X-Git-Url: https://git.saurik.com/wxWidgets.git/blobdiff_plain/0272a10d2e6d5323422c4c8600fe47ccac0df182..713129f9d34e3027d2be46b134d2f4c490ad145f:/src/png/pngpread.c diff --git a/src/png/pngpread.c b/src/png/pngpread.c index 66b31bcd14..b06fbadabd 100644 --- a/src/png/pngpread.c +++ b/src/png/pngpread.c @@ -1,16 +1,15 @@ /* pngpread.c - read a png file in push mode * - * Last changed in libpng 1.2.20 September 8, 2007 + * Last changed in libpng 1.2.32 [September 18, 2008] * For conditions of distribution and use, see copyright notice in png.h - * Copyright (c) 1998-2007 Glenn Randers-Pehrson + * Copyright (c) 1998-2008 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) */ #define PNG_INTERNAL #include "png.h" - #ifdef PNG_PROGRESSIVE_READ_SUPPORTED /* push model modes */ @@ -28,7 +27,7 @@ void PNGAPI png_process_data(png_structp png_ptr, png_infop info_ptr, png_bytep buffer, png_size_t buffer_size) { - if(png_ptr == NULL) return; + if (png_ptr == NULL || info_ptr == NULL) return; png_push_restore_buffer(png_ptr, buffer, buffer_size); while (png_ptr->buffer_size) @@ -43,7 +42,7 @@ png_process_data(png_structp png_ptr, png_infop info_ptr, void /* PRIVATE */ png_process_some_data(png_structp png_ptr, png_infop info_ptr) { - if(png_ptr == NULL) return; + if (png_ptr == NULL) return; switch (png_ptr->process_mode) { case PNG_READ_SIG_MODE: @@ -114,7 +113,7 @@ png_push_read_sig(png_structp png_ptr, png_infop info_ptr) png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]), num_to_check); - png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes+num_to_check); + png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check); if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check)) { @@ -210,18 +209,21 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); + png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); + png_check_chunk_name(png_ptr, png_ptr->chunk_name); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; } - if (!png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) - if(png_ptr->mode & PNG_AFTER_IDAT) + if (!png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) + if (png_ptr->mode & PNG_AFTER_IDAT) png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT; if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4)) { + if (png_ptr->push_length != 13) + png_error(png_ptr, "Invalid IHDR length"); if (png_ptr->push_length + 4 > png_ptr->buffer_size) { png_push_save_buffer(png_ptr); @@ -273,7 +275,7 @@ png_push_read_chunk(png_structp png_ptr, png_infop info_ptr) } png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length); } - else if (!png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) + else if (!png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) { /* If we reach an IDAT chunk, this means we have read all of the * header chunks, and we can start reading the image (or if this @@ -563,7 +565,7 @@ png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length) { png_bytep ptr; - if(png_ptr == NULL) return; + if (png_ptr == NULL) return; ptr = buffer; if (png_ptr->save_buffer_size) { @@ -604,7 +606,7 @@ png_push_save_buffer(png_structp png_ptr) { if (png_ptr->save_buffer_ptr != png_ptr->save_buffer) { - png_size_t i,istop; + png_size_t i, istop; png_bytep sp; png_bytep dp; @@ -673,12 +675,12 @@ png_push_read_IDAT(png_structp png_ptr) } png_push_fill_buffer(png_ptr, chunk_length, 4); - png_ptr->push_length = png_get_uint_31(png_ptr,chunk_length); + png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; - if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) + if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) { png_ptr->process_mode = PNG_READ_CHUNK_MODE; if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED)) @@ -696,7 +698,7 @@ png_push_read_IDAT(png_structp png_ptr) { save_size = (png_size_t)png_ptr->idat_size; /* check for overflow */ - if((png_uint_32)save_size != png_ptr->idat_size) + if ((png_uint_32)save_size != png_ptr->idat_size) png_error(png_ptr, "save_size overflowed in pngpread"); } else @@ -718,7 +720,7 @@ png_push_read_IDAT(png_structp png_ptr) { save_size = (png_size_t)png_ptr->idat_size; /* check for overflow */ - if((png_uint_32)save_size != png_ptr->idat_size) + if ((png_uint_32)save_size != png_ptr->idat_size) png_error(png_ptr, "save_size overflowed in pngpread"); } else @@ -758,7 +760,7 @@ png_process_IDAT_data(png_structp png_ptr, png_bytep buffer, png_ptr->zstream.next_in = buffer; png_ptr->zstream.avail_in = (uInt)buffer_length; - for(;;) + for (;;) { ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH); if (ret != Z_OK) @@ -1072,7 +1074,7 @@ png_push_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 #endif png_ptr->current_text = (png_charp)png_malloc(png_ptr, - (png_uint_32)(length+1)); + (png_uint_32)(length + 1)); png_ptr->current_text[length] = '\0'; png_ptr->current_text_ptr = png_ptr->current_text; png_ptr->current_text_size = (png_size_t)length; @@ -1120,7 +1122,7 @@ png_push_read_tEXt(png_structp png_ptr, png_infop info_ptr) for (text = key; *text; text++) /* empty loop */ ; - if (text != key + png_ptr->current_text_size) + if (text < key + png_ptr->current_text_size) text++; text_ptr = (png_textp)png_malloc(png_ptr, @@ -1170,7 +1172,7 @@ png_push_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 #endif png_ptr->current_text = (png_charp)png_malloc(png_ptr, - (png_uint_32)(length+1)); + (png_uint_32)(length + 1)); png_ptr->current_text[length] = '\0'; png_ptr->current_text_ptr = png_ptr->current_text; png_ptr->current_text_size = (png_size_t)length; @@ -1215,7 +1217,7 @@ png_push_read_zTXt(png_structp png_ptr, png_infop info_ptr) /* empty loop */ ; /* zTXt can't have zero text */ - if (text == key + png_ptr->current_text_size) + if (text >= key + png_ptr->current_text_size) { png_ptr->current_text = NULL; png_free(png_ptr, key); @@ -1261,8 +1263,8 @@ png_push_read_zTXt(png_structp png_ptr, png_infop info_ptr) if (text == NULL) { text = (png_charp)png_malloc(png_ptr, - (png_uint_32)(png_ptr->zbuf_size - png_ptr->zstream.avail_out - + key_size + 1)); + (png_uint_32)(png_ptr->zbuf_size + - png_ptr->zstream.avail_out + key_size + 1)); png_memcpy(text + key_size, png_ptr->zbuf, png_ptr->zbuf_size - png_ptr->zstream.avail_out); png_memcpy(text, key, key_size); @@ -1276,8 +1278,8 @@ png_push_read_zTXt(png_structp png_ptr, png_infop info_ptr) tmp = text; text = (png_charp)png_malloc(png_ptr, text_size + - (png_uint_32)(png_ptr->zbuf_size - png_ptr->zstream.avail_out - + 1)); + (png_uint_32)(png_ptr->zbuf_size + - png_ptr->zstream.avail_out + 1)); png_memcpy(text, tmp, text_size); png_free(png_ptr, tmp); png_memcpy(text + text_size, png_ptr->zbuf, @@ -1360,7 +1362,7 @@ png_push_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 #endif png_ptr->current_text = (png_charp)png_malloc(png_ptr, - (png_uint_32)(length+1)); + (png_uint_32)(length + 1)); png_ptr->current_text[length] = '\0'; png_ptr->current_text_ptr = png_ptr->current_text; png_ptr->current_text_size = (png_size_t)length; @@ -1412,7 +1414,7 @@ png_push_read_iTXt(png_structp png_ptr, png_infop info_ptr) for (lang = key; *lang; lang++) /* empty loop */ ; - if (lang != key + png_ptr->current_text_size) + if (lang < key + png_ptr->current_text_size - 3) lang++; comp_flag = *lang++; @@ -1422,10 +1424,14 @@ png_push_read_iTXt(png_structp png_ptr, png_infop info_ptr) /* empty loop */ ; lang_key++; /* skip NUL separator */ - for (text = lang_key; *text; text++) - /* empty loop */ ; + text=lang_key; + if (lang_key < key + png_ptr->current_text_size - 1) + { + for (; *text; text++) + /* empty loop */ ; + } - if (text != key + png_ptr->current_text_size) + if (text < key + png_ptr->current_text_size) text++; text_ptr = (png_textp)png_malloc(png_ptr, @@ -1457,22 +1463,21 @@ void /* PRIVATE */ png_push_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - png_uint_32 skip=0; - png_check_chunk_name(png_ptr, png_ptr->chunk_name); + png_uint_32 skip = 0; if (!(png_ptr->chunk_name[0] & 0x20)) { #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) - if(png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != - PNG_HANDLE_CHUNK_ALWAYS + if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != + PNG_HANDLE_CHUNK_ALWAYS #if defined(PNG_READ_USER_CHUNKS_SUPPORTED) - && png_ptr->read_user_chunk_fn == NULL + && png_ptr->read_user_chunk_fn == NULL #endif - ) + ) #endif - png_chunk_error(png_ptr, "unknown critical chunk"); + png_chunk_error(png_ptr, "unknown critical chunk"); - info_ptr = info_ptr; /* to quiet some compiler warnings */ + info_ptr = info_ptr; /* to quiet some compiler warnings */ } #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) @@ -1486,14 +1491,23 @@ png_push_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length = (png_uint_32)65535L; } #endif - png_strncpy((png_charp)png_ptr->unknown_chunk.name, - (png_charp)png_ptr->chunk_name, - png_sizeof((png_charp)png_ptr->chunk_name)); - png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); + png_memcpy((png_charp)png_ptr->unknown_chunk.name, + (png_charp)png_ptr->chunk_name, + png_sizeof(png_ptr->unknown_chunk.name)); + png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name) - 1] + = '\0'; + png_ptr->unknown_chunk.size = (png_size_t)length; - png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); + if (length == 0) + png_ptr->unknown_chunk.data = NULL; + else + { + png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, + (png_uint_32)length); + png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); + } #if defined(PNG_READ_USER_CHUNKS_SUPPORTED) - if(png_ptr->read_user_chunk_fn != NULL) + if (png_ptr->read_user_chunk_fn != NULL) { /* callback to user unknown chunk handler */ int ret; @@ -1504,16 +1518,16 @@ png_push_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 if (ret == 0) { if (!(png_ptr->chunk_name[0] & 0x20)) - if(png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != + if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != PNG_HANDLE_CHUNK_ALWAYS) png_chunk_error(png_ptr, "unknown critical chunk"); png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); } } -#else - png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); + else #endif + png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); png_free(png_ptr, png_ptr->unknown_chunk.data); png_ptr->unknown_chunk.data = NULL; } @@ -1553,7 +1567,7 @@ png_progressive_combine_row (png_structp png_ptr, PNG_CONST int FARDATA png_pass_dsp_mask[7] = {0xff, 0x0f, 0xff, 0x33, 0xff, 0x55, 0xff}; #endif - if(png_ptr == NULL) return; + if (png_ptr == NULL) return; if (new_row != NULL) /* new_row must == png_ptr->row_buf here. */ png_combine_row(png_ptr, old_row, png_pass_dsp_mask[png_ptr->pass]); } @@ -1563,7 +1577,7 @@ png_set_progressive_read_fn(png_structp png_ptr, png_voidp progressive_ptr, png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn, png_progressive_end_ptr end_fn) { - if(png_ptr == NULL) return; + if (png_ptr == NULL) return; png_ptr->info_fn = info_fn; png_ptr->row_fn = row_fn; png_ptr->end_fn = end_fn; @@ -1574,7 +1588,7 @@ png_set_progressive_read_fn(png_structp png_ptr, png_voidp progressive_ptr, png_voidp PNGAPI png_get_progressive_ptr(png_structp png_ptr) { - if(png_ptr == NULL) return (NULL); + if (png_ptr == NULL) return (NULL); return png_ptr->io_ptr; } #endif /* PNG_PROGRESSIVE_READ_SUPPORTED */