]> git.saurik.com Git - wxWidgets.git/blob - src/png/pngpread.c
Fix crash in wxDC::GetMultiLineTextExtent() after last commit.
[wxWidgets.git] / src / png / pngpread.c
1
2 /* pngpread.c - read a png file in push mode
3 *
4 * Last changed in libpng 1.5.7 [December 15, 2011]
5 * Copyright (c) 1998-2011 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 */
13
14 #include "pngpriv.h"
15
16 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED
17
18 /* Push model modes */
19 #define PNG_READ_SIG_MODE 0
20 #define PNG_READ_CHUNK_MODE 1
21 #define PNG_READ_IDAT_MODE 2
22 #define PNG_SKIP_MODE 3
23 #define PNG_READ_tEXt_MODE 4
24 #define PNG_READ_zTXt_MODE 5
25 #define PNG_READ_DONE_MODE 6
26 #define PNG_READ_iTXt_MODE 7
27 #define PNG_ERROR_MODE 8
28
29 void PNGAPI
30 png_process_data(png_structp png_ptr, png_infop info_ptr,
31 png_bytep buffer, png_size_t buffer_size)
32 {
33 if (png_ptr == NULL || info_ptr == NULL)
34 return;
35
36 png_push_restore_buffer(png_ptr, buffer, buffer_size);
37
38 while (png_ptr->buffer_size)
39 {
40 png_process_some_data(png_ptr, info_ptr);
41 }
42 }
43
44 png_size_t PNGAPI
45 png_process_data_pause(png_structp png_ptr, int save)
46 {
47 if (png_ptr != NULL)
48 {
49 /* It's easiest for the caller if we do the save, then the caller doesn't
50 * have to supply the same data again:
51 */
52 if (save)
53 png_push_save_buffer(png_ptr);
54 else
55 {
56 /* This includes any pending saved bytes: */
57 png_size_t remaining = png_ptr->buffer_size;
58 png_ptr->buffer_size = 0;
59
60 /* So subtract the saved buffer size, unless all the data
61 * is actually 'saved', in which case we just return 0
62 */
63 if (png_ptr->save_buffer_size < remaining)
64 return remaining - png_ptr->save_buffer_size;
65 }
66 }
67
68 return 0;
69 }
70
71 png_uint_32 PNGAPI
72 png_process_data_skip(png_structp png_ptr)
73 {
74 png_uint_32 remaining = 0;
75
76 if (png_ptr != NULL && png_ptr->process_mode == PNG_SKIP_MODE &&
77 png_ptr->skip_length > 0)
78 {
79 /* At the end of png_process_data the buffer size must be 0 (see the loop
80 * above) so we can detect a broken call here:
81 */
82 if (png_ptr->buffer_size != 0)
83 png_error(png_ptr,
84 "png_process_data_skip called inside png_process_data");
85
86 /* If is impossible for there to be a saved buffer at this point -
87 * otherwise we could not be in SKIP mode. This will also happen if
88 * png_process_skip is called inside png_process_data (but only very
89 * rarely.)
90 */
91 if (png_ptr->save_buffer_size != 0)
92 png_error(png_ptr, "png_process_data_skip called with saved data");
93
94 remaining = png_ptr->skip_length;
95 png_ptr->skip_length = 0;
96 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
97 }
98
99 return remaining;
100 }
101
102 /* What we do with the incoming data depends on what we were previously
103 * doing before we ran out of data...
104 */
105 void /* PRIVATE */
106 png_process_some_data(png_structp png_ptr, png_infop info_ptr)
107 {
108 if (png_ptr == NULL)
109 return;
110
111 switch (png_ptr->process_mode)
112 {
113 case PNG_READ_SIG_MODE:
114 {
115 png_push_read_sig(png_ptr, info_ptr);
116 break;
117 }
118
119 case PNG_READ_CHUNK_MODE:
120 {
121 png_push_read_chunk(png_ptr, info_ptr);
122 break;
123 }
124
125 case PNG_READ_IDAT_MODE:
126 {
127 png_push_read_IDAT(png_ptr);
128 break;
129 }
130
131 #ifdef PNG_READ_tEXt_SUPPORTED
132 case PNG_READ_tEXt_MODE:
133 {
134 png_push_read_tEXt(png_ptr, info_ptr);
135 break;
136 }
137
138 #endif
139 #ifdef PNG_READ_zTXt_SUPPORTED
140 case PNG_READ_zTXt_MODE:
141 {
142 png_push_read_zTXt(png_ptr, info_ptr);
143 break;
144 }
145
146 #endif
147 #ifdef PNG_READ_iTXt_SUPPORTED
148 case PNG_READ_iTXt_MODE:
149 {
150 png_push_read_iTXt(png_ptr, info_ptr);
151 break;
152 }
153
154 #endif
155 case PNG_SKIP_MODE:
156 {
157 png_push_crc_finish(png_ptr);
158 break;
159 }
160
161 default:
162 {
163 png_ptr->buffer_size = 0;
164 break;
165 }
166 }
167 }
168
169 /* Read any remaining signature bytes from the stream and compare them with
170 * the correct PNG signature. It is possible that this routine is called
171 * with bytes already read from the signature, either because they have been
172 * checked by the calling application, or because of multiple calls to this
173 * routine.
174 */
175 void /* PRIVATE */
176 png_push_read_sig(png_structp png_ptr, png_infop info_ptr)
177 {
178 png_size_t num_checked = png_ptr->sig_bytes,
179 num_to_check = 8 - num_checked;
180
181 if (png_ptr->buffer_size < num_to_check)
182 {
183 num_to_check = png_ptr->buffer_size;
184 }
185
186 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]),
187 num_to_check);
188 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check);
189
190 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check))
191 {
192 if (num_checked < 4 &&
193 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
194 png_error(png_ptr, "Not a PNG file");
195
196 else
197 png_error(png_ptr, "PNG file corrupted by ASCII conversion");
198 }
199 else
200 {
201 if (png_ptr->sig_bytes >= 8)
202 {
203 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
204 }
205 }
206 }
207
208 void /* PRIVATE */
209 png_push_read_chunk(png_structp png_ptr, png_infop info_ptr)
210 {
211 png_uint_32 chunk_name;
212
213 /* First we make sure we have enough data for the 4 byte chunk name
214 * and the 4 byte chunk length before proceeding with decoding the
215 * chunk data. To fully decode each of these chunks, we also make
216 * sure we have enough data in the buffer for the 4 byte CRC at the
217 * end of every chunk (except IDAT, which is handled separately).
218 */
219 if (!(png_ptr->mode & PNG_HAVE_CHUNK_HEADER))
220 {
221 png_byte chunk_length[4];
222 png_byte chunk_tag[4];
223
224 if (png_ptr->buffer_size < 8)
225 {
226 png_push_save_buffer(png_ptr);
227 return;
228 }
229
230 png_push_fill_buffer(png_ptr, chunk_length, 4);
231 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
232 png_reset_crc(png_ptr);
233 png_crc_read(png_ptr, chunk_tag, 4);
234 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
235 png_check_chunk_name(png_ptr, png_ptr->chunk_name);
236 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
237 }
238
239 chunk_name = png_ptr->chunk_name;
240
241 if (chunk_name == png_IDAT)
242 {
243 /* This is here above the if/else case statement below because if the
244 * unknown handling marks 'IDAT' as unknown then the IDAT handling case is
245 * completely skipped.
