1/* pngpread.c - read a png file in push mode 2 * 3 * Last changed in libpng 1.6.0 [February 14, 2013] 4 * Copyright (c) 1998-2013 Glenn Randers-Pehrson 5 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 6 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 7 * 8 * This code is released under the libpng license. 9 * For conditions of distribution and use, see the disclaimer 10 * and license in png.h 11 */ 12 13#include "pngpriv.h" 14 15#ifdef PNG_PROGRESSIVE_READ_SUPPORTED 16 17/* Push model modes */ 18#define PNG_READ_SIG_MODE 0 19#define PNG_READ_CHUNK_MODE 1 20#define PNG_READ_IDAT_MODE 2 21#define PNG_SKIP_MODE 3 22#define PNG_READ_tEXt_MODE 4 23#define PNG_READ_zTXt_MODE 5 24#define PNG_READ_DONE_MODE 6 25#define PNG_READ_iTXt_MODE 7 26#define PNG_ERROR_MODE 8 27 28void PNGAPI 29png_process_data(png_structrp png_ptr, png_inforp info_ptr, 30 png_bytep buffer, png_size_t buffer_size) 31{ 32 if (png_ptr == NULL || info_ptr == NULL) 33 return; 34 35 png_push_restore_buffer(png_ptr, buffer, buffer_size); 36 37 while (png_ptr->buffer_size) 38 { 39 png_process_some_data(png_ptr, info_ptr); 40 } 41} 42 43png_size_t PNGAPI 44png_process_data_pause(png_structrp png_ptr, int save) 45{ 46 if (png_ptr != NULL) 47 { 48 /* It's easiest for the caller if we do the save, then the caller doesn't 49 * have to supply the same data again: 50 */ 51 if (save) 52 png_push_save_buffer(png_ptr); 53 else 54 { 55 /* This includes any pending saved bytes: */ 56 png_size_t remaining = png_ptr->buffer_size; 57 png_ptr->buffer_size = 0; 58 59 /* So subtract the saved buffer size, unless all the data 60 * is actually 'saved', in which case we just return 0 61 */ 62 if (png_ptr->save_buffer_size < remaining) 63 return remaining - png_ptr->save_buffer_size; 64 } 65 } 66 67 return 0; 68} 69 70png_uint_32 PNGAPI 71png_process_data_skip(png_structrp png_ptr) 72{ 73 png_uint_32 remaining = 0; 74 75 if (png_ptr != NULL && png_ptr->process_mode == PNG_SKIP_MODE && 76 png_ptr->skip_length > 0) 77 { 78 /* At the end of png_process_data the buffer size must be 0 (see the loop 79 * above) so we can detect a broken call here: 80 */ 81 if (png_ptr->buffer_size != 0) 82 png_error(png_ptr, 83 "png_process_data_skip called inside png_process_data"); 84 85 /* If is impossible for there to be a saved buffer at this point - 86 * otherwise we could not be in SKIP mode. This will also happen if 87 * png_process_skip is called inside png_process_data (but only very 88 * rarely.) 89 */ 90 if (png_ptr->save_buffer_size != 0) 91 png_error(png_ptr, "png_process_data_skip called with saved data"); 92 93 remaining = png_ptr->skip_length; 94 png_ptr->skip_length = 0; 95 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 96 } 97 98 return remaining; 99} 100 101/* What we do with the incoming data depends on what we were previously 102 * doing before we ran out of data... 103 */ 104void /* PRIVATE */ 105png_process_some_data(png_structrp png_ptr, png_inforp info_ptr) 106{ 107 if (png_ptr == NULL) 108 return; 109 110 switch (png_ptr->process_mode) 111 { 112 case PNG_READ_SIG_MODE: 113 { 114 png_push_read_sig(png_ptr, info_ptr); 115 break; 116 } 117 118 case PNG_READ_CHUNK_MODE: 119 { 120 png_push_read_chunk(png_ptr, info_ptr); 121 break; 122 } 123 124 case PNG_READ_IDAT_MODE: 125 { 126 png_push_read_IDAT(png_ptr); 127 break; 128 } 129 130 case PNG_SKIP_MODE: 131 { 132 png_push_crc_finish(png_ptr); 133 break; 134 } 135 136 default: 137 { 138 png_ptr->buffer_size = 0; 139 break; 140 } 141 } 142} 143 144/* Read any remaining signature bytes from the stream and compare them with 145 * the correct PNG signature. It is possible that this routine is called 146 * with bytes already read from the signature, either because they have been 147 * checked by the calling application, or because of multiple calls to this 148 * routine. 