VirtualBox

source: vbox/trunk/src/libs/libpng-1.6.43/png.c@ 106945

Last change on this file since 106945 was 105469, checked in by vboxsync, 4 months ago

libpng-1.6.43: Applied and adjusted our libpng changes to 1.6.43. bugref:8515

  • Property svn:eol-style set to native
File size: 152.1 KB
Line 
1
2/* png.c - location for general purpose libpng functions
3 *
4 * Copyright (c) 2018-2024 Cosmin Truta
5 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
6 * Copyright (c) 1996-1997 Andreas Dilger
7 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 */
13
14#include "pngpriv.h"
15
16/* Generate a compiler error if there is an old png.h in the search path. */
17typedef png_libpng_version_1_6_43 Your_png_h_is_not_version_1_6_43;
18
19/* Tells libpng that we have already handled the first "num_bytes" bytes
20 * of the PNG file signature. If the PNG data is embedded into another
21 * stream we can set num_bytes = 8 so that libpng will not attempt to read
22 * or write any of the magic bytes before it starts on the IHDR.
23 */
24
25#ifdef PNG_READ_SUPPORTED
26void PNGAPI
27png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
28{
29 unsigned int nb = (unsigned int)num_bytes;
30
31 png_debug(1, "in png_set_sig_bytes");
32
33 if (png_ptr == NULL)
34 return;
35
36 if (num_bytes < 0)
37 nb = 0;
38
39 if (nb > 8)
40 png_error(png_ptr, "Too many bytes for PNG signature");
41
42 png_ptr->sig_bytes = (png_byte)nb;
43}
44
45/* Checks whether the supplied bytes match the PNG signature. We allow
46 * checking less than the full 8-byte signature so that those apps that
47 * already read the first few bytes of a file to determine the file type
48 * can simply check the remaining bytes for extra assurance. Returns
49 * an integer less than, equal to, or greater than zero if sig is found,
50 * respectively, to be less than, to match, or be greater than the correct
51 * PNG signature (this is the same behavior as strcmp, memcmp, etc).
52 */
53int PNGAPI
54png_sig_cmp(png_const_bytep sig, size_t start, size_t num_to_check)
55{
56 static const png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
57
58 if (num_to_check > 8)
59 num_to_check = 8;
60
61 else if (num_to_check < 1)
62 return -1;
63
64 if (start > 7)
65 return -1;
66
67 if (start + num_to_check > 8)
68 num_to_check = 8 - start;
69
70 return memcmp(&sig[start], &png_signature[start], num_to_check);
71}
72
73#endif /* READ */
74
75#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
76/* Function to allocate memory for zlib */
77PNG_FUNCTION(voidpf /* PRIVATE */,
78png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
79{
80 png_alloc_size_t num_bytes = size;
81
82 if (png_ptr == NULL)
83 return NULL;
84
85 if (items >= (~(png_alloc_size_t)0)/size)
86 {
87 png_warning (png_voidcast(png_structrp, png_ptr),
88 "Potential overflow in png_zalloc()");
89 return NULL;
90 }
91
92 num_bytes *= items;
93 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
94}
95
96/* Function to free memory for zlib */
97void /* PRIVATE */
98png_zfree(voidpf png_ptr, voidpf ptr)
99{
100 png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
101}
102
103/* Reset the CRC variable to 32 bits of 1's. Care must be taken
104 * in case CRC is > 32 bits to leave the top bits 0.
105 */
106void /* PRIVATE */
107png_reset_crc(png_structrp png_ptr)
108{
109 /* The cast is safe because the crc is a 32-bit value. */
110 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
111}
112
113/* Calculate the CRC over a section of data. We can only pass as
114 * much data to this routine as the largest single buffer size. We
115 * also check that this data will actually be used before going to the
116 * trouble of calculating it.
117 */
118void /* PRIVATE */
119png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, size_t length)
120{
121 int need_crc = 1;
122
123 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
124 {
125 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
126 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
127 need_crc = 0;
128 }
129
130 else /* critical */
131 {
132 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
133 need_crc = 0;
134 }
135
136 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
137 * systems it is a 64-bit value. crc32, however, returns 32 bits so the
138 * following cast is safe. 'uInt' may be no more than 16 bits, so it is
139 * necessary to perform a loop here.
140 */
141 if (need_crc != 0 && length > 0)
142 {
143 uLong crc = png_ptr->crc; /* Should never issue a warning */
144
145 do
146 {
147 uInt safe_length = (uInt)length;
148#ifndef __COVERITY__
149 if (safe_length == 0)
150 safe_length = (uInt)-1; /* evil, but safe */
151#endif
152
153 crc = crc32(crc, ptr, safe_length);
154
155 /* The following should never issue compiler warnings; if they do the
156 * target system has characteristics that will probably violate other
157 * assumptions within the libpng code.
158 */
159 ptr += safe_length;
160 length -= safe_length;
161 }
162 while (length > 0);
163
164 /* And the following is always safe because the crc is only 32 bits. */
165 png_ptr->crc = (png_uint_32)crc;
166 }
167}
168
169/* Check a user supplied version number, called from both read and write
170 * functions that create a png_struct.
171 */
172int
173png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
174{
175 /* Libpng versions 1.0.0 and later are binary compatible if the version
176 * string matches through the second '.'; we must recompile any
177 * applications that use any older library version.
178 */
179
180 if (user_png_ver != NULL)
181 {
182 int i = -1;
183 int found_dots = 0;
184
185 do
186 {
187 i++;
188 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
189 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
190 if (user_png_ver[i] == '.')
191 found_dots++;
192 } while (found_dots < 2 && user_png_ver[i] != 0 &&
193 PNG_LIBPNG_VER_STRING[i] != 0);
194 }
195
196 else
197 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
198
199 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
200 {
201#ifdef PNG_WARNINGS_SUPPORTED
202 size_t pos = 0;
203 char m[128];
204
205 pos = png_safecat(m, (sizeof m), pos,
206 "Application built with libpng-");
207 pos = png_safecat(m, (sizeof m), pos, user_png_ver);
208 pos = png_safecat(m, (sizeof m), pos, " but running with ");
209 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
210 PNG_UNUSED(pos)
211
212 png_warning(png_ptr, m);
213#endif
214
215#ifdef PNG_ERROR_NUMBERS_SUPPORTED
216 png_ptr->flags = 0;
217#endif
218
219 return 0;
220 }
221
222 /* Success return. */
223 return 1;
224}
225
226/* Generic function to create a png_struct for either read or write - this
227 * contains the common initialization.
228 */
229PNG_FUNCTION(png_structp /* PRIVATE */,
230png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
231 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
232 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
233{
234 png_struct create_struct;
235# ifdef PNG_SETJMP_SUPPORTED
236 jmp_buf create_jmp_buf;
237# endif
238
239 /* This temporary stack-allocated structure is used to provide a place to
240 * build enough context to allow the user provided memory allocator (if any)
241 * to be called.
242 */
243 memset(&create_struct, 0, (sizeof create_struct));
244
245 /* Added at libpng-1.2.6 */
246# ifdef PNG_USER_LIMITS_SUPPORTED
247 create_struct.user_width_max = PNG_USER_WIDTH_MAX;
248 create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
249
250# ifdef PNG_USER_CHUNK_CACHE_MAX
251 /* Added at libpng-1.2.43 and 1.4.0 */
252 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
253# endif
254
255# ifdef PNG_USER_CHUNK_MALLOC_MAX
256 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
257 * in png_struct regardless.
258 */
259 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
260# endif
261# endif
262
263 /* The following two API calls simply set fields in png_struct, so it is safe
264 * to do them now even though error handling is not yet set up.
265 */
266# ifdef PNG_USER_MEM_SUPPORTED
267 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
268# else
269 PNG_UNUSED(mem_ptr)
270 PNG_UNUSED(malloc_fn)
271 PNG_UNUSED(free_fn)
272# endif
273
274 /* (*error_fn) can return control to the caller after the error_ptr is set,
275 * this will result in a memory leak unless the error_fn does something
276 * extremely sophisticated. The design lacks merit but is implicit in the
277 * API.
278 */
279 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
280
281# ifdef PNG_SETJMP_SUPPORTED
282 if (!setjmp(create_jmp_buf))
283# endif
284 {
285# ifdef PNG_SETJMP_SUPPORTED
286 /* Temporarily fake out the longjmp information until we have
287 * successfully completed this function. This only works if we have
288 * setjmp() support compiled in, but it is safe - this stuff should
289 * never happen.
290 */
291 create_struct.jmp_buf_ptr = &create_jmp_buf;
292 create_struct.jmp_buf_size = 0; /*stack allocation*/
293 create_struct.longjmp_fn = longjmp;
294# endif
295 /* Call the general version checker (shared with read and write code):
296 */
297 if (png_user_version_check(&create_struct, user_png_ver) != 0)
298 {
299 png_structrp png_ptr = png_voidcast(png_structrp,
300 png_malloc_warn(&create_struct, (sizeof *png_ptr)));
301
302 if (png_ptr != NULL)
303 {
304 /* png_ptr->zstream holds a back-pointer to the png_struct, so
305 * this can only be done now:
306 */
307 create_struct.zstream.zalloc = png_zalloc;
308 create_struct.zstream.zfree = png_zfree;
309 create_struct.zstream.opaque = png_ptr;
310
311# ifdef PNG_SETJMP_SUPPORTED
312 /* Eliminate the local error handling: */
313 create_struct.jmp_buf_ptr = NULL;
314 create_struct.jmp_buf_size = 0;
315 create_struct.longjmp_fn = 0;
316# endif
317
318 *png_ptr = create_struct;
319
320 /* This is the successful return point */
321 return png_ptr;
322 }
323 }
324 }
325
326 /* A longjmp because of a bug in the application storage allocator or a
327 * simple failure to allocate the png_struct.
328 */
329 return NULL;
330}
331
332/* Allocate the memory for an info_struct for the application. */
333PNG_FUNCTION(png_infop,PNGAPI
334png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
335{
336 png_inforp info_ptr;
337
338 png_debug(1, "in png_create_info_struct");
339
340 if (png_ptr == NULL)
341 return NULL;
342
343 /* Use the internal API that does not (or at least should not) error out, so
344 * that this call always returns ok. The application typically sets up the
345 * error handling *after* creating the info_struct because this is the way it
346 * has always been done in 'example.c'.
347 */
348 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
349 (sizeof *info_ptr)));
350
351 if (info_ptr != NULL)
352 memset(info_ptr, 0, (sizeof *info_ptr));
353
354 return info_ptr;
355}
356
357/* This function frees the memory associated with a single info struct.
358 * Normally, one would use either png_destroy_read_struct() or
359 * png_destroy_write_struct() to free an info struct, but this may be
360 * useful for some applications. From libpng 1.6.0 this function is also used
361 * internally to implement the png_info release part of the 'struct' destroy
362 * APIs. This ensures that all possible approaches free the same data (all of
363 * it).
364 */
365void PNGAPI
366png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
367{
368 png_inforp info_ptr = NULL;
369
370 png_debug(1, "in png_destroy_info_struct");
371
372 if (png_ptr == NULL)
373 return;
374
375 if (info_ptr_ptr != NULL)
376 info_ptr = *info_ptr_ptr;
377
378 if (info_ptr != NULL)
379 {
380 /* Do this first in case of an error below; if the app implements its own
381 * memory management this can lead to png_free calling png_error, which
382 * will abort this routine and return control to the app error handler.
383 * An infinite loop may result if it then tries to free the same info
384 * ptr.
385 */
386 *info_ptr_ptr = NULL;
387
388 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
389 memset(info_ptr, 0, (sizeof *info_ptr));
390 png_free(png_ptr, info_ptr);
391 }
392}
393
394/* Initialize the info structure. This is now an internal function (0.89)
395 * and applications using it are urged to use png_create_info_struct()
396 * instead. Use deprecated in 1.6.0, internal use removed (used internally it
397 * is just a memset).
398 *
399 * NOTE: it is almost inconceivable that this API is used because it bypasses
400 * the user-memory mechanism and the user error handling/warning mechanisms in
401 * those cases where it does anything other than a memset.
402 */
403PNG_FUNCTION(void,PNGAPI
404png_info_init_3,(png_infopp ptr_ptr, size_t png_info_struct_size),
405 PNG_DEPRECATED)
406{
407 png_inforp info_ptr = *ptr_ptr;
408
409 png_debug(1, "in png_info_init_3");
410
411 if (info_ptr == NULL)
412 return;
413
414 if ((sizeof (png_info)) > png_info_struct_size)
415 {
416 *ptr_ptr = NULL;
417 /* The following line is why this API should not be used: */
418 free(info_ptr);
419 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
420 (sizeof *info_ptr)));
421 if (info_ptr == NULL)
422 return;
423 *ptr_ptr = info_ptr;
424 }
425
426 /* Set everything to 0 */
427 memset(info_ptr, 0, (sizeof *info_ptr));
428}
429
430void PNGAPI
431png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
432 int freer, png_uint_32 mask)
433{
434 png_debug(1, "in png_data_freer");
435
436 if (png_ptr == NULL || info_ptr == NULL)
437 return;
438
439 if (freer == PNG_DESTROY_WILL_FREE_DATA)
440 info_ptr->free_me |= mask;
441
442 else if (freer == PNG_USER_WILL_FREE_DATA)
443 info_ptr->free_me &= ~mask;
444
445 else
446 png_error(png_ptr, "Unknown freer parameter in png_data_freer");
447}
448
449void PNGAPI
450png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
451 int num)
452{
453 png_debug(1, "in png_free_data");
454
455 if (png_ptr == NULL || info_ptr == NULL)
456 return;
457
458#ifdef PNG_TEXT_SUPPORTED
459 /* Free text item num or (if num == -1) all text items */
460 if (info_ptr->text != NULL &&
461 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
462 {
463 if (num != -1)
464 {
465 png_free(png_ptr, info_ptr->text[num].key);
466 info_ptr->text[num].key = NULL;
467 }
468
469 else
470 {
471 int i;
472
473 for (i = 0; i < info_ptr->num_text; i++)
474 png_free(png_ptr, info_ptr->text[i].key);
475
476 png_free(png_ptr, info_ptr->text);
477 info_ptr->text = NULL;
478 info_ptr->num_text = 0;
479 info_ptr->max_text = 0;
480 }
481 }
482#endif
483
484#ifdef PNG_tRNS_SUPPORTED
485 /* Free any tRNS entry */
486 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
487 {
488 info_ptr->valid &= ~PNG_INFO_tRNS;
489 png_free(png_ptr, info_ptr->trans_alpha);
490 info_ptr->trans_alpha = NULL;
491 info_ptr->num_trans = 0;
492 }
493#endif
494
495#ifdef PNG_sCAL_SUPPORTED
496 /* Free any sCAL entry */
497 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
498 {
499 png_free(png_ptr, info_ptr->scal_s_width);
500 png_free(png_ptr, info_ptr->scal_s_height);
501 info_ptr->scal_s_width = NULL;
502 info_ptr->scal_s_height = NULL;
503 info_ptr->valid &= ~PNG_INFO_sCAL;
504 }
505#endif
506
507#ifdef PNG_pCAL_SUPPORTED
508 /* Free any pCAL entry */
509 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
510 {
511 png_free(png_ptr, info_ptr->pcal_purpose);
512 png_free(png_ptr, info_ptr->pcal_units);
513 info_ptr->pcal_purpose = NULL;
514 info_ptr->pcal_units = NULL;
515
516 if (info_ptr->pcal_params != NULL)
517 {
518 int i;
519
520 for (i = 0; i < info_ptr->pcal_nparams; i++)
521 png_free(png_ptr, info_ptr->pcal_params[i]);
522
523 png_free(png_ptr, info_ptr->pcal_params);
524 info_ptr->pcal_params = NULL;
525 }
526 info_ptr->valid &= ~PNG_INFO_pCAL;
527 }
528#endif
529
530#ifdef PNG_iCCP_SUPPORTED
531 /* Free any profile entry */
532 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
533 {
534 png_free(png_ptr, info_ptr->iccp_name);
535 png_free(png_ptr, info_ptr->iccp_profile);
536 info_ptr->iccp_name = NULL;
537 info_ptr->iccp_profile = NULL;
538 info_ptr->valid &= ~PNG_INFO_iCCP;
539 }
540#endif
541
542#ifdef PNG_sPLT_SUPPORTED
543 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
544 if (info_ptr->splt_palettes != NULL &&
545 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
546 {
547 if (num != -1)
548 {
549 png_free(png_ptr, info_ptr->splt_palettes[num].name);
550 png_free(png_ptr, info_ptr->splt_palettes[num].entries);
551 info_ptr->splt_palettes[num].name = NULL;
552 info_ptr->splt_palettes[num].entries = NULL;
553 }
554
555 else
556 {
557 int i;
558
559 for (i = 0; i < info_ptr->splt_palettes_num; i++)
560 {
561 png_free(png_ptr, info_ptr->splt_palettes[i].name);
562 png_free(png_ptr, info_ptr->splt_palettes[i].entries);
563 }
564
565 png_free(png_ptr, info_ptr->splt_palettes);
566 info_ptr->splt_palettes = NULL;
567 info_ptr->splt_palettes_num = 0;
568 info_ptr->valid &= ~PNG_INFO_sPLT;
569 }
570 }
571#endif
572
573#ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
574 if (info_ptr->unknown_chunks != NULL &&
575 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
576 {
577 if (num != -1)
578 {
579 png_free(png_ptr, info_ptr->unknown_chunks[num].data);
580 info_ptr->unknown_chunks[num].data = NULL;
581 }
582
583 else
584 {
585 int i;
586
587 for (i = 0; i < info_ptr->unknown_chunks_num; i++)
588 png_free(png_ptr, info_ptr->unknown_chunks[i].data);
589
590 png_free(png_ptr, info_ptr->unknown_chunks);
591 info_ptr->unknown_chunks = NULL;
592 info_ptr->unknown_chunks_num = 0;
593 }
594 }
595#endif
596
597#ifdef PNG_eXIf_SUPPORTED
598 /* Free any eXIf entry */
599 if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0)
600 {
601# ifdef PNG_READ_eXIf_SUPPORTED
602 if (info_ptr->eXIf_buf)
603 {
604 png_free(png_ptr, info_ptr->eXIf_buf);
605 info_ptr->eXIf_buf = NULL;
606 }
607# endif
608 if (info_ptr->exif)
609 {
610 png_free(png_ptr, info_ptr->exif);
611 info_ptr->exif = NULL;
612 }
613 info_ptr->valid &= ~PNG_INFO_eXIf;
614 }
615#endif
616
617#ifdef PNG_hIST_SUPPORTED
618 /* Free any hIST entry */
619 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
620 {
621 png_free(png_ptr, info_ptr->hist);
622 info_ptr->hist = NULL;
623 info_ptr->valid &= ~PNG_INFO_hIST;
624 }
625#endif
626
627 /* Free any PLTE entry that was internally allocated */
628 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
629 {
630 png_free(png_ptr, info_ptr->palette);
631 info_ptr->palette = NULL;
632 info_ptr->valid &= ~PNG_INFO_PLTE;
633 info_ptr->num_palette = 0;
634 }
635
636#ifdef PNG_INFO_IMAGE_SUPPORTED
637 /* Free any image bits attached to the info structure */
638 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
639 {
640 if (info_ptr->row_pointers != NULL)
641 {
642 png_uint_32 row;
643 for (row = 0; row < info_ptr->height; row++)
644 png_free(png_ptr, info_ptr->row_pointers[row]);
645
646 png_free(png_ptr, info_ptr->row_pointers);
647 info_ptr->row_pointers = NULL;
648 }
649 info_ptr->valid &= ~PNG_INFO_IDAT;
650 }
651#endif
652
653 if (num != -1)
654 mask &= ~PNG_FREE_MUL;
655
656 info_ptr->free_me &= ~mask;
657}
658#endif /* READ || WRITE */
659
660/* This function returns a pointer to the io_ptr associated with the user
661 * functions. The application should free any memory associated with this
662 * pointer before png_write_destroy() or png_read_destroy() are called.
