1 /* 2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 3 * 4 * This code is free software; you can redistribute it and/or modify it 5 * under the terms of the GNU General Public License version 2 only, as 6 * published by the Free Software Foundation. Oracle designates this 7 * particular file as subject to the "Classpath" exception as provided 8 * by Oracle in the LICENSE file that accompanied this code. 9 * 10 * This code is distributed in the hope that it will be useful, but WITHOUT 11 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 12 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13 * version 2 for more details (a copy is included in the LICENSE file that 14 * accompanied this code). 15 * 16 * You should have received a copy of the GNU General Public License version 17 * 2 along with this work; if not, write to the Free Software Foundation, 18 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 19 * 20 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 21 * or visit www.oracle.com if you need additional information or have any 22 * questions. 23 */ 24 25 /* pngpread.c - read a png file in push mode 26 * 27 * This file is available under and governed by the GNU General Public 28 * License version 2 only, as published by the Free Software Foundation. 29 * However, the following notice accompanied the original version of this 30 * file and, per its terms, should not be removed: 31 * 32 * Last changed in libpng 1.6.23 [June 9, 2016] 33 * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson 34 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 35 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 36 * 37 * This code is released under the libpng license. 38 * For conditions of distribution and use, see the disclaimer 39 * and license in png.h 40 */ 41 42 #include "pngpriv.h" 43 44 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED 45 46 /* Push model modes */ 47 #define PNG_READ_SIG_MODE 0 48 #define PNG_READ_CHUNK_MODE 1 49 #define PNG_READ_IDAT_MODE 2 50 #define PNG_READ_tEXt_MODE 4 51 #define PNG_READ_zTXt_MODE 5 52 #define PNG_READ_DONE_MODE 6 53 #define PNG_READ_iTXt_MODE 7 54 #define PNG_ERROR_MODE 8 55 56 #define PNG_PUSH_SAVE_BUFFER_IF_FULL \ 57 if (png_ptr->push_length + 4 > png_ptr->buffer_size) \ 58 { png_push_save_buffer(png_ptr); return; } 59 #define PNG_PUSH_SAVE_BUFFER_IF_LT(N) \ 60 if (png_ptr->buffer_size < N) \ 61 { png_push_save_buffer(png_ptr); return; } 62 63 void PNGAPI 64 png_process_data(png_structrp png_ptr, png_inforp info_ptr, 65 png_bytep buffer, png_size_t buffer_size) 66 { 67 if (png_ptr == NULL || info_ptr == NULL) 68 return; 69 70 png_push_restore_buffer(png_ptr, buffer, buffer_size); 71 72 while (png_ptr->buffer_size) 73 { 74 png_process_some_data(png_ptr, info_ptr); 75 } 76 } 77 78 png_size_t PNGAPI 79 png_process_data_pause(png_structrp png_ptr, int save) 80 { 81 if (png_ptr != NULL) 82 { 83 /* It's easiest for the caller if we do the save; then the caller doesn't 84 * have to supply the same data again: 85 */ 86 if (save != 0) 87 png_push_save_buffer(png_ptr); 88 else 89 { 90 /* This includes any pending saved bytes: */ 91 png_size_t remaining = png_ptr->buffer_size; 92 png_ptr->buffer_size = 0; 93 94 /* So subtract the saved buffer size, unless all the data 95 * is actually 'saved', in which case we just return 0 96 */ 97 if (png_ptr->save_buffer_size < remaining) 98 return remaining - png_ptr->save_buffer_size; 99 } 100 } 101 102 return 0; 103 } 104 105 png_uint_32 PNGAPI 106 png_process_data_skip(png_structrp png_ptr) 107 { 108 /* TODO: Deprecate and remove this API. 109 * Somewhere the implementation of this seems to have been lost, 110 * or abandoned. It was only to support some internal back-door access 111 * to png_struct) in libpng-1.4.x. 112 */ 113 png_app_warning(png_ptr, 114 "png_process_data_skip is not implemented in any current version of libpng"); 115 return 0; 116 } 117 118 /* What we do with the incoming data depends on what we were previously 