149 */ 150void /* PRIVATE */ 151png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr) 152{ 153 png_size_t num_checked = png_ptr->sig_bytes, /* SAFE, does not exceed 8 */ 154 num_to_check = 8 - num_checked; 155 156 if (png_ptr->buffer_size < num_to_check) 157 { 158 num_to_check = png_ptr->buffer_size; 159 } 160 161 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]), 162 num_to_check); 163 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check); 164 165 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check)) 166 { 167 if (num_checked < 4 && 168 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4)) 169 png_error(png_ptr, "Not a PNG file"); 170 171 else 172 png_error(png_ptr, "PNG file corrupted by ASCII conversion"); 173 } 174 else 175 { 176 if (png_ptr->sig_bytes >= 8) 177 { 178 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 179 } 180 } 181} 182 183void /* PRIVATE */ 184png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr) 185{ 186 png_uint_32 chunk_name; 187#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 188 int keep; /* unknown handling method */ 189#endif 190 191 /* First we make sure we have enough data for the 4 byte chunk name 192 * and the 4 byte chunk length before proceeding with decoding the 193 * chunk data. To fully decode each of these chunks, we also make 194 * sure we have enough data in the buffer for the 4 byte CRC at the 195 * end of every chunk (except IDAT, which is handled separately). 196 */ 197 if (!(png_ptr->mode & PNG_HAVE_CHUNK_HEADER)) 198 { 199 png_byte chunk_length[4]; 200 png_byte chunk_tag[4]; 201 202 if (png_ptr->buffer_size < 8) 203 { 204 png_push_save_buffer(png_ptr); 205 return; 206 } 207 208 png_push_fill_buffer(png_ptr, chunk_length, 4); 209 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 210 png_reset_crc(png_ptr); 211 png_crc_read(png_ptr, chunk_tag, 4); 212 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 213 png_check_chunk_name(png_ptr, png_ptr->chunk_name); 214 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 215 } 216 217 chunk_name = png_ptr->chunk_name; 218 219 if (chunk_name == png_IDAT) 220 { 221 if (png_ptr->mode & PNG_AFTER_IDAT) 222 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT; 223 224 /* If we reach an IDAT chunk, this means we have read all of the 225 * header chunks, and we can start reading the image (or if this 226 * is called after the image has been read - we have an error). 227 */ 228 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 229 png_error(png_ptr, "Missing IHDR before IDAT"); 230 231 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && 232 !(png_ptr->mode & PNG_HAVE_PLTE)) 233 png_error(png_ptr, "Missing PLTE before IDAT"); 234 235 png_ptr->mode |= PNG_HAVE_IDAT; 236 237 if (!(png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT)) 238 if (png_ptr->push_length == 0) 239 return; 240 241 if (png_ptr->mode & PNG_AFTER_IDAT) 242 png_benign_error(png_ptr, "Too many IDATs found"); 243 } 244 245 if (chunk_name == png_IHDR) 246 { 247 if (png_ptr->push_length != 13) 248 png_error(png_ptr, "Invalid IHDR length"); 249 250 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 251 { 252 png_push_save_buffer(png_ptr); 253 return; 254 } 255 256 png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length); 257 } 258 259 else if (chunk_name == png_IEND) 260 { 261 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 262 { 263 png_push_save_buffer(png_ptr); 264 return; 265 } 266 267 png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length); 268 269 png_ptr->process_mode = PNG_READ_DONE_MODE; 270 png_push_have_end(png_ptr, info_ptr); 271 } 272 273#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 274 else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0) 275 { 276 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 277 { 278 png_push_save_buffer(png_ptr); 279 return; 280 } 281 282 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep); 283 284 if (chunk_name == png_PLTE) 285 png_ptr->mode |= PNG_HAVE_PLTE; 286 } 287 288#endif 289 else if (chunk_name == png_PLTE) 290 { 291 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 292 { 293 png_push_save_buffer(png_ptr); 294 return; 295 } 296 png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length); 297 } 298 299 else if (chunk_name == png_IDAT) 300 { 301 png_ptr->idat_size = png_ptr->push_length; 302 png_ptr->process_mode = PNG_READ_IDAT_MODE; 303 png_push_have_info(png_ptr, info_ptr); 304 png_ptr->zstream.avail_out = 305 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth, 306 png_ptr->iwidth) + 1; 307 png_ptr->zstream.next_out = png_ptr->row_buf; 308 return; 309 } 310 311#ifdef PNG_READ_gAMA_SUPPORTED 312 else if (png_ptr->chunk_name == png_gAMA) 313 { 314 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 315 { 316 png_push_save_buffer(png_ptr); 317 return; 318 } 319 320 