2 /* pngpread.c - read a png file in push mode 
   4  * Last changed in libpng 1.5.6 [November 3, 2011] 
   5  * Copyright (c) 1998-2011 Glenn Randers-Pehrson 
   6  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 
   7  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 
   9  * This code is released under the libpng license. 
  10  * For conditions of distribution and use, see the disclaimer 
  11  * and license in png.h 
  16 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED 
  18 /* Push model modes */ 
  19 #define PNG_READ_SIG_MODE   0 
  20 #define PNG_READ_CHUNK_MODE 1 
  21 #define PNG_READ_IDAT_MODE  2 
  22 #define PNG_SKIP_MODE       3 
  23 #define PNG_READ_tEXt_MODE  4 
  24 #define PNG_READ_zTXt_MODE  5 
  25 #define PNG_READ_DONE_MODE  6 
  26 #define PNG_READ_iTXt_MODE  7 
  27 #define PNG_ERROR_MODE      8 
  30 png_process_data(png_structp png_ptr
, png_infop info_ptr
, 
  31     png_bytep buffer
, png_size_t buffer_size
) 
  33    if (png_ptr 
== NULL 
|| info_ptr 
== NULL
) 
  36    png_push_restore_buffer(png_ptr
, buffer
, buffer_size
); 
  38    while (png_ptr
->buffer_size
) 
  40       png_process_some_data(png_ptr
, info_ptr
); 
  45 png_process_data_pause(png_structp png_ptr
, int save
) 
  49       /* It's easiest for the caller if we do the save, then the caller doesn't 
  50        * have to supply the same data again: 
  53          png_push_save_buffer(png_ptr
); 
  56          /* This includes any pending saved bytes: */ 
  57          png_size_t remaining 
= png_ptr
->buffer_size
; 
  58          png_ptr
->buffer_size 
= 0; 
  60          /* So subtract the saved buffer size, unless all the data 
  61           * is actually 'saved', in which case we just return 0 
  63          if (png_ptr
->save_buffer_size 
< remaining
) 
  64             return remaining 
- png_ptr
->save_buffer_size
; 
  72 png_process_data_skip(png_structp png_ptr
) 
  74    png_uint_32 remaining 
= 0; 
  76    if (png_ptr 
!= NULL 
&& png_ptr
->process_mode 
== PNG_SKIP_MODE 
&& 
  77       png_ptr
->skip_length 
> 0) 
  79       /* At the end of png_process_data the buffer size must be 0 (see the loop 
  80        * above) so we can detect a broken call here: 
  82       if (png_ptr
->buffer_size 
!= 0) 
  84             "png_process_data_skip called inside png_process_data"); 
  86       /* If is impossible for there to be a saved buffer at this point - 
  87        * otherwise we could not be in SKIP mode.  This will also happen if 
  88        * png_process_skip is called inside png_process_data (but only very 
  91       if (png_ptr
->save_buffer_size 
!= 0) 
  92          png_error(png_ptr
, "png_process_data_skip called with saved data"); 
  94       remaining 
= png_ptr
->skip_length
; 
  95       png_ptr
->skip_length 
= 0; 
  96       png_ptr
->process_mode 
= PNG_READ_CHUNK_MODE
; 
 102 /* What we do with the incoming data depends on what we were previously 
 103  * doing before we ran out of data... 
 106 png_process_some_data(png_structp png_ptr
, png_infop info_ptr
) 
 111    switch (png_ptr
->process_mode
) 
 113       case PNG_READ_SIG_MODE
: 
 115          png_push_read_sig(png_ptr
, info_ptr
); 
 119       case PNG_READ_CHUNK_MODE
: 
 121          png_push_read_chunk(png_ptr
, info_ptr
); 
 125       case PNG_READ_IDAT_MODE
: 
 127          png_push_read_IDAT(png_ptr
); 
 131 #ifdef PNG_READ_tEXt_SUPPORTED 
 132       case PNG_READ_tEXt_MODE
: 
 134          png_push_read_tEXt(png_ptr
, info_ptr
); 
 139 #ifdef PNG_READ_zTXt_SUPPORTED 
 140       case PNG_READ_zTXt_MODE
: 
 142          png_push_read_zTXt(png_ptr
, info_ptr
); 
 147 #ifdef PNG_READ_iTXt_SUPPORTED 
 148       case PNG_READ_iTXt_MODE
: 
 150          png_push_read_iTXt(png_ptr
, info_ptr
); 
 157          png_push_crc_finish(png_ptr
); 
 163          png_ptr
->buffer_size 
= 0; 
 169 /* Read any remaining signature bytes from the stream and compare them with 
 170  * the correct PNG signature.  It is possible that this routine is called 
 171  * with bytes already read from the signature, either because they have been 
 172  * checked by the calling application, or because of multiple calls to this 
 176 png_push_read_sig(png_structp png_ptr
, png_infop info_ptr
) 
 178    png_size_t num_checked 
= png_ptr
->sig_bytes
, 
 179              num_to_check 
= 8 - num_checked
; 
 181    if (png_ptr
->buffer_size 
< num_to_check
) 
 183       num_to_check 
= png_ptr
->buffer_size
; 
 186    png_push_fill_buffer(png_ptr
, &(info_ptr
->signature
[num_checked
]), 
 188    png_ptr
->sig_bytes 
= (png_byte
)(png_ptr
->sig_bytes 
+ num_to_check
); 
 190    if (png_sig_cmp(info_ptr
->signature
, num_checked
, num_to_check
)) 
 192       if (num_checked 
< 4 && 
 193           png_sig_cmp(info_ptr
->signature
, num_checked
, num_to_check 
- 4)) 
 194          png_error(png_ptr
, "Not a PNG file"); 
 197          png_error(png_ptr
, "PNG file corrupted by ASCII conversion"); 
 201       if (png_ptr
->sig_bytes 
>= 8) 
 203          png_ptr
->process_mode 
= PNG_READ_CHUNK_MODE
; 
 209 png_push_read_chunk(png_structp png_ptr
, png_infop info_ptr
) 
 211    png_uint_32 chunk_name
; 
 213    /* First we make sure we have enough data for the 4 byte chunk name 
 214     * and the 4 byte chunk length before proceeding with decoding the 
 215     * chunk data.  To fully decode each of these chunks, we also make 
 216     * sure we have enough data in the buffer for the 4 byte CRC at the 
 217     * end of every chunk (except IDAT, which is handled separately). 
 219    if (!(png_ptr
->mode 
& PNG_HAVE_CHUNK_HEADER
)) 
 221       png_byte chunk_length
[4]; 
 222       png_byte chunk_tag
[4]; 
 224       if (png_ptr
->buffer_size 
< 8) 
 226          png_push_save_buffer(png_ptr
); 
 230       png_push_fill_buffer(png_ptr
, chunk_length
, 4); 
 231       png_ptr
->push_length 
= png_get_uint_31(png_ptr
, chunk_length
); 
 232       png_reset_crc(png_ptr
); 
 233       png_crc_read(png_ptr
, chunk_tag
, 4); 
 234       png_ptr
->chunk_name 
= PNG_CHUNK_FROM_STRING(chunk_tag
); 
 235       png_check_chunk_name(png_ptr
, png_ptr
->chunk_name
); 
 236       png_ptr
->mode 
|= PNG_HAVE_CHUNK_HEADER
; 
 239    chunk_name 
= png_ptr
->chunk_name
; 
 241    if (chunk_name 
== png_IDAT
) 
 243       /* This is here above the if/else case statement below because if the 
 244        * unknown handling marks 'IDAT' as unknown then the IDAT handling case is 
 245        * completely skipped. 