119 * doing before we ran out of data... 120 */ 121 void /* PRIVATE */ 122 png_process_some_data(png_structrp png_ptr, png_inforp info_ptr) 123 { 124 if (png_ptr == NULL) 125 return; 126 127 switch (png_ptr->process_mode) 128 { 129 case PNG_READ_SIG_MODE: 130 { 131 png_push_read_sig(png_ptr, info_ptr); 132 break; 133 } 134 135 case PNG_READ_CHUNK_MODE: 136 { 137 png_push_read_chunk(png_ptr, info_ptr); 138 break; 139 } 140 141 case PNG_READ_IDAT_MODE: 142 { 143 png_push_read_IDAT(png_ptr); 144 break; 145 } 146 147 default: 148 { 149 png_ptr->buffer_size = 0; 150 break; 151 } 152 } 153 } 154 155 /* Read any remaining signature bytes from the stream and compare them with 156 * the correct PNG signature. It is possible that this routine is called 157 * with bytes already read from the signature, either because they have been 158 * checked by the calling application, or because of multiple calls to this 159 * routine. 160 */ 161 void /* PRIVATE */ 162 png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr) 163 { 164 png_size_t num_checked = png_ptr->sig_bytes, /* SAFE, does not exceed 8 */ 165 num_to_check = 8 - num_checked; 166 167 if (png_ptr->buffer_size < num_to_check) 168 { 169 num_to_check = png_ptr->buffer_size; 170 } 171 172 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]), 173 num_to_check); 174 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check); 175 176 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check)) 177 { 178 if (num_checked < 4 && 179 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4)) 180 png_error(png_ptr, "Not a PNG file"); 181 182 else 183 png_error(png_ptr, "PNG file corrupted by ASCII conversion"); 184 } 185 else 186 { 187 if (png_ptr->sig_bytes >= 8) 188 { 189 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 190 } 191 } 192 } 193 194 void /* PRIVATE */ 195 png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr) 196 { 197 png_uint_32 chunk_name; 198 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 199 int keep; /* unknown handling method */ 200 #endif 201 202 /* First we make sure we have enough data for the 4-byte chunk name 203 * and the 4-byte chunk length before proceeding with decoding the 204 * chunk data. To fully decode each of these chunks, we also make 205 * sure we have enough data in the buffer for the 4-byte CRC at the 206 * end of every chunk (except IDAT, which is handled separately). 207 */ 208 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0) 209 { 210 png_byte chunk_length[4]; 211 png_byte chunk_tag[4]; 212 213 PNG_PUSH_SAVE_BUFFER_IF_LT(8) 214 png_push_fill_buffer(png_ptr, chunk_length, 4); 215 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 216 png_reset_crc(png_ptr); 217 png_crc_read(png_ptr, chunk_tag, 4); 218 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 219 png_check_chunk_name(png_ptr, png_ptr->chunk_name); 220 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 221 } 222 223 chunk_name = png_ptr->chunk_name; 224 225 if (chunk_name == png_IDAT) 226 { 227 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0) 228 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT; 229 230 /* If we reach an IDAT chunk, this means we have read all of the 231 * header chunks, and we can start reading the image (or if this 232 * is called after the image has been read - we have an error). 233 */ 234 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) 235 png_error(png_ptr, "Missing IHDR before IDAT"); 236 237 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && 238 (png_ptr->mode & PNG_HAVE_PLTE) == 0) 239 png_error(png_ptr, "Missing PLTE before IDAT"); 240 241 png_ptr->process_mode = PNG_READ_IDAT_MODE; 242 243 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) 244 if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0) 245 if (png_ptr->push_length == 0) 246 return; 247 248 png_ptr->mode |= PNG_HAVE_IDAT; 249 250 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0) 251 png_benign_error(png_ptr, "Too many IDATs found"); 252 } 