png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length); 321 } 322 323#endif 324#ifdef PNG_READ_sBIT_SUPPORTED 325 else if (png_ptr->chunk_name == png_sBIT) 326 { 327 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 328 { 329 png_push_save_buffer(png_ptr); 330 return; 331 } 332 333 png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length); 334 } 335 336#endif 337#ifdef PNG_READ_cHRM_SUPPORTED 338 else if (png_ptr->chunk_name == png_cHRM) 339 { 340 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 341 { 342 png_push_save_buffer(png_ptr); 343 return; 344 } 345 346 png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length); 347 } 348 349#endif 350#ifdef PNG_READ_sRGB_SUPPORTED 351 else if (chunk_name == png_sRGB) 352 { 353 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 354 { 355 png_push_save_buffer(png_ptr); 356 return; 357 } 358 359 png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length); 360 } 361 362#endif 363#ifdef PNG_READ_iCCP_SUPPORTED 364 else if (png_ptr->chunk_name == png_iCCP) 365 { 366 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 367 { 368 png_push_save_buffer(png_ptr); 369 return; 370 } 371 372 png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length); 373 } 374 375#endif 376#ifdef PNG_READ_sPLT_SUPPORTED 377 else if (chunk_name == png_sPLT) 378 { 379 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 380 { 381 png_push_save_buffer(png_ptr); 382 return; 383 } 384 385 png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length); 386 } 387 388#endif 389#ifdef PNG_READ_tRNS_SUPPORTED 390 else if (chunk_name == png_tRNS) 391 { 392 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 393 { 394 png_push_save_buffer(png_ptr); 395 return; 396 } 397 398 png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length); 399 } 400 401#endif 402#ifdef PNG_READ_bKGD_SUPPORTED 403 else if (chunk_name == png_bKGD) 404 { 405 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 406 { 407 png_push_save_buffer(png_ptr); 408 return; 409 } 410 411 png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length); 412 } 413 414#endif 415#ifdef PNG_READ_hIST_SUPPORTED 416 else if (chunk_name == png_hIST) 417 { 418 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 419 { 420 png_push_save_buffer(png_ptr); 421 return; 422 } 423 424 png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length); 425 } 426 427#endif 428#ifdef PNG_READ_pHYs_SUPPORTED 429 else if (chunk_name == png_pHYs) 430 { 431 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 432 { 433 png_push_save_buffer(png_ptr); 434 return; 435 } 436 437 png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length); 438 } 439 440#endif 441#ifdef PNG_READ_oFFs_SUPPORTED 442 else if (chunk_name == png_oFFs) 443 { 444 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 445 { 446 png_push_save_buffer(png_ptr); 447 return; 448 } 449 450 png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length); 451 } 452#endif 453 454#ifdef PNG_READ_pCAL_SUPPORTED 455 else if (chunk_name == png_pCAL) 456 { 457 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 458 { 459 png_push_save_buffer(png_ptr); 460 return; 461 } 462 463 png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length); 464 } 465 466#endif 467#ifdef PNG_READ_sCAL_SUPPORTED 468 else if (chunk_name == png_sCAL) 469 { 470 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 471 { 472 png_push_save_buffer(png_ptr); 473 return; 474 } 475 476 png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length); 477 } 478 479#endif 480#ifdef PNG_READ_tIME_SUPPORTED 481 else if (chunk_name == png_tIME) 482 { 483 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 484 { 485 png_push_save_buffer(png_ptr); 486 return; 487 } 488 489 png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length); 490 } 491 492#endif 493#ifdef PNG_READ_tEXt_SUPPORTED 494 else if (chunk_name == png_tEXt) 495 { 496 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 497 { 498 png_push_save_buffer(png_ptr); 499 return; 500 } 501 502 png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length); 503 } 504 505#endif 506#ifdef PNG_READ_zTXt_SUPPORTED 507 else if (chunk_name == png_zTXt) 508 { 509 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 510 { 511 png_push_save_buffer(png_ptr); 512 return; 513 } 514 515 png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length); 