pngpread.c revision b50c217251b086440efcdb273c22f86a06c80cba
1 2/* pngpread.c - read a png file in push mode 3 * 4 * Last changed in libpng 1.6.0 [February 14, 2013] 5 * Copyright (c) 1998-2013 Glenn Randers-Pehrson 6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 8 * 9 * This code is released under the libpng license. 10 * For conditions of distribution and use, see the disclaimer 11 * and license in png.h 12 */ 13 14#include "pngpriv.h" 15 16#ifdef PNG_PROGRESSIVE_READ_SUPPORTED 17 18/* Push model modes */ 19#define PNG_READ_SIG_MODE 0 20#define PNG_READ_CHUNK_MODE 1 21#define PNG_READ_IDAT_MODE 2 22#define PNG_SKIP_MODE 3 23#define PNG_READ_tEXt_MODE 4 24#define PNG_READ_zTXt_MODE 5 25#define PNG_READ_DONE_MODE 6 26#define PNG_READ_iTXt_MODE 7 27#define PNG_ERROR_MODE 8 28 29void PNGAPI 30png_process_data(png_structrp png_ptr, png_inforp info_ptr, 31 png_bytep buffer, png_size_t buffer_size) 32{ 33 if (png_ptr == NULL || info_ptr == NULL) 34 return; 35 36 png_push_restore_buffer(png_ptr, buffer, buffer_size); 37 38 while (png_ptr->buffer_size) 39 { 40 png_process_some_data(png_ptr, info_ptr); 41 } 42} 43 44png_size_t PNGAPI 45png_process_data_pause(png_structrp png_ptr, int save) 46{ 47 if (png_ptr != NULL) 48 { 49 /* It's easiest for the caller if we do the save, then the caller doesn't 50 * have to supply the same data again: 51 */ 52 if (save) 53 png_push_save_buffer(png_ptr); 54 else 55 { 56 /* This includes any pending saved bytes: */ 57 png_size_t remaining = png_ptr->buffer_size; 58 png_ptr->buffer_size = 0; 59 60 /* So subtract the saved buffer size, unless all the data 61 * is actually 'saved', in which case we just return 0 62 */ 63 if (png_ptr->save_buffer_size < remaining) 64 return remaining - png_ptr->save_buffer_size; 65 } 66 } 67 68 return 0; 69} 70 71png_uint_32 PNGAPI 72png_process_data_skip(png_structrp png_ptr) 73{ 74 png_uint_32 remaining = 0; 75 76 if (png_ptr != NULL && png_ptr->process_mode == PNG_SKIP_MODE && 77 png_ptr->skip_length > 0) 78 { 79 /* At the end of png_process_data the buffer size must be 0 (see the loop 80 * above) so we can detect a broken call here: 81 */ 82 if (png_ptr->buffer_size != 0) 83 png_error(png_ptr, 84 "png_process_data_skip called inside png_process_data"); 85 86 /* If is impossible for there to be a saved buffer at this point - 87 * otherwise we could not be in SKIP mode. This will also happen if 88 * png_process_skip is called inside png_process_data (but only very 89 * rarely.) 90 */ 91 if (png_ptr->save_buffer_size != 0) 92 png_error(png_ptr, "png_process_data_skip called with saved data"); 93 94 remaining = png_ptr->skip_length; 95 png_ptr->skip_length = 0; 96 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 97 } 98 99 return remaining; 100} 101 102/* What we do with the incoming data depends on what we were previously 103 * doing before we ran out of data... 104 */ 105void /* PRIVATE */ 106png_process_some_data(png_structrp png_ptr, png_inforp info_ptr) 107{ 108 if (png_ptr == NULL) 109 return; 110 111 switch (png_ptr->process_mode) 112 { 113 case PNG_READ_SIG_MODE: 114 { 115 png_push_read_sig(png_ptr, info_ptr); 116 break; 117 } 118 119 case PNG_READ_CHUNK_MODE: 120 { 121 png_push_read_chunk(png_ptr, info_ptr); 122 break; 123 } 124 125 case PNG_READ_IDAT_MODE: 126 { 127 png_push_read_IDAT(png_ptr); 128 break; 129 } 130 131 case PNG_SKIP_MODE: 132 { 133 png_push_crc_finish(png_ptr); 134 break; 135 } 136 137 default: 138 { 139 png_ptr->buffer_size = 0; 140 break; 141 } 142 } 143} 144 145/* Read any remaining signature bytes from the stream and compare them with 146 * the correct PNG signature. It is possible that this routine is called 147 * with bytes already read from the signature, either because they have been 148 * checked by the calling application, or because of multiple calls to this 149 * routine. 