X-Git-Url: https://git.saurik.com/wxWidgets.git/blobdiff_plain/5b02c8a11f0e0d284eff32cfde1fcd2a4b2e659d..82c126e50158efee5a1f46e1200be380c5199f8d:/src/png/pngset.c diff --git a/src/png/pngset.c b/src/png/pngset.c index 1079bdc13b..2871140d63 100644 --- a/src/png/pngset.c +++ b/src/png/pngset.c @@ -1,9 +1,9 @@ /* pngset.c - storage of image information into info struct * - * libpng 1.2.6 - August 15, 2004 + * Last changed in libpng 1.2.17 May 15, 2007 * For conditions of distribution and use, see copyright notice in png.h - * Copyright (c) 1998-2004 Glenn Randers-Pehrson + * Copyright (c) 1998-2007 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -16,6 +16,8 @@ #define PNG_INTERNAL #include "png.h" +#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) + #if defined(PNG_bKGD_SUPPORTED) void PNGAPI png_set_bKGD(png_structp png_ptr, png_infop info_ptr, png_color_16p background) @@ -100,6 +102,7 @@ png_set_cHRM_fixed(png_structp png_ptr, png_infop info_ptr, "Ignoring attempt to set negative chromaticity value"); return; } +#ifdef PNG_FLOATING_POINT_SUPPORTED if (white_x > (double) PNG_UINT_31_MAX || white_y > (double) PNG_UINT_31_MAX || red_x > (double) PNG_UINT_31_MAX || @@ -108,6 +111,16 @@ png_set_cHRM_fixed(png_structp png_ptr, png_infop info_ptr, green_y > (double) PNG_UINT_31_MAX || blue_x > (double) PNG_UINT_31_MAX || blue_y > (double) PNG_UINT_31_MAX) +#else + if (white_x > (png_fixed_point) PNG_UINT_31_MAX/100000L || + white_y > (png_fixed_point) PNG_UINT_31_MAX/100000L || + red_x > (png_fixed_point) PNG_UINT_31_MAX/100000L || + red_y > (png_fixed_point) PNG_UINT_31_MAX/100000L || + green_x > (png_fixed_point) PNG_UINT_31_MAX/100000L || + green_y > (png_fixed_point) PNG_UINT_31_MAX/100000L || + blue_x > (png_fixed_point) PNG_UINT_31_MAX/100000L || + blue_y > (png_fixed_point) PNG_UINT_31_MAX/100000L) +#endif { png_warning(png_ptr, "Ignoring attempt to set chromaticity value exceeding 21474.83"); @@ -209,19 +222,21 @@ png_set_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_16p hist) png_debug1(1, "in %s storage function\n", "hIST"); if (png_ptr == NULL || info_ptr == NULL) return; - if (info_ptr->num_palette == 0) + if (info_ptr->num_palette <= 0 || info_ptr->num_palette + > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, - "Palette size 0, hIST allocation skipped."); + "Invalid palette size, hIST allocation skipped."); return; } #ifdef PNG_FREE_ME_SUPPORTED png_free_data(png_ptr, info_ptr, PNG_FREE_HIST, 0); #endif - /* Changed from info->num_palette to 256 in version 1.2.1 */ + /* Changed from info->num_palette to PNG_MAX_PALETTE_LENGTH in version + 1.2.1 */ png_ptr->hist = (png_uint_16p)png_malloc_warn(png_ptr, - (png_uint_32)(256 * png_sizeof (png_uint_16))); + (png_uint_32)(PNG_MAX_PALETTE_LENGTH * png_sizeof (png_uint_16))); if (png_ptr->hist == NULL) { png_warning(png_ptr, "Insufficient memory for hIST chunk data."); @@ -303,13 +318,13 @@ png_set_IHDR(png_structp png_ptr, png_infop info_ptr, * 5. The color_type is RGB or RGBA */ if((png_ptr->mode&PNG_HAVE_PNG_SIGNATURE)&&png_ptr->mng_features_permitted) - png_warning(png_ptr,"MNG features are not allowed in a PNG datastream\n"); + png_warning(png_ptr,"MNG features are not allowed in a PNG datastream"); if(filter_type != PNG_FILTER_TYPE_BASE) { if(!