VirtualBox

source: vbox/trunk/src/libs/libpng-1.6.37/contrib/tools/pngfix.c@ 98108

Last change on this file since 98108 was 96425, checked in by vboxsync, 2 years ago

src/libs: Switch to libpng-1.6.37, bugref:8515 [re-export]
  • Property svn:eol-style set to native
File size: 126.7 KB
Line 
1/* pngfix.c
2 *
3 * Last changed in libpng 1.6.31 [July 27, 2017]
4 * Copyright (c) 2014-2017 John Cunningham Bowler
5 *
6 * This code is released under the libpng license.
7 * For conditions of distribution and use, see the disclaimer
8 * and license in png.h
9 *
10 * Tool to check and fix the zlib inflate 'too far back' problem.
11 * See the usage message for more information.
12 */
13#include <stdlib.h>
14#include <stdio.h>
15#include <string.h>
16#include <ctype.h>
17#include <limits.h>
18#include <errno.h>
19#include <assert.h>
20
21#define implies(x,y) assert(!(x) || (y))
22
23#ifdef __GNUC__
24 /* This is used to fix the error:
25 *
26 * pngfix.c:
27 * In function 'zlib_advance':
28 * pngfix.c:181:13: error: assuming signed overflow does not
29 * occur when simplifying conditional to constant [-Werror=strict-overflow]
30 */
31# define FIX_GCC volatile
32#else
33# define FIX_GCC
34#endif
35
36#define PROGRAM_NAME "pngfix"
37
38/* Define the following to use this program against your installed libpng,
39 * rather than the one being built here:
40 */
41#ifdef PNG_FREESTANDING_TESTS
42# include <png.h>
43#else
44# include "../../png.h"
45#endif
46
47#if PNG_LIBPNG_VER < 10603 /* 1.6.3 */
48# error "pngfix will not work with libpng prior to 1.6.3"
49#endif
50
51#ifdef PNG_SETJMP_SUPPORTED
52#include <setjmp.h>
53
54#if defined(PNG_READ_SUPPORTED) && defined(PNG_EASY_ACCESS_SUPPORTED) &&\
55 (defined(PNG_READ_DEINTERLACE_SUPPORTED) ||\
56 defined(PNG_READ_INTERLACING_SUPPORTED))
57
58/* zlib.h defines the structure z_stream, an instance of which is included
59 * in this structure and is required for decompressing the LZ compressed
60 * data in PNG files.
61 */
62#ifndef ZLIB_CONST
63 /* We must ensure that zlib uses 'const' in declarations. */
64# define ZLIB_CONST
65#endif
66#include <zlib.h>
67#ifdef const
68 /* zlib.h sometimes #defines const to nothing, undo this. */
69# undef const
70#endif
71
72/* zlib.h has mediocre z_const use before 1.2.6, this stuff is for compatibility
73 * with older builds.
74 */
75#if ZLIB_VERNUM < 0x1260
76# define PNGZ_MSG_CAST(s) constcast(char*,s)
77# define PNGZ_INPUT_CAST(b) constcast(png_bytep,b)
78#else
79# define PNGZ_MSG_CAST(s) (s)
80# define PNGZ_INPUT_CAST(b) (b)
81#endif
82
83#ifndef PNG_MAXIMUM_INFLATE_WINDOW
84# error "pngfix not supported in this libpng version"
85#endif
86
87#if ZLIB_VERNUM >= 0x1240
88
89/* Copied from pngpriv.h */
90#ifdef __cplusplus
91# define voidcast(type, value) static_cast<type>(value)
92# define constcast(type, value) const_cast<type>(value)
93# define aligncast(type, value) \
94 static_cast<type>(static_cast<void*>(value))
95# define aligncastconst(type, value) \
96 static_cast<type>(static_cast<const void*>(value))
97#else
98# define voidcast(type, value) (value)
99# define constcast(type, value) ((type)(value))
100# define aligncast(type, value) ((void*)(value))
101# define aligncastconst(type, value) ((const void*)(value))
102#endif /* __cplusplus */
103
104#if PNG_LIBPNG_VER < 10700
105/* Chunk tags (copied from pngpriv.h) */
106#define PNG_32b(b,s) ((png_uint_32)(b) << (s))
107#define PNG_U32(b1,b2,b3,b4) \
108 (PNG_32b(b1,24) | PNG_32b(b2,16) | PNG_32b(b3,8) | PNG_32b(b4,0))
109
110/* Constants for known chunk types. */
111#define png_IDAT PNG_U32( 73, 68, 65, 84)
112#define png_IEND PNG_U32( 73, 69, 78, 68)
113#define png_IHDR PNG_U32( 73, 72, 68, 82)
114#define png_PLTE PNG_U32( 80, 76, 84, 69)
115#define png_bKGD PNG_U32( 98, 75, 71, 68)
116#define png_cHRM PNG_U32( 99, 72, 82, 77)
117#define png_fRAc PNG_U32(102, 82, 65, 99) /* registered, not defined */
118#define png_gAMA PNG_U32(103, 65, 77, 65)
119#define png_gIFg PNG_U32(103, 73, 70, 103)
120#define png_gIFt PNG_U32(103, 73, 70, 116) /* deprecated */
121#define png_gIFx PNG_U32(103, 73, 70, 120)
122#define png_hIST PNG_U32(104, 73, 83, 84)
123#define png_iCCP PNG_U32(105, 67, 67, 80)
124#define png_iTXt PNG_U32(105, 84, 88, 116)
125#define png_oFFs PNG_U32(111, 70, 70, 115)
126#define png_pCAL PNG_U32(112, 67, 65, 76)
127#define png_pHYs PNG_U32(112, 72, 89, 115)
128#define png_sBIT PNG_U32(115, 66, 73, 84)
129#define png_sCAL PNG_U32(115, 67, 65, 76)
130#define png_sPLT PNG_U32(115, 80, 76, 84)
131#define png_sRGB PNG_U32(115, 82, 71, 66)
132#define png_sTER PNG_U32(115, 84, 69, 82)
133#define png_tEXt PNG_U32(116, 69, 88, 116)
134#define png_tIME PNG_U32(116, 73, 77, 69)
135#define png_tRNS PNG_U32(116, 82, 78, 83)
136#define png_zTXt PNG_U32(122, 84, 88, 116)
137#endif
138
139/* The 8-byte signature as a pair of 32-bit quantities */
140#define sig1 PNG_U32(137, 80, 78, 71)
141#define sig2 PNG_U32( 13, 10, 26, 10)
142
143/* Is the chunk critical? */
144#define CRITICAL(chunk) (((chunk) & PNG_U32(32,0,0,0)) == 0)
145
146/* Is it safe to copy? */
147#define SAFE_TO_COPY(chunk) (((chunk) & PNG_U32(0,0,0,32)) != 0)
148
149/* Fix ups for builds with limited read support */
150#ifndef PNG_ERROR_TEXT_SUPPORTED
151# define png_error(a,b) png_err(a)
152#endif
153
154/********************************* UTILITIES **********************************/
155/* UNREACHED is a value to cause an assert to fail. Because of the way the
156 * assert macro is written the string "UNREACHED" is produced in the error
157 * message.
158 */
159#define UNREACHED 0
160
161/* 80-bit number handling - a PNG image can be up to (2^31-1)x(2^31-1) 8-byte
162 * (16-bit RGBA) pixels in size; that's less than 2^65 bytes or 2^68 bits, so
163 * arithmetic of 80-bit numbers is sufficient. This representation uses an
164 * arbitrary length array of png_uint_16 digits (0..65535). The representation
165 * is little endian.
166 *
167 * The arithmetic functions take zero to two uarb values together with the
168 * number of digits in those values and write the result to the given uarb
169 * (always the first argument) returning the number of digits in the result.
170 * If the result is negative the return value is also negative (this would
171 * normally be an error).
172 */
173typedef png_uint_16 udigit; /* A 'unum' is an array of these */
174typedef png_uint_16p uarb;
175typedef png_const_uint_16p uarbc;
176
177#define UDIGITS(unum) ((sizeof unum)/(sizeof (udigit))
178 /* IMPORTANT: only apply this to an array, applied to a pointer the result
179 * will typically be '2', which is not useful.
180 */
181
182static int
183uarb_set(uarb result, png_alloc_size_t val)
184 /* Set (initialize) 'result' to 'val'. The size required for 'result' must
185 * be determined by the caller from a knowledge of the maximum for 'val'.
186 */
187{
188 int ndigits = 0;
189
190 while (val > 0)
191 {
192 result[ndigits++] = (png_uint_16)(val & 0xffff);
193 val >>= 16;
194 }
195
196 return ndigits;
197}
198
199static int
200uarb_copy(uarb to, uarb from, int idigits)
201 /* Copy a uarb, may reduce the digit count */
202{
203 int d, odigits;
204
205 for (d=odigits=0; d<idigits; ++d)
206 if ((to[d] = from[d]) != 0)
207 odigits = d+1;
208
209 return odigits;
210}
211
212static int
213uarb_inc(uarb num, int in_digits, png_int_32 add)
214 /* This is a signed 32-bit add, except that to avoid overflow the value added
215 * or subtracted must be no more than 2^31-65536. A negative result
216 * indicates a negative number (which is an error below). The size of
217 * 'num' should be max(in_digits+1,2) for arbitrary 'add' but can be just
218 * in_digits+1 if add is known to be in the range -65535..65535.
219 */
220{
221 FIX_GCC int out_digits = 0;
222
223 while (out_digits < in_digits)
224 {
225 add += num[out_digits];
226 num[out_digits++] = (png_uint_16)(add & 0xffff);
227 add >>= 16;
228 }
229
230 while (add != 0 && add != (-1))
231 {
232 num[out_digits++] = (png_uint_16)(add & 0xffff);
233 add >>= 16;
234 }
235
236 if (add == 0)
237 {
238 while (out_digits > 0 && num[out_digits-1] == 0)
239 --out_digits;
240 return out_digits; /* may be 0 */
241 }
242
243 else /* negative result */
244 {
245 while (out_digits > 1 && num[out_digits-1] == 0xffff)
246 --out_digits;
247
248 return -out_digits;
249 }
250}
251
252static int
253uarb_add32(uarb num, int in_digits, png_uint_32 add)
254 /* As above but this works with any 32-bit value and only does 'add' */
255{
256 if (in_digits > 0)
257 {
258 in_digits = uarb_inc(num, in_digits, add & 0xffff);
259 return uarb_inc(num+1, in_digits-1, add >> 16)+1;
260 }
261
262 return uarb_set(num, add);
263}
264
265static int
266uarb_mult_digit(uarb acc, int a_digits, uarb num, FIX_GCC int n_digits,
267 png_uint_16 val)
268 /* Primitive one-digit multiply - 'val' must be 0..65535. Note that this
269 * primitive is a multiply and accumulate - the result of *num * val is added
270 * to *acc.
271 *
272 * This is a one-digit multiply, so the product may be up to one digit longer
273 * than 'num', however the add to 'acc' means that the caller must ensure
274 * that 'acc' is at least one digit longer than this *and* at least one digit
275 * longer than the current length of 'acc'. (Or the caller must otherwise
276 * ensure 'adigits' is adequate from knowledge of the values.)
277 */
278{
279 /* The digits in *acc, *num and val are in the range 0..65535, so the
280 * result below is at most (65535*65535)+2*65635 = 65535*(65535+2), which is
281 * exactly 0xffffffff.
282 */
283 if (val > 0 && n_digits > 0) /* Else the product is 0 */
284 {
285 png_uint_32 carry = 0;
286 int out_digits = 0;
287
288 while (out_digits < n_digits || carry > 0)
289 {
290 if (out_digits < a_digits)
291 carry += acc[out_digits];
292
293 if (out_digits < n_digits)
294 carry += (png_uint_32)num[out_digits] * val;
295
296 acc[out_digits++] = (png_uint_16)(carry & 0xffff);
297 carry >>= 16;
298 }
299
300 /* So carry is 0 and all the input digits have been consumed. This means
301 * that it is possible to skip any remaining digits in acc.
302 */
303 if (out_digits > a_digits)
304 return out_digits;
305 }
306
307 return a_digits;
308}
309
310static int
311uarb_mult32(uarb acc, int a_digits, uarb num, int n_digits, png_uint_32 val)
312 /* calculate acc += num * val, 'val' may be any 32-bit value, 'acc' and 'num'
313 * may be any value, returns the number of digits in 'acc'.
314 */
315{
316 if (n_digits > 0 && val > 0)
317 {
318 a_digits = uarb_mult_digit(acc, a_digits, num, n_digits,
319 (png_uint_16)(val & 0xffff));
320
321 val >>= 16;
322 if (val > 0)
323 a_digits = uarb_mult_digit(acc+1, a_digits-1, num, n_digits,
324 (png_uint_16)val) + 1;
325
326 /* Because n_digits and val are >0 the following must be true: */
327 assert(a_digits > 0);
328 }
329
330 return a_digits;
331}
332
333static int
334uarb_shift(uarb inout, int ndigits, unsigned int right_shift)
335 /* Shift inout right by right_shift bits, right_shift must be in the range
336 * 1..15
337 */
338{
339 FIX_GCC int i = ndigits;
340 png_uint_16 carry = 0;
341
342 assert(right_shift >= 1 && right_shift <= 15);
343
344 while (--i >= 0)
345 {
346 png_uint_16 temp = (png_uint_16)(carry | (inout[i] >> right_shift));
347
348 /* Bottom bits to top bits of carry */
349 carry = (png_uint_16)((inout[i] << (16-right_shift)) & 0xffff);
350
351 inout[i] = temp;
352
353 /* The shift may reduce ndigits */
354 if (i == ndigits-1 && temp == 0)
355 ndigits = i;
356 }
357
358 return ndigits;
359}
360
361static int
362uarb_cmp(uarb a, int adigits, uarb b, int bdigits)
363 /* Return -1/0/+1 according as a<b/a==b/a>b */
364{
365 if (adigits < bdigits)
366 return -1;
367
368 if (adigits > bdigits)
369 return 1;
370
371 while (adigits-- > 0)
372 if (a[adigits] < b[adigits])
373 return -1;
374
375 else if (a[adigits] > b[adigits])
376 return 1;
377
378 return 0;
379}
380
381#if 0 /*UNUSED*/
382static int
383uarb_eq32(uarb num, int digits, png_uint_32 val)
384 /* Return true if the uarb is equal to 'val' */
385{
386 switch (digits)
387 {
388 case 0: return val == 0;
389 case 1: return val == num[0];
390 case 2: return (val & 0xffff) == num[0] && (val >> 16) == num[1];
391 default: return 0;
392 }
393}
394#endif
395
396static void
397uarb_printx(uarb num, int digits, FILE *out)
398 /* Print 'num' as a hexadecimal number (easier than decimal!) */
399{
400 while (digits > 0)
401 if (num[--digits] > 0)
402 {
403 fprintf(out, "0x%x", num[digits]);
404
405 while (digits > 0)
406 fprintf(out, "%.4x", num[--digits]);
407 }
408
409 else if (digits == 0) /* the number is 0 */
410 fputs("0x0", out);
411}
412
413static void
414uarb_print(uarb num, int digits, FILE *out)
415 /* Prints 'num' as a decimal if it will fit in an unsigned long, else as a
416 * hexadecimal number. Notice that the results vary for images over 4GByte
417 * in a system dependent way, and the hexadecimal form doesn't work very well
418 * in awk script input.
419 *
420 *
421 * TODO: write uarb_div10
422 */
423{
424 if (digits * sizeof (udigit) > sizeof (unsigned long))
425 uarb_printx(num, digits, out);
426
427 else
428 {
429 unsigned long n = 0;
430
431 while (digits > 0)
432 n = (n << 16) + num[--digits];
433
434 fprintf(out, "%lu", n);
435 }
436}
437
438/* Generate random bytes. This uses a boring repeatable algorithm and it
439 * is implemented here so that it gives the same set of numbers on every
440 * architecture. It's a linear congruential generator (Knuth or Sedgewick
441 * "Algorithms") but it comes from the 'feedback taps' table in Horowitz and
442 * Hill, "The Art of Electronics" (Pseudo-Random Bit Sequences and Noise
443 * Generation.)
444 *
445 * (Copied from contrib/libtests/pngvalid.c)
446 */
447static void
448make_random_bytes(png_uint_32* seed, void* pv, size_t size)
449{
450 png_uint_32 u0 = seed[0], u1 = seed[1];
451 png_bytep bytes = voidcast(png_bytep, pv);
452
453 /* There are thirty-three bits; the next bit in the sequence is bit-33 XOR
454 * bit-20. The top 1 bit is in u1, the bottom 32 are in u0.
455 */
456 size_t i;
457 for (i=0; i<size; ++i)
458 {
459 /* First generate 8 new bits then shift them in at the end. */
460 png_uint_32 u = ((u0 >> (20-8)) ^ ((u1 << 7) | (u0 >> (32-7)))) & 0xff;
461 u1 <<= 8;
462 u1 |= u0 >> 24;
463 u0 <<= 8;
464 u0 |= u;
465 *bytes++ = (png_byte)u;
466 }
467
468 seed[0] = u0;
469 seed[1] = u1;
470}
471
472/* Clear an object to a random value. */
473static void
474clear(void *pv, size_t size)
475{
476 static png_uint_32 clear_seed[2] = { 0x12345678, 0x9abcdef0 };
477 make_random_bytes(clear_seed, pv, size);
478}
479
480#define CLEAR(object) clear(&(object), sizeof (object))
481
482/* Copied from unreleased 1.7 code.
483 *
484 * CRC checking uses a local pre-built implementation of the Ethernet CRC32.
485 * This is to avoid a function call to the zlib DLL and to optimize the
486 * byte-by-byte case.
487 */
488static png_uint_32 crc_table[256] =
489{
490 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419,
491 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4,
492 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07,
493 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,
494 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856,
495 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,
496 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4,
497 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,
498 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3,
499 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a,
500 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599,
501 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
502 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190,
503 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f,
504 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e,
505 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,
506 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed,
507 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,
508 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3,
509 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,
510 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a,
511 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5,
512 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010,
513 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
514 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17,
515 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6,
516 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615,
517 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,
518 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344,
519 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,
520 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a,
521 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,
522 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1,
523 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c,
524 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef,
525 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
526 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe,
527 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31,
528 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c,
529 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,
530 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b,
531 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,
532 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1,
533 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,
534 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278,
535 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7,
536 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66,
537 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
538 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605,
539 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8,
540 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b,
541 0x2d02ef8d
542};
543
544/* The CRC calculated here *IS* conditioned, the corresponding value used by
545 * zlib and the result value is obtained by XORing with CRC_INIT, which is also
546 * the first value that must be passed in (for the first byte) to crc_one_byte.
547 */
548#define CRC_INIT 0xffffffff
549
550static png_uint_32
551crc_one_byte(png_uint_32 crc, int b)
552{
553 return crc_table[(crc ^ b) & 0xff] ^ (crc >> 8);
554}
555
556static png_uint_32
557crc_init_4(png_uint_32 value)
558{
559 /* This is an alternative to the algorithm used in zlib, which requires four
560 * separate tables to parallelize the four byte operations, it only works for
561 * a CRC of the first four bytes of the stream, but this is what happens in
562 * the parser below where length+chunk-name is read and chunk-name used to
563 * initialize the CRC. Notice that the calculation here avoids repeated
564 * conditioning (xor with 0xffffffff) by storing the conditioned value.
565 */
566 png_uint_32 crc = crc_table[(~value >> 24)] ^ 0xffffff;
567
568 crc = crc_table[(crc ^ (value >> 16)) & 0xff] ^ (crc >> 8);
569 crc = crc_table[(crc ^ (value >> 8)) & 0xff] ^ (crc >> 8);
570 return crc_table[(crc ^ value) & 0xff] ^ (crc >> 8);
571}
572
573static int
574chunk_type_valid(png_uint_32 c)
575 /* Bit whacking approach to chunk name validation that is intended to avoid
576 * branches. The cost is that it uses a lot of 32-bit constants, which might
577 * be bad on some architectures.
578 */
579{
580 png_uint_32 t;
581
582 /* Remove bit 5 from all but the reserved byte; this means every
583 * 8-bit unit must be in the range 65-90 to be valid. So bit 5
584 * must be zero, bit 6 must be set and bit 7 zero.
585 */
586 c &= ~PNG_U32(32,32,0,32);
587 t = (c & ~0x1f1f1f1f) ^ 0x40404040;
588
589 /* Subtract 65 for each 8-bit quantity, this must not overflow
590 * and each byte must then be in the range 0-25.
591 */
592 c -= PNG_U32(65,65,65,65);
593 t |=c ;
594
595 /* Subtract 26, handling the overflow which should set the top
596 * three bits of each byte.
597 */
598 c -= PNG_U32(25,25,25,26);
599 t |= ~c;
600
601 return (t & 0xe0e0e0e0) == 0;
602}
603
604/**************************** CONTROL INFORMATION *****************************/
605
606/* Information about a sequence of IDAT chunks, the chunks have been re-synced
607 * using sync_stream below and the new lengths are recorded here. Because the
608 * number of chunks is unlimited this is handled using a linked list of these
609 * structures.
610 */
611struct IDAT_list
612{
613 struct IDAT_list *next; /* Linked list */
614 unsigned int length; /* Actual length of the array below */
615 unsigned int count; /* Number of entries that are valid */
616# define IDAT_INIT_LENGTH 16
617 png_uint_32 lengths[IDAT_INIT_LENGTH];
618};
619
620static void
621IDAT_list_init(struct IDAT_list *list)
622{
623 CLEAR(*list);
624
625 list->next = NULL;
626 list->length = IDAT_INIT_LENGTH;
627}
628
629static size_t
630IDAT_list_size(struct IDAT_list *list, unsigned int length)
631 /* Return the size in bytes of an IDAT_list of the given length. */
632{
633 if (list != NULL)
634 length = list->length;
635
636 return sizeof *list - sizeof list->lengths +
637 length * sizeof list->lengths[0];
638}
639
640static void
641IDAT_list_end(struct IDAT_list *IDAT_list)
642{
643 struct IDAT_list *list = IDAT_list->next;
644
645 CLEAR(*IDAT_list);
646
647 while (list != NULL)
648 {
649 struct IDAT_list *next = list->next;
650
651 clear(list, IDAT_list_size(list, 0));
652 free(list);
653 list = next;
654 }
655}
656
657static struct IDAT_list *
658IDAT_list_extend(struct IDAT_list *tail)
659{
660 /* Use the previous cached value if available. */
661 struct IDAT_list *next = tail->next;
662
663 if (next == NULL)
664 {
665 /* Insert a new, malloc'ed, block of IDAT information buffers, this
666 * one twice as large as the previous one:
667 */
668 unsigned int length = 2 * tail->length;
669
670 if (length < tail->length) /* arithmetic overflow */
671 length = tail->length;
672
673 next = voidcast(IDAT_list*, malloc(IDAT_list_size(NULL, length)));
674 CLEAR(*next);
675
676 /* The caller must handle this: */
677 if (next == NULL)
678 return NULL;
679
680 next->next = NULL;
681 next->length = length;
682 tail->next = next;
683 }
684
685 return next;
686}
687
688/* GLOBAL CONTROL STRUCTURE */
689struct global
690{
691 /* PUBLIC GLOBAL VARIABLES: OWNER INITIALIZE */
692 unsigned int errors :1; /* print file errors to stderr */
693 unsigned int warnings :1; /* print libpng warnings to stderr */
694 unsigned int optimize_zlib :1; /* Run optimization search */
695 unsigned int quiet :2; /* don't output summaries */
696 unsigned int verbose :3; /* various internal tracking */
697 unsigned int skip :3; /* Non-critical chunks to skip */
698# define SKIP_NONE 0
699# define SKIP_BAD_CRC 1 /* Chunks with a bad CRC */
700# define SKIP_UNSAFE 2 /* Chunks not safe to copy */
701# define SKIP_UNUSED 3 /* Chunks not used by libpng */
702# define SKIP_TRANSFORM 4 /* Chunks only used in transforms */
703# define SKIP_COLOR 5 /* Everything but tRNS, sBIT, gAMA and sRGB */
704# define SKIP_ALL 6 /* Everything but tRNS and sBIT */
705
706 png_uint_32 idat_max; /* 0 to perform no re-chunking */
707
708 int status_code; /* Accumulated status code */
709# define TOO_FAR_BACK 0x01 /* found a too-far-back error */
710# define CRC_ERROR 0x02 /* fixed an invalid CRC */
711# define STREAM_ERROR 0x04 /* damaged PNG stream (may be fixable) */
712# define TRUNCATED 0x08 /* truncated but still readable */
713# define FILE_ERROR 0x10 /* could not read the file */
714# define WRITE_ERROR 0x20 /* write error (this terminates the read) */
715# define INTERNAL_ERROR 0x40 /* internal limits/errors encountered */
716
717 /* PUBLIC GLOBAL VARIABLES: USED INTERNALLY BY IDAT READ CODE */
718 struct IDAT_list idat_cache; /* Cache of file IDAT information buffers */
719 /* The structure is shared across all uses of this global control
720 * structure to avoid reallocation between IDAT streams.
721 */
722};
723
724static int
725global_end(struct global *global)
726{
727
728 int rc;
729
730 IDAT_list_end(&global->idat_cache);
731 rc = global->status_code;
732 CLEAR(*global);
733 return rc;
734}
735
736static void
737global_init(struct global *global)
738 /* Call this once (and only once) to initialize the control */
739{
740 CLEAR(*global);
741
742 /* Globals */
743 global->errors = 0;
744 global->warnings = 0;
745 global->quiet = 0;
746 global->verbose = 0;
747 global->idat_max = 0; /* no re-chunking of IDAT */
748 global->optimize_zlib = 0;
749 global->skip = SKIP_NONE;
750 global->status_code = 0;
751
752 IDAT_list_init(&global->idat_cache);
753}
754
755static int
756skip_chunk_type(const struct global *global, png_uint_32 type)
757 /* Return true if this chunk is to be skipped according to the --strip
758 * option. This code needs to recognize all known ancillary chunks in order
759 * to handle the --strip=unsafe option.
760 */
761{
762 /* Never strip critical chunks: */
763 if (CRITICAL(type))
764 return 0;
765
766 switch (type)
767 {
768 /* Chunks that are treated as, effectively, critical because they affect
769 * correct interpretation of the pixel values:
770 */
771 case png_tRNS: case png_sBIT:
772 return 0;
773
774 /* Chunks that specify gamma encoding which should therefore only be
775 * removed if the user insists:
776 */
777 case png_gAMA: case png_sRGB:
778 if (global->skip >= SKIP_ALL)
779 return 1;
780 return 0;
781
782 /* Chunks that affect color interpretation - not used by libpng and rarely
783 * used by applications, but technically still required for correct
784 * interpretation of the image data:
785 */
786 case png_cHRM: case png_iCCP:
787 if (global->skip >= SKIP_COLOR)
788 return 1;
789 return 0;
790
791 /* Other chunks that are used by libpng in image transformations (as
792 * opposed to known chunks that have get/set APIs but are not otherwise
793 * used.)
794 */
795 case png_bKGD:
796 if (global->skip >= SKIP_TRANSFORM)
797 return 1;
798 return 0;
799
800 /* All other chunks that libpng knows about and affect neither image
801 * interpretation nor libpng transforms - chunks that are effectively
802 * unused by libpng even though libpng might recognize and store them.
803 */
804 case png_fRAc: case png_gIFg: case png_gIFt: case png_gIFx: case png_hIST:
805 case png_iTXt: case png_oFFs: case png_pCAL: case png_pHYs: case png_sCAL:
806 case png_sPLT: case png_sTER: case png_tEXt: case png_tIME: case png_zTXt:
807 if (global->skip >= SKIP_UNUSED)
808 return 1;
809 return 0;
810
811 /* Chunks that libpng does not know about (notice that this depends on the
812 * list above including all known chunks!) The decision here depends on
813 * whether the safe-to-copy bit is set in the chunk type.
814 */
815 default:
816 if (SAFE_TO_COPY(type))
817 {
818 if (global->skip >= SKIP_UNUSED) /* as above */
819 return 1;
820 }
821
822 else if (global->skip >= SKIP_UNSAFE)
823 return 1;
824
825 return 0;
826 }
827}
828
829/* PER-FILE CONTROL STRUCTURE */
830struct chunk;
831struct IDAT;
832struct file
833{
834 /* ANCESTORS */
835 struct global *global;
836
837 /* PUBLIC PER-FILE VARIABLES: CALLER INITIALIZE */
838 const char * file_name;
839 const char * out_name; /* Name of output file (if required) */
840
841 /* PUBLIC PER-FILE VARIABLES: SET BY PNG READ CODE */
842 /* File specific result codes */
843 int status_code; /* Set to a bit mask of the following: */
844 int read_errno; /* Records a read error errno */
845 int write_errno; /* Records a write error errno */
846
847 /* IHDR information */
848 png_uint_32 width;
849 png_uint_32 height;
850 png_byte bit_depth;
851 png_byte color_type;
852 png_byte compression_method;
853 png_byte filter_method;
854 png_byte interlace_method;
855
856 udigit image_bytes[5];
857 int image_digits;
858
859 /* PROTECTED PER-FILE VARIABLES: USED BY THE READ CODE */
860 FILE * file; /* Original PNG file */
861 FILE * out; /* If a new one is being written */
862 jmp_buf jmpbuf; /* Set while reading a PNG */
863
864 /* PROTECTED CHUNK SPECIFIC VARIABLES: USED BY CHUNK CODE */
865 /* The following variables are used during reading to record the length, type
866 * and data position of the *next* chunk or, right at the start, the
867 * signature (in length,type).
868 *
869 * When a chunk control structure is instantiated these values are copied
870 * into the structure and can then be overritten with the data for the next
871 * chunk.
872 */
873 fpos_t data_pos; /* Position of first byte of chunk data */
874 png_uint_32 length; /* First word (length or signature start) */
875 png_uint_32 type; /* Second word (type or signature end) */
876 png_uint_32 crc; /* Running chunk CRC (used by read_chunk) */
877
878 /* These counts are maintained by the read and write routines below and are
879 * reset by the chunk handling code. They record the total number of bytes
880 * read or written for the chunk, including the header (length,type) bytes.
881 */
882 png_uint_32 read_count; /* Count of bytes read (in the chunk) */
883 png_uint_32 write_count; /* Count of bytes written (in the chunk) */
884 int state; /* As defined here: */
885# define STATE_SIGNATURE 0 /* The signature is being written */
886# define STATE_CHUNKS 1 /* Non-IDAT chunks are being written */
887# define STATE_IDAT 2 /* An IDAT stream is being written */
888
889 /* Two pointers used to enable clean-up in the event of fatal errors and to
890 * hold state about the parser process (only one of each at present.)
891 */
892 struct chunk * chunk;
893 struct IDAT * idat;
894
895 /* Interface to allocate a new chunk or IDAT control structure. The result
896 * is returned by setting one or other of the above variables. Note that the
897 * relevant initializer is called by the allocator function. The alloc_ptr
898 * is used only by the implementation of the allocate function.
899 */
900 void * alloc_ptr;
901 void (*alloc)(struct file*,int idat);
902 /* idat: allocate IDAT not chunk */
903};
904
905/* Valid longjmp (stop) codes are: */
906#define LIBPNG_WARNING_CODE 1 /* generic png_error */
907#define LIBPNG_ERROR_CODE 2 /* generic png_error */
908#define ZLIB_ERROR_CODE 3 /* generic zlib error */
909#define INVALID_ERROR_CODE 4 /* detected an invalid PNG */
910#define READ_ERROR_CODE 5 /* read failed */
911#define WRITE_ERROR_CODE 6 /* error in write */
912#define UNEXPECTED_ERROR_CODE 7 /* unexpected (internal?) error */
913
914static void
915emit_string(const char *str, FILE *out)
916 /* Print a string with spaces replaced by '_' and non-printing characters by
917 * an octal escape.
918 */
919{
920 for (; *str; ++str)
921 if (isgraph(UCHAR_MAX & *str))
922 putc(*str, out);
923
924 else if (isspace(UCHAR_MAX & *str))
925 putc('_', out);
926
927 else
928 fprintf(out, "\\%.3o", *str);
929}
930
931static const char *
932strcode(int code)
933{
934 switch (code)
935 {
936 case LIBPNG_WARNING_CODE: return "warning";
937 case LIBPNG_ERROR_CODE: return "libpng";
938 case ZLIB_ERROR_CODE: return "zlib";
939 case INVALID_ERROR_CODE: return "invalid";
940 case READ_ERROR_CODE: return "read";
941 case WRITE_ERROR_CODE: return "write";
942 case UNEXPECTED_ERROR_CODE: return "unexpected";
943 default: return "INVALID";
944 }
945}
946
947static void
948emit_error(struct file *file, int code, const char *what)
949 /* Generic error message routine, takes a 'stop' code but can be used
950 * elsewhere. Always outputs a message.
951 */
952{
953 const char *reason;
954 int err = 0;
955
956 switch (code)
957 {
958 case LIBPNG_WARNING_CODE: reason = "libpng warning:"; break;
959 case LIBPNG_ERROR_CODE: reason = "libpng error:"; break;
960 case ZLIB_ERROR_CODE: reason = "zlib error:"; break;
961 case INVALID_ERROR_CODE: reason = "invalid"; break;
962 case READ_ERROR_CODE: reason = "read failure:";
963 err = file->read_errno;
964 break;
965 case WRITE_ERROR_CODE: reason = "write error";
966 err = file->write_errno;
967 break;
968 case UNEXPECTED_ERROR_CODE: reason = "unexpected error:";
969 err = file->read_errno;
970 if (err == 0)
971 err = file->write_errno;
972 break;
973 default: reason = "INVALID (internal error):"; break;
974 }
975
976 if (err != 0)
977 fprintf(stderr, "%s: %s %s [%s]\n", file->file_name, reason, what,
978 strerror(err));
979
980 else
981 fprintf(stderr, "%s: %s %s\n", file->file_name, reason, what);
982}
983
984static void chunk_end(struct chunk **);
985static void IDAT_end(struct IDAT **);
986
987static int
988file_end(struct file *file)
989{
990 int rc;
991
992 /* If either of the chunk pointers are set end them here, the IDAT structure
993 * must be deallocated first as it may deallocate the chunk structure.
994 */
995 if (file->idat != NULL)
996 IDAT_end(&file->idat);
997
998 if (file->chunk != NULL)
999 chunk_end(&file->chunk);
1000
1001 rc = file->status_code;
1002
1003 if (file->file != NULL)
1004 (void)fclose(file->file);
1005
1006 if (file->out != NULL)
1007 {
1008 /* NOTE: this is bitwise |, all the following functions must execute and
1009 * must succeed.