246 *
247 * TODO: there must be a better way of doing this.
248 */
249 if (png_ptr->mode & PNG_AFTER_IDAT)
250 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT;
251 }
252
253 if (chunk_name == png_IHDR)
254 {
255 if (png_ptr->push_length != 13)
256 png_error(png_ptr, "Invalid IHDR length");
257
258 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
259 {
260 png_push_save_buffer(png_ptr);
261 return;
262 }
263
264 png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length);
265 }
266
267 else if (chunk_name == png_IEND)
268 {
269 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
270 {
271 png_push_save_buffer(png_ptr);
272 return;
273 }
274
275 png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length);
276
277 png_ptr->process_mode = PNG_READ_DONE_MODE;
278 png_push_have_end(png_ptr, info_ptr);
279 }
280
281 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
282 else if (png_chunk_unknown_handling(png_ptr, chunk_name))
283 {
284 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
285 {
286 png_push_save_buffer(png_ptr);
287 return;
288 }
289
290 if (chunk_name == png_IDAT)
291 png_ptr->mode |= PNG_HAVE_IDAT;
292
293 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length);
294
295 if (chunk_name == png_PLTE)
296 png_ptr->mode |= PNG_HAVE_PLTE;
297
298 else if (chunk_name == png_IDAT)
299 {
300 if (!(png_ptr->mode & PNG_HAVE_IHDR))
301 png_error(png_ptr, "Missing IHDR before IDAT");
302
303 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
304 !(png_ptr->mode & PNG_HAVE_PLTE))
305 png_error(png_ptr, "Missing PLTE before IDAT");
306 }
307 }
308
309 #endif
310 else if (chunk_name == png_PLTE)
311 {
312 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
313 {
314 png_push_save_buffer(png_ptr);
315 return;
316 }
317 png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length);
318 }
319
320 else if (chunk_name == png_IDAT)
321 {
322 /* If we reach an IDAT chunk, this means we have read all of the
323 * header chunks, and we can start reading the image (or if this
324 * is called after the image has been read - we have an error).
325 */
326
327 if (!(png_ptr->mode & PNG_HAVE_IHDR))
328 png_error(png_ptr, "Missing IHDR before IDAT");
329
330 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
331 !(png_ptr->mode & PNG_HAVE_PLTE))
332 png_error(png_ptr, "Missing PLTE before IDAT");
333
334 if (png_ptr->mode & PNG_HAVE_IDAT)
335 {
336 if (!(png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT))
337 if (png_ptr->push_length == 0)
338 return;
339
340 if (png_ptr->mode & PNG_AFTER_IDAT)
341 png_benign_error(png_ptr, "Too many IDATs found");
342 }
343
344 png_ptr->idat_size = png_ptr->push_length;
345 png_ptr->mode |= PNG_HAVE_IDAT;
346 png_ptr->process_mode = PNG_READ_IDAT_MODE;
347 png_push_have_info(png_ptr, info_ptr);
348 png_ptr->zstream.avail_out =
349 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth,
350 png_ptr->iwidth) + 1;
351 png_ptr->zstream.next_out = png_ptr->row_buf;
352 return;
353 }
354
355 #ifdef PNG_READ_gAMA_SUPPORTED
356 else if (png_ptr->chunk_name == png_gAMA)
357 {
358 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
359 {
360 png_push_save_buffer(png_ptr);
361 return;
362 }
363
364 png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length);
365 }
366
367 #endif
368 #ifdef PNG_READ_sBIT_SUPPORTED
369 else if (png_ptr->chunk_name == png_sBIT)
370 {
371 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
372 {
373 png_push_save_buffer(png_ptr);
374 return;
375 }
376
377 png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length);
378 }
379
380 #endif
381 #ifdef PNG_READ_cHRM_SUPPORTED
382 else if (png_ptr->chunk_name == png_cHRM)
383 {
384 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
385 {
386 png_push_save_buffer(png_ptr);
387 return;
388 }
389
390 png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length);
391 }
392
393 #endif
394 #ifdef PNG_READ_sRGB_SUPPORTED
395 else if (chunk_name == png_sRGB)
396 {
397 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
398 {
399 png_push_save_buffer(png_ptr);
400 return;
401 }
402
403 png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length);
404 }
405
406 #endif
407 #ifdef PNG_READ_iCCP_SUPPORTED
408 else if (png_ptr->chunk_name == png_iCCP)
409 {
410 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
411 {
412 png_push_save_buffer(png_ptr);
413 return;
414 }
415
416 png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length);
417 }
418
419 #endif
420 #ifdef PNG_READ_sPLT_SUPPORTED
421 else if (chunk_name == png_sPLT)
422 {
423 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
424 {
425 png_push_save_buffer(png_ptr);
426 return;
427 }
428
429 png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length);
430 }
431
432 #endif
433 #ifdef PNG_READ_tRNS_SUPPORTED
434 else if (chunk_name == png_tRNS)
435 {
436 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
437 {
438 png_push_save_buffer(png_ptr);
439 return;
440 }
441
442 png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length);
443 }
444
445 #endif
446 #ifdef PNG_READ_bKGD_SUPPORTED
447 else if (chunk_name == png_bKGD)
448 {
449 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
450 {
451 png_push_save_buffer(png_ptr);
452 return;
453 }
454
455 png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length);
456 }
457
458 #endif
459 #ifdef PNG_READ_hIST_SUPPORTED
460 else if (chunk_name == png_hIST)
461 {
462 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
463 {
464 png_push_save_buffer(png_ptr);
465 return;
466 }
467
468 png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length);
469 }
470
471 #endif
472 #ifdef PNG_READ_pHYs_SUPPORTED
473 else if (chunk_name == png_pHYs)
474 {
475 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
476 {
477 png_push_save_buffer(png_ptr);
478 return;
479 }
480
481 png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length);
482 }
483
484 #endif
485 #ifdef PNG_READ_oFFs_SUPPORTED
486 else if (chunk_name == png_oFFs)
487 {
488 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
489 {
490 png_push_save_buffer(png_ptr);
491 return;
492 }
493
494 png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length);
495 }
496 #endif
497
498 #ifdef PNG_READ_pCAL_SUPPORTED
499 else if (chunk_name == png_pCAL)
500 {
501 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
502 {
503 png_push_save_buffer(png_ptr);
504 return;
505 }
506
507 png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length);
508 }
509
510 #endif
511 #ifdef PNG_READ_sCAL_SUPPORTED
512 else if (chunk_name == png_sCAL)
513 {
514 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
515 {
516 png_push_save_buffer(png_ptr);
517 return;
518 }
519
520 png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length);
521 }
522
523 #endif
524 #ifdef PNG_READ_tIME_SUPPORTED
525 else if (chunk_name == png_tIME)
526 {
527 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
528 {
529 png_push_save_buffer(png_ptr);
530 return;
531 }
532
533 png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length);
534 }
535
536 #endif
537 #ifdef PNG_READ_tEXt_SUPPORTED
538 else if (chunk_name == png_tEXt)
539 {
540 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
541 {
542 png_push_save_buffer(png_ptr);
543 return;
544 }
545
546 png_push_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length);
547 }
548
549 #endif
550 #ifdef PNG_READ_zTXt_SUPPORTED
551 else if (chunk_name == png_zTXt)
552 {
553 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
554 {
555 png_push_save_buffer(png_ptr);
556 return;
557 }
558
559 png_push_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length);
560 }
561
562 #endif
563 #ifdef PNG_READ_iTXt_SUPPORTED
564 else if (chunk_name == png_iTXt)
565 {
566 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
567 {
568 png_push_save_buffer(png_ptr);
569 return;
570 }
571
572 png_push_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length);
573 }
574
575 #endif
576 else
577 {
578 if (png_ptr->push_length + 4 > png_ptr->buffer_size)
579 {
580 png_push_save_buffer(png_ptr);
581 return;
582 }
583 png_push_handle_unknown(png_ptr, info_ptr, png_ptr->push_length);
584 }
585
586 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
587 }
588
589 void /* PRIVATE */
590 png_push_crc_skip(png_structp png_ptr, png_uint_32 skip)
591 {
592 png_ptr->process_mode = PNG_SKIP_MODE;
593 png_ptr->skip_length = skip;
594 }
595
596 void /* PRIVATE */
597 png_push_crc_finish(png_structp png_ptr)
598 {
599 if (png_ptr->skip_length && png_ptr->save_buffer_size)
600 {
601 png_size_t save_size = png_ptr->save_buffer_size;
602 png_uint_32 skip_length = png_ptr->skip_length;
603
604 /* We want the smaller of 'skip_length' and 'save_buffer_size', but
605 * they are of different types and we don't know which variable has the
606 * fewest bits. Carefully select the smaller and cast it to the type of
607 * the larger - this cannot overflow. Do not cast in the following test
608 * - it will break on either 16 or 64 bit platforms.
609 */
610 if (skip_length < save_size)
611 save_size = (png_size_t)skip_length;
612
613 else
614 skip_length = (png_uint_32)save_size;
615
616 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size);
617
618 png_ptr->skip_length -= skip_length;
619 png_ptr->buffer_size -= save_size;
620 png_ptr->save_buffer_size -= save_size;
621 png_ptr->save_buffer_ptr += save_size;
622 }
623 if (png_ptr->skip_length && png_ptr->current_buffer_size)
624 {
625 png_size_t save_size = png_ptr->current_buffer_size;
626 png_uint_32 skip_length = png_ptr->skip_length;
627
628 /* We want the smaller of 'skip_length' and 'current_buffer_size', here,
629 * the same problem exists as above and the same solution.
630 */
631 if (skip_length < save_size)
632 save_size = (png_size_t)skip_length;
633
634 else
635 skip_length = (png_uint_32)save_size;
636
637 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size);
638
639 png_ptr->skip_length -= skip_length;
640 png_ptr->buffer_size -= save_size;
641 png_ptr->current_buffer_size -= save_size;
642 png_ptr->current_buffer_ptr += save_size;
643 }
644 if (!png_ptr->skip_length)
645 {
646 if (png_ptr->buffer_size < 4)
647 {
648 png_push_save_buffer(png_ptr);
649 return;
650 }
651
652 png_crc_finish(png_ptr, 0);
653 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
654 }
655 }
656
657 void PNGCBAPI
658 png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length)
659 {
660 png_bytep ptr;
661
662 if (png_ptr == NULL)
663 return;
664
665 ptr = buffer;
666 if (png_ptr->save_buffer_size)
667 {
668 png_size_t save_size;
669
670 if (length < png_ptr->save_buffer_size)
671 save_size = length;
672
673 else
674 save_size = png_ptr->save_buffer_size;
675
676 png_memcpy(ptr, png_ptr->save_buffer_ptr, save_size);
677 length -= save_size;
678 ptr += save_size;
679 png_ptr->buffer_size -= save_size;
680 png_ptr->save_buffer_size -= save_size;
681 png_ptr->save_buffer_ptr += save_size;
682 }
683 if (length && png_ptr->current_buffer_size)
684 {
685 png_size_t save_size;
686
687 if (length < png_ptr->current_buffer_size)
688 save_size = length;
689
690 else
691 save_size = png_ptr->current_buffer_size;
692
693 png_memcpy(ptr, png_ptr->current_buffer_ptr, save_size);
694 png_ptr->buffer_size -= save_size;
695 png_ptr->current_buffer_size -= save_size;
696 png_ptr->current_buffer_ptr += save_size;
697 }
698 }
699
700 void /* PRIVATE */
701 png_push_save_buffer(png_structp png_ptr)
702 {
703 if (png_ptr->save_buffer_size)
704 {
705 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer)
706 {
707 png_size_t i, istop;
708 png_bytep sp;
709 png_bytep dp;
710
711 istop = png_ptr->save_buffer_size;
712 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer;
713 i < istop; i++, sp++, dp++)
714 {
715 *dp = *sp;
716 }
717 }
718 }
719 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size >
720 png_ptr->save_buffer_max)
721 {
722 png_size_t new_max;
723 png_bytep old_buffer;
724
725 if (png_ptr->save_buffer_size > PNG_SIZE_MAX -
726 (png_ptr->current_buffer_size + 256))
727 {
728 png_error(png_ptr, "Potential overflow of save_buffer");
729 }
730
731 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
732 old_buffer = png_ptr->save_buffer;
733 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr,
734 (png_size_t)new_max);
735
736 if (png_ptr->save_buffer == NULL)
737 {
738 png_free(png_ptr, old_buffer);
739 png_error(png_ptr, "Insufficient memory for save_buffer");
740 }
741
742 png_memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
743 png_free(png_ptr, old_buffer);
744 png_ptr->save_buffer_max = new_max;
745 }
746 if (png_ptr->current_buffer_size)
747 {
748 png_memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size,
749 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size);
750 png_ptr->save_buffer_size += png_ptr->current_buffer_size;
751 png_ptr->current_buffer_size = 0;
752 }
753 png_ptr->save_buffer_ptr = png_ptr->save_buffer;
754 png_ptr->buffer_size = 0;
755 }
756
757 void /* PRIVATE */
758 png_push_restore_buffer(png_structp png_ptr, png_bytep buffer,
759 png_size_t buffer_length)
760 {
761 png_ptr->current_buffer = buffer;
762 png_ptr->current_buffer_size = buffer_length;
763 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size;
764 png_ptr->current_buffer_ptr = png_ptr->current_buffer;
765 }
766
767 void /* PRIVATE */
768 png_push_read_IDAT(png_structp png_ptr)
769 {
770 if (!(png_ptr->mode & PNG_HAVE_CHUNK_HEADER))
771 {
772 png_byte chunk_length[4];
773 png_byte chunk_tag[4];
774
775 /* TODO: this code can be commoned up with the same code in push_read */
776 if (png_ptr->buffer_size < 8)
777 {
778 png_push_save_buffer(png_ptr);
779 return;
780 }
781
782 png_push_fill_buffer(png_ptr, chunk_length, 4);
783 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length);
784 png_reset_crc(png_ptr);
785 png_crc_read(png_ptr, chunk_tag, 4);
786 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag);
787 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
788
789 if (png_ptr->chunk_name != png_IDAT)
790 {
791 png_ptr->process_mode = PNG_READ_CHUNK_MODE;
792
793 if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED))
794 png_error(png_ptr, "Not enough compressed data");
795
796 return;
797 }
798
799 png_ptr->idat_size = png_ptr->push_length;
800 }
801
802 if (png_ptr->idat_size && png_ptr->save_buffer_size)
803 {
804 png_size_t save_size = png_ptr->save_buffer_size;
805 png_uint_32 idat_size = png_ptr->idat_size;
806
807 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
808 * are of different types and we don't know which variable has the fewest
809 * bits. Carefully select the smaller and cast it to the type of the
810 * larger - this cannot overflow. Do not cast in the following test - it
811 * will break on either 16 or 64 bit platforms.
812 */
813 if (idat_size < save_size)
814 save_size = (png_size_t)idat_size;
815
816 else
817 idat_size = (png_uint_32)save_size;
818
819 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size);
820
821 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size);
822
823 png_ptr->idat_size -= idat_size;
824 png_ptr->buffer_size -= save_size;
825 png_ptr->save_buffer_size -= save_size;
826 png_ptr->save_buffer_ptr += save_size;
827 }
828
829 if (png_ptr->idat_size && png_ptr->current_buffer_size)
830 {
831 png_size_t save_size = png_ptr->current_buffer_size;
832 png_uint_32 idat_size = png_ptr->idat_size;
833
834 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they
835 * are of different types and we don't know which variable has the fewest
836 * bits. Carefully select the smaller and cast it to the type of the
837 * larger - this cannot overflow.
838 */
839 if (idat_size < save_size)
840 save_size = (png_size_t)idat_size;
841
842 else
843 idat_size = (png_uint_32)save_size;
844
845 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size);
846
847 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size);
848
849 png_ptr->idat_size -= idat_size;
850 png_ptr->buffer_size -= save_size;
851 png_ptr->current_buffer_size -= save_size;
852 png_ptr->current_buffer_ptr += save_size;
853 }
854 if (!png_ptr->idat_size)
855 {
856 if (png_ptr->buffer_size < 4)
857 {
858 png_push_save_buffer(png_ptr);
859 return;
860 }
861
862 png_crc_finish(png_ptr, 0);
863 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
864 png_ptr->mode |= PNG_AFTER_IDAT;
865 }
866 }
867
868 void /* PRIVATE */
869 png_process_IDAT_data(png_structp png_ptr, png_bytep buffer,
870 png_size_t buffer_length)
871 {
872 /* The caller checks for a non-zero buffer length. */
873 if (!(buffer_length > 0) || buffer == NULL)
874 png_error(png_ptr, "No IDAT data (internal error)");
875
876 /* This routine must process all the data it has been given
877 * before returning, calling the row callback as required to
878 * handle the uncompressed results.
879 */
880 png_ptr->zstream.next_in = buffer;
881 png_ptr->zstream.avail_in = (uInt)buffer_length;
882
883 /* Keep going until the decompressed data is all processed
884 * or the stream marked as finished.
885 */
886 while (png_ptr->zstream.avail_in > 0 &&
887 !(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED))
888 {
889 int ret;
890
891 /* We have data for zlib, but we must check that zlib
892 * has someplace to put the results. It doesn't matter
893 * if we don't expect any results -- it may be the input
894 * data is just the LZ end code.
895 */
896 if (!(png_ptr->zstream.avail_out > 0))
897 {
898 png_ptr->zstream.avail_out =
899 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth,
900 png_ptr->iwidth) + 1;
901
902 png_ptr->zstream.next_out = png_ptr->row_buf;
903 }
904
905 /* Using Z_SYNC_FLUSH here means that an unterminated
906 * LZ stream (a stream with a missing end code) can still
907 * be handled, otherwise (Z_NO_FLUSH) a future zlib
908 * implementation might defer output and therefore
909 * change the current behavior (see comments in inflate.c
910 * for why this doesn't happen at present with zlib 1.2.5).
911 */
912 ret = inflate(&png_ptr->zstream, Z_SYNC_FLUSH);
913
914 /* Check for any failure before proceeding. */
915 if (ret != Z_OK && ret != Z_STREAM_END)
916 {
917 /* Terminate the decompression. */
918 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
919
920 /* This may be a truncated stream (missing or
921 * damaged end code). Treat that as a warning.
922 */
923 if (png_ptr->row_number >= png_ptr->num_rows ||
924 png_ptr->pass > 6)
925 png_warning(png_ptr, "Truncated compressed data in IDAT");
926
927 else
928 png_error(png_ptr, "Decompression error in IDAT");
929
930 /* Skip the check on unprocessed input */
931 return;
932 }
933
934 /* Did inflate output any data? */
935 if (png_ptr->zstream.next_out != png_ptr->row_buf)
936 {
937 /* Is this unexpected data after the last row?
938 * If it is, artificially terminate the LZ output
939 * here.
940 */
941 if (png_ptr->row_number >= png_ptr->num_rows ||
942 png_ptr->pass > 6)
943 {
944 /* Extra data. */
945 png_warning(png_ptr, "Extra compressed data in IDAT");
946 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
947
948 /* Do no more processing; skip the unprocessed
949 * input check below.
950 */
951 return;
952 }
953
954 /* Do we have a complete row? */
955 if (png_ptr->zstream.avail_out == 0)
956 png_push_process_row(png_ptr);
957 }
958
959 /* And check for the end of the stream. */
960 if (ret == Z_STREAM_END)
961 png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
962 }
963
964 /* All the data should have been processed, if anything
965 * is left at this point we have bytes of IDAT data
966 * after the zlib end code.
967 */
968 if (png_ptr->zstream.avail_in > 0)
969 png_warning(png_ptr, "Extra compression data in IDAT");
970 }
971
972 void /* PRIVATE */
973 png_push_process_row(png_structp png_ptr)
974 {
975 /* 1.5.6: row_info moved out of png_struct to a local here. */
976 png_row_info row_info;
977
978 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */
979 row_info.color_type = png_ptr->color_type;
980 row_info.bit_depth = png_ptr->bit_depth;
981 row_info.channels = png_ptr->channels;
982 row_info.pixel_depth = png_ptr->pixel_depth;
983 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width);
984
985 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE)
986 {
987 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST)
988 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1,
989 png_ptr->prev_row + 1, png_ptr->row_buf[0]);
990 else
991 png_error(png_ptr, "bad adaptive filter value");
992 }
993
994 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before
995 * 1.5.6, while the buffer really is this big in current versions of libpng
996 * it may not be in the future, so this was changed just to copy the
997 * interlaced row count:
998 */
999 png_memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1);
1000
1001 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
1002 if (png_ptr->transformations)
1003 png_do_read_transformations(png_ptr, &row_info);
1004 #endif
1005
1006 /* The transformed pixel depth should match the depth now in row_info. */
1007 if (png_ptr->transformed_pixel_depth == 0)
1008 {
1009 png_ptr->transformed_pixel_depth = row_info.pixel_depth;
1010 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth)
1011 png_error(png_ptr, "progressive row overflow");
1012 }
1013
1014 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth)
1015 png_error(png_ptr, "internal progressive row size calculation error");
1016
1017
1018 #ifdef PNG_READ_INTERLACING_SUPPORTED
1019 /* Blow up interlaced rows to full size */
1020 if (png_ptr->interlaced && (png_ptr->transformations & PNG_INTERLACE))
1021 {
1022 if (png_ptr->pass < 6)
1023 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass,
1024 png_ptr->transformations);
1025
1026 switch (png_ptr->pass)
1027 {
1028 case 0:
1029 {
1030 int i;
1031 for (i = 0; i < 8 && png_ptr->pass == 0; i++)
1032 {
1033 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1034 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */
1035 }
1036
1037 if (png_ptr->pass == 2) /* Pass 1 might be empty */
1038 {
1039 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
1040 {
1041 png_push_have_row(png_ptr, NULL);
1042 png_read_push_finish_row(png_ptr);
1043 }
1044 }
1045
1046 if (png_ptr->pass == 4 && png_ptr->height <= 4)
1047 {
1048 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1049 {
1050 png_push_have_row(png_ptr, NULL);
1051 png_read_push_finish_row(png_ptr);
1052 }
1053 }
1054
1055 if (png_ptr->pass == 6 && png_ptr->height <= 4)
1056 {
1057 png_push_have_row(png_ptr, NULL);
1058 png_read_push_finish_row(png_ptr);
1059 }
1060
1061 break;
1062 }
1063
1064 case 1:
1065 {
1066 int i;
1067 for (i = 0; i < 8 && png_ptr->pass == 1; i++)
1068 {
1069 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1070 png_read_push_finish_row(png_ptr);
1071 }
1072
1073 if (png_ptr->pass == 2) /* Skip top 4 generated rows */
1074 {
1075 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
1076 {
1077 png_push_have_row(png_ptr, NULL);
1078 png_read_push_finish_row(png_ptr);
1079 }
1080 }
1081
1082 break;
1083 }
1084
1085 case 2:
1086 {
1087 int i;
1088
1089 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
1090 {
1091 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1092 png_read_push_finish_row(png_ptr);
1093 }
1094
1095 for (i = 0; i < 4 && png_ptr->pass == 2; i++)
1096 {
1097 png_push_have_row(png_ptr, NULL);
1098 png_read_push_finish_row(png_ptr);
1099 }
1100
1101 if (png_ptr->pass == 4) /* Pass 3 might be empty */
1102 {
1103 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1104 {
1105 png_push_have_row(png_ptr, NULL);
1106 png_read_push_finish_row(png_ptr);
1107 }
1108 }
1109
1110 break;
1111 }
1112
1113 case 3:
1114 {
1115 int i;
1116
1117 for (i = 0; i < 4 && png_ptr->pass == 3; i++)
1118 {
1119 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1120 png_read_push_finish_row(png_ptr);
1121 }
1122
1123 if (png_ptr->pass == 4) /* Skip top two generated rows */
1124 {
1125 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1126 {
1127 png_push_have_row(png_ptr, NULL);
1128 png_read_push_finish_row(png_ptr);
1129 }
1130 }
1131
1132 break;
1133 }
1134
1135 case 4:
1136 {
1137 int i;
1138
1139 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1140 {
1141 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1142 png_read_push_finish_row(png_ptr);
1143 }
1144
1145 for (i = 0; i < 2 && png_ptr->pass == 4; i++)
1146 {
1147 png_push_have_row(png_ptr, NULL);
1148 png_read_push_finish_row(png_ptr);
1149 }
1150
1151 if (png_ptr->pass == 6) /* Pass 5 might be empty */
1152 {
1153 png_push_have_row(png_ptr, NULL);
1154 png_read_push_finish_row(png_ptr);
1155 }
1156
1157 break;
1158 }
1159
1160 case 5:
1161 {
1162 int i;
1163
1164 for (i = 0; i < 2 && png_ptr->pass == 5; i++)
1165 {
1166 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1167 png_read_push_finish_row(png_ptr);
1168 }
1169
1170 if (png_ptr->pass == 6) /* Skip top generated row */
1171 {
1172 png_push_have_row(png_ptr, NULL);
1173 png_read_push_finish_row(png_ptr);
1174 }
1175
1176 break;
1177 }
1178
1179 default:
1180 case 6:
1181 {
1182 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1183 png_read_push_finish_row(png_ptr);
1184
1185 if (png_ptr->pass != 6)
1186 break;
1187
1188 png_push_have_row(png_ptr, NULL);
1189 png_read_push_finish_row(png_ptr);
1190 }
1191 }
1192 }
1193 else
1194 #endif
1195 {
1196 png_push_have_row(png_ptr, png_ptr->row_buf + 1);
1197 png_read_push_finish_row(png_ptr);
1198 }
1199 }
1200
1201 void /* PRIVATE */
1202 png_read_push_finish_row(png_structp png_ptr)
1203 {
1204 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
1205
1206 /* Start of interlace block */
1207 static PNG_CONST png_byte FARDATA png_pass_start[] = {0, 4, 0, 2, 0, 1, 0};
1208
1209 /* Offset to next interlace block */
1210 static PNG_CONST png_byte FARDATA png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1};
1211
1212 /* Start of interlace block in the y direction */
1213 static PNG_CONST png_byte FARDATA png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1};
1214
1215 /* Offset to next interlace block in the y direction */
1216 static PNG_CONST png_byte FARDATA png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2};
1217
1218 /* Height of interlace block. This is not currently used - if you need
1219 * it, uncomment it here and in png.h
1220 static PNG_CONST png_byte FARDATA png_pass_height[] = {8, 8, 4, 4, 2, 2, 1};
1221 */
1222
1223 png_ptr->row_number++;
1224 if (png_ptr->row_number < png_ptr->num_rows)
1225 return;
1226
1227 #ifdef PNG_READ_INTERLACING_SUPPORTED
1228 if (png_ptr->interlaced)
1229 {
1230 png_ptr->row_number = 0;
1231 png_memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
1232
1233 do
1234 {
1235 png_ptr->pass++;
1236 if ((png_ptr->pass == 1 && png_ptr->width < 5) ||
1237 (png_ptr->pass == 3 && png_ptr->width < 3) ||
1238 (png_ptr->pass == 5 && png_ptr->width < 2))
1239 png_ptr->pass++;
1240
1241 if (png_ptr->pass > 7)
1242 png_ptr->pass--;
1243
1244 if (png_ptr->pass >= 7)
1245 break;
1246
1247 png_ptr->iwidth = (png_ptr->width +
1248 png_pass_inc[png_ptr->pass] - 1 -
1249 png_pass_start[png_ptr->pass]) /
1250 png_pass_inc[png_ptr->pass];
1251
1252 if (png_ptr->transformations & PNG_INTERLACE)
1253 break;
1254
1255 png_ptr->num_rows = (png_ptr->height +
1256 png_pass_yinc[png_ptr->pass] - 1 -
1257 png_pass_ystart[png_ptr->pass]) /
1258 png_pass_yinc[png_ptr->pass];
1259
1260 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0);
1261 }
1262 #endif /* PNG_READ_INTERLACING_SUPPORTED */
1263 }
1264
1265 #ifdef PNG_READ_tEXt_SUPPORTED
1266 void /* PRIVATE */
1267 png_push_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32
1268 length)
1269 {
1270 if (!(png_ptr->mode & PNG_HAVE_IHDR) || (png_ptr->mode & PNG_HAVE_IEND))
1271 {
1272 PNG_UNUSED(info_ptr) /* To quiet some compiler warnings */
1273 png_error(png_ptr, "Out of place tEXt");
1274 /* NOT REACHED */
1275 }
1276
1277 #ifdef PNG_MAX_MALLOC_64K
1278 png_ptr->skip_length = 0; /* This may not be necessary */
1279
1280 if (length > (png_uint_32)65535L) /* Can't hold entire string in memory */
1281 {
1282 png_warning(png_ptr, "tEXt chunk too large to fit in memory");
1283 png_ptr->skip_length = length - (png_uint_32)65535L;
1284 length = (png_uint_32)65535L;
1285 }
1286 #endif
1287
1288 png_ptr->current_text = (png_charp)png_malloc(png_ptr,
1289 (png_size_t)(length + 1));
1290 png_ptr->current_text[length] = '\0';
1291 png_ptr->current_text_ptr = png_ptr->current_text;
1292 png_ptr->current_text_size = (png_size_t)length;
1293 png_ptr->current_text_left = (png_size_t)length;
1294 png_ptr->process_mode = PNG_READ_tEXt_MODE;
1295 }
1296
1297 void /* PRIVATE */
1298 png_push_read_tEXt(png_structp png_ptr, png_infop info_ptr)
1299 {
1300 if (png_ptr->buffer_size && png_ptr->current_text_left)
1301 {
1302 png_size_t text_size;
1303
1304 if (png_ptr->buffer_size < png_ptr->current_text_left)
1305 text_size = png_ptr->buffer_size;
1306
1307 else
1308 text_size = png_ptr->current_text_left;
1309
1310 png_crc_read(png_ptr, (png_bytep)png_ptr->current_text_ptr, text_size);
1311 png_ptr->current_text_left -= text_size;
1312 png_ptr->current_text_ptr += text_size;
1313 }
1314 if (!(png_ptr->current_text_left))
1315 {
1316 png_textp text_ptr;
1317 png_charp text;
1318 png_charp key;
1319 int ret;
1320
1321 if (png_ptr->buffer_size < 4)
1322 {
1323 png_push_save_buffer(png_ptr);
1324 return;
1325 }
1326
1327 png_push_crc_finish(png_ptr);
1328
1329 #ifdef PNG_MAX_MALLOC_64K
1330 if (png_ptr->skip_length)
1331 return;
1332 #endif
1333
1334 key = png_ptr->current_text;
1335
1336 for (text = key; *text; text++)
1337 /* Empty loop */ ;
1338
1339 if (text < key + png_ptr->current_text_size)
1340 text++;
1341
1342 text_ptr = (png_textp)png_malloc(png_ptr, png_sizeof(png_text));
1343 text_ptr->compression = PNG_TEXT_COMPRESSION_NONE;
1344 text_ptr->key = key;
1345 text_ptr->itxt_length = 0;
1346 text_ptr->lang = NULL;
1347 text_ptr->lang_key = NULL;
1348 text_ptr->text = text;
1349
1350 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
1351
1352 png_free(png_ptr, key);
1353 png_free(png_ptr, text_ptr);
1354 png_ptr->current_text = NULL;
1355
1356 if (ret)
1357 png_warning(png_ptr, "Insufficient memory to store text chunk");
1358 }
1359 }
1360 #endif
1361
1362 #ifdef PNG_READ_zTXt_SUPPORTED
1363 void /* PRIVATE */
1364 png_push_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32
1365 length)
1366 {
1367 if (!(png_ptr->mode & PNG_HAVE_IHDR) || (png_ptr->mode & PNG_HAVE_IEND))
1368 {
1369 PNG_UNUSED(info_ptr) /* To quiet some compiler warnings */
1370 png_error(png_ptr, "Out of place zTXt");
1371 /* NOT REACHED */
1372 }
1373
1374 #ifdef PNG_MAX_MALLOC_64K
1375 /* We can't handle zTXt chunks > 64K, since we don't have enough space
1376 * to be able to store the uncompressed data. Actually, the threshold
1377 * is probably around 32K, but it isn't as definite as 64K is.
1378 */
1379 if (length > (png_uint_32)65535L)
1380 {
1381 png_warning(png_ptr, "zTXt chunk too large to fit in memory");
1382 png_push_crc_skip(png_ptr, length);
1383 return;
1384 }
1385 #endif
1386
1387 png_ptr->current_text = (png_charp)png_malloc(png_ptr,
1388 (png_size_t)(length + 1));
1389 png_ptr->current_text[length] = '\0';
1390 png_ptr->current_text_ptr = png_ptr->current_text;
1391 png_ptr->current_text_size = (png_size_t)length;
1392 png_ptr->current_text_left = (png_size_t)length;
1393 png_ptr->process_mode = PNG_READ_zTXt_MODE;
1394 }
1395
1396 void /* PRIVATE */
1397 png_push_read_zTXt(png_structp png_ptr, png_infop info_ptr)
1398 {
1399 if (png_ptr->buffer_size && png_ptr->current_text_left)
1400 {
1401 png_size_t text_size;
1402
1403 if (png_ptr->buffer_size < (png_uint_32)png_ptr->current_text_left)
1404 text_size = png_ptr->buffer_size;
1405
1406 else
1407 text_size = png_ptr->current_text_left;
1408
1409 png_crc_read(png_ptr, (png_bytep)png_ptr->current_text_ptr, text_size);
1410 png_ptr->current_text_left -= text_size;
1411 png_ptr->current_text_ptr += text_size;
1412 }
1413 if (!(png_ptr->current_text_left))
1414 {
1415 png_textp text_ptr;
1416 png_charp text;
1417 png_charp key;
1418 int ret;
1419 png_size_t text_size, key_size;
1420
1421 if (png_ptr->buffer_size < 4)
1422 {
1423 png_push_save_buffer(png_ptr);
1424 return;
1425 }
1426
1427 png_push_crc_finish(png_ptr);
1428
1429 key = png_ptr->current_text;
1430
1431 for (text = key; *text; text++)
1432 /* Empty loop */ ;
1433
1434 /* zTXt can't have zero text */
1435 if (text >= key + png_ptr->current_text_size)
1436 {
1437 png_ptr->current_text = NULL;
1438 png_free(png_ptr, key);
1439 return;
1440 }
1441
1442 text++;
1443
1444 if (*text != PNG_TEXT_COMPRESSION_zTXt) /* Check compression byte */
1445 {
1446 png_ptr->current_text = NULL;
1447 png_free(png_ptr, key);
1448 return;
1449 }
1450
1451 text++;
1452
1453 png_ptr->zstream.next_in = (png_bytep)text;
1454 png_ptr->zstream.avail_in = (uInt)(png_ptr->current_text_size -
1455 (text - key));
1456 png_ptr->zstream.next_out = png_ptr->zbuf;
1457 png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size;
1458
1459 key_size = text - key;
1460 text_size = 0;
1461 text = NULL;
1462 ret = Z_STREAM_END;
1463
1464 while (png_ptr->zstream.avail_in)
1465 {
1466 ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
1467 if (ret != Z_OK && ret != Z_STREAM_END)
1468 {
1469 inflateReset(&png_ptr->zstream);
1470 png_ptr->zstream.avail_in = 0;
1471 png_ptr->current_text = NULL;
1472 png_free(png_ptr, key);
1473 png_free(png_ptr, text);
1474 return;
1475 }
1476
1477 if (!(png_ptr->zstream.avail_out) || ret == Z_STREAM_END)
1478 {
1479 if (text == NULL)
1480 {
1481 text = (png_charp)png_malloc(png_ptr,
1482 (png_ptr->zbuf_size
1483 - png_ptr->zstream.avail_out + key_size + 1));
1484
1485 png_memcpy(text + key_size, png_ptr->zbuf,
1486 png_ptr->zbuf_size - png_ptr->zstream.avail_out);
1487
1488 png_memcpy(text, key, key_size);
1489
1490 text_size = key_size + png_ptr->zbuf_size -
1491 png_ptr->zstream.avail_out;
1492
1493 *(text + text_size) = '\0';
1494 }
1495
1496 else
1497 {
1498 png_charp tmp;
1499
1500 tmp = text;
1501 text = (png_charp)png_malloc(png_ptr, text_size +
1502 (png_ptr->zbuf_size
1503 - png_ptr->zstream.avail_out + 1));
1504
1505 png_memcpy(text, tmp, text_size);
1506 png_free(png_ptr, tmp);
1507
1508 png_memcpy(text + text_size, png_ptr->zbuf,
1509 png_ptr->zbuf_size - png_ptr->zstream.avail_out);
1510
1511 text_size += png_ptr->zbuf_size - png_ptr->zstream.avail_out;
1512 *(text + text_size) = '\0';
1513 }
1514
1515 if (ret != Z_STREAM_END)
1516 {
1517 png_ptr->zstream.next_out = png_ptr->zbuf;
1518 png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size;
1519 }
1520 }
1521 else
1522 {
1523 break;
1524 }
1525
1526 if (ret == Z_STREAM_END)
1527 break;
1528 }
1529
1530 inflateReset(&png_ptr->zstream);
1531 png_ptr->zstream.avail_in = 0;
1532
1533 if (ret != Z_STREAM_END)
1534 {
1535 png_ptr->current_text = NULL;
1536 png_free(png_ptr, key);
1537 png_free(png_ptr, text);
1538 return;
1539 }
1540
1541 png_ptr->current_text = NULL;
1542 png_free(png_ptr, key);
1543 key = text;
1544 text += key_size;
1545
1546 text_ptr = (png_textp)png_malloc(png_ptr,
1547 png_sizeof(png_text));
1548 text_ptr->compression = PNG_TEXT_COMPRESSION_zTXt;
1549 text_ptr->key = key;
1550 text_ptr->itxt_length = 0;
1551 text_ptr->lang = NULL;
1552 text_ptr->lang_key = NULL;
1553 text_ptr->text = text;
1554
1555 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
1556
1557 png_free(png_ptr, key);
1558 png_free(png_ptr, text_ptr);
1559
1560 if (ret)
1561 png_warning(png_ptr, "Insufficient memory to store text chunk");
1562 }
1563 }
1564 #endif
1565
1566 #ifdef PNG_READ_iTXt_SUPPORTED
1567 void /* PRIVATE */
1568 png_push_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32
1569 length)
1570 {
1571 if (!(png_ptr->mode & PNG_HAVE_IHDR) || (png_ptr->mode & PNG_HAVE_IEND))
1572 {
1573 PNG_UNUSED(info_ptr) /* To quiet some compiler warnings */
1574 png_error(png_ptr, "Out of place iTXt");
1575 /* NOT REACHED */
1576 }
1577
1578 #ifdef PNG_MAX_MALLOC_64K
1579 png_ptr->skip_length = 0; /* This may not be necessary */
1580
1581 if (length > (png_uint_32)65535L) /* Can't hold entire string in memory */
1582 {
1583 png_warning(png_ptr, "iTXt chunk too large to fit in memory");
1584 png_ptr->skip_length = length - (png_uint_32)65535L;
1585 length = (png_uint_32)65535L;
1586 }
1587 #endif
1588
1589 png_ptr->current_text = (png_charp)png_malloc(png_ptr,
1590 (png_size_t)(length + 1));
1591 png_ptr->current_text[length] = '\0';
1592 png_ptr->current_text_ptr = png_ptr->current_text;
1593 png_ptr->current_text_size = (png_size_t)length;
1594 png_ptr->current_text_left = (png_size_t)length;
1595 png_ptr->process_mode = PNG_READ_iTXt_MODE;
1596 }
1597
1598 void /* PRIVATE */
1599 png_push_read_iTXt(png_structp png_ptr, png_infop info_ptr)
1600 {
1601
1602 if (png_ptr->buffer_size && png_ptr->current_text_left)
1603 {
1604 png_size_t text_size;
1605
1606 if (png_ptr->buffer_size < png_ptr->current_text_left)
1607 text_size = png_ptr->buffer_size;
1608
1609 else
1610 text_size = png_ptr->current_text_left;
1611
1612 png_crc_read(png_ptr, (png_bytep)png_ptr->current_text_ptr, text_size);
1613 png_ptr->current_text_left -= text_size;
1614 png_ptr->current_text_ptr += text_size;
1615 }
1616
1617 if (!(png_ptr->current_text_left))
1618 {
1619 png_textp text_ptr;
1620 png_charp key;
1621 int comp_flag;
1622 png_charp lang;
1623 png_charp lang_key;
1624 png_charp text;
1625 int ret;
1626
1627 if (png_ptr->buffer_size < 4)
1628 {
1629 png_push_save_buffer(png_ptr);
1630 return;
1631 }
1632
1633 png_push_crc_finish(png_ptr);
1634
1635 #ifdef PNG_MAX_MALLOC_64K
1636 if (png_ptr->skip_length)
1637 return;
1638 #endif
1639
1640 key = png_ptr->current_text;
1641
1642 for (lang = key; *lang; lang++)
1643 /* Empty loop */ ;
1644
1645 if (lang < key + png_ptr->current_text_size - 3)
1646 lang++;
1647
1648 comp_flag = *lang++;
1649 lang++; /* Skip comp_type, always zero */
1650
1651 for (lang_key = lang; *lang_key; lang_key++)
1652 /* Empty loop */ ;
1653
1654 lang_key++; /* Skip NUL separator */
1655
1656 text=lang_key;
1657
1658 if (lang_key < key + png_ptr->current_text_size - 1)
1659 {
1660 for (; *text; text++)
1661 /* Empty loop */ ;
1662 }
1663
1664 if (text < key + png_ptr->current_text_size)
1665 text++;
1666
1667 text_ptr = (png_textp)png_malloc(png_ptr,
1668 png_sizeof(png_text));
1669
1670 text_ptr->compression = comp_flag + 2;
1671 text_ptr->key = key;
1672 text_ptr->lang = lang;
1673 text_ptr->lang_key = lang_key;
1674 text_ptr->text = text;
1675 text_ptr->text_length = 0;
1676 text_ptr->itxt_length = png_strlen(text);
1677
1678 ret = png_set_text_2(png_ptr, info_ptr, text_ptr, 1);
1679
1680 png_ptr->current_text = NULL;
1681
1682 png_free(png_ptr, text_ptr);
1683 if (ret)
1684 png_warning(png_ptr, "Insufficient memory to store iTXt chunk");
1685 }
1686 }
1687 #endif
1688
1689 /* This function is called when we haven't found a handler for this
1690 * chunk. If there isn't a problem with the chunk itself (ie a bad chunk
1691 * name or a critical chunk), the chunk is (currently) silently ignored.
1692 */
1693 void /* PRIVATE */
1694 png_push_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32
1695 length)
1696 {
1697 png_uint_32 skip = 0;
1698 png_uint_32 chunk_name = png_ptr->chunk_name;
1699
1700 if (PNG_CHUNK_CRITICAL(chunk_name))
1701 {
1702 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
1703 if (png_chunk_unknown_handling(png_ptr, chunk_name) !=
1704 PNG_HANDLE_CHUNK_ALWAYS
1705 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
1706 && png_ptr->read_user_chunk_fn == NULL
1707 #endif
1708 )
1709 #endif
1710 png_chunk_error(png_ptr, "unknown critical chunk");
1711
1712 PNG_UNUSED(info_ptr) /* To quiet some compiler warnings */
1713 }
1714
1715 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
1716 /* TODO: the code below is apparently just using the
1717 * png_struct::unknown_chunk member as a temporarily variable, it should be
1718 * possible to eliminate both it and the temporary buffer.
1719 */
1720 if (png_ptr->flags & PNG_FLAG_KEEP_UNKNOWN_CHUNKS)
1721 {
1722 #ifdef PNG_MAX_MALLOC_64K
1723 if (length > 65535)
1724 {
1725 png_warning(png_ptr, "unknown chunk too large to fit in memory");
1726 skip = length - 65535;
1727 length = 65535;
1728 }
1729 #endif
1730 /* This is just a record for the user; libpng doesn't use the character
1731 * form of the name.
1732 */
1733 PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name);
1734
1735 /* The following cast should be safe because of the check above. */
1736 png_ptr->unknown_chunk.size = (png_size_t)length;
1737
1738 if (length == 0)
1739 png_ptr->unknown_chunk.data = NULL;
1740
1741 else
1742 {
1743 png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr,
1744 png_ptr->unknown_chunk.size);
1745 png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data,
1746 png_ptr->unknown_chunk.size);
1747 }
1748
1749 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
1750 if (png_ptr->read_user_chunk_fn != NULL)
1751 {
1752 /* Callback to user unknown chunk handler */
1753 int ret;
1754 ret = (*(png_ptr->read_user_chunk_fn))
1755 (png_ptr, &png_ptr->unknown_chunk);
1756
1757 if (ret < 0)
1758 png_chunk_error(png_ptr, "error in user chunk");
1759
1760 if (ret == 0)
1761 {
1762 if (PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
1763 if (png_chunk_unknown_handling(png_ptr, chunk_name) !=
1764 PNG_HANDLE_CHUNK_ALWAYS)
1765 png_chunk_error(png_ptr, "unknown critical chunk");
1766 png_set_unknown_chunks(png_ptr, info_ptr,
1767 &png_ptr->unknown_chunk, 1);
1768 }
1769 }
1770
1771 else
1772 #endif
1773 png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1);
1774 png_free(png_ptr, png_ptr->unknown_chunk.data);
1775 png_ptr->unknown_chunk.data = NULL;
1776 }
1777
1778 else
1779 #endif
1780 skip=length;
1781 png_push_crc_skip(png_ptr, skip);
1782 }
1783
1784 void /* PRIVATE */
1785 png_push_have_info(png_structp png_ptr, png_infop info_ptr)
1786 {
1787 if (png_ptr->info_fn != NULL)
1788 (*(png_ptr->info_fn))(png_ptr, info_ptr);
1789 }
1790
1791 void /* PRIVATE */
1792 png_push_have_end(png_structp png_ptr, png_infop info_ptr)
1793 {
1794 if (png_ptr->end_fn != NULL)
1795 (*(png_ptr->end_fn))(png_ptr, info_ptr);
1796 }
1797
1798 void /* PRIVATE */
1799 png_push_have_row(png_structp png_ptr, png_bytep row)
1800 {
1801 if (png_ptr->row_fn != NULL)
1802 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number,
1803 (int)png_ptr->pass);
1804 }
1805
1806 #ifdef PNG_READ_INTERLACING_SUPPORTED
1807 void PNGAPI
1808 png_progressive_combine_row (png_structp png_ptr, png_bytep old_row,
1809 png_const_bytep new_row)
1810 {
1811 if (png_ptr == NULL)
1812 return;
1813
1814 /* new_row is a flag here - if it is NULL then the app callback was called
1815 * from an empty row (see the calls to png_struct::row_fn below), otherwise
1816 * it must be png_ptr->row_buf+1
1817 */
1818 if (new_row != NULL)
1819 png_combine_row(png_ptr, old_row, 1/*display*/);
1820 }
1821 #endif /* PNG_READ_INTERLACING_SUPPORTED */
1822
1823 void PNGAPI
1824 png_set_progressive_read_fn(png_structp png_ptr, png_voidp progressive_ptr,
1825 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn,
1826 png_progressive_end_ptr end_fn)
1827 {
1828 if (png_ptr == NULL)
1829 return;
1830
1831 png_ptr->info_fn = info_fn;
1832 png_ptr->row_fn = row_fn;
1833 png_ptr->end_fn = end_fn;
1834
1835 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer);
1836 }
1837
1838 png_voidp PNGAPI
1839 png_get_progressive_ptr(png_const_structp png_ptr)
1840 {
1841 if (png_ptr == NULL)
1842 return (NULL);
1843
1844 return png_ptr->io_ptr;
1845 }
1846 #endif /* PNG_PROGRESSIVE_READ_SUPPORTED */