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) && (filter_type == PNG_INTRAPIXEL_DIFFERENCING) && ((png_ptr->mode&PNG_HAVE_PNG_SIGNATURE) == 0) && - (color_type == PNG_COLOR_TYPE_RGB || + (color_type == PNG_COLOR_TYPE_RGB || color_type == PNG_COLOR_TYPE_RGB_ALPHA))) png_error(png_ptr, "Unknown filter method in IHDR"); if(png_ptr->mode&PNG_HAVE_PNG_SIGNATURE) @@ -338,7 +353,7 @@ png_set_IHDR(png_structp png_ptr, png_infop info_ptr, info_ptr->pixel_depth = (png_byte)(info_ptr->channels * info_ptr->bit_depth); /* check for potential overflow */ - if ( width > (PNG_UINT_32_MAX + if (width > (PNG_UINT_32_MAX >> 3) /* 8-byte RGBA pixels */ - 64 /* bigrowbuf hack */ - 1 /* filter byte */ @@ -469,7 +484,8 @@ png_set_sCAL_s(png_structp png_ptr, png_infop info_ptr, info_ptr->scal_s_width = (png_charp)png_malloc_warn(png_ptr, length); if (info_ptr->scal_s_width == NULL) { - png_warning(png_ptr, "Memory allocation failed while processing sCAL."); + png_warning(png_ptr, + "Memory allocation failed while processing sCAL."); } png_memcpy(info_ptr->scal_s_width, swidth, (png_size_t)length); @@ -479,7 +495,8 @@ png_set_sCAL_s(png_structp png_ptr, png_infop info_ptr, if (info_ptr->scal_s_height == NULL) { png_free (png_ptr, info_ptr->scal_s_width); - png_warning(png_ptr, "Memory allocation failed while processing sCAL."); + png_warning(png_ptr, + "Memory allocation failed while processing sCAL."); } png_memcpy(info_ptr->scal_s_height, sheight, (png_size_t)length); @@ -517,6 +534,17 @@ png_set_PLTE(png_structp png_ptr, png_infop info_ptr, if (png_ptr == NULL || info_ptr == NULL) return; + if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH) + { + if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + png_error(png_ptr, "Invalid palette length"); + else + { + png_warning(png_ptr, "Invalid palette length"); + return; + } + } + /* * It may not actually be necessary to set png_ptr->palette here; * we do it for backward compatibility with the way the png_handle_tRNS @@ -526,11 +554,13 @@ png_set_PLTE(png_structp png_ptr, png_infop info_ptr, png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0); #endif - /* Changed in libpng-1.2.1 to allocate 256 instead of num_palette entries, + /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead + of num_palette entries, in case of an invalid PNG file that has too-large sample values. */ png_ptr->palette = (png_colorp)png_malloc(png_ptr, - 256 * png_sizeof(png_color)); - png_memset(png_ptr->palette, 0, 256 * png_sizeof(png_color)); + PNG_MAX_PALETTE_LENGTH * png_sizeof(png_color)); + png_memset(png_ptr->palette, 0, PNG_MAX_PALETTE_LENGTH * + png_sizeof(png_color)); png_memcpy(png_ptr->palette, palette, num_palette * png_sizeof (png_color)); info_ptr->palette = png_ptr->palette; info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette; @@ -660,7 +690,7 @@ png_set_iCCP(png_structp png_ptr, png_infop info_ptr, png_warning(png_ptr, "Insufficient memory to process iCCP chunk."); return; } - png_strcpy(new_iccp_name, name); + png_strncpy(new_iccp_name, name, png_sizeof(new_iccp_name)); new_iccp_profile = (png_charp)png_malloc_warn(png_ptr, proflen); if (new_iccp_profile == NULL) { @@ -849,7 +879,6 @@ png_set_text_2(png_structp png_ptr, png_infop info_ptr, png_textp text_ptr, textp->itxt_length = 0; #endif } - info_ptr->text[info_ptr->num_text]= *textp; info_ptr->num_text++; png_debug1(3, "transferred text chunk %d\n", info_ptr->num_text); } @@ -890,10 +919,11 @@ png_set_tRNS(png_structp png_ptr, png_infop info_ptr, #ifdef PNG_FREE_ME_SUPPORTED png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0); #endif - /* Changed from num_trans to 256 in version 1.2.1 */ + /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */ png_ptr->trans = info_ptr->trans = (png_bytep)png_malloc(png_ptr, - (png_uint_32)256); - png_memcpy(info_ptr->trans, trans, (png_size_t)num_trans); + (png_uint_32)PNG_MAX_PALETTE_LENGTH); + if (num_trans <= PNG_MAX_PALETTE_LENGTH) + png_memcpy(info_ptr->trans, trans, (png_size_t)num_trans); #ifdef PNG_FREE_ME_SUPPORTED info_ptr->free_me |= PNG_FREE_TRNS; #else @@ -921,6 +951,9 @@ png_set_sPLT(png_structp png_ptr, png_sPLT_tp np; int i; + if (png_ptr == NULL || info_ptr == NULL) + return; + np = (png_sPLT_tp)png_malloc_warn(png_ptr, (info_ptr->splt_palettes_num + nentries) * png_sizeof(png_sPLT_t)); if (np == NULL) @@ -939,15 +972,27 @@ png_set_sPLT(png_structp png_ptr, png_sPLT_tp to = np + info_ptr->splt_palettes_num + i; png_sPLT_tp from = entries + i; - to->name = (png_charp)png_malloc(png_ptr, - png_strlen(from->name) + 1); + to->name = (png_charp)png_malloc_warn(png_ptr, + png_strlen(from->name) + 1); + if (to->name == NULL) + { + png_warning(png_ptr, + "Out of memory while processing sPLT chunk"); + } /* TODO: use png_malloc_warn */ - png_strcpy(to->name, from->name); - to->entries = (png_sPLT_entryp)png_malloc(png_ptr, - from->nentries * png_sizeof(png_sPLT_t)); + png_strncpy(to->name, from->name, png_strlen(from->name)); + to->entries = (png_sPLT_entryp)png_malloc_warn(png_ptr, + from->nentries * png_sizeof(png_sPLT_entry)); /* TODO: use png_malloc_warn */ png_memcpy(to->entries, from->entries, - from->nentries * png_sizeof(png_sPLT_t)); + from->nentries * png_sizeof(png_sPLT_entry)); + if (to->entries == NULL) + { + png_warning(png_ptr, + "Out of memory while processing sPLT chunk"); + png_free(png_ptr,to->name); + to->name = NULL; + } to->nentries = from->nentries; to->depth = from->depth; } @@ -977,7 +1022,8 @@ png_set_unknown_chunks(png_structp png_ptr, png_sizeof(png_unknown_chunk)); if (np == NULL) { - png_warning(png_ptr, "Out of memory while processing unknown chunk."); + png_warning(png_ptr, + "Out of memory while processing unknown chunk."); return; } @@ -995,7 +1041,8 @@ png_set_unknown_chunks(png_structp png_ptr, to->data = (png_bytep)png_malloc_warn(png_ptr, from->size); if (to->data == NULL) { - png_warning(png_ptr, "Out of memory processing unknown chunk."); + png_warning(png_ptr, + "Out of memory while processing unknown chunk."); } else { @@ -1023,13 +1070,14 @@ png_set_unknown_chunk_location(png_structp png_ptr, png_infop info_ptr, } #endif +#if defined(PNG_1_0_X) || defined(PNG_1_2_X) #if defined(PNG_READ_EMPTY_PLTE_SUPPORTED) || \ defined(PNG_WRITE_EMPTY_PLTE_SUPPORTED) void PNGAPI png_permit_empty_plte (png_structp png_ptr, int empty_plte_permitted) { /* This function is deprecated in favor of png_permit_mng_features() - and will be removed from libpng-2.0.0 */ + and will be removed from libpng-1.3.0 */ png_debug(1, "in png_permit_empty_plte, DEPRECATED.\n"); if (png_ptr == NULL) return; @@ -1038,6 +1086,7 @@ png_permit_empty_plte (png_structp png_ptr, int empty_plte_permitted) ((empty_plte_permitted & PNG_FLAG_MNG_EMPTY_PLTE))); } #endif +#endif #if defined(PNG_MNG_FEATURES_SUPPORTED) png_uint_32 PNGAPI @@ -1059,6 +1108,8 @@ png_set_keep_unknown_chunks(png_structp png_ptr, int keep, png_bytep { png_bytep new_list, p; int i, old_num_chunks; + if (png_ptr == NULL) + return; if (num_chunks == 0) { if(keep == PNG_HANDLE_CHUNK_ALWAYS || keep == PNG_HANDLE_CHUNK_IF_SAFE) @@ -1102,6 +1153,8 @@ png_set_read_user_chunk_fn(png_structp png_ptr, png_voidp user_chunk_ptr, png_user_chunk_ptr read_user_chunk_fn) { png_debug(1, "in png_set_read_user_chunk_fn\n"); + if (png_ptr == NULL) + return; png_ptr->read_user_chunk_fn = read_user_chunk_fn; png_ptr->user_chunk_ptr = user_chunk_ptr; } @@ -1128,6 +1181,8 @@ png_set_rows(png_structp png_ptr, png_infop info_ptr, png_bytepp row_pointers) void PNGAPI png_set_compression_buffer_size(png_structp png_ptr, png_uint_32 size) { + if (png_ptr == NULL) + return; if(png_ptr->zbuf) png_free(png_ptr, png_ptr->zbuf); png_ptr->zbuf_size = (png_size_t)size; @@ -1147,57 +1202,24 @@ png_set_invalid(png_structp png_ptr, png_infop info_ptr, int mask) #ifndef PNG_1_0_X #ifdef PNG_ASSEMBLER_CODE_SUPPORTED -/* this function was added to libpng 1.2.0 and should always exist by default */ +/* function was added to libpng 1.2.0 and should always exist by default */ void PNGAPI png_set_asm_flags (png_structp png_ptr, png_uint_32 asm_flags) { - png_uint_32 settable_asm_flags; - png_uint_32 settable_mmx_flags; - - settable_mmx_flags = -#ifdef PNG_HAVE_ASSEMBLER_COMBINE_ROW - PNG_ASM_FLAG_MMX_READ_COMBINE_ROW | -#endif -#ifdef PNG_HAVE_ASSEMBLER_READ_INTERLACE - PNG_ASM_FLAG_MMX_READ_INTERLACE | -#endif -#ifdef PNG_HAVE_ASSEMBLER_READ_FILTER_ROW - PNG_ASM_FLAG_MMX_READ_FILTER_SUB | - PNG_ASM_FLAG_MMX_READ_FILTER_UP | - PNG_ASM_FLAG_MMX_READ_FILTER_AVG | - PNG_ASM_FLAG_MMX_READ_FILTER_PAETH | -#endif - 0; - - /* could be some non-MMX ones in the future, but not currently: */ - settable_asm_flags = settable_mmx_flags; - - if (!(png_ptr->asm_flags & PNG_ASM_FLAG_MMX_SUPPORT_COMPILED) || - !(png_ptr->asm_flags & PNG_ASM_FLAG_MMX_SUPPORT_IN_CPU)) - { - /* clear all MMX flags if MMX isn't supported */ - settable_asm_flags &= ~settable_mmx_flags; - png_ptr->asm_flags &= ~settable_mmx_flags; - } - - /* we're replacing the settable bits with those passed in by the user, - * so first zero them out of the master copy, then logical-OR in the - * allowed subset that was requested */ - - png_ptr->asm_flags &= ~settable_asm_flags; /* zero them */ - png_ptr->asm_flags |= (asm_flags & settable_asm_flags); /* set them */ +/* Obsolete as of libpng-1.2.20 and will be removed from libpng-1.4.0 */ + if (png_ptr != NULL) + png_ptr->asm_flags = 0; } -#endif /* ?PNG_ASSEMBLER_CODE_SUPPORTED */ -#ifdef PNG_ASSEMBLER_CODE_SUPPORTED /* this function was added to libpng 1.2.0 */ void PNGAPI png_set_mmx_thresholds (png_structp png_ptr, png_byte mmx_bitdepth_threshold, png_uint_32 mmx_rowbytes_threshold) { - png_ptr->mmx_bitdepth_threshold = mmx_bitdepth_threshold; - png_ptr->mmx_rowbytes_threshold = mmx_rowbytes_threshold; +/* Obsolete as of libpng-1.2.20 and will be removed from libpng-1.4.0 */ + if (png_ptr == NULL) + return; } #endif /* ?PNG_ASSEMBLER_CODE_SUPPORTED */ @@ -1211,9 +1233,11 @@ png_set_user_limits (png_structp png_ptr, png_uint_32 user_width_max, * rejected by png_set_IHDR(). To accept any PNG datastream * regardless of dimensions, set both limits to 0x7ffffffL. */ + if(png_ptr == NULL) return; png_ptr->user_width_max = user_width_max; png_ptr->user_height_max = user_height_max; } #endif /* ?PNG_SET_USER_LIMITS_SUPPORTED */ #endif /* ?PNG_1_0_X */ +#endif /* PNG_READ_SUPPORTED || PNG_WRITE_SUPPORTED */