253 254 if (chunk_name == png_IHDR) 255 { 256 if (png_ptr->push_length != 13) 257 png_error(png_ptr, "Invalid IHDR length"); 258 259 PNG_PUSH_SAVE_BUFFER_IF_FULL 260 png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length); 261 } 262 263 else if (chunk_name == png_IEND) 264 { 265 PNG_PUSH_SAVE_BUFFER_IF_FULL 266 png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length); 267 268 png_ptr->process_mode = PNG_READ_DONE_MODE; 269 png_push_have_end(png_ptr, info_ptr); 270 } 271 272 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 273 else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0) 274 { 275 PNG_PUSH_SAVE_BUFFER_IF_FULL 276 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep); 277 278 if (chunk_name == png_PLTE) 279 png_ptr->mode |= PNG_HAVE_PLTE; 280 } 281 #endif 282 283 else if (chunk_name == png_PLTE) 284 { 285 PNG_PUSH_SAVE_BUFFER_IF_FULL 286 png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length); 287 } 288 289 else if (chunk_name == png_IDAT) 290 { 291 png_ptr->idat_size = png_ptr->push_length; 292 png_ptr->process_mode = PNG_READ_IDAT_MODE; 293 png_push_have_info(png_ptr, info_ptr); 294 png_ptr->zstream.avail_out = 295 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth, 296 png_ptr->iwidth) + 1; 297 png_ptr->zstream.next_out = png_ptr->row_buf; 298 return; 299 } 300 301 #ifdef PNG_READ_gAMA_SUPPORTED 302 else if (png_ptr->chunk_name == png_gAMA) 303 { 304 PNG_PUSH_SAVE_BUFFER_IF_FULL 305 png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length); 306 } 307 308 #endif 309 #ifdef PNG_READ_sBIT_SUPPORTED 310 else if (png_ptr->chunk_name == png_sBIT) 311 { 312 PNG_PUSH_SAVE_BUFFER_IF_FULL 313 png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length); 314 } 315 316 #endif 317 #ifdef PNG_READ_cHRM_SUPPORTED 318 else if (png_ptr->chunk_name == png_cHRM) 319 { 320 PNG_PUSH_SAVE_BUFFER_IF_FULL 321 png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length); 322 } 323 324 #endif 325 #ifdef PNG_READ_sRGB_SUPPORTED 326 else if (chunk_name == png_sRGB) 327 { 328 PNG_PUSH_SAVE_BUFFER_IF_FULL 329 png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length); 330 } 331 332 #endif 333 #ifdef PNG_READ_iCCP_SUPPORTED 334 else if (png_ptr->chunk_name == png_iCCP) 335 { 336 PNG_PUSH_SAVE_BUFFER_IF_FULL 337 png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length); 338 } 339 340 #endif 341 #ifdef PNG_READ_sPLT_SUPPORTED 342 else if (chunk_name == png_sPLT) 343 { 344 PNG_PUSH_SAVE_BUFFER_IF_FULL 345 png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length); 346 } 347 348 #endif 349 #ifdef PNG_READ_tRNS_SUPPORTED 350 else if (chunk_name == png_tRNS) 351 { 352 PNG_PUSH_SAVE_BUFFER_IF_FULL 353 png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length); 354 } 355 356 #endif 357 #ifdef PNG_READ_bKGD_SUPPORTED 358 else if (chunk_name == png_bKGD) 359 { 360 PNG_PUSH_SAVE_BUFFER_IF_FULL 361 png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length); 362 } 363 364 #endif 365 #ifdef PNG_READ_hIST_SUPPORTED 366 else if (chunk_name == png_hIST) 367 { 368 PNG_PUSH_SAVE_BUFFER_IF_FULL 369 png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length); 370 } 371 372 #endif 373 #ifdef PNG_READ_pHYs_SUPPORTED 374 else if (chunk_name == png_pHYs) 375 { 376 PNG_PUSH_SAVE_BUFFER_IF_FULL 377 png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length); 378 } 379 380 #endif 381 #ifdef PNG_READ_oFFs_SUPPORTED 382 else if (chunk_name == png_oFFs) 383 { 384 PNG_PUSH_SAVE_BUFFER_IF_FULL 385 png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length); 386 } 387 #endif 388 389 #ifdef PNG_READ_pCAL_SUPPORTED 390 else if (chunk_name == png_pCAL) 391 { 392 PNG_PUSH_SAVE_BUFFER_IF_FULL 393 png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length); 394 } 395 396 #endif 397 #ifdef PNG_READ_sCAL_SUPPORTED 398 else if (chunk_name == png_sCAL) 399 { 400 PNG_PUSH_SAVE_BUFFER_IF_FULL 401 png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length); 402 } 403 404 #endif 405 #ifdef