150 */ 151void /* PRIVATE */ 152png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr) 153{ 154 png_size_t num_checked = png_ptr->sig_bytes, /* SAFE, does not exceed 8 */ 155 num_to_check = 8 - num_checked; 156 157 if (png_ptr->buffer_size < num_to_check) 158 { 159 num_to_check = png_ptr->buffer_size; 160 } 161 162 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]), 163 num_to_check); 164 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check); 165 166 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check)) 167 { 168 if (num_checked < 4 && 169 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4)) 170 png_error(png_ptr, "Not a PNG file"); 171 172 else 173 png_error(png_ptr, "PNG file corrupted by ASCII conversion"); 174 } 175 else 176 { 177 if (png_ptr->sig_bytes >= 8) 178 { 179 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 180 } 181 } 182} 183 184void /* PRIVATE */ 185png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr) 186{ 187 png_uint_32 chunk_name; 188#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 189 int keep; /* unknown handling method */ 190#endif 191 192 /* First we make sure we have enough data for the 4 byte chunk name 193 * and the 4 byte chunk length before proceeding with decoding the 194 * chunk data. To fully decode each of these chunks, we also make 195 * sure we have enough data in the buffer for the 4 byte CRC at the 196 * end of every chunk (except IDAT, which is handled separately). 197 */ 198 if (!(png_ptr->mode & PNG_HAVE_CHUNK_HEADER)) 199 { 200 png_byte chunk_length[4]; 201 png_byte chunk_tag[4]; 202 203 if (png_ptr->buffer_size < 8) 204 { 205 png_push_save_buffer(png_ptr); 206 return; 207 } 208 209 png_push_fill_buffer(png_ptr, chunk_length, 4); 210 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 211 png_reset_crc(png_ptr); 212 png_crc_read(png_ptr, chunk_tag, 4); 213 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 214 png_check_chunk_name(png_ptr, png_ptr->chunk_name); 215 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 216 } 217 218 chunk_name = png_ptr->chunk_name; 219 220 if (chunk_name == png_IDAT) 221 { 222 if (png_ptr->mode & PNG_AFTER_IDAT) 223 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT; 224 225 /* If we reach an IDAT chunk, this means we have read all of the 226 * header chunks, and we can start reading the image (or if this 227 * is called after the image has been read - we have an error). 228 */ 229 if (!(png_ptr->mode & PNG_HAVE_IHDR)) 230 png_error(png_ptr, "Missing IHDR before IDAT"); 231 232 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && 233 !(png_ptr->mode & PNG_HAVE_PLTE)) 234 png_error(png_ptr, "Missing PLTE before IDAT"); 235 236 png_ptr->mode |= PNG_HAVE_IDAT; 237 238 if (!(png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT)) 239 if (png_ptr->push_length == 0) 240 return; 241 242 if (png_ptr->mode & PNG_AFTER_IDAT) 243 png_benign_error(png_ptr, "Too many IDATs found"); 244 } 245 246 if (chunk_name == png_IHDR) 247 { 248 if (png_ptr->push_length != 13) 249 png_error(png_ptr, "Invalid IHDR length"); 250 251 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 252 { 253 png_push_save_buffer(png_ptr); 254 return; 255 } 256 257 png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length); 258 } 259 260 else if (chunk_name == png_IEND) 261 { 262 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 263 { 264 png_push_save_buffer(png_ptr); 265 return; 266 } 267 268 png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length); 269 270 png_ptr->process_mode = PNG_READ_DONE_MODE; 271 png_push_have_end(png_ptr, info_ptr); 272 } 273 274#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 275 else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0) 276 { 277 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 278 { 279 png_push_save_buffer(png_ptr); 280 return; 281 } 282 283 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep); 284 285 if (chunk_name == png_PLTE) 286 png_ptr->mode |= PNG_HAVE_PLTE; 287 } 288 289#endif 290 else if (chunk_name == png_PLTE) 291 { 292 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 293 { 294 png_push_save_buffer(png_ptr); 295 return; 296 } 297 png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length); 298 } 299 300 else if (chunk_name == png_IDAT) 301 { 302 png_ptr->idat_size = png_ptr->push_length; 303 png_ptr->process_mode = PNG_READ_IDAT_MODE; 304 png_push_have_info(png_ptr, info_ptr); 305 png_ptr->zstream.avail_out = 306 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth, 307 png_ptr->iwidth) + 1; 308 png_ptr->zstream.next_out = png_ptr->row_buf; 309 return; 310 } 311 312#ifdef PNG_READ_gAMA_SUPPORTED 313 else if (png_ptr->chunk_name == png_gAMA) 314 { 315 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 316 { 317 png_push_save_buffer(png_ptr); 318 return; 319 } 320 321 