516 } 517 518#endif 519#ifdef PNG_READ_iTXt_SUPPORTED 520 else if (chunk_name == png_iTXt) 521 { 522 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 523 { 524 png_push_save_buffer(png_ptr); 525 return; 526 } 527 528 png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length); 529 } 530 531#endif 532 else 533 { 534 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 535 { 536 png_push_save_buffer(png_ptr); 537 return; 538 } 539 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, 540 PNG_HANDLE_CHUNK_AS_DEFAULT); 541 } 542 543 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 544} 545 546void /* PRIVATE */ 547png_push_crc_skip(png_structrp png_ptr, png_uint_32 skip) 548{ 549 png_ptr->process_mode = PNG_SKIP_MODE; 550 png_ptr->skip_length = skip; 551} 552 553void /* PRIVATE */ 554png_push_crc_finish(png_structrp png_ptr) 555{ 556 if (png_ptr->skip_length && png_ptr->save_buffer_size) 557 { 558 png_size_t save_size = png_ptr->save_buffer_size; 559 png_uint_32 skip_length = png_ptr->skip_length; 560 561 /* We want the smaller of 'skip_length' and 'save_buffer_size', but 562 * they are of different types and we don't know which variable has the 563 * fewest bits. Carefully select the smaller and cast it to the type of 564 * the larger - this cannot overflow. Do not cast in the following test 565 * - it will break on either 16 or 64 bit platforms. 566 */ 567 if (skip_length < save_size) 568 save_size = (png_size_t)skip_length; 569 570 else 571 skip_length = (png_uint_32)save_size; 572 573 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size); 574 575 png_ptr->skip_length -= skip_length; 576 png_ptr->buffer_size -= save_size; 577 png_ptr->save_buffer_size -= save_size; 578 png_ptr->save_buffer_ptr += save_size; 579 } 580 if (png_ptr->skip_length && png_ptr->current_buffer_size) 581 { 582 png_size_t save_size = png_ptr->current_buffer_size; 583 png_uint_32 skip_length = png_ptr->skip_length; 584 585 /* We want the smaller of 'skip_length' and 'current_buffer_size', here, 586 * the same problem exists as above and the same solution. 587 */ 588 if (skip_length < save_size) 589 save_size = (png_size_t)skip_length; 590 591 else 592 skip_length = (png_uint_32)save_size; 593 594 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size); 595 596 png_ptr->skip_length -= skip_length; 597 png_ptr->buffer_size -= save_size; 598 png_ptr->current_buffer_size -= save_size; 599 png_ptr->current_buffer_ptr += save_size; 600 } 601 if (!png_ptr->skip_length) 602 { 603 if (png_ptr->buffer_size < 4) 604 { 605 png_push_save_buffer(png_ptr); 606 return; 607 } 608 609 png_crc_finish(png_ptr, 0); 610 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 611 } 612} 613 614void PNGCBAPI 615png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length) 616{ 617 png_bytep ptr; 618 619 if (png_ptr == NULL) 620 return; 621 622 ptr = buffer; 623 if (png_ptr->save_buffer_size) 624 { 625 png_size_t save_size; 626 627 if (length < png_ptr->save_buffer_size) 628 save_size = length; 629 630 else 631 save_size = png_ptr->save_buffer_size; 632 633 memcpy(ptr, png_ptr->save_buffer_ptr, save_size); 634 length -= save_size; 635 ptr += save_size; 636 png_ptr->buffer_size -= save_size; 637 png_ptr->save_buffer_size -= save_size; 638 png_ptr->save_buffer_ptr += save_size; 639 } 640 if (length && png_ptr->current_buffer_size) 641 { 642 png_size_t save_size; 643 644 if (length < png_ptr->current_buffer_size) 645 save_size = length; 646 647 else 648 save_size = png_ptr->current_buffer_size; 649 650 memcpy(ptr, png_ptr->current_buffer_ptr, save_size); 651 png_ptr->buffer_size -= save_size; 652 png_ptr->current_buffer_size -= save_size; 653 png_ptr->current_buffer_ptr += save_size; 654 } 655} 656 657void /* PRIVATE */ 658png_push_save_buffer(png_structrp png_ptr) 659{ 660 if (png_ptr->save_buffer_size) 661 { 662 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer) 663 { 664 png_size_t i, istop; 665 png_bytep sp; 666 png_bytep dp; 667 668 istop = png_ptr->save_buffer_size; 669 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer; 670 i < istop; i++, sp++, dp++) 671 { 672 *dp = *sp; 673 } 674 } 675 } 676 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size > 677 png_ptr->save_buffer_max) 678 { 679 png_size_t new_max; 680 png_bytep old_buffer; 681 682 if (png_ptr->save_buffer_size > PNG_SIZE_MAX - 683 (png_ptr->current_buffer_size + 256)) 684 { 685 png_error(png_ptr, "Potential overflow of save_buffer"); 686 } 687 688 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; 689 old_buffer = png_ptr->save_buffer; 690 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr, 691 (png_size_t)new_max); 692 693 if (png_ptr->save_buffer == NULL) 694 { 695 png_free(png_ptr, old_buffer); 696 png_error(png_ptr, "Insufficient memory for save_buffer"); 697 } 698 699 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size); 700 png_free(png_ptr, old_buffer); 701 png_ptr->save_buffer_max = new_max; 702 } 703 if (png_ptr->current_buffer_size) 704 { 705 memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size, 706 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size); 707 png_ptr->save_buffer_size += png_ptr->current_buffer_size; 708 png_ptr->current_buffer_size = 0; 709 } 710 png_ptr->save_buffer_ptr = png_ptr->save_buffer; 711 png_ptr->buffer_size = 0; 712} 713 714void /* PRIVATE */ 715png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer, 716 png_size_t buffer_length) 717{ 718 png_ptr->current_buffer = buffer; 719 png_ptr->current_buffer_size = buffer_length; 720 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size; 721 png_ptr->current_buffer_ptr = png_ptr->current_buffer; 722} 723 724void /* PRIVATE */ 725png_push_read_IDAT(png_structrp png_ptr) 726{ 727 if (!(png_ptr->mode & PNG_HAVE_CHUNK_HEADER)) 728 { 729 png_byte chunk_length[4]; 730 png_byte chunk_tag[4]; 731 732 /* TODO: this code can be commoned up with the same code in push_read */ 733 if (png_ptr->buffer_size < 8) 734 { 735 png_push_save_buffer(png_ptr); 736 return; 737 } 738 739 png_push_fill_buffer(png_ptr, chunk_length, 4); 740 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 741 png_reset_crc(png_ptr); 742 png_crc_read(png_ptr, chunk_tag, 4); 743 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 744 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 745 746 if (png_ptr->chunk_name != png_IDAT) 747 { 748 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 749 750 if (!(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED)) 751 png_error(png_ptr, "Not enough compressed data"); 752 753 return; 754 } 755 756 png_ptr->idat_size = png_ptr->push_length; 757 } 758 759 if (png_ptr->idat_size && png_ptr->save_buffer_size) 760 { 761 png_size_t save_size = png_ptr->save_buffer_size; 762 png_uint_32 idat_size = png_ptr->idat_size; 763 764 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 765 * are of different types and we don't know which variable has the fewest 766 * bits. Carefully select the smaller and cast it to the type of the 767 * larger - this cannot overflow. Do not cast in the following test - it 768 * will break on either 16 or 64 bit platforms. 769 */ 770 if (idat_size < save_size) 771 save_size = (png_size_t)idat_size; 772 773 else 774 idat_size = (png_uint_32)save_size; 775 776 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size); 777 778 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size); 779 780 png_ptr->idat_size -= idat_size; 781 png_ptr->buffer_size -= save_size; 782 png_ptr->save_buffer_size -= save_size; 783 png_ptr->save_buffer_ptr += save_size; 784 } 785 786 if (png_ptr->idat_size && png_ptr->current_buffer_size) 787 { 788 png_size_t save_size = png_ptr->current_buffer_size; 789 png_uint_32 idat_size = png_ptr->idat_size; 790 791 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 792 * are of different types and we don't know which variable has the fewest 793 * bits. Carefully select the smaller and cast it to the type of the 794 * larger - this cannot overflow. 795 */ 796 if (idat_size < save_size) 797 save_size = (png_size_t)idat_size; 798 799 else 800 idat_size = (png_uint_32)save_size; 801 802 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size); 803 804 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size); 805 806 png_ptr->idat_size -= idat_size; 807 png_ptr->buffer_size -= save_size; 808 png_ptr->current_buffer_size -= save_size; 809 png_ptr->current_buffer_ptr += save_size; 810 } 811 if (!png_ptr->idat_size) 812 { 813 if (png_ptr->buffer_size < 4) 814 { 815 png_push_save_buffer(png_ptr); 816 return; 817 } 818 819 png_crc_finish(png_ptr, 0); 820 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 821 png_ptr->mode |= PNG_AFTER_IDAT; 822 png_ptr->zowner = 0; 823 } 824} 825 826void /* PRIVATE */ 827png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer, 828 png_size_t buffer_length) 829{ 830 /* The caller checks for a non-zero buffer length. */ 831 if (!