PNG_READ_tIME_SUPPORTED 406 else if (chunk_name == png_tIME) 407 { 408 PNG_PUSH_SAVE_BUFFER_IF_FULL 409 png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length); 410 } 411 412 #endif 413 #ifdef PNG_READ_tEXt_SUPPORTED 414 else if (chunk_name == png_tEXt) 415 { 416 PNG_PUSH_SAVE_BUFFER_IF_FULL 417 png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length); 418 } 419 420 #endif 421 #ifdef PNG_READ_zTXt_SUPPORTED 422 else if (chunk_name == png_zTXt) 423 { 424 PNG_PUSH_SAVE_BUFFER_IF_FULL 425 png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length); 426 } 427 428 #endif 429 #ifdef PNG_READ_iTXt_SUPPORTED 430 else if (chunk_name == png_iTXt) 431 { 432 PNG_PUSH_SAVE_BUFFER_IF_FULL 433 png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length); 434 } 435 #endif 436 437 else 438 { 439 PNG_PUSH_SAVE_BUFFER_IF_FULL 440 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, 441 PNG_HANDLE_CHUNK_AS_DEFAULT); 442 } 443 444 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 445 } 446 447 void PNGCBAPI 448 png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length) 449 { 450 png_bytep ptr; 451 452 if (png_ptr == NULL) 453 return; 454 455 ptr = buffer; 456 if (png_ptr->save_buffer_size != 0) 457 { 458 png_size_t save_size; 459 460 if (length < png_ptr->save_buffer_size) 461 save_size = length; 462 463 else 464 save_size = png_ptr->save_buffer_size; 465 466 memcpy(ptr, png_ptr->save_buffer_ptr, save_size); 467 length -= save_size; 468 ptr += save_size; 469 png_ptr->buffer_size -= save_size; 470 png_ptr->save_buffer_size -= save_size; 471 png_ptr->save_buffer_ptr += save_size; 472 } 473 if (length != 0 && png_ptr->current_buffer_size != 0) 474 { 475 png_size_t save_size; 476 477 if (length < png_ptr->current_buffer_size) 478 save_size = length; 479 480 else 481 save_size = png_ptr->current_buffer_size; 482 483 memcpy(ptr, png_ptr->current_buffer_ptr, save_size); 484 png_ptr->buffer_size -= save_size; 485 png_ptr->current_buffer_size -= save_size; 486 png_ptr->current_buffer_ptr += save_size; 487 } 488 } 489 490 void /* PRIVATE */ 491 png_push_save_buffer(png_structrp png_ptr) 492 { 493 if (png_ptr->save_buffer_size != 0) 494 { 495 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer) 496 { 497 png_size_t i, istop; 498 png_bytep sp; 499 png_bytep dp; 500 501 istop = png_ptr->save_buffer_size; 502 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer; 503 i < istop; i++, sp++, dp++) 504 { 505 *dp = *sp; 506 } 507 } 508 } 509 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size > 510 png_ptr->save_buffer_max) 511 { 512 png_size_t new_max; 513 png_bytep old_buffer; 514 515 if (png_ptr->save_buffer_size > PNG_SIZE_MAX - 516 (png_ptr->current_buffer_size + 256)) 517 { 518 png_error(png_ptr, "Potential overflow of save_buffer"); 519 } 520 521 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; 522 old_buffer = png_ptr->save_buffer; 523 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr, 524 (png_size_t)new_max); 525 526 if (png_ptr->save_buffer == NULL) 527 { 528 png_free(png_ptr, old_buffer); 529 png_error(png_ptr, "Insufficient memory for save_buffer"); 530 } 531 532 if (old_buffer) 533 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size); 534 else if (png_ptr->save_buffer_size) 535 png_error(png_ptr, "save_buffer error"); 536 png_free(png_ptr, old_buffer); 537 png_ptr->save_buffer_max = new_max; 538 } 539 if (png_ptr->current_buffer_size) 540 { 541 memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size, 542 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size); 543 png_ptr->save_buffer_size += png_ptr->current_buffer_size; 544 png_ptr->current_buffer_size = 0; 545 } 546 png_ptr->save_buffer_ptr = png_ptr->save_buffer; 547 png_ptr->buffer_size = 0; 548 } 549 550 void /* PRIVATE */ 551 png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer, 552 png_size_t buffer_length) 553 { 554 png_ptr->current_buffer = buffer; 555 png_ptr->current_buffer_size = buffer_length; 556 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size; 