663 */
664png_voidp PNGAPI
665png_get_io_ptr(png_const_structrp png_ptr)
666{
667 if (png_ptr == NULL)
668 return NULL;
669
670 return png_ptr->io_ptr;
671}
672
673#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
674# ifdef PNG_STDIO_SUPPORTED
675/* Initialize the default input/output functions for the PNG file. If you
676 * use your own read or write routines, you can call either png_set_read_fn()
677 * or png_set_write_fn() instead of png_init_io(). If you have defined
678 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
679 * function of your own because "FILE *" isn't necessarily available.
680 */
681void PNGAPI
682png_init_io(png_structrp png_ptr, png_FILE_p fp)
683{
684 png_debug(1, "in png_init_io");
685
686 if (png_ptr == NULL)
687 return;
688
689 png_ptr->io_ptr = (png_voidp)fp;
690}
691# endif
692
693# ifdef PNG_SAVE_INT_32_SUPPORTED
694/* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90
695 * defines a cast of a signed integer to an unsigned integer either to preserve
696 * the value, if it is positive, or to calculate:
697 *
698 * (UNSIGNED_MAX+1) + integer
699 *
700 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
701 * negative integral value is added the result will be an unsigned value
702 * corresponding to the 2's complement representation.
703 */
704void PNGAPI
705png_save_int_32(png_bytep buf, png_int_32 i)
706{
707 png_save_uint_32(buf, (png_uint_32)i);
708}
709# endif
710
711# ifdef PNG_TIME_RFC1123_SUPPORTED
712/* Convert the supplied time into an RFC 1123 string suitable for use in
713 * a "Creation Time" or other text-based time string.
714 */
715int PNGAPI
716png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
717{
718 static const char short_months[12][4] =
719 {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
720 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
721
722 if (out == NULL)
723 return 0;
724
725 if (ptime->year > 9999 /* RFC1123 limitation */ ||
726 ptime->month == 0 || ptime->month > 12 ||
727 ptime->day == 0 || ptime->day > 31 ||
728 ptime->hour > 23 || ptime->minute > 59 ||
729 ptime->second > 60)
730 return 0;
731
732 {
733 size_t pos = 0;
734 char number_buf[5] = {0, 0, 0, 0, 0}; /* enough for a four-digit year */
735
736# define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
737# define APPEND_NUMBER(format, value)\
738 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
739# define APPEND(ch) if (pos < 28) out[pos++] = (ch)
740
741 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
742 APPEND(' ');
743 APPEND_STRING(short_months[(ptime->month - 1)]);
744 APPEND(' ');
745 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
746 APPEND(' ');
747 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
748 APPEND(':');
749 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
750 APPEND(':');
751 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
752 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
753 PNG_UNUSED (pos)
754
755# undef APPEND
756# undef APPEND_NUMBER
757# undef APPEND_STRING
758 }
759
760 return 1;
761}
762
763# if PNG_LIBPNG_VER < 10700
764/* To do: remove the following from libpng-1.7 */
765/* Original API that uses a private buffer in png_struct.
766 * Deprecated because it causes png_struct to carry a spurious temporary
767 * buffer (png_struct::time_buffer), better to have the caller pass this in.
768 */
769png_const_charp PNGAPI
770png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
771{
772 if (png_ptr != NULL)
773 {
774 /* The only failure above if png_ptr != NULL is from an invalid ptime */
775 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
776 png_warning(png_ptr, "Ignoring invalid time value");
777
778 else
779 return png_ptr->time_buffer;
780 }
781
782 return NULL;
783}
784# endif /* LIBPNG_VER < 10700 */
785# endif /* TIME_RFC1123 */
786
787#endif /* READ || WRITE */
788
789png_const_charp PNGAPI
790png_get_copyright(png_const_structrp png_ptr)
791{
792 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
793#ifdef PNG_STRING_COPYRIGHT
794 return PNG_STRING_COPYRIGHT
795#else
796 return PNG_STRING_NEWLINE \
797 "libpng version 1.6.43" PNG_STRING_NEWLINE \
798 "Copyright (c) 2018-2024 Cosmin Truta" PNG_STRING_NEWLINE \
799 "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
800 PNG_STRING_NEWLINE \
801 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
802 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
803 PNG_STRING_NEWLINE;
804#endif
805}
806
807/* The following return the library version as a short string in the
808 * format 1.0.0 through 99.99.99zz. To get the version of *.h files
809 * used with your application, print out PNG_LIBPNG_VER_STRING, which
810 * is defined in png.h.
811 * Note: now there is no difference between png_get_libpng_ver() and
812 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard,
813 * it is guaranteed that png.c uses the correct version of png.h.
814 */
815png_const_charp PNGAPI
816png_get_libpng_ver(png_const_structrp png_ptr)
817{
818 /* Version of *.c files used when building libpng */
819 return png_get_header_ver(png_ptr);
820}
821
822png_const_charp PNGAPI
823png_get_header_ver(png_const_structrp png_ptr)
824{
825 /* Version of *.h files used when building libpng */
826 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
827 return PNG_LIBPNG_VER_STRING;
828}
829
830png_const_charp PNGAPI
831png_get_header_version(png_const_structrp png_ptr)
832{
833 /* Returns longer string containing both version and date */
834 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
835#ifdef __STDC__
836 return PNG_HEADER_VERSION_STRING
837# ifndef PNG_READ_SUPPORTED
838 " (NO READ SUPPORT)"
839# endif
840 PNG_STRING_NEWLINE;
841#else
842 return PNG_HEADER_VERSION_STRING;
843#endif
844}
845
846#ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
847/* NOTE: this routine is not used internally! */
848/* Build a grayscale palette. Palette is assumed to be 1 << bit_depth
849 * large of png_color. This lets grayscale images be treated as
850 * paletted. Most useful for gamma correction and simplification
851 * of code. This API is not used internally.
852 */
853void PNGAPI
854png_build_grayscale_palette(int bit_depth, png_colorp palette)
855{
856 int num_palette;
857 int color_inc;
858 int i;
859 int v;
860
861 png_debug(1, "in png_do_build_grayscale_palette");
862
863 if (palette == NULL)
864 return;
865
866 switch (bit_depth)
867 {
868 case 1:
869 num_palette = 2;
870 color_inc = 0xff;
871 break;
872
873 case 2:
874 num_palette = 4;
875 color_inc = 0x55;
876 break;
877
878 case 4:
879 num_palette = 16;
880 color_inc = 0x11;
881 break;
882
883 case 8:
884 num_palette = 256;
885 color_inc = 1;
886 break;
887
888 default:
889 num_palette = 0;
890 color_inc = 0;
891 break;
892 }
893
894 for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
895 {
896 palette[i].red = (png_byte)(v & 0xff);
897 palette[i].green = (png_byte)(v & 0xff);
898 palette[i].blue = (png_byte)(v & 0xff);
899 }
900}
901#endif
902
903#ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
904int PNGAPI
905png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
906{
907 /* Check chunk_name and return "keep" value if it's on the list, else 0 */
908 png_const_bytep p, p_end;
909
910 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
911 return PNG_HANDLE_CHUNK_AS_DEFAULT;
912
913 p_end = png_ptr->chunk_list;
914 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
915
916 /* The code is the fifth byte after each four byte string. Historically this
917 * code was always searched from the end of the list, this is no longer
918 * necessary because the 'set' routine handles duplicate entries correctly.
919 */
920 do /* num_chunk_list > 0, so at least one */
921 {
922 p -= 5;
923
924 if (memcmp(chunk_name, p, 4) == 0)
925 return p[4];
926 }
927 while (p > p_end);
928
929 /* This means that known chunks should be processed and unknown chunks should
930 * be handled according to the value of png_ptr->unknown_default; this can be
931 * confusing because, as a result, there are two levels of defaulting for
932 * unknown chunks.
933 */
934 return PNG_HANDLE_CHUNK_AS_DEFAULT;
935}
936
937#if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
938 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
939int /* PRIVATE */
940png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
941{
942 png_byte chunk_string[5];
943
944 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
945 return png_handle_as_unknown(png_ptr, chunk_string);
946}
947#endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
948#endif /* SET_UNKNOWN_CHUNKS */
949
950#ifdef PNG_READ_SUPPORTED
951/* This function, added to libpng-1.0.6g, is untested. */
952int PNGAPI
953png_reset_zstream(png_structrp png_ptr)
954{
955 if (png_ptr == NULL)
956 return Z_STREAM_ERROR;
957
958 /* WARNING: this resets the window bits to the maximum! */
959 return inflateReset(&png_ptr->zstream);
960}
961#endif /* READ */
962
963/* This function was added to libpng-1.0.7 */
964png_uint_32 PNGAPI
965png_access_version_number(void)
966{
967 /* Version of *.c files used when building libpng */
968 return (png_uint_32)PNG_LIBPNG_VER;
969}
970
971#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
972/* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
973 * If it doesn't 'ret' is used to set it to something appropriate, even in cases
974 * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
975 */
976void /* PRIVATE */
977png_zstream_error(png_structrp png_ptr, int ret)
978{
979 /* Translate 'ret' into an appropriate error string, priority is given to the
980 * one in zstream if set. This always returns a string, even in cases like
981 * Z_OK or Z_STREAM_END where the error code is a success code.
982 */
983 if (png_ptr->zstream.msg == NULL) switch (ret)
984 {
985 default:
986 case Z_OK:
987 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
988 break;
989
990 case Z_STREAM_END:
991 /* Normal exit */
992 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
993 break;
994
995 case Z_NEED_DICT:
996 /* This means the deflate stream did not have a dictionary; this
997 * indicates a bogus PNG.
998 */
999 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
1000 break;
1001
1002 case Z_ERRNO:
1003 /* gz APIs only: should not happen */
1004 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
1005 break;
1006
1007 case Z_STREAM_ERROR:
1008 /* internal libpng error */
1009 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1010 break;
1011
1012 case Z_DATA_ERROR:
1013 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1014 break;
1015
1016 case Z_MEM_ERROR:
1017 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1018 break;
1019
1020 case Z_BUF_ERROR:
1021 /* End of input or output; not a problem if the caller is doing
1022 * incremental read or write.
1023 */
1024 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1025 break;
1026
1027 case Z_VERSION_ERROR:
1028 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1029 break;
1030
1031 case PNG_UNEXPECTED_ZLIB_RETURN:
1032 /* Compile errors here mean that zlib now uses the value co-opted in
1033 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1034 * and change pngpriv.h. Note that this message is "... return",
1035 * whereas the default/Z_OK one is "... return code".
1036 */
1037 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1038 break;
1039 }
1040}
1041
1042/* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1043 * at libpng 1.5.5!
1044 */
1045
1046/* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1047#ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1048static int
1049png_colorspace_check_gamma(png_const_structrp png_ptr,
1050 png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1051 /* This is called to check a new gamma value against an existing one. The
1052 * routine returns false if the new gamma value should not be written.
1053 *
1054 * 'from' says where the new gamma value comes from:
1055 *
1056 * 0: the new gamma value is the libpng estimate for an ICC profile
1057 * 1: the new gamma value comes from a gAMA chunk
1058 * 2: the new gamma value comes from an sRGB chunk
1059 */
1060{
1061 png_fixed_point gtest;
1062
1063 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1064 (png_muldiv(&gtest, colorspace->gamma, PNG_FP_1, gAMA) == 0 ||
1065 png_gamma_significant(gtest) != 0))
1066 {
1067 /* Either this is an sRGB image, in which case the calculated gamma
1068 * approximation should match, or this is an image with a profile and the
1069 * value libpng calculates for the gamma of the profile does not match the
1070 * value recorded in the file. The former, sRGB, case is an error, the
1071 * latter is just a warning.
1072 */
1073 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1074 {
1075 png_chunk_report(png_ptr, "gamma value does not match sRGB",
1076 PNG_CHUNK_ERROR);
1077 /* Do not overwrite an sRGB value */
1078 return from == 2;
1079 }
1080
1081 else /* sRGB tag not involved */
1082 {
1083 png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1084 PNG_CHUNK_WARNING);
1085 return from == 1;
1086 }
1087 }
1088
1089 return 1;
1090}
1091
1092void /* PRIVATE */
1093png_colorspace_set_gamma(png_const_structrp png_ptr,
1094 png_colorspacerp colorspace, png_fixed_point gAMA)
1095{
1096 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1097 * occur. Since the fixed point representation is asymmetrical it is
1098 * possible for 1/gamma to overflow the limit of 21474 and this means the
1099 * gamma value must be at least 5/100000 and hence at most 20000.0. For
1100 * safety the limits here are a little narrower. The values are 0.00016 to
1101 * 6250.0, which are truly ridiculous gamma values (and will produce
1102 * displays that are all black or all white.)
1103 *
1104 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1105 * handling code, which only required the value to be >0.
1106 */
1107 png_const_charp errmsg;
1108
1109 if (gAMA < 16 || gAMA > 625000000)
1110 errmsg = "gamma value out of range";
1111
1112# ifdef PNG_READ_gAMA_SUPPORTED
1113 /* Allow the application to set the gamma value more than once */
1114 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1115 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1116 errmsg = "duplicate";
1117# endif
1118
1119 /* Do nothing if the colorspace is already invalid */
1120 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1121 return;
1122
1123 else
1124 {
1125 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1126 1/*from gAMA*/) != 0)
1127 {
1128 /* Store this gamma value. */
1129 colorspace->gamma = gAMA;
1130 colorspace->flags |=
1131 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1132 }
1133
1134 /* At present if the check_gamma test fails the gamma of the colorspace is
1135 * not updated however the colorspace is not invalidated. This
1136 * corresponds to the case where the existing gamma comes from an sRGB
1137 * chunk or profile. An error message has already been output.
1138 */
1139 return;
1140 }
1141
1142 /* Error exit - errmsg has been set. */
1143 colorspace->flags |= PNG_COLORSPACE_INVALID;
1144 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1145}
1146
1147void /* PRIVATE */
1148png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1149{
1150 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1151 {
1152 /* Everything is invalid */
1153 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1154 PNG_INFO_iCCP);
1155
1156# ifdef PNG_COLORSPACE_SUPPORTED
1157 /* Clean up the iCCP profile now if it won't be used. */
1158 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1159# else
1160 PNG_UNUSED(png_ptr)
1161# endif
1162 }
1163
1164 else
1165 {
1166# ifdef PNG_COLORSPACE_SUPPORTED
1167 /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1168 * it; this allows a PNG to contain a profile which matches sRGB and
1169 * yet still have that profile retrievable by the application.