 247        * TODO: there must be a better way of doing this. 
 249       if (png_ptr
->mode 
& PNG_AFTER_IDAT
) 
 250          png_ptr
->mode 
|= PNG_HAVE_CHUNK_AFTER_IDAT
; 
 253    if (chunk_name 
== png_IHDR
) 
 255       if (png_ptr
->push_length 
!= 13) 
 256          png_error(png_ptr
, "Invalid IHDR length"); 
 258       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 260          png_push_save_buffer(png_ptr
); 
 264       png_handle_IHDR(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 267    else if (chunk_name 
== png_IEND
) 
 269       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 271          png_push_save_buffer(png_ptr
); 
 275       png_handle_IEND(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 277       png_ptr
->process_mode 
= PNG_READ_DONE_MODE
; 
 278       png_push_have_end(png_ptr
, info_ptr
); 
 281 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 
 282    else if (png_chunk_unknown_handling(png_ptr
, chunk_name
)) 
 284       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 286          png_push_save_buffer(png_ptr
); 
 290       if (chunk_name 
== png_IDAT
) 
 291          png_ptr
->mode 
|= PNG_HAVE_IDAT
; 
 293       png_handle_unknown(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 295       if (chunk_name 
== png_PLTE
) 
 296          png_ptr
->mode 
|= PNG_HAVE_PLTE
; 
 298       else if (chunk_name 
== png_IDAT
) 
 300          if (!(png_ptr
->mode 
& PNG_HAVE_IHDR
)) 
 301             png_error(png_ptr
, "Missing IHDR before IDAT"); 
 303          else if (png_ptr
->color_type 
== PNG_COLOR_TYPE_PALETTE 
&& 
 304              !(png_ptr
->mode 
& PNG_HAVE_PLTE
)) 
 305             png_error(png_ptr
, "Missing PLTE before IDAT"); 
 310    else if (chunk_name 
== png_PLTE
) 
 312       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 314          png_push_save_buffer(png_ptr
); 
 317       png_handle_PLTE(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 320    else if (chunk_name 
== png_IDAT
) 
 322       /* If we reach an IDAT chunk, this means we have read all of the 
 323        * header chunks, and we can start reading the image (or if this 
 324        * is called after the image has been read - we have an error). 
 327       if (!(png_ptr
->mode 
& PNG_HAVE_IHDR
)) 
 328          png_error(png_ptr
, "Missing IHDR before IDAT"); 
 330       else if (png_ptr
->color_type 
== PNG_COLOR_TYPE_PALETTE 
&& 
 331           !(png_ptr
->mode 
& PNG_HAVE_PLTE
)) 
 332          png_error(png_ptr
, "Missing PLTE before IDAT"); 
 334       if (png_ptr
->mode 
& PNG_HAVE_IDAT
) 
 336          if (!(png_ptr
->mode 
& PNG_HAVE_CHUNK_AFTER_IDAT
)) 
 337             if (png_ptr
->push_length 
== 0) 
 340          if (png_ptr
->mode 
& PNG_AFTER_IDAT
) 
 341             png_benign_error(png_ptr
, "Too many IDATs found"); 
 344       png_ptr
->idat_size 
= png_ptr
->push_length
; 
 345       png_ptr
->mode 
|= PNG_HAVE_IDAT
; 
 346       png_ptr
->process_mode 
= PNG_READ_IDAT_MODE
; 
 347       png_push_have_info(png_ptr
, info_ptr
); 
 348       png_ptr
->zstream
.avail_out 
= 
 349           (uInt
) PNG_ROWBYTES(png_ptr
->pixel_depth
, 
 350           png_ptr
->iwidth
) + 1; 
 351       png_ptr
->zstream
.next_out 
= png_ptr
->row_buf
; 
 355 #ifdef PNG_READ_gAMA_SUPPORTED 
 356    else if (png_ptr
->chunk_name 
== png_gAMA
) 
 358       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 360          png_push_save_buffer(png_ptr
); 
 364       png_handle_gAMA(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 368 #ifdef PNG_READ_sBIT_SUPPORTED 
 369    else if (png_ptr
->chunk_name 
== png_sBIT
) 
 371       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 373          png_push_save_buffer(png_ptr
); 
 377       png_handle_sBIT(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 381 #ifdef PNG_READ_cHRM_SUPPORTED 
 382    else if (png_ptr
->chunk_name 
== png_cHRM
) 
 384       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 386          png_push_save_buffer(png_ptr
); 
 390       png_handle_cHRM(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 394 #ifdef PNG_READ_sRGB_SUPPORTED 
 395    else if (chunk_name 
== png_sRGB
) 
 397       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 399          png_push_save_buffer(png_ptr
); 
 403       png_handle_sRGB(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 407 #ifdef PNG_READ_iCCP_SUPPORTED 
 408    else if (png_ptr
->chunk_name 
== png_iCCP
) 
 410       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 412          png_push_save_buffer(png_ptr
); 
 416       png_handle_iCCP(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 420 #ifdef PNG_READ_sPLT_SUPPORTED 
 421    else if (chunk_name 
== png_sPLT
) 
 423       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 425          png_push_save_buffer(png_ptr
); 
 429       png_handle_sPLT(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 433 #ifdef PNG_READ_tRNS_SUPPORTED 
 434    else if (chunk_name 
== png_tRNS
) 
 436       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 438          png_push_save_buffer(png_ptr
); 
 442       png_handle_tRNS(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 446 #ifdef PNG_READ_bKGD_SUPPORTED 
 447    else if (chunk_name 
== png_bKGD
) 
 449       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 451          png_push_save_buffer(png_ptr
); 
 455       png_handle_bKGD(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 459 #ifdef PNG_READ_hIST_SUPPORTED 
 460    else if (chunk_name 
== png_hIST
) 
 462       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 464          png_push_save_buffer(png_ptr
); 
 468       png_handle_hIST(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 472 #ifdef PNG_READ_pHYs_SUPPORTED 
 473    else if (chunk_name 
== png_pHYs
) 
 475       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 477          png_push_save_buffer(png_ptr
); 
 481       png_handle_pHYs(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 485 #ifdef PNG_READ_oFFs_SUPPORTED 
 486    else if (chunk_name 
== png_oFFs
) 
 488       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 490          png_push_save_buffer(png_ptr
); 
 494       png_handle_oFFs(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 498 #ifdef PNG_READ_pCAL_SUPPORTED 
 499    else if (chunk_name 
== png_pCAL
) 
 501       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 503          png_push_save_buffer(png_ptr
); 
 507       png_handle_pCAL(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 511 #ifdef PNG_READ_sCAL_SUPPORTED 
 512    else if (chunk_name 
== png_sCAL
) 
 514       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 516          png_push_save_buffer(png_ptr
); 
 520       png_handle_sCAL(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 524 #ifdef PNG_READ_tIME_SUPPORTED 
 525    else if (chunk_name 
== png_tIME
) 
 527       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 529          png_push_save_buffer(png_ptr
); 
 533       png_handle_tIME(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 537 #ifdef PNG_READ_tEXt_SUPPORTED 
 538    else if (chunk_name 
== png_tEXt
) 
 540       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 542          png_push_save_buffer(png_ptr
); 
 546       png_push_handle_tEXt(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 550 #ifdef PNG_READ_zTXt_SUPPORTED 
 551    else if (chunk_name 
== png_zTXt
) 
 553       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 555          png_push_save_buffer(png_ptr
); 
 559       png_push_handle_zTXt(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 563 #ifdef PNG_READ_iTXt_SUPPORTED 
 564    else if (chunk_name 
== png_iTXt
) 
 566       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 568          png_push_save_buffer(png_ptr
); 
 572       png_push_handle_iTXt(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 578       if (png_ptr
->push_length 
+ 4 > png_ptr
->buffer_size
) 
 580          png_push_save_buffer(png_ptr
); 
 583       png_push_handle_unknown(png_ptr
, info_ptr
, png_ptr
->push_length
); 
 586    png_ptr
->mode 
&= ~PNG_HAVE_CHUNK_HEADER
; 
 590 png_push_crc_skip(png_structp png_ptr
, png_uint_32 skip
) 
 592    png_ptr
->process_mode 
= PNG_SKIP_MODE
; 
 593    png_ptr
->skip_length 
= skip
; 
 597 png_push_crc_finish(png_structp png_ptr
) 
 599    if (png_ptr
->skip_length 
&& png_ptr
->save_buffer_size
) 
 601       png_size_t save_size 
= png_ptr
->save_buffer_size
; 
 602       png_uint_32 skip_length 
= png_ptr
->skip_length
; 
 604       /* We want the smaller of 'skip_length' and 'save_buffer_size', but 
 605        * they are of different types and we don't know which variable has the 
 606        * fewest bits.  Carefully select the smaller and cast it to the type of 
 607        * the larger - this cannot overflow.  Do not cast in the following test 
 608        * - it will break on either 16 or 64 bit platforms. 