557 png_ptr->current_buffer_ptr = png_ptr->current_buffer; 558 } 559 560 void /* PRIVATE */ 561 png_push_read_IDAT(png_structrp png_ptr) 562 { 563 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0) 564 { 565 png_byte chunk_length[4]; 566 png_byte chunk_tag[4]; 567 568 /* TODO: this code can be commoned up with the same code in push_read */ 569 PNG_PUSH_SAVE_BUFFER_IF_LT(8) 570 png_push_fill_buffer(png_ptr, chunk_length, 4); 571 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 572 png_reset_crc(png_ptr); 573 png_crc_read(png_ptr, chunk_tag, 4); 574 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 575 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 576 577 if (png_ptr->chunk_name != png_IDAT) 578 { 579 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 580 581 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) 582 png_error(png_ptr, "Not enough compressed data"); 583 584 return; 585 } 586 587 png_ptr->idat_size = png_ptr->push_length; 588 } 589 590 if (png_ptr->idat_size != 0 && png_ptr->save_buffer_size != 0) 591 { 592 png_size_t save_size = png_ptr->save_buffer_size; 593 png_uint_32 idat_size = png_ptr->idat_size; 594 595 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 596 * are of different types and we don't know which variable has the fewest 597 * bits. Carefully select the smaller and cast it to the type of the 598 * larger - this cannot overflow. Do not cast in the following test - it 599 * will break on either 16-bit or 64-bit platforms. 600 */ 601 if (idat_size < save_size) 602 save_size = (png_size_t)idat_size; 603 604 else 605 idat_size = (png_uint_32)save_size; 606 607 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size); 608 609 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size); 610 611 png_ptr->idat_size -= idat_size; 612 png_ptr->buffer_size -= save_size; 613 png_ptr->save_buffer_size -= save_size; 614 png_ptr->save_buffer_ptr += save_size; 615 } 616 617 if (png_ptr->idat_size != 0 && png_ptr->current_buffer_size != 0) 618 { 619 png_size_t save_size = png_ptr->current_buffer_size; 620 png_uint_32 idat_size = png_ptr->idat_size; 621 622 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 623 * are of different types and we don't know which variable has the fewest 624 * bits. Carefully select the smaller and cast it to the type of the 625 * larger - this cannot overflow. 626 */ 627 if (idat_size < save_size) 628 save_size = (png_size_t)idat_size; 629 630 else 631 idat_size = (png_uint_32)save_size; 632 633 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size); 634 635 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size); 636 637 png_ptr->idat_size -= idat_size; 638 png_ptr->buffer_size -= save_size; 639 png_ptr->current_buffer_size -= save_size; 640 png_ptr->current_buffer_ptr += save_size; 641 } 642 643 if (png_ptr->idat_size == 0) 644 { 645 PNG_PUSH_SAVE_BUFFER_IF_LT(4) 646 png_crc_finish(png_ptr, 0); 647 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 648 png_ptr->mode |= PNG_AFTER_IDAT; 649 png_ptr->zowner = 0; 650 } 651 } 652 653 void /* PRIVATE */ 654 png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer, 655 png_size_t buffer_length) 656 { 657 /* The caller checks for a non-zero buffer length. */ 658 if (!(buffer_length > 0) || buffer == NULL) 659 png_error(png_ptr, "No IDAT data (internal error)"); 660 661 /* This routine must process all the data it has been given 662 * before returning, calling the row callback as required to 663 * handle the uncompressed results. 664 */ 665 png_ptr->zstream.next_in = buffer; 666 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 667 png_ptr->zstream.avail_in = (uInt)buffer_length; 668 669 /* Keep going until the decompressed data is all processed 670 * or the stream marked as finished. 671 */ 672 while (png_ptr->zstream.avail_in > 0 && 673 (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) 674 { 675 int ret; 676 677 /* We have data for zlib, but we must check that zlib 678 * has someplace to put the results. It doesn't matter 679 * if we don't expect any results -- it may be the input 680 * data is just the LZ end code. 681 */ 682 if (!