(buffer_length > 0) || buffer == NULL) 832 png_error(png_ptr, "No IDAT data (internal error)"); 833 834 /* This routine must process all the data it has been given 835 * before returning, calling the row callback as required to 836 * handle the uncompressed results. 837 */ 838 png_ptr->zstream.next_in = buffer; 839 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 840 png_ptr->zstream.avail_in = (uInt)buffer_length; 841 842 /* Keep going until the decompressed data is all processed 843 * or the stream marked as finished. 844 */ 845 while (png_ptr->zstream.avail_in > 0 && 846 !(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED)) 847 { 848 int ret; 849 850 /* We have data for zlib, but we must check that zlib 851 * has someplace to put the results. It doesn't matter 852 * if we don't expect any results -- it may be the input 853 * data is just the LZ end code. 854 */ 855 if (!(png_ptr->zstream.avail_out > 0)) 856 { 857 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 858 png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth, 859 png_ptr->iwidth) + 1); 860 861 png_ptr->zstream.next_out = png_ptr->row_buf; 862 } 863 864 /* Using Z_SYNC_FLUSH here means that an unterminated 865 * LZ stream (a stream with a missing end code) can still 866 * be handled, otherwise (Z_NO_FLUSH) a future zlib 867 * implementation might defer output and therefore 868 * change the current behavior (see comments in inflate.c 869 * for why this doesn't happen at present with zlib 1.2.5). 870 */ 871 ret = inflate(&png_ptr->zstream, Z_SYNC_FLUSH); 872 873 /* Check for any failure before proceeding. */ 874 if (ret != Z_OK && ret != Z_STREAM_END) 875 { 876 /* Terminate the decompression. */ 877 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 878 png_ptr->zowner = 0; 879 880 /* This may be a truncated stream (missing or 881 * damaged end code). Treat that as a warning. 882 */ 883 if (png_ptr->row_number >= png_ptr->num_rows || 884 png_ptr->pass > 6) 885 png_warning(png_ptr, "Truncated compressed data in IDAT"); 886 887 else 888 png_error(png_ptr, "Decompression error in IDAT"); 889 890 /* Skip the check on unprocessed input */ 891 return; 892 } 893 894 /* Did inflate output any data? */ 895 if (png_ptr->zstream.next_out != png_ptr->row_buf) 896 { 897 /* Is this unexpected data after the last row? 898 * If it is, artificially terminate the LZ output 899 * here. 900 */ 901 if (png_ptr->row_number >= png_ptr->num_rows || 902 png_ptr->pass > 6) 903 { 904 /* Extra data. */ 905 png_warning(png_ptr, "Extra compressed data in IDAT"); 906 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 907 png_ptr->zowner = 0; 908 909 /* Do no more processing; skip the unprocessed 910 * input check below. 911 */ 912 return; 913 } 914 915 /* Do we have a complete row? */ 916 if (png_ptr->zstream.avail_out == 0) 917 png_push_process_row(png_ptr); 918 } 919 920 /* And check for the end of the stream. */ 921 if (ret == Z_STREAM_END) 922 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 923 } 924 925 /* All the data should have been processed, if anything 926 * is left at this point we have bytes of IDAT data 927 * after the zlib end code. 928 */ 929 if (png_ptr->zstream.avail_in > 0) 930 png_warning(png_ptr, "Extra compression data in IDAT"); 931} 932 933void /* PRIVATE */ 934png_push_process_row(png_structrp png_ptr) 935{ 936 /* 1.5.6: row_info moved out of png_struct to a local here. */ 937 png_row_info row_info; 938 939 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */ 940 row_info.color_type = png_ptr->color_type; 941 row_info.bit_depth = png_ptr->bit_depth; 942 row_info.channels = png_ptr->channels; 943 row_info.pixel_depth = png_ptr->pixel_depth; 944 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width); 945 946 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE) 947 { 948 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST) 949 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1, 950 png_ptr->prev_row + 1, png_ptr->row_buf[0]); 951 else 952 png_error(png_ptr, "bad adaptive filter value"); 953 } 954 955 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before 956 * 1.5.6, while the buffer really is this big in current versions of libpng 957 * it may not be in the future, so this was changed just to copy the 958 * interlaced row count: 959 */ 960 memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1); 961 962#ifdef PNG_READ_TRANSFORMS_SUPPORTED 963 if (png_ptr->transformations) 964 png_do_read_transformations(png_ptr, &row_info); 965#endif 966 967 /* The transformed pixel depth should match the depth now in row_info. */ 968 if (png_ptr->transformed_pixel_depth == 0) 969 { 970 png_ptr->transformed_pixel_depth = row_info.pixel_depth; 971 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth) 972 png_error(png_ptr, "progressive row overflow"); 973 } 974 975 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth) 976 png_error(png_ptr, "internal progressive row size calculation error"); 977 978 979#ifdef PNG_READ_INTERLACING_SUPPORTED 980 /* Blow up interlaced rows to full size */ 981 if (png_ptr->interlaced && (png_ptr->transformations & PNG_INTERLACE)) 982 { 983 if (png_ptr->pass < 6) 984 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass, 985 png_ptr->transformations); 986 987 switch (png_ptr->pass) 988 { 989 case 0: 990 { 991 int i; 992 for (i = 0; i < 8 && png_ptr->pass == 0; i++) 993 { 994 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 995 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */ 996 } 997 998 if (png_ptr->pass == 2) /* Pass 1 might be empty */ 999 { 1000 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 1001 { 1002 png_push_have_row(png_ptr, NULL); 1003 png_read_push_finish_row(png_ptr); 1004 } 1005 } 1006 1007 if (png_ptr->pass == 4 && png_ptr->height <= 4) 1008 { 1009 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 1010 { 1011 png_push_have_row(png_ptr, NULL); 1012 png_read_push_finish_row(png_ptr); 1013 } 1014 } 1015 1016 if (png_ptr->pass == 6 && png_ptr->height <= 4) 1017 { 1018 png_push_have_row(png_ptr, NULL); 1019 png_read_push_finish_row(png_ptr); 1020 } 1021 1022 break; 1023 } 1024 1025 case 1: 1026 { 1027 int i; 1028 for (i = 0; i < 8 && png_ptr->pass == 1; i++) 1029 { 1030 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 1031 png_read_push_finish_row(png_ptr); 1032 } 1033 1034 if (png_ptr->pass == 2) /* Skip top 4 generated rows */ 1035 { 1036 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 1037 { 1038 png_push_have_row(png_ptr, NULL); 1039 png_read_push_finish_row(png_ptr); 1040 } 1041 } 1042 1043 break; 1044 } 1045 1046 case 2: 1047 { 1048 int i; 1049 1050 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 1051 { 1052 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 1053 png_read_push_finish_row(png_ptr); 1054 } 1055 1056 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 1057 { 1058 png_push_have_row(png_ptr, NULL); 1059 png_read_push_finish_row(png_ptr); 1060 } 1061 1062 if (png_ptr->pass == 4) /* Pass 3 might be empty */ 1063 { 1064 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 1065 { 1066 png_push_have_row(png_ptr, NULL); 1067 png_read_push_finish_row(png_ptr); 1068 } 1069 } 1070 1071 break; 1072 } 1073 1074 case 3: 1075 { 1076 int i; 1077 1078 for (i = 0; i < 4 && png_ptr->pass == 3; i++) 1079 { 1080 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 1081 png_read_push_finish_row(png_ptr); 1082 } 1083 1084 if (png_ptr->pass == 4) /* Skip top two generated rows */ 1085 { 1086 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 1087 { 1088 png_push_have_row(png_ptr, NULL); 1089 png_read_push_finish_row(png_ptr); 1090 } 1091 } 1092 1093 break; 1094 } 1095 1096 case 4: 1097 { 1098 int i; 1099 1100 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 1101 { 1102 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 1103 png_read_push_finish_row(png_ptr); 1104 } 1105 1106 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 1107 { 1108 png_push_have_row(png_ptr, NULL); 1109 png_read_push_finish_row(png_ptr); 1110 } 1111 1112 if (png_ptr->pass == 6) /* Pass 5 might be empty */ 1113 { 1114 png_push_have_row(png_ptr, NULL); 1115 png_read_push_finish_row(png_ptr); 1116 } 1117 1118 break; 1119 } 1120 1121 case 5: 1122 { 1123 int i; 1124 1125 for (i = 0; i < 2 && png_ptr->pass == 5; i++) 1126 { 1127 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 1128 png_read_push_finish_row(png_ptr); 1129 } 1130 1131 if (png_ptr->pass == 6) /* Skip top generated row */ 1132 { 1133 png_push_have_row(png_ptr, NULL); 1134 png_read_push_finish_row(png_ptr); 1135 } 1136 1137 break; 1138 } 1139 1140 default: 1141 case 6: 1142 { 1143 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 1144 png_read_push_finish_row(png_ptr); 1145 1146 if (png_ptr->pass != 6) 1147 break; 1148 1149 png_push_have_row(png_ptr, NULL); 1150 png_read_push_finish_row(png_ptr); 1151 } 1152 } 1153 } 1154 else 1155#endif 1156 { 1157 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 1158 png_read_push_finish_row(png_ptr); 1159 } 1160} 1161 1162void /* PRIVATE */ 1163png_read_push_finish_row(png_structrp png_ptr) 1164{ 1165#ifdef PNG_READ_INTERLACING_SUPPORTED 1166 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 1167 1168 /* Start of interlace block */ 1169 static PNG_CONST png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0}; 1170 1171 /* Offset to next interlace block */ 1172 static PNG_CONST png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1}; 1173 1174 /* Start of interlace block in the y direction */ 1175 static PNG_CONST png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1}; 1176 1177 /* Offset to next interlace block in the y direction */ 1178 static PNG_CONST png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2}; 1179 1180 /* Height of interlace block. This is not currently used - if you need 1181 * it, uncomment it here and in png.h 1182 static PNG_CONST png_byte png_pass_height[] = {8, 8, 4, 4, 2, 2, 1}; 1183 */ 1184#endif 1185 1186 png_ptr->row_number++; 1187 if (png_ptr->row_number < png_ptr->num_rows) 1188 return; 1189 1190#ifdef PNG_READ_INTERLACING_SUPPORTED 1191 if (png_ptr->interlaced) 1192 { 1193 png_ptr->row_number = 0; 1194 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1); 1195 1196 do 1197 { 1198 png_ptr->pass++; 1199 if ((png_ptr->pass == 1 && png_ptr->width < 5) || 1200 (png_ptr->pass == 3 && png_ptr->width < 3) || 1201 (png_ptr->pass == 5 && png_ptr->width < 2)) 1202 png_ptr->pass++; 1203 1204 if (png_ptr->pass > 7) 1205 png_ptr->pass--; 1206 1207 if (png_ptr->pass >= 7) 1208 break; 1209 1210 png_ptr->iwidth = (png_ptr->width + 1211 png_pass_inc[png_ptr->pass] - 1 - 1212 png_pass_start[png_ptr->pass]) / 1213 png_pass_inc[png_ptr->pass]; 1214 1215 if (png_ptr->transformations & PNG_INTERLACE) 1216 break; 1217 1218 png_ptr->num_rows = (png_ptr->height + 1219 png_pass_yinc[png_ptr->pass] - 1 - 1220 png_pass_ystart[png_ptr->pass]) / 1221 png_pass_yinc[png_ptr->pass]; 1222 1223 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0); 1224 } 1225#endif /* PNG_READ_INTERLACING_SUPPORTED */ 1226} 1227 1228void /* PRIVATE */ 1229png_push_have_info(png_structrp png_ptr, png_inforp info_ptr) 1230{ 1231 if (png_ptr->info_fn != NULL) 1232 (*(png_ptr->info_fn))(png_ptr, info_ptr); 1233} 1234 1235void /* PRIVATE */ 1236png_push_have_end(png_structrp png_ptr, png_inforp info_ptr) 1237{ 1238 if (png_ptr->end_fn != NULL) 1239 (*(png_ptr->end_fn))(png_ptr, info_ptr); 1240} 1241 1242void /* PRIVATE */ 1243png_push_have_row(png_structrp png_ptr, png_bytep row) 1244{ 1245 if (png_ptr->row_fn != NULL) 1246 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number, 1247 (int)png_ptr->pass); 1248} 1249 1250#ifdef PNG_READ_INTERLACING_SUPPORTED 1251void PNGAPI 1252png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row, 1253 png_const_bytep new_row) 1254{ 1255 if (png_ptr == NULL) 1256 return; 1257 1258 /* new_row is a flag here - if it is NULL then the app callback was called 1259 * from an empty row (see the calls to png_struct::row_fn below), otherwise 1260 * it must be png_ptr->row_buf+1 1261 */ 1262 if (new_row != NULL) 1263 png_combine_row(png_ptr, old_row, 1/*display*/); 1264} 1265#endif /* PNG_READ_INTERLACING_SUPPORTED */ 1266 1267void PNGAPI 1268png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr, 1269 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn, 1270 png_progressive_end_ptr end_fn) 1271{ 1272 if (png_ptr == NULL) 1273 return; 1274 1275 png_ptr->info_fn = info_fn; 1276 png_ptr->row_fn = row_fn; 1277 png_ptr->end_fn = end_fn; 1278 1279 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer); 1280} 1281 1282png_voidp PNGAPI 1283png_get_progressive_ptr(png_const_structrp png_ptr) 1284{ 1285 if (png_ptr == NULL) 1286 return (NULL); 1287 1288 return png_ptr->io_ptr; 1289} 1290#endif /* PNG_PROGRESSIVE_READ_SUPPORTED */ 1291