1170 */
1171 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1172 info_ptr->valid |= PNG_INFO_sRGB;
1173
1174 else
1175 info_ptr->valid &= ~PNG_INFO_sRGB;
1176
1177 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1178 info_ptr->valid |= PNG_INFO_cHRM;
1179
1180 else
1181 info_ptr->valid &= ~PNG_INFO_cHRM;
1182# endif
1183
1184 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1185 info_ptr->valid |= PNG_INFO_gAMA;
1186
1187 else
1188 info_ptr->valid &= ~PNG_INFO_gAMA;
1189 }
1190}
1191
1192#ifdef PNG_READ_SUPPORTED
1193void /* PRIVATE */
1194png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1195{
1196 if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1197 return;
1198
1199 info_ptr->colorspace = png_ptr->colorspace;
1200 png_colorspace_sync_info(png_ptr, info_ptr);
1201}
1202#endif
1203#endif /* GAMMA */
1204
1205#ifdef PNG_COLORSPACE_SUPPORTED
1206/* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1207 * cHRM, as opposed to using chromaticities. These internal APIs return
1208 * non-zero on a parameter error. The X, Y and Z values are required to be
1209 * positive and less than 1.0.
1210 */
1211static int
1212png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1213{
1214 png_int_32 d, dwhite, whiteX, whiteY;
1215
1216 d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1217 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
1218 return 1;
1219 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
1220 return 1;
1221 dwhite = d;
1222 whiteX = XYZ->red_X;
1223 whiteY = XYZ->red_Y;
1224
1225 d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1226 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
1227 return 1;
1228 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
1229 return 1;
1230 dwhite += d;
1231 whiteX += XYZ->green_X;
1232 whiteY += XYZ->green_Y;
1233
1234 d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1235 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
1236 return 1;
1237 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
1238 return 1;
1239 dwhite += d;
1240 whiteX += XYZ->blue_X;
1241 whiteY += XYZ->blue_Y;
1242
1243 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
1244 * thus:
1245 */
1246 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1247 return 1;
1248 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1249 return 1;
1250
1251 return 0;
1252}
1253
1254static int
1255png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1256{
1257 png_fixed_point red_inverse, green_inverse, blue_scale;
1258 png_fixed_point left, right, denominator;
1259
1260 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically
1261 * have end points with 0 tristimulus values (these are impossible end
1262 * points, but they are used to cover the possible colors). We check
1263 * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1264 */
1265 if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1;
1266 if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
1267 if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
1268 if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
1269 if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1;
1270 if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
1271 if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
1272 if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
1273
1274 /* The reverse calculation is more difficult because the original tristimulus
1275 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1276 * derived values were recorded in the cHRM chunk;
1277 * (red,green,blue,white)x(x,y). This loses one degree of freedom and
1278 * therefore an arbitrary ninth value has to be introduced to undo the
1279 * original transformations.
1280 *
1281 * Think of the original end-points as points in (X,Y,Z) space. The
1282 * chromaticity values (c) have the property:
1283 *
1284 * C
1285 * c = ---------
1286 * X + Y + Z
1287 *
1288 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the
1289 * three chromaticity values (x,y,z) for each end-point obey the
1290 * relationship:
1291 *
1292 * x + y + z = 1
1293 *
1294 * This describes the plane in (X,Y,Z) space that intersects each axis at the
1295 * value 1.0; call this the chromaticity plane. Thus the chromaticity
1296 * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1297 * and chromaticity is the intersection of the vector from the origin to the
1298 * (X,Y,Z) value with the chromaticity plane.
1299 *
1300 * To fully invert the chromaticity calculation we would need the three
1301 * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1302 * were not recorded. Instead we calculated the reference white (X,Y,Z) and
1303 * recorded the chromaticity of this. The reference white (X,Y,Z) would have
1304 * given all three of the scale factors since:
1305 *
1306 * color-C = color-c * color-scale
1307 * white-C = red-C + green-C + blue-C
1308 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1309 *
1310 * But cHRM records only white-x and white-y, so we have lost the white scale
1311 * factor:
1312 *
1313 * white-C = white-c*white-scale
1314 *
1315 * To handle this the inverse transformation makes an arbitrary assumption
1316 * about white-scale:
1317 *
1318 * Assume: white-Y = 1.0
1319 * Hence: white-scale = 1/white-y
1320 * Or: red-Y + green-Y + blue-Y = 1.0
1321 *
1322 * Notice the last statement of the assumption gives an equation in three of
1323 * the nine values we want to calculate. 8 more equations come from the
1324 * above routine as summarised at the top above (the chromaticity
1325 * calculation):
1326 *
1327 * Given: color-x = color-X / (color-X + color-Y + color-Z)
1328 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1329 *
1330 * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1331 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix
1332 * determinants, however this is not as bad as it seems because only 28 of
1333 * the total of 90 terms in the various matrices are non-zero. Nevertheless
1334 * Cramer's rule is notoriously numerically unstable because the determinant
1335 * calculation involves the difference of large, but similar, numbers. It is
1336 * difficult to be sure that the calculation is stable for real world values
1337 * and it is certain that it becomes unstable where the end points are close
1338 * together.
1339 *
1340 * So this code uses the perhaps slightly less optimal but more
1341 * understandable and totally obvious approach of calculating color-scale.
1342 *
1343 * This algorithm depends on the precision in white-scale and that is
1344 * (1/white-y), so we can immediately see that as white-y approaches 0 the
1345 * accuracy inherent in the cHRM chunk drops off substantially.
1346 *
1347 * libpng arithmetic: a simple inversion of the above equations
1348 * ------------------------------------------------------------
1349 *
1350 * white_scale = 1/white-y
1351 * white-X = white-x * white-scale
1352 * white-Y = 1.0
1353 * white-Z = (1 - white-x - white-y) * white_scale
1354 *
1355 * white-C = red-C + green-C + blue-C
1356 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1357 *
1358 * This gives us three equations in (red-scale,green-scale,blue-scale) where
1359 * all the coefficients are now known:
1360 *
1361 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1362 * = white-x/white-y
1363 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1364 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1365 * = (1 - white-x - white-y)/white-y
1366 *
1367 * In the last equation color-z is (1 - color-x - color-y) so we can add all
1368 * three equations together to get an alternative third:
1369 *
1370 * red-scale + green-scale + blue-scale = 1/white-y = white-scale
1371 *
1372 * So now we have a Cramer's rule solution where the determinants are just
1373 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve
1374 * multiplication of three coefficients so we can't guarantee to avoid
1375 * overflow in the libpng fixed point representation. Using Cramer's rule in
1376 * floating point is probably a good choice here, but it's not an option for
1377 * fixed point. Instead proceed to simplify the first two equations by
1378 * eliminating what is likely to be the largest value, blue-scale:
1379 *
1380 * blue-scale = white-scale - red-scale - green-scale
1381 *
1382 * Hence:
1383 *
1384 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1385 * (white-x - blue-x)*white-scale
1386 *
1387 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1388 * 1 - blue-y*white-scale
1389 *
1390 * And now we can trivially solve for (red-scale,green-scale):
1391 *
1392 * green-scale =
1393 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1394 * -----------------------------------------------------------
1395 * green-x - blue-x
1396 *
1397 * red-scale =
1398 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1399 * ---------------------------------------------------------
1400 * red-y - blue-y
1401 *
1402 * Hence:
1403 *
1404 * red-scale =
1405 * ( (green-x - blue-x) * (white-y - blue-y) -
1406 * (green-y - blue-y) * (white-x - blue-x) ) / white-y
1407 * -------------------------------------------------------------------------
1408 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1409 *
1410 * green-scale =
1411 * ( (red-y - blue-y) * (white-x - blue-x) -
1412 * (red-x - blue-x) * (white-y - blue-y) ) / white-y
1413 * -------------------------------------------------------------------------
1414 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1415 *
1416 * Accuracy:
1417 * The input values have 5 decimal digits of accuracy. The values are all in
1418 * the range 0 < value < 1, so simple products are in the same range but may
1419 * need up to 10 decimal digits to preserve the original precision and avoid
1420 * underflow. Because we are using a 32-bit signed representation we cannot
1421 * match this; the best is a little over 9 decimal digits, less than 10.
1422 *
1423 * The approach used here is to preserve the maximum precision within the
1424 * signed representation. Because the red-scale calculation above uses the
1425 * difference between two products of values that must be in the range -1..+1
1426 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The
1427 * factor is irrelevant in the calculation because it is applied to both
1428 * numerator and denominator.
1429 *
1430 * Note that the values of the differences of the products of the
1431 * chromaticities in the above equations tend to be small, for example for
1432 * the sRGB chromaticities they are:
1433 *
1434 * red numerator: -0.04751
1435 * green numerator: -0.08788
1436 * denominator: -0.2241 (without white-y multiplication)
1437 *
1438 * The resultant Y coefficients from the chromaticities of some widely used
1439 * color space definitions are (to 15 decimal places):
1440 *
1441 * sRGB
1442 * 0.212639005871510 0.715168678767756 0.072192315360734
1443 * Kodak ProPhoto
1444 * 0.288071128229293 0.711843217810102 0.000085653960605
1445 * Adobe RGB
1446 * 0.297344975250536 0.627363566255466 0.075291458493998
1447 * Adobe Wide Gamut RGB
1448 * 0.258728243040113 0.724682314948566 0.016589442011321
1449 */
1450 /* By the argument, above overflow should be impossible here. The return
1451 * value of 2 indicates an internal error to the caller.
1452 */
1453 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)
1454 return 2;
1455 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)
1456 return 2;
1457 denominator = left - right;
1458
1459 /* Now find the red numerator. */
1460 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1461 return 2;
1462 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1463 return 2;
1464
1465 /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1466 * chunk values. This calculation actually returns the reciprocal of the
1467 * scale value because this allows us to delay the multiplication of white-y
1468 * into the denominator, which tends to produce a small number.
1469 */
1470 if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||
1471 red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1472 return 1;
1473
1474 /* Similarly for green_inverse: */
1475 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1476 return 2;
1477 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1478 return 2;
1479 if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||
1480 green_inverse <= xy->whitey)
1481 return 1;
1482
1483 /* And the blue scale, the checks above guarantee this can't overflow but it
1484 * can still produce 0 for extreme cHRM values.
1485 */
1486 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1487 png_reciprocal(green_inverse);
1488 if (blue_scale <= 0)
1489 return 1;
1490
1491
1492 /* And fill in the png_XYZ: */
1493 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1494 return 1;
1495 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1496 return 1;
1497 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1498 red_inverse) == 0)
1499 return 1;
1500
1501 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1502 return 1;
1503 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1504 return 1;
1505 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1506 green_inverse) == 0)
1507 return 1;
1508
1509 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1510 return 1;
1511 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1512 return 1;
1513 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1514 PNG_FP_1) == 0)
1515 return 1;
1516
1517 return 0; /*success*/
1518}
1519
1520static int
1521png_XYZ_normalize(png_XYZ *XYZ)
1522{
1523 png_int_32 Y;
1524
1525 if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||
1526 XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||
1527 XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)
1528 return 1;
1529
1530 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1531 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1532 * relying on addition of two positive values producing a negative one is not
1533 * safe.
1534 */
1535 Y = XYZ->red_Y;
1536 if (0x7fffffff - Y < XYZ->green_X)
1537 return 1;
1538 Y += XYZ->green_Y;
1539 if (0x7fffffff - Y < XYZ->blue_X)
1540 return 1;
1541 Y += XYZ->blue_Y;
1542
1543 if (Y != PNG_FP_1)
1544 {
1545 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1546 return 1;
1547 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1548 return 1;
1549 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1550 return 1;
1551
1552 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1553 return 1;
1554 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1555 return 1;
1556 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1557 return 1;
1558
1559 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1560 return 1;
1561 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1562 return 1;
1563 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1564 return 1;
1565 }
1566
1567 return 0;
1568}
1569
1570static int
1571png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1572{
1573 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1574 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1575 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1576 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) ||
1577 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) ||
1578 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1579 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1580 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) ||
1581 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta))
1582 return 0;
1583 return 1;
1584}
1585
1586/* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1587 * chunk chromaticities. Earlier checks used to simply look for the overflow
1588 * condition (where the determinant of the matrix to solve for XYZ ends up zero
1589 * because the chromaticity values are not all distinct.) Despite this it is
1590 * theoretically possible to produce chromaticities that are apparently valid
1591 * but that rapidly degrade to invalid, potentially crashing, sets because of
1592 * arithmetic inaccuracies when calculations are performed on them. The new
1593 * check is to round-trip xy -> XYZ -> xy and then check that the result is
1594 * within a small percentage of the original.
1595 */
1596static int
1597png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1598{
1599 int result;
1600 png_xy xy_test;
1601
1602 /* As a side-effect this routine also returns the XYZ endpoints. */
1603 result = png_XYZ_from_xy(XYZ, xy);
1604 if (result != 0)
1605 return result;
1606
1607 result = png_xy_from_XYZ(&xy_test, XYZ);
1608 if (result != 0)
1609 return result;
1610
1611 if (png_colorspace_endpoints_match(xy, &xy_test,
1612 5/*actually, the math is pretty accurate*/) != 0)
1613 return 0;
1614
1615 /* Too much slip */
1616 return 1;
1617}
1618
1619/* This is the check going the other way. The XYZ is modified to normalize it
1620 * (another side-effect) and the xy chromaticities are returned.
1621 */
1622static int
1623png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1624{
1625 int result;
1626 png_XYZ XYZtemp;
1627
1628 result = png_XYZ_normalize(XYZ);
1629 if (result != 0)
1630 return result;
1631
1632 result = png_xy_from_XYZ(xy, XYZ);
1633 if (result != 0)
1634 return result;
1635
1636 XYZtemp = *XYZ;
1637 return png_colorspace_check_xy(&XYZtemp, xy);
1638}
1639
1640/* Used to check for an endpoint match against sRGB */
1641static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1642{
1643 /* color x y */
1644 /* red */ 64000, 33000,
1645 /* green */ 30000, 60000,
1646 /* blue */ 15000, 6000,
1647 /* white */ 31270, 32900
1648};
1649
1650static int
1651png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1652 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1653 int preferred)
1654{
1655 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1656 return 0;
1657
1658 /* The consistency check is performed on the chromaticities; this factors out
1659 * variations because of the normalization (or not) of the end point Y
1660 * values.
1661 */
1662 if (preferred < 2 &&
1663 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1664 {
1665 /* The end points must be reasonably close to any we already have. The
1666 * following allows an error of up to +/-.001
1667 */
1668 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1669 100) == 0)
1670 {
1671 colorspace->flags |= PNG_COLORSPACE_INVALID;
1672 png_benign_error(png_ptr, "inconsistent chromaticities");
1673 return 0; /* failed */
1674 }
1675
1676 /* Only overwrite with preferred values */
1677 if (preferred == 0)
1678 return 1; /* ok, but no change */
1679 }
1680
1681 colorspace->end_points_xy = *xy;
1682 colorspace->end_points_XYZ = *XYZ;
1683 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1684
1685 /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1686 * on this test.
1687 */
1688 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1689 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1690
1691 else
1692 colorspace->flags &= PNG_COLORSPACE_CANCEL(
1693 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1694
1695 return 2; /* ok and changed */
1696}
1697
1698int /* PRIVATE */
1699png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1700 png_colorspacerp colorspace, const png_xy *xy, int preferred)
1701{
1702 /* We must check the end points to ensure they are reasonable - in the past
1703 * color management systems have crashed as a result of getting bogus
1704 * colorant values, while this isn't the fault of libpng it is the
1705 * responsibility of libpng because PNG carries the bomb and libpng is in a
1706 * position to protect against it.
1707 */
1708 png_XYZ XYZ;
1709
1710 switch (png_colorspace_check_xy(&XYZ, xy))
1711 {
1712 case 0: /* success */
1713 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1714 preferred);
1715
1716 case 1:
1717 /* We can't invert the chromaticities so we can't produce value XYZ
1718 * values. Likely as not a color management system will fail too.
1719 */
1720 colorspace->flags |= PNG_COLORSPACE_INVALID;
1721 png_benign_error(png_ptr, "invalid chromaticities");
1722 break;
1723
1724 default:
1725 /* libpng is broken; this should be a warning but if it happens we
1726 * want error reports so for the moment it is an error.