(png_ptr->zstream.avail_out > 0)) 683 { 684 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 685 png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth, 686 png_ptr->iwidth) + 1); 687 688 png_ptr->zstream.next_out = png_ptr->row_buf; 689 } 690 691 /* Using Z_SYNC_FLUSH here means that an unterminated 692 * LZ stream (a stream with a missing end code) can still 693 * be handled, otherwise (Z_NO_FLUSH) a future zlib 694 * implementation might defer output and therefore 695 * change the current behavior (see comments in inflate.c 696 * for why this doesn't happen at present with zlib 1.2.5). 697 */ 698 ret = PNG_INFLATE(png_ptr, Z_SYNC_FLUSH); 699 700 /* Check for any failure before proceeding. */ 701 if (ret != Z_OK && ret != Z_STREAM_END) 702 { 703 /* Terminate the decompression. */ 704 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 705 png_ptr->zowner = 0; 706 707 /* This may be a truncated stream (missing or 708 * damaged end code). Treat that as a warning. 709 */ 710 if (png_ptr->row_number >= png_ptr->num_rows || 711 png_ptr->pass > 6) 712 png_warning(png_ptr, "Truncated compressed data in IDAT"); 713 714 else 715 png_error(png_ptr, "Decompression error in IDAT"); 716 717 /* Skip the check on unprocessed input */ 718 return; 719 } 720 721 /* Did inflate output any data? */ 722 if (png_ptr->zstream.next_out != png_ptr->row_buf) 723 { 724 /* Is this unexpected data after the last row? 725 * If it is, artificially terminate the LZ output 726 * here. 727 */ 728 if (png_ptr->row_number >= png_ptr->num_rows || 729 png_ptr->pass > 6) 730 { 731 /* Extra data. */ 732 png_warning(png_ptr, "Extra compressed data in IDAT"); 733 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 734 png_ptr->zowner = 0; 735 736 /* Do no more processing; skip the unprocessed 737 * input check below. 738 */ 739 return; 740 } 741 742 /* Do we have a complete row? */ 743 if (png_ptr->zstream.avail_out == 0) 744 png_push_process_row(png_ptr); 745 } 746 747 /* And check for the end of the stream. */ 748 if (ret == Z_STREAM_END) 749 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 750 } 751 752 /* All the data should have been processed, if anything 753 * is left at this point we have bytes of IDAT data 754 * after the zlib end code. 755 */ 756 if (png_ptr->zstream.avail_in > 0) 757 png_warning(png_ptr, "Extra compression data in IDAT"); 758 } 759 760 void /* PRIVATE */ 761 png_push_process_row(png_structrp png_ptr) 762 { 763 /* 1.5.6: row_info moved out of png_struct to a local here. */ 764 png_row_info row_info; 765 766 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */ 767 row_info.color_type = png_ptr->color_type; 768 row_info.bit_depth = png_ptr->bit_depth; 769 row_info.channels = png_ptr->channels; 770 row_info.pixel_depth = png_ptr->pixel_depth; 771 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width); 772 773 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE) 774 { 775 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST) 776 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1, 777 png_ptr->prev_row + 1, png_ptr->row_buf[0]); 778 else 779 png_error(png_ptr, "bad adaptive filter value"); 780 } 781 782 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before 783 * 1.5.6, while the buffer really is this big in current versions of libpng 784 * it may not be in the future, so this was changed just to copy the 785 * interlaced row count: 786 */ 787 memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1); 788 789 #ifdef PNG_READ_TRANSFORMS_SUPPORTED 790 if (png_ptr->transformations != 0) 791 png_do_read_transformations(png_ptr, &row_info); 792 #endif 793 794 /* The transformed pixel depth should match the depth now in row_info. */ 795 if (png_ptr->transformed_pixel_depth == 0) 796 { 797 png_ptr->transformed_pixel_depth = row_info.pixel_depth; 