 610       if (skip_length 
< save_size
) 
 611          save_size 
= (png_size_t
)skip_length
; 
 614          skip_length 
= (png_uint_32
)save_size
; 
 616       png_calculate_crc(png_ptr
, png_ptr
->save_buffer_ptr
, save_size
); 
 618       png_ptr
->skip_length 
-= skip_length
; 
 619       png_ptr
->buffer_size 
-= save_size
; 
 620       png_ptr
->save_buffer_size 
-= save_size
; 
 621       png_ptr
->save_buffer_ptr 
+= save_size
; 
 623    if (png_ptr
->skip_length 
&& png_ptr
->current_buffer_size
) 
 625       png_size_t save_size 
= png_ptr
->current_buffer_size
; 
 626       png_uint_32 skip_length 
= png_ptr
->skip_length
; 
 628       /* We want the smaller of 'skip_length' and 'current_buffer_size', here, 
 629        * the same problem exists as above and the same solution. 
 631       if (skip_length 
< save_size
) 
 632          save_size 
= (png_size_t
)skip_length
; 
 635          skip_length 
= (png_uint_32
)save_size
; 
 637       png_calculate_crc(png_ptr
, png_ptr
->current_buffer_ptr
, save_size
); 
 639       png_ptr
->skip_length 
-= skip_length
; 
 640       png_ptr
->buffer_size 
-= save_size
; 
 641       png_ptr
->current_buffer_size 
-= save_size
; 
 642       png_ptr
->current_buffer_ptr 
+= save_size
; 
 644    if (!png_ptr
->skip_length
) 
 646       if (png_ptr
->buffer_size 
< 4) 
 648          png_push_save_buffer(png_ptr
); 
 652       png_crc_finish(png_ptr
, 0); 
 653       png_ptr
->process_mode 
= PNG_READ_CHUNK_MODE
; 
 658 png_push_fill_buffer(png_structp png_ptr
, png_bytep buffer
, png_size_t length
) 
 666    if (png_ptr
->save_buffer_size
) 
 668       png_size_t save_size
; 
 670       if (length 
< png_ptr
->save_buffer_size
) 
 674          save_size 
= png_ptr
->save_buffer_size
; 
 676       png_memcpy(ptr
, png_ptr
->save_buffer_ptr
, save_size
); 
 679       png_ptr
->buffer_size 
-= save_size
; 
 680       png_ptr
->save_buffer_size 
-= save_size
; 
 681       png_ptr
->save_buffer_ptr 
+= save_size
; 
 683    if (length 
&& png_ptr
->current_buffer_size
) 
 685       png_size_t save_size
; 
 687       if (length 
< png_ptr
->current_buffer_size
) 
 691          save_size 
= png_ptr
->current_buffer_size
; 
 693       png_memcpy(ptr
, png_ptr
->current_buffer_ptr
, save_size
); 
 694       png_ptr
->buffer_size 
-= save_size
; 
 695       png_ptr
->current_buffer_size 
-= save_size
; 
 696       png_ptr
->current_buffer_ptr 
+= save_size
; 
 701 png_push_save_buffer(png_structp png_ptr
) 
 703    if (png_ptr
->save_buffer_size
) 
 705       if (png_ptr
->save_buffer_ptr 
!= png_ptr
->save_buffer
) 
 711          istop 
= png_ptr
->save_buffer_size
; 
 712          for (i 
= 0, sp 
= png_ptr
->save_buffer_ptr
, dp 
= png_ptr
->save_buffer
; 
 713              i 
< istop
; i
++, sp
++, dp
++) 
 719    if (png_ptr
->save_buffer_size 
+ png_ptr
->current_buffer_size 
> 
 720        png_ptr
->save_buffer_max
) 
 723       png_bytep old_buffer
; 
 725       if (png_ptr
->save_buffer_size 
> PNG_SIZE_MAX 
- 
 726           (png_ptr
->current_buffer_size 
+ 256)) 
 728          png_error(png_ptr
, "Potential overflow of save_buffer"); 
 731       new_max 
= png_ptr
->save_buffer_size 
+ png_ptr
->current_buffer_size 
+ 256; 
 732       old_buffer 
= png_ptr
->save_buffer
; 
 733       png_ptr
->save_buffer 
= (png_bytep
)png_malloc_warn(png_ptr
, 
 734           (png_size_t
)new_max
); 
 736       if (png_ptr
->save_buffer 
== NULL
) 
 738          png_free(png_ptr
, old_buffer
); 
 739          png_error(png_ptr
, "Insufficient memory for save_buffer"); 
 742       png_memcpy(png_ptr
->save_buffer
, old_buffer
, png_ptr
->save_buffer_size
); 
 743       png_free(png_ptr
, old_buffer
); 
 744       png_ptr
->save_buffer_max 
= new_max
; 
 746    if (png_ptr
->current_buffer_size
) 
 748       png_memcpy(png_ptr
->save_buffer 
+ png_ptr
->save_buffer_size
, 
 749          png_ptr
->current_buffer_ptr
, png_ptr
->current_buffer_size
); 
 750       png_ptr
->save_buffer_size 
+= png_ptr
->current_buffer_size
; 
 751       png_ptr
->current_buffer_size 
= 0; 
 753    png_ptr
->save_buffer_ptr 
= png_ptr
->save_buffer
; 
 754    png_ptr
->buffer_size 
= 0; 
 758 png_push_restore_buffer(png_structp png_ptr
, png_bytep buffer
, 
 759    png_size_t buffer_length
) 
 761    png_ptr
->current_buffer 
= buffer
; 
 762    png_ptr
->current_buffer_size 
= buffer_length
; 
 763    png_ptr
->buffer_size 
= buffer_length 
+ png_ptr
->save_buffer_size
; 
 764    png_ptr
->current_buffer_ptr 
= png_ptr
->current_buffer
; 
 768 png_push_read_IDAT(png_structp png_ptr
) 
 770    if (!(png_ptr
->mode 
& PNG_HAVE_CHUNK_HEADER
)) 
 772       png_byte chunk_length
[4]; 
 773       png_byte chunk_tag
[4]; 
 775       /* TODO: this code can be commoned up with the same code in push_read */ 
 776       if (png_ptr
->buffer_size 
< 8) 
 778          png_push_save_buffer(png_ptr
); 
 782       png_push_fill_buffer(png_ptr
, chunk_length
, 4); 
 783       png_ptr
->push_length 
= png_get_uint_31(png_ptr
, chunk_length
); 
 784       png_reset_crc(png_ptr
); 
 785       png_crc_read(png_ptr
, chunk_tag
, 4); 
 786       png_ptr
->chunk_name 
= PNG_CHUNK_FROM_STRING(chunk_tag
); 
 787       png_ptr
->mode 
|= PNG_HAVE_CHUNK_HEADER
; 
 789       if (png_ptr
->chunk_name 
!= png_IDAT
) 
 791          png_ptr
->process_mode 
= PNG_READ_CHUNK_MODE
; 
 793          if (!(png_ptr
->flags 
& PNG_FLAG_ZLIB_FINISHED
)) 
 794             png_error(png_ptr
, "Not enough compressed data"); 
 799       png_ptr
->idat_size 
= png_ptr
->push_length
; 
 802    if (png_ptr
->idat_size 
&& png_ptr
->save_buffer_size
) 
 804       png_size_t save_size 
= png_ptr
->save_buffer_size
; 
 805       png_uint_32 idat_size 
= png_ptr
->idat_size
; 
 807       /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 
 808        * are of different types and we don't know which variable has the fewest 
 809        * bits.  Carefully select the smaller and cast it to the type of the 
 810        * larger - this cannot overflow.  Do not cast in the following test - it 
 811        * will break on either 16 or 64 bit platforms. 
 813       if (idat_size 
< save_size
) 
 814          save_size 
= (png_size_t
)idat_size
; 
 817          idat_size 
= (png_uint_32
)save_size
; 
 819       png_calculate_crc(png_ptr
, png_ptr
->save_buffer_ptr
, save_size
); 
 821       png_process_IDAT_data(png_ptr
, png_ptr
->save_buffer_ptr
, save_size
); 
 823       png_ptr
->idat_size 
-= idat_size
; 
 824       png_ptr
->buffer_size 
-= save_size
; 
 825       png_ptr
->save_buffer_size 
-= save_size
; 
 826       png_ptr
->save_buffer_ptr 
+= save_size
; 
 829    if (png_ptr
->idat_size 
&& png_ptr
->current_buffer_size
) 
 831       png_size_t save_size 
= png_ptr
->current_buffer_size
; 
 832       png_uint_32 idat_size 
= png_ptr
->idat_size
; 
 834       /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 
 835        * are of different types and we don't know which variable has the fewest 
 836        * bits.  Carefully select the smaller and cast it to the type of the 
 837        * larger - this cannot overflow. 
 839       if (idat_size 
< save_size
) 
 840          save_size 
= (png_size_t
)idat_size
; 
 843          idat_size 
= (png_uint_32
)save_size
; 
 845       png_calculate_crc(png_ptr
, png_ptr
->current_buffer_ptr
, save_size
); 
 847       png_process_IDAT_data(png_ptr
, png_ptr
->current_buffer_ptr
, save_size
); 
 849       png_ptr
->idat_size 
-= idat_size
; 
 850       png_ptr
->buffer_size 
-= save_size
; 
 851       png_ptr
->current_buffer_size 
-= save_size
; 
 852       png_ptr
->current_buffer_ptr 
+= save_size
; 
 854    if (!png_ptr
->idat_size
) 
 856       if (png_ptr
->buffer_size 
< 4) 
 858          png_push_save_buffer(png_ptr
); 
 862       png_crc_finish(png_ptr
, 0); 
 863       png_ptr
->mode 
&= ~PNG_HAVE_CHUNK_HEADER
; 
 864       png_ptr
->mode 
|= PNG_AFTER_IDAT
; 
 869 png_process_IDAT_data(png_structp png_ptr
, png_bytep buffer
, 
 870    png_size_t buffer_length
) 
 872    /* The caller checks for a non-zero buffer length. */ 
 873    if (!(buffer_length 
> 0) || buffer 
== NULL
) 
 874       png_error(png_ptr
, "No IDAT data (internal error)"); 
 876    /* This routine must process all the data it has been given 
 877     * before returning, calling the row callback as required to 
 878     * handle the uncompressed results. 
 880    png_ptr
->zstream
.next_in 
= buffer
; 
 881    png_ptr
->zstream
.avail_in 
= (uInt
)buffer_length
; 
 883    /* Keep going until the decompressed data is all processed 
 884     * or the stream marked as finished. 
 886    while (png_ptr
->zstream
.avail_in 
> 0 && 
 887           !(png_ptr
->flags 
& PNG_FLAG_ZLIB_FINISHED
)) 
 891       /* We have data for zlib, but we must check that zlib 
 892        * has someplace to put the results.  It doesn't matter 
 893        * if we don't expect any results -- it may be the input 
 894        * data is just the LZ end code. 
 896       if (!(png_ptr
->zstream
.avail_out 
> 0)) 
 898          png_ptr
->zstream
.avail_out 
= 
 899              (uInt
) PNG_ROWBYTES(png_ptr
->pixel_depth
, 
 900              png_ptr
->iwidth
) + 1; 
 902          png_ptr
->zstream
.next_out 
= png_ptr
->row_buf
; 
 905       /* Using Z_SYNC_FLUSH here means that an unterminated 
 906        * LZ stream (a stream with a missing end code) can still 
 907        * be handled, otherwise (Z_NO_FLUSH) a future zlib 
 908        * implementation might defer output and therefore 
 909        * change the current behavior (see comments in inflate.c 
 910        * for why this doesn't happen at present with zlib 1.2.5). 
 912       ret 
= inflate(&png_ptr
->zstream
, Z_SYNC_FLUSH
); 
 914       /* Check for any failure before proceeding. */ 
 915       if (ret 
!= Z_OK 
&& ret 
!= Z_STREAM_END
) 
 917          /* Terminate the decompression. */ 
 918          png_ptr
->flags 
|= PNG_FLAG_ZLIB_FINISHED
; 
 920          /* This may be a truncated stream (missing or 
 921           * damaged end code).  Treat that as a warning. 
 923          if (png_ptr
->row_number 
>= png_ptr
->num_rows 
|| 
 925             png_warning(png_ptr
, "Truncated compressed data in IDAT"); 
 928             png_error(png_ptr
, "Decompression error in IDAT"); 
 930          /* Skip the check on unprocessed input */ 
 934       /* Did inflate output any data? */ 
 935       if (png_ptr
->zstream
.next_out 
!= png_ptr
->row_buf
) 
 937          /* Is this unexpected data after the last row? 
 938           * If it is, artificially terminate the LZ output 
 941          if (png_ptr
->row_number 
>= png_ptr
->num_rows 
|| 
 945             png_warning(png_ptr
, "Extra compressed data in IDAT"); 
 946             png_ptr
->flags 
|= PNG_FLAG_ZLIB_FINISHED
; 
 948             /* Do no more processing; skip the unprocessed 
 954          /* Do we have a complete row? */ 
 955          if (png_ptr
->zstream
.avail_out 
== 0) 
 956             png_push_process_row(png_ptr
); 
 959       /* And check for the end of the stream. */ 
 960       if (ret 
== Z_STREAM_END
) 
 961          png_ptr
->flags 
|= PNG_FLAG_ZLIB_FINISHED
; 
 964    /* All the data should have been processed, if anything 
 965     * is left at this point we have bytes of IDAT data 
 966     * after the zlib end code. 