1727 */
1728 colorspace->flags |= PNG_COLORSPACE_INVALID;
1729 png_error(png_ptr, "internal error checking chromaticities");
1730 }
1731
1732 return 0; /* failed */
1733}
1734
1735int /* PRIVATE */
1736png_colorspace_set_endpoints(png_const_structrp png_ptr,
1737 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1738{
1739 png_XYZ XYZ = *XYZ_in;
1740 png_xy xy;
1741
1742 switch (png_colorspace_check_XYZ(&xy, &XYZ))
1743 {
1744 case 0:
1745 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1746 preferred);
1747
1748 case 1:
1749 /* End points are invalid. */
1750 colorspace->flags |= PNG_COLORSPACE_INVALID;
1751 png_benign_error(png_ptr, "invalid end points");
1752 break;
1753
1754 default:
1755 colorspace->flags |= PNG_COLORSPACE_INVALID;
1756 png_error(png_ptr, "internal error checking chromaticities");
1757 }
1758
1759 return 0; /* failed */
1760}
1761
1762#if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1763/* Error message generation */
1764static char
1765png_icc_tag_char(png_uint_32 byte)
1766{
1767 byte &= 0xff;
1768 if (byte >= 32 && byte <= 126)
1769 return (char)byte;
1770 else
1771 return '?';
1772}
1773
1774static void
1775png_icc_tag_name(char *name, png_uint_32 tag)
1776{
1777 name[0] = '\'';
1778 name[1] = png_icc_tag_char(tag >> 24);
1779 name[2] = png_icc_tag_char(tag >> 16);
1780 name[3] = png_icc_tag_char(tag >> 8);
1781 name[4] = png_icc_tag_char(tag );
1782 name[5] = '\'';
1783}
1784
1785static int
1786is_ICC_signature_char(png_alloc_size_t it)
1787{
1788 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1789 (it >= 97 && it <= 122);
1790}
1791
1792static int
1793is_ICC_signature(png_alloc_size_t it)
1794{
1795 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1796 is_ICC_signature_char((it >> 16) & 0xff) &&
1797 is_ICC_signature_char((it >> 8) & 0xff) &&
1798 is_ICC_signature_char(it & 0xff);
1799}
1800
1801static int
1802png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1803 png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1804{
1805 size_t pos;
1806 char message[196]; /* see below for calculation */
1807
1808 if (colorspace != NULL)
1809 colorspace->flags |= PNG_COLORSPACE_INVALID;
1810
1811 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1812 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1813 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1814 if (is_ICC_signature(value) != 0)
1815 {
1816 /* So 'value' is at most 4 bytes and the following cast is safe */
1817 png_icc_tag_name(message+pos, (png_uint_32)value);
1818 pos += 6; /* total +8; less than the else clause */
1819 message[pos++] = ':';
1820 message[pos++] = ' ';
1821 }
1822# ifdef PNG_WARNINGS_SUPPORTED
1823 else
1824 {
1825 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114 */
1826
1827 pos = png_safecat(message, (sizeof message), pos,
1828 png_format_number(number, number+(sizeof number),
1829 PNG_NUMBER_FORMAT_x, value));
1830 pos = png_safecat(message, (sizeof message), pos, "h: "); /* +2 = 116 */
1831 }
1832# endif
1833 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1834 pos = png_safecat(message, (sizeof message), pos, reason);
1835 PNG_UNUSED(pos)
1836
1837 /* This is recoverable, but make it unconditionally an app_error on write to
1838 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1839 * on read, with a warning, but on write unless the app turns off
1840 * application errors the PNG won't be written.)
1841 */
1842 png_chunk_report(png_ptr, message,
1843 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1844
1845 return 0;
1846}
1847#endif /* sRGB || iCCP */
1848
1849#ifdef PNG_sRGB_SUPPORTED
1850int /* PRIVATE */
1851png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1852 int intent)
1853{
1854 /* sRGB sets known gamma, end points and (from the chunk) intent. */
1855 /* IMPORTANT: these are not necessarily the values found in an ICC profile
1856 * because ICC profiles store values adapted to a D50 environment; it is
1857 * expected that the ICC profile mediaWhitePointTag will be D50; see the
1858 * checks and code elsewhere to understand this better.
1859 *
1860 * These XYZ values, which are accurate to 5dp, produce rgb to gray
1861 * coefficients of (6968,23435,2366), which are reduced (because they add up
1862 * to 32769 not 32768) to (6968,23434,2366). These are the values that
1863 * libpng has traditionally used (and are the best values given the 15bit
1864 * algorithm used by the rgb to gray code.)
1865 */
1866 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1867 {
1868 /* color X Y Z */
1869 /* red */ 41239, 21264, 1933,
1870 /* green */ 35758, 71517, 11919,
1871 /* blue */ 18048, 7219, 95053
1872 };
1873
1874 /* Do nothing if the colorspace is already invalidated. */
1875 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1876 return 0;
1877
1878 /* Check the intent, then check for existing settings. It is valid for the
1879 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1880 * be consistent with the correct values. If, however, this function is
1881 * called below because an iCCP chunk matches sRGB then it is quite
1882 * conceivable that an older app recorded incorrect gAMA and cHRM because of
1883 * an incorrect calculation based on the values in the profile - this does
1884 * *not* invalidate the profile (though it still produces an error, which can
1885 * be ignored.)
1886 */
1887 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1888 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1889 (png_alloc_size_t)intent, "invalid sRGB rendering intent");
1890
1891 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1892 colorspace->rendering_intent != intent)
1893 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1894 (png_alloc_size_t)intent, "inconsistent rendering intents");
1895
1896 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1897 {
1898 png_benign_error(png_ptr, "duplicate sRGB information ignored");
1899 return 0;
1900 }
1901
1902 /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1903 * warn but overwrite the value with the correct one.
1904 */
1905 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1906 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1907 100))
1908 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1909 PNG_CHUNK_ERROR);
1910
1911 /* This check is just done for the error reporting - the routine always
1912 * returns true when the 'from' argument corresponds to sRGB (2).
1913 */
1914 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1915 2/*from sRGB*/);
1916
1917 /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1918 colorspace->rendering_intent = (png_uint_16)intent;
1919 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1920
1921 /* endpoints */
1922 colorspace->end_points_xy = sRGB_xy;
1923 colorspace->end_points_XYZ = sRGB_XYZ;
1924 colorspace->flags |=
1925 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1926
1927 /* gamma */
1928 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1929 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1930
1931 /* Finally record that we have an sRGB profile */
1932 colorspace->flags |=
1933 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1934
1935 return 1; /* set */
1936}
1937#endif /* sRGB */
1938
1939#ifdef PNG_iCCP_SUPPORTED
1940/* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value
1941 * is XYZ(0.9642,1.0,0.8249), which scales to:
1942 *
1943 * (63189.8112, 65536, 54060.6464)
1944 */
1945static const png_byte D50_nCIEXYZ[12] =
1946 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1947
1948static int /* bool */
1949icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1950 png_const_charp name, png_uint_32 profile_length)
1951{
1952 if (profile_length < 132)
1953 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1954 "too short");
1955 return 1;
1956}
1957
1958#ifdef PNG_READ_iCCP_SUPPORTED
1959int /* PRIVATE */
1960png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1961 png_const_charp name, png_uint_32 profile_length)
1962{
1963 if (!icc_check_length(png_ptr, colorspace, name, profile_length))
1964 return 0;
1965
1966 /* This needs to be here because the 'normal' check is in
1967 * png_decompress_chunk, yet this happens after the attempt to
1968 * png_malloc_base the required data. We only need this on read; on write
1969 * the caller supplies the profile buffer so libpng doesn't allocate it. See
1970 * the call to icc_check_length below (the write case).
1971 */
1972# ifdef PNG_SET_USER_LIMITS_SUPPORTED
1973 else if (png_ptr->user_chunk_malloc_max > 0 &&
1974 png_ptr->user_chunk_malloc_max < profile_length)
1975 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1976 "exceeds application limits");
1977# elif PNG_USER_CHUNK_MALLOC_MAX > 0
1978 else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
1979 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1980 "exceeds libpng limits");
1981# else /* !SET_USER_LIMITS */
1982 /* This will get compiled out on all 32-bit and better systems. */
1983 else if (PNG_SIZE_MAX < profile_length)
1984 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1985 "exceeds system limits");
1986# endif /* !SET_USER_LIMITS */
1987
1988 return 1;
1989}
1990#endif /* READ_iCCP */
1991
1992int /* PRIVATE */
1993png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
1994 png_const_charp name, png_uint_32 profile_length,
1995 png_const_bytep profile/* first 132 bytes only */, int color_type)
1996{
1997 png_uint_32 temp;
1998
1999 /* Length check; this cannot be ignored in this code because profile_length
2000 * is used later to check the tag table, so even if the profile seems over
2001 * long profile_length from the caller must be correct. The caller can fix
2002 * this up on read or write by just passing in the profile header length.
2003 */
2004 temp = png_get_uint_32(profile);
2005 if (temp != profile_length)
2006 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2007 "length does not match profile");
2008
2009 temp = (png_uint_32) (*(profile+8));
2010 if (temp > 3 && (profile_length & 3))
2011 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2012 "invalid length");
2013
2014 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
2015 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
2016 profile_length < 132+12*temp) /* truncated tag table */
2017 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2018 "tag count too large");
2019
2020 /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2021 * 16 bits.
2022 */
2023 temp = png_get_uint_32(profile+64);
2024 if (temp >= 0xffff) /* The ICC limit */
2025 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2026 "invalid rendering intent");
2027
2028 /* This is just a warning because the profile may be valid in future
2029 * versions.
2030 */
2031 if (temp >= PNG_sRGB_INTENT_LAST)
2032 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2033 "intent outside defined range");
2034
2035 /* At this point the tag table can't be checked because it hasn't necessarily
2036 * been loaded; however, various header fields can be checked. These checks
2037 * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2038 * restricts the profiles that can be passed in an iCCP chunk (they must be
2039 * appropriate to processing PNG data!)
2040 */
2041
2042 /* Data checks (could be skipped). These checks must be independent of the
2043 * version number; however, the version number doesn't accommodate changes in
2044 * the header fields (just the known tags and the interpretation of the
2045 * data.)
2046 */
2047 temp = png_get_uint_32(profile+36); /* signature 'ascp' */
2048 if (temp != 0x61637370)
2049 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2050 "invalid signature");
2051
2052 /* Currently the PCS illuminant/adopted white point (the computational
2053 * white point) are required to be D50,
2054 * however the profile contains a record of the illuminant so perhaps ICC
2055 * expects to be able to change this in the future (despite the rationale in
2056 * the introduction for using a fixed PCS adopted white.) Consequently the
2057 * following is just a warning.
2058 */
2059 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2060 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2061 "PCS illuminant is not D50");
2062
2063 /* The PNG spec requires this:
2064 * "If the iCCP chunk is present, the image samples conform to the colour
2065 * space represented by the embedded ICC profile as defined by the
2066 * International Color Consortium [ICC]. The colour space of the ICC profile
2067 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2068 * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2069 * and 4)."
2070 *
2071 * This checking code ensures the embedded profile (on either read or write)
2072 * conforms to the specification requirements. Notice that an ICC 'gray'
2073 * color-space profile contains the information to transform the monochrome
2074 * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2075 * should be used in preference to the standard libpng K channel replication
2076 * into R, G and B channels.
2077 *
2078 * Previously it was suggested that an RGB profile on grayscale data could be
2079 * handled. However it it is clear that using an RGB profile in this context
2080 * must be an error - there is no specification of what it means. Thus it is
2081 * almost certainly more correct to ignore the profile.
2082 */
2083 temp = png_get_uint_32(profile+16); /* data colour space field */
2084 switch (temp)
2085 {
2086 case 0x52474220: /* 'RGB ' */
2087 if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2088 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2089 "RGB color space not permitted on grayscale PNG");
2090 break;
2091
2092 case 0x47524159: /* 'GRAY' */
2093 if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2094 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2095 "Gray color space not permitted on RGB PNG");
2096 break;
2097
2098 default:
2099 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2100 "invalid ICC profile color space");
2101 }
2102
2103 /* It is up to the application to check that the profile class matches the
2104 * application requirements; the spec provides no guidance, but it's pretty
2105 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2106 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these
2107 * cases. Issue an error for device link or abstract profiles - these don't
2108 * contain the records necessary to transform the color-space to anything
2109 * other than the target device (and not even that for an abstract profile).
2110 * Profiles of these classes may not be embedded in images.
2111 */
2112 temp = png_get_uint_32(profile+12); /* profile/device class */
2113 switch (temp)
2114 {
2115 case 0x73636e72: /* 'scnr' */
2116 case 0x6d6e7472: /* 'mntr' */
2117 case 0x70727472: /* 'prtr' */
2118 case 0x73706163: /* 'spac' */
2119 /* All supported */
2120 break;
2121
2122 case 0x61627374: /* 'abst' */
2123 /* May not be embedded in an image */
2124 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2125 "invalid embedded Abstract ICC profile");
2126
2127 case 0x6c696e6b: /* 'link' */
2128 /* DeviceLink profiles cannot be interpreted in a non-device specific
2129 * fashion, if an app uses the AToB0Tag in the profile the results are
2130 * undefined unless the result is sent to the intended device,
2131 * therefore a DeviceLink profile should not be found embedded in a
2132 * PNG.
2133 */
2134 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2135 "unexpected DeviceLink ICC profile class");
2136
2137 case 0x6e6d636c: /* 'nmcl' */
2138 /* A NamedColor profile is also device specific, however it doesn't
2139 * contain an AToB0 tag that is open to misinterpretation. Almost
2140 * certainly it will fail the tests below.
2141 */
2142 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2143 "unexpected NamedColor ICC profile class");
2144 break;
2145
2146 default:
2147 /* To allow for future enhancements to the profile accept unrecognized
2148 * profile classes with a warning, these then hit the test below on the
2149 * tag content to ensure they are backward compatible with one of the
2150 * understood profiles.
2151 */
2152 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2153 "unrecognized ICC profile class");
2154 break;
2155 }
2156
2157 /* For any profile other than a device link one the PCS must be encoded
2158 * either in XYZ or Lab.
2159 */
2160 temp = png_get_uint_32(profile+20);
2161 switch (temp)
2162 {
2163 case 0x58595a20: /* 'XYZ ' */
2164 case 0x4c616220: /* 'Lab ' */
2165 break;
2166
2167 default:
2168 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2169 "unexpected ICC PCS encoding");
2170 }
2171
2172 return 1;
2173}
2174
2175int /* PRIVATE */
2176png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2177 png_const_charp name, png_uint_32 profile_length,
2178 png_const_bytep profile /* header plus whole tag table */)
2179{
2180 png_uint_32 tag_count = png_get_uint_32(profile+128);
2181 png_uint_32 itag;
2182 png_const_bytep tag = profile+132; /* The first tag */
2183
2184 /* First scan all the tags in the table and add bits to the icc_info value
2185 * (temporarily in 'tags').
2186 */
2187 for (itag=0; itag < tag_count; ++itag, tag += 12)
2188 {
2189 png_uint_32 tag_id = png_get_uint_32(tag+0);
2190 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2191 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2192
2193 /* The ICC specification does not exclude zero length tags, therefore the
2194 * start might actually be anywhere if there is no data, but this would be
2195 * a clear abuse of the intent of the standard so the start is checked for
2196 * being in range. All defined tag types have an 8 byte header - a 4 byte
2197 * type signature then 0.
2198 */
2199
2200 /* This is a hard error; potentially it can cause read outside the
2201 * profile.
2202 */
2203 if (tag_start > profile_length || tag_length > profile_length - tag_start)
2204 return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2205 "ICC profile tag outside profile");
2206
2207 if ((tag_start & 3) != 0)
2208 {
2209 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is
2210 * only a warning here because libpng does not care about the
2211 * alignment.
2212 */
2213 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2214 "ICC profile tag start not a multiple of 4");
2215 }
2216 }
2217
2218 return 1; /* success, maybe with warnings */
2219}
2220
2221#ifdef PNG_sRGB_SUPPORTED
2222#if PNG_sRGB_PROFILE_CHECKS >= 0
2223/* Information about the known ICC sRGB profiles */
2224static const struct
2225{
2226 png_uint_32 adler, crc, length;
2227 png_uint_32 md5[4];
2228 png_byte have_md5;
2229 png_byte is_broken;
2230 png_uint_16 intent;
2231
2232# define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2233# define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2234 { adler, crc, length, md5, broke, intent },
2235
2236} png_sRGB_checks[] =
2237{
2238 /* This data comes from contrib/tools/checksum-icc run on downloads of
2239 * all four ICC sRGB profiles from www.color.org.
2240 */
2241 /* adler32, crc32, MD5[4], intent, date, length, file-name */
2242 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2243 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2244 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2245
2246 /* ICC sRGB v2 perceptual no black-compensation: */
2247 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2248 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2249 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2250
2251 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2252 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2253 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2254
2255 /* ICC sRGB v4 perceptual */
2256 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2257 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2258 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2259
2260 /* The following profiles have no known MD5 checksum. If there is a match
2261 * on the (empty) MD5 the other fields are used to attempt a match and
2262 * a warning is produced. The first two of these profiles have a 'cprt' tag
2263 * which suggests that they were also made by Hewlett Packard.
2264 */
2265 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2266 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2267 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2268
2269 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2270 * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2271 * so the white point is recorded as the un-adapted value.) The profiles
2272 * below only differ in one byte - the intent - and are basically the same as
2273 * the previous profile except for the mediaWhitePointTag error and a missing
2274 * chromaticAdaptationTag.
2275 */
2276 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2277 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2278 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2279
2280 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2281 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2282 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2283};
2284
2285static int
2286png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2287 png_const_bytep profile, uLong adler)
2288{
2289 /* The quick check is to verify just the MD5 signature and trust the
2290 * rest of the data. Because the profile has already been verified for
2291 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent'
2292 * field too, so if the profile has been edited with an intent not defined
2293 * by sRGB (but maybe defined by a later ICC specification) the read of
2294 * the profile will fail at that point.
2295 */
2296
2297 png_uint_32 length = 0;
2298 png_uint_32 intent = 0x10000; /* invalid */
2299#if PNG_sRGB_PROFILE_CHECKS > 1
2300 uLong crc = 0; /* the value for 0 length data */
2301#endif
2302 unsigned int i;
2303
2304#ifdef PNG_SET_OPTION_SUPPORTED
2305 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2306 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2307 PNG_OPTION_ON)
2308 return 0;
2309#endif
2310
2311 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2312 {
2313 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2314 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2315 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2316 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2317 {
2318 /* This may be one of the old HP profiles without an MD5, in that
2319 * case we can only use the length and Adler32 (note that these
2320 * are not used by default if there is an MD5!)