798 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth) 799 png_error(png_ptr, "progressive row overflow"); 800 } 801 802 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth) 803 png_error(png_ptr, "internal progressive row size calculation error"); 804 805 806 #ifdef PNG_READ_INTERLACING_SUPPORTED 807 /* Expand interlaced rows to full size */ 808 if (png_ptr->interlaced != 0 && 809 (png_ptr->transformations & PNG_INTERLACE) != 0) 810 { 811 if (png_ptr->pass < 6) 812 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass, 813 png_ptr->transformations); 814 815 switch (png_ptr->pass) 816 { 817 case 0: 818 { 819 int i; 820 for (i = 0; i < 8 && png_ptr->pass == 0; i++) 821 { 822 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 823 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */ 824 } 825 826 if (png_ptr->pass == 2) /* Pass 1 might be empty */ 827 { 828 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 829 { 830 png_push_have_row(png_ptr, NULL); 831 png_read_push_finish_row(png_ptr); 832 } 833 } 834 835 if (png_ptr->pass == 4 && png_ptr->height <= 4) 836 { 837 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 838 { 839 png_push_have_row(png_ptr, NULL); 840 png_read_push_finish_row(png_ptr); 841 } 842 } 843 844 if (png_ptr->pass == 6 && png_ptr->height <= 4) 845 { 846 png_push_have_row(png_ptr, NULL); 847 png_read_push_finish_row(png_ptr); 848 } 849 850 break; 851 } 852 853 case 1: 854 { 855 int i; 856 for (i = 0; i < 8 && png_ptr->pass == 1; i++) 857 { 858 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 859 png_read_push_finish_row(png_ptr); 860 } 861 862 if (png_ptr->pass == 2) /* Skip top 4 generated rows */ 863 { 864 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 865 { 866 png_push_have_row(png_ptr, NULL); 867 png_read_push_finish_row(png_ptr); 868 } 869 } 870 871 break; 872 } 873 874 case 2: 875 { 876 int i; 877 878 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 879 { 880 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 881 png_read_push_finish_row(png_ptr); 882 } 883 884 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 885 { 886 png_push_have_row(png_ptr, NULL); 887 png_read_push_finish_row(png_ptr); 888 } 889 890 if (png_ptr->pass == 4) /* Pass 3 might be empty */ 891 { 892 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 893 { 894 png_push_have_row(png_ptr, NULL); 895 png_read_push_finish_row(png_ptr); 896 } 897 } 898 899 break; 900 } 901 902 case 3: 903 { 904 int i; 905 906 for (i = 0; i < 4 && png_ptr->pass == 3; i++) 907 { 908 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 909 png_read_push_finish_row(png_ptr); 910 } 911 912 if (png_ptr->pass == 4) /* Skip top two generated rows */ 913 { 914 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 915 { 916 png_push_have_row(png_ptr, NULL); 917 png_read_push_finish_row(png_ptr); 918 } 919 } 920 921 break; 922 } 923 924 case 4: 925 { 926 int i; 927 928 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 929 { 930 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 931 png_read_push_finish_row(png_ptr); 932 } 933 934 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 935 { 936 png_push_have_row(png_ptr, NULL); 937 png_read_push_finish_row(png_ptr); 938 } 939 940 if (png_ptr->pass == 6) /* Pass 5 might be empty */ 941 { 942 png_push_have_row(png_ptr, NULL); 943 png_read_push_finish_row(png_ptr); 944 } 945 946 break; 947 } 948 949 case 5: 950 { 951 int i; 952 953 for (i = 0; i < 2 && png_ptr->pass == 5; i++) 954 { 955 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 956 png_read_push_finish_row(png_ptr); 957 } 958 959 if (png_ptr->pass == 6) /* Skip top generated row */ 960 { 961 png_push_have_row(png_ptr, NULL); 962 png_read_push_finish_row(png_ptr); 963 } 964 965 break; 966 } 967 968 default: 969 case 6: 970 { 971 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 972 png_read_push_finish_row(png_ptr); 973 974 if (png_ptr->pass != 6) 975 break; 976 977 png_push_have_row(png_ptr, NULL); 978 