png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length); 322 } 323 324#endif 325#ifdef PNG_READ_sBIT_SUPPORTED 326 else if (png_ptr->chunk_name == png_sBIT) 327 { 328 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 329 { 330 png_push_save_buffer(png_ptr); 331 return; 332 } 333 334 png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length); 335 } 336 337#endif 338#ifdef PNG_READ_cHRM_SUPPORTED 339 else if (png_ptr->chunk_name == png_cHRM) 340 { 341 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 342 { 343 png_push_save_buffer(png_ptr); 344 return; 345 } 346 347 png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length); 348 } 349 350#endif 351#ifdef PNG_READ_sRGB_SUPPORTED 352 else if (chunk_name == png_sRGB) 353 { 354 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 355 { 356 png_push_save_buffer(png_ptr); 357 return; 358 } 359 360 png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length); 361 } 362 363#endif 364#ifdef PNG_READ_iCCP_SUPPORTED 365 else if (png_ptr->chunk_name == png_iCCP) 366 { 367 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 368 { 369 png_push_save_buffer(png_ptr); 370 return; 371 } 372 373 png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length); 374 } 375 376#endif 377#ifdef PNG_READ_sPLT_SUPPORTED 378 else if (chunk_name == png_sPLT) 379 { 380 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 381 { 382 png_push_save_buffer(png_ptr); 383 return; 384 } 385 386 png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length); 387 } 388 389#endif 390#ifdef PNG_READ_tRNS_SUPPORTED 391 else if (chunk_name == png_tRNS) 392 { 393 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 394 { 395 png_push_save_buffer(png_ptr); 396 return; 397 } 398 399 png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length); 400 } 401 402#endif 403#ifdef PNG_READ_bKGD_SUPPORTED 404 else if (chunk_name == png_bKGD) 405 { 406 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 407 { 408 png_push_save_buffer(png_ptr); 409 return; 410 } 411 412 png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length); 413 } 414 415#endif 416#ifdef PNG_READ_hIST_SUPPORTED 417 else if (chunk_name == png_hIST) 418 { 419 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 420 { 421 png_push_save_buffer(png_ptr); 422 return; 423 } 424 425 png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length); 426 } 427 428#endif 429#ifdef PNG_READ_pHYs_SUPPORTED 430 else if (chunk_name == png_pHYs) 431 { 432 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 433 { 434 png_push_save_buffer(png_ptr); 435 return; 436 } 437 438 png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length); 439 } 440 441#endif 442#ifdef PNG_READ_oFFs_SUPPORTED 443 else if (chunk_name == png_oFFs) 444 { 445 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 446 { 447 png_push_save_buffer(png_ptr); 448 return; 449 } 450 451 png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length); 452 } 453#endif 454 455#ifdef PNG_READ_pCAL_SUPPORTED 456 else if (chunk_name == png_pCAL) 457 { 458 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 459 { 460 png_push_save_buffer(png_ptr); 461 return; 462 } 463 464 png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length); 465 } 466 467#endif 468#ifdef PNG_READ_sCAL_SUPPORTED 469 else if (chunk_name == png_sCAL) 470 { 471 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 472 { 473 png_push_save_buffer(png_ptr); 474 return; 475 } 476 477 png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length); 478 } 479 480#endif 481#ifdef PNG_READ_tIME_SUPPORTED 482 else if (chunk_name == png_tIME) 483 { 484 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 485 { 486 png_push_save_buffer(png_ptr); 487 return; 488 } 489 490 png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length); 491 } 492 493#endif 494#ifdef PNG_READ_tEXt_SUPPORTED 495 else if (chunk_name == png_tEXt) 496 { 497 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 498 { 499 png_push_save_buffer(png_ptr); 500 return; 501 } 502 503 png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length); 504 } 505 506#endif 507#ifdef PNG_READ_zTXt_SUPPORTED 508 else if (chunk_name == png_zTXt) 509 { 510 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 511 { 512 png_push_save_buffer(png_ptr); 513 return; 514 } 515 516 png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length); 