 968    if (png_ptr
->zstream
.avail_in 
> 0) 
 969       png_warning(png_ptr
, "Extra compression data in IDAT"); 
 973 png_push_process_row(png_structp png_ptr
) 
 975    /* 1.5.6: row_info moved out of png_struct to a local here. */ 
 976    png_row_info row_info
; 
 978    row_info
.width 
= png_ptr
->iwidth
; /* NOTE: width of current interlaced row */ 
 979    row_info
.color_type 
= png_ptr
->color_type
; 
 980    row_info
.bit_depth 
= png_ptr
->bit_depth
; 
 981    row_info
.channels 
= png_ptr
->channels
; 
 982    row_info
.pixel_depth 
= png_ptr
->pixel_depth
; 
 983    row_info
.rowbytes 
= PNG_ROWBYTES(row_info
.pixel_depth
, row_info
.width
); 
 985    if (png_ptr
->row_buf
[0] > PNG_FILTER_VALUE_NONE
) 
 987       if (png_ptr
->row_buf
[0] < PNG_FILTER_VALUE_LAST
) 
 988          png_read_filter_row(&row_info
, png_ptr
->row_buf 
+ 1, 
 989             png_ptr
->prev_row 
+ 1, png_ptr
->row_buf
[0]); 
 991          png_error(png_ptr
, "bad adaptive filter value"); 
 994    /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before 
 995     * 1.5.6, while the buffer really is this big in current versions of libpng 
 996     * it may not be in the future, so this was changed just to copy the 
 997     * interlaced row count: 
 999    png_memcpy(png_ptr
->prev_row
, png_ptr
->row_buf
, row_info
.rowbytes 
+ 1); 
1001 #ifdef PNG_READ_TRANSFORMS_SUPPORTED 
1002    if (png_ptr
->transformations
) 
1003       png_do_read_transformations(png_ptr
, &row_info
); 
1006    /* The transformed pixel depth should match the depth now in row_info. */ 
1007    if (png_ptr
->transformed_pixel_depth 
== 0) 
1009       png_ptr
->transformed_pixel_depth 
= row_info
.pixel_depth
; 
1010       if (row_info
.pixel_depth 
> png_ptr
->maximum_pixel_depth
) 
1011          png_error(png_ptr
, "progressive row overflow"); 
1014    else if (png_ptr
->transformed_pixel_depth 
!= row_info
.pixel_depth
) 
1015       png_error(png_ptr
, "internal progressive row size calculation error"); 
1018 #ifdef PNG_READ_INTERLACING_SUPPORTED 
1019    /* Blow up interlaced rows to full size */ 
1020    if (png_ptr
->interlaced 
&& (png_ptr
->transformations 
& PNG_INTERLACE
)) 
1022       if (png_ptr
->pass 
< 6) 
1023          png_do_read_interlace(&row_info
, png_ptr
->row_buf 
+ 1, png_ptr
->pass
, 
1024             png_ptr
->transformations
); 
1026     switch (png_ptr
->pass
) 
1031             for (i 
= 0; i 
< 8 && png_ptr
->pass 
== 0; i
++) 
1033                png_push_have_row(png_ptr
, png_ptr
->row_buf 
+ 1); 
1034                png_read_push_finish_row(png_ptr
); /* Updates png_ptr->pass */ 
1037             if (png_ptr
->pass 
== 2) /* Pass 1 might be empty */ 
1039                for (i 
= 0; i 
< 4 && png_ptr
->pass 
== 2; i
++) 
1041                   png_push_have_row(png_ptr
, NULL
); 
1042                   png_read_push_finish_row(png_ptr
); 
1046             if (png_ptr
->pass 
== 4 && png_ptr
->height 
<= 4) 
1048                for (i 
= 0; i 
< 2 && png_ptr
->pass 
== 4; i
++) 
1050                   png_push_have_row(png_ptr
, NULL
); 
1051                   png_read_push_finish_row(png_ptr
); 
1055             if (png_ptr
->pass 
== 6 && png_ptr
->height 
<= 4) 
1057                 png_push_have_row(png_ptr
, NULL
); 
1058                 png_read_push_finish_row(png_ptr
); 
1067             for (i 
= 0; i 
< 8 && png_ptr
->pass 
== 1; i
++) 
1069                png_push_have_row(png_ptr
, png_ptr
->row_buf 
+ 1); 
1070                png_read_push_finish_row(png_ptr
); 
1073             if (png_ptr
->pass 
== 2) /* Skip top 4 generated rows */ 
1075                for (i 
= 0; i 
< 4 && png_ptr
->pass 
== 2; i
++) 
1077                   png_push_have_row(png_ptr
, NULL
); 
1078                   png_read_push_finish_row(png_ptr
); 
1089             for (i 
= 0; i 
< 4 && png_ptr
->pass 
== 2; i
++) 
1091                png_push_have_row(png_ptr
, png_ptr
->row_buf 
+ 1); 
1092                png_read_push_finish_row(png_ptr
); 
1095             for (i 
= 0; i 
< 4 && png_ptr
->pass 
== 2; i
++) 
1097                png_push_have_row(png_ptr
, NULL
); 
1098                png_read_push_finish_row(png_ptr
); 
1101             if (png_ptr
->pass 
== 4) /* Pass 3 might be empty */ 
1103                for (i 
= 0; i 
< 2 && png_ptr
->pass 
== 4; i
++) 
1105                   png_push_have_row(png_ptr
, NULL
); 
1106                   png_read_push_finish_row(png_ptr
); 
1117             for (i 
= 0; i 
< 4 && png_ptr
->pass 
== 3; i
++) 
1119                png_push_have_row(png_ptr
, png_ptr
->row_buf 
+ 1); 
1120                png_read_push_finish_row(png_ptr
); 
1123             if (png_ptr
->pass 
== 4) /* Skip top two generated rows */ 
1125                for (i 
= 0; i 
< 2 && png_ptr
->pass 
== 4; i
++) 
1127                   png_push_have_row(png_ptr
, NULL
); 
1128                   png_read_push_finish_row(png_ptr
); 
1139             for (i 
= 0; i 
< 2 && png_ptr
->pass 
== 4; i
++) 
1141                png_push_have_row(png_ptr
, png_ptr
->row_buf 
+ 1); 
1142                png_read_push_finish_row(png_ptr
); 
1145             for (i 
= 0; i 
< 2 && png_ptr
->pass 
== 4; i
++) 
1147                png_push_have_row(png_ptr
, NULL
); 
1148                png_read_push_finish_row(png_ptr
); 
1151             if (png_ptr
->pass 
== 6) /* Pass 5 might be empty */ 
1153                png_push_have_row(png_ptr
, NULL
); 
1154                png_read_push_finish_row(png_ptr
); 
1164             for (i 
= 0; i 
< 2 && png_ptr
->pass 
== 5; i
++) 
1166                png_push_have_row(png_ptr
, png_ptr
->row_buf 
+ 1); 
1167                png_read_push_finish_row(png_ptr
); 
1170             if (png_ptr
->pass 
== 6) /* Skip top generated row */ 
1172                png_push_have_row(png_ptr
, NULL
); 
1173                png_read_push_finish_row(png_ptr
); 
1182             png_push_have_row(png_ptr
, png_ptr
->row_buf 
+ 1); 
1183             png_read_push_finish_row(png_ptr
); 
1185             if (png_ptr
->pass 
!= 6) 
1188             png_push_have_row(png_ptr
, NULL
); 
1189             png_read_push_finish_row(png_ptr
); 
1196       png_push_have_row(png_ptr
, png_ptr
->row_buf 
+ 1); 
1197       png_read_push_finish_row(png_ptr
); 
1202 png_read_push_finish_row(png_structp png_ptr
) 
1204    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 
1206    /* Start of interlace block */ 
1207    static PNG_CONST png_byte FARDATA png_pass_start
[] = {0, 4, 0, 2, 0, 1, 0}; 
1209    /* Offset to next interlace block */ 
1210    static PNG_CONST png_byte FARDATA png_pass_inc
[] = {8, 8, 4, 4, 2, 2, 1}; 
1212    /* Start of interlace block in the y direction */ 
1213    static PNG_CONST png_byte FARDATA png_pass_ystart
[] = {0, 0, 4, 0, 2, 0, 1}; 
1215    /* Offset to next interlace block in the y direction */ 
1216    static PNG_CONST png_byte FARDATA png_pass_yinc
[] = {8, 8, 8, 4, 4, 2, 2}; 
1218    /* Height of interlace block.  This is not currently used - if you need 
1219     * it, uncomment it here and in png.h 
1220    static PNG_CONST png_byte FARDATA png_pass_height[] = {8, 8, 4, 4, 2, 2, 1}; 
1223    png_ptr
->row_number
++; 
1224    if (png_ptr
->row_number 
< png_ptr
->num_rows
) 
1227 #ifdef PNG_READ_INTERLACING_SUPPORTED 
1228    if (png_ptr
->interlaced
) 
1230       png_ptr
->row_number 
= 0; 
1231       png_memset(png_ptr
->prev_row
, 0, png_ptr
->rowbytes 
+ 1); 
1236          if ((png_ptr
->pass 
== 1 && png_ptr
->width 
< 5) || 
1237              (png_ptr
->pass 
== 3 && png_ptr
->width 
< 3) || 
1238              (png_ptr
->pass 
== 5 && png_ptr
->width 
< 2)) 
1241          if (png_ptr
->pass 
> 7) 
1244          if (png_ptr
->pass 
>= 7) 
1247          png_ptr
->iwidth 
= (png_ptr
->width 
+ 
1248              png_pass_inc
[png_ptr
->pass
] - 1 - 
1249              png_pass_start
[png_ptr
->pass
]) / 
1250              png_pass_inc
[png_ptr
->pass
]; 
1252          if (png_ptr
->transformations 
& PNG_INTERLACE
) 
1255          png_ptr
->num_rows 
= (png_ptr
->height 
+ 
1256              png_pass_yinc
[png_ptr
->pass
] - 1 - 
1257              png_pass_ystart
[png_ptr
->pass
]) / 
1258              png_pass_yinc
[png_ptr
->pass
]; 
1260       } while (png_ptr
->iwidth 
== 0 || png_ptr
->num_rows 
== 0); 
1262 #endif /* PNG_READ_INTERLACING_SUPPORTED */ 
1265 #ifdef PNG_READ_tEXt_SUPPORTED 
1267 png_push_handle_tEXt(png_structp png_ptr
, png_infop info_ptr
, png_uint_32
 
1270    if (!(png_ptr
->mode 
& PNG_HAVE_IHDR
) || (png_ptr
->mode 
& PNG_HAVE_IEND
)) 
1272          PNG_UNUSED(info_ptr
) /* To quiet some compiler warnings */ 
1273          png_error(png_ptr
, "Out of place tEXt"); 
1277 #ifdef PNG_MAX_MALLOC_64K 
1278    png_ptr
->skip_length 
= 0;  /* This may not be necessary */ 
1280    if (length 
> (png_uint_32
)65535L) /* Can't hold entire string in memory */ 
1282       png_warning(png_ptr
, "tEXt chunk too large to fit in memory"); 
1283       png_ptr
->skip_length 
= length 
- (png_uint_32
)65535L; 
1284       length 
= (png_uint_32
)65535L; 
1288    png_ptr
->current_text 
= (png_charp
)png_malloc(png_ptr
, 
1289        (png_size_t
)(length 
+ 1)); 
1290    png_ptr
->current_text
[length
] = '\0'; 
1291    png_ptr
->current_text_ptr 
= png_ptr
->current_text
; 
1292    png_ptr
->current_text_size 
= (png_size_t
)length
; 
1293    png_ptr
->current_text_left 
= (png_size_t
)length
; 
1294    png_ptr
->process_mode 
= PNG_READ_tEXt_MODE
; 
1298 png_push_read_tEXt(png_structp png_ptr
, png_infop info_ptr
) 
1300    if (png_ptr
->buffer_size 
&& png_ptr
->current_text_left
) 
1302       png_size_t text_size
; 
1304       if (png_ptr
->buffer_size 
< png_ptr
->current_text_left
) 
1305          text_size 
= png_ptr
->buffer_size
; 
1308          text_size 
= png_ptr
->current_text_left
; 
1310       png_crc_read(png_ptr
, (png_bytep
)png_ptr
->current_text_ptr
, text_size
); 
1311       png_ptr
->current_text_left 
-= text_size
; 
1312       png_ptr
->current_text_ptr 
+= text_size
; 
1314    if (!(png_ptr
->current_text_left
)) 
1321       if (png_ptr
->buffer_size 
< 4) 
1323          png_push_save_buffer(png_ptr
); 
1327       png_push_crc_finish(png_ptr
); 
1329 #ifdef PNG_MAX_MALLOC_64K 
1330       if (png_ptr
->skip_length
) 
1334       key 
= png_ptr
->current_text
; 
1336       for (text 
= key
; *text
; text
++) 
1339       if (text 
< key 
+ png_ptr
->current_text_size
) 
1342       text_ptr 
= (png_textp
)png_malloc(png_ptr
, png_sizeof(png_text
)); 
1343       text_ptr
->compression 
= PNG_TEXT_COMPRESSION_NONE
; 
1344       text_ptr
->key 
= key
; 
1345       text_ptr
->itxt_length 
= 0; 
1346       text_ptr
->lang 
= NULL
; 
1347       text_ptr
->lang_key 
= NULL
; 
1348       text_ptr
->text 
= text
; 
1350       ret 
= png_set_text_2(png_ptr
, info_ptr
, text_ptr
, 1); 
1352       png_free(png_ptr
, key
); 
1353       png_free(png_ptr
, text_ptr
); 
1354       png_ptr
->current_text 
= NULL
; 
1357          png_warning(png_ptr
, "Insufficient memory to store text chunk"); 
1362 #ifdef PNG_READ_zTXt_SUPPORTED 
1364 png_push_handle_zTXt(png_structp png_ptr
, png_infop info_ptr
, png_uint_32
 
1367    if (!(png_ptr
->mode 
& PNG_HAVE_IHDR
) || (png_ptr
->mode 
& PNG_HAVE_IEND
)) 
1369       PNG_UNUSED(info_ptr
) /* To quiet some compiler warnings */ 
1370       png_error(png_ptr
, "Out of place zTXt"); 
1374 #ifdef PNG_MAX_MALLOC_64K 
1375    /* We can't handle zTXt chunks > 64K, since we don't have enough space 
1376     * to be able to store the uncompressed data.  Actually, the threshold 
1377     * is probably around 32K, but it isn't as definite as 64K is. 
