1 /* 2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 3 * 4 * This code is free software; you can redistribute it and/or modify it 5 * under the terms of the GNU General Public License version 2 only, as 6 * published by the Free Software Foundation. Oracle designates this 7 * particular file as subject to the "Classpath" exception as provided 8 * by Oracle in the LICENSE file that accompanied this code. 9 * 10 * This code is distributed in the hope that it will be useful, but WITHOUT 11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13 * version 2 for more details (a copy is included in the LICENSE file that 14 * accompanied this code). 15 * 16 * You should have received a copy of the GNU General Public License version 17 * 2 along with this work; if not, write to the Free Software Foundation, 18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 19 * 20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 21 * or visit www.oracle.com if you need additional information or have any 22 * questions. 23 */ 24 25 /* png.c - location for general purpose libpng functions 26 * 27 * This file is available under and governed by the GNU General Public 28 * License version 2 only, as published by the Free Software Foundation. 29 * However, the following notice accompanied the original version of this 30 * file and, per its terms, should not be removed: 31 * 32 * Last changed in libpng 1.6.19 [November 12, 2015] 33 * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson 34 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 35 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 36 * 37 * This code is released under the libpng license. 38 * For conditions of distribution and use, see the disclaimer 39 * and license in png.h 40 */ 41 42 #include "pngpriv.h" 43 44 /* Generate a compiler error if there is an old png.h in the search path. */ 45 typedef png_libpng_version_1_6_23 Your_png_h_is_not_version_1_6_23; 46 47 /* Tells libpng that we have already handled the first "num_bytes" bytes 48 * of the PNG file signature. If the PNG data is embedded into another 49 * stream we can set num_bytes = 8 so that libpng will not attempt to read 50 * or write any of the magic bytes before it starts on the IHDR. 51 */ 52 53 #ifdef PNG_READ_SUPPORTED 54 void PNGAPI 55 png_set_sig_bytes(png_structrp png_ptr, int num_bytes) 56 { 57 unsigned int nb = (unsigned int)num_bytes; 58 59 png_debug(1, "in png_set_sig_bytes"); 60 61 if (png_ptr == NULL) 62 return; 63 64 if (num_bytes < 0) 65 nb = 0; 66 67 if (nb > 8) 68 png_error(png_ptr, "Too many bytes for PNG signature"); 69 70 png_ptr->sig_bytes = (png_byte)nb; 71 } 72 73 /* Checks whether the supplied bytes match the PNG signature. We allow 74 * checking less than the full 8-byte signature so that those apps that 75 * already read the first few bytes of a file to determine the file type 76 * can simply check the remaining bytes for extra assurance. Returns 77 * an integer less than, equal to, or greater than zero if sig is found, 78 * respectively, to be less than, to match, or be greater than the correct 79 * PNG signature (this is the same behavior as strcmp, memcmp, etc). 80 */ 81 int PNGAPI 82 png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check) 83 { 84 png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10}; 85 86 if (num_to_check > 8) 87 num_to_check = 8; 88 89 else if (num_to_check < 1) 90 return (-1); 91 92 if (start > 7) 93 return (-1); 94 95 if (start + num_to_check > 8) 96 num_to_check = 8 - start; 97 98 return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check))); 99 } 100 101 #endif /* READ */ 102 103 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 104 /* Function to allocate memory for zlib */ 105 PNG_FUNCTION(voidpf /* PRIVATE */, 106 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED) 107 { 108 png_alloc_size_t num_bytes = size; 109 110 if (png_ptr == NULL) 111 return NULL; 112 113 if (items >= (~(png_alloc_size_t)0)/size) 114 { 115 png_warning (png_voidcast(png_structrp, png_ptr), 116 "Potential overflow in png_zalloc()"); 117 return NULL; 118 } 119 120 num_bytes *= items; 121 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes); 122 } 123 124 /* Function to free memory for zlib */ 125 void /* PRIVATE */ 126 png_zfree(voidpf png_ptr, voidpf ptr) 127 { 128 png_free(png_voidcast(png_const_structrp,png_ptr), ptr); 129 } 130 131 /* Reset the CRC variable to 32 bits of 1's. Care must be taken 132 * in case CRC is > 32 bits to leave the top bits 0. 133 */ 134 void /* PRIVATE */ 135 png_reset_crc(png_structrp png_ptr) 136 { 137 /* The cast is safe because the crc is a 32-bit value. */ 138 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0); 139 } 140 141 /* Calculate the CRC over a section of data. We can only pass as 142 * much data to this routine as the largest single buffer size. We 143 * also check that this data will actually be used before going to the 144 * trouble of calculating it. 145 */ 146 void /* PRIVATE */ 147 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, png_size_t length) 148 { 149 int need_crc = 1; 150 151 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0) 152 { 153 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) == 154 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN)) 155 need_crc = 0; 156 } 157 158 else /* critical */ 159 { 160 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0) 161 need_crc = 0; 162 } 163 164 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some 165 * systems it is a 64-bit value. crc32, however, returns 32 bits so the 166 * following cast is safe. 'uInt' may be no more than 16 bits, so it is 167 * necessary to perform a loop here. 168 */ 169 if (need_crc != 0 && length > 0) 170 { 171 uLong crc = png_ptr->crc; /* Should never issue a warning */ 172 173 do 174 { 175 uInt safe_length = (uInt)length; 176 #ifndef __COVERITY__ 177 if (safe_length == 0) 178 safe_length = (uInt)-1; /* evil, but safe */ 179 #endif 180 181 crc = crc32(crc, ptr, safe_length); 182 183 /* The following should never issue compiler warnings; if they do the 184 * target system has characteristics that will probably violate other 185 * assumptions within the libpng code. 186 */ 187 ptr += safe_length; 188 length -= safe_length; 189 } 190 while (length > 0); 191 192 /* And the following is always safe because the crc is only 32 bits. */ 193 png_ptr->crc = (png_uint_32)crc; 194 } 195 } 196 197 /* Check a user supplied version number, called from both read and write 198 * functions that create a png_struct. 199 */ 200 int 201 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver) 202 { 203 /* Libpng versions 1.0.0 and later are binary compatible if the version 204 * string matches through the second '.'; we must recompile any 205 * applications that use any older library version. 206 */ 207 208 if (user_png_ver != NULL) 209 { 210 int i = -1; 211 int found_dots = 0; 212 213 do 214 { 215 i++; 216 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i]) 217 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; 218 if (user_png_ver[i] == '.') 219 found_dots++; 220 } while (found_dots < 2 && user_png_ver[i] != 0 && 221 PNG_LIBPNG_VER_STRING[i] != 0); 222 } 223 224 else 225 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; 226 227 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0) 228 { 229 #ifdef PNG_WARNINGS_SUPPORTED 230 size_t pos = 0; 231 char m[128]; 232 233 pos = png_safecat(m, (sizeof m), pos, 234 "Application built with libpng-"); 235 pos = png_safecat(m, (sizeof m), pos, user_png_ver); 236 pos = png_safecat(m, (sizeof m), pos, " but running with "); 237 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING); 238 PNG_UNUSED(pos) 239 240 png_warning(png_ptr, m); 241 #endif 242 243 #ifdef PNG_ERROR_NUMBERS_SUPPORTED 244 png_ptr->flags = 0; 245 #endif 246 247 return 0; 248 } 249 250 /* Success return. */ 251 return 1; 252 } 253 254 /* Generic function to create a png_struct for either read or write - this 255 * contains the common initialization. 256 */ 257 PNG_FUNCTION(png_structp /* PRIVATE */, 258 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr, 259 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr, 260 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED) 261 { 262 png_struct create_struct; 263 # ifdef PNG_SETJMP_SUPPORTED 264 jmp_buf create_jmp_buf; 265 # endif 266 267 /* This temporary stack-allocated structure is used to provide a place to 268 * build enough context to allow the user provided memory allocator (if any) 269 * to be called. 270 */ 271 memset(&create_struct, 0, (sizeof create_struct)); 272 273 /* Added at libpng-1.2.6 */ 274 # ifdef PNG_USER_LIMITS_SUPPORTED 275 create_struct.user_width_max = PNG_USER_WIDTH_MAX; 276 create_struct.user_height_max = PNG_USER_HEIGHT_MAX; 277 278 # ifdef PNG_USER_CHUNK_CACHE_MAX 279 /* Added at libpng-1.2.43 and 1.4.0 */ 280 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX; 281 # endif 282 283 # ifdef PNG_USER_CHUNK_MALLOC_MAX 284 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists 285 * in png_struct regardless. 286 */ 287 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX; 288 # endif 289 # endif 290 291 /* The following two API calls simply set fields in png_struct, so it is safe 292 * to do them now even though error handling is not yet set up. 293 */ 294 # ifdef PNG_USER_MEM_SUPPORTED 295 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn); 296 # else 297 PNG_UNUSED(mem_ptr) 298 PNG_UNUSED(malloc_fn) 299 PNG_UNUSED(free_fn) 300 # endif 301 302 /* (*error_fn) can return control to the caller after the error_ptr is set, 303 * this will result in a memory leak unless the error_fn does something 304 * extremely sophisticated. The design lacks merit but is implicit in the 305 * API. 306 */ 307 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn); 308 309 # ifdef PNG_SETJMP_SUPPORTED 310 if (!setjmp(create_jmp_buf)) 311 # endif 312 { 313 # ifdef PNG_SETJMP_SUPPORTED 314 /* Temporarily fake out the longjmp information until we have 315 * successfully completed this function. This only works if we have 316 * setjmp() support compiled in, but it is safe - this stuff should 317 * never happen. 318 */ 319 create_struct.jmp_buf_ptr = &create_jmp_buf; 320 create_struct.jmp_buf_size = 0; /*stack allocation*/ 321 create_struct.longjmp_fn = longjmp; 322 # endif 323 /* Call the general version checker (shared with read and write code): 324 */ 325 if (png_user_version_check(&create_struct, user_png_ver) != 0) 326 { 327 png_structrp png_ptr = png_voidcast(png_structrp, 328 png_malloc_warn(&create_struct, (sizeof *png_ptr))); 329 330 if (png_ptr != NULL) 331 { 332 /* png_ptr->zstream holds a back-pointer to the png_struct, so 333 * this can only be done now: 334 */ 335 create_struct.zstream.zalloc = png_zalloc; 336 create_struct.zstream.zfree = png_zfree; 337 create_struct.zstream.opaque = png_ptr; 338 339 # ifdef PNG_SETJMP_SUPPORTED 340 /* Eliminate the local error handling: */ 341 create_struct.jmp_buf_ptr = NULL; 342 create_struct.jmp_buf_size = 0; 343 create_struct.longjmp_fn = 0; 344 # endif 345 346 *png_ptr = create_struct; 347 348 /* This is the successful return point */ 349 return png_ptr; 350 } 351 } 352 } 353 354 /* A longjmp because of a bug in the application storage allocator or a 355 * simple failure to allocate the png_struct. 356 */ 357 return NULL; 358 } 359 360 /* Allocate the memory for an info_struct for the application. */ 361 PNG_FUNCTION(png_infop,PNGAPI 362 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED) 363 { 364 png_inforp info_ptr; 365 366 png_debug(1, "in png_create_info_struct"); 367 368 if (png_ptr == NULL) 369 return NULL; 370 371 /* Use the internal API that does not (or at least should not) error out, so 372 * that this call always returns ok. The application typically sets up the 373 * error handling *after* creating the info_struct because this is the way it 374 * has always been done in 'example.c'. 375 */ 376 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr, 377 (sizeof *info_ptr))); 378 379 if (info_ptr != NULL) 380 memset(info_ptr, 0, (sizeof *info_ptr)); 381 382 return info_ptr; 383 } 384 385 /* This function frees the memory associated with a single info struct. 386 * Normally, one would use either png_destroy_read_struct() or 387 * png_destroy_write_struct() to free an info struct, but this may be 388 * useful for some applications. From libpng 1.6.0 this function is also used 389 * internally to implement the png_info release part of the 'struct' destroy 390 * APIs. This ensures that all possible approaches free the same data (all of 391 * it). 392 */ 393 void PNGAPI 394 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr) 395 { 396 png_inforp info_ptr = NULL; 397 398 png_debug(1, "in png_destroy_info_struct"); 399 400 if (png_ptr == NULL) 401 return; 402 403 if (info_ptr_ptr != NULL) 404 info_ptr = *info_ptr_ptr; 405 406 if (info_ptr != NULL) 407 { 408 /* Do this first in case of an error below; if the app implements its own 409 * memory management this can lead to png_free calling png_error, which 410 * will abort this routine and return control to the app error handler. 411 * An infinite loop may result if it then tries to free the same info 412 * ptr. 413 */ 414 *info_ptr_ptr = NULL; 415 416 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1); 417 memset(info_ptr, 0, (sizeof *info_ptr)); 418 png_free(png_ptr, info_ptr); 419 } 420 } 421 422 /* Initialize the info structure. This is now an internal function (0.89) 423 * and applications using it are urged to use png_create_info_struct() 424 * instead. Use deprecated in 1.6.0, internal use removed (used internally it 425 * is just a memset). 426 * 427 * NOTE: it is almost inconceivable that this API is used because it bypasses 428 * the user-memory mechanism and the user error handling/warning mechanisms in 429 * those cases where it does anything other than a memset. 430 */ 431 PNG_FUNCTION(void,PNGAPI 432 png_info_init_3,(png_infopp ptr_ptr, png_size_t png_info_struct_size), 433 PNG_DEPRECATED) 434 { 435 png_inforp info_ptr = *ptr_ptr; 436 437 png_debug(1, "in png_info_init_3"); 438 439 if (info_ptr == NULL) 440 return; 441 442 if ((sizeof (png_info)) > png_info_struct_size) 443 { 444 *ptr_ptr = NULL; 445 /* The following line is why this API should not be used: */ 446 free(info_ptr); 447 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL, 448 (sizeof *info_ptr))); 449 if (info_ptr == NULL) 450 return; 451 *ptr_ptr = info_ptr; 452 } 453 454 /* Set everything to 0 */ 455 memset(info_ptr, 0, (sizeof *info_ptr)); 456 } 457 458 /* The following API is not called internally */ 459 void PNGAPI 460 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr, 461 int freer, png_uint_32 mask) 462 { 463 png_debug(1, "in png_data_freer"); 464 465 if (png_ptr == NULL || info_ptr == NULL) 466 return; 467 468 if (freer == PNG_DESTROY_WILL_FREE_DATA) 469 info_ptr->free_me |= mask; 470 471 else if (freer == PNG_USER_WILL_FREE_DATA) 472 info_ptr->free_me &= ~mask; 473 474 else 475 png_error(png_ptr, "Unknown freer parameter in png_data_freer"); 476 } 477 478 void PNGAPI 479 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask, 480 int num) 481 { 482 png_debug(1, "in png_free_data"); 483 484 if (png_ptr == NULL || info_ptr == NULL) 485 return; 486 487 #ifdef PNG_TEXT_SUPPORTED 488 /* Free text item num or (if num == -1) all text items */ 489 if (info_ptr->text != 0 && 490 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0) 491 { 492 if (num != -1) 493 { 494 png_free(png_ptr, info_ptr->text[num].key); 495 info_ptr->text[num].key = NULL; 496 } 497 498 else 499 { 500 int i; 501 502 for (i = 0; i < info_ptr->num_text; i++) 503 png_free(png_ptr, info_ptr->text[i].key); 504 505 png_free(png_ptr, info_ptr->text); 506 info_ptr->text = NULL; 507 info_ptr->num_text = 0; 508 } 509 } 510 #endif 511 512 #ifdef PNG_tRNS_SUPPORTED 513 /* Free any tRNS entry */ 514 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0) 515 { 516 info_ptr->valid &= ~PNG_INFO_tRNS; 517 png_free(png_ptr, info_ptr->trans_alpha); 518 info_ptr->trans_alpha = NULL; 519 info_ptr->num_trans = 0; 520 } 521 #endif 522 523 #ifdef PNG_sCAL_SUPPORTED 524 /* Free any sCAL entry */ 525 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0) 526 { 527 png_free(png_ptr, info_ptr->scal_s_width); 528 png_free(png_ptr, info_ptr->scal_s_height); 529 info_ptr->scal_s_width = NULL; 530 info_ptr->scal_s_height = NULL; 531 info_ptr->valid &= ~PNG_INFO_sCAL; 532 } 533 #endif 534 535 #ifdef PNG_pCAL_SUPPORTED 536 /* Free any pCAL entry */ 537 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0) 538 { 539 png_free(png_ptr, info_ptr->pcal_purpose); 540 png_free(png_ptr, info_ptr->pcal_units); 541 info_ptr->pcal_purpose = NULL; 542 info_ptr->pcal_units = NULL; 543 544 if (info_ptr->pcal_params != NULL) 545 { 546 int i; 547 548 for (i = 0; i < info_ptr->pcal_nparams; i++) 549 png_free(png_ptr, info_ptr->pcal_params[i]); 550 551 png_free(png_ptr, info_ptr->pcal_params); 552 info_ptr->pcal_params = NULL; 553 } 554 info_ptr->valid &= ~PNG_INFO_pCAL; 555 } 556 #endif 557 558 #ifdef PNG_iCCP_SUPPORTED 559 /* Free any profile entry */ 560 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0) 561 { 562 png_free(png_ptr, info_ptr->iccp_name); 563 png_free(png_ptr, info_ptr->iccp_profile); 564 info_ptr->iccp_name = NULL; 565 info_ptr->iccp_profile = NULL; 566 info_ptr->valid &= ~PNG_INFO_iCCP; 567 } 568 #endif 569 570 #ifdef PNG_sPLT_SUPPORTED 571 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */ 572 if (info_ptr->splt_palettes != 0 && 573 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0) 574 { 575 if (num != -1) 576 { 577 png_free(png_ptr, info_ptr->splt_palettes[num].name); 578 png_free(png_ptr, info_ptr->splt_palettes[num].entries); 579 info_ptr->splt_palettes[num].name = NULL; 580 info_ptr->splt_palettes[num].entries = NULL; 581 } 582 583 else 584 { 585 int i; 586 587 for (i = 0; i < info_ptr->splt_palettes_num; i++) 588 { 589 png_free(png_ptr, info_ptr->splt_palettes[i].name); 590 png_free(png_ptr, info_ptr->splt_palettes[i].entries); 591 } 592 593 png_free(png_ptr, info_ptr->splt_palettes); 594 info_ptr->splt_palettes = NULL; 595 info_ptr->splt_palettes_num = 0; 596 info_ptr->valid &= ~PNG_INFO_sPLT; 597 } 598 } 599 #endif 600 601 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED 602 if (info_ptr->unknown_chunks != 0 && 603 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0) 604 { 605 if (num != -1) 606 { 607 png_free(png_ptr, info_ptr->unknown_chunks[num].data); 608 info_ptr->unknown_chunks[num].data = NULL; 609 } 610 611 else 612 { 613 int i; 614 615 for (i = 0; i < info_ptr->unknown_chunks_num; i++) 616 png_free(png_ptr, info_ptr->unknown_chunks[i].data); 617 618 png_free(png_ptr, info_ptr->unknown_chunks); 619 info_ptr->unknown_chunks = NULL; 620 info_ptr->unknown_chunks_num = 0; 621 } 622 } 623 #endif 624 625 #ifdef PNG_hIST_SUPPORTED 626 /* Free any hIST entry */ 627 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0) 628 { 629 png_free(png_ptr, info_ptr->hist); 630 info_ptr->hist = NULL; 631 info_ptr->valid &= ~PNG_INFO_hIST; 632 } 633 #endif 634 635 /* Free any PLTE entry that was internally allocated */ 636 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0) 637 { 638 png_free(png_ptr, info_ptr->palette); 639 info_ptr->palette = NULL; 640 info_ptr->valid &= ~PNG_INFO_PLTE; 641 info_ptr->num_palette = 0; 642 } 643 644 #ifdef PNG_INFO_IMAGE_SUPPORTED 645 /* Free any image bits attached to the info structure */ 646 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0) 647 { 648 if (info_ptr->row_pointers != 0) 649 { 650 png_uint_32 row; 651 for (row = 0; row < info_ptr->height; row++) 652 png_free(png_ptr, info_ptr->row_pointers[row]); 653 654 png_free(png_ptr, info_ptr->row_pointers); 655 info_ptr->row_pointers = NULL; 656 } 657 info_ptr->valid &= ~PNG_INFO_IDAT; 658 } 659 #endif 660 661 if (num != -1) 662 mask &= ~PNG_FREE_MUL; 663 664 info_ptr->free_me &= ~mask; 665 } 666 #endif /* READ || WRITE */ 667 668 /* This function returns a pointer to the io_ptr associated with the user 669 * functions. The application should free any memory associated with this 670 * pointer before png_write_destroy() or png_read_destroy() are called. 671 */ 672 png_voidp PNGAPI 673 png_get_io_ptr(png_const_structrp png_ptr) 674 { 675 if (png_ptr == NULL) 676 return (NULL); 677 678 return (png_ptr->io_ptr); 679 } 680 681 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 682 # ifdef PNG_STDIO_SUPPORTED 683 /* Initialize the default input/output functions for the PNG file. If you 684 * use your own read or write routines, you can call either png_set_read_fn() 685 * or png_set_write_fn() instead of png_init_io(). If you have defined 686 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a 687 * function of your own because "FILE *" isn't necessarily available. 688 */ 689 void PNGAPI 690 png_init_io(png_structrp png_ptr, png_FILE_p fp) 691 { 692 png_debug(1, "in png_init_io"); 693 694 if (png_ptr == NULL) 695 return; 696 697 png_ptr->io_ptr = (png_voidp)fp; 698 } 699 # endif 700 701 # ifdef PNG_SAVE_INT_32_SUPPORTED 702 /* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90 703 * defines a cast of a signed integer to an unsigned integer either to preserve 704 * the value, if it is positive, or to calculate: 705 * 706 * (UNSIGNED_MAX+1) + integer 707 * 708 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the 709 * negative integral value is added the result will be an unsigned value 710 * correspnding to the 2's complement representation. 711 */ 712 void PNGAPI 713 png_save_int_32(png_bytep buf, png_int_32 i) 714 { 715 png_save_uint_32(buf, i); 716 } 717 # endif 718 719 # ifdef PNG_TIME_RFC1123_SUPPORTED 720 /* Convert the supplied time into an RFC 1123 string suitable for use in 721 * a "Creation Time" or other text-based time string. 722 */ 723 int PNGAPI 724 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime) 725 { 726 static PNG_CONST char short_months[12][4] = 727 {"Jan", "Feb", "Mar", "Apr", "May", "Jun", 728 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}; 729 730 if (out == NULL) 731 return 0; 732 733 if (ptime->year > 9999 /* RFC1123 limitation */ || 734 ptime->month == 0 || ptime->month > 12 || 735 ptime->day == 0 || ptime->day > 31 || 736 ptime->hour > 23 || ptime->minute > 59 || 737 ptime->second > 60) 738 return 0; 739 740 { 741 size_t pos = 0; 742 char number_buf[5]; /* enough for a four-digit year */ 743 744 # define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string)) 745 # define APPEND_NUMBER(format, value)\ 746 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value))) 747 # define APPEND(ch) if (pos < 28) out[pos++] = (ch) 748 749 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day); 750 APPEND(' '); 751 APPEND_STRING(short_months[(ptime->month - 1)]); 752 APPEND(' '); 753 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year); 754 APPEND(' '); 755 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour); 756 APPEND(':'); 757 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute); 758 APPEND(':'); 759 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second); 760 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */ 761 PNG_UNUSED (pos) 762 763 # undef APPEND 764 # undef APPEND_NUMBER 765 # undef APPEND_STRING 766 } 767 768 return 1; 769 } 770 771 # if PNG_LIBPNG_VER < 10700 772 /* To do: remove the following from libpng-1.7 */ 773 /* Original API that uses a private buffer in png_struct. 774 * Deprecated because it causes png_struct to carry a spurious temporary 775 * buffer (png_struct::time_buffer), better to have the caller pass this in. 776 */ 777 png_const_charp PNGAPI 778 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime) 779 { 780 if (png_ptr != NULL) 781 { 782 /* The only failure above if png_ptr != NULL is from an invalid ptime */ 783 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0) 784 png_warning(png_ptr, "Ignoring invalid time value"); 785 786 else 787 return png_ptr->time_buffer; 788 } 789 790 return NULL; 791 } 792 # endif /* LIBPNG_VER < 10700 */ 793 # endif /* TIME_RFC1123 */ 794 795 #endif /* READ || WRITE */ 796 797 png_const_charp PNGAPI 798 png_get_copyright(png_const_structrp png_ptr) 799 { 800 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 801 #ifdef PNG_STRING_COPYRIGHT 802 return PNG_STRING_COPYRIGHT 803 #else 804 # ifdef __STDC__ 805 return PNG_STRING_NEWLINE \ 806 "libpng version 1.6.23 - June 9, 2016" PNG_STRING_NEWLINE \ 807 "Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson" \ 808 PNG_STRING_NEWLINE \ 809 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ 810 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ 811 PNG_STRING_NEWLINE; 812 # else 813 return "libpng version 1.6.23 - June 9, 2016\ 814 Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson\ 815 Copyright (c) 1996-1997 Andreas Dilger\ 816 Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."; 817 # endif 818 #endif 819 } 820 821 /* The following return the library version as a short string in the 822 * format 1.0.0 through 99.99.99zz. To get the version of *.h files 823 * used with your application, print out PNG_LIBPNG_VER_STRING, which 824 * is defined in png.h. 825 * Note: now there is no difference between png_get_libpng_ver() and 826 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard, 827 * it is guaranteed that png.c uses the correct version of png.h. 828 */ 829 png_const_charp PNGAPI 830 png_get_libpng_ver(png_const_structrp png_ptr) 831 { 832 /* Version of *.c files used when building libpng */ 833 return png_get_header_ver(png_ptr); 834 } 835 836 png_const_charp PNGAPI 837 png_get_header_ver(png_const_structrp png_ptr) 838 { 839 /* Version of *.h files used when building libpng */ 840 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 841 return PNG_LIBPNG_VER_STRING; 842 } 843 844 png_const_charp PNGAPI 845 png_get_header_version(png_const_structrp png_ptr) 846 { 847 /* Returns longer string containing both version and date */ 848 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 849 #ifdef __STDC__ 850 return PNG_HEADER_VERSION_STRING 851 # ifndef PNG_READ_SUPPORTED 852 " (NO READ SUPPORT)" 853 # endif 854 PNG_STRING_NEWLINE; 855 #else 856 return PNG_HEADER_VERSION_STRING; 857 #endif 858 } 859 860 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED 861 /* NOTE: this routine is not used internally! */ 862 /* Build a grayscale palette. Palette is assumed to be 1 << bit_depth 863 * large of png_color. This lets grayscale images be treated as 864 * paletted. Most useful for gamma correction and simplification 865 * of code. This API is not used internally. 866 */ 867 void PNGAPI 868 png_build_grayscale_palette(int bit_depth, png_colorp palette) 869 { 870 int num_palette; 871 int color_inc; 872 int i; 873 int v; 874 875 png_debug(1, "in png_do_build_grayscale_palette"); 876 877 if (palette == NULL) 878 return; 879 880 switch (bit_depth) 881 { 882 case 1: 883 num_palette = 2; 884 color_inc = 0xff; 885 break; 886 887 case 2: 888 num_palette = 4; 889 color_inc = 0x55; 890 break; 891 892 case 4: 893 num_palette = 16; 894 color_inc = 0x11; 895 break; 896 897 case 8: 898 num_palette = 256; 899 color_inc = 1; 900 break; 901 902 default: 903 num_palette = 0; 904 color_inc = 0; 905 break; 906 } 907 908 for (i = 0, v = 0; i < num_palette; i++, v += color_inc) 909 { 910 palette[i].red = (png_byte)(v & 0xff); 911 palette[i].green = (png_byte)(v & 0xff); 912 palette[i].blue = (png_byte)(v & 0xff); 913 } 914 } 915 #endif 916 917 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED 918 int PNGAPI 919 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name) 920 { 921 /* Check chunk_name and return "keep" value if it's on the list, else 0 */ 922 png_const_bytep p, p_end; 923 924 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0) 925 return PNG_HANDLE_CHUNK_AS_DEFAULT; 926 927 p_end = png_ptr->chunk_list; 928 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */ 929 930 /* The code is the fifth byte after each four byte string. Historically this 931 * code was always searched from the end of the list, this is no longer 932 * necessary because the 'set' routine handles duplicate entries correcty. 933 */ 934 do /* num_chunk_list > 0, so at least one */ 935 { 936 p -= 5; 937 938 if (memcmp(chunk_name, p, 4) == 0) 939 return p[4]; 940 } 941 while (p > p_end); 942 943 /* This means that known chunks should be processed and unknown chunks should 944 * be handled according to the value of png_ptr->unknown_default; this can be 945 * confusing because, as a result, there are two levels of defaulting for 946 * unknown chunks. 947 */ 948 return PNG_HANDLE_CHUNK_AS_DEFAULT; 949 } 950 951 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\ 952 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED) 953 int /* PRIVATE */ 954 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name) 955 { 956 png_byte chunk_string[5]; 957 958 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name); 959 return png_handle_as_unknown(png_ptr, chunk_string); 960 } 961 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */ 962 #endif /* SET_UNKNOWN_CHUNKS */ 963 964 #ifdef PNG_READ_SUPPORTED 965 /* This function, added to libpng-1.0.6g, is untested. */ 966 int PNGAPI 967 png_reset_zstream(png_structrp png_ptr) 968 { 969 if (png_ptr == NULL) 970 return Z_STREAM_ERROR; 971 972 /* WARNING: this resets the window bits to the maximum! */ 973 return (inflateReset(&png_ptr->zstream)); 974 } 975 #endif /* READ */ 976 977 /* This function was added to libpng-1.0.7 */ 978 png_uint_32 PNGAPI 979 png_access_version_number(void) 980 { 981 /* Version of *.c files used when building libpng */ 982 return((png_uint_32)PNG_LIBPNG_VER); 983 } 984 985 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 986 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string. 987 * If it doesn't 'ret' is used to set it to something appropriate, even in cases 988 * like Z_OK or Z_STREAM_END where the error code is apparently a success code. 989 */ 990 void /* PRIVATE */ 991 png_zstream_error(png_structrp png_ptr, int ret) 992 { 993 /* Translate 'ret' into an appropriate error string, priority is given to the 994 * one in zstream if set. This always returns a string, even in cases like 995 * Z_OK or Z_STREAM_END where the error code is a success code. 996 */ 997 if (png_ptr->zstream.msg == NULL) switch (ret) 998 { 999 default: 1000 case Z_OK: 1001 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code"); 1002 break; 1003 1004 case Z_STREAM_END: 1005 /* Normal exit */ 1006 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream"); 1007 break; 1008 1009 case Z_NEED_DICT: 1010 /* This means the deflate stream did not have a dictionary; this 1011 * indicates a bogus PNG. 1012 */ 1013 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary"); 1014 break; 1015 1016 case Z_ERRNO: 1017 /* gz APIs only: should not happen */ 1018 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error"); 1019 break; 1020 1021 case Z_STREAM_ERROR: 1022 /* internal libpng error */ 1023 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib"); 1024 break; 1025 1026 case Z_DATA_ERROR: 1027 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream"); 1028 break; 1029 1030 case Z_MEM_ERROR: 1031 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory"); 1032 break; 1033 1034 case Z_BUF_ERROR: 1035 /* End of input or output; not a problem if the caller is doing 1036 * incremental read or write. 1037 */ 1038 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated"); 1039 break; 1040 1041 case Z_VERSION_ERROR: 1042 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version"); 1043 break; 1044 1045 case PNG_UNEXPECTED_ZLIB_RETURN: 1046 /* Compile errors here mean that zlib now uses the value co-opted in 1047 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above 1048 * and change pngpriv.h. Note that this message is "... return", 1049 * whereas the default/Z_OK one is "... return code". 1050 */ 1051 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return"); 1052 break; 1053 } 1054 } 1055 1056 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted 1057 * at libpng 1.5.5! 1058 */ 1059 1060 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */ 1061 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */ 1062 static int 1063 png_colorspace_check_gamma(png_const_structrp png_ptr, 1064 png_colorspacerp colorspace, png_fixed_point gAMA, int from) 1065 /* This is called to check a new gamma value against an existing one. The 1066 * routine returns false if the new gamma value should not be written. 1067 * 1068 * 'from' says where the new gamma value comes from: 1069 * 1070 * 0: the new gamma value is the libpng estimate for an ICC profile 1071 * 1: the new gamma value comes from a gAMA chunk 1072 * 2: the new gamma value comes from an sRGB chunk 1073 */ 1074 { 1075 png_fixed_point gtest; 1076 1077 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 && 1078 (png_muldiv(>est, colorspace->gamma, PNG_FP_1, gAMA) == 0 || 1079 png_gamma_significant(gtest) != 0)) 1080 { 1081 /* Either this is an sRGB image, in which case the calculated gamma 1082 * approximation should match, or this is an image with a profile and the 1083 * value libpng calculates for the gamma of the profile does not match the 1084 * value recorded in the file. The former, sRGB, case is an error, the 1085 * latter is just a warning. 1086 */ 1087 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2) 1088 { 1089 png_chunk_report(png_ptr, "gamma value does not match sRGB", 1090 PNG_CHUNK_ERROR); 1091 /* Do not overwrite an sRGB value */ 1092 return from == 2; 1093 } 1094 1095 else /* sRGB tag not involved */ 1096 { 1097 png_chunk_report(png_ptr, "gamma value does not match libpng estimate", 1098 PNG_CHUNK_WARNING); 1099 return from == 1; 1100 } 1101 } 1102 1103 return 1; 1104 } 1105 1106 void /* PRIVATE */ 1107 png_colorspace_set_gamma(png_const_structrp png_ptr, 1108 png_colorspacerp colorspace, png_fixed_point gAMA) 1109 { 1110 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't 1111 * occur. Since the fixed point representation is asymetrical it is 1112 * possible for 1/gamma to overflow the limit of 21474 and this means the 1113 * gamma value must be at least 5/100000 and hence at most 20000.0. For 1114 * safety the limits here are a little narrower. The values are 0.00016 to 1115 * 6250.0, which are truly ridiculous gamma values (and will produce 1116 * displays that are all black or all white.) 1117 * 1118 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk 1119 * handling code, which only required the value to be >0. 1120 */ 1121 png_const_charp errmsg; 1122 1123 if (gAMA < 16 || gAMA > 625000000) 1124 errmsg = "gamma value out of range"; 1125 1126 # ifdef PNG_READ_gAMA_SUPPORTED 1127 /* Allow the application to set the gamma value more than once */ 1128 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 && 1129 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0) 1130 errmsg = "duplicate"; 1131 # endif 1132 1133 /* Do nothing if the colorspace is already invalid */ 1134 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1135 return; 1136 1137 else 1138 { 1139 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA, 1140 1/*from gAMA*/) != 0) 1141 { 1142 /* Store this gamma value. */ 1143 colorspace->gamma = gAMA; 1144 colorspace->flags |= 1145 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA); 1146 } 1147 1148 /* At present if the check_gamma test fails the gamma of the colorspace is 1149 * not updated however the colorspace is not invalidated. This 1150 * corresponds to the case where the existing gamma comes from an sRGB 1151 * chunk or profile. An error message has already been output. 1152 */ 1153 return; 1154 } 1155 1156 /* Error exit - errmsg has been set. */ 1157 colorspace->flags |= PNG_COLORSPACE_INVALID; 1158 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR); 1159 } 1160 1161 void /* PRIVATE */ 1162 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr) 1163 { 1164 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0) 1165 { 1166 /* Everything is invalid */ 1167 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB| 1168 PNG_INFO_iCCP); 1169 1170 # ifdef PNG_COLORSPACE_SUPPORTED 1171 /* Clean up the iCCP profile now if it won't be used. */ 1172 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/); 1173 # else 1174 PNG_UNUSED(png_ptr) 1175 # endif 1176 } 1177 1178 else 1179 { 1180 # ifdef PNG_COLORSPACE_SUPPORTED 1181 /* Leave the INFO_iCCP flag set if the pngset.c code has already set 1182 * it; this allows a PNG to contain a profile which matches sRGB and 1183 * yet still have that profile retrievable by the application. 1184 */ 1185 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0) 1186 info_ptr->valid |= PNG_INFO_sRGB; 1187 1188 else 1189 info_ptr->valid &= ~PNG_INFO_sRGB; 1190 1191 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 1192 info_ptr->valid |= PNG_INFO_cHRM; 1193 1194 else 1195 info_ptr->valid &= ~PNG_INFO_cHRM; 1196 # endif 1197 1198 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0) 1199 info_ptr->valid |= PNG_INFO_gAMA; 1200 1201 else 1202 info_ptr->valid &= ~PNG_INFO_gAMA; 1203 } 1204 } 1205 1206 #ifdef PNG_READ_SUPPORTED 1207 void /* PRIVATE */ 1208 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr) 1209 { 1210 if (info_ptr == NULL) /* reduce code size; check here not in the caller */ 1211 return; 1212 1213 info_ptr->colorspace = png_ptr->colorspace; 1214 png_colorspace_sync_info(png_ptr, info_ptr); 1215 } 1216 #endif 1217 #endif /* GAMMA */ 1218 1219 #ifdef PNG_COLORSPACE_SUPPORTED 1220 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for 1221 * cHRM, as opposed to using chromaticities. These internal APIs return 1222 * non-zero on a parameter error. The X, Y and Z values are required to be 1223 * positive and less than 1.0. 1224 */ 1225 static int 1226 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ) 1227 { 1228 png_int_32 d, dwhite, whiteX, whiteY; 1229 1230 d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z; 1231 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0) 1232 return 1; 1233 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0) 1234 return 1; 1235 dwhite = d; 1236 whiteX = XYZ->red_X; 1237 whiteY = XYZ->red_Y; 1238 1239 d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z; 1240 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0) 1241 return 1; 1242 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0) 1243 return 1; 1244 dwhite += d; 1245 whiteX += XYZ->green_X; 1246 whiteY += XYZ->green_Y; 1247 1248 d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z; 1249 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0) 1250 return 1; 1251 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0) 1252 return 1; 1253 dwhite += d; 1254 whiteX += XYZ->blue_X; 1255 whiteY += XYZ->blue_Y; 1256 1257 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors, 1258 * thus: 1259 */ 1260 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0) 1261 return 1; 1262 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0) 1263 return 1; 1264 1265 return 0; 1266 } 1267 1268 static int 1269 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy) 1270 { 1271 png_fixed_point red_inverse, green_inverse, blue_scale; 1272 png_fixed_point left, right, denominator; 1273 1274 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically 1275 * have end points with 0 tristimulus values (these are impossible end 1276 * points, but they are used to cover the possible colors). We check 1277 * xy->whitey against 5, not 0, to avoid a possible integer overflow. 1278 */ 1279 if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1; 1280 if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1; 1281 if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1; 1282 if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1; 1283 if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1; 1284 if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1; 1285 if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1; 1286 if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1; 1287 1288 /* The reverse calculation is more difficult because the original tristimulus 1289 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8 1290 * derived values were recorded in the cHRM chunk; 1291 * (red,green,blue,white)x(x,y). This loses one degree of freedom and 1292 * therefore an arbitrary ninth value has to be introduced to undo the 1293 * original transformations. 1294 * 1295 * Think of the original end-points as points in (X,Y,Z) space. The 1296 * chromaticity values (c) have the property: 1297 * 1298 * C 1299 * c = --------- 1300 * X + Y + Z 1301 * 1302 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the 1303 * three chromaticity values (x,y,z) for each end-point obey the 1304 * relationship: 1305 * 1306 * x + y + z = 1 1307 * 1308 * This describes the plane in (X,Y,Z) space that intersects each axis at the 1309 * value 1.0; call this the chromaticity plane. Thus the chromaticity 1310 * calculation has scaled each end-point so that it is on the x+y+z=1 plane 1311 * and chromaticity is the intersection of the vector from the origin to the 1312 * (X,Y,Z) value with the chromaticity plane. 1313 * 1314 * To fully invert the chromaticity calculation we would need the three 1315 * end-point scale factors, (red-scale, green-scale, blue-scale), but these 1316 * were not recorded. Instead we calculated the reference white (X,Y,Z) and 1317 * recorded the chromaticity of this. The reference white (X,Y,Z) would have 1318 * given all three of the scale factors since: 1319 * 1320 * color-C = color-c * color-scale 1321 * white-C = red-C + green-C + blue-C 1322 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale 1323 * 1324 * But cHRM records only white-x and white-y, so we have lost the white scale 1325 * factor: 1326 * 1327 * white-C = white-c*white-scale 1328 * 1329 * To handle this the inverse transformation makes an arbitrary assumption 1330 * about white-scale: 1331 * 1332 * Assume: white-Y = 1.0 1333 * Hence: white-scale = 1/white-y 1334 * Or: red-Y + green-Y + blue-Y = 1.0 1335 * 1336 * Notice the last statement of the assumption gives an equation in three of 1337 * the nine values we want to calculate. 8 more equations come from the 1338 * above routine as summarised at the top above (the chromaticity 1339 * calculation): 1340 * 1341 * Given: color-x = color-X / (color-X + color-Y + color-Z) 1342 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0 1343 * 1344 * This is 9 simultaneous equations in the 9 variables "color-C" and can be 1345 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix 1346 * determinants, however this is not as bad as it seems because only 28 of 1347 * the total of 90 terms in the various matrices are non-zero. Nevertheless 1348 * Cramer's rule is notoriously numerically unstable because the determinant 1349 * calculation involves the difference of large, but similar, numbers. It is 1350 * difficult to be sure that the calculation is stable for real world values 1351 * and it is certain that it becomes unstable where the end points are close 1352 * together. 1353 * 1354 * So this code uses the perhaps slightly less optimal but more 1355 * understandable and totally obvious approach of calculating color-scale. 1356 * 1357 * This algorithm depends on the precision in white-scale and that is 1358 * (1/white-y), so we can immediately see that as white-y approaches 0 the 1359 * accuracy inherent in the cHRM chunk drops off substantially. 1360 * 1361 * libpng arithmetic: a simple inversion of the above equations 1362 * ------------------------------------------------------------ 1363 * 1364 * white_scale = 1/white-y 1365 * white-X = white-x * white-scale 1366 * white-Y = 1.0 1367 * white-Z = (1 - white-x - white-y) * white_scale 1368 * 1369 * white-C = red-C + green-C + blue-C 1370 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale 1371 * 1372 * This gives us three equations in (red-scale,green-scale,blue-scale) where 1373 * all the coefficients are now known: 1374 * 1375 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale 1376 * = white-x/white-y 1377 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1 1378 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale 1379 * = (1 - white-x - white-y)/white-y 1380 * 1381 * In the last equation color-z is (1 - color-x - color-y) so we can add all 1382 * three equations together to get an alternative third: 1383 * 1384 * red-scale + green-scale + blue-scale = 1/white-y = white-scale 1385 * 1386 * So now we have a Cramer's rule solution where the determinants are just 1387 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve 1388 * multiplication of three coefficients so we can't guarantee to avoid 1389 * overflow in the libpng fixed point representation. Using Cramer's rule in 1390 * floating point is probably a good choice here, but it's not an option for 1391 * fixed point. Instead proceed to simplify the first two equations by 1392 * eliminating what is likely to be the largest value, blue-scale: 1393 * 1394 * blue-scale = white-scale - red-scale - green-scale 1395 * 1396 * Hence: 1397 * 1398 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale = 1399 * (white-x - blue-x)*white-scale 1400 * 1401 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale = 1402 * 1 - blue-y*white-scale 1403 * 1404 * And now we can trivially solve for (red-scale,green-scale): 1405 * 1406 * green-scale = 1407 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale 1408 * ----------------------------------------------------------- 1409 * green-x - blue-x 1410 * 1411 * red-scale = 1412 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale 1413 * --------------------------------------------------------- 1414 * red-y - blue-y 1415 * 1416 * Hence: 1417 * 1418 * red-scale = 1419 * ( (green-x - blue-x) * (white-y - blue-y) - 1420 * (green-y - blue-y) * (white-x - blue-x) ) / white-y 1421 * ------------------------------------------------------------------------- 1422 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x) 1423 * 1424 * green-scale = 1425 * ( (red-y - blue-y) * (white-x - blue-x) - 1426 * (red-x - blue-x) * (white-y - blue-y) ) / white-y 1427 * ------------------------------------------------------------------------- 1428 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x) 1429 * 1430 * Accuracy: 1431 * The input values have 5 decimal digits of accuracy. The values are all in 1432 * the range 0 < value < 1, so simple products are in the same range but may 1433 * need up to 10 decimal digits to preserve the original precision and avoid 1434 * underflow. Because we are using a 32-bit signed representation we cannot 1435 * match this; the best is a little over 9 decimal digits, less than 10. 1436 * 1437 * The approach used here is to preserve the maximum precision within the 1438 * signed representation. Because the red-scale calculation above uses the 1439 * difference between two products of values that must be in the range -1..+1 1440 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The 1441 * factor is irrelevant in the calculation because it is applied to both 1442 * numerator and denominator. 1443 * 1444 * Note that the values of the differences of the products of the 1445 * chromaticities in the above equations tend to be small, for example for 1446 * the sRGB chromaticities they are: 1447 * 1448 * red numerator: -0.04751 1449 * green numerator: -0.08788 1450 * denominator: -0.2241 (without white-y multiplication) 1451 * 1452 * The resultant Y coefficients from the chromaticities of some widely used 1453 * color space definitions are (to 15 decimal places): 1454 * 1455 * sRGB 1456 * 0.212639005871510 0.715168678767756 0.072192315360734 1457 * Kodak ProPhoto 1458 * 0.288071128229293 0.711843217810102 0.000085653960605 1459 * Adobe RGB 1460 * 0.297344975250536 0.627363566255466 0.075291458493998 1461 * Adobe Wide Gamut RGB 1462 * 0.258728243040113 0.724682314948566 0.016589442011321 1463 */ 1464 /* By the argument, above overflow should be impossible here. The return 1465 * value of 2 indicates an internal error to the caller. 1466 */ 1467 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0) 1468 return 2; 1469 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0) 1470 return 2; 1471 denominator = left - right; 1472 1473 /* Now find the red numerator. */ 1474 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0) 1475 return 2; 1476 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0) 1477 return 2; 1478 1479 /* Overflow is possible here and it indicates an extreme set of PNG cHRM 1480 * chunk values. This calculation actually returns the reciprocal of the 1481 * scale value because this allows us to delay the multiplication of white-y 1482 * into the denominator, which tends to produce a small number. 1483 */ 1484 if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 || 1485 red_inverse <= xy->whitey /* r+g+b scales = white scale */) 1486 return 1; 1487 1488 /* Similarly for green_inverse: */ 1489 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0) 1490 return 2; 1491 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0) 1492 return 2; 1493 if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 || 1494 green_inverse <= xy->whitey) 1495 return 1; 1496 1497 /* And the blue scale, the checks above guarantee this can't overflow but it 1498 * can still produce 0 for extreme cHRM values. 1499 */ 1500 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) - 1501 png_reciprocal(green_inverse); 1502 if (blue_scale <= 0) 1503 return 1; 1504 1505 1506 /* And fill in the png_XYZ: */ 1507 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0) 1508 return 1; 1509 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0) 1510 return 1; 1511 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1, 1512 red_inverse) == 0) 1513 return 1; 1514 1515 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0) 1516 return 1; 1517 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0) 1518 return 1; 1519 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1, 1520 green_inverse) == 0) 1521 return 1; 1522 1523 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0) 1524 return 1; 1525 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0) 1526 return 1; 1527 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale, 1528 PNG_FP_1) == 0) 1529 return 1; 1530 1531 return 0; /*success*/ 1532 } 1533 1534 static int 1535 png_XYZ_normalize(png_XYZ *XYZ) 1536 { 1537 png_int_32 Y; 1538 1539 if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 || 1540 XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 || 1541 XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0) 1542 return 1; 1543 1544 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1. 1545 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore 1546 * relying on addition of two positive values producing a negative one is not 1547 * safe. 1548 */ 1549 Y = XYZ->red_Y; 1550 if (0x7fffffff - Y < XYZ->green_X) 1551 return 1; 1552 Y += XYZ->green_Y; 1553 if (0x7fffffff - Y < XYZ->blue_X) 1554 return 1; 1555 Y += XYZ->blue_Y; 1556 1557 if (Y != PNG_FP_1) 1558 { 1559 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0) 1560 return 1; 1561 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0) 1562 return 1; 1563 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0) 1564 return 1; 1565 1566 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0) 1567 return 1; 1568 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0) 1569 return 1; 1570 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0) 1571 return 1; 1572 1573 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0) 1574 return 1; 1575 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0) 1576 return 1; 1577 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0) 1578 return 1; 1579 } 1580 1581 return 0; 1582 } 1583 1584 static int 1585 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta) 1586 { 1587 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */ 1588 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) || 1589 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) || 1590 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) || 1591 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) || 1592 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) || 1593 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) || 1594 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) || 1595 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta)) 1596 return 0; 1597 return 1; 1598 } 1599 1600 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM 1601 * chunk chromaticities. Earlier checks used to simply look for the overflow 1602 * condition (where the determinant of the matrix to solve for XYZ ends up zero 1603 * because the chromaticity values are not all distinct.) Despite this it is 1604 * theoretically possible to produce chromaticities that are apparently valid 1605 * but that rapidly degrade to invalid, potentially crashing, sets because of 1606 * arithmetic inaccuracies when calculations are performed on them. The new 1607 * check is to round-trip xy -> XYZ -> xy and then check that the result is 1608 * within a small percentage of the original. 1609 */ 1610 static int 1611 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy) 1612 { 1613 int result; 1614 png_xy xy_test; 1615 1616 /* As a side-effect this routine also returns the XYZ endpoints. */ 1617 result = png_XYZ_from_xy(XYZ, xy); 1618 if (result != 0) 1619 return result; 1620 1621 result = png_xy_from_XYZ(&xy_test, XYZ); 1622 if (result != 0) 1623 return result; 1624 1625 if (png_colorspace_endpoints_match(xy, &xy_test, 1626 5/*actually, the math is pretty accurate*/) != 0) 1627 return 0; 1628 1629 /* Too much slip */ 1630 return 1; 1631 } 1632 1633 /* This is the check going the other way. The XYZ is modified to normalize it 1634 * (another side-effect) and the xy chromaticities are returned. 1635 */ 1636 static int 1637 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ) 1638 { 1639 int result; 1640 png_XYZ XYZtemp; 1641 1642 result = png_XYZ_normalize(XYZ); 1643 if (result != 0) 1644 return result; 1645 1646 result = png_xy_from_XYZ(xy, XYZ); 1647 if (result != 0) 1648 return result; 1649 1650 XYZtemp = *XYZ; 1651 return png_colorspace_check_xy(&XYZtemp, xy); 1652 } 1653 1654 /* Used to check for an endpoint match against sRGB */ 1655 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */ 1656 { 1657 /* color x y */ 1658 /* red */ 64000, 33000, 1659 /* green */ 30000, 60000, 1660 /* blue */ 15000, 6000, 1661 /* white */ 31270, 32900 1662 }; 1663 1664 static int 1665 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr, 1666 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ, 1667 int preferred) 1668 { 1669 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1670 return 0; 1671 1672 /* The consistency check is performed on the chromaticities; this factors out 1673 * variations because of the normalization (or not) of the end point Y 1674 * values. 1675 */ 1676 if (preferred < 2 && 1677 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 1678 { 1679 /* The end points must be reasonably close to any we already have. The 1680 * following allows an error of up to +/-.001 1681 */ 1682 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy, 1683 100) == 0) 1684 { 1685 colorspace->flags |= PNG_COLORSPACE_INVALID; 1686 png_benign_error(png_ptr, "inconsistent chromaticities"); 1687 return 0; /* failed */ 1688 } 1689 1690 /* Only overwrite with preferred values */ 1691 if (preferred == 0) 1692 return 1; /* ok, but no change */ 1693 } 1694 1695 colorspace->end_points_xy = *xy; 1696 colorspace->end_points_XYZ = *XYZ; 1697 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS; 1698 1699 /* The end points are normally quoted to two decimal digits, so allow +/-0.01 1700 * on this test. 1701 */ 1702 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0) 1703 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB; 1704 1705 else 1706 colorspace->flags &= PNG_COLORSPACE_CANCEL( 1707 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB); 1708 1709 return 2; /* ok and changed */ 1710 } 1711 1712 int /* PRIVATE */ 1713 png_colorspace_set_chromaticities(png_const_structrp png_ptr, 1714 png_colorspacerp colorspace, const png_xy *xy, int preferred) 1715 { 1716 /* We must check the end points to ensure they are reasonable - in the past 1717 * color management systems have crashed as a result of getting bogus 1718 * colorant values, while this isn't the fault of libpng it is the 1719 * responsibility of libpng because PNG carries the bomb and libpng is in a 1720 * position to protect against it. 1721 */ 1722 png_XYZ XYZ; 1723 1724 switch (png_colorspace_check_xy(&XYZ, xy)) 1725 { 1726 case 0: /* success */ 1727 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ, 1728 preferred); 1729 1730 case 1: 1731 /* We can't invert the chromaticities so we can't produce value XYZ 1732 * values. Likely as not a color management system will fail too. 1733 */ 1734 colorspace->flags |= PNG_COLORSPACE_INVALID; 1735 png_benign_error(png_ptr, "invalid chromaticities"); 1736 break; 1737 1738 default: 1739 /* libpng is broken; this should be a warning but if it happens we 1740 * want error reports so for the moment it is an error. 1741 */ 1742 colorspace->flags |= PNG_COLORSPACE_INVALID; 1743 png_error(png_ptr, "internal error checking chromaticities"); 1744 } 1745 1746 return 0; /* failed */ 1747 } 1748 1749 int /* PRIVATE */ 1750 png_colorspace_set_endpoints(png_const_structrp png_ptr, 1751 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred) 1752 { 1753 png_XYZ XYZ = *XYZ_in; 1754 png_xy xy; 1755 1756 switch (png_colorspace_check_XYZ(&xy, &XYZ)) 1757 { 1758 case 0: 1759 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ, 1760 preferred); 1761 1762 case 1: 1763 /* End points are invalid. */ 1764 colorspace->flags |= PNG_COLORSPACE_INVALID; 1765 png_benign_error(png_ptr, "invalid end points"); 1766 break; 1767 1768 default: 1769 colorspace->flags |= PNG_COLORSPACE_INVALID; 1770 png_error(png_ptr, "internal error checking chromaticities"); 1771 } 1772 1773 return 0; /* failed */ 1774 } 1775 1776 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED) 1777 /* Error message generation */ 1778 static char 1779 png_icc_tag_char(png_uint_32 byte) 1780 { 1781 byte &= 0xff; 1782 if (byte >= 32 && byte <= 126) 1783 return (char)byte; 1784 else 1785 return '?'; 1786 } 1787 1788 static void 1789 png_icc_tag_name(char *name, png_uint_32 tag) 1790 { 1791 name[0] = '\''; 1792 name[1] = png_icc_tag_char(tag >> 24); 1793 name[2] = png_icc_tag_char(tag >> 16); 1794 name[3] = png_icc_tag_char(tag >> 8); 1795 name[4] = png_icc_tag_char(tag ); 1796 name[5] = '\''; 1797 } 1798 1799 static int 1800 is_ICC_signature_char(png_alloc_size_t it) 1801 { 1802 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) || 1803 (it >= 97 && it <= 122); 1804 } 1805 1806 static int 1807 is_ICC_signature(png_alloc_size_t it) 1808 { 1809 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ && 1810 is_ICC_signature_char((it >> 16) & 0xff) && 1811 is_ICC_signature_char((it >> 8) & 0xff) && 1812 is_ICC_signature_char(it & 0xff); 1813 } 1814 1815 static int 1816 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace, 1817 png_const_charp name, png_alloc_size_t value, png_const_charp reason) 1818 { 1819 size_t pos; 1820 char message[196]; /* see below for calculation */ 1821 1822 if (colorspace != NULL) 1823 colorspace->flags |= PNG_COLORSPACE_INVALID; 1824 1825 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */ 1826 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */ 1827 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */ 1828 if (is_ICC_signature(value) != 0) 1829 { 1830 /* So 'value' is at most 4 bytes and the following cast is safe */ 1831 png_icc_tag_name(message+pos, (png_uint_32)value); 1832 pos += 6; /* total +8; less than the else clause */ 1833 message[pos++] = ':'; 1834 message[pos++] = ' '; 1835 } 1836 # ifdef PNG_WARNINGS_SUPPORTED 1837 else 1838 { 1839 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/ 1840 1841 pos = png_safecat(message, (sizeof message), pos, 1842 png_format_number(number, number+(sizeof number), 1843 PNG_NUMBER_FORMAT_x, value)); 1844 pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/ 1845 } 1846 # endif 1847 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */ 1848 pos = png_safecat(message, (sizeof message), pos, reason); 1849 PNG_UNUSED(pos) 1850 1851 /* This is recoverable, but make it unconditionally an app_error on write to 1852 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them 1853 * on read, with a warning, but on write unless the app turns off 1854 * application errors the PNG won't be written.) 1855 */ 1856 png_chunk_report(png_ptr, message, 1857 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR); 1858 1859 return 0; 1860 } 1861 #endif /* sRGB || iCCP */ 1862 1863 #ifdef PNG_sRGB_SUPPORTED 1864 int /* PRIVATE */ 1865 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace, 1866 int intent) 1867 { 1868 /* sRGB sets known gamma, end points and (from the chunk) intent. */ 1869 /* IMPORTANT: these are not necessarily the values found in an ICC profile 1870 * because ICC profiles store values adapted to a D50 environment; it is 1871 * expected that the ICC profile mediaWhitePointTag will be D50; see the 1872 * checks and code elsewhere to understand this better. 1873 * 1874 * These XYZ values, which are accurate to 5dp, produce rgb to gray 1875 * coefficients of (6968,23435,2366), which are reduced (because they add up 1876 * to 32769 not 32768) to (6968,23434,2366). These are the values that 1877 * libpng has traditionally used (and are the best values given the 15bit 1878 * algorithm used by the rgb to gray code.) 1879 */ 1880 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */ 1881 { 1882 /* color X Y Z */ 1883 /* red */ 41239, 21264, 1933, 1884 /* green */ 35758, 71517, 11919, 1885 /* blue */ 18048, 7219, 95053 1886 }; 1887 1888 /* Do nothing if the colorspace is already invalidated. */ 1889 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1890 return 0; 1891 1892 /* Check the intent, then check for existing settings. It is valid for the 1893 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must 1894 * be consistent with the correct values. If, however, this function is 1895 * called below because an iCCP chunk matches sRGB then it is quite 1896 * conceivable that an older app recorded incorrect gAMA and cHRM because of 1897 * an incorrect calculation based on the values in the profile - this does 1898 * *not* invalidate the profile (though it still produces an error, which can 1899 * be ignored.) 1900 */ 1901 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST) 1902 return png_icc_profile_error(png_ptr, colorspace, "sRGB", 1903 (unsigned)intent, "invalid sRGB rendering intent"); 1904 1905 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 && 1906 colorspace->rendering_intent != intent) 1907 return png_icc_profile_error(png_ptr, colorspace, "sRGB", 1908 (unsigned)intent, "inconsistent rendering intents"); 1909 1910 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0) 1911 { 1912 png_benign_error(png_ptr, "duplicate sRGB information ignored"); 1913 return 0; 1914 } 1915 1916 /* If the standard sRGB cHRM chunk does not match the one from the PNG file 1917 * warn but overwrite the value with the correct one. 1918 */ 1919 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 && 1920 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy, 1921 100)) 1922 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB", 1923 PNG_CHUNK_ERROR); 1924 1925 /* This check is just done for the error reporting - the routine always 1926 * returns true when the 'from' argument corresponds to sRGB (2). 1927 */ 1928 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE, 1929 2/*from sRGB*/); 1930 1931 /* intent: bugs in GCC force 'int' to be used as the parameter type. */ 1932 colorspace->rendering_intent = (png_uint_16)intent; 1933 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT; 1934 1935 /* endpoints */ 1936 colorspace->end_points_xy = sRGB_xy; 1937 colorspace->end_points_XYZ = sRGB_XYZ; 1938 colorspace->flags |= 1939 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB); 1940 1941 /* gamma */ 1942 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE; 1943 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA; 1944 1945 /* Finally record that we have an sRGB profile */ 1946 colorspace->flags |= 1947 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB); 1948 1949 return 1; /* set */ 1950 } 1951 #endif /* sRGB */ 1952 1953 #ifdef PNG_iCCP_SUPPORTED 1954 /* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value 1955 * is XYZ(0.9642,1.0,0.8249), which scales to: 1956 * 1957 * (63189.8112, 65536, 54060.6464) 1958 */ 1959 static const png_byte D50_nCIEXYZ[12] = 1960 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d }; 1961 1962 int /* PRIVATE */ 1963 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, 1964 png_const_charp name, png_uint_32 profile_length) 1965 { 1966 if (profile_length < 132) 1967 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 1968 "too short"); 1969 1970 return 1; 1971 } 1972 1973 int /* PRIVATE */ 1974 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace, 1975 png_const_charp name, png_uint_32 profile_length, 1976 png_const_bytep profile/* first 132 bytes only */, int color_type) 1977 { 1978 png_uint_32 temp; 1979 1980 /* Length check; this cannot be ignored in this code because profile_length 1981 * is used later to check the tag table, so even if the profile seems over 1982 * long profile_length from the caller must be correct. The caller can fix 1983 * this up on read or write by just passing in the profile header length. 1984 */ 1985 temp = png_get_uint_32(profile); 1986 if (temp != profile_length) 1987 return png_icc_profile_error(png_ptr, colorspace, name, temp, 1988 "length does not match profile"); 1989 1990 temp = (png_uint_32) (*(profile+8)); 1991 if (temp > 3 && (profile_length & 3)) 1992 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 1993 "invalid length"); 1994 1995 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */ 1996 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */ 1997 profile_length < 132+12*temp) /* truncated tag table */ 1998 return png_icc_profile_error(png_ptr, colorspace, name, temp, 1999 "tag count too large"); 2000 2001 /* The 'intent' must be valid or we can't store it, ICC limits the intent to 2002 * 16 bits. 2003 */ 2004 temp = png_get_uint_32(profile+64); 2005 if (temp >= 0xffff) /* The ICC limit */ 2006 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2007 "invalid rendering intent"); 2008 2009 /* This is just a warning because the profile may be valid in future 2010 * versions. 2011 */ 2012 if (temp >= PNG_sRGB_INTENT_LAST) 2013 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2014 "intent outside defined range"); 2015 2016 /* At this point the tag table can't be checked because it hasn't necessarily 2017 * been loaded; however, various header fields can be checked. These checks 2018 * are for values permitted by the PNG spec in an ICC profile; the PNG spec 2019 * restricts the profiles that can be passed in an iCCP chunk (they must be 2020 * appropriate to processing PNG data!) 2021 */ 2022 2023 /* Data checks (could be skipped). These checks must be independent of the 2024 * version number; however, the version number doesn't accomodate changes in 2025 * the header fields (just the known tags and the interpretation of the 2026 * data.) 2027 */ 2028 temp = png_get_uint_32(profile+36); /* signature 'ascp' */ 2029 if (temp != 0x61637370) 2030 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2031 "invalid signature"); 2032 2033 /* Currently the PCS illuminant/adopted white point (the computational 2034 * white point) are required to be D50, 2035 * however the profile contains a record of the illuminant so perhaps ICC 2036 * expects to be able to change this in the future (despite the rationale in 2037 * the introduction for using a fixed PCS adopted white.) Consequently the 2038 * following is just a warning. 2039 */ 2040 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0) 2041 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/, 2042 "PCS illuminant is not D50"); 2043 2044 /* The PNG spec requires this: 2045 * "If the iCCP chunk is present, the image samples conform to the colour 2046 * space represented by the embedded ICC profile as defined by the 2047 * International Color Consortium [ICC]. The colour space of the ICC profile 2048 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and 2049 * 6), or a greyscale colour space for greyscale images (PNG colour types 0 2050 * and 4)." 2051 * 2052 * This checking code ensures the embedded profile (on either read or write) 2053 * conforms to the specification requirements. Notice that an ICC 'gray' 2054 * color-space profile contains the information to transform the monochrome 2055 * data to XYZ or L*a*b (according to which PCS the profile uses) and this 2056 * should be used in preference to the standard libpng K channel replication 2057 * into R, G and B channels. 2058 * 2059 * Previously it was suggested that an RGB profile on grayscale data could be 2060 * handled. However it it is clear that using an RGB profile in this context 2061 * must be an error - there is no specification of what it means. Thus it is 2062 * almost certainly more correct to ignore the profile. 2063 */ 2064 temp = png_get_uint_32(profile+16); /* data colour space field */ 2065 switch (temp) 2066 { 2067 case 0x52474220: /* 'RGB ' */ 2068 if ((color_type & PNG_COLOR_MASK_COLOR) == 0) 2069 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2070 "RGB color space not permitted on grayscale PNG"); 2071 break; 2072 2073 case 0x47524159: /* 'GRAY' */ 2074 if ((color_type & PNG_COLOR_MASK_COLOR) != 0) 2075 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2076 "Gray color space not permitted on RGB PNG"); 2077 break; 2078 2079 default: 2080 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2081 "invalid ICC profile color space"); 2082 } 2083 2084 /* It is up to the application to check that the profile class matches the 2085 * application requirements; the spec provides no guidance, but it's pretty 2086 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer 2087 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these 2088 * cases. Issue an error for device link or abstract profiles - these don't 2089 * contain the records necessary to transform the color-space to anything 2090 * other than the target device (and not even that for an abstract profile). 2091 * Profiles of these classes may not be embedded in images. 2092 */ 2093 temp = png_get_uint_32(profile+12); /* profile/device class */ 2094 switch (temp) 2095 { 2096 case 0x73636e72: /* 'scnr' */ 2097 case 0x6d6e7472: /* 'mntr' */ 2098 case 0x70727472: /* 'prtr' */ 2099 case 0x73706163: /* 'spac' */ 2100 /* All supported */ 2101 break; 2102 2103 case 0x61627374: /* 'abst' */ 2104 /* May not be embedded in an image */ 2105 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2106 "invalid embedded Abstract ICC profile"); 2107 2108 case 0x6c696e6b: /* 'link' */ 2109 /* DeviceLink profiles cannot be interpreted in a non-device specific 2110 * fashion, if an app uses the AToB0Tag in the profile the results are 2111 * undefined unless the result is sent to the intended device, 2112 * therefore a DeviceLink profile should not be found embedded in a 2113 * PNG. 2114 */ 2115 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2116 "unexpected DeviceLink ICC profile class"); 2117 2118 case 0x6e6d636c: /* 'nmcl' */ 2119 /* A NamedColor profile is also device specific, however it doesn't 2120 * contain an AToB0 tag that is open to misinterpretation. Almost 2121 * certainly it will fail the tests below. 2122 */ 2123 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2124 "unexpected NamedColor ICC profile class"); 2125 break; 2126 2127 default: 2128 /* To allow for future enhancements to the profile accept unrecognized 2129 * profile classes with a warning, these then hit the test below on the 2130 * tag content to ensure they are backward compatible with one of the 2131 * understood profiles. 2132 */ 2133 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2134 "unrecognized ICC profile class"); 2135 break; 2136 } 2137 2138 /* For any profile other than a device link one the PCS must be encoded 2139 * either in XYZ or Lab. 2140 */ 2141 temp = png_get_uint_32(profile+20); 2142 switch (temp) 2143 { 2144 case 0x58595a20: /* 'XYZ ' */ 2145 case 0x4c616220: /* 'Lab ' */ 2146 break; 2147 2148 default: 2149 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2150 "unexpected ICC PCS encoding"); 2151 } 2152 2153 return 1; 2154 } 2155 2156 int /* PRIVATE */ 2157 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace, 2158 png_const_charp name, png_uint_32 profile_length, 2159 png_const_bytep profile /* header plus whole tag table */) 2160 { 2161 png_uint_32 tag_count = png_get_uint_32(profile+128); 2162 png_uint_32 itag; 2163 png_const_bytep tag = profile+132; /* The first tag */ 2164 2165 /* First scan all the tags in the table and add bits to the icc_info value 2166 * (temporarily in 'tags'). 2167 */ 2168 for (itag=0; itag < tag_count; ++itag, tag += 12) 2169 { 2170 png_uint_32 tag_id = png_get_uint_32(tag+0); 2171 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */ 2172 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */ 2173 2174 /* The ICC specification does not exclude zero length tags, therefore the 2175 * start might actually be anywhere if there is no data, but this would be 2176 * a clear abuse of the intent of the standard so the start is checked for 2177 * being in range. All defined tag types have an 8 byte header - a 4 byte 2178 * type signature then 0. 2179 */ 2180 if ((tag_start & 3) != 0) 2181 { 2182 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this, it is 2183 * only a warning here because libpng does not care about the 2184 * alignment. 2185 */ 2186 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id, 2187 "ICC profile tag start not a multiple of 4"); 2188 } 2189 2190 /* This is a hard error; potentially it can cause read outside the 2191 * profile. 2192 */ 2193 if (tag_start > profile_length || tag_length > profile_length - tag_start) 2194 return png_icc_profile_error(png_ptr, colorspace, name, tag_id, 2195 "ICC profile tag outside profile"); 2196 } 2197 2198 return 1; /* success, maybe with warnings */ 2199 } 2200 2201 #ifdef PNG_sRGB_SUPPORTED 2202 #if PNG_sRGB_PROFILE_CHECKS >= 0 2203 /* Information about the known ICC sRGB profiles */ 2204 static const struct 2205 { 2206 png_uint_32 adler, crc, length; 2207 png_uint_32 md5[4]; 2208 png_byte have_md5; 2209 png_byte is_broken; 2210 png_uint_16 intent; 2211 2212 # define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0) 2213 # define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\ 2214 { adler, crc, length, md5, broke, intent }, 2215 2216 } png_sRGB_checks[] = 2217 { 2218 /* This data comes from contrib/tools/checksum-icc run on downloads of 2219 * all four ICC sRGB profiles from www.color.org. 2220 */ 2221 /* adler32, crc32, MD5[4], intent, date, length, file-name */ 2222 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9, 2223 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0, 2224 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc") 2225 2226 /* ICC sRGB v2 perceptual no black-compensation: */ 2227 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21, 2228 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0, 2229 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc") 2230 2231 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae, 2232 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0, 2233 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc") 2234 2235 /* ICC sRGB v4 perceptual */ 2236 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812, 2237 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0, 2238 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc") 2239 2240 /* The following profiles have no known MD5 checksum. If there is a match 2241 * on the (empty) MD5 the other fields are used to attempt a match and 2242 * a warning is produced. The first two of these profiles have a 'cprt' tag 2243 * which suggests that they were also made by Hewlett Packard. 2244 */ 2245 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce, 2246 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0, 2247 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc") 2248 2249 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not 2250 * match the D50 PCS illuminant in the header (it is in fact the D65 values, 2251 * so the white point is recorded as the un-adapted value.) The profiles 2252 * below only differ in one byte - the intent - and are basically the same as 2253 * the previous profile except for the mediaWhitePointTag error and a missing 2254 * chromaticAdaptationTag. 2255 */ 2256 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552, 2257 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/, 2258 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual") 2259 2260 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d, 2261 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/, 2262 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative") 2263 }; 2264 2265 static int 2266 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr, 2267 png_const_bytep profile, uLong adler) 2268 { 2269 /* The quick check is to verify just the MD5 signature and trust the 2270 * rest of the data. Because the profile has already been verified for 2271 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent' 2272 * field too, so if the profile has been edited with an intent not defined 2273 * by sRGB (but maybe defined by a later ICC specification) the read of 2274 * the profile will fail at that point. 2275 */ 2276 2277 png_uint_32 length = 0; 2278 png_uint_32 intent = 0x10000; /* invalid */ 2279 #if PNG_sRGB_PROFILE_CHECKS > 1 2280 uLong crc = 0; /* the value for 0 length data */ 2281 #endif 2282 unsigned int i; 2283 2284 #ifdef PNG_SET_OPTION_SUPPORTED 2285 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */ 2286 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) == 2287 PNG_OPTION_ON) 2288 return 0; 2289 #endif 2290 2291 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i) 2292 { 2293 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] && 2294 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] && 2295 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] && 2296 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3]) 2297 { 2298 /* This may be one of the old HP profiles without an MD5, in that 2299 * case we can only use the length and Adler32 (note that these 2300 * are not used by default if there is an MD5!) 2301 */ 2302 # if PNG_sRGB_PROFILE_CHECKS == 0 2303 if (png_sRGB_checks[i].have_md5 != 0) 2304 return 1+png_sRGB_checks[i].is_broken; 2305 # endif 2306 2307 /* Profile is unsigned or more checks have been configured in. */ 2308 if (length == 0) 2309 { 2310 length = png_get_uint_32(profile); 2311 intent = png_get_uint_32(profile+64); 2312 } 2313 2314 /* Length *and* intent must match */ 2315 if (length == (png_uint_32) png_sRGB_checks[i].length && 2316 intent == (png_uint_32) png_sRGB_checks[i].intent) 2317 { 2318 /* Now calculate the adler32 if not done already. */ 2319 if (adler == 0) 2320 { 2321 adler = adler32(0, NULL, 0); 2322 adler = adler32(adler, profile, length); 2323 } 2324 2325 if (adler == png_sRGB_checks[i].adler) 2326 { 2327 /* These basic checks suggest that the data has not been 2328 * modified, but if the check level is more than 1 perform 2329 * our own crc32 checksum on the data. 2330 */ 2331 # if PNG_sRGB_PROFILE_CHECKS > 1 2332 if (crc == 0) 2333 { 2334 crc = crc32(0, NULL, 0); 2335 crc = crc32(crc, profile, length); 2336 } 2337 2338 /* So this check must pass for the 'return' below to happen. 2339 */ 2340 if (crc == png_sRGB_checks[i].crc) 2341 # endif 2342 { 2343 if (png_sRGB_checks[i].is_broken != 0) 2344 { 2345 /* These profiles are known to have bad data that may cause 2346 * problems if they are used, therefore attempt to 2347 * discourage their use, skip the 'have_md5' warning below, 2348 * which is made irrelevant by this error. 2349 */ 2350 png_chunk_report(png_ptr, "known incorrect sRGB profile", 2351 PNG_CHUNK_ERROR); 2352 } 2353 2354 /* Warn that this being done; this isn't even an error since 2355 * the profile is perfectly valid, but it would be nice if 2356 * people used the up-to-date ones. 2357 */ 2358 else if (png_sRGB_checks[i].have_md5 == 0) 2359 { 2360 png_chunk_report(png_ptr, 2361 "out-of-date sRGB profile with no signature", 2362 PNG_CHUNK_WARNING); 2363 } 2364 2365 return 1+png_sRGB_checks[i].is_broken; 2366 } 2367 } 2368 2369 # if PNG_sRGB_PROFILE_CHECKS > 0 2370 /* The signature matched, but the profile had been changed in some 2371 * way. This probably indicates a data error or uninformed hacking. 2372 * Fall through to "no match". 2373 */ 2374 png_chunk_report(png_ptr, 2375 "Not recognizing known sRGB profile that has been edited", 2376 PNG_CHUNK_WARNING); 2377 break; 2378 # endif 2379 } 2380 } 2381 } 2382 2383 return 0; /* no match */ 2384 } 2385 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */ 2386 2387 void /* PRIVATE */ 2388 png_icc_set_sRGB(png_const_structrp png_ptr, 2389 png_colorspacerp colorspace, png_const_bytep profile, uLong adler) 2390 { 2391 /* Is this profile one of the known ICC sRGB profiles? If it is, just set 2392 * the sRGB information. 2393 */ 2394 #if PNG_sRGB_PROFILE_CHECKS >= 0 2395 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0) 2396 #endif 2397 (void)png_colorspace_set_sRGB(png_ptr, colorspace, 2398 (int)/*already checked*/png_get_uint_32(profile+64)); 2399 } 2400 #endif /* sRGB */ 2401 2402 int /* PRIVATE */ 2403 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace, 2404 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile, 2405 int color_type) 2406 { 2407 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 2408 return 0; 2409 2410 if (png_icc_check_length(png_ptr, colorspace, name, profile_length) != 0 && 2411 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile, 2412 color_type) != 0 && 2413 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length, 2414 profile) != 0) 2415 { 2416 # ifdef PNG_sRGB_SUPPORTED 2417 /* If no sRGB support, don't try storing sRGB information */ 2418 png_icc_set_sRGB(png_ptr, colorspace, profile, 0); 2419 # endif 2420 return 1; 2421 } 2422 2423 /* Failure case */ 2424 return 0; 2425 } 2426 #endif /* iCCP */ 2427 2428 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED 2429 void /* PRIVATE */ 2430 png_colorspace_set_rgb_coefficients(png_structrp png_ptr) 2431 { 2432 /* Set the rgb_to_gray coefficients from the colorspace. */ 2433 if (png_ptr->rgb_to_gray_coefficients_set == 0 && 2434 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 2435 { 2436 /* png_set_background has not been called, get the coefficients from the Y 2437 * values of the colorspace colorants. 2438 */ 2439 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y; 2440 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y; 2441 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y; 2442 png_fixed_point total = r+g+b; 2443 2444 if (total > 0 && 2445 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 && 2446 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 && 2447 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 && 2448 r+g+b <= 32769) 2449 { 2450 /* We allow 0 coefficients here. r+g+b may be 32769 if two or 2451 * all of the coefficients were rounded up. Handle this by 2452 * reducing the *largest* coefficient by 1; this matches the 2453 * approach used for the default coefficients in pngrtran.c 2454 */ 2455 int add = 0; 2456 2457 if (r+g+b > 32768) 2458 add = -1; 2459 else if (r+g+b < 32768) 2460 add = 1; 2461 2462 if (add != 0) 2463 { 2464 if (g >= r && g >= b) 2465 g += add; 2466 else if (r >= g && r >= b) 2467 r += add; 2468 else 2469 b += add; 2470 } 2471 2472 /* Check for an internal error. */ 2473 if (r+g+b != 32768) 2474 png_error(png_ptr, 2475 "internal error handling cHRM coefficients"); 2476 2477 else 2478 { 2479 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r; 2480 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g; 2481 } 2482 } 2483 2484 /* This is a png_error at present even though it could be ignored - 2485 * it should never happen, but it is important that if it does, the 2486 * bug is fixed. 2487 */ 2488 else 2489 png_error(png_ptr, "internal error handling cHRM->XYZ"); 2490 } 2491 } 2492 #endif /* READ_RGB_TO_GRAY */ 2493 2494 #endif /* COLORSPACE */ 2495 2496 #ifdef __GNUC__ 2497 /* This exists solely to work round a warning from GNU C. */ 2498 static int /* PRIVATE */ 2499 png_gt(size_t a, size_t b) 2500 { 2501 return a > b; 2502 } 2503 #else 2504 # define png_gt(a,b) ((a) > (b)) 2505 #endif 2506 2507 void /* PRIVATE */ 2508 png_check_IHDR(png_const_structrp png_ptr, 2509 png_uint_32 width, png_uint_32 height, int bit_depth, 2510 int color_type, int interlace_type, int compression_type, 2511 int filter_type) 2512 { 2513 int error = 0; 2514 2515 /* Check for width and height valid values */ 2516 if (width == 0) 2517 { 2518 png_warning(png_ptr, "Image width is zero in IHDR"); 2519 error = 1; 2520 } 2521 2522 if (width > PNG_UINT_31_MAX) 2523 { 2524 png_warning(png_ptr, "Invalid image width in IHDR"); 2525 error = 1; 2526 } 2527 2528 if (png_gt(((width + 7) & (~7)), 2529 ((PNG_SIZE_MAX 2530 - 48 /* big_row_buf hack */ 2531 - 1) /* filter byte */ 2532 / 8) /* 8-byte RGBA pixels */ 2533 - 1)) /* extra max_pixel_depth pad */ 2534 { 2535 /* The size of the row must be within the limits of this architecture. 2536 * Because the read code can perform arbitrary transformations the 2537 * maximum size is checked here. Because the code in png_read_start_row 2538 * adds extra space "for safety's sake" in several places a conservative 2539 * limit is used here. 2540 * 2541 * NOTE: it would be far better to check the size that is actually used, 2542 * but the effect in the real world is minor and the changes are more 2543 * extensive, therefore much more dangerous and much more difficult to 2544 * write in a way that avoids compiler warnings. 2545 */ 2546 png_warning(png_ptr, "Image width is too large for this architecture"); 2547 error = 1; 2548 } 2549 2550 #ifdef PNG_SET_USER_LIMITS_SUPPORTED 2551 if (width > png_ptr->user_width_max) 2552 #else 2553 if (width > PNG_USER_WIDTH_MAX) 2554 #endif 2555 { 2556 png_warning(png_ptr, "Image width exceeds user limit in IHDR"); 2557 error = 1; 2558 } 2559 2560 if (height == 0) 2561 { 2562 png_warning(png_ptr, "Image height is zero in IHDR"); 2563 error = 1; 2564 } 2565 2566 if (height > PNG_UINT_31_MAX) 2567 { 2568 png_warning(png_ptr, "Invalid image height in IHDR"); 2569 error = 1; 2570 } 2571 2572 #ifdef PNG_SET_USER_LIMITS_SUPPORTED 2573 if (height > png_ptr->user_height_max) 2574 #else 2575 if (height > PNG_USER_HEIGHT_MAX) 2576 #endif 2577 { 2578 png_warning(png_ptr, "Image height exceeds user limit in IHDR"); 2579 error = 1; 2580 } 2581 2582 /* Check other values */ 2583 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && 2584 bit_depth != 8 && bit_depth != 16) 2585 { 2586 png_warning(png_ptr, "Invalid bit depth in IHDR"); 2587 error = 1; 2588 } 2589 2590 if (color_type < 0 || color_type == 1 || 2591 color_type == 5 || color_type > 6) 2592 { 2593 png_warning(png_ptr, "Invalid color type in IHDR"); 2594 error = 1; 2595 } 2596 2597 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) || 2598 ((color_type == PNG_COLOR_TYPE_RGB || 2599 color_type == PNG_COLOR_TYPE_GRAY_ALPHA || 2600 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8)) 2601 { 2602 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR"); 2603 error = 1; 2604 } 2605 2606 if (interlace_type >= PNG_INTERLACE_LAST) 2607 { 2608 png_warning(png_ptr, "Unknown interlace method in IHDR"); 2609 error = 1; 2610 } 2611 2612 if (compression_type != PNG_COMPRESSION_TYPE_BASE) 2613 { 2614 png_warning(png_ptr, "Unknown compression method in IHDR"); 2615 error = 1; 2616 } 2617 2618 #ifdef PNG_MNG_FEATURES_SUPPORTED 2619 /* Accept filter_method 64 (intrapixel differencing) only if 2620 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and 2621 * 2. Libpng did not read a PNG signature (this filter_method is only 2622 * used in PNG datastreams that are embedded in MNG datastreams) and 2623 * 3. The application called png_permit_mng_features with a mask that 2624 * included PNG_FLAG_MNG_FILTER_64 and 2625 * 4. The filter_method is 64 and 2626 * 5. The color_type is RGB or RGBA 2627 */ 2628 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 && 2629 png_ptr->mng_features_permitted != 0) 2630 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream"); 2631 2632 if (filter_type != PNG_FILTER_TYPE_BASE) 2633 { 2634 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 && 2635 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) && 2636 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) && 2637 (color_type == PNG_COLOR_TYPE_RGB || 2638 color_type == PNG_COLOR_TYPE_RGB_ALPHA))) 2639 { 2640 png_warning(png_ptr, "Unknown filter method in IHDR"); 2641 error = 1; 2642 } 2643 2644 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0) 2645 { 2646 png_warning(png_ptr, "Invalid filter method in IHDR"); 2647 error = 1; 2648 } 2649 } 2650 2651 #else 2652 if (filter_type != PNG_FILTER_TYPE_BASE) 2653 { 2654 png_warning(png_ptr, "Unknown filter method in IHDR"); 2655 error = 1; 2656 } 2657 #endif 2658 2659 if (error == 1) 2660 png_error(png_ptr, "Invalid IHDR data"); 2661 } 2662 2663 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED) 2664 /* ASCII to fp functions */ 2665 /* Check an ASCII formated floating point value, see the more detailed 2666 * comments in pngpriv.h 2667 */ 2668 /* The following is used internally to preserve the sticky flags */ 2669 #define png_fp_add(state, flags) ((state) |= (flags)) 2670 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY)) 2671 2672 int /* PRIVATE */ 2673 png_check_fp_number(png_const_charp string, png_size_t size, int *statep, 2674 png_size_tp whereami) 2675 { 2676 int state = *statep; 2677 png_size_t i = *whereami; 2678 2679 while (i < size) 2680 { 2681 int type; 2682 /* First find the type of the next character */ 2683 switch (string[i]) 2684 { 2685 case 43: type = PNG_FP_SAW_SIGN; break; 2686 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break; 2687 case 46: type = PNG_FP_SAW_DOT; break; 2688 case 48: type = PNG_FP_SAW_DIGIT; break; 2689 case 49: case 50: case 51: case 52: 2690 case 53: case 54: case 55: case 56: 2691 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break; 2692 case 69: 2693 case 101: type = PNG_FP_SAW_E; break; 2694 default: goto PNG_FP_End; 2695 } 2696 2697 /* Now deal with this type according to the current 2698 * state, the type is arranged to not overlap the 2699 * bits of the PNG_FP_STATE. 2700 */ 2701 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY)) 2702 { 2703 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN: 2704 if ((state & PNG_FP_SAW_ANY) != 0) 2705 goto PNG_FP_End; /* not a part of the number */ 2706 2707 png_fp_add(state, type); 2708 break; 2709 2710 case PNG_FP_INTEGER + PNG_FP_SAW_DOT: 2711 /* Ok as trailer, ok as lead of fraction. */ 2712 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */ 2713 goto PNG_FP_End; 2714 2715 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */ 2716 png_fp_add(state, type); 2717 2718 else 2719 png_fp_set(state, PNG_FP_FRACTION | type); 2720 2721 break; 2722 2723 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT: 2724 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */ 2725 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT); 2726 2727 png_fp_add(state, type | PNG_FP_WAS_VALID); 2728 2729 break; 2730 2731 case PNG_FP_INTEGER + PNG_FP_SAW_E: 2732 if ((state & PNG_FP_SAW_DIGIT) == 0) 2733 goto PNG_FP_End; 2734 2735 png_fp_set(state, PNG_FP_EXPONENT); 2736 2737 break; 2738 2739 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN: 2740 goto PNG_FP_End; ** no sign in fraction */ 2741 2742 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT: 2743 goto PNG_FP_End; ** Because SAW_DOT is always set */ 2744 2745 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT: 2746 png_fp_add(state, type | PNG_FP_WAS_VALID); 2747 break; 2748 2749 case PNG_FP_FRACTION + PNG_FP_SAW_E: 2750 /* This is correct because the trailing '.' on an 2751 * integer is handled above - so we can only get here 2752 * with the sequence ".E" (with no preceding digits). 2753 */ 2754 if ((state & PNG_FP_SAW_DIGIT) == 0) 2755 goto PNG_FP_End; 2756 2757 png_fp_set(state, PNG_FP_EXPONENT); 2758 2759 break; 2760 2761 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN: 2762 if ((state & PNG_FP_SAW_ANY) != 0) 2763 goto PNG_FP_End; /* not a part of the number */ 2764 2765 png_fp_add(state, PNG_FP_SAW_SIGN); 2766 2767 break; 2768 2769 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT: 2770 goto PNG_FP_End; */ 2771 2772 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT: 2773 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID); 2774 2775 break; 2776 2777 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E: 2778 goto PNG_FP_End; */ 2779 2780 default: goto PNG_FP_End; /* I.e. break 2 */ 2781 } 2782 2783 /* The character seems ok, continue. */ 2784 ++i; 2785 } 2786 2787 PNG_FP_End: 2788 /* Here at the end, update the state and return the correct 2789 * return code. 2790 */ 2791 *statep = state; 2792 *whereami = i; 2793 2794 return (state & PNG_FP_SAW_DIGIT) != 0; 2795 } 2796 2797 2798 /* The same but for a complete string. */ 2799 int 2800 png_check_fp_string(png_const_charp string, png_size_t size) 2801 { 2802 int state=0; 2803 png_size_t char_index=0; 2804 2805 if (png_check_fp_number(string, size, &state, &char_index) != 0 && 2806 (char_index == size || string[char_index] == 0)) 2807 return state /* must be non-zero - see above */; 2808 2809 return 0; /* i.e. fail */ 2810 } 2811 #endif /* pCAL || sCAL */ 2812 2813 #ifdef PNG_sCAL_SUPPORTED 2814 # ifdef PNG_FLOATING_POINT_SUPPORTED 2815 /* Utility used below - a simple accurate power of ten from an integral 2816 * exponent. 2817 */ 2818 static double 2819 png_pow10(int power) 2820 { 2821 int recip = 0; 2822 double d = 1; 2823 2824 /* Handle negative exponent with a reciprocal at the end because 2825 * 10 is exact whereas .1 is inexact in base 2 2826 */ 2827 if (power < 0) 2828 { 2829 if (power < DBL_MIN_10_EXP) return 0; 2830 recip = 1, power = -power; 2831 } 2832 2833 if (power > 0) 2834 { 2835 /* Decompose power bitwise. */ 2836 double mult = 10; 2837 do 2838 { 2839 if (power & 1) d *= mult; 2840 mult *= mult; 2841 power >>= 1; 2842 } 2843 while (power > 0); 2844 2845 if (recip != 0) d = 1/d; 2846 } 2847 /* else power is 0 and d is 1 */ 2848 2849 return d; 2850 } 2851 2852 /* Function to format a floating point value in ASCII with a given 2853 * precision. 2854 */ 2855 void /* PRIVATE */ 2856 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size, 2857 double fp, unsigned int precision) 2858 { 2859 /* We use standard functions from math.h, but not printf because 2860 * that would require stdio. The caller must supply a buffer of 2861 * sufficient size or we will png_error. The tests on size and 2862 * the space in ascii[] consumed are indicated below. 2863 */ 2864 if (precision < 1) 2865 precision = DBL_DIG; 2866 2867 /* Enforce the limit of the implementation precision too. */ 2868 if (precision > DBL_DIG+1) 2869 precision = DBL_DIG+1; 2870 2871 /* Basic sanity checks */ 2872 if (size >= precision+5) /* See the requirements below. */ 2873 { 2874 if (fp < 0) 2875 { 2876 fp = -fp; 2877 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */ 2878 --size; 2879 } 2880 2881 if (fp >= DBL_MIN && fp <= DBL_MAX) 2882 { 2883 int exp_b10; /* A base 10 exponent */ 2884 double base; /* 10^exp_b10 */ 2885 2886 /* First extract a base 10 exponent of the number, 2887 * the calculation below rounds down when converting 2888 * from base 2 to base 10 (multiply by log10(2) - 2889 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to 2890 * be increased. Note that the arithmetic shift 2891 * performs a floor() unlike C arithmetic - using a 2892 * C multiply would break the following for negative 2893 * exponents. 2894 */ 2895 (void)frexp(fp, &exp_b10); /* exponent to base 2 */ 2896 2897 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */ 2898 2899 /* Avoid underflow here. */ 2900 base = png_pow10(exp_b10); /* May underflow */ 2901 2902 while (base < DBL_MIN || base < fp) 2903 { 2904 /* And this may overflow. */ 2905 double test = png_pow10(exp_b10+1); 2906 2907 if (test <= DBL_MAX) 2908 ++exp_b10, base = test; 2909 2910 else 2911 break; 2912 } 2913 2914 /* Normalize fp and correct exp_b10, after this fp is in the 2915 * range [.1,1) and exp_b10 is both the exponent and the digit 2916 * *before* which the decimal point should be inserted 2917 * (starting with 0 for the first digit). Note that this 2918 * works even if 10^exp_b10 is out of range because of the 2919 * test on DBL_MAX above. 2920 */ 2921 fp /= base; 2922 while (fp >= 1) fp /= 10, ++exp_b10; 2923 2924 /* Because of the code above fp may, at this point, be 2925 * less than .1, this is ok because the code below can 2926 * handle the leading zeros this generates, so no attempt 2927 * is made to correct that here. 2928 */ 2929 2930 { 2931 unsigned int czero, clead, cdigits; 2932 char exponent[10]; 2933 2934 /* Allow up to two leading zeros - this will not lengthen 2935 * the number compared to using E-n. 2936 */ 2937 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */ 2938 { 2939 czero = -exp_b10; /* PLUS 2 digits: TOTAL 3 */ 2940 exp_b10 = 0; /* Dot added below before first output. */ 2941 } 2942 else 2943 czero = 0; /* No zeros to add */ 2944 2945 /* Generate the digit list, stripping trailing zeros and 2946 * inserting a '.' before a digit if the exponent is 0. 2947 */ 2948 clead = czero; /* Count of leading zeros */ 2949 cdigits = 0; /* Count of digits in list. */ 2950 2951 do 2952 { 2953 double d; 2954 2955 fp *= 10; 2956 /* Use modf here, not floor and subtract, so that 2957 * the separation is done in one step. At the end 2958 * of the loop don't break the number into parts so 2959 * that the final digit is rounded. 2960 */ 2961 if (cdigits+czero+1 < precision+clead) 2962 fp = modf(fp, &d); 2963 2964 else 2965 { 2966 d = floor(fp + .5); 2967 2968 if (d > 9) 2969 { 2970 /* Rounding up to 10, handle that here. */ 2971 if (czero > 0) 2972 { 2973 --czero, d = 1; 2974 if (cdigits == 0) --clead; 2975 } 2976 else 2977 { 2978 while (cdigits > 0 && d > 9) 2979 { 2980 int ch = *--ascii; 2981 2982 if (exp_b10 != (-1)) 2983 ++exp_b10; 2984 2985 else if (ch == 46) 2986 { 2987 ch = *--ascii, ++size; 2988 /* Advance exp_b10 to '1', so that the 2989 * decimal point happens after the 2990 * previous digit. 2991 */ 2992 exp_b10 = 1; 2993 } 2994 2995 --cdigits; 2996 d = ch - 47; /* I.e. 1+(ch-48) */ 2997 } 2998 2999 /* Did we reach the beginning? If so adjust the 3000 * exponent but take into account the leading 3001 * decimal point. 3002 */ 3003 if (d > 9) /* cdigits == 0 */ 3004 { 3005 if (exp_b10 == (-1)) 3006 { 3007 /* Leading decimal point (plus zeros?), if 3008 * we lose the decimal point here it must 3009 * be reentered below. 3010 */ 3011 int ch = *--ascii; 3012 3013 if (ch == 46) 3014 ++size, exp_b10 = 1; 3015 3016 /* Else lost a leading zero, so 'exp_b10' is 3017 * still ok at (-1) 3018 */ 3019 } 3020 else 3021 ++exp_b10; 3022 3023 /* In all cases we output a '1' */ 3024 d = 1; 3025 } 3026 } 3027 } 3028 fp = 0; /* Guarantees termination below. */ 3029 } 3030 3031 if (d == 0) 3032 { 3033 ++czero; 3034 if (cdigits == 0) ++clead; 3035 } 3036 else 3037 { 3038 /* Included embedded zeros in the digit count. */ 3039 cdigits += czero - clead; 3040 clead = 0; 3041 3042 while (czero > 0) 3043 { 3044 /* exp_b10 == (-1) means we just output the decimal 3045 * place - after the DP don't adjust 'exp_b10' any 3046 * more! 3047 */ 3048 if (exp_b10 != (-1)) 3049 { 3050 if (exp_b10 == 0) *ascii++ = 46, --size; 3051 /* PLUS 1: TOTAL 4 */ 3052 --exp_b10; 3053 } 3054 *ascii++ = 48, --czero; 3055 } 3056 3057 if (exp_b10 != (-1)) 3058 { 3059 if (exp_b10 == 0) 3060 *ascii++ = 46, --size; /* counted above */ 3061 3062 --exp_b10; 3063 } 3064 *ascii++ = (char)(48 + (int)d), ++cdigits; 3065 } 3066 } 3067 while (cdigits+czero < precision+clead && fp > DBL_MIN); 3068 3069 /* The total output count (max) is now 4+precision */ 3070 3071 /* Check for an exponent, if we don't need one we are 3072 * done and just need to terminate the string. At 3073 * this point exp_b10==(-1) is effectively if flag - it got 3074 * to '-1' because of the decrement after outputting 3075 * the decimal point above (the exponent required is 3076 * *not* -1!) 3077 */ 3078 if (exp_b10 >= (-1) && exp_b10 <= 2) 3079 { 3080 /* The following only happens if we didn't output the 3081 * leading zeros above for negative exponent, so this 3082 * doesn't add to the digit requirement. Note that the 3083 * two zeros here can only be output if the two leading 3084 * zeros were *not* output, so this doesn't increase 3085 * the output count. 3086 */ 3087 while (--exp_b10 >= 0) *ascii++ = 48; 3088 3089 *ascii = 0; 3090 3091 /* Total buffer requirement (including the '\0') is 3092 * 5+precision - see check at the start. 3093 */ 3094 return; 3095 } 3096 3097 /* Here if an exponent is required, adjust size for 3098 * the digits we output but did not count. The total 3099 * digit output here so far is at most 1+precision - no 3100 * decimal point and no leading or trailing zeros have 3101 * been output. 3102 */ 3103 size -= cdigits; 3104 3105 *ascii++ = 69, --size; /* 'E': PLUS 1 TOTAL 2+precision */ 3106 3107 /* The following use of an unsigned temporary avoids ambiguities in 3108 * the signed arithmetic on exp_b10 and permits GCC at least to do 3109 * better optimization. 3110 */ 3111 { 3112 unsigned int uexp_b10; 3113 3114 if (exp_b10 < 0) 3115 { 3116 *ascii++ = 45, --size; /* '-': PLUS 1 TOTAL 3+precision */ 3117 uexp_b10 = -exp_b10; 3118 } 3119 3120 else 3121 uexp_b10 = exp_b10; 3122 3123 cdigits = 0; 3124 3125 while (uexp_b10 > 0) 3126 { 3127 exponent[cdigits++] = (char)(48 + uexp_b10 % 10); 3128 uexp_b10 /= 10; 3129 } 3130 } 3131 3132 /* Need another size check here for the exponent digits, so 3133 * this need not be considered above. 3134 */ 3135 if (size > cdigits) 3136 { 3137 while (cdigits > 0) *ascii++ = exponent[--cdigits]; 3138 3139 *ascii = 0; 3140 3141 return; 3142 } 3143 } 3144 } 3145 else if (!(fp >= DBL_MIN)) 3146 { 3147 *ascii++ = 48; /* '0' */ 3148 *ascii = 0; 3149 return; 3150 } 3151 else 3152 { 3153 *ascii++ = 105; /* 'i' */ 3154 *ascii++ = 110; /* 'n' */ 3155 *ascii++ = 102; /* 'f' */ 3156 *ascii = 0; 3157 return; 3158 } 3159 } 3160 3161 /* Here on buffer too small. */ 3162 png_error(png_ptr, "ASCII conversion buffer too small"); 3163 } 3164 3165 # endif /* FLOATING_POINT */ 3166 3167 # ifdef PNG_FIXED_POINT_SUPPORTED 3168 /* Function to format a fixed point value in ASCII. 3169 */ 3170 void /* PRIVATE */ 3171 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii, 3172 png_size_t size, png_fixed_point fp) 3173 { 3174 /* Require space for 10 decimal digits, a decimal point, a minus sign and a 3175 * trailing \0, 13 characters: 3176 */ 3177 if (size > 12) 3178 { 3179 png_uint_32 num; 3180 3181 /* Avoid overflow here on the minimum integer. */ 3182 if (fp < 0) 3183 *ascii++ = 45, num = -fp; 3184 else 3185 num = fp; 3186 3187 if (num <= 0x80000000) /* else overflowed */ 3188 { 3189 unsigned int ndigits = 0, first = 16 /* flag value */; 3190 char digits[10]; 3191 3192 while (num) 3193 { 3194 /* Split the low digit off num: */ 3195 unsigned int tmp = num/10; 3196 num -= tmp*10; 3197 digits[ndigits++] = (char)(48 + num); 3198 /* Record the first non-zero digit, note that this is a number 3199 * starting at 1, it's not actually the array index. 3200 */ 3201 if (first == 16 && num > 0) 3202 first = ndigits; 3203 num = tmp; 3204 } 3205 3206 if (ndigits > 0) 3207 { 3208 while (ndigits > 5) *ascii++ = digits[--ndigits]; 3209 /* The remaining digits are fractional digits, ndigits is '5' or 3210 * smaller at this point. It is certainly not zero. Check for a 3211 * non-zero fractional digit: 3212 */ 3213 if (first <= 5) 3214 { 3215 unsigned int i; 3216 *ascii++ = 46; /* decimal point */ 3217 /* ndigits may be <5 for small numbers, output leading zeros 3218 * then ndigits digits to first: 3219 */ 3220 i = 5; 3221 while (ndigits < i) *ascii++ = 48, --i; 3222 while (ndigits >= first) *ascii++ = digits[--ndigits]; 3223 /* Don't output the trailing zeros! */ 3224 } 3225 } 3226 else 3227 *ascii++ = 48; 3228 3229 /* And null terminate the string: */ 3230 *ascii = 0; 3231 return; 3232 } 3233 } 3234 3235 /* Here on buffer too small. */ 3236 png_error(png_ptr, "ASCII conversion buffer too small"); 3237 } 3238 # endif /* FIXED_POINT */ 3239 #endif /* SCAL */ 3240 3241 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \ 3242 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \ 3243 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \ 3244 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 3245 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \ 3246 (defined(PNG_sCAL_SUPPORTED) && \ 3247 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED)) 3248 png_fixed_point 3249 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text) 3250 { 3251 double r = floor(100000 * fp + .5); 3252 3253 if (r > 2147483647. || r < -2147483648.) 3254 png_fixed_error(png_ptr, text); 3255 3256 # ifndef PNG_ERROR_TEXT_SUPPORTED 3257 PNG_UNUSED(text) 3258 # endif 3259 3260 return (png_fixed_point)r; 3261 } 3262 #endif 3263 3264 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\ 3265 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED) 3266 /* muldiv functions */ 3267 /* This API takes signed arguments and rounds the result to the nearest 3268 * integer (or, for a fixed point number - the standard argument - to 3269 * the nearest .00001). Overflow and divide by zero are signalled in 3270 * the result, a boolean - true on success, false on overflow. 3271 */ 3272 int 3273 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times, 3274 png_int_32 divisor) 3275 { 3276 /* Return a * times / divisor, rounded. */ 3277 if (divisor != 0) 3278 { 3279 if (a == 0 || times == 0) 3280 { 3281 *res = 0; 3282 return 1; 3283 } 3284 else 3285 { 3286 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3287 double r = a; 3288 r *= times; 3289 r /= divisor; 3290 r = floor(r+.5); 3291 3292 /* A png_fixed_point is a 32-bit integer. */ 3293 if (r <= 2147483647. && r >= -2147483648.) 3294 { 3295 *res = (png_fixed_point)r; 3296 return 1; 3297 } 3298 #else 3299 int negative = 0; 3300 png_uint_32 A, T, D; 3301 png_uint_32 s16, s32, s00; 3302 3303 if (a < 0) 3304 negative = 1, A = -a; 3305 else 3306 A = a; 3307 3308 if (times < 0) 3309 negative = !negative, T = -times; 3310 else 3311 T = times; 3312 3313 if (divisor < 0) 3314 negative = !negative, D = -divisor; 3315 else 3316 D = divisor; 3317 3318 /* Following can't overflow because the arguments only 3319 * have 31 bits each, however the result may be 32 bits. 3320 */ 3321 s16 = (A >> 16) * (T & 0xffff) + 3322 (A & 0xffff) * (T >> 16); 3323 /* Can't overflow because the a*times bit is only 30 3324 * bits at most. 3325 */ 3326 s32 = (A >> 16) * (T >> 16) + (s16 >> 16); 3327 s00 = (A & 0xffff) * (T & 0xffff); 3328 3329 s16 = (s16 & 0xffff) << 16; 3330 s00 += s16; 3331 3332 if (s00 < s16) 3333 ++s32; /* carry */ 3334 3335 if (s32 < D) /* else overflow */ 3336 { 3337 /* s32.s00 is now the 64-bit product, do a standard 3338 * division, we know that s32 < D, so the maximum 3339 * required shift is 31. 3340 */ 3341 int bitshift = 32; 3342 png_fixed_point result = 0; /* NOTE: signed */ 3343 3344 while (--bitshift >= 0) 3345 { 3346 png_uint_32 d32, d00; 3347 3348 if (bitshift > 0) 3349 d32 = D >> (32-bitshift), d00 = D << bitshift; 3350 3351 else 3352 d32 = 0, d00 = D; 3353 3354 if (s32 > d32) 3355 { 3356 if (s00 < d00) --s32; /* carry */ 3357 s32 -= d32, s00 -= d00, result += 1<<bitshift; 3358 } 3359 3360 else 3361 if (s32 == d32 && s00 >= d00) 3362 s32 = 0, s00 -= d00, result += 1<<bitshift; 3363 } 3364 3365 /* Handle the rounding. */ 3366 if (s00 >= (D >> 1)) 3367 ++result; 3368 3369 if (negative != 0) 3370 result = -result; 3371 3372 /* Check for overflow. */ 3373 if ((negative != 0 && result <= 0) || 3374 (negative == 0 && result >= 0)) 3375 { 3376 *res = result; 3377 return 1; 3378 } 3379 } 3380 #endif 3381 } 3382 } 3383 3384 return 0; 3385 } 3386 #endif /* READ_GAMMA || INCH_CONVERSIONS */ 3387 3388 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED) 3389 /* The following is for when the caller doesn't much care about the 3390 * result. 3391 */ 3392 png_fixed_point 3393 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times, 3394 png_int_32 divisor) 3395 { 3396 png_fixed_point result; 3397 3398 if (png_muldiv(&result, a, times, divisor) != 0) 3399 return result; 3400 3401 png_warning(png_ptr, "fixed point overflow ignored"); 3402 return 0; 3403 } 3404 #endif 3405 3406 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */ 3407 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */ 3408 png_fixed_point 3409 png_reciprocal(png_fixed_point a) 3410 { 3411 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3412 double r = floor(1E10/a+.5); 3413 3414 if (r <= 2147483647. && r >= -2147483648.) 3415 return (png_fixed_point)r; 3416 #else 3417 png_fixed_point res; 3418 3419 if (png_muldiv(&res, 100000, 100000, a) != 0) 3420 return res; 3421 #endif 3422 3423 return 0; /* error/overflow */ 3424 } 3425 3426 /* This is the shared test on whether a gamma value is 'significant' - whether 3427 * it is worth doing gamma correction. 3428 */ 3429 int /* PRIVATE */ 3430 png_gamma_significant(png_fixed_point gamma_val) 3431 { 3432 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED || 3433 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED; 3434 } 3435 #endif 3436 3437 #ifdef PNG_READ_GAMMA_SUPPORTED 3438 #ifdef PNG_16BIT_SUPPORTED 3439 /* A local convenience routine. */ 3440 static png_fixed_point 3441 png_product2(png_fixed_point a, png_fixed_point b) 3442 { 3443 /* The required result is 1/a * 1/b; the following preserves accuracy. */ 3444 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3445 double r = a * 1E-5; 3446 r *= b; 3447 r = floor(r+.5); 3448 3449 if (r <= 2147483647. && r >= -2147483648.) 3450 return (png_fixed_point)r; 3451 #else 3452 png_fixed_point res; 3453 3454 if (png_muldiv(&res, a, b, 100000) != 0) 3455 return res; 3456 #endif 3457 3458 return 0; /* overflow */ 3459 } 3460 #endif /* 16BIT */ 3461 3462 /* The inverse of the above. */ 3463 png_fixed_point 3464 png_reciprocal2(png_fixed_point a, png_fixed_point b) 3465 { 3466 /* The required result is 1/a * 1/b; the following preserves accuracy. */ 3467 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3468 if (a != 0 && b != 0) 3469 { 3470 double r = 1E15/a; 3471 r /= b; 3472 r = floor(r+.5); 3473 3474 if (r <= 2147483647. && r >= -2147483648.) 3475 return (png_fixed_point)r; 3476 } 3477 #else 3478 /* This may overflow because the range of png_fixed_point isn't symmetric, 3479 * but this API is only used for the product of file and screen gamma so it 3480 * doesn't matter that the smallest number it can produce is 1/21474, not 3481 * 1/100000 3482 */ 3483 png_fixed_point res = png_product2(a, b); 3484 3485 if (res != 0) 3486 return png_reciprocal(res); 3487 #endif 3488 3489 return 0; /* overflow */ 3490 } 3491 #endif /* READ_GAMMA */ 3492 3493 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */ 3494 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED 3495 /* Fixed point gamma. 3496 * 3497 * The code to calculate the tables used below can be found in the shell script 3498 * contrib/tools/intgamma.sh 3499 * 3500 * To calculate gamma this code implements fast log() and exp() calls using only 3501 * fixed point arithmetic. This code has sufficient precision for either 8-bit 3502 * or 16-bit sample values. 3503 * 3504 * The tables used here were calculated using simple 'bc' programs, but C double 3505 * precision floating point arithmetic would work fine. 3506 * 3507 * 8-bit log table 3508 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to 3509 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point 3510 * mantissa. The numbers are 32-bit fractions. 3511 */ 3512 static const png_uint_32 3513 png_8bit_l2[128] = 3514 { 3515 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U, 3516 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U, 3517 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U, 3518 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U, 3519 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U, 3520 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U, 3521 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U, 3522 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U, 3523 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U, 3524 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U, 3525 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U, 3526 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U, 3527 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U, 3528 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U, 3529 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U, 3530 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U, 3531 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U, 3532 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U, 3533 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U, 3534 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U, 3535 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U, 3536 24347096U, 0U 3537 3538 #if 0 3539 /* The following are the values for 16-bit tables - these work fine for the 3540 * 8-bit conversions but produce very slightly larger errors in the 16-bit 3541 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To 3542 * use these all the shifts below must be adjusted appropriately. 3543 */ 3544 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054, 3545 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803, 3546 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068, 3547 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782, 3548 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887, 3549 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339, 3550 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098, 3551 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132, 3552 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415, 3553 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523, 3554 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495, 3555 1119, 744, 372 3556 #endif 3557 }; 3558 3559 static png_int_32 3560 png_log8bit(unsigned int x) 3561 { 3562 unsigned int lg2 = 0; 3563 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log, 3564 * because the log is actually negate that means adding 1. The final 3565 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1 3566 * input), return -1 for the overflow (log 0) case, - so the result is 3567 * always at most 19 bits. 3568 */ 3569 if ((x &= 0xff) == 0) 3570 return -1; 3571 3572 if ((x & 0xf0) == 0) 3573 lg2 = 4, x <<= 4; 3574 3575 if ((x & 0xc0) == 0) 3576 lg2 += 2, x <<= 2; 3577 3578 if ((x & 0x80) == 0) 3579 lg2 += 1, x <<= 1; 3580 3581 /* result is at most 19 bits, so this cast is safe: */ 3582 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16)); 3583 } 3584 3585 /* The above gives exact (to 16 binary places) log2 values for 8-bit images, 3586 * for 16-bit images we use the most significant 8 bits of the 16-bit value to 3587 * get an approximation then multiply the approximation by a correction factor 3588 * determined by the remaining up to 8 bits. This requires an additional step 3589 * in the 16-bit case. 3590 * 3591 * We want log2(value/65535), we have log2(v'/255), where: 3592 * 3593 * value = v' * 256 + v'' 3594 * = v' * f 3595 * 3596 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128 3597 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less 3598 * than 258. The final factor also needs to correct for the fact that our 8-bit 3599 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535. 3600 * 3601 * This gives a final formula using a calculated value 'x' which is value/v' and 3602 * scaling by 65536 to match the above table: 3603 * 3604 * log2(x/257) * 65536 3605 * 3606 * Since these numbers are so close to '1' we can use simple linear 3607 * interpolation between the two end values 256/257 (result -368.61) and 258/257 3608 * (result 367.179). The values used below are scaled by a further 64 to give 3609 * 16-bit precision in the interpolation: 3610 * 3611 * Start (256): -23591 3612 * Zero (257): 0 3613 * End (258): 23499 3614 */ 3615 #ifdef PNG_16BIT_SUPPORTED 3616 static png_int_32 3617 png_log16bit(png_uint_32 x) 3618 { 3619 unsigned int lg2 = 0; 3620 3621 /* As above, but now the input has 16 bits. */ 3622 if ((x &= 0xffff) == 0) 3623 return -1; 3624 3625 if ((x & 0xff00) == 0) 3626 lg2 = 8, x <<= 8; 3627 3628 if ((x & 0xf000) == 0) 3629 lg2 += 4, x <<= 4; 3630 3631 if ((x & 0xc000) == 0) 3632 lg2 += 2, x <<= 2; 3633 3634 if ((x & 0x8000) == 0) 3635 lg2 += 1, x <<= 1; 3636 3637 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional 3638 * value. 3639 */ 3640 lg2 <<= 28; 3641 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4; 3642 3643 /* Now we need to interpolate the factor, this requires a division by the top 3644 * 8 bits. Do this with maximum precision. 3645 */ 3646 x = ((x << 16) + (x >> 9)) / (x >> 8); 3647 3648 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24, 3649 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly 3650 * 16 bits to interpolate to get the low bits of the result. Round the 3651 * answer. Note that the end point values are scaled by 64 to retain overall 3652 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust 3653 * the overall scaling by 6-12. Round at every step. 3654 */ 3655 x -= 1U << 24; 3656 3657 if (x <= 65536U) /* <= '257' */ 3658 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12); 3659 3660 else 3661 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12); 3662 3663 /* Safe, because the result can't have more than 20 bits: */ 3664 return (png_int_32)((lg2 + 2048) >> 12); 3665 } 3666 #endif /* 16BIT */ 3667 3668 /* The 'exp()' case must invert the above, taking a 20-bit fixed point 3669 * logarithmic value and returning a 16 or 8-bit number as appropriate. In 3670 * each case only the low 16 bits are relevant - the fraction - since the 3671 * integer bits (the top 4) simply determine a shift. 3672 * 3673 * The worst case is the 16-bit distinction between 65535 and 65534. This 3674 * requires perhaps spurious accuracy in the decoding of the logarithm to 3675 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance 3676 * of getting this accuracy in practice. 3677 * 3678 * To deal with this the following exp() function works out the exponent of the 3679 * frational part of the logarithm by using an accurate 32-bit value from the 3680 * top four fractional bits then multiplying in the remaining bits. 3681 */ 3682 static const png_uint_32 3683 png_32bit_exp[16] = 3684 { 3685 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */ 3686 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U, 3687 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U, 3688 2553802834U, 2445529972U, 2341847524U, 2242560872U 3689 }; 3690 3691 /* Adjustment table; provided to explain the numbers in the code below. */ 3692 #if 0 3693 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"} 3694 11 44937.64284865548751208448 3695 10 45180.98734845585101160448 3696 9 45303.31936980687359311872 3697 8 45364.65110595323018870784 3698 7 45395.35850361789624614912 3699 6 45410.72259715102037508096 3700 5 45418.40724413220722311168 3701 4 45422.25021786898173001728 3702 3 45424.17186732298419044352 3703 2 45425.13273269940811464704 3704 1 45425.61317555035558641664 3705 0 45425.85339951654943850496 3706 #endif 3707 3708 static png_uint_32 3709 png_exp(png_fixed_point x) 3710 { 3711 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */ 3712 { 3713 /* Obtain a 4-bit approximation */ 3714 png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f]; 3715 3716 /* Incorporate the low 12 bits - these decrease the returned value by 3717 * multiplying by a number less than 1 if the bit is set. The multiplier 3718 * is determined by the above table and the shift. Notice that the values 3719 * converge on 45426 and this is used to allow linear interpolation of the 3720 * low bits. 3721 */ 3722 if (x & 0x800) 3723 e -= (((e >> 16) * 44938U) + 16U) >> 5; 3724 3725 if (x & 0x400) 3726 e -= (((e >> 16) * 45181U) + 32U) >> 6; 3727 3728 if (x & 0x200) 3729 e -= (((e >> 16) * 45303U) + 64U) >> 7; 3730 3731 if (x & 0x100) 3732 e -= (((e >> 16) * 45365U) + 128U) >> 8; 3733 3734 if (x & 0x080) 3735 e -= (((e >> 16) * 45395U) + 256U) >> 9; 3736 3737 if (x & 0x040) 3738 e -= (((e >> 16) * 45410U) + 512U) >> 10; 3739 3740 /* And handle the low 6 bits in a single block. */ 3741 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9; 3742 3743 /* Handle the upper bits of x. */ 3744 e >>= x >> 16; 3745 return e; 3746 } 3747 3748 /* Check for overflow */ 3749 if (x <= 0) 3750 return png_32bit_exp[0]; 3751 3752 /* Else underflow */ 3753 return 0; 3754 } 3755 3756 static png_byte 3757 png_exp8bit(png_fixed_point lg2) 3758 { 3759 /* Get a 32-bit value: */ 3760 png_uint_32 x = png_exp(lg2); 3761 3762 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the 3763 * second, rounding, step can't overflow because of the first, subtraction, 3764 * step. 3765 */ 3766 x -= x >> 8; 3767 return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff); 3768 } 3769 3770 #ifdef PNG_16BIT_SUPPORTED 3771 static png_uint_16 3772 png_exp16bit(png_fixed_point lg2) 3773 { 3774 /* Get a 32-bit value: */ 3775 png_uint_32 x = png_exp(lg2); 3776 3777 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */ 3778 x -= x >> 16; 3779 return (png_uint_16)((x + 32767U) >> 16); 3780 } 3781 #endif /* 16BIT */ 3782 #endif /* FLOATING_ARITHMETIC */ 3783 3784 png_byte 3785 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val) 3786 { 3787 if (value > 0 && value < 255) 3788 { 3789 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3790 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly 3791 * convert this to a floating point value. This includes values that 3792 * would overflow if 'value' were to be converted to 'int'. 3793 * 3794 * Apparently GCC, however, does an intermediate conversion to (int) 3795 * on some (ARM) but not all (x86) platforms, possibly because of 3796 * hardware FP limitations. (E.g. if the hardware conversion always 3797 * assumes the integer register contains a signed value.) This results 3798 * in ANSI-C undefined behavior for large values. 3799 * 3800 * Other implementations on the same machine might actually be ANSI-C90 3801 * conformant and therefore compile spurious extra code for the large 3802 * values. 3803 * 3804 * We can be reasonably sure that an unsigned to float conversion 3805 * won't be faster than an int to float one. Therefore this code 3806 * assumes responsibility for the undefined behavior, which it knows 3807 * can't happen because of the check above. 3808 * 3809 * Note the argument to this routine is an (unsigned int) because, on 3810 * 16-bit platforms, it is assigned a value which might be out of 3811 * range for an (int); that would result in undefined behavior in the 3812 * caller if the *argument* ('value') were to be declared (int). 3813 */ 3814 double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5); 3815 return (png_byte)r; 3816 # else 3817 png_int_32 lg2 = png_log8bit(value); 3818 png_fixed_point res; 3819 3820 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0) 3821 return png_exp8bit(res); 3822 3823 /* Overflow. */ 3824 value = 0; 3825 # endif 3826 } 3827 3828 return (png_byte)(value & 0xff); 3829 } 3830 3831 #ifdef PNG_16BIT_SUPPORTED 3832 png_uint_16 3833 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val) 3834 { 3835 if (value > 0 && value < 65535) 3836 { 3837 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3838 /* The same (unsigned int)->(double) constraints apply here as above, 3839 * however in this case the (unsigned int) to (int) conversion can 3840 * overflow on an ANSI-C90 compliant system so the cast needs to ensure 3841 * that this is not possible. 3842 */ 3843 double r = floor(65535*pow((png_int_32)value/65535., 3844 gamma_val*.00001)+.5); 3845 return (png_uint_16)r; 3846 # else 3847 png_int_32 lg2 = png_log16bit(value); 3848 png_fixed_point res; 3849 3850 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0) 3851 return png_exp16bit(res); 3852 3853 /* Overflow. */ 3854 value = 0; 3855 # endif 3856 } 3857 3858 return (png_uint_16)value; 3859 } 3860 #endif /* 16BIT */ 3861 3862 /* This does the right thing based on the bit_depth field of the 3863 * png_struct, interpreting values as 8-bit or 16-bit. While the result 3864 * is nominally a 16-bit value if bit depth is 8 then the result is 3865 * 8-bit (as are the arguments.) 3866 */ 3867 png_uint_16 /* PRIVATE */ 3868 png_gamma_correct(png_structrp png_ptr, unsigned int value, 3869 png_fixed_point gamma_val) 3870 { 3871 if (png_ptr->bit_depth == 8) 3872 return png_gamma_8bit_correct(value, gamma_val); 3873 3874 #ifdef PNG_16BIT_SUPPORTED 3875 else 3876 return png_gamma_16bit_correct(value, gamma_val); 3877 #else 3878 /* should not reach this */ 3879 return 0; 3880 #endif /* 16BIT */ 3881 } 3882 3883 #ifdef PNG_16BIT_SUPPORTED 3884 /* Internal function to build a single 16-bit table - the table consists of 3885 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount 3886 * to shift the input values right (or 16-number_of_signifiant_bits). 3887 * 3888 * The caller is responsible for ensuring that the table gets cleaned up on 3889 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument 3890 * should be somewhere that will be cleaned. 3891 */ 3892 static void 3893 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable, 3894 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val) 3895 { 3896 /* Various values derived from 'shift': */ 3897 PNG_CONST unsigned int num = 1U << (8U - shift); 3898 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3899 /* CSE the division and work round wacky GCC warnings (see the comments 3900 * in png_gamma_8bit_correct for where these come from.) 3901 */ 3902 PNG_CONST double fmax = 1./(((png_int_32)1 << (16U - shift))-1); 3903 #endif 3904 PNG_CONST unsigned int max = (1U << (16U - shift))-1U; 3905 PNG_CONST unsigned int max_by_2 = 1U << (15U-shift); 3906 unsigned int i; 3907 3908 png_uint_16pp table = *ptable = 3909 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p))); 3910 3911 for (i = 0; i < num; i++) 3912 { 3913 png_uint_16p sub_table = table[i] = 3914 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16))); 3915 3916 /* The 'threshold' test is repeated here because it can arise for one of 3917 * the 16-bit tables even if the others don't hit it. 3918 */ 3919 if (png_gamma_significant(gamma_val) != 0) 3920 { 3921 /* The old code would overflow at the end and this would cause the 3922 * 'pow' function to return a result >1, resulting in an 3923 * arithmetic error. This code follows the spec exactly; ig is 3924 * the recovered input sample, it always has 8-16 bits. 3925 * 3926 * We want input * 65535/max, rounded, the arithmetic fits in 32 3927 * bits (unsigned) so long as max <= 32767. 3928 */ 3929 unsigned int j; 3930 for (j = 0; j < 256; j++) 3931 { 3932 png_uint_32 ig = (j << (8-shift)) + i; 3933 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3934 /* Inline the 'max' scaling operation: */ 3935 /* See png_gamma_8bit_correct for why the cast to (int) is 3936 * required here. 3937 */ 3938 double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5); 3939 sub_table[j] = (png_uint_16)d; 3940 # else 3941 if (shift != 0) 3942 ig = (ig * 65535U + max_by_2)/max; 3943 3944 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val); 3945 # endif 3946 } 3947 } 3948 else 3949 { 3950 /* We must still build a table, but do it the fast way. */ 3951 unsigned int j; 3952 3953 for (j = 0; j < 256; j++) 3954 { 3955 png_uint_32 ig = (j << (8-shift)) + i; 3956 3957 if (shift != 0) 3958 ig = (ig * 65535U + max_by_2)/max; 3959 3960 sub_table[j] = (png_uint_16)ig; 3961 } 3962 } 3963 } 3964 } 3965 3966 /* NOTE: this function expects the *inverse* of the overall gamma transformation 3967 * required. 3968 */ 3969 static void 3970 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable, 3971 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val) 3972 { 3973 PNG_CONST unsigned int num = 1U << (8U - shift); 3974 PNG_CONST unsigned int max = (1U << (16U - shift))-1U; 3975 unsigned int i; 3976 png_uint_32 last; 3977 3978 png_uint_16pp table = *ptable = 3979 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p))); 3980 3981 /* 'num' is the number of tables and also the number of low bits of low 3982 * bits of the input 16-bit value used to select a table. Each table is 3983 * itself indexed by the high 8 bits of the value. 3984 */ 3985 for (i = 0; i < num; i++) 3986 table[i] = (png_uint_16p)png_malloc(png_ptr, 3987 256 * (sizeof (png_uint_16))); 3988 3989 /* 'gamma_val' is set to the reciprocal of the value calculated above, so 3990 * pow(out,g) is an *input* value. 'last' is the last input value set. 3991 * 3992 * In the loop 'i' is used to find output values. Since the output is 3993 * 8-bit there are only 256 possible values. The tables are set up to 3994 * select the closest possible output value for each input by finding 3995 * the input value at the boundary between each pair of output values 3996 * and filling the table up to that boundary with the lower output 3997 * value. 3998 * 3999 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit 4000 * values the code below uses a 16-bit value in i; the values start at 4001 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last 4002 * entries are filled with 255). Start i at 128 and fill all 'last' 4003 * table entries <= 'max' 4004 */ 4005 last = 0; 4006 for (i = 0; i < 255; ++i) /* 8-bit output value */ 4007 { 4008 /* Find the corresponding maximum input value */ 4009 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */ 4010 4011 /* Find the boundary value in 16 bits: */ 4012 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val); 4013 4014 /* Adjust (round) to (16-shift) bits: */ 4015 bound = (bound * max + 32768U)/65535U + 1U; 4016 4017 while (last < bound) 4018 { 4019 table[last & (0xffU >> shift)][last >> (8U - shift)] = out; 4020 last++; 4021 } 4022 } 4023 4024 /* And fill in the final entries. */ 4025 while (last < (num << 8)) 4026 { 4027 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U; 4028 last++; 4029 } 4030 } 4031 #endif /* 16BIT */ 4032 4033 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and 4034 * typically much faster). Note that libpng currently does no sBIT processing 4035 * (apparently contrary to the spec) so a 256-entry table is always generated. 4036 */ 4037 static void 4038 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable, 4039 PNG_CONST png_fixed_point gamma_val) 4040 { 4041 unsigned int i; 4042 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256); 4043 4044 if (png_gamma_significant(gamma_val) != 0) 4045 for (i=0; i<256; i++) 4046 table[i] = png_gamma_8bit_correct(i, gamma_val); 4047 4048 else 4049 for (i=0; i<256; ++i) 4050 table[i] = (png_byte)(i & 0xff); 4051 } 4052 4053 /* Used from png_read_destroy and below to release the memory used by the gamma 4054 * tables. 4055 */ 4056 void /* PRIVATE */ 4057 png_destroy_gamma_table(png_structrp png_ptr) 4058 { 4059 png_free(png_ptr, png_ptr->gamma_table); 4060 png_ptr->gamma_table = NULL; 4061 4062 #ifdef PNG_16BIT_SUPPORTED 4063 if (png_ptr->gamma_16_table != NULL) 4064 { 4065 int i; 4066 int istop = (1 << (8 - png_ptr->gamma_shift)); 4067 for (i = 0; i < istop; i++) 4068 { 4069 png_free(png_ptr, png_ptr->gamma_16_table[i]); 4070 } 4071 png_free(png_ptr, png_ptr->gamma_16_table); 4072 png_ptr->gamma_16_table = NULL; 4073 } 4074 #endif /* 16BIT */ 4075 4076 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4077 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4078 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4079 png_free(png_ptr, png_ptr->gamma_from_1); 4080 png_ptr->gamma_from_1 = NULL; 4081 png_free(png_ptr, png_ptr->gamma_to_1); 4082 png_ptr->gamma_to_1 = NULL; 4083 4084 #ifdef PNG_16BIT_SUPPORTED 4085 if (png_ptr->gamma_16_from_1 != NULL) 4086 { 4087 int i; 4088 int istop = (1 << (8 - png_ptr->gamma_shift)); 4089 for (i = 0; i < istop; i++) 4090 { 4091 png_free(png_ptr, png_ptr->gamma_16_from_1[i]); 4092 } 4093 png_free(png_ptr, png_ptr->gamma_16_from_1); 4094 png_ptr->gamma_16_from_1 = NULL; 4095 } 4096 if (png_ptr->gamma_16_to_1 != NULL) 4097 { 4098 int i; 4099 int istop = (1 << (8 - png_ptr->gamma_shift)); 4100 for (i = 0; i < istop; i++) 4101 { 4102 png_free(png_ptr, png_ptr->gamma_16_to_1[i]); 4103 } 4104 png_free(png_ptr, png_ptr->gamma_16_to_1); 4105 png_ptr->gamma_16_to_1 = NULL; 4106 } 4107 #endif /* 16BIT */ 4108 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4109 } 4110 4111 /* We build the 8- or 16-bit gamma tables here. Note that for 16-bit 4112 * tables, we don't make a full table if we are reducing to 8-bit in 4113 * the future. Note also how the gamma_16 tables are segmented so that 4114 * we don't need to allocate > 64K chunks for a full 16-bit table. 4115 */ 4116 void /* PRIVATE */ 4117 png_build_gamma_table(png_structrp png_ptr, int bit_depth) 4118 { 4119 png_debug(1, "in png_build_gamma_table"); 4120 4121 /* Remove any existing table; this copes with multiple calls to 4122 * png_read_update_info. The warning is because building the gamma tables 4123 * multiple times is a performance hit - it's harmless but the ability to call 4124 * png_read_update_info() multiple times is new in 1.5.6 so it seems sensible 4125 * to warn if the app introduces such a hit. 4126 */ 4127 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL) 4128 { 4129 png_warning(png_ptr, "gamma table being rebuilt"); 4130 png_destroy_gamma_table(png_ptr); 4131 } 4132 4133 if (bit_depth <= 8) 4134 { 4135 png_build_8bit_table(png_ptr, &png_ptr->gamma_table, 4136 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma, 4137 png_ptr->screen_gamma) : PNG_FP_1); 4138 4139 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4140 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4141 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4142 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0) 4143 { 4144 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1, 4145 png_reciprocal(png_ptr->colorspace.gamma)); 4146 4147 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1, 4148 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) : 4149 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */); 4150 } 4151 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4152 } 4153 #ifdef PNG_16BIT_SUPPORTED 4154 else 4155 { 4156 png_byte shift, sig_bit; 4157 4158 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0) 4159 { 4160 sig_bit = png_ptr->sig_bit.red; 4161 4162 if (png_ptr->sig_bit.green > sig_bit) 4163 sig_bit = png_ptr->sig_bit.green; 4164 4165 if (png_ptr->sig_bit.blue > sig_bit) 4166 sig_bit = png_ptr->sig_bit.blue; 4167 } 4168 else 4169 sig_bit = png_ptr->sig_bit.gray; 4170 4171 /* 16-bit gamma code uses this equation: 4172 * 4173 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8] 4174 * 4175 * Where 'iv' is the input color value and 'ov' is the output value - 4176 * pow(iv, gamma). 4177 * 4178 * Thus the gamma table consists of up to 256 256-entry tables. The table 4179 * is selected by the (8-gamma_shift) most significant of the low 8 bits of 4180 * the color value then indexed by the upper 8 bits: 4181 * 4182 * table[low bits][high 8 bits] 4183 * 4184 * So the table 'n' corresponds to all those 'iv' of: 4185 * 4186 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1> 4187 * 4188 */ 4189 if (sig_bit > 0 && sig_bit < 16U) 4190 /* shift == insignificant bits */ 4191 shift = (png_byte)((16U - sig_bit) & 0xff); 4192 4193 else 4194 shift = 0; /* keep all 16 bits */ 4195 4196 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0) 4197 { 4198 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively 4199 * the significant bits in the *input* when the output will 4200 * eventually be 8 bits. By default it is 11. 4201 */ 4202 if (shift < (16U - PNG_MAX_GAMMA_8)) 4203 shift = (16U - PNG_MAX_GAMMA_8); 4204 } 4205 4206 if (shift > 8U) 4207 shift = 8U; /* Guarantees at least one table! */ 4208 4209 png_ptr->gamma_shift = shift; 4210 4211 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now 4212 * PNG_COMPOSE). This effectively smashed the background calculation for 4213 * 16-bit output because the 8-bit table assumes the result will be reduced 4214 * to 8 bits. 4215 */ 4216 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0) 4217 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift, 4218 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma, 4219 png_ptr->screen_gamma) : PNG_FP_1); 4220 4221 else 4222 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift, 4223 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma, 4224 png_ptr->screen_gamma) : PNG_FP_1); 4225 4226 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4227 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4228 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4229 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0) 4230 { 4231 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift, 4232 png_reciprocal(png_ptr->colorspace.gamma)); 4233 4234 /* Notice that the '16 from 1' table should be full precision, however 4235 * the lookup on this table still uses gamma_shift, so it can't be. 4236 * TODO: fix this. 4237 */ 4238 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift, 4239 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) : 4240 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */); 4241 } 4242 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4243 } 4244 #endif /* 16BIT */ 4245 } 4246 #endif /* READ_GAMMA */ 4247 4248 /* HARDWARE OR SOFTWARE OPTION SUPPORT */ 4249 #ifdef PNG_SET_OPTION_SUPPORTED 4250 int PNGAPI 4251 png_set_option(png_structrp png_ptr, int option, int onoff) 4252 { 4253 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT && 4254 (option & 1) == 0) 4255 { 4256 int mask = 3 << option; 4257 int setting = (2 + (onoff != 0)) << option; 4258 int current = png_ptr->options; 4259 4260 png_ptr->options = (png_byte)(((current & ~mask) | setting) & 0xff); 4261 4262 return (current & mask) >> option; 4263 } 4264 4265 return PNG_OPTION_INVALID; 4266 } 4267 #endif 4268 4269 /* sRGB support */ 4270 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\ 4271 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED) 4272 /* sRGB conversion tables; these are machine generated with the code in 4273 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the 4274 * specification (see the article at http://en.wikipedia.org/wiki/SRGB) 4275 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng. 4276 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction). 4277 * The inverse (linear to sRGB) table has accuracies as follows: 4278 * 4279 * For all possible (255*65535+1) input values: 4280 * 4281 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact 4282 * 4283 * For the input values corresponding to the 65536 16-bit values: 4284 * 4285 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact 4286 * 4287 * In all cases the inexact readings are only off by one. 4288 */ 4289 4290 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED 4291 /* The convert-to-sRGB table is only currently required for read. */ 4292 const png_uint_16 png_sRGB_table[256] = 4293 { 4294 0,20,40,60,80,99,119,139, 4295 159,179,199,219,241,264,288,313, 4296 340,367,396,427,458,491,526,562, 4297 599,637,677,718,761,805,851,898, 4298 947,997,1048,1101,1156,1212,1270,1330, 4299 1391,1453,1517,1583,1651,1720,1790,1863, 4300 1937,2013,2090,2170,2250,2333,2418,2504, 4301 2592,2681,2773,2866,2961,3058,3157,3258, 4302 3360,3464,3570,3678,3788,3900,4014,4129, 4303 4247,4366,4488,4611,4736,4864,4993,5124, 4304 5257,5392,5530,5669,5810,5953,6099,6246, 4305 6395,6547,6700,6856,7014,7174,7335,7500, 4306 7666,7834,8004,8177,8352,8528,8708,8889, 4307 9072,9258,9445,9635,9828,10022,10219,10417, 4308 10619,10822,11028,11235,11446,11658,11873,12090, 4309 12309,12530,12754,12980,13209,13440,13673,13909, 4310 14146,14387,14629,14874,15122,15371,15623,15878, 4311 16135,16394,16656,16920,17187,17456,17727,18001, 4312 18277,18556,18837,19121,19407,19696,19987,20281, 4313 20577,20876,21177,21481,21787,22096,22407,22721, 4314 23038,23357,23678,24002,24329,24658,24990,25325, 4315 25662,26001,26344,26688,27036,27386,27739,28094, 4316 28452,28813,29176,29542,29911,30282,30656,31033, 4317 31412,31794,32179,32567,32957,33350,33745,34143, 4318 34544,34948,35355,35764,36176,36591,37008,37429, 4319 37852,38278,38706,39138,39572,40009,40449,40891, 4320 41337,41785,42236,42690,43147,43606,44069,44534, 4321 45002,45473,45947,46423,46903,47385,47871,48359, 4322 48850,49344,49841,50341,50844,51349,51858,52369, 4323 52884,53401,53921,54445,54971,55500,56032,56567, 4324 57105,57646,58190,58737,59287,59840,60396,60955, 4325 61517,62082,62650,63221,63795,64372,64952,65535 4326 }; 4327 #endif /* SIMPLIFIED_READ */ 4328 4329 /* The base/delta tables are required for both read and write (but currently 4330 * only the simplified versions.) 4331 */ 4332 const png_uint_16 png_sRGB_base[512] = 4333 { 4334 128,1782,3383,4644,5675,6564,7357,8074, 4335 8732,9346,9921,10463,10977,11466,11935,12384, 4336 12816,13233,13634,14024,14402,14769,15125,15473, 4337 15812,16142,16466,16781,17090,17393,17690,17981, 4338 18266,18546,18822,19093,19359,19621,19879,20133, 4339 20383,20630,20873,21113,21349,21583,21813,22041, 4340 22265,22487,22707,22923,23138,23350,23559,23767, 4341 23972,24175,24376,24575,24772,24967,25160,25352, 4342 25542,25730,25916,26101,26284,26465,26645,26823, 4343 27000,27176,27350,27523,27695,27865,28034,28201, 4344 28368,28533,28697,28860,29021,29182,29341,29500, 4345 29657,29813,29969,30123,30276,30429,30580,30730, 4346 30880,31028,31176,31323,31469,31614,31758,31902, 4347 32045,32186,32327,32468,32607,32746,32884,33021, 4348 33158,33294,33429,33564,33697,33831,33963,34095, 4349 34226,34357,34486,34616,34744,34873,35000,35127, 4350 35253,35379,35504,35629,35753,35876,35999,36122, 4351 36244,36365,36486,36606,36726,36845,36964,37083, 4352 37201,37318,37435,37551,37668,37783,37898,38013, 4353 38127,38241,38354,38467,38580,38692,38803,38915, 4354 39026,39136,39246,39356,39465,39574,39682,39790, 4355 39898,40005,40112,40219,40325,40431,40537,40642, 4356 40747,40851,40955,41059,41163,41266,41369,41471, 4357 41573,41675,41777,41878,41979,42079,42179,42279, 4358 42379,42478,42577,42676,42775,42873,42971,43068, 4359 43165,43262,43359,43456,43552,43648,43743,43839, 4360 43934,44028,44123,44217,44311,44405,44499,44592, 4361 44685,44778,44870,44962,45054,45146,45238,45329, 4362 45420,45511,45601,45692,45782,45872,45961,46051, 4363 46140,46229,46318,46406,46494,46583,46670,46758, 4364 46846,46933,47020,47107,47193,47280,47366,47452, 4365 47538,47623,47709,47794,47879,47964,48048,48133, 4366 48217,48301,48385,48468,48552,48635,48718,48801, 4367 48884,48966,49048,49131,49213,49294,49376,49458, 4368 49539,49620,49701,49782,49862,49943,50023,50103, 4369 50183,50263,50342,50422,50501,50580,50659,50738, 4370 50816,50895,50973,51051,51129,51207,51285,51362, 4371 51439,51517,51594,51671,51747,51824,51900,51977, 4372 52053,52129,52205,52280,52356,52432,52507,52582, 4373 52657,52732,52807,52881,52956,53030,53104,53178, 4374 53252,53326,53400,53473,53546,53620,53693,53766, 4375 53839,53911,53984,54056,54129,54201,54273,54345, 4376 54417,54489,54560,54632,54703,54774,54845,54916, 4377 54987,55058,55129,55199,55269,55340,55410,55480, 4378 55550,55620,55689,55759,55828,55898,55967,56036, 4379 56105,56174,56243,56311,56380,56448,56517,56585, 4380 56653,56721,56789,56857,56924,56992,57059,57127, 4381 57194,57261,57328,57395,57462,57529,57595,57662, 4382 57728,57795,57861,57927,57993,58059,58125,58191, 4383 58256,58322,58387,58453,58518,58583,58648,58713, 4384 58778,58843,58908,58972,59037,59101,59165,59230, 4385 59294,59358,59422,59486,59549,59613,59677,59740, 4386 59804,59867,59930,59993,60056,60119,60182,60245, 4387 60308,60370,60433,60495,60558,60620,60682,60744, 4388 60806,60868,60930,60992,61054,61115,61177,61238, 4389 61300,61361,61422,61483,61544,61605,61666,61727, 4390 61788,61848,61909,61969,62030,62090,62150,62211, 4391 62271,62331,62391,62450,62510,62570,62630,62689, 4392 62749,62808,62867,62927,62986,63045,63104,63163, 4393 63222,63281,63340,63398,63457,63515,63574,63632, 4394 63691,63749,63807,63865,63923,63981,64039,64097, 4395 64155,64212,64270,64328,64385,64443,64500,64557, 4396 64614,64672,64729,64786,64843,64900,64956,65013, 4397 65070,65126,65183,65239,65296,65352,65409,65465 4398 }; 4399 4400 const png_byte png_sRGB_delta[512] = 4401 { 4402 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54, 4403 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36, 4404 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28, 4405 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24, 4406 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21, 4407 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19, 4408 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17, 4409 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16, 4410 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15, 4411 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14, 4412 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13, 4413 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12, 4414 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12, 4415 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11, 4416 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11, 4417 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11, 4418 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4419 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4420 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4421 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4422 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4423 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4424 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4425 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4426 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4427 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4428 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4429 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4430 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7, 4431 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 4432 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 4433 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7 4434 }; 4435 #endif /* SIMPLIFIED READ/WRITE sRGB support */ 4436 4437 /* SIMPLIFIED READ/WRITE SUPPORT */ 4438 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\ 4439 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED) 4440 static int 4441 png_image_free_function(png_voidp argument) 4442 { 4443 png_imagep image = png_voidcast(png_imagep, argument); 4444 png_controlp cp = image->opaque; 4445 png_control c; 4446 4447 /* Double check that we have a png_ptr - it should be impossible to get here 4448 * without one. 4449 */ 4450 if (cp->png_ptr == NULL) 4451 return 0; 4452 4453 /* First free any data held in the control structure. */ 4454 # ifdef PNG_STDIO_SUPPORTED 4455 if (cp->owned_file != 0) 4456 { 4457 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr); 4458 cp->owned_file = 0; 4459 4460 /* Ignore errors here. */ 4461 if (fp != NULL) 4462 { 4463 cp->png_ptr->io_ptr = NULL; 4464 (void)fclose(fp); 4465 } 4466 } 4467 # endif 4468 4469 /* Copy the control structure so that the original, allocated, version can be 4470 * safely freed. Notice that a png_error here stops the remainder of the 4471 * cleanup, but this is probably fine because that would indicate bad memory 4472 * problems anyway. 4473 */ 4474 c = *cp; 4475 image->opaque = &c; 4476 png_free(c.png_ptr, cp); 4477 4478 /* Then the structures, calling the correct API. */ 4479 if (c.for_write != 0) 4480 { 4481 # ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED 4482 png_destroy_write_struct(&c.png_ptr, &c.info_ptr); 4483 # else 4484 png_error(c.png_ptr, "simplified write not supported"); 4485 # endif 4486 } 4487 else 4488 { 4489 # ifdef PNG_SIMPLIFIED_READ_SUPPORTED 4490 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL); 4491 # else 4492 png_error(c.png_ptr, "simplified read not supported"); 4493 # endif 4494 } 4495 4496 /* Success. */ 4497 return 1; 4498 } 4499 4500 void PNGAPI 4501 png_image_free(png_imagep image) 4502 { 4503 /* Safely call the real function, but only if doing so is safe at this point 4504 * (if not inside an error handling context). Otherwise assume 4505 * png_safe_execute will call this API after the return. 4506 */ 4507 if (image != NULL && image->opaque != NULL && 4508 image->opaque->error_buf == NULL) 4509 { 4510 /* Ignore errors here: */ 4511 (void)png_safe_execute(image, png_image_free_function, image); 4512 image->opaque = NULL; 4513 } 4514 } 4515 4516 int /* PRIVATE */ 4517 png_image_error(png_imagep image, png_const_charp error_message) 4518 { 4519 /* Utility to log an error. */ 4520 png_safecat(image->message, (sizeof image->message), 0, error_message); 4521 image->warning_or_error |= PNG_IMAGE_ERROR; 4522 png_image_free(image); 4523 return 0; 4524 } 4525 4526 #endif /* SIMPLIFIED READ/WRITE */ 4527 #endif /* READ || WRITE */