517 } 518 519#endif 520#ifdef PNG_READ_iTXt_SUPPORTED 521 else if (chunk_name == png_iTXt) 522 { 523 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 524 { 525 png_push_save_buffer(png_ptr); 526 return; 527 } 528 529 png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length); 530 } 531 532#endif 533 else 534 { 535 if (png_ptr->push_length + 4 > png_ptr->buffer_size) 536 { 537 png_push_save_buffer(png_ptr); 538 return; 539 } 540 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, 541 PNG_HANDLE_CHUNK_AS_DEFAULT); 542 } 543 544 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 545} 546 547void /* PRIVATE */ 548png_push_crc_skip(png_structrp png_ptr, png_uint_32 skip) 549{ 550 png_ptr->process_mode = PNG_SKIP_MODE; 551 png_ptr->skip_length = skip; 552} 553 554void /* PRIVATE */ 555png_push_crc_finish(png_structrp png_ptr) 556{ 557 if (png_ptr->skip_length && png_ptr->save_buffer_size) 558 { 559 png_size_t save_size = png_ptr->save_buffer_size; 560 png_uint_32 skip_length = png_ptr->skip_length; 561 562 /* We want the smaller of 'skip_length' and 'save_buffer_size', but 563 * they are of different types and we don't know which variable has the 564 * fewest bits. Carefully select the smaller and cast it to the type of 565 * the larger - this cannot overflow. Do not cast in the following test 566 * - it will break on either 16 or 64 bit platforms. 567 */ 568 if (skip_length < save_size) 569 save_size = (png_size_t)skip_length; 570 571 else 572 skip_length = (png_uint_32)save_size; 573 574 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size); 575 576 png_ptr->skip_length -= skip_length; 577 png_ptr->buffer_size -= save_size; 578 png_ptr->save_buffer_size -= save_size; 579 png_ptr->save_buffer_ptr += save_size; 580 } 581 if (png_ptr->skip_length && png_ptr->current_buffer_size) 582 { 583 png_size_t save_size = png_ptr->current_buffer_size; 584 png_uint_32 skip_length = png_ptr->skip_length; 585 586 /* We want the smaller of 'skip_length' and 'current_buffer_size', here, 587 * the same problem exists as above and the same solution. 588 */ 589 if (skip_length < save_size) 590 save_size = (png_size_t)skip_length; 591 592 else 593 skip_length = (png_uint_32)save_size; 594 595 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size); 596 597 png_ptr->skip_length -= skip_length; 598 png_ptr->buffer_size -= save_size; 599 png_ptr->current_buffer_size -= save_size; 600 png_ptr->current_buffer_ptr += save_size; 601 } 602 if (!png_ptr->skip_length) 603 { 604 if (png_ptr->buffer_size < 4) 605 { 606 png_push_save_buffer(png_ptr); 607 return; 608 } 609 610 png_crc_finish(png_ptr, 0); 611 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 612 } 613} 614 615void PNGCBAPI 616png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length) 617{ 618 png_bytep ptr; 619 620 if (png_ptr == NULL) 621 return; 622 623 ptr = buffer; 624 if (png_ptr->save_buffer_size) 625 { 626 png_size_t save_size; 627 628 if (length < png_ptr->save_buffer_size) 629 save_size = length; 630 631 else 632 save_size = png_ptr->save_buffer_size; 633 634 memcpy(ptr, png_ptr->save_buffer_ptr, save_size); 635 length -= save_size; 636 ptr += save_size; 637 png_ptr->buffer_size -= save_size; 638 png_ptr->save_buffer_size -= save_size; 639 png_ptr->save_buffer_ptr += save_size; 640 } 641 if (length && png_ptr->current_buffer_size) 642 { 643 png_size_t save_size; 644 645 if (length < png_ptr->current_buffer_size) 646 save_size = length; 647 648 else 649 save_size = png_ptr->current_buffer_size; 650 651 memcpy(ptr, png_ptr->current_buffer_ptr, save_size); 652 png_ptr->buffer_size -= save_size; 653 png_ptr->current_buffer_size -= save_size; 654 png_ptr->current_buffer_ptr += save_size; 655 } 656} 657 658void /* PRIVATE */ 659png_push_save_buffer(png_structrp png_ptr) 660{ 661 if (png_ptr->save_buffer_size) 662 { 663 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer) 664 { 665 png_size_t i, istop; 666 png_bytep sp; 667 png_bytep dp; 668 669 istop = png_ptr->save_buffer_size; 670 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer; 671 i < istop; i++, sp++, dp++) 672 { 673 *dp = *sp; 674 } 675 } 676 } 677 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size > 678 png_ptr->save_buffer_max) 679 { 680 png_size_t new_max; 681 png_bytep old_buffer; 682 683 if (png_ptr->save_buffer_size > PNG_SIZE_MAX - 684 (png_ptr->current_buffer_size + 256)) 685 { 686 png_error(png_ptr, "Potential overflow of save_buffer"); 687 } 688 689 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; 690 old_buffer = png_ptr->save_buffer; 691 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr, 692 (png_size_t)new_max); 693 694 if (png_ptr->save_buffer == NULL) 695 { 696 png_free(png_ptr, old_buffer); 697 png_error(png_ptr, "Insufficient memory for save_buffer"); 698 } 699 700 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size); 701 png_free(png_ptr, old_buffer); 702 png_ptr->save_buffer_max = new_max; 703 } 704 if (png_ptr->current_buffer_size) 705 { 706 memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size, 707 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size); 708 png_ptr->save_buffer_size += png_ptr->current_buffer_size; 709 png_ptr->current_buffer_size = 0; 710 } 711 png_ptr->save_buffer_ptr = png_ptr->save_buffer; 712 png_ptr->buffer_size = 0; 713} 714 715void /* PRIVATE */ 716png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer, 717 png_size_t buffer_length) 718{ 719 png_ptr->current_buffer = buffer; 720 png_ptr->current_buffer_size = buffer_length; 721 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size; 722 png_ptr->current_buffer_ptr = png_ptr->current_buffer; 723} 724 725void /* PRIVATE */ 726png_push_read_IDAT(png_structrp png_ptr) 727{ 728 if (!(png_ptr->mode & PNG_HAVE_CHUNK_HEADER)) 729 { 730 png_byte chunk_length[4]; 731 png_byte chunk_tag[4]; 732 733 /* TODO: this code can be commoned up with the same code in push_read */ 734 if (png_ptr->buffer_size < 8) 735 { 736 png_push_save_buffer(png_ptr); 737 return; 738 } 739 740 png_push_fill_buffer(png_ptr, chunk_length, 4); 741 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 742 png_reset_crc(png_ptr); 743 png_crc_read(png_ptr, chunk_tag, 4); 744 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 745 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 746 747 if (png_ptr->chunk_name != png_IDAT) 748 { 749 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 750 751 if (!(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED)) 752 png_error(png_ptr, "Not enough compressed data"); 753 754 return; 755 } 756 757 png_ptr->idat_size = png_ptr->push_length; 758 } 759 760 if (png_ptr->idat_size && png_ptr->save_buffer_size) 761 { 762 png_size_t save_size = png_ptr->save_buffer_size; 763 png_uint_32 idat_size = png_ptr->idat_size; 764 765 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 766 * are of different types and we don't know which variable has the fewest 767 * bits. Carefully select the smaller and cast it to the type of the 768 * larger - this cannot overflow. Do not cast in the following test - it 769 * will break on either 16 or 64 bit platforms. 770 */ 771 if (idat_size < save_size) 772 save_size = (png_size_t)idat_size; 773 774 else 775 idat_size = (png_uint_32)save_size; 776 777 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size); 778 779 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size); 780 781 png_ptr->idat_size -= idat_size; 782 png_ptr->buffer_size -= save_size; 783 png_ptr->save_buffer_size -= save_size; 784 png_ptr->save_buffer_ptr += save_size; 785 } 786 787 if (png_ptr->idat_size && png_ptr->current_buffer_size) 788 { 789 png_size_t save_size = png_ptr->current_buffer_size; 790 png_uint_32 idat_size = png_ptr->idat_size; 791 792 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 793 * are of different types and we don't know which variable has the fewest 794 * bits. Carefully select the smaller and cast it to the type of the 795 * larger - this cannot overflow. 796 */ 797 if (idat_size < save_size) 798 save_size = (png_size_t)idat_size; 799 800 else 801 idat_size = (png_uint_32)save_size; 802 803 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size); 804 805 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size); 806 807 png_ptr->idat_size -= idat_size; 808 png_ptr->buffer_size -= save_size; 809 png_ptr->current_buffer_size -= save_size; 810 png_ptr->current_buffer_ptr += save_size; 811 } 812 if (!png_ptr->idat_size) 813 { 814 if (png_ptr->buffer_size < 4) 815 { 816 png_push_save_buffer(png_ptr); 817 return; 818 } 819 820 png_crc_finish(png_ptr, 0); 821 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 822 png_ptr->mode |= PNG_AFTER_IDAT; 823 png_ptr->zowner = 0; 824 } 825} 826 827void /* PRIVATE */ 828png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer, 829 png_size_t buffer_length) 830{ 831 /* The caller checks for a non-zero buffer length. */ 832 if (!