png_read_push_finish_row(png_ptr); 979 } 980 } 981 } 982 else 983 #endif 984 { 985 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 986 png_read_push_finish_row(png_ptr); 987 } 988 } 989 990 void /* PRIVATE */ 991 png_read_push_finish_row(png_structrp png_ptr) 992 { 993 #ifdef PNG_READ_INTERLACING_SUPPORTED 994 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 995 996 /* Start of interlace block */ 997 static PNG_CONST png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0}; 998 999 /* Offset to next interlace block */ 1000 static PNG_CONST png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1}; 1001 1002 /* Start of interlace block in the y direction */ 1003 static PNG_CONST png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1}; 1004 1005 /* Offset to next interlace block in the y direction */ 1006 static PNG_CONST png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2}; 1007 1008 /* Height of interlace block. This is not currently used - if you need 1009 * it, uncomment it here and in png.h 1010 static PNG_CONST png_byte png_pass_height[] = {8, 8, 4, 4, 2, 2, 1}; 1011 */ 1012 #endif 1013 1014 png_ptr->row_number++; 1015 if (png_ptr->row_number < png_ptr->num_rows) 1016 return; 1017 1018 #ifdef PNG_READ_INTERLACING_SUPPORTED 1019 if (png_ptr->interlaced != 0) 1020 { 1021 png_ptr->row_number = 0; 1022 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1); 1023 1024 do 1025 { 1026 png_ptr->pass++; 1027 if ((png_ptr->pass == 1 && png_ptr->width < 5) || 1028 (png_ptr->pass == 3 && png_ptr->width < 3) || 1029 (png_ptr->pass == 5 && png_ptr->width < 2)) 1030 png_ptr->pass++; 1031 1032 if (png_ptr->pass > 7) 1033 png_ptr->pass--; 1034 1035 if (png_ptr->pass >= 7) 1036 break; 1037 1038 png_ptr->iwidth = (png_ptr->width + 1039 png_pass_inc[png_ptr->pass] - 1 - 1040 png_pass_start[png_ptr->pass]) / 1041 png_pass_inc[png_ptr->pass]; 1042 1043 if ((png_ptr->transformations & PNG_INTERLACE) != 0) 1044 break; 1045 1046 png_ptr->num_rows = (png_ptr->height + 1047 png_pass_yinc[png_ptr->pass] - 1 - 1048 png_pass_ystart[png_ptr->pass]) / 1049 png_pass_yinc[png_ptr->pass]; 1050 1051 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0); 1052 } 1053 #endif /* READ_INTERLACING */ 1054 } 1055 1056 void /* PRIVATE */ 1057 png_push_have_info(png_structrp png_ptr, png_inforp info_ptr) 1058 { 1059 if (png_ptr->info_fn != NULL) 1060 (*(png_ptr->info_fn))(png_ptr, info_ptr); 1061 } 1062 1063 void /* PRIVATE */ 1064 png_push_have_end(png_structrp png_ptr, png_inforp info_ptr) 1065 { 1066 if (png_ptr->end_fn != NULL) 1067 (*(png_ptr->end_fn))(png_ptr, info_ptr); 1068 } 1069 1070 void /* PRIVATE */ 1071 png_push_have_row(png_structrp png_ptr, png_bytep row) 1072 { 1073 if (png_ptr->row_fn != NULL) 1074 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number, 1075 (int)png_ptr->pass); 1076 } 1077 1078 #ifdef PNG_READ_INTERLACING_SUPPORTED 1079 void PNGAPI 1080 png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row, 1081 png_const_bytep new_row) 1082 { 1083 if (png_ptr == NULL) 1084 return; 1085 1086 /* new_row is a flag here - if it is NULL then the app callback was called 1087 * from an empty row (see the calls to png_struct::row_fn below), otherwise 1088 * it must be png_ptr->row_buf+1 1089 */ 1090 if (new_row != NULL) 1091 png_combine_row(png_ptr, old_row, 1/*blocky display*/); 1092 } 1093 #endif /* READ_INTERLACING */ 1094 1095 void PNGAPI 1096 png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr, 1097 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn, 1098 png_progressive_end_ptr end_fn) 1099 { 1100 if (png_ptr == NULL) 1101 return; 1102 1103 png_ptr->info_fn = info_fn; 1104 png_ptr->row_fn = row_fn; 1105 png_ptr->end_fn = end_fn; 1106 1107 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer); 1108 } 1109 1110 png_voidp PNGAPI 1111 png_get_progressive_ptr(png_const_structrp png_ptr) 1112 { 1113 if (png_ptr == NULL) 1114 return (NULL); 1115 1116 return png_ptr->io_ptr; 1117 } 1118 #endif /* PROGRESSIVE_READ */