16-bit tables even if the others don't hit it.
3697 */
3698 if (png_gamma_significant(gamma_val))
3699 {
3700 /* The old code would overflow at the end and this would cause the
3701 * 'pow' function to return a result >1, resulting in an
3702 * arithmetic error. This code follows the spec exactly; ig is
3703 * the recovered input sample, it always has 8-16 bits.
3704 *
3705 * We want input * 65535/max, rounded, the arithmetic fits in 32
3706 * bits (unsigned) so long as max <= 32767.
3707 */
3708 unsigned int j;
3709 for (j = 0; j < 256; j++)
3710 {
3711 png_uint_32 ig = (j << (8-shift)) + i;
3712# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3713 /* Inline the 'max' scaling operation: */
3714 double d = floor(65535*pow(ig/(double)max, gamma_val*.00001)+.5);
3715 sub_table[j] = (png_uint_16)d;
3716# else
3717 if (shift)
3718 ig = (ig * 65535U + max_by_2)/max;
3719
3720 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
3721# endif
3722 }
3723 }
3724 else
3725 {
3726 /* We must still build a table, but do it the fast way. */
3727 unsigned int j;
3728
3729 for (j = 0; j < 256; j++)
3730 {
3731 png_uint_32 ig = (j << (8-shift)) + i;
3732
3733 if (shift)
3734 ig = (ig * 65535U + max_by_2)/max;
3735
3736 sub_table[j] = (png_uint_16)ig;
3737 }
3738 }
3739 }
3740}
3741
3742/* NOTE: this function expects the *inverse* of the overall gamma transformation
3743 * required.
3744 */
3745static void
fff5f7d5 3746png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
9c0d9ce3
DS
3747 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val)
3748{
3749 PNG_CONST unsigned int num = 1U << (8U - shift);
3750 PNG_CONST unsigned int max = (1U << (16U - shift))-1U;
3751 unsigned int i;
3752 png_uint_32 last;
3753
3754 png_uint_16pp table = *ptable =
fff5f7d5 3755 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
9c0d9ce3 3756
fff5f7d5
VZ
3757 /* 'num' is the number of tables and also the number of low bits of low
3758 * bits of the input 16-bit value used to select a table. Each table is
3759 * itself index by the high 8 bits of the value.
9c0d9ce3
DS
3760 */
3761 for (i = 0; i < num; i++)
3762 table[i] = (png_uint_16p)png_malloc(png_ptr,
fff5f7d5 3763 256 * (sizeof (png_uint_16)));
9c0d9ce3
DS
3764
3765 /* 'gamma_val' is set to the reciprocal of the value calculated above, so
3766 * pow(out,g) is an *input* value. 'last' is the last input value set.
3767 *
3768 * In the loop 'i' is used to find output values. Since the output is
3769 * 8-bit there are only 256 possible values. The tables are set up to
3770 * select the closest possible output value for each input by finding
3771 * the input value at the boundary between each pair of output values
3772 * and filling the table up to that boundary with the lower output
3773 * value.
3774 *
3775 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit
3776 * values the code below uses a 16-bit value in i; the values start at
3777 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
3778 * entries are filled with 255). Start i at 128 and fill all 'last'
3779 * table entries <= 'max'
3780 */
3781 last = 0;
3782 for (i = 0; i < 255; ++i) /* 8-bit output value */
3783 {
3784 /* Find the corresponding maximum input value */
3785 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
3786
3787 /* Find the boundary value in 16 bits: */
3788 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
3789
3790 /* Adjust (round) to (16-shift) bits: */
3791 bound = (bound * max + 32768U)/65535U + 1U;
3792
3793 while (last < bound)
3794 {
3795 table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
3796 last++;
3797 }
3798 }
3799
3800 /* And fill in the final entries. */
3801 while (last < (num << 8))
3802 {
3803 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
3804 last++;
3805 }
3806}
3807
3808/* Build a single 8-bit table: same as the 16-bit case but much simpler (and
3809 * typically much faster). Note that libpng currently does no sBIT processing
fff5f7d5 3810 * (apparently contrary to the spec) so a 256 entry table is always generated.
9c0d9ce3
DS
3811 */
3812static void
fff5f7d5 3813png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
9c0d9ce3
DS
3814 PNG_CONST png_fixed_point gamma_val)
3815{
3816 unsigned int i;
3817 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
3818
3819 if (png_gamma_significant(gamma_val)) for (i=0; i<256; i++)
3820 table[i] = png_gamma_8bit_correct(i, gamma_val);
3821
3822 else for (i=0; i<256; ++i)
3823 table[i] = (png_byte)i;
3824}
3825
3826/* Used from png_read_destroy and below to release the memory used by the gamma
3827 * tables.
3828 */
3829void /* PRIVATE */
fff5f7d5 3830png_destroy_gamma_table(png_structrp png_ptr)
9c0d9ce3
DS
3831{
3832 png_free(png_ptr, png_ptr->gamma_table);
3833 png_ptr->gamma_table = NULL;
3834
3835 if (png_ptr->gamma_16_table != NULL)
3836 {
3837 int i;
3838 int istop = (1 << (8 - png_ptr->gamma_shift));
3839 for (i = 0; i < istop; i++)
3840 {
3841 png_free(png_ptr, png_ptr->gamma_16_table[i]);
3842 }
3843 png_free(png_ptr, png_ptr->gamma_16_table);
3844 png_ptr->gamma_16_table = NULL;
3845 }
3846
3847#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3848 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
3849 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
3850 png_free(png_ptr, png_ptr->gamma_from_1);
3851 png_ptr->gamma_from_1 = NULL;
3852 png_free(png_ptr, png_ptr->gamma_to_1);
3853 png_ptr->gamma_to_1 = NULL;
3854
3855 if (png_ptr->gamma_16_from_1 != NULL)
3856 {
3857 int i;
3858 int istop = (1 << (8 - png_ptr->gamma_shift));
3859 for (i = 0; i < istop; i++)
3860 {
3861 png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
3862 }
3863 png_free(png_ptr, png_ptr->gamma_16_from_1);
3864 png_ptr->gamma_16_from_1 = NULL;
3865 }
3866 if (png_ptr->gamma_16_to_1 != NULL)
3867 {
3868 int i;
3869 int istop = (1 << (8 - png_ptr->gamma_shift));
3870 for (i = 0; i < istop; i++)
3871 {
3872 png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
3873 }
3874 png_free(png_ptr, png_ptr->gamma_16_to_1);
3875 png_ptr->gamma_16_to_1 = NULL;
3876 }
3877#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
3878}
3879
3880/* We build the 8- or 16-bit gamma tables here. Note that for 16-bit
3881 * tables, we don't make a full table if we are reducing to 8-bit in
3882 * the future. Note also how the gamma_16 tables are segmented so that
3883 * we don't need to allocate > 64K chunks for a full 16-bit table.
3884 */
3885void /* PRIVATE */
fff5f7d5 3886png_build_gamma_table(png_structrp png_ptr, int bit_depth)
9c0d9ce3
DS
3887{
3888 png_debug(1, "in png_build_gamma_table");
3889
3890 /* Remove any existing table; this copes with multiple calls to
3891 * png_read_update_info. The warning is because building the gamma tables
3892 * multiple times is a performance hit - it's harmless but the ability to call
3893 * png_read_update_info() multiple times is new in 1.5.6 so it seems sensible
3894 * to warn if the app introduces such a hit.
3895 */
3896 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
3897 {
3898 png_warning(png_ptr, "gamma table being rebuilt");
3899 png_destroy_gamma_table(png_ptr);
3900 }
3901
3902 if (bit_depth <= 8)
3903 {
3904 png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
fff5f7d5 3905 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
9c0d9ce3
DS
3906 png_ptr->screen_gamma) : PNG_FP_1);
3907
3908#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3909 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
3910 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
3911 if (png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY))
3912 {
3913 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
fff5f7d5 3914 png_reciprocal(png_ptr->colorspace.gamma));
9c0d9ce3
DS
3915
3916 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
3917 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
fff5f7d5 3918 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
9c0d9ce3
DS
3919 }
3920#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
3921 }
3922 else
3923 {
3924 png_byte shift, sig_bit;
3925
3926 if (png_ptr->color_type & PNG_COLOR_MASK_COLOR)
3927 {
3928 sig_bit = png_ptr->sig_bit.red;
3929
3930 if (png_ptr->sig_bit.green > sig_bit)
3931 sig_bit = png_ptr->sig_bit.green;
3932
3933 if (png_ptr->sig_bit.blue > sig_bit)
3934 sig_bit = png_ptr->sig_bit.blue;
3935 }
3936 else
3937 sig_bit = png_ptr->sig_bit.gray;
3938
3939 /* 16-bit gamma code uses this equation:
3940 *
3941 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
3942 *
3943 * Where 'iv' is the input color value and 'ov' is the output value -
3944 * pow(iv, gamma).
3945 *
fff5f7d5 3946 * Thus the gamma table consists of up to 256 256 entry tables. The table
9c0d9ce3
DS
3947 * is selected by the (8-gamma_shift) most significant of the low 8 bits of
3948 * the color value then indexed by the upper 8 bits:
3949 *
3950 * table[low bits][high 8 bits]
3951 *
3952 * So the table 'n' corresponds to all those 'iv' of:
3953 *
3954 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
3955 *
3956 */
3957 if (sig_bit > 0 && sig_bit < 16U)
3958 shift = (png_byte)(16U - sig_bit); /* shift == insignificant bits */
3959
3960 else
3961 shift = 0; /* keep all 16 bits */
3962
3963 if (png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8))
3964 {
3965 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
3966 * the significant bits in the *input* when the output will
3967 * eventually be 8 bits. By default it is 11.
3968 */
3969 if (shift < (16U - PNG_MAX_GAMMA_8))
3970 shift = (16U - PNG_MAX_GAMMA_8);
3971 }
3972
3973 if (shift > 8U)
3974 shift = 8U; /* Guarantees at least one table! */
3975
3976 png_ptr->gamma_shift = shift;
3977
3978#ifdef PNG_16BIT_SUPPORTED
3979 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
3980 * PNG_COMPOSE). This effectively smashed the background calculation for
3981 * 16-bit output because the 8-bit table assumes the result will be reduced
3982 * to 8 bits.
3983 */
3984 if (png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8))
3985#endif
3986 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
fff5f7d5 3987 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
9c0d9ce3
DS
3988 png_ptr->screen_gamma) : PNG_FP_1);
3989
3990#ifdef PNG_16BIT_SUPPORTED
3991 else
3992 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
fff5f7d5 3993 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
9c0d9ce3
DS
3994 png_ptr->screen_gamma) : PNG_FP_1);
3995#endif
3996
3997#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3998 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
3999 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4000 if (png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY))
4001 {
4002 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
fff5f7d5 4003 png_reciprocal(png_ptr->colorspace.gamma));
9c0d9ce3
DS
4004
4005 /* Notice that the '16 from 1' table should be full precision, however
4006 * the lookup on this table still uses gamma_shift, so it can't be.
4007 * TODO: fix this.
4008 */
4009 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4010 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
fff5f7d5 4011 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
9c0d9ce3
DS
4012 }
4013#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4014 }
4015}
4016#endif /* READ_GAMMA */
fff5f7d5
VZ
4017
4018/* HARDWARE OPTION SUPPORT */
4019#ifdef PNG_SET_OPTION_SUPPORTED
4020int PNGAPI
4021png_set_option(png_structrp png_ptr, int option, int onoff)
4022{
4023 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4024 (option & 1) == 0)
4025 {
4026 int mask = 3 << option;
4027 int setting = (2 + (onoff != 0)) << option;
4028 int current = png_ptr->options;
4029
4030 png_ptr->options = (png_byte)((current & ~mask) | setting);
4031
4032 return (current & mask) >> option;
4033 }
4034
4035 return PNG_OPTION_INVALID;
4036}
4037#endif
4038
4039/* sRGB support */
4040#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4041 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4042/* sRGB conversion tables; these are machine generated with the code in
4043 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the
4044 * specification (see the article at http://en.wikipedia.org/wiki/SRGB)
4045 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4046 * The sRGB to linear table is exact (to the nearest 16 bit linear fraction).
4047 * The inverse (linear to sRGB) table has accuracies as follows:
4048 *
4049 * For all possible (255*65535+1) input values:
4050 *
4051 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4052 *
4053 * For the input values corresponding to the 65536 16-bit values:
4054 *
4055 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4056 *
4057 * In all cases the inexact readings are off by one.
4058 */
4059
4060#ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4061/* The convert-to-sRGB table is only currently required for read. */
4062const png_uint_16 png_sRGB_table[256] =
4063{
4064 0,20,40,60,80,99,119,139,
4065 159,179,199,219,241,264,288,313,
4066 340,367,396,427,458,491,526,562,
4067 599,637,677,718,761,805,851,898,
4068 947,997,1048,1101,1156,1212,1270,1330,
4069 1391,1453,1517,1583,1651,1720,1790,1863,
4070 1937,2013,2090,2170,2250,2333,2418,2504,
4071 2592,2681,2773,2866,2961,3058,3157,3258,
4072 3360,3464,3570,3678,3788,3900,4014,4129,
4073 4247,4366,4488,4611,4736,4864,4993,5124,
4074 5257,5392,5530,5669,5810,5953,6099,6246,
4075 6395,6547,6700,6856,7014,7174,7335,7500,
4076 7666,7834,8004,8177,8352,8528,8708,8889,
4077 9072,9258,9445,9635,9828,10022,10219,10417,
4078 10619,10822,11028,11235,11446,11658,11873,12090,
4079 12309,12530,12754,12980,13209,13440,13673,13909,
4080 14146,14387,14629,14874,15122,15371,15623,15878,
4081 16135,16394,16656,16920,17187,17456,17727,18001,
4082 18277,18556,18837,19121,19407,19696,19987,20281,
4083 20577,20876,21177,21481,21787,22096,22407,22721,
4084 23038,23357,23678,24002,24329,24658,24990,25325,
4085 25662,26001,26344,26688,27036,27386,27739,28094,
4086 28452,28813,29176,29542,29911,30282,30656,31033,
4087 31412,31794,32179,32567,32957,33350,33745,34143,
4088 34544,34948,35355,35764,36176,36591,37008,37429,
4089 37852,38278,38706,39138,39572,40009,40449,40891,
4090 41337,41785,42236,42690,43147,43606,44069,44534,
4091 45002,45473,45947,46423,46903,47385,47871,48359,
4092 48850,49344,49841,50341,50844,51349,51858,52369,
4093 52884,53401,53921,54445,54971,55500,56032,56567,
4094 57105,57646,58190,58737,59287,59840,60396,60955,
4095 61517,62082,62650,63221,63795,64372,64952,65535
4096};
4097
4098#endif /* simplified read only */
4099
4100/* The base/delta tables are required for both read and write (but currently
4101 * only the simplified versions.)
4102 */
4103const png_uint_16 png_sRGB_base[512] =
4104{
4105 128,1782,3383,4644,5675,6564,7357,8074,
4106 8732,9346,9921,10463,10977,11466,11935,12384,
4107 12816,13233,13634,14024,14402,14769,15125,15473,
4108 15812,16142,16466,16781,17090,17393,17690,17981,
4109 18266,18546,18822,19093,19359,19621,19879,20133,
4110 20383,20630,20873,21113,21349,21583,21813,22041,
4111 22265,22487,22707,22923,23138,23350,23559,23767,
4112 23972,24175,24376,24575,24772,24967,25160,25352,
4113 25542,25730,25916,26101,26284,26465,26645,26823,
4114 27000,27176,27350,27523,27695,27865,28034,28201,
4115 28368,28533,28697,28860,29021,29182,29341,29500,
4116 29657,29813,29969,30123,30276,30429,30580,30730,
4117 30880,31028,31176,31323,31469,31614,31758,31902,
4118 32045,32186,32327,32468,32607,32746,32884,33021,
4119 33158,33294,33429,33564,33697,33831,33963,34095,
4120 34226,34357,34486,34616,34744,34873,35000,35127,
4121 35253,35379,35504,35629,35753,35876,35999,36122,
4122 36244,36365,36486,36606,36726,36845,36964,37083,
4123 37201,37318,37435,37551,37668,37783,37898,38013,
4124 38127,38241,38354,38467,38580,38692,38803,38915,
4125 39026,39136,39246,39356,39465,39574,39682,39790,
4126 39898,40005,40112,40219,40325,40431,40537,40642,
4127 40747,40851,40955,41059,41163,41266,41369,41471,
4128 41573,41675,41777,41878,41979,42079,42179,42279,
4129 42379,42478,42577,42676,42775,42873,42971,43068,
4130 43165,43262,43359,43456,43552,43648,43743,43839,
4131 43934,44028,44123,44217,44311,44405,44499,44592,
4132 44685,44778,44870,44962,45054,45146,45238,45329,
4133 45420,45511,45601,45692,45782,45872,45961,46051,
4134 46140,46229,46318,46406,46494,46583,46670,46758,
4135 46846,46933,47020,47107,47193,47280,47366,47452,
4136 47538,47623,47709,47794,47879,47964,48048,48133,
4137 48217,48301,48385,48468,48552,48635,48718,48801,
4138 48884,48966,49048,49131,49213,49294,49376,49458,
4139 49539,49620,49701,49782,49862,49943,50023,50103,
4140 50183,50263,50342,50422,50501,50580,50659,50738,
4141 50816,50895,50973,51051,51129,51207,51285,51362,
4142 51439,51517,51594,51671,51747,51824,51900,51977,
4143 52053,52129,52205,52280,52356,52432,52507,52582,
4144 52657,52732,52807,52881,52956,53030,53104,53178,
4145 53252,53326,53400,53473,53546,53620,53693,53766,
4146 53839,53911,53984,54056,54129,54201,54273,54345,
4147 54417,54489,54560,54632,54703,54774,54845,54916,
4148 54987,55058,55129,55199,55269,55340,55410,55480,
4149 55550,55620,55689,55759,55828,55898,55967,56036,
4150 56105,56174,56243,56311,56380,56448,56517,56585,
4151 56653,56721,56789,56857,56924,56992,57059,57127,
4152 57194,57261,57328,57395,57462,57529,57595,57662,
4153 57728,57795,57861,57927,57993,58059,58125,58191,
4154 58256,58322,58387,58453,58518,58583,58648,58713,
4155 58778,58843,58908,58972,59037,59101,59165,59230,
4156 59294,59358,59422,59486,59549,59613,59677,59740,
4157 59804,59867,59930,59993,60056,60119,60182,60245,
4158 60308,60370,60433,60495,60558,60620,60682,60744,
4159 60806,60868,60930,60992,61054,61115,61177,61238,
4160 61300,61361,61422,61483,61544,61605,61666,61727,
4161 61788,61848,61909,61969,62030,62090,62150,62211,
4162 62271,62331,62391,62450,62510,62570,62630,62689,
4163 62749,62808,62867,62927,62986,63045,63104,63163,
4164 63222,63281,63340,63398,63457,63515,63574,63632,
4165 63691,63749,63807,63865,63923,63981,64039,64097,
4166 64155,64212,64270,64328,64385,64443,64500,64557,
4167 64614,64672,64729,64786,64843,64900,64956,65013,
4168 65070,65126,65183,65239,65296,65352,65409,65465
4169};
4170
4171const png_byte png_sRGB_delta[512] =
4172{
4173 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4174 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4175 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4176 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4177 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4178 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4179 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4180 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4181 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4182 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4183 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4184 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4185 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4186 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4187 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4188 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4189 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4190 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4191 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4192 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4193 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4194 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4195 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4196 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4197 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4198 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4199 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4200 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4201 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4202 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4203 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4204 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4205};
4206#endif /* SIMPLIFIED READ/WRITE sRGB support */
4207
4208/* SIMPLIFIED READ/WRITE SUPPORT */
4209#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4210 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4211static int
4212png_image_free_function(png_voidp argument)
4213{
4214 png_imagep image = png_voidcast(png_imagep, argument);
4215 png_controlp cp = image->opaque;
4216 png_control c;
4217
4218 /* Double check that we have a png_ptr - it should be impossible to get here
4219 * without one.
4220 */
4221 if (cp->png_ptr == NULL)
4222 return 0;
4223
4224 /* First free any data held in the control structure. */
4225# ifdef PNG_STDIO_SUPPORTED
4226 if (cp->owned_file)
4227 {
4228 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4229 cp->owned_file = 0;
4230
4231 /* Ignore errors here. */
4232 if (fp != NULL)
4233 {
4234 cp->png_ptr->io_ptr = NULL;
4235 (void)fclose(fp);
4236 }
4237 }
4238# endif
4239
4240 /* Copy the control structure so that the original, allocated, version can be
4241 * safely freed. Notice that a png_error here stops the remainder of the
4242 * cleanup, but this is probably fine because that would indicate bad memory
4243 * problems anyway.
4244 */
4245 c = *cp;
4246 image->opaque = &c;
4247 png_free(c.png_ptr, cp);
4248
4249 /* Then the structures, calling the correct API. */
4250 if (c.for_write)
4251 {
4252# ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4253 png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4254# else
4255 png_error(c.png_ptr, "simplified write not supported");
4256# endif
4257 }
4258 else
4259 {
4260# ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4261 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4262# else
4263 png_error(c.png_ptr, "simplified read not supported");
4264# endif
4265 }
4266
4267 /* Success. */
4268 return 1;
4269}
4270
4271void PNGAPI
4272png_image_free(png_imagep image)
4273{
4274 /* Safely call the real function, but only if doing so is safe at this point
4275 * (if not inside an error handling context). Otherwise assume
4276 * png_safe_execute will call this API after the return.
4277 */
4278 if (image != NULL && image->opaque != NULL &&
4279 image->opaque->error_buf == NULL)
4280 {
4281 /* Ignore errors here: */
4282 (void)png_safe_execute(image, png_image_free_function, image);
4283 image->opaque = NULL;
4284 }
4285}
4286
4287int /* PRIVATE */
4288png_image_error(png_imagep image, png_const_charp error_message)
4289{
4290 /* Utility to log an error. */
4291 png_safecat(image->message, (sizeof image->message), 0, error_message);
4292 image->warning_or_error |= PNG_IMAGE_ERROR;
4293 png_image_free(image);
4294 return 0;
4295}
4296
4297#endif /* SIMPLIFIED READ/WRITE */
0272a10d 4298#endif /* defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) */