(buffer_length > 0) || buffer == NULL) 833 png_error(png_ptr, "No IDAT data (internal error)"); 834 835 /* This routine must process all the data it has been given 836 * before returning, calling the row callback as required to 837 * handle the uncompressed results. 838 */ 839 png_ptr->zstream.next_in = buffer; 840 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 841 png_ptr->zstream.avail_in = (uInt)buffer_length; 842 843 /* Keep going until the decompressed data is all processed 844 * or the stream marked as finished. 845 */ 846 while (png_ptr->zstream.avail_in > 0 && 847 !(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED)) 848 { 849 int ret; 850 851 /* We have data for zlib, but we must check that zlib 852 * has someplace to put the results. It doesn't matter 853 * if we don't expect any results -- it may be the input 854 * data is just the LZ end code. 855 */ 856 if (!(png_ptr->zstream.avail_out > 0)) 857 { 858 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 859 png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth, 860 png_ptr->iwidth) + 1); 861 862 png_ptr->zstream.next_out = png_ptr->row_buf; 863 } 864 865 /* Using Z_SYNC_FLUSH here means that an unterminated 866 * LZ stream (a stream with a missing end code) can still 867 * be handled, otherwise (Z_NO_FLUSH) a future zlib 868 * implementation might defer output and therefore 869 * change the current behavior (see comments in inflate.c 870 * for why this doesn't happen at present with zlib 1.2.5). 871 */ 872 ret = inflate(&png_ptr->zstream, Z_SYNC_FLUSH); 873 874 /* Check for any failure before proceeding. */ 875 if (ret != Z_OK && ret != Z_STREAM_END) 876 { 877 /* Terminate the decompression. */ 878 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 879 png_ptr->zowner = 0; 880 881 /* This may be a truncated stream (missing or 882 * damaged end code). Treat that as a warning. 883 */ 884 if (png_ptr->row_number >= png_ptr->num_rows || 885 png_ptr->pass > 6) 886 png_warning(png_ptr, "Truncated compressed data in IDAT"); 887 888 else 889 png_error(png_ptr, "Decompression error in IDAT"); 890 891 /* Skip the check on unprocessed input */ 892 return; 893 } 894 895 /* Did inflate output any data? */ 896 if (png_ptr->zstream.next_out != png_ptr->row_buf) 897 { 898 /* Is this unexpected data after the last row? 899 * If it is, artificially terminate the LZ output 900 * here. 901 */ 902 if (png_ptr->row_number >= png_ptr->num_rows || 903 png_ptr->pass > 6) 904 { 905 /* Extra data. */ 906 png_warning(png_ptr, "Extra compressed data in IDAT"); 907 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 908 png_ptr->zowner = 0; 909 910 /* Do no more processing; skip the unprocessed 911 * input check below. 912 */ 913 return; 914 } 915 916 /* Do we have a complete row? */ 917 if (png_ptr->zstream.avail_out == 0) 918 png_push_process_row(png_ptr); 919 } 920 921 /* And check for the end of the stream. */ 922 if (ret == Z_STREAM_END) 923 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 924 } 925 926 /* All the data should have been processed, if anything 927 * is left at this point we have bytes of IDAT data 928 * after the zlib end code. 929 */ 930 if (png_ptr->zstream.avail_in > 0) 931 png_warning(png_ptr, "Extra compression data in IDAT"); 932} 933 934void /* PRIVATE */ 935png_push_process_row(png_structrp png_ptr) 936{ 937 /* 1.5.6: row_info moved out of png_struct to a local here. */ 938 png_row_info row_info; 939 940 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */ 941 row_info.color_type = png_ptr->color_type; 942 row_info.bit_depth = png_ptr->bit_depth; 943 row_info.channels = png_ptr->channels; 944 row_info.pixel_depth = png_ptr->pixel_depth; 945 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width); 946 947 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE) 948 { 949 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST) 950 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1, 951 png_ptr->prev_row + 1, png_ptr->row_buf[0]); 952 else 953 png_error(png_ptr, "bad adaptive filter value"); 954 } 955 956 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before 957 * 1.5.6, while