1379    if (length 
> (png_uint_32
)65535L) 
1381       png_warning(png_ptr
, "zTXt chunk too large to fit in memory"); 
1382       png_push_crc_skip(png_ptr
, length
); 
1387    png_ptr
->current_text 
= (png_charp
)png_malloc(png_ptr
, 
1388        (png_size_t
)(length 
+ 1)); 
1389    png_ptr
->current_text
[length
] = '\0'; 
1390    png_ptr
->current_text_ptr 
= png_ptr
->current_text
; 
1391    png_ptr
->current_text_size 
= (png_size_t
)length
; 
1392    png_ptr
->current_text_left 
= (png_size_t
)length
; 
1393    png_ptr
->process_mode 
= PNG_READ_zTXt_MODE
; 
1397 png_push_read_zTXt(png_structp png_ptr
, png_infop info_ptr
) 
1399    if (png_ptr
->buffer_size 
&& png_ptr
->current_text_left
) 
1401       png_size_t text_size
; 
1403       if (png_ptr
->buffer_size 
< (png_uint_32
)png_ptr
->current_text_left
) 
1404          text_size 
= png_ptr
->buffer_size
; 
1407          text_size 
= png_ptr
->current_text_left
; 
1409       png_crc_read(png_ptr
, (png_bytep
)png_ptr
->current_text_ptr
, text_size
); 
1410       png_ptr
->current_text_left 
-= text_size
; 
1411       png_ptr
->current_text_ptr 
+= text_size
; 
1413    if (!(png_ptr
->current_text_left
)) 
1419       png_size_t text_size
, key_size
; 
1421       if (png_ptr
->buffer_size 
< 4) 
1423          png_push_save_buffer(png_ptr
); 
1427       png_push_crc_finish(png_ptr
); 
1429       key 
= png_ptr
->current_text
; 
1431       for (text 
= key
; *text
; text
++) 
1434       /* zTXt can't have zero text */ 
1435       if (text 
>= key 
+ png_ptr
->current_text_size
) 
1437          png_ptr
->current_text 
= NULL
; 
1438          png_free(png_ptr
, key
); 
1444       if (*text 
!= PNG_TEXT_COMPRESSION_zTXt
) /* Check compression byte */ 
1446          png_ptr
->current_text 
= NULL
; 
1447          png_free(png_ptr
, key
); 
1453       png_ptr
->zstream
.next_in 
= (png_bytep
)text
; 
1454       png_ptr
->zstream
.avail_in 
= (uInt
)(png_ptr
->current_text_size 
- 
1456       png_ptr
->zstream
.next_out 
= png_ptr
->zbuf
; 
1457       png_ptr
->zstream
.avail_out 
= (uInt
)png_ptr
->zbuf_size
; 
1459       key_size 
= text 
- key
; 
1464       while (png_ptr
->zstream
.avail_in
) 
1466          ret 
= inflate(&png_ptr
->zstream
, Z_PARTIAL_FLUSH
); 
1467          if (ret 
!= Z_OK 
&& ret 
!= Z_STREAM_END
) 
1469             inflateReset(&png_ptr
->zstream
); 
1470             png_ptr
->zstream
.avail_in 
= 0; 
1471             png_ptr
->current_text 
= NULL
; 
1472             png_free(png_ptr
, key
); 
1473             png_free(png_ptr
, text
); 
1477          if (!(png_ptr
->zstream
.avail_out
) || ret 
== Z_STREAM_END
) 
1481                text 
= (png_charp
)png_malloc(png_ptr
, 
1483                    - png_ptr
->zstream
.avail_out 
+ key_size 
+ 1)); 
1485                png_memcpy(text 
+ key_size
, png_ptr
->zbuf
, 
1486                    png_ptr
->zbuf_size 
- png_ptr
->zstream
.avail_out
); 
1488                png_memcpy(text
, key
, key_size
); 
1490                text_size 
= key_size 
+ png_ptr
->zbuf_size 
- 
1491                    png_ptr
->zstream
.avail_out
; 
1493                *(text 
+ text_size
) = '\0'; 
1501                text 
= (png_charp
)png_malloc(png_ptr
, text_size 
+ 
1503                    - png_ptr
->zstream
.avail_out 
+ 1)); 
1505                png_memcpy(text
, tmp
, text_size
); 
1506                png_free(png_ptr
, tmp
); 
1508                png_memcpy(text 
+ text_size
, png_ptr
->zbuf
, 
1509                    png_ptr
->zbuf_size 
- png_ptr
->zstream
.avail_out
); 
1511                text_size 
+= png_ptr
->zbuf_size 
- png_ptr
->zstream
.avail_out
; 
1512                *(text 
+ text_size
) = '\0'; 
1515             if (ret 
!= Z_STREAM_END
) 
1517                png_ptr
->zstream
.next_out 
= png_ptr
->zbuf
; 
1518                png_ptr
->zstream
.avail_out 
= (uInt
)png_ptr
->zbuf_size
; 
1526          if (ret 
== Z_STREAM_END
) 
1530       inflateReset(&png_ptr
->zstream
); 
1531       png_ptr
->zstream
.avail_in 
= 0; 
1533       if (ret 
!= Z_STREAM_END
) 
1535          png_ptr
->current_text 
= NULL
; 
1536          png_free(png_ptr
, key
); 
1537          png_free(png_ptr
, text
); 
1541       png_ptr
->current_text 
= NULL
; 
1542       png_free(png_ptr
, key
); 
1546       text_ptr 
= (png_textp
)png_malloc(png_ptr
, 
1547           png_sizeof(png_text
)); 
1548       text_ptr
->compression 
= PNG_TEXT_COMPRESSION_zTXt
; 
1549       text_ptr
->key 
= key
; 
1550       text_ptr
->itxt_length 
= 0; 
1551       text_ptr
->lang 
= NULL
; 
1552       text_ptr
->lang_key 
= NULL
; 
1553       text_ptr
->text 
= text
; 
1555       ret 
= png_set_text_2(png_ptr
, info_ptr
, text_ptr
, 1); 
1557       png_free(png_ptr
, key
); 
1558       png_free(png_ptr
, text_ptr
); 
1561          png_warning(png_ptr
, "Insufficient memory to store text chunk"); 
1566 #ifdef PNG_READ_iTXt_SUPPORTED 
1568 png_push_handle_iTXt(png_structp png_ptr
, png_infop info_ptr
, png_uint_32
 
1571    if (!(png_ptr
->mode 
& PNG_HAVE_IHDR
) || (png_ptr
->mode 
& PNG_HAVE_IEND
)) 
1573       PNG_UNUSED(info_ptr
) /* To quiet some compiler warnings */ 
1574       png_error(png_ptr
, "Out of place iTXt"); 
1578 #ifdef PNG_MAX_MALLOC_64K 
1579    png_ptr
->skip_length 
= 0;  /* This may not be necessary */ 
1581    if (length 
> (png_uint_32
)65535L) /* Can't hold entire string in memory */ 
1583       png_warning(png_ptr
, "iTXt chunk too large to fit in memory"); 
1584       png_ptr
->skip_length 
= length 
- (png_uint_32
)65535L; 
1585       length 
= (png_uint_32
)65535L; 
1589    png_ptr
->current_text 
= (png_charp
)png_malloc(png_ptr
, 
1590        (png_size_t
)(length 
+ 1)); 
1591    png_ptr
->current_text
[length
] = '\0'; 
1592    png_ptr
->current_text_ptr 
= png_ptr
->current_text
; 
1593    png_ptr
->current_text_size 
= (png_size_t
)length
; 
1594    png_ptr
->current_text_left 
= (png_size_t
)length
; 
1595    png_ptr
->process_mode 
= PNG_READ_iTXt_MODE
; 
1599 png_push_read_iTXt(png_structp png_ptr
, png_infop info_ptr
) 
1602    if (png_ptr
->buffer_size 
&& png_ptr
->current_text_left
) 
1604       png_size_t text_size
; 
1606       if (png_ptr
->buffer_size 
< png_ptr
->current_text_left
) 
1607          text_size 
= png_ptr
->buffer_size
; 
1610          text_size 
= png_ptr
->current_text_left
; 
1612       png_crc_read(png_ptr
, (png_bytep
)png_ptr
->current_text_ptr
, text_size
); 
1613       png_ptr
->current_text_left 
-= text_size
; 
1614       png_ptr
->current_text_ptr 
+= text_size
; 
1617    if (!(png_ptr
->current_text_left
)) 
1627       if (png_ptr
->buffer_size 
< 4) 
1629          png_push_save_buffer(png_ptr
); 
1633       png_push_crc_finish(png_ptr
); 
1635 #ifdef PNG_MAX_MALLOC_64K 
1636       if (png_ptr
->skip_length
) 
1640       key 
= png_ptr
->current_text
; 
1642       for (lang 
= key
; *lang
; lang
++) 
1645       if (lang 
< key 
+ png_ptr
->current_text_size 
- 3) 
1648       comp_flag 
= *lang
++; 
1649       lang
++;     /* Skip comp_type, always zero */ 
1651       for (lang_key 
= lang
; *lang_key
; lang_key
++) 
1654       lang_key
++;        /* Skip NUL separator */ 
1658       if (lang_key 
< key 
+ png_ptr
->current_text_size 
- 1) 
1660          for (; *text
; text
++) 
1664       if (text 
< key 
+ png_ptr
->current_text_size
) 
1667       text_ptr 
= (png_textp
)png_malloc(png_ptr
, 
1668           png_sizeof(png_text
)); 
1670       text_ptr
->compression 
= comp_flag 
+ 2; 
1671       text_ptr
->key 
= key
; 
1672       text_ptr
->lang 
= lang
; 
1673       text_ptr
->lang_key 
= lang_key
; 
1674       text_ptr
->text 
= text
; 
1675       text_ptr
->text_length 
= 0; 
1676       text_ptr
->itxt_length 
= png_strlen(text
); 
1678       ret 
= png_set_text_2(png_ptr
, info_ptr
, text_ptr
, 1); 
1680       png_ptr
->current_text 
= NULL
; 
1682       png_free(png_ptr
, text_ptr
); 
1684          png_warning(png_ptr
, "Insufficient memory to store iTXt chunk"); 
1689 /* This function is called when we haven't found a handler for this 
1690  * chunk.  If there isn't a problem with the chunk itself (ie a bad chunk 
1691  * name or a critical chunk), the chunk is (currently) silently ignored. 