2321 */
2322# if PNG_sRGB_PROFILE_CHECKS == 0
2323 if (png_sRGB_checks[i].have_md5 != 0)
2324 return 1+png_sRGB_checks[i].is_broken;
2325# endif
2326
2327 /* Profile is unsigned or more checks have been configured in. */
2328 if (length == 0)
2329 {
2330 length = png_get_uint_32(profile);
2331 intent = png_get_uint_32(profile+64);
2332 }
2333
2334 /* Length *and* intent must match */
2335 if (length == (png_uint_32) png_sRGB_checks[i].length &&
2336 intent == (png_uint_32) png_sRGB_checks[i].intent)
2337 {
2338 /* Now calculate the adler32 if not done already. */
2339 if (adler == 0)
2340 {
2341 adler = adler32(0, NULL, 0);
2342 adler = adler32(adler, profile, length);
2343 }
2344
2345 if (adler == png_sRGB_checks[i].adler)
2346 {
2347 /* These basic checks suggest that the data has not been
2348 * modified, but if the check level is more than 1 perform
2349 * our own crc32 checksum on the data.
2350 */
2351# if PNG_sRGB_PROFILE_CHECKS > 1
2352 if (crc == 0)
2353 {
2354 crc = crc32(0, NULL, 0);
2355 crc = crc32(crc, profile, length);
2356 }
2357
2358 /* So this check must pass for the 'return' below to happen.
2359 */
2360 if (crc == png_sRGB_checks[i].crc)
2361# endif
2362 {
2363 if (png_sRGB_checks[i].is_broken != 0)
2364 {
2365 /* These profiles are known to have bad data that may cause
2366 * problems if they are used, therefore attempt to
2367 * discourage their use, skip the 'have_md5' warning below,
2368 * which is made irrelevant by this error.
2369 */
2370 png_chunk_report(png_ptr, "known incorrect sRGB profile",
2371 PNG_CHUNK_ERROR);
2372 }
2373
2374 /* Warn that this being done; this isn't even an error since
2375 * the profile is perfectly valid, but it would be nice if
2376 * people used the up-to-date ones.
2377 */
2378 else if (png_sRGB_checks[i].have_md5 == 0)
2379 {
2380 png_chunk_report(png_ptr,
2381 "out-of-date sRGB profile with no signature",
2382 PNG_CHUNK_WARNING);
2383 }
2384
2385 return 1+png_sRGB_checks[i].is_broken;
2386 }
2387 }
2388
2389# if PNG_sRGB_PROFILE_CHECKS > 0
2390 /* The signature matched, but the profile had been changed in some
2391 * way. This probably indicates a data error or uninformed hacking.
2392 * Fall through to "no match".
2393 */
2394 png_chunk_report(png_ptr,
2395 "Not recognizing known sRGB profile that has been edited",
2396 PNG_CHUNK_WARNING);
2397 break;
2398# endif
2399 }
2400 }
2401 }
2402
2403 return 0; /* no match */
2404}
2405
2406void /* PRIVATE */
2407png_icc_set_sRGB(png_const_structrp png_ptr,
2408 png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2409{
2410 /* Is this profile one of the known ICC sRGB profiles? If it is, just set
2411 * the sRGB information.
2412 */
2413 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2414 (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2415 (int)/*already checked*/png_get_uint_32(profile+64));
2416}
2417#endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2418#endif /* sRGB */
2419
2420int /* PRIVATE */
2421png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2422 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2423 int color_type)
2424{
2425 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2426 return 0;
2427
2428 if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2429 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2430 color_type) != 0 &&
2431 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2432 profile) != 0)
2433 {
2434# if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2435 /* If no sRGB support, don't try storing sRGB information */
2436 png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2437# endif
2438 return 1;
2439 }
2440
2441 /* Failure case */
2442 return 0;
2443}
2444#endif /* iCCP */
2445
2446#ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2447void /* PRIVATE */
2448png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2449{
2450 /* Set the rgb_to_gray coefficients from the colorspace. */
2451 if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2452 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2453 {
2454 /* png_set_background has not been called, get the coefficients from the Y
2455 * values of the colorspace colorants.
2456 */
2457 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2458 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2459 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2460 png_fixed_point total = r+g+b;
2461
2462 if (total > 0 &&
2463 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2464 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2465 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2466 r+g+b <= 32769)
2467 {
2468 /* We allow 0 coefficients here. r+g+b may be 32769 if two or
2469 * all of the coefficients were rounded up. Handle this by
2470 * reducing the *largest* coefficient by 1; this matches the
2471 * approach used for the default coefficients in pngrtran.c
2472 */
2473 int add = 0;
2474
2475 if (r+g+b > 32768)
2476 add = -1;
2477 else if (r+g+b < 32768)
2478 add = 1;
2479
2480 if (add != 0)
2481 {
2482 if (g >= r && g >= b)
2483 g += add;
2484 else if (r >= g && r >= b)
2485 r += add;
2486 else
2487 b += add;
2488 }
2489
2490 /* Check for an internal error. */
2491 if (r+g+b != 32768)
2492 png_error(png_ptr,
2493 "internal error handling cHRM coefficients");
2494
2495 else
2496 {
2497 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r;
2498 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2499 }
2500 }
2501
2502 /* This is a png_error at present even though it could be ignored -
2503 * it should never happen, but it is important that if it does, the
2504 * bug is fixed.
2505 */
2506 else
2507 png_error(png_ptr, "internal error handling cHRM->XYZ");
2508 }
2509}
2510#endif /* READ_RGB_TO_GRAY */
2511
2512#endif /* COLORSPACE */
2513
2514void /* PRIVATE */
2515png_check_IHDR(png_const_structrp png_ptr,
2516 png_uint_32 width, png_uint_32 height, int bit_depth,
2517 int color_type, int interlace_type, int compression_type,
2518 int filter_type)
2519{
2520 int error = 0;
2521
2522 /* Check for width and height valid values */
2523 if (width == 0)
2524 {
2525 png_warning(png_ptr, "Image width is zero in IHDR");
2526 error = 1;
2527 }
2528
2529 if (width > PNG_UINT_31_MAX)
2530 {
2531 png_warning(png_ptr, "Invalid image width in IHDR");
2532 error = 1;
2533 }
2534
2535 /* The bit mask on the first line below must be at least as big as a
2536 * png_uint_32. "~7U" is not adequate on 16-bit systems because it will
2537 * be an unsigned 16-bit value. Casting to (png_alloc_size_t) makes the
2538 * type of the result at least as bit (in bits) as the RHS of the > operator
2539 * which also avoids a common warning on 64-bit systems that the comparison
2540 * of (png_uint_32) against the constant value on the RHS will always be
2541 * false.
2542 */
2543 if (((width + 7) & ~(png_alloc_size_t)7) >
2544 (((PNG_SIZE_MAX
2545 - 48 /* big_row_buf hack */
2546 - 1) /* filter byte */
2547 / 8) /* 8-byte RGBA pixels */
2548 - 1)) /* extra max_pixel_depth pad */
2549 {
2550 /* The size of the row must be within the limits of this architecture.
2551 * Because the read code can perform arbitrary transformations the
2552 * maximum size is checked here. Because the code in png_read_start_row
2553 * adds extra space "for safety's sake" in several places a conservative
2554 * limit is used here.
2555 *
2556 * NOTE: it would be far better to check the size that is actually used,
2557 * but the effect in the real world is minor and the changes are more
2558 * extensive, therefore much more dangerous and much more difficult to
2559 * write in a way that avoids compiler warnings.
2560 */
2561 png_warning(png_ptr, "Image width is too large for this architecture");
2562 error = 1;
2563 }
2564
2565#ifdef PNG_SET_USER_LIMITS_SUPPORTED
2566 if (width > png_ptr->user_width_max)
2567#else
2568 if (width > PNG_USER_WIDTH_MAX)
2569#endif
2570 {
2571 png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2572 error = 1;
2573 }
2574
2575 if (height == 0)
2576 {
2577 png_warning(png_ptr, "Image height is zero in IHDR");
2578 error = 1;
2579 }
2580
2581 if (height > PNG_UINT_31_MAX)
2582 {
2583 png_warning(png_ptr, "Invalid image height in IHDR");
2584 error = 1;
2585 }
2586
2587#ifdef PNG_SET_USER_LIMITS_SUPPORTED
2588 if (height > png_ptr->user_height_max)
2589#else
2590 if (height > PNG_USER_HEIGHT_MAX)
2591#endif
2592 {
2593 png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2594 error = 1;
2595 }
2596
2597 /* Check other values */
2598 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2599 bit_depth != 8 && bit_depth != 16)
2600 {
2601 png_warning(png_ptr, "Invalid bit depth in IHDR");
2602 error = 1;
2603 }
2604
2605 if (color_type < 0 || color_type == 1 ||
2606 color_type == 5 || color_type > 6)
2607 {
2608 png_warning(png_ptr, "Invalid color type in IHDR");
2609 error = 1;
2610 }
2611
2612 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2613 ((color_type == PNG_COLOR_TYPE_RGB ||
2614 color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2615 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2616 {
2617 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2618 error = 1;
2619 }
2620
2621 if (interlace_type >= PNG_INTERLACE_LAST)
2622 {
2623 png_warning(png_ptr, "Unknown interlace method in IHDR");
2624 error = 1;
2625 }
2626
2627 if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2628 {
2629 png_warning(png_ptr, "Unknown compression method in IHDR");
2630 error = 1;
2631 }
2632
2633#ifdef PNG_MNG_FEATURES_SUPPORTED
2634 /* Accept filter_method 64 (intrapixel differencing) only if
2635 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2636 * 2. Libpng did not read a PNG signature (this filter_method is only
2637 * used in PNG datastreams that are embedded in MNG datastreams) and
2638 * 3. The application called png_permit_mng_features with a mask that
2639 * included PNG_FLAG_MNG_FILTER_64 and
2640 * 4. The filter_method is 64 and
2641 * 5. The color_type is RGB or RGBA
2642 */
2643 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2644 png_ptr->mng_features_permitted != 0)
2645 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2646
2647 if (filter_type != PNG_FILTER_TYPE_BASE)
2648 {
2649 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2650 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2651 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2652 (color_type == PNG_COLOR_TYPE_RGB ||
2653 color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2654 {
2655 png_warning(png_ptr, "Unknown filter method in IHDR");
2656 error = 1;
2657 }
2658
2659 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2660 {
2661 png_warning(png_ptr, "Invalid filter method in IHDR");
2662 error = 1;
2663 }
2664 }
2665
2666#else
2667 if (filter_type != PNG_FILTER_TYPE_BASE)
2668 {
2669 png_warning(png_ptr, "Unknown filter method in IHDR");
2670 error = 1;
2671 }
2672#endif
2673
2674 if (error == 1)
2675 png_error(png_ptr, "Invalid IHDR data");
2676}
2677
2678#if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2679/* ASCII to fp functions */
2680/* Check an ASCII formatted floating point value, see the more detailed
2681 * comments in pngpriv.h
2682 */
2683/* The following is used internally to preserve the sticky flags */
2684#define png_fp_add(state, flags) ((state) |= (flags))
2685#define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2686
2687int /* PRIVATE */
2688png_check_fp_number(png_const_charp string, size_t size, int *statep,
2689 size_t *whereami)
2690{
2691 int state = *statep;
2692 size_t i = *whereami;
2693
2694 while (i < size)
2695 {
2696 int type;
2697 /* First find the type of the next character */
2698 switch (string[i])
2699 {
2700 case 43: type = PNG_FP_SAW_SIGN; break;
2701 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2702 case 46: type = PNG_FP_SAW_DOT; break;
2703 case 48: type = PNG_FP_SAW_DIGIT; break;
2704 case 49: case 50: case 51: case 52:
2705 case 53: case 54: case 55: case 56:
2706 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2707 case 69:
2708 case 101: type = PNG_FP_SAW_E; break;
2709 default: goto PNG_FP_End;
2710 }
2711
2712 /* Now deal with this type according to the current
2713 * state, the type is arranged to not overlap the
2714 * bits of the PNG_FP_STATE.
2715 */
2716 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2717 {
2718 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2719 if ((state & PNG_FP_SAW_ANY) != 0)
2720 goto PNG_FP_End; /* not a part of the number */
2721
2722 png_fp_add(state, type);
2723 break;
2724
2725 case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2726 /* Ok as trailer, ok as lead of fraction. */
2727 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2728 goto PNG_FP_End;
2729
2730 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2731 png_fp_add(state, type);
2732
2733 else
2734 png_fp_set(state, PNG_FP_FRACTION | type);
2735
2736 break;
2737
2738 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2739 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2740 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2741
2742 png_fp_add(state, type | PNG_FP_WAS_VALID);
2743
2744 break;
2745
2746 case PNG_FP_INTEGER + PNG_FP_SAW_E:
2747 if ((state & PNG_FP_SAW_DIGIT) == 0)
2748 goto PNG_FP_End;
2749
2750 png_fp_set(state, PNG_FP_EXPONENT);
2751
2752 break;
2753
2754 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2755 goto PNG_FP_End; ** no sign in fraction */
2756
2757 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2758 goto PNG_FP_End; ** Because SAW_DOT is always set */
2759
2760 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2761 png_fp_add(state, type | PNG_FP_WAS_VALID);
2762 break;
2763
2764 case PNG_FP_FRACTION + PNG_FP_SAW_E:
2765 /* This is correct because the trailing '.' on an
2766 * integer is handled above - so we can only get here
2767 * with the sequence ".E" (with no preceding digits).
2768 */
2769 if ((state & PNG_FP_SAW_DIGIT) == 0)
2770 goto PNG_FP_End;
2771
2772 png_fp_set(state, PNG_FP_EXPONENT);
2773
2774 break;
2775
2776 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2777 if ((state & PNG_FP_SAW_ANY) != 0)
2778 goto PNG_FP_End; /* not a part of the number */
2779
2780 png_fp_add(state, PNG_FP_SAW_SIGN);
2781
2782 break;
2783
2784 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2785 goto PNG_FP_End; */
2786
2787 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2788 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2789
2790 break;
2791
2792 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2793 goto PNG_FP_End; */
2794
2795 default: goto PNG_FP_End; /* I.e. break 2 */
2796 }
2797
2798 /* The character seems ok, continue. */
2799 ++i;
2800 }
2801
2802PNG_FP_End:
2803 /* Here at the end, update the state and return the correct
2804 * return code.
2805 */
2806 *statep = state;
2807 *whereami = i;
2808
2809 return (state & PNG_FP_SAW_DIGIT) != 0;
2810}
2811
2812
2813/* The same but for a complete string. */
2814int
2815png_check_fp_string(png_const_charp string, size_t size)
2816{
2817 int state=0;
2818 size_t char_index=0;
2819
2820 if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2821 (char_index == size || string[char_index] == 0))
2822 return state /* must be non-zero - see above */;
2823
2824 return 0; /* i.e. fail */
2825}
2826#endif /* pCAL || sCAL */
2827
2828#ifdef PNG_sCAL_SUPPORTED
2829# ifdef PNG_FLOATING_POINT_SUPPORTED
2830/* Utility used below - a simple accurate power of ten from an integral
2831 * exponent.
2832 */
2833static double
2834png_pow10(int power)
2835{
2836 int recip = 0;
2837 double d = 1;
2838
2839 /* Handle negative exponent with a reciprocal at the end because
2840 * 10 is exact whereas .1 is inexact in base 2
2841 */
2842 if (power < 0)
2843 {
2844 if (power < DBL_MIN_10_EXP) return 0;
2845 recip = 1; power = -power;
2846 }
2847
2848 if (power > 0)
2849 {
2850 /* Decompose power bitwise. */
2851 double mult = 10;
2852 do
2853 {
2854 if (power & 1) d *= mult;
2855 mult *= mult;
2856 power >>= 1;
2857 }
2858 while (power > 0);
2859
2860 if (recip != 0) d = 1/d;
2861 }
2862 /* else power is 0 and d is 1 */
2863
2864 return d;
2865}
2866
2867/* Function to format a floating point value in ASCII with a given
2868 * precision.
2869 */
2870void /* PRIVATE */
2871png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, size_t size,
2872 double fp, unsigned int precision)
2873{
2874 /* We use standard functions from math.h, but not printf because
2875 * that would require stdio. The caller must supply a buffer of
2876 * sufficient size or we will png_error. The tests on size and
2877 * the space in ascii[] consumed are indicated below.
2878 */
2879 if (precision < 1)
2880 precision = DBL_DIG;
2881
2882 /* Enforce the limit of the implementation precision too. */
2883 if (precision > DBL_DIG+1)
2884 precision = DBL_DIG+1;
2885
2886 /* Basic sanity checks */
2887 if (size >= precision+5) /* See the requirements below. */
2888 {
2889 if (fp < 0)
2890 {
2891 fp = -fp;
2892 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */
2893 --size;
2894 }
2895
2896 if (fp >= DBL_MIN && fp <= DBL_MAX)
2897 {
2898 int exp_b10; /* A base 10 exponent */
2899 double base; /* 10^exp_b10 */
2900
2901 /* First extract a base 10 exponent of the number,
2902 * the calculation below rounds down when converting
2903 * from base 2 to base 10 (multiply by log10(2) -
2904 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2905 * be increased. Note that the arithmetic shift
2906 * performs a floor() unlike C arithmetic - using a
2907 * C multiply would break the following for negative
2908 * exponents.