the buffer really is this big in current versions of libpng 958 * it may not be in the future, so this was changed just to copy the 959 * interlaced row count: 960 */ 961 memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1); 962 963#ifdef PNG_READ_TRANSFORMS_SUPPORTED 964 if (png_ptr->transformations) 965 png_do_read_transformations(png_ptr, &row_info); 966#endif 967 968 /* The transformed pixel depth should match the depth now in row_info. */ 969 if (png_ptr->transformed_pixel_depth == 0) 970 { 971 png_ptr->transformed_pixel_depth = row_info.pixel_depth; 972 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth) 973 png_error(png_ptr, "progressive row overflow"); 974 } 975 976 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth) 977 png_error(png_ptr, "internal progressive row size calculation error"); 978 979 980#ifdef PNG_READ_INTERLACING_SUPPORTED 981 /* Blow up interlaced rows to full size */ 982 if (png_ptr->interlaced && (png_ptr->transformations & PNG_INTERLACE)) 983 { 984 if (png_ptr->pass < 6) 985 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass, 986 png_ptr->transformations); 987 988 switch (png_ptr->pass) 989 { 990 case 0: 991 { 992 int i; 993 for (i = 0; i < 8 && png_ptr->pass == 0; i++) 994 { 995 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 996 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */ 997 } 998 999 if (png_ptr->pass == 2) /* Pass 1 might be empty */ 1000 { 1001 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 1002 { 1003 png_push_have_row(png_ptr, NULL); 1004 png_read_push_finish_row(png_ptr); 1005 } 1006 } 1007 1008 if (png_ptr->pass == 4 && png_ptr->height <= 4) 1009 { 1010 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 1011 { 1012 png_push_have_row(png_ptr, NULL); 1013 png_read_push_finish_row(png_ptr); 1014 } 1015 } 1016 1017 if (png_ptr->pass == 6 && png_ptr->height <= 4) 1018 { 1019 png_push_have_row(png_ptr, NULL); 1020 png_read_push_finish_row(png_ptr); 1021 } 1022 1023 break; 1024 } 1025 1026 case 1: 1027 { 1028 int i; 1029 for (i = 0; i < 8 && png_ptr->pass == 1; i++) 1030 { 1031 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 1032 png_read_push_finish_row(png_ptr); 1033 } 1034 1035 if (png_ptr->pass == 2) /* Skip top 4 generated rows */ 1036 { 1037 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 1038 { 1039 png_push_have_row(png_ptr, NULL); 1040 png_read_push_finish_row(png_ptr); 1041 } 1042 } 1043 1044 break; 1045 } 1046 1047 case 2: 1048 { 1049 int i; 1050 1051 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 1052 { 1053 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 1054 png_read_push_finish_row(png_ptr); 1055 } 1056 1057 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 1058 { 1059 png_push_have_row(png_ptr, NULL); 1060 png_read_push_finish_row(png_ptr); 1061 } 1062 1063 if (png_ptr->pass == 4) /* Pass 3 might be empty */ 1064 { 1065 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 1066 { 1067 png_push_have_row(png_ptr, NULL); 1068 png_read_push_finish_row(png_ptr); 1069 } 1070 } 1071 1072 break; 1073 } 1074 1075 case 3: 1076 { 1077 int i; 1078 1079 for (i = 0; i < 4 && png_ptr->pass == 3; i++) 1080 { 1081 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 1082 png_read_push_finish_row(png_ptr); 1083 } 1084 1085 if (png_ptr->pass == 4) /* Skip top two generated rows */ 1086 { 1087 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 1088 { 1089 png_push_have_row(png_ptr, NULL); 1090 png_read_push_finish_row(png_ptr); 1091 } 1092 } 1093 1094 break; 1095 } 1096 1097 case 4: 1098 { 1099 int i; 1100 1101 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 1102 { 1103 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 1104 png_read_push_finish_row(png_ptr); 1105 } 1106 1107 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 1108 { 1109 png_push_have_row(png_ptr, NULL); 1110 png_read_push_finish_row(png_ptr); 1111 } 1112 1113 if (png_ptr->pass == 6) /* Pass 5 might be empty */ 1114 { 1115 png_push_have_row(png_ptr, NULL); 1116 png_read_push_finish_row(png_ptr); 1117 } 1118 1119 break; 1120 } 1121 1122 case 5: 1123 { 1124 int i; 1125 1126 for (i = 0; i < 2 && png_ptr->pass == 5; i++) 1127 { 1128 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 1129 png_read_push_finish_row(png_ptr); 1130 } 1131 1132 if (png_ptr->pass == 6) /* Skip top generated row */ 1133 { 1134 png_push_have_row(png_ptr, NULL); 1135 png_read_push_finish_row(png_ptr); 1136 } 1137 1138 break; 1139 } 1140 1141 default: 1142 case 6: 1143 { 1144 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 1145 png_read_push_finish_row(png_ptr); 1146 1147 if (png_ptr->pass != 6) 1148 break; 1149 1150 png_push_have_row(png_ptr, NULL); 1151 png_read_push_finish_row(png_ptr); 1152 } 1153 } 1154 } 1155 else 1156#endif 1157 { 1158 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 1159 png_read_push_finish_row(png_ptr); 1160 } 1161} 1162 1163void /* PRIVATE */ 1164png_read_push_finish_row(png_structrp png_ptr) 1165{ 1166#ifdef PNG_READ_INTERLACING_SUPPORTED 1167 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 1168 1169 /* Start of interlace block */ 1170 static PNG_CONST png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0}; 1171 1172 /* Offset to next interlace block */ 1173 static PNG_CONST png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1}; 1174 1175 /* Start of interlace block in the y direction */ 1176 static PNG_CONST png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1}; 1177 1178 /* Offset to next interlace block in the y direction */ 1179 static PNG_CONST png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2}; 1180 1181 /* Height of interlace block. This is not currently used - if you need 1182 * it, uncomment it here and in png.h 1183 static PNG_CONST png_byte png_pass_height[] = {8, 8, 4, 4, 2, 2, 1}; 1184 */ 1185#endif 1186 1187 png_ptr->row_number++; 1188 if (png_ptr->row_number < png_ptr->num_rows) 1189 return; 1190 1191#ifdef PNG_READ_INTERLACING_SUPPORTED 1192 if (png_ptr->interlaced) 1193 { 1194 png_ptr->row_number = 0; 1195 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1); 1196 1197 do 1198 { 1199 png_ptr->pass++; 1200 if ((png_ptr->pass == 1 && png_ptr->width < 5) || 1201 (png_ptr->pass == 3 && png_ptr->width < 3) || 1202 (png_ptr->pass == 5 && png_ptr->width < 2)) 1203 png_ptr->pass++; 1204 1205 if (png_ptr->pass > 7) 1206 png_ptr->pass--; 1207 1208 if (png_ptr->pass >= 7) 1209 break; 1210 1211 png_ptr->iwidth = (png_ptr->width + 1212 png_pass_inc[png_ptr->pass] - 1 - 1213 png_pass_start[png_ptr->pass]) / 1214 png_pass_inc[png_ptr->pass]; 1215 1216 if (png_ptr->transformations & PNG_INTERLACE) 1217 break; 1218 1219 png_ptr->num_rows = (png_ptr->height + 1220 png_pass_yinc[png_ptr->pass] - 1 - 1221 png_pass_ystart[png_ptr->pass]) / 1222 png_pass_yinc[png_ptr->pass]; 1223 1224 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0); 1225 } 1226#endif /* PNG_READ_INTERLACING_SUPPORTED */ 1227} 1228 1229void /* PRIVATE */ 1230png_push_have_info(png_structrp png_ptr, png_inforp info_ptr) 1231{ 1232 if (png_ptr->info_fn != NULL) 1233 (*(png_ptr->info_fn))(png_ptr, info_ptr); 1234} 1235 1236void /* PRIVATE */ 1237png_push_have_end(png_structrp png_ptr, png_inforp info_ptr) 1238{ 1239 if (png_ptr->end_fn != NULL) 1240 (*(png_ptr->end_fn))(png_ptr, info_ptr); 1241} 1242 1243void /* PRIVATE */ 1244png_push_have_row(png_structrp png_ptr, png_bytep row) 1245{ 1246 if (png_ptr->row_fn != NULL) 1247 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number, 1248 (int)png_ptr->pass); 1249} 1250 1251#ifdef PNG_READ_INTERLACING_SUPPORTED 1252void PNGAPI 1253png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row, 1254 png_const_bytep new_row) 1255{ 1256 if (png_ptr == NULL) 1257 return; 1258 1259 /* new_row is a flag here - if it is NULL then the app callback was called 1260 * from an empty row (see the calls to png_struct::row_fn below), otherwise 1261 * it must be png_ptr->row_buf+1 1262 */ 1263 if (new_row != NULL) 1264 png_combine_row(png_ptr, old_row, 1/*display*/); 1265} 1266#endif /* PNG_READ_INTERLACING_SUPPORTED */ 1267 1268void PNGAPI 1269png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr, 1270 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn, 1271 png_progressive_end_ptr end_fn) 1272{ 1273 if (png_ptr == NULL) 1274 return; 1275 1276 png_ptr->info_fn = info_fn; 1277 png_ptr->row_fn = row_fn; 1278 png_ptr->end_fn = end_fn; 1279 1280 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer); 1281} 1282 1283png_voidp PNGAPI 1284png_get_progressive_ptr(png_const_structrp png_ptr) 1285{ 1286 if (png_ptr == NULL) 1287 return (NULL); 1288 1289 return png_ptr->io_ptr; 1290} 1291#endif /* PNG_PROGRESSIVE_READ_SUPPORTED */ 1292