1694 png_push_handle_unknown(png_structp png_ptr
, png_infop info_ptr
, png_uint_32
 
1697    png_uint_32 skip 
= 0; 
1698    png_uint_32 chunk_name 
= png_ptr
->chunk_name
; 
1700    if (PNG_CHUNK_CRITICAL(chunk_name
)) 
1702 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED 
1703       if (png_chunk_unknown_handling(png_ptr
, chunk_name
) != 
1704           PNG_HANDLE_CHUNK_ALWAYS
 
1705 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED 
1706           && png_ptr
->read_user_chunk_fn 
== NULL
 
1710          png_chunk_error(png_ptr
, "unknown critical chunk"); 
1712       PNG_UNUSED(info_ptr
) /* To quiet some compiler warnings */ 
1715 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED 
1716    /* TODO: the code below is apparently just using the 
1717     * png_struct::unknown_chunk member as a temporarily variable, it should be 
1718     * possible to eliminate both it and the temporary buffer. 
1720    if (png_ptr
->flags 
& PNG_FLAG_KEEP_UNKNOWN_CHUNKS
) 
1722 #ifdef PNG_MAX_MALLOC_64K 
1725          png_warning(png_ptr
, "unknown chunk too large to fit in memory"); 
1726          skip 
= length 
- 65535; 
1730       /* This is just a record for the user; libpng doesn't use the character 
1733       PNG_CSTRING_FROM_CHUNK(png_ptr
->unknown_chunk
.name
, png_ptr
->chunk_name
); 
1735       /* The following cast should be safe because of the check above. */ 
1736       png_ptr
->unknown_chunk
.size 
= (png_size_t
)length
; 
1739          png_ptr
->unknown_chunk
.data 
= NULL
; 
1743          png_ptr
->unknown_chunk
.data 
= (png_bytep
)png_malloc(png_ptr
, 
1744             png_ptr
->unknown_chunk
.size
); 
1745          png_crc_read(png_ptr
, (png_bytep
)png_ptr
->unknown_chunk
.data
, 
1746             png_ptr
->unknown_chunk
.size
); 
1749 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED 
1750       if (png_ptr
->read_user_chunk_fn 
!= NULL
) 
1752          /* Callback to user unknown chunk handler */ 
1754          ret 
= (*(png_ptr
->read_user_chunk_fn
)) 
1755              (png_ptr
, &png_ptr
->unknown_chunk
); 
1758             png_chunk_error(png_ptr
, "error in user chunk"); 
1762             if (PNG_CHUNK_CRITICAL(png_ptr
->chunk_name
)) 
1763                if (png_chunk_unknown_handling(png_ptr
, chunk_name
) != 
1764                    PNG_HANDLE_CHUNK_ALWAYS
) 
1765                   png_chunk_error(png_ptr
, "unknown critical chunk"); 
1766             png_set_unknown_chunks(png_ptr
, info_ptr
, 
1767                 &png_ptr
->unknown_chunk
, 1); 
1773          png_set_unknown_chunks(png_ptr
, info_ptr
, &png_ptr
->unknown_chunk
, 1); 
1774       png_free(png_ptr
, png_ptr
->unknown_chunk
.data
); 
1775       png_ptr
->unknown_chunk
.data 
= NULL
; 
1781    png_push_crc_skip(png_ptr
, skip
); 
1785 png_push_have_info(png_structp png_ptr
, png_infop info_ptr
) 
1787    if (png_ptr
->info_fn 
!= NULL
) 
1788       (*(png_ptr
->info_fn
))(png_ptr
, info_ptr
); 
1792 png_push_have_end(png_structp png_ptr
, png_infop info_ptr
) 
1794    if (png_ptr
->end_fn 
!= NULL
) 
1795       (*(png_ptr
->end_fn
))(png_ptr
, info_ptr
); 
1799 png_push_have_row(png_structp png_ptr
, png_bytep row
) 
1801    if (png_ptr
->row_fn 
!= NULL
) 
1802       (*(png_ptr
->row_fn
))(png_ptr
, row
, png_ptr
->row_number
, 
1803          (int)png_ptr
->pass
); 
1806 #ifdef PNG_READ_INTERLACING_SUPPORTED 
1808 png_progressive_combine_row (png_structp png_ptr
, png_bytep old_row
, 
1809     png_const_bytep new_row
) 
1811    if (png_ptr 
== NULL
) 
1814    /* new_row is a flag here - if it is NULL then the app callback was called 
1815     * from an empty row (see the calls to png_struct::row_fn below), otherwise 
1816     * it must be png_ptr->row_buf+1 
1818    if (new_row 
!= NULL
) 
1819       png_combine_row(png_ptr
, old_row
, 1/*display*/); 
1821 #endif /* PNG_READ_INTERLACING_SUPPORTED */ 
1824 png_set_progressive_read_fn(png_structp png_ptr
, png_voidp progressive_ptr
, 
1825     png_progressive_info_ptr info_fn
, png_progressive_row_ptr row_fn
, 
1826     png_progressive_end_ptr end_fn
) 
1828    if (png_ptr 
== NULL
) 
1831    png_ptr
->info_fn 
= info_fn
; 
1832    png_ptr
->row_fn 
= row_fn
; 
1833    png_ptr
->end_fn 
= end_fn
; 
1835    png_set_read_fn(png_ptr
, progressive_ptr
, png_push_fill_buffer
); 
1839 png_get_progressive_ptr(png_const_structp png_ptr
) 
1841    if (png_ptr 
== NULL
) 
1844    return png_ptr
->io_ptr
; 
1846 #endif /* PNG_PROGRESSIVE_READ_SUPPORTED */