2909 */
2910 (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2911
2912 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2913
2914 /* Avoid underflow here. */
2915 base = png_pow10(exp_b10); /* May underflow */
2916
2917 while (base < DBL_MIN || base < fp)
2918 {
2919 /* And this may overflow. */
2920 double test = png_pow10(exp_b10+1);
2921
2922 if (test <= DBL_MAX)
2923 {
2924 ++exp_b10; base = test;
2925 }
2926
2927 else
2928 break;
2929 }
2930
2931 /* Normalize fp and correct exp_b10, after this fp is in the
2932 * range [.1,1) and exp_b10 is both the exponent and the digit
2933 * *before* which the decimal point should be inserted
2934 * (starting with 0 for the first digit). Note that this
2935 * works even if 10^exp_b10 is out of range because of the
2936 * test on DBL_MAX above.
2937 */
2938 fp /= base;
2939 while (fp >= 1)
2940 {
2941 fp /= 10; ++exp_b10;
2942 }
2943
2944 /* Because of the code above fp may, at this point, be
2945 * less than .1, this is ok because the code below can
2946 * handle the leading zeros this generates, so no attempt
2947 * is made to correct that here.
2948 */
2949
2950 {
2951 unsigned int czero, clead, cdigits;
2952 char exponent[10];
2953
2954 /* Allow up to two leading zeros - this will not lengthen
2955 * the number compared to using E-n.
2956 */
2957 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
2958 {
2959 czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */
2960 exp_b10 = 0; /* Dot added below before first output. */
2961 }
2962 else
2963 czero = 0; /* No zeros to add */
2964
2965 /* Generate the digit list, stripping trailing zeros and
2966 * inserting a '.' before a digit if the exponent is 0.
2967 */
2968 clead = czero; /* Count of leading zeros */
2969 cdigits = 0; /* Count of digits in list. */
2970
2971 do
2972 {
2973 double d;
2974
2975 fp *= 10;
2976 /* Use modf here, not floor and subtract, so that
2977 * the separation is done in one step. At the end
2978 * of the loop don't break the number into parts so
2979 * that the final digit is rounded.
2980 */
2981 if (cdigits+czero+1 < precision+clead)
2982 fp = modf(fp, &d);
2983
2984 else
2985 {
2986 d = floor(fp + .5);
2987
2988 if (d > 9)
2989 {
2990 /* Rounding up to 10, handle that here. */
2991 if (czero > 0)
2992 {
2993 --czero; d = 1;
2994 if (cdigits == 0) --clead;
2995 }
2996 else
2997 {
2998 while (cdigits > 0 && d > 9)
2999 {
3000 int ch = *--ascii;
3001
3002 if (exp_b10 != (-1))
3003 ++exp_b10;
3004
3005 else if (ch == 46)
3006 {
3007 ch = *--ascii; ++size;
3008 /* Advance exp_b10 to '1', so that the
3009 * decimal point happens after the
3010 * previous digit.
3011 */
3012 exp_b10 = 1;
3013 }
3014
3015 --cdigits;
3016 d = ch - 47; /* I.e. 1+(ch-48) */
3017 }
3018
3019 /* Did we reach the beginning? If so adjust the
3020 * exponent but take into account the leading
3021 * decimal point.
3022 */
3023 if (d > 9) /* cdigits == 0 */
3024 {
3025 if (exp_b10 == (-1))
3026 {
3027 /* Leading decimal point (plus zeros?), if
3028 * we lose the decimal point here it must
3029 * be reentered below.
3030 */
3031 int ch = *--ascii;
3032
3033 if (ch == 46)
3034 {
3035 ++size; exp_b10 = 1;
3036 }
3037
3038 /* Else lost a leading zero, so 'exp_b10' is
3039 * still ok at (-1)
3040 */
3041 }
3042 else
3043 ++exp_b10;
3044
3045 /* In all cases we output a '1' */
3046 d = 1;
3047 }
3048 }
3049 }
3050 fp = 0; /* Guarantees termination below. */
3051 }
3052
3053 if (d == 0)
3054 {
3055 ++czero;
3056 if (cdigits == 0) ++clead;
3057 }
3058 else
3059 {
3060 /* Included embedded zeros in the digit count. */
3061 cdigits += czero - clead;
3062 clead = 0;
3063
3064 while (czero > 0)
3065 {
3066 /* exp_b10 == (-1) means we just output the decimal
3067 * place - after the DP don't adjust 'exp_b10' any
3068 * more!
3069 */
3070 if (exp_b10 != (-1))
3071 {
3072 if (exp_b10 == 0)
3073 {
3074 *ascii++ = 46; --size;
3075 }
3076 /* PLUS 1: TOTAL 4 */
3077 --exp_b10;
3078 }
3079 *ascii++ = 48; --czero;
3080 }
3081
3082 if (exp_b10 != (-1))
3083 {
3084 if (exp_b10 == 0)
3085 {
3086 *ascii++ = 46; --size; /* counted above */
3087 }
3088
3089 --exp_b10;
3090 }
3091 *ascii++ = (char)(48 + (int)d); ++cdigits;
3092 }
3093 }
3094 while (cdigits+czero < precision+clead && fp > DBL_MIN);
3095
3096 /* The total output count (max) is now 4+precision */
3097
3098 /* Check for an exponent, if we don't need one we are
3099 * done and just need to terminate the string. At this
3100 * point, exp_b10==(-1) is effectively a flag: it got
3101 * to '-1' because of the decrement, after outputting
3102 * the decimal point above. (The exponent required is
3103 * *not* -1.)
3104 */
3105 if (exp_b10 >= (-1) && exp_b10 <= 2)
3106 {
3107 /* The following only happens if we didn't output the
3108 * leading zeros above for negative exponent, so this
3109 * doesn't add to the digit requirement. Note that the
3110 * two zeros here can only be output if the two leading
3111 * zeros were *not* output, so this doesn't increase
3112 * the output count.
3113 */
3114 while (exp_b10-- > 0) *ascii++ = 48;
3115
3116 *ascii = 0;
3117
3118 /* Total buffer requirement (including the '\0') is
3119 * 5+precision - see check at the start.
3120 */
3121 return;
3122 }
3123
3124 /* Here if an exponent is required, adjust size for
3125 * the digits we output but did not count. The total
3126 * digit output here so far is at most 1+precision - no
3127 * decimal point and no leading or trailing zeros have
3128 * been output.
3129 */
3130 size -= cdigits;
3131
3132 *ascii++ = 69; --size; /* 'E': PLUS 1 TOTAL 2+precision */
3133
3134 /* The following use of an unsigned temporary avoids ambiguities in
3135 * the signed arithmetic on exp_b10 and permits GCC at least to do
3136 * better optimization.
3137 */
3138 {
3139 unsigned int uexp_b10;
3140
3141 if (exp_b10 < 0)
3142 {
3143 *ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */
3144 uexp_b10 = 0U-exp_b10;
3145 }
3146
3147 else
3148 uexp_b10 = 0U+exp_b10;
3149
3150 cdigits = 0;
3151
3152 while (uexp_b10 > 0)
3153 {
3154 exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3155 uexp_b10 /= 10;
3156 }
3157 }
3158
3159 /* Need another size check here for the exponent digits, so
3160 * this need not be considered above.
3161 */
3162 if (size > cdigits)
3163 {
3164 while (cdigits > 0) *ascii++ = exponent[--cdigits];
3165
3166 *ascii = 0;
3167
3168 return;
3169 }
3170 }
3171 }
3172 else if (!(fp >= DBL_MIN))
3173 {
3174 *ascii++ = 48; /* '0' */
3175 *ascii = 0;
3176 return;
3177 }
3178 else
3179 {
3180 *ascii++ = 105; /* 'i' */
3181 *ascii++ = 110; /* 'n' */
3182 *ascii++ = 102; /* 'f' */
3183 *ascii = 0;
3184 return;
3185 }
3186 }
3187
3188 /* Here on buffer too small. */
3189 png_error(png_ptr, "ASCII conversion buffer too small");
3190}
3191# endif /* FLOATING_POINT */
3192
3193# ifdef PNG_FIXED_POINT_SUPPORTED
3194/* Function to format a fixed point value in ASCII.
3195 */
3196void /* PRIVATE */
3197png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3198 size_t size, png_fixed_point fp)
3199{
3200 /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3201 * trailing \0, 13 characters:
3202 */
3203 if (size > 12)
3204 {
3205 png_uint_32 num;
3206
3207 /* Avoid overflow here on the minimum integer. */
3208 if (fp < 0)
3209 {
3210 *ascii++ = 45; num = (png_uint_32)(-fp);
3211 }
3212 else
3213 num = (png_uint_32)fp;
3214
3215 if (num <= 0x80000000) /* else overflowed */
3216 {
3217 unsigned int ndigits = 0, first = 16 /* flag value */;
3218 char digits[10] = {0};
3219
3220 while (num)
3221 {
3222 /* Split the low digit off num: */
3223 unsigned int tmp = num/10;
3224 num -= tmp*10;
3225 digits[ndigits++] = (char)(48 + num);
3226 /* Record the first non-zero digit, note that this is a number
3227 * starting at 1, it's not actually the array index.
3228 */
3229 if (first == 16 && num > 0)
3230 first = ndigits;
3231 num = tmp;
3232 }
3233
3234 if (ndigits > 0)
3235 {
3236 while (ndigits > 5) *ascii++ = digits[--ndigits];
3237 /* The remaining digits are fractional digits, ndigits is '5' or
3238 * smaller at this point. It is certainly not zero. Check for a
3239 * non-zero fractional digit:
3240 */
3241 if (first <= 5)
3242 {
3243 unsigned int i;
3244 *ascii++ = 46; /* decimal point */
3245 /* ndigits may be <5 for small numbers, output leading zeros
3246 * then ndigits digits to first:
3247 */
3248 i = 5;
3249 while (ndigits < i)
3250 {
3251 *ascii++ = 48; --i;
3252 }
3253 while (ndigits >= first) *ascii++ = digits[--ndigits];
3254 /* Don't output the trailing zeros! */
3255 }
3256 }
3257 else
3258 *ascii++ = 48;
3259
3260 /* And null terminate the string: */
3261 *ascii = 0;
3262 return;
3263 }
3264 }
3265
3266 /* Here on buffer too small. */
3267 png_error(png_ptr, "ASCII conversion buffer too small");
3268}
3269# endif /* FIXED_POINT */
3270#endif /* SCAL */
3271
3272#if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3273 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3274 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3275 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3276 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3277 (defined(PNG_sCAL_SUPPORTED) && \
3278 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3279png_fixed_point
3280png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3281{
3282 double r = floor(100000 * fp + .5);
3283
3284 if (r > 2147483647. || r < -2147483648.)
3285 png_fixed_error(png_ptr, text);
3286
3287# ifndef PNG_ERROR_TEXT_SUPPORTED
3288 PNG_UNUSED(text)
3289# endif
3290
3291 return (png_fixed_point)r;
3292}
3293#endif
3294
3295#if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3296 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3297/* muldiv functions */
3298/* This API takes signed arguments and rounds the result to the nearest
3299 * integer (or, for a fixed point number - the standard argument - to
3300 * the nearest .00001). Overflow and divide by zero are signalled in
3301 * the result, a boolean - true on success, false on overflow.
3302 */
3303int
3304png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3305 png_int_32 divisor)
3306{
3307 /* Return a * times / divisor, rounded. */
3308 if (divisor != 0)
3309 {
3310 if (a == 0 || times == 0)
3311 {
3312 *res = 0;
3313 return 1;
3314 }
3315 else
3316 {
3317#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3318 double r = a;
3319 r *= times;
3320 r /= divisor;
3321 r = floor(r+.5);
3322
3323 /* A png_fixed_point is a 32-bit integer. */
3324 if (r <= 2147483647. && r >= -2147483648.)
3325 {
3326 *res = (png_fixed_point)r;
3327 return 1;
3328 }
3329#else
3330 int negative = 0;
3331 png_uint_32 A, T, D;
3332 png_uint_32 s16, s32, s00;
3333
3334 if (a < 0)
3335 negative = 1, A = -a;
3336 else
3337 A = a;
3338
3339 if (times < 0)
3340 negative = !negative, T = -times;
3341 else
3342 T = times;
3343
3344 if (divisor < 0)
3345 negative = !negative, D = -divisor;
3346 else
3347 D = divisor;
3348
3349 /* Following can't overflow because the arguments only
3350 * have 31 bits each, however the result may be 32 bits.
3351 */
3352 s16 = (A >> 16) * (T & 0xffff) +
3353 (A & 0xffff) * (T >> 16);
3354 /* Can't overflow because the a*times bit is only 30
3355 * bits at most.
3356 */
3357 s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3358 s00 = (A & 0xffff) * (T & 0xffff);
3359
3360 s16 = (s16 & 0xffff) << 16;
3361 s00 += s16;
3362
3363 if (s00 < s16)
3364 ++s32; /* carry */
3365
3366 if (s32 < D) /* else overflow */
3367 {
3368 /* s32.s00 is now the 64-bit product, do a standard
3369 * division, we know that s32 < D, so the maximum
3370 * required shift is 31.
3371 */
3372 int bitshift = 32;
3373 png_fixed_point result = 0; /* NOTE: signed */
3374
3375 while (--bitshift >= 0)
3376 {
3377 png_uint_32 d32, d00;
3378
3379 if (bitshift > 0)
3380 d32 = D >> (32-bitshift), d00 = D << bitshift;
3381
3382 else
3383 d32 = 0, d00 = D;
3384
3385 if (s32 > d32)
3386 {
3387 if (s00 < d00) --s32; /* carry */
3388 s32 -= d32, s00 -= d00, result += 1<<bitshift;
3389 }
3390
3391 else
3392 if (s32 == d32 && s00 >= d00)
3393 s32 = 0, s00 -= d00, result += 1<<bitshift;
3394 }
3395
3396 /* Handle the rounding. */
3397 if (s00 >= (D >> 1))
3398 ++result;
3399
3400 if (negative != 0)
3401 result = -result;
3402
3403 /* Check for overflow. */
3404 if ((negative != 0 && result <= 0) ||
3405 (negative == 0 && result >= 0))
3406 {
3407 *res = result;
3408 return 1;
3409 }
3410 }
3411#endif
3412 }
3413 }
3414
3415 return 0;
3416}
3417#endif /* READ_GAMMA || INCH_CONVERSIONS */
3418
3419#if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3420/* The following is for when the caller doesn't much care about the
3421 * result.
3422 */
3423png_fixed_point
3424png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3425 png_int_32 divisor)
3426{
3427 png_fixed_point result;
3428
3429 if (png_muldiv(&result, a, times, divisor) != 0)
3430 return result;
3431
3432 png_warning(png_ptr, "fixed point overflow ignored");
3433 return 0;
3434}
3435#endif
3436
3437#ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3438/* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3439png_fixed_point
3440png_reciprocal(png_fixed_point a)
3441{
3442#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3443 double r = floor(1E10/a+.5);
3444
3445 if (r <= 2147483647. && r >= -2147483648.)
3446 return (png_fixed_point)r;
3447#else
3448 png_fixed_point res;
3449
3450 if (png_muldiv(&res, 100000, 100000, a) != 0)
3451 return res;
3452#endif
3453
3454 return 0; /* error/overflow */
3455}
3456
3457/* This is the shared test on whether a gamma value is 'significant' - whether
3458 * it is worth doing gamma correction.
3459 */
3460int /* PRIVATE */
3461png_gamma_significant(png_fixed_point gamma_val)
3462{
3463 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3464 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3465}
3466#endif
3467
3468#ifdef PNG_READ_GAMMA_SUPPORTED
3469#ifdef PNG_16BIT_SUPPORTED
3470/* A local convenience routine. */
3471static png_fixed_point
3472png_product2(png_fixed_point a, png_fixed_point b)
3473{
3474 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3475#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3476 double r = a * 1E-5;
3477 r *= b;
3478 r = floor(r+.5);
3479
3480 if (r <= 2147483647. && r >= -2147483648.)
3481 return (png_fixed_point)r;
3482#else
3483 png_fixed_point res;
3484
3485 if (png_muldiv(&res, a, b, 100000) != 0)
3486 return res;
3487#endif
3488
3489 return 0; /* overflow */
3490}
3491#endif /* 16BIT */
3492
3493/* The inverse of the above. */
3494png_fixed_point
3495png_reciprocal2(png_fixed_point a, png_fixed_point b)
3496{
3497 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3498#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3499 if (a != 0 && b != 0)
3500 {
3501 double r = 1E15/a;
3502 r /= b;
3503 r = floor(r+.5);
3504
3505 if (r <= 2147483647. && r >= -2147483648.)
3506 return (png_fixed_point)r;
3507 }
3508#else
3509 /* This may overflow because the range of png_fixed_point isn't symmetric,
3510 * but this API is only used for the product of file and screen gamma so it
3511 * doesn't matter that the smallest number it can produce is 1/21474, not
3512 * 1/100000
3513 */
3514 png_fixed_point res = png_product2(a, b);
3515
3516 if (res != 0)
3517 return png_reciprocal(res);
3518#endif
3519
3520 return 0; /* overflow */
3521}
3522#endif /* READ_GAMMA */
3523
3524#ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3525#ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3526/* Fixed point gamma.
3527 *
3528 * The code to calculate the tables used below can be found in the shell script
3529 * contrib/tools/intgamma.sh
3530 *
3531 * To calculate gamma this code implements fast log() and exp() calls using only
3532 * fixed point arithmetic. This code has sufficient precision for either 8-bit
3533 * or 16-bit sample values.
3534 *
3535 * The tables used here were calculated using simple 'bc' programs, but C double
3536 * precision floating point arithmetic would work fine.
3537 *
3538 * 8-bit log table
3539 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3540 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point
3541 * mantissa. The numbers are 32-bit fractions.
3542 */
3543static const png_uint_32
3544png_8bit_l2[128] =
3545{
3546 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3547 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3548 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3549 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3550 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3551 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3552 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3553 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3554 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3555 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3556 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3557 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3558 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3559 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3560 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3561 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3562 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3563 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3564 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3565 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3566 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3567 24347096U, 0U
3568
3569#if 0
3570 /* The following are the values for 16-bit tables - these work fine for the
3571 * 8-bit conversions but produce very slightly larger errors in the 16-bit
3572 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To
3573 * use these all the shifts below must be adjusted appropriately.
3574 */
3575 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3576 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3577 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3578 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3579 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3580 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3581 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3582 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3583 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3584 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3585 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3586 1119, 744, 372
3587#endif
3588};
3589
3590static png_int_32
3591png_log8bit(unsigned int x)
3592{
3593 unsigned int lg2 = 0;
3594 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3595 * because the log is actually negate that means adding 1. The final
3596 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3597 * input), return -1 for the overflow (log 0) case, - so the result is
3598 * always at most 19 bits.
3599 */
3600 if ((x &= 0xff) == 0)
3601 return -1;
3602
3603 if ((x & 0xf0) == 0)
3604 lg2 = 4, x <<= 4;
3605
3606 if ((x & 0xc0) == 0)
3607 lg2 += 2, x <<= 2;
3608
3609 if ((x & 0x80) == 0)
3610 lg2 += 1, x <<= 1;
3611
3612 /* result is at most 19 bits, so this cast is safe: */
3613 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3614}
3615
3616/* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3617 * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3618 * get an approximation then multiply the approximation by a correction factor
3619 * determined by the remaining up to 8 bits. This requires an additional step
3620 * in the 16-bit case.
3621 *
3622 * We want log2(value/65535), we have log2(v'/255), where:
3623 *
3624 * value = v' * 256 + v''
3625 * = v' * f
3626 *
3627 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3628 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3629 * than 258. The final factor also needs to correct for the fact that our 8-bit
3630 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3631 *
3632 * This gives a final formula using a calculated value 'x' which is value/v' and
3633 * scaling by 65536 to match the above table:
3634 *
3635 * log2(x/257) * 65536
3636 *
3637 * Since these numbers are so close to '1' we can use simple linear
3638 * interpolation between the two end values 256/257 (result -368.61) and 258/257
3639 * (result 367.179). The values used below are scaled by a further 64 to give
3640 * 16-bit precision in the interpolation:
3641 *
3642 * Start (256): -23591
3643 * Zero (257): 0
3644 * End (258): 23499
3645 */
3646#ifdef PNG_16BIT_SUPPORTED
3647static png_int_32
3648png_log16bit(png_uint_32 x)
3649{
3650 unsigned int lg2 = 0;
3651
3652 /* As above, but now the input has 16 bits. */
3653 if ((x &= 0xffff) == 0)
3654 return -1;
3655
3656 if ((x & 0xff00) == 0)
3657 lg2 = 8, x <<= 8;
3658
3659 if ((x & 0xf000) == 0)
3660 lg2 += 4, x <<= 4;
3661
3662 if ((x & 0xc000) == 0)
3663 lg2 += 2, x <<= 2;
3664
3665 if ((x & 0x8000) == 0)
3666 lg2 += 1, x <<= 1;
3667
3668 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3669 * value.
3670 */
3671 lg2 <<= 28;
3672 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3673
3674 /* Now we need to interpolate the factor, this requires a division by the top
3675 * 8 bits. Do this with maximum precision.
3676 */
3677 x = ((x << 16) + (x >> 9)) / (x >> 8);
3678
3679 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3680 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3681 * 16 bits to interpolate to get the low bits of the result. Round the
3682 * answer. Note that the end point values are scaled by 64 to retain overall
3683 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3684 * the overall scaling by 6-12. Round at every step.
3685 */
3686 x -= 1U << 24;
3687
3688 if (x <= 65536U) /* <= '257' */
3689 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3690
3691 else
3692 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3693
3694 /* Safe, because the result can't have more than 20 bits: */
3695 return (png_int_32)((lg2 + 2048) >> 12);
3696}
3697#endif /* 16BIT */
3698
3699/* The 'exp()' case must invert the above, taking a 20-bit fixed point
3700 * logarithmic value and returning a 16 or 8-bit number as appropriate. In
3701 * each case only the low 16 bits are relevant - the fraction - since the
3702 * integer bits (the top 4) simply determine a shift.
3703 *
3704 * The worst case is the 16-bit distinction between 65535 and 65534. This
3705 * requires perhaps spurious accuracy in the decoding of the logarithm to
3706 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance
3707 * of getting this accuracy in practice.
3708 *
3709 * To deal with this the following exp() function works out the exponent of the
3710 * fractional part of the logarithm by using an accurate 32-bit value from the
3711 * top four fractional bits then multiplying in the remaining bits.
3712 */
3713static const png_uint_32
3714png_32bit_exp[16] =
3715{
3716 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3717 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3718 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3719 2553802834U, 2445529972U, 2341847524U, 2242560872U
3720};
3721
3722/* Adjustment table; provided to explain the numbers in the code below. */
3723#if 0
3724for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3725 11 44937.64284865548751208448
3726 10 45180.98734845585101160448
3727 9 45303.31936980687359311872
3728 8 45364.65110595323018870784
3729 7 45395.35850361789624614912
3730 6 45410.72259715102037508096
3731 5 45418.40724413220722311168
3732 4 45422.25021786898173001728
3733 3 45424.17186732298419044352
3734 2 45425.13273269940811464704
3735 1 45425.61317555035558641664
3736 0 45425.85339951654943850496
3737#endif
3738
3739static png_uint_32
3740png_exp(png_fixed_point x)
3741{
3742 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3743 {
3744 /* Obtain a 4-bit approximation */
3745 png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];
3746
3747 /* Incorporate the low 12 bits - these decrease the returned value by
3748 * multiplying by a number less than 1 if the bit is set. The multiplier
3749 * is determined by the above table and the shift. Notice that the values
3750 * converge on 45426 and this is used to allow linear interpolation of the
3751 * low bits.
3752 */
3753 if (x & 0x800)
3754 e -= (((e >> 16) * 44938U) + 16U) >> 5;
3755
3756 if (x & 0x400)
3757 e -= (((e >> 16) * 45181U) + 32U) >> 6;
3758
3759 if (x & 0x200)
3760 e -= (((e >> 16) * 45303U) + 64U) >> 7;
3761
3762 if (x & 0x100)
3763 e -= (((e >> 16) * 45365U) + 128U) >> 8;
3764
3765 if (x & 0x080)
3766 e -= (((e >> 16) * 45395U) + 256U) >> 9;
3767
3768 if (x & 0x040)
3769 e -= (((e >> 16) * 45410U) + 512U) >> 10;
3770
3771 /* And handle the low 6 bits in a single block. */
3772 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3773
3774 /* Handle the upper bits of x. */
3775 e >>= x >> 16;
3776 return e;
3777 }
3778
3779 /* Check for overflow */
3780 if (x <= 0)
3781 return png_32bit_exp[0];
3782
3783 /* Else underflow */
3784 return 0;
3785}
3786
3787static png_byte
3788png_exp8bit(png_fixed_point lg2)
3789{
3790 /* Get a 32-bit value: */
3791 png_uint_32 x = png_exp(lg2);
3792
3793 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3794 * second, rounding, step can't overflow because of the first, subtraction,
3795 * step.
3796 */
3797 x -= x >> 8;
3798 return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);
3799}
3800
3801#ifdef PNG_16BIT_SUPPORTED
3802static png_uint_16
3803png_exp16bit(png_fixed_point lg2)
3804{
3805 /* Get a 32-bit value: */
3806 png_uint_32 x = png_exp(lg2);
3807
3808 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3809 x -= x >> 16;
3810 return (png_uint_16)((x + 32767U) >> 16);
3811}
3812#endif /* 16BIT */
3813#endif /* FLOATING_ARITHMETIC */
3814
3815png_byte
3816png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3817{
3818 if (value > 0 && value < 255)
3819 {
3820# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3821 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3822 * convert this to a floating point value. This includes values that
3823 * would overflow if 'value' were to be converted to 'int'.
3824 *
3825 * Apparently GCC, however, does an intermediate conversion to (int)
3826 * on some (ARM) but not all (x86) platforms, possibly because of
3827 * hardware FP limitations. (E.g. if the hardware conversion always
3828 * assumes the integer register contains a signed value.) This results
3829 * in ANSI-C undefined behavior for large values.
3830 *
3831 * Other implementations on the same machine might actually be ANSI-C90
3832 * conformant and therefore compile spurious extra code for the large
3833 * values.
3834 *
3835 * We can be reasonably sure that an unsigned to float conversion
3836 * won't be faster than an int to float one. Therefore this code
3837 * assumes responsibility for the undefined behavior, which it knows
3838 * can't happen because of the check above.
3839 *
3840 * Note the argument to this routine is an (unsigned int) because, on
3841 * 16-bit platforms, it is assigned a value which might be out of
3842 * range for an (int); that would result in undefined behavior in the
3843 * caller if the *argument* ('value') were to be declared (int).
3844 */
3845 double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);
3846 return (png_byte)r;
3847# else
3848 png_int_32 lg2 = png_log8bit(value);
3849 png_fixed_point res;
3850
3851 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3852 return png_exp8bit(res);
3853
3854 /* Overflow. */
3855 value = 0;
3856# endif
3857 }
3858
3859 return (png_byte)(value & 0xff);
3860}
3861
3862#ifdef PNG_16BIT_SUPPORTED
3863png_uint_16
3864png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3865{
3866 if (value > 0 && value < 65535)
3867 {
3868# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3869 /* The same (unsigned int)->(double) constraints apply here as above,
3870 * however in this case the (unsigned int) to (int) conversion can
3871 * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3872 * that this is not possible.
3873 */
3874 double r = floor(65535*pow((png_int_32)value/65535.,
3875 gamma_val*.00001)+.5);
3876 return (png_uint_16)r;
3877# else
3878 png_int_32 lg2 = png_log16bit(value);
3879 png_fixed_point res;
3880
3881 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3882 return png_exp16bit(res);
3883
3884 /* Overflow. */
3885 value = 0;
3886# endif
3887 }
3888
3889 return (png_uint_16)value;
3890}
3891#endif /* 16BIT */
3892
3893/* This does the right thing based on the bit_depth field of the
3894 * png_struct, interpreting values as 8-bit or 16-bit. While the result
3895 * is nominally a 16-bit value if bit depth is 8 then the result is
3896 * 8-bit (as are the arguments.)
3897 */
3898png_uint_16 /* PRIVATE */
3899png_gamma_correct(png_structrp png_ptr, unsigned int value,
3900 png_fixed_point gamma_val)
3901{
3902 if (png_ptr->bit_depth == 8)
3903 return png_gamma_8bit_correct(value, gamma_val);
3904
3905#ifdef PNG_16BIT_SUPPORTED
3906 else
3907 return png_gamma_16bit_correct(value, gamma_val);
3908#else
3909 /* should not reach this */
3910 return 0;
3911#endif /* 16BIT */
3912}
3913
3914#ifdef PNG_16BIT_SUPPORTED
3915/* Internal function to build a single 16-bit table - the table consists of
3916 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3917 * to shift the input values right (or 16-number_of_signifiant_bits).
3918 *
3919 * The caller is responsible for ensuring that the table gets cleaned up on
3920 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3921 * should be somewhere that will be cleaned.
3922 */
3923static void
3924png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
3925 unsigned int shift, png_fixed_point gamma_val)
3926{
3927 /* Various values derived from 'shift': */
3928 unsigned int num = 1U << (8U - shift);
3929#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3930 /* CSE the division and work round wacky GCC warnings (see the comments
3931 * in png_gamma_8bit_correct for where these come from.)
3932 */
3933 double fmax = 1.0 / (((png_int_32)1 << (16U - shift)) - 1);
3934#endif
3935 unsigned int max = (1U << (16U - shift)) - 1U;
3936 unsigned int max_by_2 = 1U << (15U - shift);
3937 unsigned int i;
3938
3939 png_uint_16pp table = *ptable =
3940 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
3941
3942 for (i = 0; i < num; i++)
3943 {
3944 png_uint_16p sub_table = table[i] =
3945 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
3946
3947 /* The 'threshold' test is repeated here because it can arise for one of
3948 * the 16-bit tables even if the others don't hit it.
3949 */
3950 if (png_gamma_significant(gamma_val) != 0)
3951 {
3952 /* The old code would overflow at the end and this would cause the
3953 * 'pow' function to return a result >1, resulting in an
3954 * arithmetic error. This code follows the spec exactly; ig is
3955 * the recovered input sample, it always has 8-16 bits.
3956 *
3957 * We want input * 65535/max, rounded, the arithmetic fits in 32
3958 * bits (unsigned) so long as max <= 32767.
3959 */
3960 unsigned int j;
3961 for (j = 0; j < 256; j++)
3962 {
3963 png_uint_32 ig = (j << (8-shift)) + i;
3964# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3965 /* Inline the 'max' scaling operation: */
3966 /* See png_gamma_8bit_correct for why the cast to (int) is
3967 * required here.
3968 */
3969 double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);
3970 sub_table[j] = (png_uint_16)d;
3971# else
3972 if (shift != 0)
3973 ig = (ig * 65535U + max_by_2)/max;
3974
3975 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
3976# endif
3977 }
3978 }
3979 else
3980 {
3981 /* We must still build a table, but do it the fast way. */
3982 unsigned int j;
3983
3984 for (j = 0; j < 256; j++)
3985 {
3986 png_uint_32 ig = (j << (8-shift)) + i;
3987
3988 if (shift != 0)
3989 ig = (ig * 65535U + max_by_2)/max;
3990
3991 sub_table[j] = (png_uint_16)ig;
3992 }
3993 }
3994 }
3995}
3996
3997/* NOTE: this function expects the *inverse* of the overall gamma transformation
3998 * required.
3999 */
4000static void
4001png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
4002 unsigned int shift, png_fixed_point gamma_val)
4003{
4004 unsigned int num = 1U << (8U - shift);
4005 unsigned int max = (1U << (16U - shift))-1U;
4006 unsigned int i;
4007 png_uint_32 last;
4008
4009 png_uint_16pp table = *ptable =
4010 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4011
4012 /* 'num' is the number of tables and also the number of low bits of low
4013 * bits of the input 16-bit value used to select a table. Each table is
4014 * itself indexed by the high 8 bits of the value.
4015 */
4016 for (i = 0; i < num; i++)
4017 table[i] = (png_uint_16p)png_malloc(png_ptr,
4018 256 * (sizeof (png_uint_16)));
4019
4020 /* 'gamma_val' is set to the reciprocal of the value calculated above, so
4021 * pow(out,g) is an *input* value. 'last' is the last input value set.
4022 *
4023 * In the loop 'i' is used to find output values. Since the output is
4024 * 8-bit there are only 256 possible values. The tables are set up to
4025 * select the closest possible output value for each input by finding
4026 * the input value at the boundary between each pair of output values
4027 * and filling the table up to that boundary with the lower output
4028 * value.
4029 *
4030 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit
4031 * values the code below uses a 16-bit value in i; the values start at
4032 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4033 * entries are filled with 255). Start i at 128 and fill all 'last'
4034 * table entries <= 'max'
4035 */
4036 last = 0;
4037 for (i = 0; i < 255; ++i) /* 8-bit output value */
4038 {
4039 /* Find the corresponding maximum input value */
4040 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
4041
4042 /* Find the boundary value in 16 bits: */
4043 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
4044
4045 /* Adjust (round) to (16-shift) bits: */
4046 bound = (bound * max + 32768U)/65535U + 1U;
4047
4048 while (last < bound)
4049 {
4050 table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
4051 last++;
4052 }
4053 }
4054
4055 /* And fill in the final entries. */
4056 while (last < (num << 8))
4057 {
4058 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
4059 last++;
4060 }
4061}
4062#endif /* 16BIT */
4063
4064/* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4065 * typically much faster). Note that libpng currently does no sBIT processing
4066 * (apparently contrary to the spec) so a 256-entry table is always generated.
4067 */
4068static void
4069png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4070 png_fixed_point gamma_val)
4071{
4072 unsigned int i;
4073 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
4074
4075 if (png_gamma_significant(gamma_val) != 0)
4076 for (i=0; i<256; i++)
4077 table[i] = png_gamma_8bit_correct(i, gamma_val);
4078
4079 else
4080 for (i=0; i<256; ++i)
4081 table[i] = (png_byte)(i & 0xff);
4082}
4083
4084/* Used from png_read_destroy and below to release the memory used by the gamma
4085 * tables.
4086 */
4087void /* PRIVATE */
4088png_destroy_gamma_table(png_structrp png_ptr)
4089{
4090 png_free(png_ptr, png_ptr->gamma_table);
4091 png_ptr->gamma_table = NULL;
4092
4093#ifdef PNG_16BIT_SUPPORTED
4094 if (png_ptr->gamma_16_table != NULL)
4095 {
4096 int i;
4097 int istop = (1 << (8 - png_ptr->gamma_shift));
4098 for (i = 0; i < istop; i++)
4099 {
4100 png_free(png_ptr, png_ptr->gamma_16_table[i]);
4101 }
4102 png_free(png_ptr, png_ptr->gamma_16_table);
4103 png_ptr->gamma_16_table = NULL;
4104 }
4105#endif /* 16BIT */
4106
4107#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4108 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4109 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4110 png_free(png_ptr, png_ptr->gamma_from_1);
4111 png_ptr->gamma_from_1 = NULL;
4112 png_free(png_ptr, png_ptr->gamma_to_1);
4113 png_ptr->gamma_to_1 = NULL;
4114
4115#ifdef PNG_16BIT_SUPPORTED
4116 if (png_ptr->gamma_16_from_1 != NULL)
4117 {
4118 int i;
4119 int istop = (1 << (8 - png_ptr->gamma_shift));
4120 for (i = 0; i < istop; i++)
4121 {
4122 png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4123 }
4124 png_free(png_ptr, png_ptr->gamma_16_from_1);
4125 png_ptr->gamma_16_from_1 = NULL;
4126 }
4127 if (png_ptr->gamma_16_to_1 != NULL)
4128 {
4129 int i;
4130 int istop = (1 << (8 - png_ptr->gamma_shift));
4131 for (i = 0; i < istop; i++)
4132 {
4133 png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4134 }
4135 png_free(png_ptr, png_ptr->gamma_16_to_1);
4136 png_ptr->gamma_16_to_1 = NULL;
4137 }
4138#endif /* 16BIT */
4139#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4140}
4141
4142/* We build the 8- or 16-bit gamma tables here. Note that for 16-bit
4143 * tables, we don't make a full table if we are reducing to 8-bit in
4144 * the future. Note also how the gamma_16 tables are segmented so that
4145 * we don't need to allocate > 64K chunks for a full 16-bit table.
4146 */
4147void /* PRIVATE */
4148png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4149{
4150 png_debug(1, "in png_build_gamma_table");
4151
4152 /* Remove any existing table; this copes with multiple calls to
4153 * png_read_update_info. The warning is because building the gamma tables
4154 * multiple times is a performance hit - it's harmless but the ability to
4155 * call png_read_update_info() multiple times is new in 1.5.6 so it seems
4156 * sensible to warn if the app introduces such a hit.
4157 */
4158 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
4159 {
4160 png_warning(png_ptr, "gamma table being rebuilt");
4161 png_destroy_gamma_table(png_ptr);
4162 }
4163
4164 if (bit_depth <= 8)
4165 {
4166 png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4167 png_ptr->screen_gamma > 0 ?
4168 png_reciprocal2(png_ptr->colorspace.gamma,
4169 png_ptr->screen_gamma) : PNG_FP_1);
4170
4171#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4172 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4173 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4174 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4175 {
4176 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4177 png_reciprocal(png_ptr->colorspace.gamma));
4178
4179 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4180 png_ptr->screen_gamma > 0 ?
4181 png_reciprocal(png_ptr->screen_gamma) :
4182 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4183 }
4184#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4185 }
4186#ifdef PNG_16BIT_SUPPORTED
4187 else
4188 {
4189 png_byte shift, sig_bit;
4190
4191 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
4192 {
4193 sig_bit = png_ptr->sig_bit.red;
4194
4195 if (png_ptr->sig_bit.green > sig_bit)
4196 sig_bit = png_ptr->sig_bit.green;
4197
4198 if (png_ptr->sig_bit.blue > sig_bit)
4199 sig_bit = png_ptr->sig_bit.blue;
4200 }
4201 else
4202 sig_bit = png_ptr->sig_bit.gray;
4203
4204 /* 16-bit gamma code uses this equation:
4205 *
4206 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4207 *
4208 * Where 'iv' is the input color value and 'ov' is the output value -
4209 * pow(iv, gamma).
4210 *
4211 * Thus the gamma table consists of up to 256 256-entry tables. The table
4212 * is selected by the (8-gamma_shift) most significant of the low 8 bits
4213 * of the color value then indexed by the upper 8 bits:
4214 *
4215 * table[low bits][high 8 bits]
4216 *
4217 * So the table 'n' corresponds to all those 'iv' of:
4218 *
4219 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4220 *
4221 */
4222 if (sig_bit > 0 && sig_bit < 16U)
4223 /* shift == insignificant bits */
4224 shift = (png_byte)((16U - sig_bit) & 0xff);
4225
4226 else
4227 shift = 0; /* keep all 16 bits */
4228
4229 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4230 {
4231 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4232 * the significant bits in the *input* when the output will
4233 * eventually be 8 bits. By default it is 11.
4234 */
4235 if (shift < (16U - PNG_MAX_GAMMA_8))
4236 shift = (16U - PNG_MAX_GAMMA_8);
4237 }
4238
4239 if (shift > 8U)
4240 shift = 8U; /* Guarantees at least one table! */
4241
4242 png_ptr->gamma_shift = shift;
4243
4244 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4245 * PNG_COMPOSE). This effectively smashed the background calculation for
4246 * 16-bit output because the 8-bit table assumes the result will be
4247 * reduced to 8 bits.
4248 */
4249 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4250 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4251 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
4252 png_ptr->screen_gamma) : PNG_FP_1);
4253
4254 else
4255 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4256 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
4257 png_ptr->screen_gamma) : PNG_FP_1);
4258
4259#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4260 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4261 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4262 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4263 {
4264 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4265 png_reciprocal(png_ptr->colorspace.gamma));
4266
4267 /* Notice that the '16 from 1' table should be full precision, however
4268 * the lookup on this table still uses gamma_shift, so it can't be.
4269 * TODO: fix this.
4270 */
4271 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4272 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
4273 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4274 }
4275#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4276 }
4277#endif /* 16BIT */
4278}
4279#endif /* READ_GAMMA */
4280
4281/* HARDWARE OR SOFTWARE OPTION SUPPORT */
4282#ifdef PNG_SET_OPTION_SUPPORTED
4283int PNGAPI
4284png_set_option(png_structrp png_ptr, int option, int onoff)
4285{
4286 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4287 (option & 1) == 0)
4288 {
4289 png_uint_32 mask = 3U << option;
4290 png_uint_32 setting = (2U + (onoff != 0)) << option;
4291 png_uint_32 current = png_ptr->options;
4292
4293 png_ptr->options = (png_uint_32)((current & ~mask) | setting);
4294
4295 return (int)(current & mask) >> option;
4296 }
4297
4298 return PNG_OPTION_INVALID;
4299}
4300#endif
4301
4302/* sRGB support */
4303#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4304 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4305/* sRGB conversion tables; these are machine generated with the code in
4306 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the
4307 * specification (see the article at https://en.wikipedia.org/wiki/SRGB)
4308 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4309 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4310 * The inverse (linear to sRGB) table has accuracies as follows:
4311 *
4312 * For all possible (255*65535+1) input values:
4313 *
4314 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4315 *
4316 * For the input values corresponding to the 65536 16-bit values:
4317 *
4318 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4319 *
4320 * In all cases the inexact readings are only off by one.
4321 */
4322
4323#ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4324/* The convert-to-sRGB table is only currently required for read. */
4325const png_uint_16 png_sRGB_table[256] =
4326{
4327 0,20,40,60,80,99,119,139,
4328 159,179,199,219,241,264,288,313,
4329 340,367,396,427,458,491,526,562,
4330 599,637,677,718,761,805,851,898,
4331 947,997,1048,1101,1156,1212,1270,1330,
4332 1391,1453,1517,1583,1651,1720,1790,1863,
4333 1937,2013,2090,2170,2250,2333,2418,2504,
4334 2592,2681,2773,2866,2961,3058,3157,3258,
4335 3360,3464,3570,3678,3788,3900,4014,4129,
4336 4247,4366,4488,4611,4736,4864,4993,5124,
4337 5257,5392,5530,5669,5810,5953,6099,6246,
4338 6395,6547,6700,6856,7014,7174,7335,7500,
4339 7666,7834,8004,8177,8352,8528,8708,8889,
4340 9072,9258,9445,9635,9828,10022,10219,10417,
4341 10619,10822,11028,11235,11446,11658,11873,12090,
4342 12309,12530,12754,12980,13209,13440,13673,13909,
4343 14146,14387,14629,14874,15122,15371,15623,15878,
4344 16135,16394,16656,16920,17187,17456,17727,18001,
4345 18277,18556,18837,19121,19407,19696,19987,20281,
4346 20577,20876,21177,21481,21787,22096,22407,22721,
4347 23038,23357,23678,24002,24329,24658,24990,25325,
4348 25662,26001,26344,26688,27036,27386,27739,28094,
4349 28452,28813,29176,29542,29911,30282,30656,31033,
4350 31412,31794,32179,32567,32957,33350,33745,34143,
4351 34544,34948,35355,35764,36176,36591,37008,37429,
4352 37852,38278,38706,39138,39572,40009,40449,40891,
4353 41337,41785,42236,42690,43147,43606,44069,44534,
4354 45002,45473,45947,46423,46903,47385,47871,48359,
4355 48850,49344,49841,50341,50844,51349,51858,52369,
4356 52884,53401,53921,54445,54971,55500,56032,56567,
4357 57105,57646,58190,58737,59287,59840,60396,60955,
4358 61517,62082,62650,63221,63795,64372,64952,65535
4359};
4360#endif /* SIMPLIFIED_READ */
4361
4362/* The base/delta tables are required for both read and write (but currently
4363 * only the simplified versions.)
4364 */
4365const png_uint_16 png_sRGB_base[512] =
4366{
4367 128,1782,3383,4644,5675,6564,7357,8074,
4368 8732,9346,9921,10463,10977,11466,11935,12384,
4369 12816,13233,13634,14024,14402,14769,15125,15473,
4370 15812,16142,16466,16781,17090,17393,17690,17981,
4371 18266,18546,18822,19093,19359,19621,19879,20133,
4372 20383,20630,20873,21113,21349,21583,21813,22041,
4373 22265,22487,22707,22923,23138,23350,23559,23767,
4374 23972,24175,24376,24575,24772,24967,25160,25352,
4375 25542,25730,25916,26101,26284,26465,26645,26823,
4376 27000,27176,27350,27523,27695,27865,28034,28201,
4377 28368,28533,28697,28860,29021,29182,29341,29500,
4378 29657,29813,29969,30123,30276,30429,30580,30730,
4379 30880,31028,31176,31323,31469,31614,31758,31902,
4380 32045,32186,32327,32468,32607,32746,32884,33021,
4381 33158,33294,33429,33564,33697,33831,33963,34095,
4382 34226,34357,34486,34616,34744,34873,35000,35127,
4383 35253,35379,35504,35629,35753,35876,35999,36122,
4384 36244,36365,36486,36606,36726,36845,36964,37083,
4385 37201,37318,37435,37551,37668,37783,37898,38013,
4386 38127,38241,38354,38467,38580,38692,38803,38915,
4387 39026,39136,39246,39356,39465,39574,39682,39790,
4388 39898,40005,40112,40219,40325,40431,40537,40642,
4389 40747,40851,40955,41059,41163,41266,41369,41471,
4390 41573,41675,41777,41878,41979,42079,42179,42279,
4391 42379,42478,42577,42676,42775,42873,42971,43068,
4392 43165,43262,43359,43456,43552,43648,43743,43839,
4393 43934,44028,44123,44217,44311,44405,44499,44592,
4394 44685,44778,44870,44962,45054,45146,45238,45329,
4395 45420,45511,45601,45692,45782,45872,45961,46051,
4396 46140,46229,46318,46406,46494,46583,46670,46758,
4397 46846,46933,47020,47107,47193,47280,47366,47452,
4398 47538,47623,47709,47794,47879,47964,48048,48133,
4399 48217,48301,48385,48468,48552,48635,48718,48801,
4400 48884,48966,49048,49131,49213,49294,49376,49458,
4401 49539,49620,49701,49782,49862,49943,50023,50103,
4402 50183,50263,50342,50422,50501,50580,50659,50738,
4403 50816,50895,50973,51051,51129,51207,51285,51362,
4404 51439,51517,51594,51671,51747,51824,51900,51977,
4405 52053,52129,52205,52280,52356,52432,52507,52582,
4406 52657,52732,52807,52881,52956,53030,53104,53178,
4407 53252,53326,53400,53473,53546,53620,53693,53766,
4408 53839,53911,53984,54056,54129,54201,54273,54345,
4409 54417,54489,54560,54632,54703,54774,54845,54916,
4410 54987,55058,55129,55199,55269,55340,55410,55480,
4411 55550,55620,55689,55759,55828,55898,55967,56036,
4412 56105,56174,56243,56311,56380,56448,56517,56585,
4413 56653,56721,56789,56857,56924,56992,57059,57127,
4414 57194,57261,57328,57395,57462,57529,57595,57662,
4415 57728,57795,57861,57927,57993,58059,58125,58191,
4416 58256,58322,58387,58453,58518,58583,58648,58713,
4417 58778,58843,58908,58972,59037,59101,59165,59230,
4418 59294,59358,59422,59486,59549,59613,59677,59740,
4419 59804,59867,59930,59993,60056,60119,60182,60245,
4420 60308,60370,60433,60495,60558,60620,60682,60744,
4421 60806,60868,60930,60992,61054,61115,61177,61238,
4422 61300,61361,61422,61483,61544,61605,61666,61727,
4423 61788,61848,61909,61969,62030,62090,62150,62211,
4424 62271,62331,62391,62450,62510,62570,62630,62689,
4425 62749,62808,62867,62927,62986,63045,63104,63163,
4426 63222,63281,63340,63398,63457,63515,63574,63632,
4427 63691,63749,63807,63865,63923,63981,64039,64097,
4428 64155,64212,64270,64328,64385,64443,64500,64557,
4429 64614,64672,64729,64786,64843,64900,64956,65013,
4430 65070,65126,65183,65239,65296,65352,65409,65465
4431};
4432
4433const png_byte png_sRGB_delta[512] =
4434{
4435 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4436 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4437 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4438 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4439 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4440 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4441 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4442 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4443 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4444 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4445 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4446 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4447 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4448 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4449 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4450 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4451 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4452 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4453 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4454 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4455 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4456 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4457 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4458 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4459 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4460 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4461 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4462 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4463 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4464 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4465 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4466 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4467};
4468#endif /* SIMPLIFIED READ/WRITE sRGB support */
4469
4470/* SIMPLIFIED READ/WRITE SUPPORT */
4471#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4472 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4473static int
4474png_image_free_function(png_voidp argument)
4475{
4476 png_imagep image = png_voidcast(png_imagep, argument);
4477 png_controlp cp = image->opaque;
4478 png_control c;
4479
4480 /* Double check that we have a png_ptr - it should be impossible to get here
4481 * without one.
4482 */
4483 if (cp->png_ptr == NULL)
4484 return 0;
4485
4486 /* First free any data held in the control structure. */
4487# ifdef PNG_STDIO_SUPPORTED
4488 if (cp->owned_file != 0)
4489 {
4490 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4491 cp->owned_file = 0;
4492
4493 /* Ignore errors here. */
4494 if (fp != NULL)
4495 {
4496 cp->png_ptr->io_ptr = NULL;
4497 (void)fclose(fp);
4498 }
4499 }
4500# endif
4501
4502 /* Copy the control structure so that the original, allocated, version can be
4503 * safely freed. Notice that a png_error here stops the remainder of the
4504 * cleanup, but this is probably fine because that would indicate bad memory
4505 * problems anyway.
4506 */
4507 c = *cp;
4508 image->opaque = &c;
4509 png_free(c.png_ptr, cp);
4510
4511 /* Then the structures, calling the correct API. */
4512 if (c.for_write != 0)
4513 {
4514# ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4515 png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4516# else
4517 png_error(c.png_ptr, "simplified write not supported");
4518# endif
4519 }
4520 else
4521 {
4522# ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4523 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4524# else
4525 png_error(c.png_ptr, "simplified read not supported");
4526# endif
4527 }
4528
4529 /* Success. */
4530 return 1;
4531}
4532
4533void PNGAPI
4534png_image_free(png_imagep image)
4535{
4536 /* Safely call the real function, but only if doing so is safe at this point
4537 * (if not inside an error handling context). Otherwise assume
4538 * png_safe_execute will call this API after the return.
4539 */
4540 if (image != NULL && image->opaque != NULL &&
4541 image->opaque->error_buf == NULL)
4542 {
4543 png_image_free_function(image);
4544 image->opaque = NULL;
4545 }
4546}
4547
4548int /* PRIVATE */
4549png_image_error(png_imagep image, png_const_charp error_message)
4550{
4551 /* Utility to log an error. */
4552 png_safecat(image->message, (sizeof image->message), 0, error_message);
4553 image->warning_or_error |= PNG_IMAGE_ERROR;
4554 png_image_free(image);
4555 return 0;
4556}
4557
4558#endif /* SIMPLIFIED READ/WRITE */
4559#endif /* READ || WRITE */
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette