1 /* 2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 3 * 4 * This code is free software; you can redistribute it and/or modify it 5 * under the terms of the GNU General Public License version 2 only, as 6 * published by the Free Software Foundation. Oracle designates this 7 * particular file as subject to the "Classpath" exception as provided 8 * by Oracle in the LICENSE file that accompanied this code. 9 * 10 * This code is distributed in the hope that it will be useful, but WITHOUT 11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13 * version 2 for more details (a copy is included in the LICENSE file that 14 * accompanied this code). 15 * 16 * You should have received a copy of the GNU General Public License version 17 * 2 along with this work; if not, write to the Free Software Foundation, 18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 19 * 20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 21 * or visit www.oracle.com if you need additional information or have any 22 * questions. 23 */ 24 25 /* pngpread.c - read a png file in push mode 26 * 27 * This file is available under and governed by the GNU General Public 28 * License version 2 only, as published by the Free Software Foundation. 29 * However, the following notice accompanied the original version of this 30 * file and, per its terms, should not be removed: 31 * 32 * Last changed in libpng 1.6.18 [July 23, 2015] 33 * Copyright (c) 1998-2015 Glenn Randers-Pehrson 34 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 35 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 36 * 37 * This code is released under the libpng license. 38 * For conditions of distribution and use, see the disclaimer 39 * and license in png.h 40 */ 41 42 #include "pngpriv.h" 43 44 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED 45 46 /* Push model modes */ 47 #define PNG_READ_SIG_MODE 0 48 #define PNG_READ_CHUNK_MODE 1 49 #define PNG_READ_IDAT_MODE 2 50 #define PNG_READ_tEXt_MODE 4 51 #define PNG_READ_zTXt_MODE 5 52 #define PNG_READ_DONE_MODE 6 53 #define PNG_READ_iTXt_MODE 7 54 #define PNG_ERROR_MODE 8 55 56 #define PNG_PUSH_SAVE_BUFFER_IF_FULL \ 57 if (png_ptr->push_length + 4 > png_ptr->buffer_size) \ 58 { png_push_save_buffer(png_ptr); return; } 59 #define PNG_PUSH_SAVE_BUFFER_IF_LT(N) \ 60 if (png_ptr->buffer_size < N) \ 61 { png_push_save_buffer(png_ptr); return; } 62 63 void PNGAPI 64 png_process_data(png_structrp png_ptr, png_inforp info_ptr, 65 png_bytep buffer, png_size_t buffer_size) 66 { 67 if (png_ptr == NULL || info_ptr == NULL) 68 return; 69 70 png_push_restore_buffer(png_ptr, buffer, buffer_size); 71 72 while (png_ptr->buffer_size) 73 { 74 png_process_some_data(png_ptr, info_ptr); 75 } 76 } 77 78 png_size_t PNGAPI 79 png_process_data_pause(png_structrp png_ptr, int save) 80 { 81 if (png_ptr != NULL) 82 { 83 /* It's easiest for the caller if we do the save; then the caller doesn't 84 * have to supply the same data again: 85 */ 86 if (save != 0) 87 png_push_save_buffer(png_ptr); 88 else 89 { 90 /* This includes any pending saved bytes: */ 91 png_size_t remaining = png_ptr->buffer_size; 92 png_ptr->buffer_size = 0; 93 94 /* So subtract the saved buffer size, unless all the data 95 * is actually 'saved', in which case we just return 0 96 */ 97 if (png_ptr->save_buffer_size < remaining) 98 return remaining - png_ptr->save_buffer_size; 99 } 100 } 101 102 return 0; 103 } 104 105 png_uint_32 PNGAPI 106 png_process_data_skip(png_structrp png_ptr) 107 { 108 /* TODO: Deprecate and remove this API. 109 * Somewhere the implementation of this seems to have been lost, 110 * or abandoned. It was only to support some internal back-door access 111 * to png_struct) in libpng-1.4.x. 112 */ 113 png_app_warning(png_ptr, 114 "png_process_data_skip is not implemented in any current version of libpng"); 115 return 0; 116 } 117 118 /* What we do with the incoming data depends on what we were previously 119 * doing before we ran out of data... 120 */ 121 void /* PRIVATE */ 122 png_process_some_data(png_structrp png_ptr, png_inforp info_ptr) 123 { 124 if (png_ptr == NULL) 125 return; 126 127 switch (png_ptr->process_mode) 128 { 129 case PNG_READ_SIG_MODE: 130 { 131 png_push_read_sig(png_ptr, info_ptr); 132 break; 133 } 134 135 case PNG_READ_CHUNK_MODE: 136 { 137 png_push_read_chunk(png_ptr, info_ptr); 138 break; 139 } 140 141 case PNG_READ_IDAT_MODE: 142 { 143 png_push_read_IDAT(png_ptr); 144 break; 145 } 146 147 default: 148 { 149 png_ptr->buffer_size = 0; 150 break; 151 } 152 } 153 } 154 155 /* Read any remaining signature bytes from the stream and compare them with 156 * the correct PNG signature. It is possible that this routine is called 157 * with bytes already read from the signature, either because they have been 158 * checked by the calling application, or because of multiple calls to this 159 * routine. 160 */ 161 void /* PRIVATE */ 162 png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr) 163 { 164 png_size_t num_checked = png_ptr->sig_bytes, /* SAFE, does not exceed 8 */ 165 num_to_check = 8 - num_checked; 166 167 if (png_ptr->buffer_size < num_to_check) 168 { 169 num_to_check = png_ptr->buffer_size; 170 } 171 172 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]), 173 num_to_check); 174 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check); 175 176 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check)) 177 { 178 if (num_checked < 4 && 179 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4)) 180 png_error(png_ptr, "Not a PNG file"); 181 182 else 183 png_error(png_ptr, "PNG file corrupted by ASCII conversion"); 184 } 185 else 186 { 187 if (png_ptr->sig_bytes >= 8) 188 { 189 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 190 } 191 } 192 } 193 194 void /* PRIVATE */ 195 png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr) 196 { 197 png_uint_32 chunk_name; 198 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 199 int keep; /* unknown handling method */ 200 #endif 201 202 /* First we make sure we have enough data for the 4-byte chunk name 203 * and the 4-byte chunk length before proceeding with decoding the 204 * chunk data. To fully decode each of these chunks, we also make 205 * sure we have enough data in the buffer for the 4-byte CRC at the 206 * end of every chunk (except IDAT, which is handled separately). 207 */ 208 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0) 209 { 210 png_byte chunk_length[4]; 211 png_byte chunk_tag[4]; 212 213 PNG_PUSH_SAVE_BUFFER_IF_LT(8) 214 png_push_fill_buffer(png_ptr, chunk_length, 4); 215 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 216 png_reset_crc(png_ptr); 217 png_crc_read(png_ptr, chunk_tag, 4); 218 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 219 png_check_chunk_name(png_ptr, png_ptr->chunk_name); 220 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 221 } 222 223 chunk_name = png_ptr->chunk_name; 224 225 if (chunk_name == png_IDAT) 226 { 227 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0) 228 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT; 229 230 /* If we reach an IDAT chunk, this means we have read all of the 231 * header chunks, and we can start reading the image (or if this 232 * is called after the image has been read - we have an error). 233 */ 234 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) 235 png_error(png_ptr, "Missing IHDR before IDAT"); 236 237 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && 238 (png_ptr->mode & PNG_HAVE_PLTE) == 0) 239 png_error(png_ptr, "Missing PLTE before IDAT"); 240 241 png_ptr->mode |= PNG_HAVE_IDAT; 242 png_ptr->process_mode = PNG_READ_IDAT_MODE; 243 244 if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0) 245 if (png_ptr->push_length == 0) 246 return; 247 248 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0) 249 png_benign_error(png_ptr, "Too many IDATs found"); 250 } 251 252 if (chunk_name == png_IHDR) 253 { 254 if (png_ptr->push_length != 13) 255 png_error(png_ptr, "Invalid IHDR length"); 256 257 PNG_PUSH_SAVE_BUFFER_IF_FULL 258 png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length); 259 } 260 261 else if (chunk_name == png_IEND) 262 { 263 PNG_PUSH_SAVE_BUFFER_IF_FULL 264 png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length); 265 266 png_ptr->process_mode = PNG_READ_DONE_MODE; 267 png_push_have_end(png_ptr, info_ptr); 268 } 269 270 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 271 else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0) 272 { 273 PNG_PUSH_SAVE_BUFFER_IF_FULL 274 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep); 275 276 if (chunk_name == png_PLTE) 277 png_ptr->mode |= PNG_HAVE_PLTE; 278 } 279 #endif 280 281 else if (chunk_name == png_PLTE) 282 { 283 PNG_PUSH_SAVE_BUFFER_IF_FULL 284 png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length); 285 } 286 287 else if (chunk_name == png_IDAT) 288 { 289 png_ptr->idat_size = png_ptr->push_length; 290 png_ptr->process_mode = PNG_READ_IDAT_MODE; 291 png_push_have_info(png_ptr, info_ptr); 292 png_ptr->zstream.avail_out = 293 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth, 294 png_ptr->iwidth) + 1; 295 png_ptr->zstream.next_out = png_ptr->row_buf; 296 return; 297 } 298 299 #ifdef PNG_READ_gAMA_SUPPORTED 300 else if (png_ptr->chunk_name == png_gAMA) 301 { 302 PNG_PUSH_SAVE_BUFFER_IF_FULL 303 png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length); 304 } 305 306 #endif 307 #ifdef PNG_READ_sBIT_SUPPORTED 308 else if (png_ptr->chunk_name == png_sBIT) 309 { 310 PNG_PUSH_SAVE_BUFFER_IF_FULL 311 png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length); 312 } 313 314 #endif 315 #ifdef PNG_READ_cHRM_SUPPORTED 316 else if (png_ptr->chunk_name == png_cHRM) 317 { 318 PNG_PUSH_SAVE_BUFFER_IF_FULL 319 png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length); 320 } 321 322 #endif 323 #ifdef PNG_READ_sRGB_SUPPORTED 324 else if (chunk_name == png_sRGB) 325 { 326 PNG_PUSH_SAVE_BUFFER_IF_FULL 327 png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length); 328 } 329 330 #endif 331 #ifdef PNG_READ_iCCP_SUPPORTED 332 else if (png_ptr->chunk_name == png_iCCP) 333 { 334 PNG_PUSH_SAVE_BUFFER_IF_FULL 335 png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length); 336 } 337 338 #endif 339 #ifdef PNG_READ_sPLT_SUPPORTED 340 else if (chunk_name == png_sPLT) 341 { 342 PNG_PUSH_SAVE_BUFFER_IF_FULL 343 png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length); 344 } 345 346 #endif 347 #ifdef PNG_READ_tRNS_SUPPORTED 348 else if (chunk_name == png_tRNS) 349 { 350 PNG_PUSH_SAVE_BUFFER_IF_FULL 351 png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length); 352 } 353 354 #endif 355 #ifdef PNG_READ_bKGD_SUPPORTED 356 else if (chunk_name == png_bKGD) 357 { 358 PNG_PUSH_SAVE_BUFFER_IF_FULL 359 png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length); 360 } 361 362 #endif 363 #ifdef PNG_READ_hIST_SUPPORTED 364 else if (chunk_name == png_hIST) 365 { 366 PNG_PUSH_SAVE_BUFFER_IF_FULL 367 png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length); 368 } 369 370 #endif 371 #ifdef PNG_READ_pHYs_SUPPORTED 372 else if (chunk_name == png_pHYs) 373 { 374 PNG_PUSH_SAVE_BUFFER_IF_FULL 375 png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length); 376 } 377 378 #endif 379 #ifdef PNG_READ_oFFs_SUPPORTED 380 else if (chunk_name == png_oFFs) 381 { 382 PNG_PUSH_SAVE_BUFFER_IF_FULL 383 png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length); 384 } 385 #endif 386 387 #ifdef PNG_READ_pCAL_SUPPORTED 388 else if (chunk_name == png_pCAL) 389 { 390 PNG_PUSH_SAVE_BUFFER_IF_FULL 391 png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length); 392 } 393 394 #endif 395 #ifdef PNG_READ_sCAL_SUPPORTED 396 else if (chunk_name == png_sCAL) 397 { 398 PNG_PUSH_SAVE_BUFFER_IF_FULL 399 png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length); 400 } 401 402 #endif 403 #ifdef PNG_READ_tIME_SUPPORTED 404 else if (chunk_name == png_tIME) 405 { 406 PNG_PUSH_SAVE_BUFFER_IF_FULL 407 png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length); 408 } 409 410 #endif 411 #ifdef PNG_READ_tEXt_SUPPORTED 412 else if (chunk_name == png_tEXt) 413 { 414 PNG_PUSH_SAVE_BUFFER_IF_FULL 415 png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length); 416 } 417 418 #endif 419 #ifdef PNG_READ_zTXt_SUPPORTED 420 else if (chunk_name == png_zTXt) 421 { 422 PNG_PUSH_SAVE_BUFFER_IF_FULL 423 png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length); 424 } 425 426 #endif 427 #ifdef PNG_READ_iTXt_SUPPORTED 428 else if (chunk_name == png_iTXt) 429 { 430 PNG_PUSH_SAVE_BUFFER_IF_FULL 431 png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length); 432 } 433 #endif 434 435 else 436 { 437 PNG_PUSH_SAVE_BUFFER_IF_FULL 438 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, 439 PNG_HANDLE_CHUNK_AS_DEFAULT); 440 } 441 442 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 443 } 444 445 void PNGCBAPI 446 png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length) 447 { 448 png_bytep ptr; 449 450 if (png_ptr == NULL) 451 return; 452 453 ptr = buffer; 454 if (png_ptr->save_buffer_size != 0) 455 { 456 png_size_t save_size; 457 458 if (length < png_ptr->save_buffer_size) 459 save_size = length; 460 461 else 462 save_size = png_ptr->save_buffer_size; 463 464 memcpy(ptr, png_ptr->save_buffer_ptr, save_size); 465 length -= save_size; 466 ptr += save_size; 467 png_ptr->buffer_size -= save_size; 468 png_ptr->save_buffer_size -= save_size; 469 png_ptr->save_buffer_ptr += save_size; 470 } 471 if (length != 0 && png_ptr->current_buffer_size != 0) 472 { 473 png_size_t save_size; 474 475 if (length < png_ptr->current_buffer_size) 476 save_size = length; 477 478 else 479 save_size = png_ptr->current_buffer_size; 480 481 memcpy(ptr, png_ptr->current_buffer_ptr, save_size); 482 png_ptr->buffer_size -= save_size; 483 png_ptr->current_buffer_size -= save_size; 484 png_ptr->current_buffer_ptr += save_size; 485 } 486 } 487 488 void /* PRIVATE */ 489 png_push_save_buffer(png_structrp png_ptr) 490 { 491 if (png_ptr->save_buffer_size != 0) 492 { 493 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer) 494 { 495 png_size_t i, istop; 496 png_bytep sp; 497 png_bytep dp; 498 499 istop = png_ptr->save_buffer_size; 500 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer; 501 i < istop; i++, sp++, dp++) 502 { 503 *dp = *sp; 504 } 505 } 506 } 507 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size > 508 png_ptr->save_buffer_max) 509 { 510 png_size_t new_max; 511 png_bytep old_buffer; 512 513 if (png_ptr->save_buffer_size > PNG_SIZE_MAX - 514 (png_ptr->current_buffer_size + 256)) 515 { 516 png_error(png_ptr, "Potential overflow of save_buffer"); 517 } 518 519 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; 520 old_buffer = png_ptr->save_buffer; 521 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr, 522 (png_size_t)new_max); 523 524 if (png_ptr->save_buffer == NULL) 525 { 526 png_free(png_ptr, old_buffer); 527 png_error(png_ptr, "Insufficient memory for save_buffer"); 528 } 529 530 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size); 531 png_free(png_ptr, old_buffer); 532 png_ptr->save_buffer_max = new_max; 533 } 534 if (png_ptr->current_buffer_size) 535 { 536 memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size, 537 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size); 538 png_ptr->save_buffer_size += png_ptr->current_buffer_size; 539 png_ptr->current_buffer_size = 0; 540 } 541 png_ptr->save_buffer_ptr = png_ptr->save_buffer; 542 png_ptr->buffer_size = 0; 543 } 544 545 void /* PRIVATE */ 546 png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer, 547 png_size_t buffer_length) 548 { 549 png_ptr->current_buffer = buffer; 550 png_ptr->current_buffer_size = buffer_length; 551 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size; 552 png_ptr->current_buffer_ptr = png_ptr->current_buffer; 553 } 554 555 void /* PRIVATE */ 556 png_push_read_IDAT(png_structrp png_ptr) 557 { 558 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0) 559 { 560 png_byte chunk_length[4]; 561 png_byte chunk_tag[4]; 562 563 /* TODO: this code can be commoned up with the same code in push_read */ 564 PNG_PUSH_SAVE_BUFFER_IF_LT(8) 565 png_push_fill_buffer(png_ptr, chunk_length, 4); 566 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 567 png_reset_crc(png_ptr); 568 png_crc_read(png_ptr, chunk_tag, 4); 569 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 570 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 571 572 if (png_ptr->chunk_name != png_IDAT) 573 { 574 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 575 576 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) 577 png_error(png_ptr, "Not enough compressed data"); 578 579 return; 580 } 581 582 png_ptr->idat_size = png_ptr->push_length; 583 } 584 585 if (png_ptr->idat_size != 0 && png_ptr->save_buffer_size != 0) 586 { 587 png_size_t save_size = png_ptr->save_buffer_size; 588 png_uint_32 idat_size = png_ptr->idat_size; 589 590 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 591 * are of different types and we don't know which variable has the fewest 592 * bits. Carefully select the smaller and cast it to the type of the 593 * larger - this cannot overflow. Do not cast in the following test - it 594 * will break on either 16-bit or 64-bit platforms. 595 */ 596 if (idat_size < save_size) 597 save_size = (png_size_t)idat_size; 598 599 else 600 idat_size = (png_uint_32)save_size; 601 602 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size); 603 604 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size); 605 606 png_ptr->idat_size -= idat_size; 607 png_ptr->buffer_size -= save_size; 608 png_ptr->save_buffer_size -= save_size; 609 png_ptr->save_buffer_ptr += save_size; 610 } 611 612 if (png_ptr->idat_size != 0 && png_ptr->current_buffer_size != 0) 613 { 614 png_size_t save_size = png_ptr->current_buffer_size; 615 png_uint_32 idat_size = png_ptr->idat_size; 616 617 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 618 * are of different types and we don't know which variable has the fewest 619 * bits. Carefully select the smaller and cast it to the type of the 620 * larger - this cannot overflow. 621 */ 622 if (idat_size < save_size) 623 save_size = (png_size_t)idat_size; 624 625 else 626 idat_size = (png_uint_32)save_size; 627 628 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size); 629 630 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size); 631 632 png_ptr->idat_size -= idat_size; 633 png_ptr->buffer_size -= save_size; 634 png_ptr->current_buffer_size -= save_size; 635 png_ptr->current_buffer_ptr += save_size; 636 } 637 638 if (png_ptr->idat_size == 0) 639 { 640 PNG_PUSH_SAVE_BUFFER_IF_LT(4) 641 png_crc_finish(png_ptr, 0); 642 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 643 png_ptr->mode |= PNG_AFTER_IDAT; 644 png_ptr->zowner = 0; 645 } 646 } 647 648 void /* PRIVATE */ 649 png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer, 650 png_size_t buffer_length) 651 { 652 /* The caller checks for a non-zero buffer length. */ 653 if (!(buffer_length > 0) || buffer == NULL) 654 png_error(png_ptr, "No IDAT data (internal error)"); 655 656 /* This routine must process all the data it has been given 657 * before returning, calling the row callback as required to 658 * handle the uncompressed results. 659 */ 660 png_ptr->zstream.next_in = buffer; 661 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 662 png_ptr->zstream.avail_in = (uInt)buffer_length; 663 664 /* Keep going until the decompressed data is all processed 665 * or the stream marked as finished. 666 */ 667 while (png_ptr->zstream.avail_in > 0 && 668 (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) 669 { 670 int ret; 671 672 /* We have data for zlib, but we must check that zlib 673 * has someplace to put the results. It doesn't matter 674 * if we don't expect any results -- it may be the input 675 * data is just the LZ end code. 676 */ 677 if (!(png_ptr->zstream.avail_out > 0)) 678 { 679 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 680 png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth, 681 png_ptr->iwidth) + 1); 682 683 png_ptr->zstream.next_out = png_ptr->row_buf; 684 } 685 686 /* Using Z_SYNC_FLUSH here means that an unterminated 687 * LZ stream (a stream with a missing end code) can still 688 * be handled, otherwise (Z_NO_FLUSH) a future zlib 689 * implementation might defer output and therefore 690 * change the current behavior (see comments in inflate.c 691 * for why this doesn't happen at present with zlib 1.2.5). 692 */ 693 ret = PNG_INFLATE(png_ptr, Z_SYNC_FLUSH); 694 695 /* Check for any failure before proceeding. */ 696 if (ret != Z_OK && ret != Z_STREAM_END) 697 { 698 /* Terminate the decompression. */ 699 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 700 png_ptr->zowner = 0; 701 702 /* This may be a truncated stream (missing or 703 * damaged end code). Treat that as a warning. 704 */ 705 if (png_ptr->row_number >= png_ptr->num_rows || 706 png_ptr->pass > 6) 707 png_warning(png_ptr, "Truncated compressed data in IDAT"); 708 709 else 710 png_error(png_ptr, "Decompression error in IDAT"); 711 712 /* Skip the check on unprocessed input */ 713 return; 714 } 715 716 /* Did inflate output any data? */ 717 if (png_ptr->zstream.next_out != png_ptr->row_buf) 718 { 719 /* Is this unexpected data after the last row? 720 * If it is, artificially terminate the LZ output 721 * here. 722 */ 723 if (png_ptr->row_number >= png_ptr->num_rows || 724 png_ptr->pass > 6) 725 { 726 /* Extra data. */ 727 png_warning(png_ptr, "Extra compressed data in IDAT"); 728 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 729 png_ptr->zowner = 0; 730 731 /* Do no more processing; skip the unprocessed 732 * input check below. 733 */ 734 return; 735 } 736 737 /* Do we have a complete row? */ 738 if (png_ptr->zstream.avail_out == 0) 739 png_push_process_row(png_ptr); 740 } 741 742 /* And check for the end of the stream. */ 743 if (ret == Z_STREAM_END) 744 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 745 } 746 747 /* All the data should have been processed, if anything 748 * is left at this point we have bytes of IDAT data 749 * after the zlib end code. 750 */ 751 if (png_ptr->zstream.avail_in > 0) 752 png_warning(png_ptr, "Extra compression data in IDAT"); 753 } 754 755 void /* PRIVATE */ 756 png_push_process_row(png_structrp png_ptr) 757 { 758 /* 1.5.6: row_info moved out of png_struct to a local here. */ 759 png_row_info row_info; 760 761 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */ 762 row_info.color_type = png_ptr->color_type; 763 row_info.bit_depth = png_ptr->bit_depth; 764 row_info.channels = png_ptr->channels; 765 row_info.pixel_depth = png_ptr->pixel_depth; 766 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width); 767 768 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE) 769 { 770 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST) 771 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1, 772 png_ptr->prev_row + 1, png_ptr->row_buf[0]); 773 else 774 png_error(png_ptr, "bad adaptive filter value"); 775 } 776 777 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before 778 * 1.5.6, while the buffer really is this big in current versions of libpng 779 * it may not be in the future, so this was changed just to copy the 780 * interlaced row count: 781 */ 782 memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1); 783 784 #ifdef PNG_READ_TRANSFORMS_SUPPORTED 785 if (png_ptr->transformations != 0) 786 png_do_read_transformations(png_ptr, &row_info); 787 #endif 788 789 /* The transformed pixel depth should match the depth now in row_info. */ 790 if (png_ptr->transformed_pixel_depth == 0) 791 { 792 png_ptr->transformed_pixel_depth = row_info.pixel_depth; 793 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth) 794 png_error(png_ptr, "progressive row overflow"); 795 } 796 797 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth) 798 png_error(png_ptr, "internal progressive row size calculation error"); 799 800 801 #ifdef PNG_READ_INTERLACING_SUPPORTED 802 /* Expand interlaced rows to full size */ 803 if (png_ptr->interlaced != 0 && 804 (png_ptr->transformations & PNG_INTERLACE) != 0) 805 { 806 if (png_ptr->pass < 6) 807 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass, 808 png_ptr->transformations); 809 810 switch (png_ptr->pass) 811 { 812 case 0: 813 { 814 int i; 815 for (i = 0; i < 8 && png_ptr->pass == 0; i++) 816 { 817 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 818 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */ 819 } 820 821 if (png_ptr->pass == 2) /* Pass 1 might be empty */ 822 { 823 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 824 { 825 png_push_have_row(png_ptr, NULL); 826 png_read_push_finish_row(png_ptr); 827 } 828 } 829 830 if (png_ptr->pass == 4 && png_ptr->height <= 4) 831 { 832 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 833 { 834 png_push_have_row(png_ptr, NULL); 835 png_read_push_finish_row(png_ptr); 836 } 837 } 838 839 if (png_ptr->pass == 6 && png_ptr->height <= 4) 840 { 841 png_push_have_row(png_ptr, NULL); 842 png_read_push_finish_row(png_ptr); 843 } 844 845 break; 846 } 847 848 case 1: 849 { 850 int i; 851 for (i = 0; i < 8 && png_ptr->pass == 1; i++) 852 { 853 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 854 png_read_push_finish_row(png_ptr); 855 } 856 857 if (png_ptr->pass == 2) /* Skip top 4 generated rows */ 858 { 859 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 860 { 861 png_push_have_row(png_ptr, NULL); 862 png_read_push_finish_row(png_ptr); 863 } 864 } 865 866 break; 867 } 868 869 case 2: 870 { 871 int i; 872 873 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 874 { 875 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 876 png_read_push_finish_row(png_ptr); 877 } 878 879 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 880 { 881 png_push_have_row(png_ptr, NULL); 882 png_read_push_finish_row(png_ptr); 883 } 884 885 if (png_ptr->pass == 4) /* Pass 3 might be empty */ 886 { 887 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 888 { 889 png_push_have_row(png_ptr, NULL); 890 png_read_push_finish_row(png_ptr); 891 } 892 } 893 894 break; 895 } 896 897 case 3: 898 { 899 int i; 900 901 for (i = 0; i < 4 && png_ptr->pass == 3; i++) 902 { 903 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 904 png_read_push_finish_row(png_ptr); 905 } 906 907 if (png_ptr->pass == 4) /* Skip top two generated rows */ 908 { 909 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 910 { 911 png_push_have_row(png_ptr, NULL); 912 png_read_push_finish_row(png_ptr); 913 } 914 } 915 916 break; 917 } 918 919 case 4: 920 { 921 int i; 922 923 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 924 { 925 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 926 png_read_push_finish_row(png_ptr); 927 } 928 929 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 930 { 931 png_push_have_row(png_ptr, NULL); 932 png_read_push_finish_row(png_ptr); 933 } 934 935 if (png_ptr->pass == 6) /* Pass 5 might be empty */ 936 { 937 png_push_have_row(png_ptr, NULL); 938 png_read_push_finish_row(png_ptr); 939 } 940 941 break; 942 } 943 944 case 5: 945 { 946 int i; 947 948 for (i = 0; i < 2 && png_ptr->pass == 5; i++) 949 { 950 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 951 png_read_push_finish_row(png_ptr); 952 } 953 954 if (png_ptr->pass == 6) /* Skip top generated row */ 955 { 956 png_push_have_row(png_ptr, NULL); 957 png_read_push_finish_row(png_ptr); 958 } 959 960 break; 961 } 962 963 default: 964 case 6: 965 { 966 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 967 png_read_push_finish_row(png_ptr); 968 969 if (png_ptr->pass != 6) 970 break; 971 972 png_push_have_row(png_ptr, NULL); 973 png_read_push_finish_row(png_ptr); 974 } 975 } 976 } 977 else 978 #endif 979 { 980 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 981 png_read_push_finish_row(png_ptr); 982 } 983 } 984 985 void /* PRIVATE */ 986 png_read_push_finish_row(png_structrp png_ptr) 987 { 988 #ifdef PNG_READ_INTERLACING_SUPPORTED 989 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 990 991 /* Start of interlace block */ 992 static PNG_CONST png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0}; 993 994 /* Offset to next interlace block */ 995 static PNG_CONST png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1}; 996 997 /* Start of interlace block in the y direction */ 998 static PNG_CONST png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1}; 999 1000 /* Offset to next interlace block in the y direction */ 1001 static PNG_CONST png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2}; 1002 1003 /* Height of interlace block. This is not currently used - if you need 1004 * it, uncomment it here and in png.h 1005 static PNG_CONST png_byte png_pass_height[] = {8, 8, 4, 4, 2, 2, 1}; 1006 */ 1007 #endif 1008 1009 png_ptr->row_number++; 1010 if (png_ptr->row_number < png_ptr->num_rows) 1011 return; 1012 1013 #ifdef PNG_READ_INTERLACING_SUPPORTED 1014 if (png_ptr->interlaced != 0) 1015 { 1016 png_ptr->row_number = 0; 1017 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1); 1018 1019 do 1020 { 1021 png_ptr->pass++; 1022 if ((png_ptr->pass == 1 && png_ptr->width < 5) || 1023 (png_ptr->pass == 3 && png_ptr->width < 3) || 1024 (png_ptr->pass == 5 && png_ptr->width < 2)) 1025 png_ptr->pass++; 1026 1027 if (png_ptr->pass > 7) 1028 png_ptr->pass--; 1029 1030 if (png_ptr->pass >= 7) 1031 break; 1032 1033 png_ptr->iwidth = (png_ptr->width + 1034 png_pass_inc[png_ptr->pass] - 1 - 1035 png_pass_start[png_ptr->pass]) / 1036 png_pass_inc[png_ptr->pass]; 1037 1038 if ((png_ptr->transformations & PNG_INTERLACE) != 0) 1039 break; 1040 1041 png_ptr->num_rows = (png_ptr->height + 1042 png_pass_yinc[png_ptr->pass] - 1 - 1043 png_pass_ystart[png_ptr->pass]) / 1044 png_pass_yinc[png_ptr->pass]; 1045 1046 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0); 1047 } 1048 #endif /* READ_INTERLACING */ 1049 } 1050 1051 void /* PRIVATE */ 1052 png_push_have_info(png_structrp png_ptr, png_inforp info_ptr) 1053 { 1054 if (png_ptr->info_fn != NULL) 1055 (*(png_ptr->info_fn))(png_ptr, info_ptr); 1056 } 1057 1058 void /* PRIVATE */ 1059 png_push_have_end(png_structrp png_ptr, png_inforp info_ptr) 1060 { 1061 if (png_ptr->end_fn != NULL) 1062 (*(png_ptr->end_fn))(png_ptr, info_ptr); 1063 } 1064 1065 void /* PRIVATE */ 1066 png_push_have_row(png_structrp png_ptr, png_bytep row) 1067 { 1068 if (png_ptr->row_fn != NULL) 1069 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number, 1070 (int)png_ptr->pass); 1071 } 1072 1073 #ifdef PNG_READ_INTERLACING_SUPPORTED 1074 void PNGAPI 1075 png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row, 1076 png_const_bytep new_row) 1077 { 1078 if (png_ptr == NULL) 1079 return; 1080 1081 /* new_row is a flag here - if it is NULL then the app callback was called 1082 * from an empty row (see the calls to png_struct::row_fn below), otherwise 1083 * it must be png_ptr->row_buf+1 1084 */ 1085 if (new_row != NULL) 1086 png_combine_row(png_ptr, old_row, 1/*blocky display*/); 1087 } 1088 #endif /* READ_INTERLACING */ 1089 1090 void PNGAPI 1091 png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr, 1092 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn, 1093 png_progressive_end_ptr end_fn) 1094 { 1095 if (png_ptr == NULL) 1096 return; 1097 1098 png_ptr->info_fn = info_fn; 1099 png_ptr->row_fn = row_fn; 1100 png_ptr->end_fn = end_fn; 1101 1102 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer); 1103 } 1104 1105 png_voidp PNGAPI 1106 png_get_progressive_ptr(png_const_structrp png_ptr) 1107 { 1108 if (png_ptr == NULL) 1109 return (NULL); 1110 1111 return png_ptr->io_ptr; 1112 } 1113 #endif /* PROGRESSIVE_READ */