1010 */
1011 if (ferror(file->out) | fflush(file->out) | fclose(file->out))
1012 {
1013 perror(file->out_name);
1014 emit_error(file, READ_ERROR_CODE, "output write error");
1015 rc |= WRITE_ERROR;
1016 }
1017 }
1018
1019 /* Accumulate the result codes */
1020 file->global->status_code |= rc;
1021
1022 CLEAR(*file);
1023
1024 return rc; /* status code: non-zero on read or write error */
1025}
1026
1027static int
1028file_init(struct file *file, struct global *global, const char *file_name,
1029 const char *out_name, void *alloc_ptr, void (*alloc)(struct file*,int))
1030 /* Initialize a file control structure. This will open the given files as
1031 * well. The status code returned is 0 on success, non zero (using the flags
1032 * above) on a file open error.
1033 */
1034{
1035 CLEAR(*file);
1036 file->global = global;
1037
1038 file->file_name = file_name;
1039 file->out_name = out_name;
1040 file->status_code = 0;
1041 file->read_errno = 0;
1042 file->write_errno = 0;
1043
1044 file->file = NULL;
1045 file->out = NULL;
1046 /* jmpbuf is garbage: must be set by read_png */
1047
1048 file->read_count = 0;
1049 file->state = STATE_SIGNATURE;
1050
1051 file->chunk = NULL;
1052 file->idat = NULL;
1053
1054 file->alloc_ptr = alloc_ptr;
1055 file->alloc = alloc;
1056
1057 /* Open the files: */
1058 assert(file_name != NULL);
1059 file->file = fopen(file_name, "rb");
1060
1061 if (file->file == NULL)
1062 {
1063 file->read_errno = errno;
1064 file->status_code |= FILE_ERROR;
1065 /* Always output: please give a readable file! */
1066 perror(file_name);
1067 return FILE_ERROR;
1068 }
1069
1070 if (out_name != NULL)
1071 {
1072 file->out = fopen(out_name, "wb");
1073
1074 if (file->out == NULL)
1075 {
1076 file->write_errno = errno;
1077 file->status_code |= WRITE_ERROR;
1078 perror(out_name);
1079 return WRITE_ERROR;
1080 }
1081 }
1082
1083 return 0;
1084}
1085
1086static void
1087log_error(struct file *file, int code, const char *what)
1088 /* Like emit_error but checks the global 'errors' flag */
1089{
1090 if (file->global->errors)
1091 emit_error(file, code, what);
1092}
1093
1094static char
1095type_char(png_uint_32 v)
1096{
1097 /* In fact because chunk::chunk_type is validated prior to any call to this
1098 * function it will always return a-zA-Z, but the extra codes are just there
1099 * to help in finding internal (programming) errors. Note that the code only
1100 * ever considers the low 7 bits of the value (so it is not necessary for the
1101 * type_name function to mask of the byte.)
1102 */
1103 if (v & 32)
1104 return "!abcdefghijklmnopqrstuvwxyz56789"[(v-96)&31];
1105
1106 else
1107 return "@ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"[(v-64)&31];
1108}
1109
1110static void
1111type_name(png_uint_32 type, FILE *out)
1112{
1113 putc(type_char(type >> 24), out);
1114 putc(type_char(type >> 16), out);
1115 putc(type_char(type >> 8), out);
1116 putc(type_char(type ), out);
1117}
1118
1119static void
1120type_sep(FILE *out)
1121{
1122 putc(':', out);
1123 putc(' ', out);
1124}
1125
1126static png_uint_32 current_type(struct file *file, int code);
1127
1128PNG_NORETURN static void
1129stop(struct file *file, int code, const char *what)
1130 /* Return control when a PNG file cannot be read. This outputs an 'ERR'
1131 * summary line too.
1132 */
1133{
1134 log_error(file, code, what);
1135
1136 /* The chunk being read is typically identified by file->chunk or, if this is
1137 * NULL, by file->type. This may be wrong if libpng reads ahead, but this
1138 * only happens with IDAT where libpng reads the header then jumps around
1139 * finding errors in the previous chunks. We know that is happening because
1140 * we are at the start of the IDAT (i.e. no IDAT data has yet been written.)
1141 *
1142 * SUMMARY FORMAT (stop):
1143 *
1144 * IDAT ERR status code read-errno write-errno message file
1145 *
1146 * 'uncompressed' will be 0 if there was a problem in the IHDR. The errno
1147 * values are emit_string(strerror(errno)).
1148 */
1149 if (file->global->quiet < 2) /* need two quiets to stop this. */
1150 {
1151 png_uint_32 type;
1152
1153 if (file->chunk != NULL)
1154 type = current_type(file, code); /* Gropes in struct chunk and IDAT */
1155
1156 else
1157 type = file->type;
1158
1159 if (type)
1160 type_name(type, stdout);
1161
1162 else /* magic: an IDAT header, produces bogons for too many IDATs */
1163 fputs("HEAD", stdout); /* not a registered chunk! */
1164
1165 printf(" ERR %.2x %s ", file->status_code, strcode(code));
1166 /* This only works one strerror at a time, because of the way strerror is
1167 * implemented.
1168 */
1169 emit_string(strerror(file->read_errno), stdout);
1170 putc(' ', stdout);
1171 emit_string(strerror(file->write_errno), stdout);
1172 putc(' ', stdout);
1173 emit_string(what, stdout);
1174 putc(' ', stdout);
1175 fputs(file->file_name, stdout);
1176 putc('\n', stdout);
1177 }
1178
1179 file->status_code |= FILE_ERROR;
1180 longjmp(file->jmpbuf, code);
1181}
1182
1183PNG_NORETURN static void
1184stop_invalid(struct file *file, const char *what)
1185{
1186 stop(file, INVALID_ERROR_CODE, what);
1187}
1188
1189static void
1190type_message(struct file *file, png_uint_32 type, const char *what)
1191 /* Error message for a chunk; the chunk name comes from 'type' */
1192{
1193 if (file->global->errors)
1194 {
1195 fputs(file->file_name, stderr);
1196 type_sep(stderr);
1197 type_name(type, stderr);
1198 type_sep(stderr);
1199 fputs(what, stderr);
1200 putc('\n', stderr);
1201 }
1202}
1203
1204/* Input file positioning - we jump around in the input file while reading
1205 * stuff, these wrappers deal with the error handling.
1206 */
1207static void
1208file_getpos(struct file *file, fpos_t *pos)
1209{
1210 if (fgetpos(file->file, pos))
1211 {
1212 /* This is unexpected, so perror it */
1213 perror(file->file_name);
1214 stop(file, READ_ERROR_CODE, "fgetpos");
1215 }
1216}
1217
1218static void
1219file_setpos(struct file *file, const fpos_t *pos)
1220{
1221 if (fsetpos(file->file, pos))
1222 {
1223 perror(file->file_name);
1224 stop(file, READ_ERROR_CODE, "fsetpos");
1225 }
1226}
1227
1228static void
1229getpos(struct file *file)
1230 /* Get the current position and store it in 'data_pos'. The corresponding
1231 * setpos() function is chunk specific because it uses the copy of the
1232 * position for the specific chunk.
1233 */
1234{
1235 file_getpos(file, &file->data_pos);
1236}
1237
1238
1239/* Read utility - read a single byte, returns a value in the range 0..255 or EOF
1240 * on a read error. In the latter case status_code and read_errno are updated
1241 * appropriately.
1242 */
1243static int
1244read_byte(struct file *file)
1245{
1246 int ch = getc(file->file);
1247
1248 if (ch >= 0 && ch <= 255)
1249 {
1250 ++(file->read_count);
1251 return ch;
1252 }
1253
1254 else if (ch != EOF)
1255 {
1256 file->status_code |= INTERNAL_ERROR;
1257 file->read_errno = ERANGE; /* out of range character */
1258
1259 /* This is very unexpected; an error message is always output: */
1260 emit_error(file, UNEXPECTED_ERROR_CODE, "file read");
1261 }
1262
1263# ifdef EINTR
1264 else if (errno == EINTR) /* Interrupted, try again */
1265 {
1266 errno = 0;
1267 return read_byte(file);
1268 }
1269# endif
1270
1271 else
1272 {
1273 /* An error, it doesn't really matter what the error is but it gets
1274 * recorded anyway.
1275 */
1276 if (ferror(file->file))
1277 file->read_errno = errno;
1278
1279 else if (feof(file->file))
1280 file->read_errno = 0; /* I.e. a regular EOF, no error */
1281
1282 else /* unexpected */
1283 file->read_errno = EDOM;
1284 }
1285
1286 /* 'TRUNCATED' is used for all cases of failure to read a byte, because of
1287 * the way libpng works a byte read is never attempted unless the byte is
1288 * expected to be there, so EOF should not occur.
1289 */
1290 file->status_code |= TRUNCATED;
1291 return EOF;
1292}
1293
1294static png_byte
1295reread_byte(struct file *file)
1296 /* Read a byte when an error is not expected to happen because the byte has
1297 * been read before without error.
1298 */
1299{
1300 int ch = getc(file->file);
1301
1302 if (errno != 0)
1303 file->read_errno = errno;
1304
1305 if (ch < 0 || ch > 255)
1306 stop(file, UNEXPECTED_ERROR_CODE, "reread");
1307
1308 return (png_byte)ch;
1309}
1310
1311static png_uint_32
1312reread_4(struct file *file)
1313 /* The same but for a four byte quantity */
1314{
1315 png_uint_32 result = 0;
1316 int i = 0;
1317
1318 while (++i <= 4)
1319 result = (result << 8) + reread_byte(file);
1320
1321 return result;
1322}
1323
1324static void
1325skip_12(struct file *file)
1326 /* Skip exactly 12 bytes in the input stream - used to skip a CRC and chunk
1327 * header that has been read before.
1328 */
1329{
1330 /* Since the chunks were read before this shouldn't fail: */
1331 if (fseek(file->file, 12, SEEK_CUR) != 0)
1332 {
1333 if (errno != 0)
1334 file->read_errno = errno;
1335
1336 stop(file, UNEXPECTED_ERROR_CODE, "reskip");
1337 }
1338}
1339
1340static void
1341write_byte(struct file *file, int b)
1342 /* Write one byte to the output - this causes a fatal error if the write
1343 * fails and the read of this PNG file immediately terminates. Just
1344 * increments the write count if there is no output file.
1345 */
1346{
1347 if (file->out != NULL)
1348 {
1349 if (putc(b, file->out) != b)
1350 {
1351 file->write_errno = errno;
1352 file->status_code |= WRITE_ERROR;
1353 stop(file, WRITE_ERROR_CODE, "write byte");
1354 }
1355 }
1356
1357 ++(file->write_count);
1358}
1359
1360/* Derivatives of the read/write functions. */
1361static unsigned int
1362read_4(struct file *file, png_uint_32 *pu)
1363 /* Read four bytes, returns the number of bytes read successfully and, if all
1364 * four bytes are read, assigns the result to *pu.
1365 */
1366{
1367 unsigned int i = 0;
1368 png_uint_32 val = 0;
1369
1370 do
1371 {
1372 int ch = read_byte(file);
1373
1374 if (ch == EOF)
1375 return i;
1376
1377 val = (val << 8) + ch;
1378 } while (++i < 4);
1379
1380 *pu = val;
1381 return i;
1382}
1383
1384/* CRC handling - read but calculate the CRC while doing so. */
1385static int
1386crc_read_many(struct file *file, png_uint_32 length)
1387 /* Reads 'length' bytes and updates the CRC, returns true on success, false
1388 * if the input is truncated.
1389 */
1390{
1391 if (length > 0)
1392 {
1393 png_uint_32 crc = file->crc;
1394
1395 do
1396 {
1397 int ch = read_byte(file);
1398
1399 if (ch == EOF)
1400 return 0; /* Truncated */
1401
1402 crc = crc_one_byte(crc, ch);
1403 }
1404 while (--length > 0);
1405
1406 file->crc = crc;
1407 }
1408
1409 return 1; /* OK */
1410}
1411
1412static int
1413calc_image_size(struct file *file)
1414 /* Fill in the image_bytes field given the IHDR information, calls stop on
1415 * error.
1416 */
1417{
1418 png_uint_16 pd = file->bit_depth;
1419
1420 switch (file->color_type)
1421 {
1422 default:
1423 stop_invalid(file, "IHDR: colour type");
1424
1425 invalid_bit_depth:
1426 stop_invalid(file, "IHDR: bit depth");
1427
1428 case 0: /* g */
1429 if (pd != 1 && pd != 2 && pd != 4 && pd != 8 && pd != 16)
1430 goto invalid_bit_depth;
1431 break;
1432
1433 case 3:
1434 if (pd != 1 && pd != 2 && pd != 4 && pd != 8)
1435 goto invalid_bit_depth;
1436 break;
1437
1438 case 2: /* rgb */
1439 if (pd != 8 && pd != 16)
1440 goto invalid_bit_depth;
1441
1442 pd = (png_uint_16)(pd * 3);
1443 break;
1444
1445 case 4: /* ga */
1446 if (pd != 8 && pd != 16)
1447 goto invalid_bit_depth;
1448
1449 pd = (png_uint_16)(pd * 2);
1450 break;
1451
1452 case 6: /* rgba */
1453 if (pd != 8 && pd != 16)
1454 goto invalid_bit_depth;
1455
1456 pd = (png_uint_16)(pd * 4);
1457 break;
1458 }
1459
1460 if (file->width < 1 || file->width > 0x7fffffff)
1461 stop_invalid(file, "IHDR: width");
1462
1463 else if (file->height < 1 || file->height > 0x7fffffff)
1464 stop_invalid(file, "IHDR: height");
1465
1466 else if (file->compression_method != 0)
1467 stop_invalid(file, "IHDR: compression method");
1468
1469 else if (file->filter_method != 0)
1470 stop_invalid(file, "IHDR: filter method");
1471
1472 else switch (file->interlace_method)
1473 {
1474 case PNG_INTERLACE_ADAM7:
1475 /* Interlacing makes the image larger because of the replication of
1476 * both the filter byte and the padding to a byte boundary.
1477 */
1478 {
1479 int pass;
1480 int image_digits = 0;
1481 udigit row_width[2], row_bytes[3];
1482
1483 for (pass=0; pass<=6; ++pass)
1484 {
1485 png_uint_32 pw = PNG_PASS_COLS(file->width, pass);
1486
1487 if (pw > 0)
1488 {
1489 int digits;
1490
1491 /* calculate 1+((pw*pd+7)>>3) in row_bytes */
1492 digits = uarb_mult_digit(row_bytes, uarb_set(row_bytes, 7),
1493 row_width, uarb_set(row_width, pw), pd);
1494 digits = uarb_shift(row_bytes, digits, 3);
1495 digits = uarb_inc(row_bytes, digits, 1);
1496
1497 /* Add row_bytes * pass-height to the file image_bytes field
1498 */
1499 image_digits = uarb_mult32(file->image_bytes, image_digits,
1500 row_bytes, digits,
1501 PNG_PASS_ROWS(file->height, pass));
1502 }
1503 }
1504
1505 file->image_digits = image_digits;
1506 }
1507 break;
1508
1509 case PNG_INTERLACE_NONE:
1510 {
1511 int digits;
1512 udigit row_width[2], row_bytes[3];
1513
1514 /* As above, but use image_width in place of the pass width: */
1515 digits = uarb_mult_digit(row_bytes, uarb_set(row_bytes, 7),
1516 row_width, uarb_set(row_width, file->width), pd);
1517 digits = uarb_shift(row_bytes, digits, 3);
1518 digits = uarb_inc(row_bytes, digits, 1);
1519
1520 /* Set row_bytes * image-height to the file image_bytes field */
1521 file->image_digits = uarb_mult32(file->image_bytes, 0,
1522 row_bytes, digits, file->height);
1523 }
1524 break;
1525
1526 default:
1527 stop_invalid(file, "IHDR: interlace method");
1528 }
1529
1530 assert(file->image_digits >= 1 && file->image_digits <= 5);
1531 return 1;
1532}
1533
1534/* PER-CHUNK CONTROL STRUCTURE
1535 * This structure is instantiated for each chunk, except for the IDAT chunks
1536 * where one chunk control structure is used for the whole of a single stream of
1537 * IDAT chunks (see the IDAT control structure below).
1538 */
1539struct chunk
1540{
1541 /* ANCESTORS */
1542 struct file * file;
1543 struct global * global;
1544
1545 /* PUBLIC IDAT INFORMATION: SET BY THE ZLIB CODE */
1546 udigit uncompressed_bytes[5];
1547 int uncompressed_digits;
1548 udigit compressed_bytes[5];
1549 int compressed_digits;
1550
1551 /* PUBLIC PER-CHUNK INFORMATION: USED BY CHUNK READ CODE */
1552 /* This information is filled in by chunk_init from the data in the file
1553 * control structure, but chunk_length may be changed later.
1554 */
1555 fpos_t chunk_data_pos; /* Position of first byte of chunk data */
1556 png_uint_32 chunk_length; /* From header (or modified below) */
1557 png_uint_32 chunk_type; /* From header */
1558
1559 /* PUBLIC PER-CHUNK INFORMATION: FOR THE CHUNK WRITE CODE */
1560 png_uint_32 write_crc; /* Output CRC (may differ from read_crc) */
1561 png_uint_32 rewrite_offset; /* Count of bytes before rewrite. */
1562 int rewrite_length; /* Number of bytes left to change */
1563 png_byte rewrite_buffer[2]; /* Buffer of new byte values */
1564};
1565
1566static void
1567chunk_message(struct chunk *chunk, const char *message)
1568{
1569 type_message(chunk->file, chunk->chunk_type, message);
1570}
1571
1572static void
1573chunk_end(struct chunk **chunk_var)
1574{
1575 struct chunk *chunk = *chunk_var;
1576
1577 *chunk_var = NULL;
1578 CLEAR(*chunk);
1579}
1580
1581static void
1582chunk_init(struct chunk * const chunk, struct file * const file)
1583 /* When a chunk is initialized the file length/type/pos are copied into the
1584 * corresponding chunk fields and the new chunk is registered in the file
1585 * structure. There can only be one chunk at a time.
1586 *
1587 * NOTE: this routine must onely be called from the file alloc routine!
1588 */
1589{
1590 assert(file->chunk == NULL);
1591
1592 CLEAR(*chunk);
1593
1594 chunk->file = file;
1595 chunk->global = file->global;
1596
1597 chunk->chunk_data_pos = file->data_pos;
1598 chunk->chunk_length = file->length;
1599 chunk->chunk_type = file->type;
1600
1601 /* Compresssed/uncompressed size information (from the zlib control structure
1602 * that is used to check the compressed data in a chunk.)
1603 */
1604 chunk->uncompressed_digits = 0;
1605 chunk->compressed_digits = 0;
1606
1607 file->chunk = chunk;
1608}
1609
1610static png_uint_32
1611current_type(struct file *file, int code)
1612 /* Guess the actual chunk type that causes a stop() */
1613{
1614 /* This may return png_IDAT for errors detected (late) in the header; that
1615 * includes any inter-chunk consistency check that libpng performs. Assume
1616 * that if the chunk_type is png_IDAT and the file write count is 8 this is
1617 * what is happening.
1618 */
1619 if (file->chunk != NULL)
1620 {
1621 png_uint_32 type = file->chunk->chunk_type;
1622
1623 /* This is probably wrong for the excess IDATs case, because then libpng
1624 * whines about too many of them (apparently in some cases erroneously)
1625 * when the header is read.
1626 */
1627 if (code <= LIBPNG_ERROR_CODE && type == png_IDAT &&
1628 file->write_count == 8)
1629 type = 0; /* magic */
1630
1631 return type;
1632 }
1633
1634 else
1635 return file->type;
1636}
1637
1638static void
1639setpos(struct chunk *chunk)
1640 /* Reset the position to 'chunk_data_pos' - the start of the data for this
1641 * chunk. As a side effect the read_count in the file is reset to 8, just
1642 * after the length/type header.
1643 */
1644{
1645 chunk->file->read_count = 8;
1646 file_setpos(chunk->file, &chunk->chunk_data_pos);
1647}
1648
1649/* Specific chunk handling - called for each chunk header, all special chunk
1650 * processing is initiated in these functions.
1651 */
1652/* The next functions handle special processing for those chunks with LZ data,
1653 * the data is identified and checked for validity. If there are problems which
1654 * cannot be corrected the routines return false, otherwise true (although
1655 * modification to the zlib header may be required.)
1656 *
1657 * The compressed data is in zlib format (RFC1950) and consequently has a
1658 * minimum length of 7 bytes.
1659 */
1660static int zlib_check(struct file *file, png_uint_32 offset);
1661
1662static int
1663process_zTXt_iCCP(struct file *file)
1664 /* zTXt and iCCP have exactly the same form - keyword, null, compression
1665 * method then compressed data.
1666 */
1667{
1668 struct chunk *chunk = file->chunk;
1669 png_uint_32 length;
1670 png_uint_32 index = 0;
1671
1672 assert(chunk != NULL && file->idat == NULL);
1673 length = chunk->chunk_length;
1674 setpos(chunk);
1675
1676 while (length >= 9)
1677 {
1678 --length;
1679 ++index;
1680 if (reread_byte(file) == 0) /* keyword null terminator */
1681 {
1682 --length;
1683 ++index;
1684 (void)reread_byte(file); /* compression method */
1685 return zlib_check(file, index);
1686 }
1687 }
1688
1689 chunk_message(chunk, "too short");
1690 return 0; /* skip */
1691}
1692
1693static int
1694process_iTXt(struct file *file)
1695{
1696 /* Like zTXt but more fields. */
1697 struct chunk *chunk = file->chunk;
1698 png_uint_32 length;
1699 png_uint_32 index = 0;
1700
1701 assert(chunk != NULL && file->idat == NULL);
1702 length = chunk->chunk_length;
1703 setpos(chunk);
1704
1705 while (length >= 5)
1706 {
1707 --length;
1708 ++index;
1709 if (reread_byte(file) == 0) /* keyword null terminator */
1710 {
1711 --length;
1712 ++index;
1713 if (reread_byte(file) == 0) /* uncompressed text */
1714 return 1; /* nothing to check */
1715
1716 --length;
1717 ++index;
1718 (void)reread_byte(file); /* compression method */
1719
1720 /* Skip the language tag (null terminated). */
1721 while (length >= 9)
1722 {
1723 --length;
1724 ++index;
1725 if (reread_byte(file) == 0) /* terminator */
1726 {
1727 /* Skip the translated keyword */
1728 while (length >= 8)
1729 {
1730 --length;
1731 ++index;
1732 if (reread_byte(file) == 0) /* terminator */
1733 return zlib_check(file, index);
1734 }
1735 }
1736 }
1737
1738 /* Ran out of bytes in the compressed case. */
1739 break;
1740 }
1741 }
1742
1743 log_error(file, INVALID_ERROR_CODE, "iTXt chunk length");
1744
1745 return 0; /* skip */
1746}
1747
1748/* IDAT READ/WRITE CONTROL STRUCTURE */
1749struct IDAT
1750{
1751 /* ANCESTORS */
1752 struct file * file;
1753 struct global * global;
1754
1755 /* PROTECTED IDAT INFORMATION: SET BY THE IDAT READ CODE */
1756 struct IDAT_list *idat_list_head; /* START of the list of IDAT information */
1757 struct IDAT_list *idat_list_tail; /* *END* of the list of IDAT information */
1758
1759 /* PROTECTED IDAT INFORMATION: USED BY THE IDAT WRITE CODE */
1760 struct IDAT_list *idat_cur; /* Current list entry */
1761 unsigned int idat_count; /* And the *current* index into the list */
1762 png_uint_32 idat_index; /* Index of *next* input byte to write */
1763 png_uint_32 idat_length; /* Cache of current chunk length */
1764};
1765
1766/* NOTE: there is currently no IDAT_reset, so a stream cannot contain more than
1767 * one IDAT sequence (i.e. MNG is not supported).
1768 */
1769
1770static void
1771IDAT_end(struct IDAT **idat_var)
1772{
1773 struct IDAT *idat = *idat_var;
1774 struct file *file = idat->file;
1775
1776 *idat_var = NULL;
1777
1778 CLEAR(*idat);
1779
1780 assert(file->chunk != NULL);
1781 chunk_end(&file->chunk);
1782
1783 /* Regardless of why the IDAT was killed set the state back to CHUNKS (it may
1784 * already be CHUNKS because the state isn't changed until process_IDAT
1785 * returns; a stop will cause IDAT_end to be entered in state CHUNKS!)
1786 */
1787 file->state = STATE_CHUNKS;
1788}
1789
1790static void
1791IDAT_init(struct IDAT * const idat, struct file * const file)
1792 /* When the chunk is png_IDAT instantiate an IDAT control structure in place
1793 * of a chunk control structure. The IDAT will instantiate a chunk control
1794 * structure using the file alloc routine.
1795 *
1796 * NOTE: this routine must only be called from the file alloc routine!
1797 */
1798{
1799 assert(file->chunk == NULL);
1800 assert(file->idat == NULL);
1801
1802 CLEAR(*idat);
1803
1804 idat->file = file;
1805 idat->global = file->global;
1806
1807 /* Initialize the tail to the pre-allocated buffer and set the count to 0
1808 * (empty.)
1809 */
1810 idat->global->idat_cache.count = 0;
1811 idat->idat_list_head = idat->idat_list_tail = &idat->global->idat_cache;
1812
1813 /* Now the chunk. The allocator calls the initializer of the new chunk and
1814 * stores the result in file->chunk:
1815 */
1816 file->alloc(file, 0/*chunk*/);
1817 assert(file->chunk != NULL);
1818
1819 /* And store this for cleanup (and to check for double alloc or failure to
1820 * free.)
1821 */
1822 file->idat = idat;
1823}
1824
1825static png_uint_32
1826rechunk_length(struct IDAT *idat, int start)
1827 /* Return the length for the next IDAT chunk, taking into account
1828 * rechunking.
1829 */
1830{
1831 png_uint_32 len = idat->global->idat_max;
1832
1833 if (len == 0) /* use original chunk lengths */
1834 {
1835 const struct IDAT_list *cur;
1836 unsigned int count;
1837
1838 if (start)
1839 return idat->idat_length; /* use the cache */
1840
1841 /* Otherwise rechunk_length is called at the end of a chunk for the length
1842 * of the next one.
1843 */
1844 cur = idat->idat_cur;
1845 count = idat->idat_count;
1846
1847 assert(idat->idat_index == idat->idat_length &&
1848 idat->idat_length == cur->lengths[count]);
1849
1850 /* Return length of the *next* chunk */
1851 if (++count < cur->count)
1852 return cur->lengths[count];
1853
1854 /* End of this list */
1855 assert(cur != idat->idat_list_tail);
1856 cur = cur->next;
1857 assert(cur != NULL && cur->count > 0);
1858 return cur->lengths[0];
1859 }
1860
1861 else /* rechunking */
1862 {
1863 /* The chunk size is the lesser of file->idat_max and the number
1864 * of remaining bytes.
1865 */
1866 png_uint_32 have = idat->idat_length - idat->idat_index;
1867
1868 if (len > have)
1869 {
1870 struct IDAT_list *cur = idat->idat_cur;
1871 unsigned int j = idat->idat_count+1; /* the next IDAT in the list */
1872
1873 do
1874 {
1875 /* Add up the remaining bytes. This can't overflow because the
1876 * individual lengths are always <= 0x7fffffff, so when we add two
1877 * of them overflow is not possible.
1878 */
1879 assert(cur != NULL);
1880
1881 for (;;)
1882 {
1883 /* NOTE: IDAT_list::count here, not IDAT_list::length */
1884 for (; j < cur->count; ++j)
1885 {
1886 have += cur->lengths[j];
1887 if (len <= have)
1888 return len;
1889 }
1890
1891 /* If this was the end return the count of the available bytes */
1892 if (cur == idat->idat_list_tail)
1893 return have;
1894
1895 cur = cur->next;
1896 j = 0;
1897 }
1898 }
1899 while (len > have);
1900 }
1901
1902 return len;
1903 }
1904}
1905
1906static int
1907process_IDAT(struct file *file)
1908 /* Process the IDAT stream, this is the more complex than the preceding
1909 * cases because the compressed data is spread across multiple IDAT chunks
1910 * (typically). Rechunking of the data is not handled here; all this
1911 * function does is establish whether the zlib header needs to be modified.
1912 *
1913 * Initially the function returns false, indicating that the chunk should not
1914 * be written. It does this until the last IDAT chunk is passed in, then it
1915 * checks the zlib data and returns true.
1916 *
1917 * It does not return false on a fatal error; it calls stop instead.
1918 *
1919 * The caller must have an instantiated (IDAT) control structure and it must
1920 * have extent over the whole read of the IDAT stream. For a PNG this means
1921 * the whole PNG read, for MNG it could have lesser extent.
1922 */
1923{
1924 struct IDAT_list *list;
1925
1926 assert(file->idat != NULL && file->chunk != NULL);
1927
1928 /* We need to first check the entire sequence of IDAT chunks to ensure the
1929 * stream is in sync. Do this by building a list of all the chunks and
1930 * recording the length of each because the length may have been fixed up by
1931 * sync_stream below.
1932 *
1933 * At the end of the list of chunks, where the type of the next chunk is not
1934 * png_IDAT, process the whole stream using the list data to check validity
1935 * then return control to the start and rewrite everything.
1936 */
1937 list = file->idat->idat_list_tail;
1938
1939 if (list->count == list->length)
1940 {
1941 list = IDAT_list_extend(list);
1942
1943 if (list == NULL)
1944 stop(file, READ_ERROR_CODE, "out of memory");
1945
1946 /* Move to the next block */
1947 list->count = 0;
1948 file->idat->idat_list_tail = list;
1949 }
1950
1951 /* And fill in the next IDAT information buffer. */
1952 list->lengths[(list->count)++] = file->chunk->chunk_length;
1953
1954 /* The type of the next chunk was recorded in the file control structure by
1955 * the caller, if this is png_IDAT return 'skip' to the caller.
1956 */
1957 if (file->type == png_IDAT)
1958 return 0; /* skip this for the moment */
1959
1960 /* This is the final IDAT chunk, so run the tests to check for the too far
1961 * back error and possibly optimize the window bits. This means going back
1962 * to the start of the first chunk data, which is stored in the original
1963 * chunk allocation.
1964 */
1965 setpos(file->chunk);
1966
1967 if (zlib_check(file, 0))
1968 {
1969 struct IDAT *idat;
1970 int cmp;
1971
1972 /* The IDAT stream was successfully uncompressed; see whether it
1973 * contained the correct number of bytes of image data.
1974 */
1975 cmp = uarb_cmp(file->image_bytes, file->image_digits,
1976 file->chunk->uncompressed_bytes, file->chunk->uncompressed_digits);
1977
1978 if (cmp < 0)
1979 type_message(file, png_IDAT, "extra uncompressed data");
1980
1981 else if (cmp > 0)
1982 stop(file, LIBPNG_ERROR_CODE, "IDAT: uncompressed data too small");
1983
1984 /* Return the stream to the start of the first IDAT chunk; the length
1985 * is set in the write case below but the input chunk variables must be
1986 * set (once) here:
1987 */
1988 setpos(file->chunk);
1989
1990 idat = file->idat;
1991 idat->idat_cur = idat->idat_list_head;
1992 idat->idat_length = idat->idat_cur->lengths[0];
1993 idat->idat_count = 0; /* Count of chunks read in current list */
1994 idat->idat_index = 0; /* Index into chunk data */
1995
1996 /* Update the chunk length to the correct value for the IDAT chunk: */
1997 file->chunk->chunk_length = rechunk_length(idat, 1/*start*/);
1998
1999 /* Change the state to writing IDAT chunks */
2000 file->state = STATE_IDAT;
2001
2002 return 1;
2003 }
2004
2005 else /* Failure to decompress the IDAT stream; give up. */
2006 stop(file, ZLIB_ERROR_CODE, "could not uncompress IDAT");
2007}
2008
2009/* ZLIB CONTROL STRUCTURE */
2010struct zlib
2011{
2012 /* ANCESTORS */
2013 struct IDAT * idat; /* NOTE: May be NULL */
2014 struct chunk * chunk;
2015 struct file * file;
2016 struct global *global;
2017
2018 /* GLOBAL ZLIB INFORMATION: SET BY THE CALLER */
2019 png_uint_32 rewrite_offset;
2020
2021 /* GLOBAL ZLIB INFORMATION: SET BY THE ZLIB READ CODE */
2022 udigit compressed_bytes[5];
2023 int compressed_digits;
2024 udigit uncompressed_bytes[5];
2025 int uncompressed_digits;
2026 int file_bits; /* window bits from the file */
2027 int ok_bits; /* Set <16 on a successful read */
2028 int cksum; /* Set on a checksum error */
2029
2030 /* PROTECTED ZLIB INFORMATION: USED BY THE ZLIB ROUTINES */
2031 z_stream z;
2032 png_uint_32 extra_bytes; /* Count of extra compressed bytes */
2033 int state;
2034 int rc; /* Last return code */
2035 int window_bits; /* 0 if no change */
2036 png_byte header[2];
2037};
2038
2039static const char *
2040zlib_flevel(struct zlib *zlib)
2041{
2042 switch (zlib->header[1] >> 6)
2043 {
2044 case 0: return "supfast";
2045 case 1: return "stdfast";
2046 case 2: return "default";
2047 case 3: return "maximum";
2048 default: assert(UNREACHED);
2049 }
2050
2051 return "COMPILER BUG";
2052}
2053
2054static const char *
2055zlib_rc(struct zlib *zlib)
2056 /* Return a string for the zlib return code */
2057{
2058 switch (zlib->rc)
2059 {
2060 case Z_OK: return "Z_OK";
2061 case Z_STREAM_END: return "Z_STREAM_END";
2062 case Z_NEED_DICT: return "Z_NEED_DICT";
2063 case Z_ERRNO: return "Z_ERRNO";
2064 case Z_STREAM_ERROR: return "Z_STREAM_ERROR";
2065 case Z_DATA_ERROR: return "Z_DATA_ERROR";
2066 case Z_MEM_ERROR: return "Z_MEM_ERROR";
2067 case Z_BUF_ERROR: return "Z_BUF_ERROR";
2068 case Z_VERSION_ERROR: return "Z_VERSION_ERROR";
2069 default: return "Z_*INVALID_RC*";
2070 }
2071}
2072
2073static void
2074zlib_message(struct zlib *zlib, int unexpected)
2075 /* Output a message given a zlib rc */
2076{
2077 if (zlib->global->errors)
2078 {
2079 const char *reason = zlib->z.msg;
2080
2081 if (reason == NULL)
2082 reason = "[no message]";
2083
2084 fputs(zlib->file->file_name, stderr);
2085 type_sep(stderr);
2086 type_name(zlib->chunk->chunk_type, stderr);
2087 fprintf(stderr, ": %szlib error: %d (%s) (%s)\n",
2088 unexpected ? "unexpected " : "", zlib->rc, zlib_rc(zlib), reason);
2089 }
2090}
2091
2092static void
2093zlib_end(struct zlib *zlib)
2094{
2095 /* Output the summary line now; this ensures a summary line always gets
2096 * output regardless of the manner of exit.
2097 */
2098 if (!zlib->global->quiet)
2099 {
2100 if (zlib->ok_bits < 16) /* stream was read ok */
2101 {
2102 const char *reason;
2103
2104 if (zlib->cksum)
2105 reason = "CHK"; /* checksum error */
2106
2107 else if (zlib->ok_bits > zlib->file_bits)
2108 reason = "TFB"; /* fixing a too-far-back error */
2109
2110 else if (zlib->ok_bits == zlib->file_bits)
2111 reason = "OK ";
2112
2113 else
2114 reason = "OPT"; /* optimizing window bits */
2115
2116 /* SUMMARY FORMAT (for a successful zlib inflate):
2117 *
2118 * IDAT reason flevel file-bits ok-bits compressed uncompressed file
2119 */
2120 type_name(zlib->chunk->chunk_type, stdout);
2121 printf(" %s %s %d %d ", reason, zlib_flevel(zlib), zlib->file_bits,
2122 zlib->ok_bits);
2123 uarb_print(zlib->compressed_bytes, zlib->compressed_digits, stdout);
2124 putc(' ', stdout);
2125 uarb_print(zlib->uncompressed_bytes, zlib->uncompressed_digits,
2126 stdout);
2127 putc(' ', stdout);
2128 fputs(zlib->file->file_name, stdout);
2129 putc('\n', stdout);
2130 }
2131
2132 else
2133 {
2134 /* This is a zlib read error; the chunk will be skipped. For an IDAT
2135 * stream this will also cause a fatal read error (via stop()).
2136 *
2137 * SUMMARY FORMAT:
2138 *
2139 * IDAT SKP flevel file-bits z-rc compressed message file
2140 *
2141 * z-rc is the zlib failure code; message is the error message with
2142 * spaces replaced by '-'. The compressed byte count indicates where
2143 * in the zlib stream the error occurred.
2144 */
2145 type_name(zlib->chunk->chunk_type, stdout);
2146 printf(" SKP %s %d %s ", zlib_flevel(zlib), zlib->file_bits,
2147 zlib_rc(zlib));
2148 uarb_print(zlib->compressed_bytes, zlib->compressed_digits, stdout);
2149 putc(' ', stdout);
2150 emit_string(zlib->z.msg ? zlib->z.msg : "[no_message]", stdout);
2151 putc(' ', stdout);
2152 fputs(zlib->file->file_name, stdout);
2153 putc('\n', stdout);
2154 }
2155 }
2156
2157 if (zlib->state >= 0)
2158 {
2159 zlib->rc = inflateEnd(&zlib->z);
2160
2161 if (zlib->rc != Z_OK)
2162 zlib_message(zlib, 1/*unexpected*/);
2163 }
2164
2165 CLEAR(*zlib);
2166}
2167
2168static int
2169zlib_reset(struct zlib *zlib, int window_bits)
2170 /* Reinitializes a zlib with a different window_bits */
2171{
2172 assert(zlib->state >= 0); /* initialized by zlib_init */
2173
2174 zlib->z.next_in = Z_NULL;
2175 zlib->z.avail_in = 0;
2176 zlib->z.next_out = Z_NULL;
2177 zlib->z.avail_out = 0;
2178
2179 zlib->window_bits = window_bits;
2180 zlib->compressed_digits = 0;
2181 zlib->uncompressed_digits = 0;
2182
2183 zlib->state = 0; /* initialized, once */
2184 zlib->rc = inflateReset2(&zlib->z, 0);
2185 if (zlib->rc != Z_OK)
2186 {
2187 zlib_message(zlib, 1/*unexpected*/);
2188 return 0;
2189 }
2190
2191 return 1;
2192}
2193
2194static int
2195zlib_init(struct zlib *zlib, struct IDAT *idat, struct chunk *chunk,
2196 int window_bits, png_uint_32 offset)
2197 /* Initialize a zlib_control; the result is true/false */
2198{
2199 CLEAR(*zlib);
2200
2201 zlib->idat = idat;
2202 zlib->chunk = chunk;
2203 zlib->file = chunk->file;
2204 zlib->global = chunk->global;
2205 zlib->rewrite_offset = offset; /* never changed for this zlib */
2206
2207 /* *_out does not need to be set: */
2208 zlib->z.next_in = Z_NULL;
2209 zlib->z.avail_in = 0;
2210 zlib->z.zalloc = Z_NULL;
2211 zlib->z.zfree = Z_NULL;
2212 zlib->z.opaque = Z_NULL;
2213
2214 zlib->state = -1;
2215 zlib->window_bits = window_bits;
2216
2217 zlib->compressed_digits = 0;
2218 zlib->uncompressed_digits = 0;
2219
2220 /* These values are sticky across reset (in addition to the stuff in the
2221 * first block, which is actually constant.)
2222 */
2223 zlib->file_bits = 24;
2224 zlib->ok_bits = 16; /* unset */
2225 zlib->cksum = 0; /* set when a checksum error is detected */
2226
2227 /* '0' means use the header; inflateInit2 should always succeed because it
2228 * does nothing apart from allocating the internal zstate.
2229 */
2230 zlib->rc = inflateInit2(&zlib->z, 0);
2231 if (zlib->rc != Z_OK)
2232 {
2233 zlib_message(zlib, 1/*unexpected*/);
2234 return 0;
2235 }
2236
2237 else
2238 {
2239 zlib->state = 0; /* initialized */
2240 return 1;
2241 }
2242}
2243
2244static int
2245max_window_bits(uarbc size, int ndigits)
2246 /* Return the zlib stream window bits required for data of the given size. */
2247{
2248 png_uint_16 cb;
2249
2250 if (ndigits > 1)
2251 return 15;
2252
2253 cb = size[0];
2254
2255 if (cb > 16384) return 15;
2256 if (cb > 8192) return 14;
2257 if (cb > 4096) return 13;
2258 if (cb > 2048) return 12;
2259 if (cb > 1024) return 11;
2260 if (cb > 512) return 10;
2261 if (cb > 256) return 9;
2262 return 8;
2263}
2264
2265static int
2266zlib_advance(struct zlib *zlib, png_uint_32 nbytes)
2267 /* Read nbytes compressed bytes; the stream will be initialized if required.
2268 * Bytes are always being reread and errors are fatal. The return code is as
2269 * follows:
2270 *
2271 * -1: saw the "too far back" error
2272 * 0: ok, keep going
2273 * 1: saw Z_STREAM_END (zlib->extra_bytes indicates too much data)
2274 * 2: a zlib error that cannot be corrected (error message already
2275 * output if required.)
2276 */
2277# define ZLIB_TOO_FAR_BACK (-1)
2278# define ZLIB_OK 0
2279# define ZLIB_STREAM_END 1
2280# define ZLIB_FATAL 2
2281{
2282 int state = zlib->state;
2283 int endrc = ZLIB_OK;
2284 png_uint_32 in_bytes = 0;
2285 struct file *file = zlib->file;
2286
2287 assert(state >= 0);
2288
2289 while (in_bytes < nbytes && endrc == ZLIB_OK)
2290 {
2291 png_uint_32 out_bytes;
2292 int flush;
2293 png_byte bIn = reread_byte(file);
2294 png_byte bOut;
2295
2296 switch (state)
2297 {
2298 case 0: /* first header byte */
2299 {
2300 int file_bits = 8+(bIn >> 4);
2301 int new_bits = zlib->window_bits;
2302
2303 zlib->file_bits = file_bits;
2304
2305 /* Check against the existing value - it may not need to be
2306 * changed. Note that a bogus file_bits is allowed through once,
2307 * to see if it works, but the window_bits value is set to 15,
2308 * the maximum.
2309 */
2310 if (new_bits == 0) /* no change */
2311 zlib->window_bits = ((file_bits > 15) ? 15 : file_bits);
2312
2313 else if (new_bits != file_bits) /* rewrite required */
2314 bIn = (png_byte)((bIn & 0xf) + ((new_bits-8) << 4));
2315 }
2316
2317 zlib->header[0] = bIn;
2318 zlib->state = state = 1;
2319 break;
2320
2321 case 1: /* second header byte */
2322 {
2323 int b2 = bIn & 0xe0; /* top 3 bits */
2324
2325 /* The checksum calculation, on the first 11 bits: */
2326 b2 += 0x1f - ((zlib->header[0] << 8) + b2) % 0x1f;
2327
2328 /* Update the checksum byte if required: */
2329 if (bIn != b2)
2330 {
2331 /* If the first byte wasn't changed this indicates an error in
2332 * the checksum calculation; signal this by setting 'cksum'.
2333 */
2334 if (zlib->file_bits == zlib->window_bits)
2335 zlib->cksum = 1;
2336
2337 bIn = (png_byte)b2;
2338 }
2339 }
2340
2341 zlib->header[1] = bIn;
2342 zlib->state = state = 2;
2343 break;
2344
2345 default: /* After the header bytes */
2346 break;
2347 }
2348
2349 /* For some streams, perhaps only those compressed with 'superfast
2350 * compression' (which results in a lot of copying) Z_BUF_ERROR can happen
2351 * immediately after all output has been flushed on the next input byte.
2352 * This is handled below when Z_BUF_ERROR is detected by adding an output
2353 * byte.
2354 */
2355 zlib->z.next_in = &bIn;
2356 zlib->z.avail_in = 1;
2357 zlib->z.next_out = &bOut;
2358 zlib->z.avail_out = 0; /* Initially */
2359
2360 /* Initially use Z_NO_FLUSH in an attempt to persuade zlib to look at this
2361 * byte without confusing what is going on with output.
2362 */
2363 flush = Z_NO_FLUSH;
2364 out_bytes = 0;
2365
2366 /* NOTE: expression 3 is only evaluated on 'continue', because of the
2367 * 'break' at the end of this loop below.
2368 */
2369 for (;endrc == ZLIB_OK;
2370 flush = Z_SYNC_FLUSH,
2371 zlib->z.next_out = &bOut,
2372 zlib->z.avail_out = 1,
2373 ++out_bytes)
2374 {
2375 zlib->rc = inflate(&zlib->z, flush);
2376 out_bytes -= zlib->z.avail_out;
2377
2378 switch (zlib->rc)
2379 {
2380 case Z_BUF_ERROR:
2381 if (zlib->z.avail_out == 0)
2382 continue; /* Try another output byte. */
2383
2384 if (zlib->z.avail_in == 0)
2385 break; /* Try another input byte */
2386
2387 /* Both avail_out and avail_in are 1 yet zlib returned a code
2388 * indicating no progress was possible. This is unexpected.
2389 */
2390 zlib_message(zlib, 1/*unexpected*/);
2391 endrc = ZLIB_FATAL; /* stop processing */
2392 break;
2393
2394 case Z_OK:
2395 /* Zlib is supposed to have made progress: */
2396 assert(zlib->z.avail_out == 0 || zlib->z.avail_in == 0);
2397 continue;
2398
2399 case Z_STREAM_END:
2400 /* This is the successful end. */
2401 zlib->state = 3; /* end of stream */
2402 endrc = ZLIB_STREAM_END;
2403 break;
2404
2405 case Z_NEED_DICT:
2406 zlib_message(zlib, 0/*stream error*/);
2407 endrc = ZLIB_FATAL;
2408 break;
2409
2410 case Z_DATA_ERROR:
2411 /* The too far back error can be corrected, others cannot: */
2412 if (zlib->z.msg != NULL &&
2413 strcmp(zlib->z.msg, "invalid distance too far back") == 0)
2414 {
2415 endrc = ZLIB_TOO_FAR_BACK;
2416 break;
2417 }
2418 /* FALLTHROUGH */
2419
2420 default:
2421 zlib_message(zlib, 0/*stream error*/);
2422 endrc = ZLIB_FATAL;
2423 break;
2424 } /* switch (inflate rc) */
2425
2426 /* Control gets here when further output is not possible; endrc may
2427 * still be ZLIB_OK if more input is required.
2428 */
2429 break;
2430 } /* for (output bytes) */
2431
2432 /* Keep a running count of output byte produced: */
2433 zlib->uncompressed_digits = uarb_add32(zlib->uncompressed_bytes,
2434 zlib->uncompressed_digits, out_bytes);
2435
2436 /* Keep going, the loop will terminate when endrc is no longer set to
2437 * ZLIB_OK or all the input bytes have been consumed; meanwhile keep
2438 * adding input bytes.
2439 */
2440 assert(zlib->z.avail_in == 0 || endrc != ZLIB_OK);
2441
2442 in_bytes += 1 - zlib->z.avail_in;
2443 } /* while (input bytes) */
2444
2445 assert(in_bytes == nbytes || endrc != ZLIB_OK);
2446
2447 /* Update the running total of input bytes consumed */
2448 zlib->compressed_digits = uarb_add32(zlib->compressed_bytes,
2449 zlib->compressed_digits, in_bytes - zlib->z.avail_in);
2450
2451 /* At the end of the stream update the chunk with the accumulated
2452 * information if it is an improvement:
2453 */
2454 if (endrc == ZLIB_STREAM_END && zlib->window_bits < zlib->ok_bits)
2455 {
2456 struct chunk *chunk = zlib->chunk;
2457
2458 chunk->uncompressed_digits = uarb_copy(chunk->uncompressed_bytes,
2459 zlib->uncompressed_bytes, zlib->uncompressed_digits);
2460 chunk->compressed_digits = uarb_copy(chunk->compressed_bytes,
2461 zlib->compressed_bytes, zlib->compressed_digits);
2462 chunk->rewrite_buffer[0] = zlib->header[0];
2463 chunk->rewrite_buffer[1] = zlib->header[1];
2464
2465 if (zlib->window_bits != zlib->file_bits || zlib->cksum)
2466 {
2467 /* A rewrite is required */
2468 chunk->rewrite_offset = zlib->rewrite_offset;
2469 chunk->rewrite_length = 2;
2470 }
2471
2472 else
2473 {
2474 chunk->rewrite_offset = 0;
2475 chunk->rewrite_length = 0;
2476 }
2477
2478 if (in_bytes < nbytes)
2479 chunk_message(chunk, "extra compressed data");
2480
2481 zlib->extra_bytes = nbytes - in_bytes;
2482 zlib->ok_bits = zlib->window_bits;
2483 }
2484
2485 return endrc;
2486}
2487
2488static int
2489zlib_run(struct zlib *zlib)
2490 /* Like zlib_advance but also handles a stream of IDAT chunks. */
2491{
2492 /* The 'extra_bytes' field is set by zlib_advance if there is extra
2493 * compressed data in the chunk it handles (if it sees Z_STREAM_END before
2494 * all the input data has been used.) This function uses the value to update
2495 * the correct chunk length, so the problem should only ever be detected once
2496 * for each chunk. zlib_advance outputs the error message, though see the
2497 * IDAT specific check below.
2498 */
2499 zlib->extra_bytes = 0;
2500
2501 if (zlib->idat != NULL)
2502 {
2503 struct IDAT_list *list = zlib->idat->idat_list_head;
2504 struct IDAT_list *last = zlib->idat->idat_list_tail;
2505 int skip = 0;
2506
2507 /* 'rewrite_offset' is the offset of the LZ data within the chunk, for
2508 * IDAT it should be 0:
2509 */
2510 assert(zlib->rewrite_offset == 0);
2511
2512 /* Process each IDAT_list in turn; the caller has left the stream
2513 * positioned at the start of the first IDAT chunk data.
2514 */
2515 for (;;)
2516 {
2517 unsigned int count = list->count;
2518 unsigned int i;
2519
2520 for (i = 0; i<count; ++i)
2521 {
2522 int rc;
2523
2524 if (skip > 0) /* Skip CRC and next IDAT header */
2525 skip_12(zlib->file);
2526
2527 skip = 12; /* for the next time */
2528
2529 rc = zlib_advance(zlib, list->lengths[i]);
2530
2531 switch (rc)
2532 {
2533 case ZLIB_OK: /* keep going */
2534 break;
2535
2536 case ZLIB_STREAM_END: /* stop */
2537 /* There may be extra chunks; if there are and one of them is
2538 * not zero length output the 'extra data' message. Only do
2539 * this check if errors are being output.
2540 */
2541 if (zlib->global->errors && zlib->extra_bytes == 0)
2542 {
2543 struct IDAT_list *check = list;
2544 int j = i+1, jcount = count;
2545
2546 for (;;)
2547 {
2548 for (; j<jcount; ++j)
2549 if (check->lengths[j] > 0)
2550 {
2551 chunk_message(zlib->chunk,
2552 "extra compressed data");
2553 goto end_check;
2554 }
2555
2556 if (check == last)
2557 break;
2558
2559 check = check->next;
2560 jcount = check->count;
2561 j = 0;
2562 }
2563 }
2564
2565 end_check:
2566 /* Terminate the list at the current position, reducing the
2567 * length of the last IDAT too if required.
2568 */
2569 list->lengths[i] -= zlib->extra_bytes;
2570 list->count = i+1;
2571 zlib->idat->idat_list_tail = list;
2572 /* FALLTHROUGH */
2573
2574 default:
2575 return rc;
2576 }
2577 }
2578
2579 /* At the end of the compressed data and Z_STREAM_END was not seen. */
2580 if (list == last)
2581 return ZLIB_OK;
2582
2583 list = list->next;
2584 }
2585 }
2586
2587 else
2588 {
2589 struct chunk *chunk = zlib->chunk;
2590 int rc;
2591
2592 assert(zlib->rewrite_offset < chunk->chunk_length);
2593
2594 rc = zlib_advance(zlib, chunk->chunk_length - zlib->rewrite_offset);
2595
2596 /* The extra bytes in the chunk are handled now by adjusting the chunk
2597 * length to exclude them; the zlib data is always stored at the end of
2598 * the PNG chunk (although clearly this is not necessary.) zlib_advance
2599 * has already output a warning message.
2600 */
2601 chunk->chunk_length -= zlib->extra_bytes;
2602 return rc;
2603 }
2604}
2605
2606static int /* global function; not a member function */
2607zlib_check(struct file *file, png_uint_32 offset)
2608 /* Check the stream of zlib compressed data in either idat (if given) or (if
2609 * not) chunk. In fact it is zlib_run that handles the difference in reading
2610 * a single chunk and a list of IDAT chunks.
2611 *
2612 * In either case the input file must be positioned at the first byte of zlib
2613 * compressed data (the first header byte).
2614 *
2615 * The return value is true on success, including the case where the zlib
2616 * header may need to be rewritten, and false on an unrecoverable error.
2617 *
2618 * In the case of IDAT chunks 'offset' should be 0.
2619 */
2620{
2621 fpos_t start_pos;
2622 struct zlib zlib;
2623
2624 /* Record the start of the LZ data to allow a re-read. */
2625 file_getpos(file, &start_pos);
2626
2627 /* First test the existing (file) window bits: */
2628 if (zlib_init(&zlib, file->idat, file->chunk, 0/*window bits*/, offset))
2629 {
2630 int min_bits, max_bits, rc;
2631
2632 /* The first run using the existing window bits. */
2633 rc = zlib_run(&zlib);
2634
2635 switch (rc)
2636 {
2637 case ZLIB_TOO_FAR_BACK:
2638 /* too far back error */
2639 file->status_code |= TOO_FAR_BACK;
2640 min_bits = zlib.window_bits + 1;
2641 max_bits = 15;
2642 break;
2643
2644 case ZLIB_STREAM_END:
2645 if (!zlib.global->optimize_zlib &&
2646 zlib.window_bits == zlib.file_bits && !zlib.cksum)
2647 {
2648 /* The trivial case where the stream is ok and optimization was
2649 * not requested.
2650 */
2651 zlib_end(&zlib);
2652 return 1;
2653 }
2654
2655 max_bits = max_window_bits(zlib.uncompressed_bytes,
2656 zlib.uncompressed_digits);
2657 if (zlib.ok_bits < max_bits)
2658 max_bits = zlib.ok_bits;
2659 min_bits = 8;
2660
2661 /* cksum is set if there is an error in the zlib header checksum
2662 * calculation in the original file (and this may be the only reason
2663 * a rewrite is required). We can't rely on the file window bits in
2664 * this case, so do the optimization anyway.
2665 */
2666 if (zlib.cksum)
2667 chunk_message(zlib.chunk, "zlib checksum");
2668 break;
2669
2670
2671 case ZLIB_OK:
2672 /* Truncated stream; unrecoverable, gets converted to ZLIB_FATAL */
2673 zlib.z.msg = PNGZ_MSG_CAST("[truncated]");
2674 zlib_message(&zlib, 0/*expected*/);
2675 /* FALLTHROUGH */
2676
2677 default:
2678 /* Unrecoverable error; skip the chunk; a zlib_message has already
2679 * been output.
2680 */
2681 zlib_end(&zlib);
2682 return 0;
2683 }
2684
2685 /* Optimize window bits or fix a too-far-back error. min_bits and
2686 * max_bits have been set appropriately, ok_bits records the bit value
2687 * known to work.
2688 */
2689 while (min_bits < max_bits || max_bits < zlib.ok_bits/*if 16*/)
2690 {
2691 int test_bits = (min_bits + max_bits) >> 1;
2692
2693 if (zlib_reset(&zlib, test_bits))
2694 {
2695 file_setpos(file, &start_pos);
2696 rc = zlib_run(&zlib);
2697
2698 switch (rc)
2699 {
2700 case ZLIB_TOO_FAR_BACK:
2701 min_bits = test_bits+1;
2702 if (min_bits > max_bits)
2703 {
2704 /* This happens when the stream really is damaged and it
2705 * contains a distance code that addresses bytes before
2706 * the start of the uncompressed data.
2707 */
2708 assert(test_bits == 15);
2709
2710 /* Output the error that wasn't output before: */
2711 if (zlib.z.msg == NULL)
2712 zlib.z.msg = PNGZ_MSG_CAST(
2713 "invalid distance too far back");
2714 zlib_message(&zlib, 0/*stream error*/);
2715 zlib_end(&zlib);
2716 return 0;
2717 }
2718 break;
2719
2720 case ZLIB_STREAM_END: /* success */
2721 max_bits = test_bits;
2722 break;
2723
2724 default:
2725 /* A fatal error; this happens if a too-far-back error was
2726 * hiding a more serious error, zlib_advance has already
2727 * output a zlib_message.
2728 */
2729 zlib_end(&zlib);
2730 return 0;
2731 }
2732 }
2733
2734 else /* inflateReset2 failed */
2735 {
2736 zlib_end(&zlib);
2737 return 0;
2738 }
2739 }
2740
2741 /* The loop guarantees this */
2742 assert(zlib.ok_bits == max_bits);
2743 zlib_end(&zlib);
2744 return 1;
2745 }
2746
2747 else /* zlib initialization failed - skip the chunk */
2748 {
2749 zlib_end(&zlib);
2750 return 0;
2751 }
2752}
2753
2754/***************************** LIBPNG CALLBACKS *******************************/
2755/* The strategy here is to run a regular libpng PNG file read but examine the
2756 * input data (from the file) before passing it to libpng so as to be aware of
2757 * the state we expect libpng to be in. Warning and error callbacks are also
2758 * intercepted so that they can be quieted and interpreted. Interpretation
2759 * depends on a somewhat risky string match for known error messages; let us
2760 * hope that this can be fixed in the next version of libpng.
2761 *
2762 * The control structure is pointed to by the libpng error pointer. It contains
2763 * that set of structures which must persist across multiple read callbacks,
2764 * which is pretty much everything except the 'zlib' control structure.
2765 *
2766 * The file structure is instantiated in the caller of the per-file routine, but
2767 * the per-file routine contains the chunk and IDAT control structures.
2768 */
2769/* The three routines read_chunk, process_chunk and sync_stream can only be
2770 * called via a call to read_chunk and only exit at a return from process_chunk.
2771 * These routines could have been written as one confusing large routine,
2772 * instead this code relies on the compiler to do tail call elimination. The
2773 * possible calls are as follows:
2774 *
2775 * read_chunk
2776 * -> sync_stream
2777 * -> process_chunk
2778 * -> process_chunk
2779 * -> read_chunk
2780 * returns
2781 */
2782static void read_chunk(struct file *file);
2783static void
2784process_chunk(struct file *file, png_uint_32 file_crc, png_uint_32 next_length,
2785 png_uint_32 next_type)
2786 /* Called when the chunk data has been read, next_length and next_type
2787 * will be set for the next chunk (or 0 if this is IEND).
2788 *
2789 * When this routine returns, chunk_length and chunk_type will be set for the
2790 * next chunk to write because if a chunk is skipped this return calls back
2791 * to read_chunk.
2792 */
2793{
2794 png_uint_32 type = file->type;
2795
2796 if (file->global->verbose > 1)
2797 {
2798 fputs(" ", stderr);
2799 type_name(file->type, stderr);
2800 fprintf(stderr, " %lu 0x%.8x 0x%.8x\n", (unsigned long)file->length,
2801 file->crc ^ 0xffffffff, file_crc);
2802 }
2803
2804 /* The basic structure seems correct but the CRC may not match, in this
2805 * case assume that it is simply a bad CRC, either wrongly calculated or
2806 * because of damaged stream data.
2807 */
2808 if ((file->crc ^ 0xffffffff) != file_crc)
2809 {
2810 /* The behavior is set by the 'skip' setting; if it is anything other
2811 * than SKIP_BAD_CRC ignore the bad CRC and return the chunk, with a
2812 * corrected CRC and possibly processed, to libpng. Otherwise skip the
2813 * chunk, which will result in a fatal error if the chunk is critical.
2814 */
2815 file->status_code |= CRC_ERROR;
2816
2817 /* Ignore the bad CRC */
2818 if (file->global->skip != SKIP_BAD_CRC)
2819 type_message(file, type, "bad CRC");
2820
2821 /* This will cause an IEND with a bad CRC to stop */
2822 else if (CRITICAL(type))
2823 stop(file, READ_ERROR_CODE, "bad CRC in critical chunk");
2824
2825 else
2826 {
2827 type_message(file, type, "skipped: bad CRC");
2828
2829 /* NOTE: this cannot be reached for IEND because it is critical. */
2830 goto skip_chunk;
2831 }
2832 }
2833
2834 /* Check for other 'skip' cases and handle these; these only apply to
2835 * ancillary chunks (and not tRNS, which should probably have been a critical
2836 * chunk.)
2837 */
2838 if (skip_chunk_type(file->global, type))
2839 goto skip_chunk;
2840
2841 /* The chunk may still be skipped if problems are detected in the LZ data,
2842 * however the LZ data check requires a chunk. Handle this by instantiating
2843 * a chunk unless an IDAT is already instantiated (IDAT control structures
2844 * instantiate their own chunk.)
2845 */
2846 if (type != png_IDAT)
2847 file->alloc(file, 0/*chunk*/);
2848
2849 else if (file->idat == NULL)
2850 file->alloc(file, 1/*IDAT*/);
2851
2852 else
2853 {
2854 /* The chunk length must be updated for process_IDAT */
2855 assert(file->chunk != NULL);
2856 assert(file->chunk->chunk_type == png_IDAT);
2857 file->chunk->chunk_length = file->length;
2858 }
2859
2860 /* Record the 'next' information too, now that the original values for
2861 * this chunk have been copied. Notice that the IDAT chunks only make a
2862 * copy of the position of the first chunk, this is fine - process_IDAT does
2863 * not need the position of this chunk.
2864 */
2865 file->length = next_length;
2866 file->type = next_type;
2867 getpos(file);
2868
2869 /* Do per-type processing, note that if this code does not return from the
2870 * function the chunk will be skipped. The rewrite is cancelled here so that
2871 * it can be set in the per-chunk processing.
2872 */
2873 file->chunk->rewrite_length = 0;
2874 file->chunk->rewrite_offset = 0;
2875 switch (type)
2876 {
2877 default:
2878 return;
2879
2880 case png_IHDR:
2881 /* Read this now and update the control structure with the information
2882 * it contains. The header is validated completely to ensure this is a
2883 * PNG.
2884 */
2885 {
2886 struct chunk *chunk = file->chunk;
2887
2888 if (chunk->chunk_length != 13)
2889 stop_invalid(file, "IHDR length");
2890
2891 /* Read all the IHDR information and validate it. */
2892 setpos(chunk);
2893 file->width = reread_4(file);
2894 file->height = reread_4(file);
2895 file->bit_depth = reread_byte(file);
2896 file->color_type = reread_byte(file);
2897 file->compression_method = reread_byte(file);
2898 file->filter_method = reread_byte(file);
2899 file->interlace_method = reread_byte(file);
2900
2901 /* This validates all the fields, and calls stop_invalid if
2902 * there is a problem.
2903 */
2904 calc_image_size(file);
2905 }
2906 return;
2907
2908 /* Ancillary chunks that require further processing: */
2909 case png_zTXt: case png_iCCP:
2910 if (process_zTXt_iCCP(file))
2911 return;
2912 chunk_end(&file->chunk);
2913 file_setpos(file, &file->data_pos);
2914 break;
2915
2916 case png_iTXt:
2917 if (process_iTXt(file))
2918 return;
2919 chunk_end(&file->chunk);
2920 file_setpos(file, &file->data_pos);
2921 break;
2922
2923 case png_IDAT:
2924 if (process_IDAT(file))
2925 return;
2926 /* First pass: */
2927 assert(next_type == png_IDAT);
2928 break;
2929 }
2930
2931 /* Control reaches this point if the chunk must be skipped. For chunks other
2932 * than IDAT this means that the zlib compressed data is fatally damanged and
2933 * the chunk will not be passed to libpng. For IDAT it means that the end of
2934 * the IDAT stream has not yet been reached and we must handle the next
2935 * (IDAT) chunk. If the LZ data in an IDAT stream cannot be read 'stop' must
2936 * be used to halt parsing of the PNG.
2937 */
2938 read_chunk(file);
2939 return;
2940
2941 /* This is the generic code to skip the current chunk; simply jump to the
2942 * next one.
2943 */
2944skip_chunk:
2945 file->length = next_length;
2946 file->type = next_type;
2947 getpos(file);
2948 read_chunk(file);
2949}
2950
2951static png_uint_32
2952get32(png_bytep buffer, int offset)
2953 /* Read a 32-bit value from an 8-byte circular buffer (used only below).
2954 */
2955{
2956 return
2957 (buffer[ offset & 7] << 24) +
2958 (buffer[(offset+1) & 7] << 16) +
2959 (buffer[(offset+2) & 7] << 8) +
2960 (buffer[(offset+3) & 7] );
2961}
2962
2963static void
2964sync_stream(struct file *file)
2965 /* The stream seems to be messed up, attempt to resync from the current chunk
2966 * header. Executes stop on a fatal error, otherwise calls process_chunk.
2967 */
2968{
2969 png_uint_32 file_crc;
2970
2971 file->status_code |= STREAM_ERROR;
2972
2973 if (file->global->verbose)
2974 {
2975 fputs(" SYNC ", stderr);
2976 type_name(file->type, stderr);
2977 putc('\n', stderr);
2978 }
2979
2980 /* Return to the start of the chunk data */
2981 file_setpos(file, &file->data_pos);
2982 file->read_count = 8;
2983
2984 if (read_4(file, &file_crc) == 4) /* else completely truncated */
2985 {
2986 /* Ignore the recorded chunk length, proceed through the data looking for
2987 * a leading sequence of bytes that match the CRC in the following four
2988 * bytes. Each time a match is found check the next 8 bytes for a valid
2989 * length, chunk-type pair.
2990 */
2991 png_uint_32 length;
2992 png_uint_32 type = file->type;
2993 png_uint_32 crc = crc_init_4(type);
2994 png_byte buffer[8];
2995 unsigned int nread = 0, nused = 0;
2996
2997 for (length=0; length <= 0x7fffffff; ++length)
2998 {
2999 int ch;
3000
3001 if ((crc ^ 0xffffffff) == file_crc)
3002 {
3003 /* A match on the CRC; for IEND this is sufficient, but for anything
3004 * else expect a following chunk header.
3005 */
3006 if (type == png_IEND)
3007 {
3008 file->length = length;
3009 process_chunk(file, file_crc, 0, 0);
3010 return;
3011 }
3012
3013 else
3014 {
3015 /* Need 8 bytes */
3016 while (nread < 8+nused)
3017 {
3018 ch = read_byte(file);
3019 if (ch == EOF)
3020 goto truncated;
3021 buffer[(nread++) & 7] = (png_byte)ch;
3022 }
3023
3024 /* Prevent overflow */
3025 nread -= nused & ~7;
3026 nused -= nused & ~7; /* or, nused &= 7 ;-) */
3027
3028 /* Examine the 8 bytes for a valid chunk header. */
3029 {
3030 png_uint_32 next_length = get32(buffer, nused);
3031
3032 if (next_length < 0x7fffffff)
3033 {
3034 png_uint_32 next_type = get32(buffer, nused+4);
3035
3036 if (chunk_type_valid(next_type))
3037 {
3038 file->read_count -= 8;
3039 process_chunk(file, file_crc, next_length, next_type);
3040 return;
3041 }
3042 }
3043
3044 /* Not valid, keep going. */
3045 }
3046 }
3047 }
3048
3049 /* This catches up with the circular buffer which gets filled above
3050 * while checking a chunk header. This code is slightly tricky - if
3051 * the chunk_type is IEND the buffer will never be used, if it is not
3052 * the code will always read ahead exactly 8 bytes and pass this on to
3053 * process_chunk. So the invariant that IEND leaves the file position
3054 * after the IEND CRC and other chunk leave it after the *next* chunk
3055 * header is not broken.
3056 */
3057 if (nread <= nused)
3058 {
3059 ch = read_byte(file);
3060
3061 if (ch == EOF)
3062 goto truncated;
3063 }
3064
3065 else
3066 ch = buffer[(++nused) & 7];
3067
3068 crc = crc_one_byte(crc, file_crc >> 24);
3069 file_crc = (file_crc << 8) + ch;
3070 }
3071
3072 /* Control gets to here if when 0x7fffffff bytes (plus 8) have been read,
3073 * ok, treat this as a damaged stream too:
3074 */
3075 }
3076
3077truncated:
3078 stop(file, READ_ERROR_CODE, "damaged PNG stream");
3079}
3080
3081static void
3082read_chunk(struct file *file)
3083 /* On entry file::data_pos must be set to the position of the first byte
3084 * of the chunk data *and* the input file must be at this position. This
3085 * routine (via process_chunk) instantiates a chunk or IDAT control structure
3086 * based on file::length and file::type and also resets these fields and
3087 * file::data_pos for the chunk after this one. For an IDAT chunk the whole
3088 * stream of IDATs will be read, until something other than an IDAT is
3089 * encountered, and the file fields will be set for the chunk after the end
3090 * of the stream of IDATs.
3091 *
3092 * For IEND the file::type field will be set to 0, and nothing beyond the end
3093 * of the IEND chunk will have been read.
3094 */
3095{
3096 png_uint_32 length = file->length;
3097 png_uint_32 type = file->type;
3098
3099 /* After IEND file::type is set to 0, if libpng attempts to read
3100 * more data at this point this is a bug in libpng.
3101 */
3102 if (type == 0)
3103 stop(file, UNEXPECTED_ERROR_CODE, "read beyond IEND");
3104
3105 if (file->global->verbose > 2)
3106 {
3107 fputs(" ", stderr);
3108 type_name(type, stderr);
3109 fprintf(stderr, " %lu\n", (unsigned long)length);
3110 }
3111
3112 /* Start the read_crc calculation with the chunk type, then read to the end
3113 * of the chunk data (without processing it in any way) to check that it is
3114 * all there and calculate the CRC.
3115 */
3116 file->crc = crc_init_4(type);
3117 if (crc_read_many(file, length)) /* else it was truncated */
3118 {
3119 png_uint_32 file_crc; /* CRC read from file */
3120 unsigned int nread = read_4(file, &file_crc);
3121
3122 if (nread == 4)
3123 {
3124 if (type != png_IEND) /* do not read beyond IEND */
3125 {
3126 png_uint_32 next_length;
3127
3128 nread += read_4(file, &next_length);
3129 if (nread == 8 && next_length <= 0x7fffffff)
3130 {
3131 png_uint_32 next_type;
3132
3133 nread += read_4(file, &next_type);
3134
3135 if (nread == 12 && chunk_type_valid(next_type))
3136 {
3137 /* Adjust the read count back to the correct value for this
3138 * chunk.
3139 */
3140 file->read_count -= 8;
3141 process_chunk(file, file_crc, next_length, next_type);
3142 return;
3143 }
3144 }
3145 }
3146
3147 else /* IEND */
3148 {
3149 process_chunk(file, file_crc, 0, 0);
3150 return;
3151 }
3152 }
3153 }
3154
3155 /* Control gets to here if the stream seems invalid or damaged in some
3156 * way. Either there was a problem reading all the expected data (this
3157 * chunk's data, its CRC and the length and type of the next chunk) or the
3158 * next chunk length/type are invalid. Notice that the cases that end up
3159 * here all correspond to cases that would otherwise terminate the read of
3160 * the PNG file.
3161 */
3162 sync_stream(file);
3163}
3164
3165/* This returns a file* from a png_struct in an implementation specific way. */
3166static struct file *get_control(png_const_structrp png_ptr);
3167
3168static void PNGCBAPI
3169error_handler(png_structp png_ptr, png_const_charp message)
3170{
3171 stop(get_control(png_ptr), LIBPNG_ERROR_CODE, message);
3172}
3173
3174static void PNGCBAPI
3175warning_handler(png_structp png_ptr, png_const_charp message)
3176{
3177 struct file *file = get_control(png_ptr);
3178
3179 if (file->global->warnings)
3180 emit_error(file, LIBPNG_WARNING_CODE, message);
3181}
3182
3183/* Read callback - this is where the work gets done to check the stream before
3184 * passing it to libpng
3185 */
3186static void PNGCBAPI
3187read_callback(png_structp png_ptr, png_bytep buffer, size_t count)
3188 /* Return 'count' bytes to libpng in 'buffer' */
3189{
3190 struct file *file = get_control(png_ptr);
3191 png_uint_32 type, length; /* For the chunk be *WRITTEN* */
3192 struct chunk *chunk;
3193
3194 /* libpng should always ask for at least one byte */
3195 if (count == 0)
3196 stop(file, UNEXPECTED_ERROR_CODE, "read callback for 0 bytes");
3197
3198 /* The callback always reads ahead by 8 bytes - the signature or chunk header
3199 * - these bytes are stored in chunk_length and chunk_type. This block is
3200 * executed once for the signature and once for the first chunk right at the
3201 * start.
3202 */
3203 if (file->read_count < 8)
3204 {
3205 assert(file->read_count == 0);
3206 assert((file->status_code & TRUNCATED) == 0);
3207
3208 (void)read_4(file, &file->length);
3209
3210 if (file->read_count == 4)
3211 (void)read_4(file, &file->type);
3212
3213 if (file->read_count < 8)
3214 {
3215 assert((file->status_code & TRUNCATED) != 0);
3216 stop(file, READ_ERROR_CODE, "not a PNG (too short)");
3217 }
3218
3219 if (file->state == STATE_SIGNATURE)
3220 {
3221 if (file->length != sig1 || file->type != sig2)
3222 stop(file, LIBPNG_ERROR_CODE, "not a PNG (signature)");
3223
3224 /* Else write it (this is the initialization of write_count, prior to
3225 * this it contains CLEAR garbage.)
3226 */
3227 file->write_count = 0;
3228 }
3229
3230 else
3231 {
3232 assert(file->state == STATE_CHUNKS);
3233
3234 /* The first chunk must be a well formed IHDR (this could be relaxed to
3235 * use the checks in process_chunk, but that seems unnecessary.)
3236 */
3237 if (file->length != 13 || file->type != png_IHDR)
3238 stop(file, LIBPNG_ERROR_CODE, "not a PNG (IHDR)");
3239
3240 /* The position of the data must be stored too */
3241 getpos(file);
3242 }
3243 }
3244
3245 /* Retrieve previous state (because the read callbacks are made pretty much
3246 * byte-by-byte in the sequential reader prior to 1.7).
3247 */
3248 chunk = file->chunk;
3249
3250 if (chunk != NULL)
3251 {
3252 length = chunk->chunk_length;
3253 type = chunk->chunk_type;
3254 }
3255
3256 else
3257 {
3258 /* This is the signature case; for IDAT and other chunks these values will
3259 * be overwritten when read_chunk is called below.
3260 */
3261 length = file->length;
3262 type = file->type;
3263 }
3264
3265 do
3266 {
3267 png_uint_32 b;
3268
3269 /* Complete the read of a chunk; as a side effect this also instantiates
3270 * a chunk control structure and sets the file length/type/data_pos fields
3271 * for the *NEXT* chunk header.
3272 *
3273 * NOTE: at an IDAT any following IDAT chunks will also be read and the
3274 * next_ fields will refer to the chunk after the last IDAT.
3275 *
3276 * NOTE: read_chunk only returns when it has read a chunk that must now be
3277 * written.
3278 */
3279 if (file->state != STATE_SIGNATURE && chunk == NULL)
3280 {
3281 assert(file->read_count == 8);
3282 assert(file->idat == NULL);
3283 read_chunk(file);
3284 chunk = file->chunk;
3285 assert(chunk != NULL);
3286
3287 /* Do the initialization that was not done before. */
3288 length = chunk->chunk_length;
3289 type = chunk->chunk_type;
3290
3291 /* And start writing the new chunk. */
3292 file->write_count = 0;
3293 }
3294
3295 /* The chunk_ fields describe a chunk that must be written, or hold the
3296 * signature. Write the header first. In the signature case this
3297 * rewrites the signature.
3298 */
3299 switch (file->write_count)
3300 {
3301 case 0: b = length >> 24; break;
3302 case 1: b = length >> 16; break;
3303 case 2: b = length >> 8; break;
3304 case 3: b = length ; break;
3305
3306 case 4: b = type >> 24; break;
3307 case 5: b = type >> 16; break;
3308 case 6: b = type >> 8; break;
3309 case 7: b = type ; break;
3310
3311 case 8:
3312 /* The header has been written. If this is really the signature
3313 * that's all that is required and we can go to normal chunk
3314 * processing.
3315 */
3316 if (file->state == STATE_SIGNATURE)
3317 {
3318 /* The signature has been written, the tail call to read_callback
3319 * below (it's just a goto to the start with a decent compiler)
3320 * will read the IHDR header ahead and validate it.
3321 */
3322 assert(length == sig1 && type == sig2);
3323 file->read_count = 0; /* Forces a header read */
3324 file->state = STATE_CHUNKS; /* IHDR: checked above */
3325 read_callback(png_ptr, buffer, count);
3326 return;
3327 }
3328
3329 else
3330 {
3331 assert(chunk != NULL);
3332
3333 /* Set up for write, notice that repositioning the input stream
3334 * is only necessary if something is to be read from it. Also
3335 * notice that for the IDAT stream this must only happen once -
3336 * on the first IDAT - to get back to the start of the list and
3337 * this is done inside process_IDAT:
3338 */
3339 chunk->write_crc = crc_init_4(type);
3340 if (file->state != STATE_IDAT && length > 0)
3341 setpos(chunk);
3342 }
3343 /* FALLTHROUGH */
3344
3345 default:
3346 assert(chunk != NULL);
3347
3348 /* NOTE: the arithmetic below overflows and gives a large positive
3349 * png_uint_32 value until the whole chunk data has been written.
3350 */
3351 switch (file->write_count - length)
3352 {
3353 /* Write the chunk data, normally this just comes from
3354 * the file. The only exception is for that part of a
3355 * chunk which is zlib data and which must be rewritten,
3356 * and IDAT chunks which can be completely
3357 * reconstructed.
3358 */
3359 default:
3360 if (file->state == STATE_IDAT)
3361 {
3362 struct IDAT *idat = file->idat;
3363
3364 assert(idat != NULL);
3365
3366 /* Read an IDAT byte from the input stream of IDAT chunks.
3367 * Because the IDAT stream can be re-chunked this stream is
3368 * held in the struct IDAT members. The chunk members, in
3369 * particular chunk_length (and therefore the length local)
3370 * refer to the output chunk.
3371 */
3372 while (idat->idat_index >= idat->idat_length)
3373 {
3374 /* Advance one chunk */
3375 struct IDAT_list *cur = idat->idat_cur;
3376
3377 assert(idat->idat_index == idat->idat_length);
3378 assert(cur != NULL && cur->count > 0);
3379
3380 /* NOTE: IDAT_list::count here, not IDAT_list::length */
3381 if (++(idat->idat_count) >= cur->count)
3382 {
3383 assert(idat->idat_count == cur->count);
3384
3385 /* Move on to the next IDAT_list: */
3386 cur = cur->next;
3387
3388 /* This is an internal error - read beyond the end of
3389 * the pre-calculated stream.
3390 */
3391 if (cur == NULL || cur->count == 0)
3392 stop(file, UNEXPECTED_ERROR_CODE,
3393 "read beyond end of IDAT");
3394
3395 idat->idat_count = 0;
3396 idat->idat_cur = cur;
3397 }
3398
3399 idat->idat_index = 0;
3400 /* Zero length IDAT chunks are permitted, so the length
3401 * here may be 0.
3402 */
3403 idat->idat_length = cur->lengths[idat->idat_count];
3404
3405 /* And skip 12 bytes to the next chunk data */
3406 skip_12(file);
3407 }
3408
3409 /* The index is always that of the next byte, the rest of
3410 * the information is always the current IDAT chunk and the
3411 * current list.
3412 */
3413 ++(idat->idat_index);
3414 }
3415
3416 /* Read the byte from the stream. */
3417 b = reread_byte(file);
3418
3419 /* If the byte must be rewritten handle that here */
3420 if (chunk->rewrite_length > 0)
3421 {
3422 if (chunk->rewrite_offset > 0)
3423 --(chunk->rewrite_offset);
3424
3425 else
3426 {
3427 b = chunk->rewrite_buffer[0];
3428 memmove(chunk->rewrite_buffer, chunk->rewrite_buffer+1,
3429 (sizeof chunk->rewrite_buffer)-
3430 (sizeof chunk->rewrite_buffer[0]));
3431
3432 --(chunk->rewrite_length);
3433 }
3434 }
3435
3436 chunk->write_crc = crc_one_byte(chunk->write_crc, b);
3437 break;
3438
3439 /* The CRC is written at:
3440 *
3441 * chunk_write == chunk_length+8..chunk_length+11
3442 *
3443 * so 8 to 11. The CRC is not (yet) conditioned.
3444 */
3445 case 8: b = chunk->write_crc >> 24; goto write_crc;
3446 case 9: b = chunk->write_crc >> 16; goto write_crc;
3447 case 10: b = chunk->write_crc >> 8; goto write_crc;
3448 case 11:
3449 /* This must happen before the chunk_end below: */
3450 b = chunk->write_crc;
3451
3452 if (file->global->verbose > 2)
3453 {
3454 fputs(" ", stderr);
3455 type_name(type, stderr);
3456 fprintf(stderr, " %lu 0x%.8x\n", (unsigned long)length,
3457 chunk->write_crc ^ 0xffffffff);
3458 }
3459
3460 /* The IDAT stream is written without a call to read_chunk
3461 * until the end is reached. rechunk_length() calculates the
3462 * length of the output chunks. Control gets to this point at
3463 * the end of an *output* chunk - the length calculated by
3464 * rechunk_length. If this corresponds to the end of the
3465 * input stream stop writing IDAT chunks, otherwise continue.
3466 */
3467 if (file->state == STATE_IDAT &&
3468 (file->idat->idat_index < file->idat->idat_length ||
3469 1+file->idat->idat_count < file->idat->idat_cur->count ||
3470 file->idat->idat_cur != file->idat->idat_list_tail))
3471 {
3472 /* Write another IDAT chunk. Call rechunk_length to
3473 * calculate the length required.
3474 */
3475 length = chunk->chunk_length =
3476 rechunk_length(file->idat, 0/*end*/);
3477 assert(type == png_IDAT);
3478 file->write_count = 0; /* for the new chunk */
3479 --(file->write_count); /* fake out the increment below */
3480 }
3481
3482 else
3483 {
3484 /* Entered at the end of a non-IDAT chunk and at the end of
3485 * the IDAT stream. The rewrite should have been cleared.
3486 */
3487 if (chunk->rewrite_length > 0 || chunk->rewrite_offset > 0)
3488 stop(file, UNEXPECTED_ERROR_CODE, "pending rewrite");
3489
3490 /* This is the last byte so reset chunk_read for the next
3491 * chunk and move the input file to the position after the
3492 * *next* chunk header if required.
3493 */
3494 file->read_count = 8;
3495 file_setpos(file, &file->data_pos);
3496
3497 if (file->idat == NULL)
3498 chunk_end(&file->chunk);
3499
3500 else
3501 IDAT_end(&file->idat);
3502 }
3503
3504 write_crc:
3505 b ^= 0xff; /* conditioning */
3506 break;
3507 }
3508 break;
3509 }
3510
3511 /* Write one byte */
3512 b &= 0xff;
3513 *buffer++ = (png_byte)b;
3514 --count;
3515 write_byte(file, (png_byte)b); /* increments chunk_write */
3516 }
3517 while (count > 0);
3518}
3519
3520/* Bundle the file and an uninitialized chunk and IDAT control structure
3521 * together to allow implementation of the chunk/IDAT allocate routine.
3522 */
3523struct control
3524{
3525 struct file file;
3526 struct chunk chunk;
3527 struct IDAT idat;
3528};
3529
3530static int
3531control_end(struct control *control)
3532{
3533 return file_end(&control->file);
3534}
3535
3536static struct file *
3537get_control(png_const_structrp png_ptr)
3538{
3539 /* This just returns the (file*). The chunk and idat control structures
3540 * don't always exist.
3541 */
3542 struct control *control = voidcast(struct control*,
3543 png_get_error_ptr(png_ptr));
3544 return &control->file;
3545}
3546
3547static void
3548allocate(struct file *file, int allocate_idat)
3549{
3550 struct control *control = voidcast(struct control*, file->alloc_ptr);
3551
3552 if (allocate_idat)
3553 {
3554 assert(file->idat == NULL);
3555 IDAT_init(&control->idat, file);
3556 }
3557
3558 else /* chunk */
3559 {
3560 assert(file->chunk == NULL);
3561 chunk_init(&control->chunk, file);
3562 }
3563}
3564
3565static int
3566control_init(struct control *control, struct global *global,
3567 const char *file_name, const char *out_name)
3568 /* This wraps file_init(&control::file) and simply returns the result from
3569 * file_init.
3570 */
3571{
3572 return file_init(&control->file, global, file_name, out_name, control,
3573 allocate);
3574}
3575
3576static int
3577read_png(struct control *control)
3578 /* Read a PNG, return 0 on success else an error (status) code; a bit mask as
3579 * defined for file::status_code as above.
3580 */
3581{
3582 png_structp png_ptr;
3583 png_infop info_ptr = NULL;
3584 volatile int rc;
3585
3586 png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, control,
3587 error_handler, warning_handler);
3588
3589 if (png_ptr == NULL)
3590 {
3591 /* This is not really expected. */
3592 log_error(&control->file, LIBPNG_ERROR_CODE, "OOM allocating png_struct");
3593 control->file.status_code |= INTERNAL_ERROR;
3594 return LIBPNG_ERROR_CODE;
3595 }
3596
3597 rc = setjmp(control->file.jmpbuf);
3598 if (rc == 0)
3599 {
3600# ifdef PNG_SET_USER_LIMITS_SUPPORTED
3601 /* Remove any limits on the size of PNG files that can be read,
3602 * without this we may reject files based on built-in safety
3603 * limits.
3604 */
3605 png_set_user_limits(png_ptr, 0x7fffffff, 0x7fffffff);
3606 png_set_chunk_cache_max(png_ptr, 0);
3607 png_set_chunk_malloc_max(png_ptr, 0);
3608# endif
3609
3610 png_set_read_fn(png_ptr, control, read_callback);
3611
3612 info_ptr = png_create_info_struct(png_ptr);
3613 if (info_ptr == NULL)
3614 png_error(png_ptr, "OOM allocating info structure");
3615
3616 if (control->file.global->verbose)
3617 fprintf(stderr, " INFO\n");
3618
3619 png_read_info(png_ptr, info_ptr);
3620
3621 {
3622 png_uint_32 height = png_get_image_height(png_ptr, info_ptr);
3623 int passes = png_set_interlace_handling(png_ptr);
3624 int pass;
3625
3626 png_start_read_image(png_ptr);
3627
3628 for (pass = 0; pass < passes; ++pass)
3629 {
3630 png_uint_32 y = height;
3631
3632 /* NOTE: this skips asking libpng to return either version of
3633 * the image row, but libpng still reads the rows.
3634 */
3635 while (y-- > 0)
3636 png_read_row(png_ptr, NULL, NULL);
3637 }
3638 }
3639
3640 if (control->file.global->verbose)
3641 fprintf(stderr, " END\n");
3642
3643 /* Make sure to read to the end of the file: */
3644 png_read_end(png_ptr, info_ptr);
3645 }
3646
3647 png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
3648 return rc;
3649}
3650
3651static int
3652one_file(struct global *global, const char *file_name, const char *out_name)
3653{
3654 int rc;
3655 struct control control;
3656
3657 if (global->verbose)
3658 fprintf(stderr, "FILE %s -> %s\n", file_name,
3659 out_name ? out_name : "<none>");
3660
3661 /* Although control_init can return a failure code the structure is always
3662 * initialized, so control_end can be used to accumulate any status codes.
3663 */
3664 rc = control_init(&control, global, file_name, out_name);
3665
3666 if (rc == 0)
3667 rc = read_png(&control);
3668
3669 rc |= control_end(&control);
3670
3671 return rc;
3672}
3673
3674static void
3675usage(const char *prog)
3676{
3677 /* ANSI C-90 limits strings to 509 characters, so use a string array: */
3678 size_t i;
3679 static const char *usage_string[] = {
3680" Tests, optimizes and optionally fixes the zlib header in PNG files.",
3681" Optionally, when fixing, strips ancillary chunks from the file.",
36820,
3683"OPTIONS",
3684" OPERATION",
3685" By default files are just checked for readability with a summary of the",
3686" of zlib issues founds for each compressed chunk and the IDAT stream in",
3687" the file.",
3688" --optimize (-o):",
3689" Find the smallest deflate window size for the compressed data.",
3690" --strip=[none|crc|unsafe|unused|transform|color|all]:",
3691" none (default): Retain all chunks.",
3692" crc: Remove chunks with a bad CRC.",
3693" unsafe: Remove chunks that may be unsafe to retain if the image data",
3694" is modified. This is set automatically if --max is given but",
3695" may be cancelled by a later --strip=none.",
3696" unused: Remove chunks not used by libpng when decoding an image.",
3697" This retains any chunks that might be used by libpng image",
3698" transformations.",
3699" transform: unused+bKGD.",
3700" color: transform+iCCP and cHRM.",
3701" all: color+gAMA and sRGB.",
3702" Only ancillary chunks are ever removed. In addition the tRNS and sBIT",
3703" chunks are never removed as they affect exact interpretation of the",
3704" image pixel values. The following known chunks are treated specially",
3705" by the above options:",
3706" gAMA, sRGB [all]: These specify the gamma encoding used for the pixel",
3707" values.",
3708" cHRM, iCCP [color]: These specify how colors are encoded. iCCP also",
3709" specifies the exact encoding of a pixel value; however, in",
3710" practice most programs will ignore it.",
3711" bKGD [transform]: This is used by libpng transforms."
3712" --max=<number>:",
3713" Use IDAT chunks sized <number>. If no number is given the IDAT",
3714" chunks will be the maximum size permitted; 2^31-1 bytes. If the option",
3715" is omitted the original chunk sizes will not be changed. When the",
3716" option is given --strip=unsafe is set automatically. This may be",
3717" cancelled if you know that all unknown unsafe-to-copy chunks really are",
3718" safe to copy across an IDAT size change. This is true of all chunks",
3719" that have ever been formally proposed as PNG extensions.",
3720" MESSAGES",
3721" By default the program only outputs summaries for each file.",
3722" --quiet (-q):",
3723" Do not output the summaries except for files that cannot be read. With",
3724" two --quiets these are not output either.",
3725" --errors (-e):",
3726" Output errors from libpng and the program (except too-far-back).",
3727" --warnings (-w):",
3728" Output warnings from libpng.",
3729" OUTPUT",
3730" By default nothing is written.",
3731" --out=<file>:",
3732" Write the optimized/corrected version of the next PNG to <file>. This",
3733" overrides the following two options",
3734" --suffix=<suffix>:",
3735" Set --out=<name><suffix> for all following files unless overridden on",
3736" a per-file basis by explicit --out.",
3737" --prefix=<prefix>:",
3738" Set --out=<prefix><name> for all the following files unless overridden",
3739" on a per-file basis by explicit --out.",
3740" These two options can be used together to produce a suffix and prefix.",
3741" INTERNAL OPTIONS",
3742#if 0 /*NYI*/
3743#ifdef PNG_MAXIMUM_INFLATE_WINDOW
3744" --test:",
3745" Test the PNG_MAXIMUM_INFLATE_WINDOW option. Setting this disables",
3746" output as this would produce a broken file.",
3747#endif
3748#endif
37490,
3750"EXIT CODES",
3751" *** SUBJECT TO CHANGE ***",
3752" The program exit code is value in the range 0..127 holding a bit mask of",
3753" the following codes. Notice that the results for each file are combined",
3754" together - check one file at a time to get a meaningful error code!",
3755" 0x01: The zlib too-far-back error existed in at least one chunk.",
3756" 0x02: At least one chunk had a CRC error.",
3757" 0x04: A chunk length was incorrect.",
3758" 0x08: The file was truncated.",
3759" Errors less than 16 are potentially recoverable, for a single file if the",
3760" exit code is less than 16 the file could be read (with corrections if a",
3761" non-zero code is returned).",
3762" 0x10: The file could not be read, even with corrections.",
3763" 0x20: The output file could not be written.",
3764" 0x40: An unexpected, potentially internal, error occurred.",
3765" If the command line arguments are incorrect the program exits with exit",
3766" 255. Some older operating systems only support 7-bit exit codes, on those",
3767" systems it is suggested that this program is first tested by supplying",
3768" invalid arguments.",
37690,
3770"DESCRIPTION",
3771" " PROGRAM_NAME ":",
3772" checks each PNG file on the command line for errors. By default errors are",
3773" not output and the program just returns an exit code and prints a summary.",
3774" With the --quiet (-q) option the summaries are suppressed too and the",
3775" program only outputs unexpected errors (internal errors and file open",
3776" errors).",
3777" Various known problems in PNG files are fixed while the file is being read",
3778" The exit code says what problems were fixed. In particular the zlib error:",
37790,
3780" \"invalid distance too far back\"",
37810,
3782" caused by an incorrect optimization of a zlib stream is fixed in any",
3783" compressed chunk in which it is encountered. An integrity problem of the",
3784" PNG stream caused by a bug in libpng which wrote an incorrect chunk length",
3785" is also fixed. Chunk CRC errors are automatically fixed up.",
37860,
3787" Setting one of the \"OUTPUT\" options causes the possibly modified file to",
3788" be written to a new file.",
37890,
3790" Notice that some PNG files with the zlib optimization problem can still be",
3791" read by libpng under some circumstances. This program will still detect",
3792" and, if requested, correct the error.",
37930,
3794" The program will reliably process all files on the command line unless",
3795" either an invalid argument causes the usage message (this message) to be",
3796" produced or the program crashes.",
37970,
3798" The summary lines describe issues encountered with the zlib compressed",
3799" stream of a chunk. They have the following format, which is SUBJECT TO",
3800" CHANGE in the future:",
38010,
3802" chunk reason comp-level p1 p2 p3 p4 file",
38030,
3804" p1 through p4 vary according to the 'reason'. There are always 8 space",
3805" separated fields. Reasons specific formats are:",
38060,
3807" chunk ERR status code read-errno write-errno message file",
3808" chunk SKP comp-level file-bits zlib-rc compressed message file",
3809" chunk ??? comp-level file-bits ok-bits compressed uncompress file",
38100,
3811" The various fields are",
38120,
3813"$1 chunk: The chunk type of a chunk in the file or 'HEAD' if a problem",
3814" is reported by libpng at the start of the IDAT stream.",
3815"$2 reason: One of:",
3816" CHK: A zlib header checksum was detected and fixed.",
3817" TFB: The zlib too far back error was detected and fixed.",
3818" OK : No errors were detected in the zlib stream and optimization",
3819" was not requested, or was not possible.",
3820" OPT: The zlib stream window bits value could be improved (and was).",
3821" SKP: The chunk was skipped because of a zlib issue (zlib-rc) with",
3822" explanation 'message'",
3823" ERR: The read of the file was aborted. The parameters explain why.",
3824"$3 status: For 'ERR' the accumulated status code from 'EXIT CODES' above.",
3825" This is printed as a 2 digit hexadecimal value",
3826" comp-level: The recorded compression level (FLEVEL) of a zlib stream",
3827" expressed as a string {supfast,stdfast,default,maximum}",
3828"$4 code: The file exit code; where stop was called, as a fairly terse",
3829" string {warning,libpng,zlib,invalid,read,write,unexpected}.",
3830" file-bits: The zlib window bits recorded in the file.",
3831"$5 read-errno: A system errno value from a read translated by strerror(3).",
3832" zlib-rc: A zlib return code as a string (see zlib.h).",
3833" ok-bits: The smallest zlib window bits value that works.",
3834"$6 write-errno:A system errno value from a write translated by strerror(3).",
3835" compressed: The count of compressed bytes in the zlib stream, when the",
3836" reason is 'SKP'; this is a count of the bytes read from the",
3837" stream when the fatal error was encountered.",
3838"$7 message: An error message (spaces replaced by _, as in all parameters),",
3839" uncompress: The count of bytes from uncompressing the zlib stream; this",
3840" may not be the same as the number of bytes in the image.",
3841"$8 file: The name of the file (this may contain spaces).",
3842};
3843
3844 fprintf(stderr, "Usage: %s {[options] png-file}\n", prog);
3845
3846 for (i=0; i < (sizeof usage_string)/(sizeof usage_string[0]); ++i)
3847 {
3848 if (usage_string[i] != 0)
3849 fputs(usage_string[i], stderr);
3850
3851 fputc('\n', stderr);
3852 }
3853
3854 exit(255);
3855}
3856
3857int
3858main(int argc, const char **argv)
3859{
3860 char temp_name[FILENAME_MAX+1];
3861 const char * prog = *argv;
3862 const char * outfile = NULL;
3863 const char * suffix = NULL;
3864 const char * prefix = NULL;
3865 int done = 0; /* if at least one file is processed */
3866 struct global global;
3867
3868 global_init(&global);
3869
3870 while (--argc > 0)
3871 {
3872 ++argv;
3873
3874 if (strcmp(*argv, "--debug") == 0)
3875 {
3876 /* To help debugging problems: */
3877 global.errors = global.warnings = 1;
3878 global.quiet = 0;
3879 global.verbose = 7;
3880 }
3881
3882 else if (strncmp(*argv, "--max=", 6) == 0)
3883 {
3884 global.idat_max = (png_uint_32)atol(6+*argv);
3885
3886 if (global.skip < SKIP_UNSAFE)
3887 global.skip = SKIP_UNSAFE;
3888 }
3889
3890 else if (strcmp(*argv, "--max") == 0)
3891 {
3892 global.idat_max = 0x7fffffff;
3893
3894 if (global.skip < SKIP_UNSAFE)
3895 global.skip = SKIP_UNSAFE;
3896 }
3897
3898 else if (strcmp(*argv, "--optimize") == 0 || strcmp(*argv, "-o") == 0)
3899 global.optimize_zlib = 1;
3900
3901 else if (strncmp(*argv, "--out=", 6) == 0)
3902 outfile = 6+*argv;
3903
3904 else if (strncmp(*argv, "--suffix=", 9) == 0)
3905 suffix = 9+*argv;
3906
3907 else if (strncmp(*argv, "--prefix=", 9) == 0)
3908 prefix = 9+*argv;
3909
3910 else if (strcmp(*argv, "--strip=none") == 0)
3911 global.skip = SKIP_NONE;
3912
3913 else if (strcmp(*argv, "--strip=crc") == 0)
3914 global.skip = SKIP_BAD_CRC;
3915
3916 else if (strcmp(*argv, "--strip=unsafe") == 0)
3917 global.skip = SKIP_UNSAFE;
3918
3919 else if (strcmp(*argv, "--strip=unused") == 0)
3920 global.skip = SKIP_UNUSED;
3921
3922 else if (strcmp(*argv, "--strip=transform") == 0)
3923 global.skip = SKIP_TRANSFORM;
3924
3925 else if (strcmp(*argv, "--strip=color") == 0)
3926 global.skip = SKIP_COLOR;
3927
3928 else if (strcmp(*argv, "--strip=all") == 0)
3929 global.skip = SKIP_ALL;
3930
3931 else if (strcmp(*argv, "--errors") == 0 || strcmp(*argv, "-e") == 0)
3932 global.errors = 1;
3933
3934 else if (strcmp(*argv, "--warnings") == 0 || strcmp(*argv, "-w") == 0)
3935 global.warnings = 1;
3936
3937 else if (strcmp(*argv, "--quiet") == 0 || strcmp(*argv, "-q") == 0)
3938 {
3939 if (global.quiet)
3940 global.quiet = 2;
3941
3942 else
3943 global.quiet = 1;
3944 }
3945
3946 else if (strcmp(*argv, "--verbose") == 0 || strcmp(*argv, "-v") == 0)
3947 ++global.verbose;
3948
3949#if 0
3950 /* NYI */
3951# ifdef PNG_MAXIMUM_INFLATE_WINDOW
3952 else if (strcmp(*argv, "--test") == 0)
3953 ++set_option;
3954# endif
3955#endif
3956
3957 else if ((*argv)[0] == '-')
3958 usage(prog);
3959
3960 else
3961 {
3962 size_t outlen = strlen(*argv);
3963
3964 if (outfile == NULL) /* else this takes precedence */
3965 {
3966 /* Consider the prefix/suffix options */
3967 if (prefix != NULL)
3968 {
3969 size_t prefixlen = strlen(prefix);
3970
3971 if (prefixlen+outlen > FILENAME_MAX)
3972 {
3973 fprintf(stderr, "%s: output file name too long: %s%s%s\n",
3974 prog, prefix, *argv, suffix ? suffix : "");
3975 global.status_code |= WRITE_ERROR;
3976 continue;
3977 }
3978
3979 memcpy(temp_name, prefix, prefixlen);
3980 memcpy(temp_name+prefixlen, *argv, outlen);
3981 outlen += prefixlen;
3982 outfile = temp_name;
3983 }
3984
3985 else if (suffix != NULL)
3986 memcpy(temp_name, *argv, outlen);
3987
3988 temp_name[outlen] = 0;
3989
3990 if (suffix != NULL)
3991 {
3992 size_t suffixlen = strlen(suffix);
3993
3994 if (outlen+suffixlen > FILENAME_MAX)
3995 {
3996 fprintf(stderr, "%s: output file name too long: %s%s\n",
3997 prog, *argv, suffix);
3998 global.status_code |= WRITE_ERROR;
3999 continue;
4000 }
4001
4002 memcpy(temp_name+outlen, suffix, suffixlen);
4003 outlen += suffixlen;
4004 temp_name[outlen] = 0;
4005 outfile = temp_name;
4006 }
4007 }
4008
4009 (void)one_file(&global, *argv, outfile);
4010 ++done;
4011 outfile = NULL;
4012 }
4013 }
4014
4015 if (!done)
4016 usage(prog);
4017
4018 return global_end(&global);
4019}
4020
4021#else /* ZLIB_VERNUM < 0x1240 */
4022int
4023main(void)
4024{
4025 fprintf(stderr,
4026 "pngfix needs libpng with a zlib >=1.2.4 (not 0x%x)\n",
4027 ZLIB_VERNUM);
4028 return 77;
4029}
4030#endif /* ZLIB_VERNUM */
4031
4032#else /* No read support */
4033
4034int
4035main(void)
4036{
4037 fprintf(stderr, "pngfix does not work without read deinterlace support\n");
4038 return 77;
4039}
4040#endif /* PNG_READ_SUPPORTED && PNG_EASY_ACCESS_SUPPORTED */
4041#else /* No setjmp support */
4042int
4043main(void)
4044{
4045 fprintf(stderr, "pngfix does not work without setjmp support\n");
4046 return 77;
4047}
4048#endif /* PNG_SETJMP_SUPPORTED */
4049
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette