X-Git-Url: https://git.saurik.com/wxWidgets.git/blobdiff_plain/0272a10d2e6d5323422c4c8600fe47ccac0df182..1437c7fba67d0276fd14e2be839c0492b087444b:/src/png/pngpread.c diff --git a/src/png/pngpread.c b/src/png/pngpread.c index 66b31bcd14..e33b4286fa 100644 --- a/src/png/pngpread.c +++ b/src/png/pngpread.c @@ -1,19 +1,22 @@ /* pngpread.c - read a png file in push mode * - * Last changed in libpng 1.2.20 September 8, 2007 - * For conditions of distribution and use, see copyright notice in png.h - * Copyright (c) 1998-2007 Glenn Randers-Pehrson + * Last changed in libpng 1.4.3 [June 26, 2010] + * Copyright (c) 1998-2010 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) + * + * This code is released under the libpng license. + * For conditions of distribution and use, see the disclaimer + * and license in png.h */ -#define PNG_INTERNAL +#define PNG_NO_PEDANTIC_WARNINGS #include "png.h" - #ifdef PNG_PROGRESSIVE_READ_SUPPORTED +#include "pngpriv.h" -/* push model modes */ +/* Push model modes */ #define PNG_READ_SIG_MODE 0 #define PNG_READ_CHUNK_MODE 1 #define PNG_READ_IDAT_MODE 2 @@ -28,7 +31,9 @@ void PNGAPI png_process_data(png_structp png_ptr, png_infop info_ptr, png_bytep buffer, png_size_t buffer_size) { - if(png_ptr == NULL) return; + if (png_ptr == NULL || info_ptr == NULL) + return; + png_push_restore_buffer(png_ptr, buffer, buffer_size); while (png_ptr->buffer_size) @@ -43,7 +48,9 @@ png_process_data(png_structp png_ptr, png_infop info_ptr, void /* PRIVATE */ png_process_some_data(png_structp png_ptr, png_infop info_ptr) { - if(png_ptr == NULL) return; + if (png_ptr == NULL) + return; + switch (png_ptr->process_mode) { case PNG_READ_SIG_MODE: @@ -51,42 +58,49 @@ png_process_some_data(png_structp png_ptr, png_infop info_ptr) png_push_read_sig(png_ptr, info_ptr); break; } + case PNG_READ_CHUNK_MODE: { png_push_read_chunk(png_ptr, info_ptr); break; } + case PNG_READ_IDAT_MODE: { png_push_read_IDAT(png_ptr); break; } -#if defined(PNG_READ_tEXt_SUPPORTED) + +#ifdef PNG_READ_tEXt_SUPPORTED case PNG_READ_tEXt_MODE: { png_push_read_tEXt(png_ptr, info_ptr); break; } + #endif -#if defined(PNG_READ_zTXt_SUPPORTED) +#ifdef PNG_READ_zTXt_SUPPORTED case PNG_READ_zTXt_MODE: { png_push_read_zTXt(png_ptr, info_ptr); break; } + #endif -#if defined(PNG_READ_iTXt_SUPPORTED) +#ifdef PNG_READ_iTXt_SUPPORTED case PNG_READ_iTXt_MODE: { png_push_read_iTXt(png_ptr, info_ptr); break; } + #endif case PNG_SKIP_MODE: { png_push_crc_finish(png_ptr); break; } + default: { png_ptr->buffer_size = 0; @@ -114,7 +128,7 @@ png_push_read_sig(png_structp png_ptr, png_infop info_ptr) png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]), num_to_check); - png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes+num_to_check); + png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check); if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check)) { @@ -136,63 +150,62 @@ png_push_read_sig(png_structp png_ptr, png_infop info_ptr) void /* PRIVATE */ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) { -#ifdef PNG_USE_LOCAL_ARRAYS - PNG_CONST PNG_IHDR; - PNG_CONST PNG_IDAT; - PNG_CONST PNG_IEND; - PNG_CONST PNG_PLTE; -#if defined(PNG_READ_bKGD_SUPPORTED) - PNG_CONST PNG_bKGD; + PNG_IHDR; + PNG_IDAT; + PNG_IEND; + PNG_PLTE; +#ifdef PNG_READ_bKGD_SUPPORTED + PNG_bKGD; #endif -#if defined(PNG_READ_cHRM_SUPPORTED) - PNG_CONST PNG_cHRM; +#ifdef PNG_READ_cHRM_SUPPORTED + PNG_cHRM; #endif -#if defined(PNG_READ_gAMA_SUPPORTED) - PNG_CONST PNG_gAMA; +#ifdef PNG_READ_gAMA_SUPPORTED + PNG_gAMA; #endif -#if defined(PNG_READ_hIST_SUPPORTED) - PNG_CONST PNG_hIST; +#ifdef PNG_READ_hIST_SUPPORTED + PNG_hIST; #endif -#if defined(PNG_READ_iCCP_SUPPORTED) - PNG_CONST PNG_iCCP; +#ifdef PNG_READ_iCCP_SUPPORTED + PNG_iCCP; #endif -#if defined(PNG_READ_iTXt_SUPPORTED) - PNG_CONST PNG_iTXt; +#ifdef PNG_READ_iTXt_SUPPORTED + PNG_iTXt; #endif -#if defined(PNG_READ_oFFs_SUPPORTED) - PNG_CONST PNG_oFFs; +#ifdef PNG_READ_oFFs_SUPPORTED + PNG_oFFs; #endif -#if defined(PNG_READ_pCAL_SUPPORTED) - PNG_CONST PNG_pCAL; +#ifdef PNG_READ_pCAL_SUPPORTED + PNG_pCAL; #endif -#if defined(PNG_READ_pHYs_SUPPORTED) - PNG_CONST PNG_pHYs; +#ifdef PNG_READ_pHYs_SUPPORTED + PNG_pHYs; #endif -#if defined(PNG_READ_sBIT_SUPPORTED) - PNG_CONST PNG_sBIT; +#ifdef PNG_READ_sBIT_SUPPORTED + PNG_sBIT; #endif -#if defined(PNG_READ_sCAL_SUPPORTED) - PNG_CONST PNG_sCAL; +#ifdef PNG_READ_sCAL_SUPPORTED + PNG_sCAL; #endif -#if defined(PNG_READ_sRGB_SUPPORTED) - PNG_CONST PNG_sRGB; +#ifdef PNG_READ_sRGB_SUPPORTED + PNG_sRGB; #endif -#if defined(PNG_READ_sPLT_SUPPORTED) - PNG_CONST PNG_sPLT; +#ifdef PNG_READ_sPLT_SUPPORTED + PNG_sPLT; #endif -#if defined(PNG_READ_tEXt_SUPPORTED) - PNG_CONST PNG_tEXt; +#ifdef PNG_READ_tEXt_SUPPORTED + PNG_tEXt; #endif -#if defined(PNG_READ_tIME_SUPPORTED) - PNG_CONST PNG_tIME; +#ifdef PNG_READ_tIME_SUPPORTED + PNG_tIME; #endif -#if defined(PNG_READ_tRNS_SUPPORTED) - PNG_CONST PNG_tRNS; +#ifdef PNG_READ_tRNS_SUPPORTED + PNG_tRNS; #endif -#if defined(PNG_READ_zTXt_SUPPORTED) - PNG_CONST PNG_zTXt; +#ifdef PNG_READ_zTXt_SUPPORTED + PNG_zTXt; #endif -#endif /* PNG_USE_LOCAL_ARRAYS */ + /* First we make sure we have enough data for the 4 byte chunk name * and the 4 byte chunk length before proceeding with decoding the * chunk data. To fully decode each of these chunks, we also make @@ -210,25 +223,31 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); + png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); + png_check_chunk_name(png_ptr, png_ptr->chunk_name); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; } - if (!png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) - if(png_ptr->mode & PNG_AFTER_IDAT) + if (!png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) + if (png_ptr->mode & PNG_AFTER_IDAT) png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT; if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4)) { + if (png_ptr->push_length != 13) + png_error(png_ptr, "Invalid IHDR length"); + if (png_ptr->push_length + 4 > png_ptr->buffer_size) { png_push_save_buffer(png_ptr); return; } + png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length); } + else if (!png_memcmp(png_ptr->chunk_name, png_IEND, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -236,11 +255,13 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length); png_ptr->process_mode = PNG_READ_DONE_MODE; png_push_have_end(png_ptr, info_ptr); } + #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED else if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name)) { @@ -249,20 +270,26 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + if (!png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) png_ptr->mode |= PNG_HAVE_IDAT; + png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length); + if (!png_memcmp(png_ptr->chunk_name, png_PLTE, 4)) png_ptr->mode |= PNG_HAVE_PLTE; + else if (!png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) { if (!(png_ptr->mode & PNG_HAVE_IHDR)) png_error(png_ptr, "Missing IHDR before IDAT"); + else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && !(png_ptr->mode & PNG_HAVE_PLTE)) png_error(png_ptr, "Missing PLTE before IDAT"); } } + #endif else if (!png_memcmp(png_ptr->chunk_name, png_PLTE, 4)) { @@ -273,37 +300,43 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) } png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length); } - else if (!png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) + + else if (!png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) { /* If we reach an IDAT chunk, this means we have read all of the * header chunks, and we can start reading the image (or if this * is called after the image has been read - we have an error). */ - if (!(png_ptr->mode & PNG_HAVE_IHDR)) - png_error(png_ptr, "Missing IHDR before IDAT"); - else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && - !(png_ptr->mode & PNG_HAVE_PLTE)) - png_error(png_ptr, "Missing PLTE before IDAT"); + + if (!(png_ptr->mode & PNG_HAVE_IHDR)) + png_error(png_ptr, "Missing IHDR before IDAT"); + + else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && + !(png_ptr->mode & PNG_HAVE_PLTE)) + png_error(png_ptr, "Missing PLTE before IDAT"); if (png_ptr->mode & PNG_HAVE_IDAT) { if (!(png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT)) - if (png_ptr->push_length == 0) - return; + if (png_ptr->push_length == 0) + return; if (png_ptr->mode & PNG_AFTER_IDAT) - png_error(png_ptr, "Too many IDAT's found"); + png_benign_error(png_ptr, "Too many IDATs found"); } png_ptr->idat_size = png_ptr->push_length; png_ptr->mode |= PNG_HAVE_IDAT; png_ptr->process_mode = PNG_READ_IDAT_MODE; png_push_have_info(png_ptr, info_ptr); - png_ptr->zstream.avail_out = (uInt)png_ptr->irowbytes; + png_ptr->zstream.avail_out = + (uInt) PNG_ROWBYTES(png_ptr->pixel_depth, + png_ptr->iwidth) + 1; png_ptr->zstream.next_out = png_ptr->row_buf; return; } -#if defined(PNG_READ_gAMA_SUPPORTED) + +#ifdef PNG_READ_gAMA_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_gAMA, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -311,10 +344,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_sBIT_SUPPORTED) +#ifdef PNG_READ_sBIT_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_sBIT, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -322,10 +357,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_cHRM_SUPPORTED) +#ifdef PNG_READ_cHRM_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_cHRM, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -333,10 +370,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_sRGB_SUPPORTED) +#ifdef PNG_READ_sRGB_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_sRGB, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -344,10 +383,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_iCCP_SUPPORTED) +#ifdef PNG_READ_iCCP_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_iCCP, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -355,10 +396,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_sPLT_SUPPORTED) +#ifdef PNG_READ_sPLT_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_sPLT, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -366,10 +409,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_tRNS_SUPPORTED) +#ifdef PNG_READ_tRNS_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_tRNS, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -377,10 +422,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_bKGD_SUPPORTED) +#ifdef PNG_READ_bKGD_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_bKGD, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -388,10 +435,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_hIST_SUPPORTED) +#ifdef PNG_READ_hIST_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_hIST, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -399,10 +448,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_pHYs_SUPPORTED) +#ifdef PNG_READ_pHYs_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_pHYs, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -410,10 +461,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_oFFs_SUPPORTED) +#ifdef PNG_READ_oFFs_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_oFFs, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -421,10 +474,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length); } #endif -#if defined(PNG_READ_pCAL_SUPPORTED) + +#ifdef PNG_READ_pCAL_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_pCAL, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -432,10 +487,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_sCAL_SUPPORTED) +#ifdef PNG_READ_sCAL_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_sCAL, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -443,10 +500,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_tIME_SUPPORTED) +#ifdef PNG_READ_tIME_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_tIME, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -454,10 +513,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_tEXt_SUPPORTED) +#ifdef PNG_READ_tEXt_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_tEXt, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -465,10 +526,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_push_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_zTXt_SUPPORTED) +#ifdef PNG_READ_zTXt_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_zTXt, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -476,10 +539,12 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_push_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length); } + #endif -#if defined(PNG_READ_iTXt_SUPPORTED) +#ifdef PNG_READ_iTXt_SUPPORTED else if (!png_memcmp(png_ptr->chunk_name, png_iTXt, 4)) { if (png_ptr->push_length + 4 > png_ptr->buffer_size) @@ -487,8 +552,10 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) png_push_save_buffer(png_ptr); return; } + png_push_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length); } + #endif else { @@ -563,7 +630,9 @@ png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length) { png_bytep ptr; - if(png_ptr == NULL) return; + if (png_ptr == NULL) + return; + ptr = buffer; if (png_ptr->save_buffer_size) { @@ -587,6 +656,7 @@ png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length) if (length < png_ptr->current_buffer_size) save_size = length; + else save_size = png_ptr->current_buffer_size; @@ -604,7 +674,7 @@ png_push_save_buffer(png_structp png_ptr) { if (png_ptr->save_buffer_ptr != png_ptr->save_buffer) { - png_size_t i,istop; + png_size_t i, istop; png_bytep sp; png_bytep dp; @@ -627,10 +697,16 @@ png_push_save_buffer(png_structp png_ptr) { png_error(png_ptr, "Potential overflow of save_buffer"); } + new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; old_buffer = png_ptr->save_buffer; - png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr, - (png_uint_32)new_max); + png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr, + (png_size_t)new_max); + if (png_ptr->save_buffer == NULL) + { + png_free(png_ptr, old_buffer); + png_error(png_ptr, "Insufficient memory for save_buffer"); + } png_memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size); png_free(png_ptr, old_buffer); png_ptr->save_buffer_max = new_max; @@ -659,9 +735,7 @@ png_push_restore_buffer(png_structp png_ptr, png_bytep buffer, void /* PRIVATE */ png_push_read_IDAT(png_structp png_ptr) { -#ifdef PNG_USE_LOCAL_ARRAYS - PNG_CONST PNG_IDAT; -#endif + PNG_IDAT; if (!(png_ptr->mode & PNG_HAVE_CHUNK_HEADER)) { png_byte chunk_length[4]; @@ -673,12 +747,12 @@ png_push_read_IDAT(png_structp png_ptr) } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); + png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; - if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) + if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) { png_ptr->process_mode = PNG_READ_CHUNK_MODE; if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED)) @@ -695,16 +769,18 @@ png_push_read_IDAT(png_structp png_ptr) if (png_ptr->idat_size < (png_uint_32)png_ptr->save_buffer_size) { save_size = (png_size_t)png_ptr->idat_size; - /* check for overflow */ - if((png_uint_32)save_size != png_ptr->idat_size) + + /* Check for overflow */ + if ((png_uint_32)save_size != png_ptr->idat_size) png_error(png_ptr, "save_size overflowed in pngpread"); } else save_size = png_ptr->save_buffer_size; png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size); - if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED)) - png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size); + + png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size); + png_ptr->idat_size -= save_size; png_ptr->buffer_size -= save_size; png_ptr->save_buffer_size -= save_size; @@ -717,16 +793,17 @@ png_push_read_IDAT(png_structp png_ptr) if (png_ptr->idat_size < (png_uint_32)png_ptr->current_buffer_size) { save_size = (png_size_t)png_ptr->idat_size; - /* check for overflow */ - if((png_uint_32)save_size != png_ptr->idat_size) + + /* Check for overflow */ + if ((png_uint_32)save_size != png_ptr->idat_size) png_error(png_ptr, "save_size overflowed in pngpread"); } else save_size = png_ptr->current_buffer_size; png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size); - if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED)) - png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size); + + png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size); png_ptr->idat_size -= save_size; png_ptr->buffer_size -= save_size; @@ -751,57 +828,101 @@ void /* PRIVATE */ png_process_IDAT_data(png_structp png_ptr, png_bytep buffer, png_size_t buffer_length) { - int ret; - - if ((png_ptr->flags & PNG_FLAG_ZLIB_FINISHED) && buffer_length) - png_error(png_ptr, "Extra compression data"); + /* The caller checks for a non-zero buffer length. */ + if (!(buffer_length > 0) || buffer == NULL) + png_error(png_ptr, "No IDAT data (internal error)"); + /* This routine must process all the data it has been given + * before returning, calling the row callback as required to + * handle the uncompressed results. + */ png_ptr->zstream.next_in = buffer; png_ptr->zstream.avail_in = (uInt)buffer_length; - for(;;) + + /* Keep going until the decompressed data is all processed + * or the stream marked as finished. + */ + while (png_ptr->zstream.avail_in > 0 && + !(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED)) { - ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH); - if (ret != Z_OK) + int ret; + + /* We have data for zlib, but we must check that zlib + * has somewhere to put the results. It doesn't matter + * if we don't expect any results -- it may be the input + * data is just the LZ end code. + */ + if (!(png_ptr->zstream.avail_out > 0)) { - if (ret == Z_STREAM_END) - { - if (png_ptr->zstream.avail_in) - png_error(png_ptr, "Extra compressed data"); - if (!(png_ptr->zstream.avail_out)) - { - png_push_process_row(png_ptr); - } + png_ptr->zstream.avail_out = + (uInt) PNG_ROWBYTES(png_ptr->pixel_depth, + png_ptr->iwidth) + 1; + png_ptr->zstream.next_out = png_ptr->row_buf; + } - png_ptr->mode |= PNG_AFTER_IDAT; - png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED; - break; - } - else if (ret == Z_BUF_ERROR) - break; + /* Using Z_SYNC_FLUSH here means that an unterminated + * LZ stream can still be handled (a stream with a missing + * end code), otherwise (Z_NO_FLUSH) a future zlib + * implementation might defer output and, therefore, + * change the current behavior. (See comments in inflate.c + * for why this doesn't happen at present with zlib 1.2.5.) + */ + ret = inflate(&png_ptr->zstream, Z_SYNC_FLUSH); + + /* Check for any failure before proceeding. */ + if (ret != Z_OK && ret != Z_STREAM_END) + { + /* Terminate the decompression. */ + png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED; + + /* This may be a truncated stream (missing or + * damaged end code). Treat that as a warning. + */ + if (png_ptr->row_number >= png_ptr->num_rows || + png_ptr->pass > 6) + png_warning(png_ptr, "Truncated compressed data in IDAT"); else - png_error(png_ptr, "Decompression Error"); + png_error(png_ptr, "Decompression error in IDAT"); + + /* Skip the check on unprocessed input */ + return; } - if (!(png_ptr->zstream.avail_out)) + + /* Did inflate output any data? */ + if (png_ptr->zstream.next_out != png_ptr->row_buf) { - if (( -#if defined(PNG_READ_INTERLACING_SUPPORTED) - png_ptr->interlaced && png_ptr->pass > 6) || - (!png_ptr->interlaced && -#endif - png_ptr->row_number == png_ptr->num_rows)) + /* Is this unexpected data after the last row? + * If it is, artificially terminate the LZ output + * here. + */ + if (png_ptr->row_number >= png_ptr->num_rows || + png_ptr->pass > 6) { - if (png_ptr->zstream.avail_in) - png_warning(png_ptr, "Too much data in IDAT chunks"); - png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED; - break; + /* Extra data. */ + png_warning(png_ptr, "Extra compressed data in IDAT"); + png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED; + /* Do no more processing; skip the unprocessed + * input check below. + */ + return; } - png_push_process_row(png_ptr); - png_ptr->zstream.avail_out = (uInt)png_ptr->irowbytes; - png_ptr->zstream.next_out = png_ptr->row_buf; + + /* Do we have a complete row? */ + if (png_ptr->zstream.avail_out == 0) + png_push_process_row(png_ptr); } - else - break; + + /* And check for the end of the stream. */ + if (ret == Z_STREAM_END) + png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED; } + + /* All the data should have been processed, if anything + * is left at this point we have bytes of IDAT data + * after the zlib end code. + */ + if (png_ptr->zstream.avail_in > 0) + png_warning(png_ptr, "Extra compression data"); } void /* PRIVATE */ @@ -817,23 +938,22 @@ png_push_process_row(png_structp png_ptr) png_ptr->row_info.width); png_read_filter_row(png_ptr, &(png_ptr->row_info), - png_ptr->row_buf + 1, png_ptr->prev_row + 1, - (int)(png_ptr->row_buf[0])); + png_ptr->row_buf + 1, png_ptr->prev_row + 1, + (int)(png_ptr->row_buf[0])); - png_memcpy_check(png_ptr, png_ptr->prev_row, png_ptr->row_buf, - png_ptr->rowbytes + 1); + png_memcpy(png_ptr->prev_row, png_ptr->row_buf, png_ptr->rowbytes + 1); if (png_ptr->transformations || (png_ptr->flags&PNG_FLAG_STRIP_ALPHA)) png_do_read_transformations(png_ptr); -#if defined(PNG_READ_INTERLACING_SUPPORTED) - /* blow up interlaced rows to full size */ +#ifdef PNG_READ_INTERLACING_SUPPORTED + /* Blow up interlaced rows to full size */ if (png_ptr->interlaced && (png_ptr->transformations & PNG_INTERLACE)) { if (png_ptr->pass < 6) /* old interface (pre-1.0.9): png_do_read_interlace(&(png_ptr->row_info), - png_ptr->row_buf + 1, png_ptr->pass, png_ptr->transformations); + png_ptr->row_buf + 1, png_ptr->pass, png_ptr->transformations); */ png_do_read_interlace(png_ptr); @@ -845,31 +965,36 @@ png_push_process_row(png_structp png_ptr) for (i = 0; i < 8 && png_ptr->pass == 0; i++) { png_push_have_row(png_ptr, png_ptr->row_buf + 1); - png_read_push_finish_row(png_ptr); /* updates png_ptr->pass */ + png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */ } - if (png_ptr->pass == 2) /* pass 1 might be empty */ + + if (png_ptr->pass == 2) /* Pass 1 might be empty */ { for (i = 0; i < 4 && png_ptr->pass == 2; i++) { - png_push_have_row(png_ptr, png_bytep_NULL); + png_push_have_row(png_ptr, NULL); png_read_push_finish_row(png_ptr); } } + if (png_ptr->pass == 4 && png_ptr->height <= 4) { for (i = 0; i < 2 && png_ptr->pass == 4; i++) { - png_push_have_row(png_ptr, png_bytep_NULL); + png_push_have_row(png_ptr, NULL); png_read_push_finish_row(png_ptr); } } + if (png_ptr->pass == 6 && png_ptr->height <= 4) { - png_push_have_row(png_ptr, png_bytep_NULL); + png_push_have_row(png_ptr, NULL); png_read_push_finish_row(png_ptr); } + break; } + case 1: { int i; @@ -878,99 +1003,121 @@ png_push_process_row(png_structp png_ptr) png_push_have_row(png_ptr, png_ptr->row_buf + 1); png_read_push_finish_row(png_ptr); } - if (png_ptr->pass == 2) /* skip top 4 generated rows */ + + if (png_ptr->pass == 2) /* Skip top 4 generated rows */ { for (i = 0; i < 4 && png_ptr->pass == 2; i++) { - png_push_have_row(png_ptr, png_bytep_NULL); + png_push_have_row(png_ptr, NULL); png_read_push_finish_row(png_ptr); } } + break; } + case 2: { int i; + for (i = 0; i < 4 && png_ptr->pass == 2; i++) { png_push_have_row(png_ptr, png_ptr->row_buf + 1); png_read_push_finish_row(png_ptr); } + for (i = 0; i < 4 && png_ptr->pass == 2; i++) { - png_push_have_row(png_ptr, png_bytep_NULL); + png_push_have_row(png_ptr, NULL); png_read_push_finish_row(png_ptr); } - if (png_ptr->pass == 4) /* pass 3 might be empty */ + + if (png_ptr->pass == 4) /* Pass 3 might be empty */ { for (i = 0; i < 2 && png_ptr->pass == 4; i++) { - png_push_have_row(png_ptr, png_bytep_NULL); + png_push_have_row(png_ptr, NULL); png_read_push_finish_row(png_ptr); } } + break; } + case 3: { int i; + for (i = 0; i < 4 && png_ptr->pass == 3; i++) { png_push_have_row(png_ptr, png_ptr->row_buf + 1); png_read_push_finish_row(png_ptr); } - if (png_ptr->pass == 4) /* skip top two generated rows */ + + if (png_ptr->pass == 4) /* Skip top two generated rows */ { for (i = 0; i < 2 && png_ptr->pass == 4; i++) { - png_push_have_row(png_ptr, png_bytep_NULL); + png_push_have_row(png_ptr, NULL); png_read_push_finish_row(png_ptr); } } + break; } + case 4: { int i; + for (i = 0; i < 2 && png_ptr->pass == 4; i++) { png_push_have_row(png_ptr, png_ptr->row_buf + 1); png_read_push_finish_row(png_ptr); } + for (i = 0; i < 2 && png_ptr->pass == 4; i++) { - png_push_have_row(png_ptr, png_bytep_NULL); + png_push_have_row(png_ptr, NULL); png_read_push_finish_row(png_ptr); } - if (png_ptr->pass == 6) /* pass 5 might be empty */ + + if (png_ptr->pass == 6) /* Pass 5 might be empty */ { - png_push_have_row(png_ptr, png_bytep_NULL); + png_push_have_row(png_ptr, NULL); png_read_push_finish_row(png_ptr); } + break; } + case 5: { int i; + for (i = 0; i < 2 && png_ptr->pass == 5; i++) { png_push_have_row(png_ptr, png_ptr->row_buf + 1); png_read_push_finish_row(png_ptr); } - if (png_ptr->pass == 6) /* skip top generated row */ + + if (png_ptr->pass == 6) /* Skip top generated row */ { - png_push_have_row(png_ptr, png_bytep_NULL); + png_push_have_row(png_ptr, NULL); png_read_push_finish_row(png_ptr); } + break; } case 6: { png_push_have_row(png_ptr, png_ptr->row_buf + 1); png_read_push_finish_row(png_ptr); + if (png_ptr->pass != 6) break; - png_push_have_row(png_ptr, png_bytep_NULL); + + png_push_have_row(png_ptr, NULL); png_read_push_finish_row(png_ptr); } } @@ -986,35 +1133,34 @@ png_push_process_row(png_structp png_ptr) void /* PRIVATE */ png_read_push_finish_row(png_structp png_ptr) { -#ifdef PNG_USE_LOCAL_ARRAYS - /* arrays to facilitate easy interlacing - use pass (0 - 6) as index */ + /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ - /* start of interlace block */ + /* Start of interlace block */ PNG_CONST int FARDATA png_pass_start[] = {0, 4, 0, 2, 0, 1, 0}; - /* offset to next interlace block */ + /* Offset to next interlace block */ PNG_CONST int FARDATA png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1}; - /* start of interlace block in the y direction */ + /* Start of interlace block in the y direction */ PNG_CONST int FARDATA png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1}; - /* offset to next interlace block in the y direction */ + /* Offset to next interlace block in the y direction */ PNG_CONST int FARDATA png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2}; /* Height of interlace block. This is not currently used - if you need * it, uncomment it here and in png.h PNG_CONST int FARDATA png_pass_height[] = {8, 8, 4, 4, 2, 2, 1}; */ -#endif png_ptr->row_number++; if (png_ptr->row_number < png_ptr->num_rows) return; +#ifdef PNG_READ_INTERLACING_SUPPORTED if (png_ptr->interlaced) { png_ptr->row_number = 0; - png_memset_check(png_ptr, png_ptr->prev_row, 0, + png_memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1); do { @@ -1026,6 +1172,7 @@ png_read_push_finish_row(png_structp png_ptr) if (png_ptr->pass > 7) png_ptr->pass--; + if (png_ptr->pass >= 7) break; @@ -1034,9 +1181,6 @@ png_read_push_finish_row(png_structp png_ptr) png_pass_start[png_ptr->pass]) / png_pass_inc[png_ptr->pass]; - png_ptr->irowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, - png_ptr->iwidth) + 1; - if (png_ptr->transformations & PNG_INTERLACE) break; @@ -1047,9 +1191,10 @@ png_read_push_finish_row(png_structp png_ptr) } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0); } +#endif /* PNG_READ_INTERLACING_SUPPORTED */ } -#if defined(PNG_READ_tEXt_SUPPORTED) +#ifdef PNG_READ_tEXt_SUPPORTED void /* PRIVATE */ png_push_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) @@ -1057,7 +1202,7 @@ png_push_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 if (!(png_ptr->mode & PNG_HAVE_IHDR) || (png_ptr->mode & PNG_HAVE_IEND)) { png_error(png_ptr, "Out of place tEXt"); - info_ptr = info_ptr; /* to quiet some compiler warnings */ + info_ptr = info_ptr; /* To quiet some compiler warnings */ } #ifdef PNG_MAX_MALLOC_64K @@ -1072,7 +1217,7 @@ png_push_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 #endif png_ptr->current_text = (png_charp)png_malloc(png_ptr, - (png_uint_32)(length+1)); + (png_size_t)(length + 1)); png_ptr->current_text[length] = '\0'; png_ptr->current_text_ptr = png_ptr->current_text; png_ptr->current_text_size = (png_size_t)length; @@ -1089,8 +1234,10 @@ png_push_read_tEXt(png_structp png_ptr, png_infop info_ptr) if (png_ptr->buffer_size < png_ptr->current_text_left) text_size = png_ptr->buffer_size; + else text_size = png_ptr->current_text_left; + png_crc_read(png_ptr, (png_bytep)png_ptr->current_text_ptr, text_size); png_ptr->current_text_left -= text_size; png_ptr->current_text_ptr += text_size; @@ -1110,7 +1257,7 @@ png_push_read_tEXt(png_structp png_ptr, png_infop info_ptr) png_push_crc_finish(png_ptr); -#if defined(PNG_MAX_MALLOC_64K) +#ifdef PNG_MAX_MALLOC_64K if (png_ptr->skip_length) return; #endif @@ -1118,13 +1265,13 @@ png_push_read_tEXt(png_structp png_ptr, png_infop info_ptr) key = png_ptr->current_text; for (text = key; *text; text++) - /* empty loop */ ; + /* Empty loop */ ; - if (text != key + png_ptr->current_text_size) + if (text < key + png_ptr->current_text_size) text++; text_ptr = (png_textp)png_malloc(png_ptr, - (png_uint_32)png_sizeof(png_text)); + png_sizeof(png_text)); text_ptr->compression = PNG_TEXT_COMPRESSION_NONE; text_ptr->key = key; #ifdef PNG_iTXt_SUPPORTED @@ -1140,12 +1287,12 @@ png_push_read_tEXt(png_structp png_ptr, png_infop info_ptr) png_ptr->current_text = NULL; if (ret) - png_warning(png_ptr, "Insufficient memory to store text chunk."); + png_warning(png_ptr, "Insufficient memory to store text chunk"); } } #endif -#if defined(PNG_READ_zTXt_SUPPORTED) +#ifdef PNG_READ_zTXt_SUPPORTED void /* PRIVATE */ png_push_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) @@ -1153,7 +1300,7 @@ png_push_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 if (!(png_ptr->mode & PNG_HAVE_IHDR) || (png_ptr->mode & PNG_HAVE_IEND)) { png_error(png_ptr, "Out of place zTXt"); - info_ptr = info_ptr; /* to quiet some compiler warnings */ + info_ptr = info_ptr; /* To quiet some compiler warnings */ } #ifdef PNG_MAX_MALLOC_64K @@ -1170,7 +1317,7 @@ png_push_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 #endif png_ptr->current_text = (png_charp)png_malloc(png_ptr, - (png_uint_32)(length+1)); + (png_size_t)(length + 1)); png_ptr->current_text[length] = '\0'; png_ptr->current_text_ptr = png_ptr->current_text; png_ptr->current_text_size = (png_size_t)length; @@ -1187,8 +1334,10 @@ png_push_read_zTXt(png_structp png_ptr, png_infop info_ptr) if (png_ptr->buffer_size < (png_uint_32)png_ptr->current_text_left) text_size = png_ptr->buffer_size; + else text_size = png_ptr->current_text_left; + png_crc_read(png_ptr, (png_bytep)png_ptr->current_text_ptr, text_size); png_ptr->current_text_left -= text_size; png_ptr->current_text_ptr += text_size; @@ -1212,10 +1361,10 @@ png_push_read_zTXt(png_structp png_ptr, png_infop info_ptr) key = png_ptr->current_text; for (text = key; *text; text++) - /* empty loop */ ; + /* Empty loop */ ; /* zTXt can't have zero text */ - if (text == key + png_ptr->current_text_size) + if (text >= key + png_ptr->current_text_size) { png_ptr->current_text = NULL; png_free(png_ptr, key); @@ -1224,7 +1373,7 @@ png_push_read_zTXt(png_structp png_ptr, png_infop info_ptr) text++; - if (*text != PNG_TEXT_COMPRESSION_zTXt) /* check compression byte */ + if (*text != PNG_TEXT_COMPRESSION_zTXt) /* Check compression byte */ { png_ptr->current_text = NULL; png_free(png_ptr, key); @@ -1261,13 +1410,17 @@ png_push_read_zTXt(png_structp png_ptr, png_infop info_ptr) if (text == NULL) { text = (png_charp)png_malloc(png_ptr, - (png_uint_32)(png_ptr->zbuf_size - png_ptr->zstream.avail_out - + key_size + 1)); + (png_ptr->zbuf_size + - png_ptr->zstream.avail_out + key_size + 1)); + png_memcpy(text + key_size, png_ptr->zbuf, png_ptr->zbuf_size - png_ptr->zstream.avail_out); + png_memcpy(text, key, key_size); + text_size = key_size + png_ptr->zbuf_size - png_ptr->zstream.avail_out; + *(text + text_size) = '\0'; } else @@ -1276,12 +1429,15 @@ png_push_read_zTXt(png_structp png_ptr, png_infop info_ptr) tmp = text; text = (png_charp)png_malloc(png_ptr, text_size + - (png_uint_32)(png_ptr->zbuf_size - png_ptr->zstream.avail_out - + 1)); + (png_ptr->zbuf_size + - png_ptr->zstream.avail_out + 1)); + png_memcpy(text, tmp, text_size); png_free(png_ptr, tmp); + png_memcpy(text + text_size, png_ptr->zbuf, png_ptr->zbuf_size - png_ptr->zstream.avail_out); + text_size += png_ptr->zbuf_size - png_ptr->zstream.avail_out; *(text + text_size) = '\0'; } @@ -1317,7 +1473,7 @@ png_push_read_zTXt(png_structp png_ptr, png_infop info_ptr) text += key_size; text_ptr = (png_textp)png_malloc(png_ptr, - (png_uint_32)png_sizeof(png_text)); + png_sizeof(png_text)); text_ptr->compression = PNG_TEXT_COMPRESSION_zTXt; text_ptr->key = key; #ifdef PNG_iTXt_SUPPORTED @@ -1332,12 +1488,12 @@ png_push_read_zTXt(png_structp png_ptr, png_infop info_ptr) png_free(png_ptr, text_ptr); if (ret) - png_warning(png_ptr, "Insufficient memory to store text chunk."); + png_warning(png_ptr, "Insufficient memory to store text chunk"); } } #endif -#if defined(PNG_READ_iTXt_SUPPORTED) +#ifdef PNG_READ_iTXt_SUPPORTED void /* PRIVATE */ png_push_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) @@ -1345,7 +1501,7 @@ png_push_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 if (!(png_ptr->mode & PNG_HAVE_IHDR) || (png_ptr->mode & PNG_HAVE_IEND)) { png_error(png_ptr, "Out of place iTXt"); - info_ptr = info_ptr; /* to quiet some compiler warnings */ + info_ptr = info_ptr; /* To quiet some compiler warnings */ } #ifdef PNG_MAX_MALLOC_64K @@ -1360,7 +1516,7 @@ png_push_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 #endif png_ptr->current_text = (png_charp)png_malloc(png_ptr, - (png_uint_32)(length+1)); + (png_size_t)(length + 1)); png_ptr->current_text[length] = '\0'; png_ptr->current_text_ptr = png_ptr->current_text; png_ptr->current_text_size = (png_size_t)length; @@ -1378,8 +1534,10 @@ png_push_read_iTXt(png_structp png_ptr, png_infop info_ptr) if (png_ptr->buffer_size < png_ptr->current_text_left) text_size = png_ptr->buffer_size; + else text_size = png_ptr->current_text_left; + png_crc_read(png_ptr, (png_bytep)png_ptr->current_text_ptr, text_size); png_ptr->current_text_left -= text_size; png_ptr->current_text_ptr += text_size; @@ -1402,7 +1560,7 @@ png_push_read_iTXt(png_structp png_ptr, png_infop info_ptr) png_push_crc_finish(png_ptr); -#if defined(PNG_MAX_MALLOC_64K) +#ifdef PNG_MAX_MALLOC_64K if (png_ptr->skip_length) return; #endif @@ -1410,26 +1568,33 @@ png_push_read_iTXt(png_structp png_ptr, png_infop info_ptr) key = png_ptr->current_text; for (lang = key; *lang; lang++) - /* empty loop */ ; + /* Empty loop */ ; - if (lang != key + png_ptr->current_text_size) + if (lang < key + png_ptr->current_text_size - 3) lang++; comp_flag = *lang++; - lang++; /* skip comp_type, always zero */ + lang++; /* Skip comp_type, always zero */ for (lang_key = lang; *lang_key; lang_key++) - /* empty loop */ ; - lang_key++; /* skip NUL separator */ + /* Empty loop */ ; + + lang_key++; /* Skip NUL separator */ + + text=lang_key; - for (text = lang_key; *text; text++) - /* empty loop */ ; + if (lang_key < key + png_ptr->current_text_size - 1) + { + for (; *text; text++) + /* Empty loop */ ; + } - if (text != key + png_ptr->current_text_size) + if (text < key + png_ptr->current_text_size) text++; text_ptr = (png_textp)png_malloc(png_ptr, - (png_uint_32)png_sizeof(png_text)); + png_sizeof(png_text)); + text_ptr->compression = comp_flag + 2; text_ptr->key = key; text_ptr->lang = lang; @@ -1444,7 +1609,7 @@ png_push_read_iTXt(png_structp png_ptr, png_infop info_ptr) png_free(png_ptr, text_ptr); if (ret) - png_warning(png_ptr, "Insufficient memory to store iTXt chunk."); + png_warning(png_ptr, "Insufficient memory to store iTXt chunk"); } } #endif @@ -1457,25 +1622,24 @@ void /* PRIVATE */ png_push_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - png_uint_32 skip=0; - png_check_chunk_name(png_ptr, png_ptr->chunk_name); + png_uint_32 skip = 0; if (!(png_ptr->chunk_name[0] & 0x20)) { -#if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) - if(png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != - PNG_HANDLE_CHUNK_ALWAYS -#if defined(PNG_READ_USER_CHUNKS_SUPPORTED) - && png_ptr->read_user_chunk_fn == NULL +#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED + if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != + PNG_HANDLE_CHUNK_ALWAYS +#ifdef PNG_READ_USER_CHUNKS_SUPPORTED + && png_ptr->read_user_chunk_fn == NULL #endif - ) + ) #endif - png_chunk_error(png_ptr, "unknown critical chunk"); + png_chunk_error(png_ptr, "unknown critical chunk"); - info_ptr = info_ptr; /* to quiet some compiler warnings */ + info_ptr = info_ptr; /* To quiet some compiler warnings */ } -#if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) +#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED if (png_ptr->flags & PNG_FLAG_KEEP_UNKNOWN_CHUNKS) { #ifdef PNG_MAX_MALLOC_64K @@ -1486,37 +1650,53 @@ png_push_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length = (png_uint_32)65535L; } #endif - png_strncpy((png_charp)png_ptr->unknown_chunk.name, - (png_charp)png_ptr->chunk_name, - png_sizeof((png_charp)png_ptr->chunk_name)); - png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); + png_memcpy((png_charp)png_ptr->unknown_chunk.name, + (png_charp)png_ptr->chunk_name, + png_sizeof(png_ptr->unknown_chunk.name)); + png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name) - 1] + = '\0'; + png_ptr->unknown_chunk.size = (png_size_t)length; - png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); -#if defined(PNG_READ_USER_CHUNKS_SUPPORTED) - if(png_ptr->read_user_chunk_fn != NULL) + + if (length == 0) + png_ptr->unknown_chunk.data = NULL; + + else { - /* callback to user unknown chunk handler */ + png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, + (png_size_t)length); + png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); + } + +#ifdef PNG_READ_USER_CHUNKS_SUPPORTED + if (png_ptr->read_user_chunk_fn != NULL) + { + /* Callback to user unknown chunk handler */ int ret; ret = (*(png_ptr->read_user_chunk_fn)) (png_ptr, &png_ptr->unknown_chunk); + if (ret < 0) png_chunk_error(png_ptr, "error in user chunk"); + if (ret == 0) { if (!(png_ptr->chunk_name[0] & 0x20)) - if(png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != + if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != PNG_HANDLE_CHUNK_ALWAYS) png_chunk_error(png_ptr, "unknown critical chunk"); png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); } } -#else - png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); + + else #endif + png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); png_free(png_ptr, png_ptr->unknown_chunk.data); png_ptr->unknown_chunk.data = NULL; } + else #endif skip=length; @@ -1549,11 +1729,12 @@ void PNGAPI png_progressive_combine_row (png_structp png_ptr, png_bytep old_row, png_bytep new_row) { -#ifdef PNG_USE_LOCAL_ARRAYS PNG_CONST int FARDATA png_pass_dsp_mask[7] = {0xff, 0x0f, 0xff, 0x33, 0xff, 0x55, 0xff}; -#endif - if(png_ptr == NULL) return; + + if (png_ptr == NULL) + return; + if (new_row != NULL) /* new_row must == png_ptr->row_buf here. */ png_combine_row(png_ptr, old_row, png_pass_dsp_mask[png_ptr->pass]); } @@ -1563,7 +1744,9 @@ png_set_progressive_read_fn(png_structp png_ptr, png_voidp progressive_ptr, png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn, png_progressive_end_ptr end_fn) { - if(png_ptr == NULL) return; + if (png_ptr == NULL) + return; + png_ptr->info_fn = info_fn; png_ptr->row_fn = row_fn; png_ptr->end_fn = end_fn; @@ -1574,7 +1757,9 @@ png_set_progressive_read_fn(png_structp png_ptr, png_voidp progressive_ptr, png_voidp PNGAPI png_get_progressive_ptr(png_structp png_ptr) { - if(png_ptr == NULL) return (NULL); + if (png_ptr == NULL) + return (NULL); + return png_ptr->io_ptr; } #endif /* PNG_PROGRESSIVE_READ_SUPPORTED */