1/* pngfix.c
2 *
3 * Copyright (c) 2014-2016 John Cunningham Bowler
4 *
5 * Last changed in libpng 1.6.21 [January 15, 2016]
6 *
7 * This code is released under the libpng license.
8 * For conditions of distribution and use, see the disclaimer
9 * and license in png.h
10 *
11 * Tool to check and fix the zlib inflate 'too far back' problem.
12 * See the usage message for more information.
13 */
14#include <stdlib.h>
15#include <stdio.h>
16#include <string.h>
17#include <ctype.h>
18#include <limits.h>
19#include <errno.h>
20#include <assert.h>
21
22#define implies(x,y) assert(!(x) || (y))
23
24#ifdef __GNUC__
25   /* This is used to fix the error:
26    *
27    * pngfix.c:
28    * In function 'zlib_advance':
29    * pngfix.c:181:13: error: assuming signed overflow does not
30    *   occur when simplifying conditional to constant [-Werror=strict-overflow]
31    */
32#  define FIX_GCC volatile
33#else
34#  define FIX_GCC
35#endif
36
37#define PROGRAM_NAME "pngfix"
38
39/* Define the following to use this program against your installed libpng,
40 * rather than the one being built here:
41 */
42#ifdef PNG_FREESTANDING_TESTS
43#  include <png.h>
44#else
45#  include "../../png.h"
46#endif
47
48#if PNG_LIBPNG_VER < 10603 /* 1.6.3 */
49#  error "pngfix will not work with libpng prior to 1.6.3"
50#endif
51
52#ifdef PNG_SETJMP_SUPPORTED
53#include <setjmp.h>
54
55#if defined(PNG_READ_SUPPORTED) && defined(PNG_EASY_ACCESS_SUPPORTED) &&\
56   (defined(PNG_READ_DEINTERLACE_SUPPORTED) ||\
57    defined(PNG_READ_INTERLACING_SUPPORTED))
58
59/* zlib.h defines the structure z_stream, an instance of which is included
60 * in this structure and is required for decompressing the LZ compressed
61 * data in PNG files.
62 */
63#ifndef ZLIB_CONST
64   /* We must ensure that zlib uses 'const' in declarations. */
65#  define ZLIB_CONST
66#endif
67#include <zlib.h>
68#ifdef const
69   /* zlib.h sometimes #defines const to nothing, undo this. */
70#  undef const
71#endif
72
73/* zlib.h has mediocre z_const use before 1.2.6, this stuff is for compatibility
74 * with older builds.
75 */
76#if ZLIB_VERNUM < 0x1260
77#  define PNGZ_MSG_CAST(s) constcast(char*,s)
78#  define PNGZ_INPUT_CAST(b) constcast(png_bytep,b)
79#else
80#  define PNGZ_MSG_CAST(s) (s)
81#  define PNGZ_INPUT_CAST(b) (b)
82#endif
83
84#ifndef PNG_MAXIMUM_INFLATE_WINDOW
85#  error "pngfix not supported in this libpng version"
86#endif
87
88#if ZLIB_VERNUM >= 0x1240
89
90/* Copied from pngpriv.h */
91#ifdef __cplusplus
92#  define voidcast(type, value) static_cast<type>(value)
93#  define constcast(type, value) const_cast<type>(value)
94#  define aligncast(type, value) \
95   static_cast<type>(static_cast<void*>(value))
96#  define aligncastconst(type, value) \
97   static_cast<type>(static_cast<const void*>(value))
98#else
99#  define voidcast(type, value) (value)
100#  define constcast(type, value) ((type)(value))
101#  define aligncast(type, value) ((void*)(value))
102#  define aligncastconst(type, value) ((const void*)(value))
103#endif /* __cplusplus */
104
105#if PNG_LIBPNG_VER < 10700
106/* Chunk tags (copied from pngpriv.h) */
107#define PNG_32b(b,s) ((png_uint_32)(b) << (s))
108#define PNG_U32(b1,b2,b3,b4) \
109   (PNG_32b(b1,24) | PNG_32b(b2,16) | PNG_32b(b3,8) | PNG_32b(b4,0))
110
111/* Constants for known chunk types. */
112#define png_IDAT PNG_U32( 73,  68,  65,  84)
113#define png_IEND PNG_U32( 73,  69,  78,  68)
114#define png_IHDR PNG_U32( 73,  72,  68,  82)
115#define png_PLTE PNG_U32( 80,  76,  84,  69)
116#define png_bKGD PNG_U32( 98,  75,  71,  68)
117#define png_cHRM PNG_U32( 99,  72,  82,  77)
118#define png_fRAc PNG_U32(102,  82,  65,  99) /* registered, not defined */
119#define png_gAMA PNG_U32(103,  65,  77,  65)
120#define png_gIFg PNG_U32(103,  73,  70, 103)
121#define png_gIFt PNG_U32(103,  73,  70, 116) /* deprecated */
122#define png_gIFx PNG_U32(103,  73,  70, 120)
123#define png_hIST PNG_U32(104,  73,  83,  84)
124#define png_iCCP PNG_U32(105,  67,  67,  80)
125#define png_iTXt PNG_U32(105,  84,  88, 116)
126#define png_oFFs PNG_U32(111,  70,  70, 115)
127#define png_pCAL PNG_U32(112,  67,  65,  76)
128#define png_pHYs PNG_U32(112,  72,  89, 115)
129#define png_sBIT PNG_U32(115,  66,  73,  84)
130#define png_sCAL PNG_U32(115,  67,  65,  76)
131#define png_sPLT PNG_U32(115,  80,  76,  84)
132#define png_sRGB PNG_U32(115,  82,  71,  66)
133#define png_sTER PNG_U32(115,  84,  69,  82)
134#define png_tEXt PNG_U32(116,  69,  88, 116)
135#define png_tIME PNG_U32(116,  73,  77,  69)
136#define png_tRNS PNG_U32(116,  82,  78,  83)
137#define png_zTXt PNG_U32(122,  84,  88, 116)
138#endif
139
140/* The 8-byte signature as a pair of 32-bit quantities */
141#define sig1 PNG_U32(137,  80,  78,  71)
142#define sig2 PNG_U32( 13,  10,  26,  10)
143
144/* Is the chunk critical? */
145#define CRITICAL(chunk) (((chunk) & PNG_U32(32,0,0,0)) == 0)
146
147/* Is it safe to copy? */
148#define SAFE_TO_COPY(chunk) (((chunk) & PNG_U32(0,0,0,32)) != 0)
149
150/* Fix ups for builds with limited read support */
151#ifndef PNG_ERROR_TEXT_SUPPORTED
152#  define png_error(a,b) png_err(a)
153#endif
154
155/********************************* UTILITIES **********************************/
156/* UNREACHED is a value to cause an assert to fail. Because of the way the
157 * assert macro is written the string "UNREACHED" is produced in the error
158 * message.
159 */
160#define UNREACHED 0
161
162/* 80-bit number handling - a PNG image can be up to (2^31-1)x(2^31-1) 8-byte
163 * (16-bit RGBA) pixels in size; that's less than 2^65 bytes or 2^68 bits, so
164 * arithmetic of 80-bit numbers is sufficient.  This representation uses an
165 * arbitrary length array of png_uint_16 digits (0..65535).  The representation
166 * is little endian.
167 *
168 * The arithmetic functions take zero to two uarb values together with the
169 * number of digits in those values and write the result to the given uarb
170 * (always the first argument) returning the number of digits in the result.
171 * If the result is negative the return value is also negative (this would
172 * normally be an error).
173 */
174typedef png_uint_16  udigit; /* A 'unum' is an array of these */
175typedef png_uint_16p uarb;
176typedef png_const_uint_16p uarbc;
177
178#define UDIGITS(unum) ((sizeof unum)/(sizeof (udigit))
179   /* IMPORTANT: only apply this to an array, applied to a pointer the result
180    * will typically be '2', which is not useful.
181    */
182
183static int
184uarb_set(uarb result, png_alloc_size_t val)
185   /* Set (initialize) 'result' to 'val'.  The size required for 'result' must
186    * be determined by the caller from a knowledge of the maximum for 'val'.
187    */
188{
189   int ndigits = 0;
190
191   while (val > 0)
192   {
193      result[ndigits++] = (png_uint_16)(val & 0xffff);
194      val >>= 16;
195   }
196
197   return ndigits;
198}
199
200static int
201uarb_copy(uarb to, uarb from, int idigits)
202   /* Copy a uarb, may reduce the digit count */
203{
204   int d, odigits;
205
206   for (d=odigits=0; d<idigits; ++d)
207      if ((to[d] = from[d]) != 0)
208         odigits = d+1;
209
210   return odigits;
211}
212
213static int
214uarb_inc(uarb num, int in_digits, png_int_32 add)
215   /* This is a signed 32-bit add, except that to avoid overflow the value added
216    * or subtracted must be no more than 2^31-65536.  A negative result
217    * indicates a negative number (which is an error below).  The size of
218    * 'num' should be max(in_digits+1,2) for arbitrary 'add' but can be just
219    * in_digits+1 if add is known to be in the range -65535..65535.
220    */
221{
222   FIX_GCC int out_digits = 0;
223
224   while (out_digits < in_digits)
225   {
226      add += num[out_digits];
227      num[out_digits++] = (png_uint_16)(add & 0xffff);
228      add >>= 16;
229   }
230
231   while (add != 0 && add != (-1))
232   {
233      num[out_digits++] = (png_uint_16)(add & 0xffff);
234      add >>= 16;
235   }
236
237   if (add == 0)
238   {
239      while (out_digits > 0 && num[out_digits-1] == 0)
240         --out_digits;
241      return out_digits; /* may be 0 */
242   }
243
244   else /* negative result */
245   {
246      while (out_digits > 1 && num[out_digits-1] == 0xffff)
247         --out_digits;
248
249      return -out_digits;
250   }
251}
252
253static int
254uarb_add32(uarb num, int in_digits, png_uint_32 add)
255   /* As above but this works with any 32-bit value and only does 'add' */
256{
257   if (in_digits > 0)
258   {
259      in_digits = uarb_inc(num, in_digits, add & 0xffff);
260      return uarb_inc(num+1, in_digits-1, add >> 16)+1;
261   }
262
263   return uarb_set(num, add);
264}
265
266static int
267uarb_mult_digit(uarb acc, int a_digits, uarb num, FIX_GCC int n_digits,
268   png_uint_16 val)
269   /* Primitive one-digit multiply - 'val' must be 0..65535. Note that this
270    * primitive is a multiply and accumulate - the result of *num * val is added
271    * to *acc.
272    *
273    * This is a one-digit multiply, so the product may be up to one digit longer
274    * than 'num', however the add to 'acc' means that the caller must ensure
275    * that 'acc' is at least one digit longer than this *and* at least one digit
276    * longer than the current length of 'acc'.  (Or the caller must otherwise
277    * ensure 'adigits' is adequate from knowledge of the values.)
278    */
279{
280   /* The digits in *acc, *num and val are in the range 0..65535, so the
281    * result below is at most (65535*65535)+2*65635 = 65535*(65535+2), which is
282    * exactly 0xffffffff.
283    */
284   if (val > 0 && n_digits > 0) /* Else the product is 0 */
285   {
286      png_uint_32 carry = 0;
287      int out_digits = 0;
288
289      while (out_digits < n_digits || carry > 0)
290      {
291         if (out_digits < a_digits)
292            carry += acc[out_digits];
293
294         if (out_digits < n_digits)
295            carry += (png_uint_32)num[out_digits] * val;
296
297         acc[out_digits++] = (png_uint_16)(carry & 0xffff);
298         carry >>= 16;
299      }
300
301      /* So carry is 0 and all the input digits have been consumed. This means
302       * that it is possible to skip any remaining digits in acc.
303       */
304      if (out_digits > a_digits)
305         return out_digits;
306   }
307
308   return a_digits;
309}
310
311static int
312uarb_mult32(uarb acc, int a_digits, uarb num, int n_digits, png_uint_32 val)
313   /* calculate acc += num * val, 'val' may be any 32-bit value, 'acc' and 'num'
314    * may be any value, returns the number of digits in 'acc'.
315    */
316{
317   if (n_digits > 0 && val > 0)
318   {
319      a_digits = uarb_mult_digit(acc, a_digits, num, n_digits,
320         (png_uint_16)(val & 0xffff));
321
322      val >>= 16;
323      if (val > 0)
324         a_digits = uarb_mult_digit(acc+1, a_digits-1, num, n_digits,
325            (png_uint_16)val) + 1;
326
327      /* Because n_digits and val are >0 the following must be true: */
328      assert(a_digits > 0);
329   }
330
331   return a_digits;
332}
333
334static int
335uarb_shift(uarb inout, int ndigits, unsigned int right_shift)
336   /* Shift inout right by right_shift bits, right_shift must be in the range
337    * 1..15
338    */
339{
340   FIX_GCC int i = ndigits;
341   png_uint_16 carry = 0;
342
343   assert(right_shift >= 1 && right_shift <= 15);
344
345   while (--i >= 0)
346   {
347      png_uint_16 temp = (png_uint_16)(carry | (inout[i] >> right_shift));
348
349      /* Bottom bits to top bits of carry */
350      carry = (png_uint_16)((inout[i] << (16-right_shift)) & 0xffff);
351
352      inout[i] = temp;
353
354      /* The shift may reduce ndigits */
355      if (i == ndigits-1 && temp == 0)
356         ndigits = i;
357   }
358
359   return ndigits;
360}
361
362static int
363uarb_cmp(uarb a, int adigits, uarb b, int bdigits)
364   /* Return -1/0/+1 according as a<b/a==b/a>b */
365{
366   if (adigits < bdigits)
367      return -1;
368
369   if (adigits > bdigits)
370      return 1;
371
372   while (adigits-- > 0)
373      if (a[adigits] < b[adigits])
374         return -1;
375
376      else if (a[adigits] > b[adigits])
377         return 1;
378
379   return 0;
380}
381
382#if 0 /*UNUSED*/
383static int
384uarb_eq32(uarb num, int digits, png_uint_32 val)
385   /* Return true if the uarb is equal to 'val' */
386{
387   switch (digits)
388   {
389      case 0:  return val == 0;
390      case 1:  return val == num[0];
391      case 2:  return (val & 0xffff) == num[0] && (val >> 16) == num[1];
392      default: return 0;
393   }
394}
395#endif
396
397static void
398uarb_printx(uarb num, int digits, FILE *out)
399   /* Print 'num' as a hexadecimal number (easier than decimal!) */
400{
401   while (digits > 0)
402      if (num[--digits] > 0)
403      {
404         fprintf(out, "0x%x", num[digits]);
405
406         while (digits > 0)
407            fprintf(out, "%.4x", num[--digits]);
408      }
409
410      else if (digits == 0) /* the number is 0 */
411         fputs("0x0", out);
412}
413
414static void
415uarb_print(uarb num, int digits, FILE *out)
416   /* Prints 'num' as a decimal if it will fit in an unsigned long, else as a
417    * hexadecimal number.  Notice that the results vary for images over 4GByte
418    * in a system dependent way, and the hexadecimal form doesn't work very well
419    * in awk script input.
420    *
421    *
422    * TODO: write uarb_div10
423    */
424{
425   if (digits * sizeof (udigit) > sizeof (unsigned long))
426      uarb_printx(num, digits, out);
427
428   else
429   {
430      unsigned long n = 0;
431
432      while (digits > 0)
433         n = (n << 16) + num[--digits];
434
435      fprintf(out, "%lu", n);
436   }
437}
438
439/* Generate random bytes.  This uses a boring repeatable algorithm and it
440 * is implemented here so that it gives the same set of numbers on every
441 * architecture.  It's a linear congruential generator (Knuth or Sedgewick
442 * "Algorithms") but it comes from the 'feedback taps' table in Horowitz and
443 * Hill, "The Art of Electronics" (Pseudo-Random Bit Sequences and Noise
444 * Generation.)
445 *
446 * (Copied from contrib/libtests/pngvalid.c)
447 */
448static void
449make_random_bytes(png_uint_32* seed, void* pv, size_t size)
450{
451   png_uint_32 u0 = seed[0], u1 = seed[1];
452   png_bytep bytes = voidcast(png_bytep, pv);
453
454   /* There are thirty-three bits; the next bit in the sequence is bit-33 XOR
455    * bit-20.  The top 1 bit is in u1, the bottom 32 are in u0.
456    */
457   size_t i;
458   for (i=0; i<size; ++i)
459   {
460      /* First generate 8 new bits then shift them in at the end. */
461      png_uint_32 u = ((u0 >> (20-8)) ^ ((u1 << 7) | (u0 >> (32-7)))) & 0xff;
462      u1 <<= 8;
463      u1 |= u0 >> 24;
464      u0 <<= 8;
465      u0 |= u;
466      *bytes++ = (png_byte)u;
467   }
468
469   seed[0] = u0;
470   seed[1] = u1;
471}
472
473/* Clear an object to a random value. */
474static void
475clear(void *pv, size_t size)
476{
477   static png_uint_32 clear_seed[2] = { 0x12345678, 0x9abcdef0 };
478   make_random_bytes(clear_seed, pv, size);
479}
480
481#define CLEAR(object) clear(&(object), sizeof (object))
482
483/* Copied from unreleased 1.7 code.
484 *
485 * CRC checking uses a local pre-built implementation of the Ethernet CRC32.
486 * This is to avoid a function call to the zlib DLL and to optimize the
487 * byte-by-byte case.
488 */
489static png_uint_32 crc_table[256] =
490{
491   0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419,
492   0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4,
493   0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07,
494   0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,
495   0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856,
496   0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,
497   0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4,
498   0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,
499   0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3,
500   0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a,
501   0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599,
502   0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,
503   0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190,
504   0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f,
505   0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e,
506   0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,
507   0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed,
508   0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,
509   0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3,
510   0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,
511   0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a,
512   0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5,
513   0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010,
514   0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,
515   0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17,
516   0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6,
517   0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615,
518   0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,
519   0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344,
520   0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,
521   0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a,
522   0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,
523   0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1,
524   0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c,
525   0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef,
526   0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,
527   0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe,
528   0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31,
529   0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c,
530   0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,
531   0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b,
532   0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,
533   0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1,
534   0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,
535   0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278,
536   0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7,
537   0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66,
538   0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,
539   0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605,
540   0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8,
541   0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b,
542   0x2d02ef8d
543};
544
545/* The CRC calculated here *IS* conditioned, the corresponding value used by
546 * zlib and the result value is obtained by XORing with CRC_INIT, which is also
547 * the first value that must be passed in (for the first byte) to crc_one_byte.
548 */
549#define CRC_INIT 0xffffffff
550
551static png_uint_32
552crc_one_byte(png_uint_32 crc, int b)
553{
554   return crc_table[(crc ^ b) & 0xff] ^ (crc >> 8);
555}
556
557static png_uint_32
558crc_init_4(png_uint_32 value)
559{
560   /* This is an alternative to the algorithm used in zlib, which requires four
561    * separate tables to parallelize the four byte operations, it only works for
562    * a CRC of the first four bytes of the stream, but this is what happens in
563    * the parser below where length+chunk-name is read and chunk-name used to
564    * initialize the CRC.  Notice that the calculation here avoids repeated
565    * conditioning (xor with 0xffffffff) by storing the conditioned value.
566    */
567   png_uint_32 crc = crc_table[(~value >> 24)] ^ 0xffffff;
568
569   crc = crc_table[(crc ^ (value >> 16)) & 0xff] ^ (crc >> 8);
570   crc = crc_table[(crc ^ (value >> 8)) & 0xff] ^ (crc >> 8);
571   return crc_table[(crc ^ value) & 0xff] ^ (crc >> 8);
572}
573
574static int
575chunk_type_valid(png_uint_32 c)
576   /* Bit whacking approach to chunk name validation that is intended to avoid
577    * branches.  The cost is that it uses a lot of 32-bit constants, which might
578    * be bad on some architectures.
579    */
580{
581   png_uint_32 t;
582
583   /* Remove bit 5 from all but the reserved byte; this means every
584    * 8-bit unit must be in the range 65-90 to be valid.  So bit 5
585    * must be zero, bit 6 must be set and bit 7 zero.
586    */
587   c &= ~PNG_U32(32,32,0,32);
588   t = (c & ~0x1f1f1f1f) ^ 0x40404040;
589
590   /* Subtract 65 for each 8-bit quantity, this must not overflow
591    * and each byte must then be in the range 0-25.
592    */
593   c -= PNG_U32(65,65,65,65);
594   t |=c ;
595
596   /* Subtract 26, handling the overflow which should set the top
597    * three bits of each byte.
598    */
599   c -= PNG_U32(25,25,25,26);
600   t |= ~c;
601
602   return (t & 0xe0e0e0e0) == 0;
603}
604
605/**************************** CONTROL INFORMATION *****************************/
606
607/* Information about a sequence of IDAT chunks, the chunks have been re-synced
608 * using sync_stream below and the new lengths are recorded here.  Because the
609 * number of chunks is unlimited this is handled using a linked list of these
610 * structures.
611 */
612struct IDAT_list
613{
614   struct IDAT_list *next;     /* Linked list */
615   unsigned int      length;   /* Actual length of the array below */
616   unsigned int      count;    /* Number of entries that are valid */
617#     define IDAT_INIT_LENGTH 16
618   png_uint_32       lengths[IDAT_INIT_LENGTH];
619};
620
621static void
622IDAT_list_init(struct IDAT_list *list)
623{
624   CLEAR(*list);
625
626   list->next = NULL;
627   list->length = IDAT_INIT_LENGTH;
628}
629
630static size_t
631IDAT_list_size(struct IDAT_list *list, unsigned int length)
632   /* Return the size in bytes of an IDAT_list of the given length. */
633{
634   if (list != NULL)
635      length = list->length;
636
637   return sizeof *list - sizeof list->lengths +
638      length * sizeof list->lengths[0];
639}
640
641static void
642IDAT_list_end(struct IDAT_list *IDAT_list)
643{
644   struct IDAT_list *list = IDAT_list->next;
645
646   CLEAR(*IDAT_list);
647
648   while (list != NULL)
649   {
650      struct IDAT_list *next = list->next;
651
652      clear(list, IDAT_list_size(list, 0));
653      free(list);
654      list = next;
655   }
656}
657
658static struct IDAT_list *
659IDAT_list_extend(struct IDAT_list *tail)
660{
661   /* Use the previous cached value if available. */
662   struct IDAT_list *next = tail->next;
663
664   if (next == NULL)
665   {
666      /* Insert a new, malloc'ed, block of IDAT information buffers, this
667       * one twice as large as the previous one:
668       */
669      unsigned int length = 2 * tail->length;
670
671      if (length < tail->length) /* arithmetic overflow */
672         length = tail->length;
673
674      next = voidcast(IDAT_list*, malloc(IDAT_list_size(NULL, length)));
675      CLEAR(*next);
676
677      /* The caller must handle this: */
678      if (next == NULL)
679         return NULL;
680
681      next->next = NULL;
682      next->length = length;
683      tail->next = next;
684   }
685
686   return next;
687}
688
689/* GLOBAL CONTROL STRUCTURE */
690struct global
691{
692   /* PUBLIC GLOBAL VARIABLES: OWNER INITIALIZE */
693   unsigned int   errors        :1; /* print file errors to stderr */
694   unsigned int   warnings      :1; /* print libpng warnings to stderr */
695   unsigned int   optimize_zlib :1; /* Run optimization search */
696   unsigned int   quiet         :2; /* don't output summaries */
697   unsigned int   verbose       :3; /* various internal tracking */
698   unsigned int   skip          :3; /* Non-critical chunks to skip */
699#     define SKIP_NONE      0
700#     define SKIP_BAD_CRC   1    /* Chunks with a bad CRC */
701#     define SKIP_UNSAFE    2    /* Chunks not safe to copy */
702#     define SKIP_UNUSED    3    /* Chunks not used by libpng */
703#     define SKIP_TRANSFORM 4    /* Chunks only used in transforms */
704#     define SKIP_COLOR     5    /* Everything but tRNS, sBIT, gAMA and sRGB */
705#     define SKIP_ALL       6    /* Everything but tRNS and sBIT */
706
707   png_uint_32    idat_max;         /* 0 to perform no re-chunking */
708
709   int            status_code;      /* Accumulated status code */
710#     define TOO_FAR_BACK   0x01 /* found a too-far-back error */
711#     define CRC_ERROR      0x02 /* fixed an invalid CRC */
712#     define STREAM_ERROR   0x04 /* damaged PNG stream (may be fixable) */
713#     define TRUNCATED      0x08 /* truncated but still readable */
714#     define FILE_ERROR     0x10 /* could not read the file */
715#     define WRITE_ERROR    0x20 /* write error (this terminates the read) */
716#     define INTERNAL_ERROR 0x40 /* internal limits/errors encountered */
717
718   /* PUBLIC GLOBAL VARIABLES: USED INTERNALLY BY IDAT READ CODE */
719   struct IDAT_list idat_cache;  /* Cache of file IDAT information buffers */
720      /* The structure is shared across all uses of this global control
721       * structure to avoid reallocation between IDAT streams.
722       */
723};
724
725static int
726global_end(struct global *global)
727{
728
729   int rc;
730
731   IDAT_list_end(&global->idat_cache);
732   rc = global->status_code;
733   CLEAR(*global);
734   return rc;
735}
736
737static void
738global_init(struct global *global)
739   /* Call this once (and only once) to initialize the control */
740{
741   CLEAR(*global);
742
743   /* Globals */
744   global->errors        = 0;
745   global->warnings      = 0;
746   global->quiet         = 0;
747   global->verbose       = 0;
748   global->idat_max      = 0;         /* no re-chunking of IDAT */
749   global->optimize_zlib = 0;
750   global->skip          = SKIP_NONE;
751   global->status_code   = 0;
752
753   IDAT_list_init(&global->idat_cache);
754}
755
756static int
757skip_chunk_type(const struct global *global, png_uint_32 type)
758   /* Return true if this chunk is to be skipped according to the --strip
759    * option.  This code needs to recognize all known ancillary chunks in order
760    * to handle the --strip=unsafe option.
761    */
762{
763   /* Never strip critical chunks: */
764   if (CRITICAL(type))
765      return 0;
766
767   switch (type)
768   {
769      /* Chunks that are treated as, effectively, critical because they affect
770       * correct interpretation of the pixel values:
771       */
772      case png_tRNS: case png_sBIT:
773         return 0;
774
775      /* Chunks that specify gamma encoding which should therefore only be
776       * removed the the user insists:
777       */
778      case png_gAMA: case png_sRGB:
779         if (global->skip >= SKIP_ALL)
780            return 1;
781         return 0;
782
783      /* Chunks that affect color interpretation - not used by libpng and rarely
784       * used by applications, but technically still required for correct
785       * interpretation of the image data:
786       */
787      case png_cHRM: case png_iCCP:
788         if (global->skip >= SKIP_COLOR)
789            return 1;
790         return 0;
791
792      /* Other chunks that are used by libpng in image transformations (as
793       * opposed to known chunks that have get/set APIs but are not otherwise
794       * used.)
795       */
796      case png_bKGD:
797         if (global->skip >= SKIP_TRANSFORM)
798            return 1;
799         return 0;
800
801      /* All other chunks that libpng knows about and affect neither image
802       * interpretation nor libpng transforms - chunks that are effectively
803       * unused by libpng even though libpng might recognize and store them.
804       */
805      case png_fRAc: case png_gIFg: case png_gIFt: case png_gIFx: case png_hIST:
806      case png_iTXt: case png_oFFs: case png_pCAL: case png_pHYs: case png_sCAL:
807      case png_sPLT: case png_sTER: case png_tEXt: case png_tIME: case png_zTXt:
808         if (global->skip >= SKIP_UNUSED)
809            return 1;
810         return 0;
811
812      /* Chunks that libpng does not know about (notice that this depends on the
813       * list above including all known chunks!)  The decision here depends on
814       * whether the safe-to-copy bit is set in the chunk type.
815       */
816      default:
817         if (SAFE_TO_COPY(type))
818         {
819            if (global->skip >= SKIP_UNUSED) /* as above */
820               return 1;
821         }
822
823         else if (global->skip >= SKIP_UNSAFE)
824            return 1;
825
826         return 0;
827   }
828}
829
830/* PER-FILE CONTROL STRUCTURE */
831struct chunk;
832struct IDAT;
833struct file
834{
835   /* ANCESTORS */
836   struct global *global;
837
838   /* PUBLIC PER-FILE VARIABLES: CALLER INITIALIZE */
839   const char *   file_name;
840   const char *   out_name;      /* Name of output file (if required) */
841
842   /* PUBLIC PER-FILE VARIABLES: SET BY PNG READ CODE */
843   /* File specific result codes */
844   int            status_code;   /* Set to a bit mask of the following: */
845   int            read_errno;    /* Records a read error errno */
846   int            write_errno;   /* Records a write error errno */
847
848   /* IHDR information */
849   png_uint_32    width;
850   png_uint_32    height;
851   png_byte       bit_depth;
852   png_byte       color_type;
853   png_byte       compression_method;
854   png_byte       filter_method;
855   png_byte       interlace_method;
856
857   udigit         image_bytes[5];
858   int            image_digits;
859
860   /* PROTECTED PER-FILE VARIABLES: USED BY THE READ CODE */
861   FILE *         file;          /* Original PNG file */
862   FILE *         out;           /* If a new one is being written */
863   jmp_buf        jmpbuf;        /* Set while reading a PNG */
864
865   /* PROTECTED CHUNK SPECIFIC VARIABLES: USED BY CHUNK CODE */
866   /* The following variables are used during reading to record the length, type
867    * and data position of the *next* chunk or, right at the start, the
868    * signature (in length,type).
869    *
870    * When a chunk control structure is instantiated these values are copied
871    * into the structure and can then be overritten with the data for the next
872    * chunk.
873    */
874   fpos_t         data_pos;      /* Position of first byte of chunk data */
875   png_uint_32    length;        /* First word (length or signature start) */
876   png_uint_32    type;          /* Second word (type or signature end) */
877   png_uint_32    crc;           /* Running chunk CRC (used by read_chunk) */
878
879   /* These counts are maintained by the read and write routines below and are
880    * reset by the chunk handling code.  They record the total number of bytes
881    * read or written for the chunk, including the header (length,type) bytes.
882    */
883   png_uint_32    read_count;    /* Count of bytes read (in the chunk) */
884   png_uint_32    write_count;   /* Count of bytes written (in the chunk) */
885   int            state;         /* As defined here: */
886#     define STATE_SIGNATURE  0  /* The signature is being written */
887#     define STATE_CHUNKS     1  /* Non-IDAT chunks are being written */
888#     define STATE_IDAT       2  /* An IDAT stream is being written */
889
890   /* Two pointers used to enable clean-up in the event of fatal errors and to
891    * hold state about the parser process (only one of each at present.)
892    */
893   struct chunk * chunk;
894   struct IDAT *  idat;
895
896   /* Interface to allocate a new chunk or IDAT control structure.  The result
897    * is returned by setting one or other of the above variables.  Note that the
898    * relevant initializer is called by the allocator function.  The alloc_ptr
899    * is used only by the implementation of the allocate function.
900    */
901   void *         alloc_ptr;
902   void         (*alloc)(struct file*,int idat);
903                                  /* idat: allocate IDAT not chunk */
904};
905
906/* Valid longjmp (stop) codes are: */
907#define LIBPNG_WARNING_CODE   1 /* generic png_error */
908#define LIBPNG_ERROR_CODE     2 /* generic png_error */
909#define ZLIB_ERROR_CODE       3 /* generic zlib error */
910#define INVALID_ERROR_CODE    4 /* detected an invalid PNG */
911#define READ_ERROR_CODE       5 /* read failed */
912#define WRITE_ERROR_CODE      6 /* error in write */
913#define UNEXPECTED_ERROR_CODE 7 /* unexpected (internal?) error */
914
915static void
916emit_string(const char *str, FILE *out)
917   /* Print a string with spaces replaced by '_' and non-printing characters by
918    * an octal escape.
919    */
920{
921   for (; *str; ++str)
922      if (isgraph(UCHAR_MAX & *str))
923         putc(*str, out);
924
925      else if (isspace(UCHAR_MAX & *str))
926         putc('_', out);
927
928      else
929         fprintf(out, "\\%.3o", *str);
930}
931
932static const char *
933strcode(int code)
934{
935   switch (code)
936   {
937      case LIBPNG_WARNING_CODE:   return "warning";
938      case LIBPNG_ERROR_CODE:     return "libpng";
939      case ZLIB_ERROR_CODE:       return "zlib";
940      case INVALID_ERROR_CODE:    return "invalid";
941      case READ_ERROR_CODE:       return "read";
942      case WRITE_ERROR_CODE:      return "write";
943      case UNEXPECTED_ERROR_CODE: return "unexpected";
944      default:                    return "INVALID";
945   }
946}
947
948static void
949emit_error(struct file *file, int code, const char *what)
950   /* Generic error message routine, takes a 'stop' code but can be used
951    * elsewhere.  Always outputs a message.
952    */
953{
954   const char *reason;
955   int err = 0;
956
957   switch (code)
958   {
959      case LIBPNG_WARNING_CODE:   reason = "libpng warning:"; break;
960      case LIBPNG_ERROR_CODE:     reason = "libpng error:"; break;
961      case ZLIB_ERROR_CODE:       reason = "zlib error:"; break;
962      case INVALID_ERROR_CODE:    reason = "invalid"; break;
963      case READ_ERROR_CODE:       reason = "read failure:";
964                                  err = file->read_errno;
965                                  break;
966      case WRITE_ERROR_CODE:      reason = "write error";
967                                  err = file->write_errno;
968                                  break;
969      case UNEXPECTED_ERROR_CODE: reason = "unexpected error:";
970                                  err = file->read_errno;
971                                  if (err == 0)
972                                     err = file->write_errno;
973                                  break;
974      default:                    reason = "INVALID (internal error):"; break;
975   }
976
977   if (err != 0)
978      fprintf(stderr, "%s: %s %s [%s]\n", file->file_name, reason, what,
979         strerror(err));
980
981   else
982      fprintf(stderr, "%s: %s %s\n", file->file_name, reason, what);
983}
984
985static void chunk_end(struct chunk **);
986static void IDAT_end(struct IDAT **);
987
988static int
989file_end(struct file *file)
990{
991   int rc;
992
993   /* If either of the chunk pointers are set end them here, the IDAT structure
994    * must be deallocated first as it may deallocate the chunk structure.
995    */
996   if (file->idat != NULL)
997      IDAT_end(&file->idat);
998
999   if (file->chunk != NULL)
1000      chunk_end(&file->chunk);
1001
1002   rc = file->status_code;
1003
1004   if (file->file != NULL)
1005      (void)fclose(file->file);
1006
1007   if (file->out != NULL)
1008   {
1009      /* NOTE: this is bitwise |, all the following functions must execute and
1010       * must succeed.
1011       */
1012      if (ferror(file->out) | fflush(file->out) | fclose(file->out))
1013      {
1014         perror(file->out_name);
1015         emit_error(file, READ_ERROR_CODE, "output write error");
1016         rc |= WRITE_ERROR;
1017      }
1018   }
1019
1020   /* Accumulate the result codes */
1021   file->global->status_code |= rc;
1022
1023   CLEAR(*file);
1024
1025   return rc; /* status code: non-zero on read or write error */
1026}
1027
1028static int
1029file_init(struct file *file, struct global *global, const char *file_name,
1030   const char *out_name, void *alloc_ptr, void (*alloc)(struct file*,int))
1031   /* Initialize a file control structure.  This will open the given files as
1032    * well.  The status code returned is 0 on success, non zero (using the flags
1033    * above) on a file open error.
1034    */
1035{
1036   CLEAR(*file);
1037   file->global = global;
1038
1039   file->file_name = file_name;
1040   file->out_name = out_name;
1041   file->status_code = 0;
1042   file->read_errno = 0;
1043   file->write_errno = 0;
1044
1045   file->file = NULL;
1046   file->out = NULL;
1047   /* jmpbuf is garbage: must be set by read_png */
1048
1049   file->read_count = 0;
1050   file->state = STATE_SIGNATURE;
1051
1052   file->chunk = NULL;
1053   file->idat = NULL;
1054
1055   file->alloc_ptr = alloc_ptr;
1056   file->alloc = alloc;
1057
1058   /* Open the files: */
1059   assert(file_name != NULL);
1060   file->file = fopen(file_name, "rb");
1061
1062   if (file->file == NULL)
1063   {
1064      file->read_errno = errno;
1065      file->status_code |= FILE_ERROR;
1066      /* Always output: please give a readable file! */
1067      perror(file_name);
1068      return FILE_ERROR;
1069   }
1070
1071   if (out_name != NULL)
1072   {
1073      file->out = fopen(out_name, "wb");
1074
1075      if (file->out == NULL)
1076      {
1077         file->write_errno = errno;
1078         file->status_code |= WRITE_ERROR;
1079         perror(out_name);
1080         return WRITE_ERROR;
1081      }
1082   }
1083
1084   return 0;
1085}
1086
1087static void
1088log_error(struct file *file, int code, const char *what)
1089   /* Like emit_error but checks the global 'errors' flag */
1090{
1091   if (file->global->errors)
1092      emit_error(file, code, what);
1093}
1094
1095static char
1096type_char(png_uint_32 v)
1097{
1098   /* In fact because chunk::chunk_type is validated prior to any call to this
1099    * function it will always return a-zA-Z, but the extra codes are just there
1100    * to help in finding internal (programming) errors.  Note that the code only
1101    * ever considers the low 7 bits of the value (so it is not necessary for the
1102    * type_name function to mask of the byte.)
1103    */
1104   if (v & 32)
1105      return "!abcdefghijklmnopqrstuvwxyz56789"[(v-96)&31];
1106
1107   else
1108      return "@ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"[(v-64)&31];
1109}
1110
1111static void
1112type_name(png_uint_32 type, FILE *out)
1113{
1114   putc(type_char(type >> 24), out);
1115   putc(type_char(type >> 16), out);
1116   putc(type_char(type >>  8), out);
1117   putc(type_char(type      ), out);
1118}
1119
1120static void
1121type_sep(FILE *out)
1122{
1123   putc(':', out);
1124   putc(' ', out);
1125}
1126
1127static png_uint_32 current_type(struct file *file, int code);
1128
1129PNG_NORETURN static void
1130stop(struct file *file, int code, const char *what)
1131   /* Return control when a PNG file cannot be read. This outputs an 'ERR'
1132    * summary line too.
1133    */
1134{
1135   log_error(file, code, what);
1136
1137   /* The chunk being read is typically identified by file->chunk or, if this is
1138    * NULL, by file->type.  This may be wrong if libpng reads ahead, but this
1139    * only happens with IDAT where libpng reads the header then jumps around
1140    * finding errors in the previous chunks.  We know that is happening because
1141    * we are at the start of the IDAT (i.e. no IDAT data has yet been written.)
1142    *
1143    * SUMMARY FORMAT (stop):
1144    *
1145    * IDAT ERR status code read-errno write-errno message file
1146    *
1147    * 'uncompressed' will be 0 if there was a problem in the IHDR.  The errno
1148    * values are emit_string(strerror(errno)).
1149    */
1150   if (file->global->quiet < 2) /* need two quiets to stop this. */
1151   {
1152      png_uint_32 type;
1153
1154      if (file->chunk != NULL)
1155         type = current_type(file, code); /* Gropes in struct chunk and IDAT */
1156
1157      else
1158         type = file->type;
1159
1160      if (type)
1161         type_name(type, stdout);
1162
1163      else /* magic: an IDAT header, produces bogons for too many IDATs */
1164         fputs("HEAD", stdout); /* not a registered chunk! */
1165
1166      printf(" ERR %.2x %s ", file->status_code, strcode(code));
1167      /* This only works one strerror at a time, because of the way strerror is
1168       * implemented.
1169       */
1170      emit_string(strerror(file->read_errno), stdout);
1171      putc(' ', stdout);
1172      emit_string(strerror(file->write_errno), stdout);
1173      putc(' ', stdout);
1174      emit_string(what, stdout);
1175      putc(' ', stdout);
1176      fputs(file->file_name, stdout);
1177      putc('\n', stdout);
1178   }
1179
1180   file->status_code |= FILE_ERROR;
1181   longjmp(file->jmpbuf, code);
1182}
1183
1184PNG_NORETURN static void
1185stop_invalid(struct file *file, const char *what)
1186{
1187   stop(file, INVALID_ERROR_CODE, what);
1188}
1189
1190static void
1191type_message(struct file *file, png_uint_32 type, const char *what)
1192   /* Error message for a chunk; the chunk name comes from 'type' */
1193{
1194   if (file->global->errors)
1195   {
1196      fputs(file->file_name, stderr);
1197      type_sep(stderr);
1198      type_name(type, stderr);
1199      type_sep(stderr);
1200      fputs(what, stderr);
1201      putc('\n', stderr);
1202   }
1203}
1204
1205/* Input file positioning - we jump around in the input file while reading
1206 * stuff, these wrappers deal with the error handling.
1207 */
1208static void
1209file_getpos(struct file *file, fpos_t *pos)
1210{
1211   if (fgetpos(file->file, pos))
1212   {
1213      /* This is unexpected, so perror it */
1214      perror(file->file_name);
1215      stop(file, READ_ERROR_CODE, "fgetpos");
1216   }
1217}
1218
1219static void
1220file_setpos(struct file *file, const fpos_t *pos)
1221{
1222   if (fsetpos(file->file, pos))
1223   {
1224      perror(file->file_name);
1225      stop(file, READ_ERROR_CODE, "fsetpos");
1226   }
1227}
1228
1229static void
1230getpos(struct file *file)
1231   /* Get the current position and store it in 'data_pos'.  The corresponding
1232    * setpos() function is chunk specific because it uses the copy of the
1233    * position for the specific chunk.
1234    */
1235{
1236   file_getpos(file, &file->data_pos);
1237}
1238
1239
1240/* Read utility - read a single byte, returns a value in the range 0..255 or EOF
1241 * on a read error.  In the latter case status_code and read_errno are updated
1242 * appropriately.
1243 */
1244static int
1245read_byte(struct file *file)
1246{
1247   int ch = getc(file->file);
1248
1249   if (ch >= 0 && ch <= 255)
1250   {
1251      ++(file->read_count);
1252      return ch;
1253   }
1254
1255   else if (ch != EOF)
1256   {
1257      file->status_code |= INTERNAL_ERROR;
1258      file->read_errno = ERANGE; /* out of range character */
1259
1260      /* This is very unexpected; an error message is always output: */
1261      emit_error(file, UNEXPECTED_ERROR_CODE, "file read");
1262   }
1263
1264#  ifdef EINTR
1265      else if (errno == EINTR) /* Interrupted, try again */
1266      {
1267         errno = 0;
1268         return read_byte(file);
1269      }
1270#  endif
1271
1272   else
1273   {
1274      /* An error, it doesn't really matter what the error is but it gets
1275       * recorded anyway.
1276       */
1277      if (ferror(file->file))
1278         file->read_errno = errno;
1279
1280      else if (feof(file->file))
1281         file->read_errno = 0; /* I.e. a regular EOF, no error */
1282
1283      else /* unexpected */
1284         file->read_errno = EDOM;
1285   }
1286
1287   /* 'TRUNCATED' is used for all cases of failure to read a byte, because of
1288    * the way libpng works a byte read is never attempted unless the byte is
1289    * expected to be there, so EOF should not occur.
1290    */
1291   file->status_code |= TRUNCATED;
1292   return EOF;
1293}
1294
1295static png_byte
1296reread_byte(struct file *file)
1297   /* Read a byte when an error is not expected to happen because the byte has
1298    * been read before without error.
1299    */
1300{
1301   int ch = getc(file->file);
1302
1303   if (errno != 0)
1304      file->read_errno = errno;
1305
1306   if (ch < 0 || ch > 255)
1307      stop(file, UNEXPECTED_ERROR_CODE, "reread");
1308
1309   return (png_byte)ch;
1310}
1311
1312static png_uint_32
1313reread_4(struct file *file)
1314   /* The same but for a four byte quantity */
1315{
1316   png_uint_32 result = 0;
1317   int i = 0;
1318
1319   while (++i <= 4)
1320      result = (result << 8) + reread_byte(file);
1321
1322   return result;
1323}
1324
1325static void
1326skip_12(struct file *file)
1327   /* Skip exactly 12 bytes in the input stream - used to skip a CRC and chunk
1328    * header that has been read before.
1329    */
1330{
1331   /* Since the chunks were read before this shouldn't fail: */
1332   if (fseek(file->file, 12, SEEK_CUR) != 0)
1333   {
1334      if (errno != 0)
1335         file->read_errno = errno;
1336
1337      stop(file, UNEXPECTED_ERROR_CODE, "reskip");
1338   }
1339}
1340
1341static void
1342write_byte(struct file *file, int b)
1343   /* Write one byte to the output - this causes a fatal error if the write
1344    * fails and the read of this PNG file immediately terminates.  Just
1345    * increments the write count if there is no output file.
1346    */
1347{
1348   if (file->out != NULL)
1349   {
1350      if (putc(b, file->out) != b)
1351      {
1352         file->write_errno = errno;
1353         file->status_code |= WRITE_ERROR;
1354         stop(file, WRITE_ERROR_CODE, "write byte");
1355      }
1356   }
1357
1358   ++(file->write_count);
1359}
1360
1361/* Derivatives of the read/write functions. */
1362static unsigned int
1363read_4(struct file *file, png_uint_32 *pu)
1364   /* Read four bytes, returns the number of bytes read successfully and, if all
1365    * four bytes are read, assigns the result to *pu.
1366    */
1367{
1368   unsigned int i = 0;
1369   png_uint_32 val = 0;
1370
1371   do
1372   {
1373      int ch = read_byte(file);
1374
1375      if (ch == EOF)
1376         return i;
1377
1378      val = (val << 8) + ch;
1379   } while (++i < 4);
1380
1381   *pu = val;
1382   return i;
1383}
1384
1385/* CRC handling - read but calculate the CRC while doing so. */
1386static int
1387crc_read_many(struct file *file, png_uint_32 length)
1388   /* Reads 'length' bytes and updates the CRC, returns true on success, false
1389    * if the input is truncated.
1390    */
1391{
1392   if (length > 0)
1393   {
1394      png_uint_32 crc = file->crc;
1395
1396      do
1397      {
1398         int ch = read_byte(file);
1399
1400         if (ch == EOF)
1401            return 0; /* Truncated */
1402
1403         crc = crc_one_byte(crc, ch);
1404      }
1405      while (--length > 0);
1406
1407      file->crc = crc;
1408   }
1409
1410   return 1; /* OK */
1411}
1412
1413static int
1414calc_image_size(struct file *file)
1415   /* Fill in the image_bytes field given the IHDR information, calls stop on
1416    * error.
1417    */
1418{
1419   png_uint_16 pd = file->bit_depth;
1420
1421   switch (file->color_type)
1422   {
1423      default:
1424         stop_invalid(file, "IHDR: colour type");
1425
1426      invalid_bit_depth:
1427         stop_invalid(file, "IHDR: bit depth");
1428
1429      case 0: /* g */
1430         if (pd != 1 && pd != 2 && pd != 4 && pd != 8 && pd != 16)
1431            goto invalid_bit_depth;
1432         break;
1433
1434      case 3:
1435         if (pd != 1 && pd != 2 && pd != 4 && pd != 8)
1436            goto invalid_bit_depth;
1437         break;
1438
1439      case 2: /* rgb */
1440         if (pd != 8 && pd != 16)
1441            goto invalid_bit_depth;
1442
1443         pd = (png_uint_16)(pd * 3);
1444         break;
1445
1446      case 4: /* ga */
1447         if (pd != 8 && pd != 16)
1448            goto invalid_bit_depth;
1449
1450         pd = (png_uint_16)(pd * 2);
1451         break;
1452
1453      case 6: /* rgba */
1454         if (pd != 8 && pd != 16)
1455            goto invalid_bit_depth;
1456
1457         pd = (png_uint_16)(pd * 4);
1458         break;
1459   }
1460
1461   if (file->width < 1 || file->width > 0x7fffffff)
1462      stop_invalid(file, "IHDR: width");
1463
1464   else if (file->height < 1 || file->height > 0x7fffffff)
1465      stop_invalid(file, "IHDR: height");
1466
1467   else if (file->compression_method != 0)
1468      stop_invalid(file, "IHDR: compression method");
1469
1470   else if (file->filter_method != 0)
1471      stop_invalid(file, "IHDR: filter method");
1472
1473   else switch (file->interlace_method)
1474   {
1475      case PNG_INTERLACE_ADAM7:
1476         /* Interlacing makes the image larger because of the replication of
1477          * both the filter byte and the padding to a byte boundary.
1478          */
1479         {
1480            int pass;
1481            int image_digits = 0;
1482            udigit row_width[2], row_bytes[3];
1483
1484            for (pass=0; pass<=6; ++pass)
1485            {
1486               png_uint_32 pw = PNG_PASS_COLS(file->width, pass);
1487
1488               if (pw > 0)
1489               {
1490                  int  digits;
1491
1492                  /* calculate 1+((pw*pd+7)>>3) in row_bytes */
1493                  digits = uarb_mult_digit(row_bytes, uarb_set(row_bytes, 7),
1494                     row_width, uarb_set(row_width, pw), pd);
1495                  digits = uarb_shift(row_bytes, digits, 3);
1496                  digits = uarb_inc(row_bytes, digits, 1);
1497
1498                  /* Add row_bytes * pass-height to the file image_bytes field
1499                   */
1500                  image_digits = uarb_mult32(file->image_bytes, image_digits,
1501                     row_bytes, digits,
1502                     PNG_PASS_ROWS(file->height, pass));
1503               }
1504            }
1505
1506            file->image_digits = image_digits;
1507         }
1508         break;
1509
1510      case PNG_INTERLACE_NONE:
1511         {
1512            int  digits;
1513            udigit row_width[2], row_bytes[3];
1514
1515            /* As above, but use image_width in place of the pass width: */
1516            digits = uarb_mult_digit(row_bytes, uarb_set(row_bytes, 7),
1517               row_width, uarb_set(row_width, file->width), pd);
1518            digits = uarb_shift(row_bytes, digits, 3);
1519            digits = uarb_inc(row_bytes, digits, 1);
1520
1521            /* Set row_bytes * image-height to the file image_bytes field */
1522            file->image_digits = uarb_mult32(file->image_bytes, 0,
1523               row_bytes, digits, file->height);
1524         }
1525         break;
1526
1527      default:
1528         stop_invalid(file, "IHDR: interlace method");
1529   }
1530
1531   assert(file->image_digits >= 1 && file->image_digits <= 5);
1532   return 1;
1533}
1534
1535/* PER-CHUNK CONTROL STRUCTURE
1536 * This structure is instantiated for each chunk, except for the IDAT chunks
1537 * where one chunk control structure is used for the whole of a single stream of
1538 * IDAT chunks (see the IDAT control structure below).
1539 */
1540struct chunk
1541{
1542   /* ANCESTORS */
1543   struct file *         file;
1544   struct global *       global;
1545
1546   /* PUBLIC IDAT INFORMATION: SET BY THE ZLIB CODE */
1547   udigit         uncompressed_bytes[5];
1548   int            uncompressed_digits;
1549   udigit         compressed_bytes[5];
1550   int            compressed_digits;
1551
1552   /* PUBLIC PER-CHUNK INFORMATION: USED BY CHUNK READ CODE */
1553   /* This information is filled in by chunk_init from the data in the file
1554    * control structure, but chunk_length may be changed later.
1555    */
1556   fpos_t         chunk_data_pos;    /* Position of first byte of chunk data */
1557   png_uint_32    chunk_length;      /* From header (or modified below) */
1558   png_uint_32    chunk_type;        /* From header */
1559
1560   /* PUBLIC PER-CHUNK INFORMATION: FOR THE CHUNK WRITE CODE */
1561   png_uint_32    write_crc;         /* Output CRC (may differ from read_crc) */
1562   png_uint_32    rewrite_offset;    /* Count of bytes before rewrite. */
1563   int            rewrite_length;    /* Number of bytes left to change */
1564   png_byte       rewrite_buffer[2]; /* Buffer of new byte values */
1565};
1566
1567static void
1568chunk_message(struct chunk *chunk, const char *message)
1569{
1570   type_message(chunk->file, chunk->chunk_type, message);
1571}
1572
1573static void
1574chunk_end(struct chunk **chunk_var)
1575{
1576   struct chunk *chunk = *chunk_var;
1577
1578   *chunk_var = NULL;
1579   CLEAR(*chunk);
1580}
1581
1582static void
1583chunk_init(struct chunk * const chunk, struct file * const file)
1584   /* When a chunk is initialized the file length/type/pos are copied into the
1585    * corresponding chunk fields and the new chunk is registered in the file
1586    * structure.  There can only be one chunk at a time.
1587    *
1588    * NOTE: this routine must onely be called from the file alloc routine!
1589    */
1590{
1591   assert(file->chunk == NULL);
1592
1593   CLEAR(*chunk);
1594
1595   chunk->file = file;
1596   chunk->global = file->global;
1597
1598   chunk->chunk_data_pos = file->data_pos;
1599   chunk->chunk_length = file->length;
1600   chunk->chunk_type = file->type;
1601
1602   /* Compresssed/uncompressed size information (from the zlib control structure
1603    * that is used to check the compressed data in a chunk.)
1604    */
1605   chunk->uncompressed_digits = 0;
1606   chunk->compressed_digits = 0;
1607
1608   file->chunk = chunk;
1609}
1610
1611static png_uint_32
1612current_type(struct file *file, int code)
1613   /* Guess the actual chunk type that causes a stop() */
1614{
1615   /* This may return png_IDAT for errors detected (late) in the header; that
1616    * includes any inter-chunk consistency check that libpng performs.  Assume
1617    * that if the chunk_type is png_IDAT and the file write count is 8 this is
1618    * what is happening.
1619    */
1620   if (file->chunk != NULL)
1621   {
1622      png_uint_32 type = file->chunk->chunk_type;
1623
1624      /* This is probably wrong for the excess IDATs case, because then libpng
1625       * whines about too many of them (apparently in some cases erroneously)
1626       * when the header is read.
1627       */
1628      if (code <= LIBPNG_ERROR_CODE && type == png_IDAT &&
1629         file->write_count == 8)
1630         type = 0; /* magic */
1631
1632      return type;
1633   }
1634
1635   else
1636      return file->type;
1637}
1638
1639static void
1640setpos(struct chunk *chunk)
1641   /* Reset the position to 'chunk_data_pos' - the start of the data for this
1642    * chunk.  As a side effect the read_count in the file is reset to 8, just
1643    * after the length/type header.
1644    */
1645{
1646   chunk->file->read_count = 8;
1647   file_setpos(chunk->file, &chunk->chunk_data_pos);
1648}
1649
1650/* Specific chunk handling - called for each chunk header, all special chunk
1651 * processing is initiated in these functions.
1652 */
1653/* The next functions handle special processing for those chunks with LZ data,
1654 * the data is identified and checked for validity.  If there are problems which
1655 * cannot be corrected the routines return false, otherwise true (although
1656 * modification to the zlib header may be required.)
1657 *
1658 * The compressed data is in zlib format (RFC1950) and consequently has a
1659 * minimum length of 7 bytes.
1660 */
1661static int zlib_check(struct file *file, png_uint_32 offset);
1662
1663static int
1664process_zTXt_iCCP(struct file *file)
1665   /* zTXt and iCCP have exactly the same form - keyword, null, compression
1666    * method then compressed data.
1667    */
1668{
1669   struct chunk *chunk = file->chunk;
1670   png_uint_32 length;
1671   png_uint_32 index = 0;
1672
1673   assert(chunk != NULL && file->idat == NULL);
1674   length = chunk->chunk_length;
1675   setpos(chunk);
1676
1677   while (length >= 9)
1678   {
1679      --length;
1680      ++index;
1681      if (reread_byte(file) == 0) /* keyword null terminator */
1682      {
1683         --length;
1684         ++index;
1685         (void)reread_byte(file); /* compression method */
1686         return zlib_check(file, index);
1687      }
1688   }
1689
1690   chunk_message(chunk, "too short");
1691   return 0; /* skip */
1692}
1693
1694static int
1695process_iTXt(struct file *file)
1696{
1697   /* Like zTXt but more fields. */
1698   struct chunk *chunk = file->chunk;
1699   png_uint_32 length;
1700   png_uint_32 index = 0;
1701
1702   assert(chunk != NULL && file->idat == NULL);
1703   length = chunk->chunk_length;
1704   setpos(chunk);
1705
1706   while (length >= 5)
1707   {
1708      --length;
1709      ++index;
1710      if (reread_byte(file) == 0) /* keyword null terminator */
1711      {
1712         --length;
1713         ++index;
1714         if (reread_byte(file) == 0) /* uncompressed text */
1715            return 1; /* nothing to check */
1716
1717         --length;
1718         ++index;
1719         (void)reread_byte(file); /* compression method */
1720
1721         /* Skip the language tag (null terminated). */
1722         while (length >= 9)
1723         {
1724            --length;
1725            ++index;
1726            if (reread_byte(file) == 0) /* terminator */
1727            {
1728               /* Skip the translated keyword */
1729               while (length >= 8)
1730               {
1731                  --length;
1732                  ++index;
1733                  if (reread_byte(file) == 0) /* terminator */
1734                     return zlib_check(file, index);
1735               }
1736            }
1737         }
1738
1739         /* Ran out of bytes in the compressed case. */
1740         break;
1741      }
1742   }
1743
1744   log_error(file, INVALID_ERROR_CODE, "iTXt chunk length");
1745
1746   return 0; /* skip */
1747}
1748
1749/* IDAT READ/WRITE CONTROL STRUCTURE */
1750struct IDAT
1751{
1752   /* ANCESTORS */
1753   struct file *         file;
1754   struct global *       global;
1755
1756   /* PROTECTED IDAT INFORMATION: SET BY THE IDAT READ CODE */
1757   struct IDAT_list *idat_list_head; /* START of the list of IDAT information */
1758   struct IDAT_list *idat_list_tail; /* *END* of the list of IDAT information */
1759
1760   /* PROTECTED IDAT INFORMATION: USED BY THE IDAT WRITE CODE */
1761   struct IDAT_list *idat_cur;       /* Current list entry */
1762   unsigned int      idat_count;     /* And the *current* index into the list */
1763   png_uint_32       idat_index;     /* Index of *next* input byte to write */
1764   png_uint_32       idat_length;    /* Cache of current chunk length */
1765};
1766
1767/* NOTE: there is currently no IDAT_reset, so a stream cannot contain more than
1768 * one IDAT sequence (i.e. MNG is not supported).
1769 */
1770
1771static void
1772IDAT_end(struct IDAT **idat_var)
1773{
1774   struct IDAT *idat = *idat_var;
1775   struct file *file = idat->file;
1776
1777   *idat_var = NULL;
1778
1779   CLEAR(*idat);
1780
1781   assert(file->chunk != NULL);
1782   chunk_end(&file->chunk);
1783
1784   /* Regardless of why the IDAT was killed set the state back to CHUNKS (it may
1785    * already be CHUNKS because the state isn't changed until process_IDAT
1786    * returns; a stop will cause IDAT_end to be entered in state CHUNKS!)
1787    */
1788   file->state = STATE_CHUNKS;
1789}
1790
1791static void
1792IDAT_init(struct IDAT * const idat, struct file * const file)
1793   /* When the chunk is png_IDAT instantiate an IDAT control structure in place
1794    * of a chunk control structure.  The IDAT will instantiate a chunk control
1795    * structure using the file alloc routine.
1796    *
1797    * NOTE: this routine must only be called from the file alloc routine!
1798    */
1799{
1800   assert(file->chunk == NULL);
1801   assert(file->idat == NULL);
1802
1803   CLEAR(*idat);
1804
1805   idat->file = file;
1806   idat->global = file->global;
1807
1808   /* Initialize the tail to the pre-allocated buffer and set the count to 0
1809    * (empty.)
1810    */
1811   idat->global->idat_cache.count = 0;
1812   idat->idat_list_head = idat->idat_list_tail = &idat->global->idat_cache;
1813
1814   /* Now the chunk.  The allocator calls the initializer of the new chunk and
1815    * stores the result in file->chunk:
1816    */
1817   file->alloc(file, 0/*chunk*/);
1818   assert(file->chunk != NULL);
1819
1820   /* And store this for cleanup (and to check for double alloc or failure to
1821    * free.)
1822    */
1823   file->idat = idat;
1824}
1825
1826static png_uint_32
1827rechunk_length(struct IDAT *idat)
1828   /* Return the length for the next IDAT chunk, taking into account
1829    * rechunking.
1830    */
1831{
1832   png_uint_32 len = idat->global->idat_max;
1833
1834   if (len == 0) /* use original chunk lengths */
1835   {
1836      const struct IDAT_list *cur;
1837      unsigned int count;
1838
1839      if (idat->idat_index == 0) /* at the new chunk (first time) */
1840         return idat->idat_length; /* use the cache */
1841
1842      /* Otherwise rechunk_length is called at the end of a chunk for the length
1843       * of the next one.
1844       */
1845      cur = idat->idat_cur;
1846      count = idat->idat_count;
1847
1848      assert(idat->idat_index == idat->idat_length &&
1849         idat->idat_length == cur->lengths[count]);
1850
1851      /* Return length of the *next* chunk */
1852      if (++count < cur->count)
1853         return cur->lengths[count];
1854
1855      /* End of this list */
1856      assert(cur != idat->idat_list_tail);
1857      cur = cur->next;
1858      assert(cur != NULL && cur->count > 0);
1859      return cur->lengths[0];
1860   }
1861
1862   else /* rechunking */
1863   {
1864      /* The chunk size is the lesser of file->idat_max and the number
1865       * of remaining bytes.
1866       */
1867      png_uint_32 have = idat->idat_length - idat->idat_index;
1868
1869      if (len > have)
1870      {
1871         struct IDAT_list *cur = idat->idat_cur;
1872         unsigned int j = idat->idat_count+1; /* the next IDAT in the list */
1873
1874         do
1875         {
1876            /* Add up the remaining bytes.  This can't overflow because the
1877             * individual lengths are always <= 0x7fffffff, so when we add two
1878             * of them overflow is not possible.
1879             */
1880            assert(cur != NULL);
1881
1882            for (;;)
1883            {
1884               /* NOTE: IDAT_list::count here, not IDAT_list::length */
1885               for (; j < cur->count; ++j)
1886               {
1887                  have += cur->lengths[j];
1888                  if (len <= have)
1889                     return len;
1890               }
1891
1892               /* If this was the end return the count of the available bytes */
1893               if (cur == idat->idat_list_tail)
1894                  return have;
1895
1896               cur = cur->next;
1897               j = 0;
1898            }
1899         }
1900         while (len > have);
1901      }
1902
1903      return len;
1904   }
1905}
1906
1907static int
1908process_IDAT(struct file *file)
1909   /* Process the IDAT stream, this is the more complex than the preceding
1910    * cases because the compressed data is spread across multiple IDAT chunks
1911    * (typically).  Rechunking of the data is not handled here; all this
1912    * function does is establish whether the zlib header needs to be modified.
1913    *
1914    * Initially the function returns false, indicating that the chunk should not
1915    * be written.  It does this until the last IDAT chunk is passed in, then it
1916    * checks the zlib data and returns true.
1917    *
1918    * It does not return false on a fatal error; it calls stop instead.
1919    *
1920    * The caller must have an instantiated (IDAT) control structure and it must
1921    * have extent over the whole read of the IDAT stream.  For a PNG this means
1922    * the whole PNG read, for MNG it could have lesser extent.
1923    */
1924{
1925   struct IDAT_list *list;
1926
1927   assert(file->idat != NULL && file->chunk != NULL);
1928
1929   /* We need to first check the entire sequence of IDAT chunks to ensure the
1930    * stream is in sync.  Do this by building a list of all the chunks and
1931    * recording the length of each because the length may have been fixed up by
1932    * sync_stream below.
1933    *
1934    * At the end of the list of chunks, where the type of the next chunk is not
1935    * png_IDAT, process the whole stream using the list data to check validity
1936    * then return control to the start and rewrite everything.
1937    */
1938   list = file->idat->idat_list_tail;
1939
1940   if (list->count == list->length)
1941   {
1942      list = IDAT_list_extend(list);
1943
1944      if (list == NULL)
1945         stop(file, READ_ERROR_CODE, "out of memory");
1946
1947      /* Move to the next block */
1948      list->count = 0;
1949      file->idat->idat_list_tail = list;
1950   }
1951
1952   /* And fill in the next IDAT information buffer. */
1953   list->lengths[(list->count)++] = file->chunk->chunk_length;
1954
1955   /* The type of the next chunk was recorded in the file control structure by
1956    * the caller, if this is png_IDAT return 'skip' to the caller.
1957    */
1958   if (file->type == png_IDAT)
1959      return 0; /* skip this for the moment */
1960
1961   /* This is the final IDAT chunk, so run the tests to check for the too far
1962    * back error and possibly optimize the window bits.  This means going back
1963    * to the start of the first chunk data, which is stored in the original
1964    * chunk allocation.
1965    */
1966   setpos(file->chunk);
1967
1968   if (zlib_check(file, 0))
1969   {
1970      struct IDAT *idat;
1971      int cmp;
1972
1973      /* The IDAT stream was successfully uncompressed; see whether it
1974       * contained the correct number of bytes of image data.
1975       */
1976      cmp = uarb_cmp(file->image_bytes, file->image_digits,
1977         file->chunk->uncompressed_bytes, file->chunk->uncompressed_digits);
1978
1979      if (cmp < 0)
1980         type_message(file, png_IDAT, "extra uncompressed data");
1981
1982      else if (cmp > 0)
1983         stop(file, LIBPNG_ERROR_CODE, "IDAT: uncompressed data too small");
1984
1985      /* Return the stream to the start of the first IDAT chunk; the length
1986       * is set in the write case below but the input chunk variables must be
1987       * set (once) here:
1988       */
1989      setpos(file->chunk);
1990
1991      idat = file->idat;
1992      idat->idat_cur = idat->idat_list_head;
1993      idat->idat_length = idat->idat_cur->lengths[0];
1994      idat->idat_count = 0; /* Count of chunks read in current list */
1995      idat->idat_index = 0; /* Index into chunk data */
1996
1997      /* Update the chunk length to the correct value for the IDAT chunk: */
1998      file->chunk->chunk_length = rechunk_length(idat);
1999
2000      /* Change the state to writing IDAT chunks */
2001      file->state = STATE_IDAT;
2002
2003      return 1;
2004   }
2005
2006   else /* Failure to decompress the IDAT stream; give up. */
2007      stop(file, ZLIB_ERROR_CODE, "could not uncompress IDAT");
2008}
2009
2010/* ZLIB CONTROL STRUCTURE */
2011struct zlib
2012{
2013   /* ANCESTORS */
2014   struct IDAT *  idat;          /* NOTE: May be NULL */
2015   struct chunk * chunk;
2016   struct file *  file;
2017   struct global *global;
2018
2019   /* GLOBAL ZLIB INFORMATION: SET BY THE CALLER */
2020   png_uint_32    rewrite_offset;
2021
2022   /* GLOBAL ZLIB INFORMATION: SET BY THE ZLIB READ CODE */
2023   udigit         compressed_bytes[5];
2024   int            compressed_digits;
2025   udigit         uncompressed_bytes[5];
2026   int            uncompressed_digits;
2027   int            file_bits;             /* window bits from the file */
2028   int            ok_bits;               /* Set <16 on a successful read */
2029   int            cksum;                 /* Set on a checksum error */
2030
2031   /* PROTECTED ZLIB INFORMATION: USED BY THE ZLIB ROUTINES */
2032   z_stream       z;
2033   png_uint_32    extra_bytes;   /* Count of extra compressed bytes */
2034   int            state;
2035   int            rc;            /* Last return code */
2036   int            window_bits;   /* 0 if no change */
2037   png_byte       header[2];
2038};
2039
2040static const char *
2041zlib_flevel(struct zlib *zlib)
2042{
2043   switch (zlib->header[1] >> 6)
2044   {
2045      case 0:  return "supfast";
2046      case 1:  return "stdfast";
2047      case 2:  return "default";
2048      case 3:  return "maximum";
2049      default: assert(UNREACHED);
2050   }
2051
2052   return "COMPILER BUG";
2053}
2054
2055static const char *
2056zlib_rc(struct zlib *zlib)
2057   /* Return a string for the zlib return code */
2058{
2059   switch (zlib->rc)
2060   {
2061      case Z_OK:              return "Z_OK";
2062      case Z_STREAM_END:      return "Z_STREAM_END";
2063      case Z_NEED_DICT:       return "Z_NEED_DICT";
2064      case Z_ERRNO:           return "Z_ERRNO";
2065      case Z_STREAM_ERROR:    return "Z_STREAM_ERROR";
2066      case Z_DATA_ERROR:      return "Z_DATA_ERROR";
2067      case Z_MEM_ERROR:       return "Z_MEM_ERROR";
2068      case Z_BUF_ERROR:       return "Z_BUF_ERROR";
2069      case Z_VERSION_ERROR:   return "Z_VERSION_ERROR";
2070      default:                return "Z_*INVALID_RC*";
2071   }
2072}
2073
2074static void
2075zlib_message(struct zlib *zlib, int unexpected)
2076   /* Output a message given a zlib rc */
2077{
2078   if (zlib->global->errors)
2079   {
2080      const char *reason = zlib->z.msg;
2081
2082      if (reason == NULL)
2083         reason = "[no message]";
2084
2085      fputs(zlib->file->file_name, stderr);
2086      type_sep(stderr);
2087      type_name(zlib->chunk->chunk_type, stderr);
2088      fprintf(stderr, ": %szlib error: %d (%s) (%s)\n",
2089         unexpected ? "unexpected " : "", zlib->rc, zlib_rc(zlib), reason);
2090   }
2091}
2092
2093static void
2094zlib_end(struct zlib *zlib)
2095{
2096   /* Output the summary line now; this ensures a summary line always gets
2097    * output regardless of the manner of exit.
2098    */
2099   if (!zlib->global->quiet)
2100   {
2101      if (zlib->ok_bits < 16) /* stream was read ok */
2102      {
2103         const char *reason;
2104
2105         if (zlib->cksum)
2106            reason = "CHK"; /* checksum error */
2107
2108         else if (zlib->ok_bits > zlib->file_bits)
2109            reason = "TFB"; /* fixing a too-far-back error */
2110
2111         else if (zlib->ok_bits == zlib->file_bits)
2112            reason = "OK ";
2113
2114         else
2115            reason = "OPT"; /* optimizing window bits */
2116
2117         /* SUMMARY FORMAT (for a successful zlib inflate):
2118          *
2119          * IDAT reason flevel file-bits ok-bits compressed uncompressed file
2120          */
2121         type_name(zlib->chunk->chunk_type, stdout);
2122         printf(" %s %s %d %d ", reason, zlib_flevel(zlib), zlib->file_bits,
2123            zlib->ok_bits);
2124         uarb_print(zlib->compressed_bytes, zlib->compressed_digits, stdout);
2125         putc(' ', stdout);
2126         uarb_print(zlib->uncompressed_bytes, zlib->uncompressed_digits,
2127            stdout);
2128         putc(' ', stdout);
2129         fputs(zlib->file->file_name, stdout);
2130         putc('\n', stdout);
2131      }
2132
2133      else
2134      {
2135         /* This is a zlib read error; the chunk will be skipped.  For an IDAT
2136          * stream this will also cause a fatal read error (via stop()).
2137          *
2138          * SUMMARY FORMAT:
2139          *
2140          * IDAT SKP flevel file-bits z-rc compressed message file
2141          *
2142          * z-rc is the zlib failure code; message is the error message with
2143          * spaces replaced by '-'.  The compressed byte count indicates where
2144          * in the zlib stream the error occurred.
2145          */
2146         type_name(zlib->chunk->chunk_type, stdout);
2147         printf(" SKP %s %d %s ", zlib_flevel(zlib), zlib->file_bits,
2148            zlib_rc(zlib));
2149         uarb_print(zlib->compressed_bytes, zlib->compressed_digits, stdout);
2150         putc(' ', stdout);
2151         emit_string(zlib->z.msg ? zlib->z.msg : "[no_message]", stdout);
2152         putc(' ', stdout);
2153         fputs(zlib->file->file_name, stdout);
2154         putc('\n', stdout);
2155      }
2156   }
2157
2158   if (zlib->state >= 0)
2159   {
2160      zlib->rc = inflateEnd(&zlib->z);
2161
2162      if (zlib->rc != Z_OK)
2163         zlib_message(zlib, 1/*unexpected*/);
2164   }
2165
2166   CLEAR(*zlib);
2167}
2168
2169static int
2170zlib_reset(struct zlib *zlib, int window_bits)
2171   /* Reinitializes a zlib with a different window_bits */
2172{
2173   assert(zlib->state >= 0); /* initialized by zlib_init */
2174
2175   zlib->z.next_in = Z_NULL;
2176   zlib->z.avail_in = 0;
2177   zlib->z.next_out = Z_NULL;
2178   zlib->z.avail_out = 0;
2179
2180   zlib->window_bits = window_bits;
2181   zlib->compressed_digits = 0;
2182   zlib->uncompressed_digits = 0;
2183
2184   zlib->state = 0; /* initialized, once */
2185   zlib->rc = inflateReset2(&zlib->z, 0);
2186   if (zlib->rc != Z_OK)
2187   {
2188      zlib_message(zlib, 1/*unexpected*/);
2189      return 0;
2190   }
2191
2192   return 1;
2193}
2194
2195static int
2196zlib_init(struct zlib *zlib, struct IDAT *idat, struct chunk *chunk,
2197   int window_bits, png_uint_32 offset)
2198   /* Initialize a zlib_control; the result is true/false */
2199{
2200   CLEAR(*zlib);
2201
2202   zlib->idat = idat;
2203   zlib->chunk = chunk;
2204   zlib->file = chunk->file;
2205   zlib->global = chunk->global;
2206   zlib->rewrite_offset = offset; /* never changed for this zlib */
2207
2208   /* *_out does not need to be set: */
2209   zlib->z.next_in = Z_NULL;
2210   zlib->z.avail_in = 0;
2211   zlib->z.zalloc = Z_NULL;
2212   zlib->z.zfree = Z_NULL;
2213   zlib->z.opaque = Z_NULL;
2214
2215   zlib->state = -1;
2216   zlib->window_bits = window_bits;
2217
2218   zlib->compressed_digits = 0;
2219   zlib->uncompressed_digits = 0;
2220
2221   /* These values are sticky across reset (in addition to the stuff in the
2222    * first block, which is actually constant.)
2223    */
2224   zlib->file_bits = 24;
2225   zlib->ok_bits = 16; /* unset */
2226   zlib->cksum = 0; /* set when a checksum error is detected */
2227
2228   /* '0' means use the header; inflateInit2 should always succeed because it
2229    * does nothing apart from allocating the internal zstate.
2230    */
2231   zlib->rc = inflateInit2(&zlib->z, 0);
2232   if (zlib->rc != Z_OK)
2233   {
2234      zlib_message(zlib, 1/*unexpected*/);
2235      return 0;
2236   }
2237
2238   else
2239   {
2240      zlib->state = 0; /* initialized */
2241      return 1;
2242   }
2243}
2244
2245static int
2246max_window_bits(uarbc size, int ndigits)
2247   /* Return the zlib stream window bits required for data of the given size. */
2248{
2249   png_uint_16 cb;
2250
2251   if (ndigits > 1)
2252      return 15;
2253
2254   cb = size[0];
2255
2256   if (cb > 16384) return 15;
2257   if (cb >  8192) return 14;
2258   if (cb >  4096) return 13;
2259   if (cb >  2048) return 12;
2260   if (cb >  1024) return 11;
2261   if (cb >   512) return 10;
2262   if (cb >   256) return  9;
2263   return 8;
2264}
2265
2266static int
2267zlib_advance(struct zlib *zlib, png_uint_32 nbytes)
2268   /* Read nbytes compressed bytes; the stream will be initialized if required.
2269    * Bytes are always being reread and errors are fatal.  The return code is as
2270    * follows:
2271    *
2272    *    -1: saw the "too far back" error
2273    *     0: ok, keep going
2274    *     1: saw Z_STREAM_END (zlib->extra_bytes indicates too much data)
2275    *     2: a zlib error that cannot be corrected (error message already
2276    *        output if required.)
2277    */
2278#  define ZLIB_TOO_FAR_BACK (-1)
2279#  define ZLIB_OK           0
2280#  define ZLIB_STREAM_END   1
2281#  define ZLIB_FATAL        2
2282{
2283   int state = zlib->state;
2284   int endrc = ZLIB_OK;
2285   png_uint_32 in_bytes = 0;
2286   struct file *file = zlib->file;
2287
2288   assert(state >= 0);
2289
2290   while (in_bytes < nbytes && endrc == ZLIB_OK)
2291   {
2292      png_uint_32 out_bytes;
2293      int flush;
2294      png_byte bIn = reread_byte(file);
2295      png_byte bOut;
2296
2297      switch (state)
2298      {
2299         case 0: /* first header byte */
2300            {
2301               int file_bits = 8+(bIn >> 4);
2302               int new_bits = zlib->window_bits;
2303
2304               zlib->file_bits = file_bits;
2305
2306               /* Check against the existing value - it may not need to be
2307                * changed.  Note that a bogus file_bits is allowed through once,
2308                * to see if it works, but the window_bits value is set to 15,
2309                * the maximum.
2310                */
2311               if (new_bits == 0) /* no change */
2312                  zlib->window_bits = ((file_bits > 15) ? 15 : file_bits);
2313
2314               else if (new_bits != file_bits) /* rewrite required */
2315                  bIn = (png_byte)((bIn & 0xf) + ((new_bits-8) << 4));
2316            }
2317
2318            zlib->header[0] = bIn;
2319            zlib->state = state = 1;
2320            break;
2321
2322         case 1: /* second header byte */
2323            {
2324               int b2 = bIn & 0xe0; /* top 3 bits */
2325
2326               /* The checksum calculation, on the first 11 bits: */
2327               b2 += 0x1f - ((zlib->header[0] << 8) + b2) % 0x1f;
2328
2329               /* Update the checksum byte if required: */
2330               if (bIn != b2)
2331               {
2332                  /* If the first byte wasn't changed this indicates an error in
2333                   * the checksum calculation; signal this by setting 'cksum'.
2334                   */
2335                  if (zlib->file_bits == zlib->window_bits)
2336                     zlib->cksum = 1;
2337
2338                  bIn = (png_byte)b2;
2339               }
2340            }
2341
2342            zlib->header[1] = bIn;
2343            zlib->state = state = 2;
2344            break;
2345
2346         default: /* After the header bytes */
2347            break;
2348      }
2349
2350      /* For some streams, perhaps only those compressed with 'superfast
2351       * compression' (which results in a lot of copying) Z_BUF_ERROR can happen
2352       * immediately after all output has been flushed on the next input byte.
2353       * This is handled below when Z_BUF_ERROR is detected by adding an output
2354       * byte.
2355       */
2356      zlib->z.next_in = &bIn;
2357      zlib->z.avail_in = 1;
2358      zlib->z.next_out = &bOut;
2359      zlib->z.avail_out = 0;     /* Initially */
2360
2361      /* Initially use Z_NO_FLUSH in an attempt to persuade zlib to look at this
2362       * byte without confusing what is going on with output.
2363       */
2364      flush = Z_NO_FLUSH;
2365      out_bytes = 0;
2366
2367      /* NOTE: expression 3 is only evaluted on 'continue', because of the
2368       * 'break' at the end of this loop below.
2369       */
2370      for (;endrc == ZLIB_OK;
2371         flush = Z_SYNC_FLUSH,
2372         zlib->z.next_out = &bOut,
2373         zlib->z.avail_out = 1,
2374         ++out_bytes)
2375      {
2376         zlib->rc = inflate(&zlib->z, flush);
2377         out_bytes -= zlib->z.avail_out;
2378
2379         switch (zlib->rc)
2380         {
2381            case Z_BUF_ERROR:
2382               if (zlib->z.avail_out == 0)
2383                  continue; /* Try another output byte. */
2384
2385               if (zlib->z.avail_in == 0)
2386                  break; /* Try another input byte */
2387
2388               /* Both avail_out and avail_in are 1 yet zlib returned a code
2389                * indicating no progress was possible.  This is unexpected.
2390                */
2391               zlib_message(zlib, 1/*unexpected*/);
2392               endrc = ZLIB_FATAL; /* stop processing */
2393               break;
2394
2395            case Z_OK:
2396               /* Zlib is supposed to have made progress: */
2397               assert(zlib->z.avail_out == 0 || zlib->z.avail_in == 0);
2398               continue;
2399
2400            case Z_STREAM_END:
2401               /* This is the successful end. */
2402               zlib->state = 3; /* end of stream */
2403               endrc = ZLIB_STREAM_END;
2404               break;
2405
2406            case Z_NEED_DICT:
2407               zlib_message(zlib, 0/*stream error*/);
2408               endrc = ZLIB_FATAL;
2409               break;
2410
2411            case Z_DATA_ERROR:
2412               /* The too far back error can be corrected, others cannot: */
2413               if (zlib->z.msg != NULL &&
2414                  strcmp(zlib->z.msg, "invalid distance too far back") == 0)
2415               {
2416                  endrc = ZLIB_TOO_FAR_BACK;
2417                  break;
2418               }
2419               /* FALL THROUGH */
2420
2421            default:
2422               zlib_message(zlib, 0/*stream error*/);
2423               endrc = ZLIB_FATAL;
2424               break;
2425         } /* switch (inflate rc) */
2426
2427         /* Control gets here when further output is not possible; endrc may
2428          * still be ZLIB_OK if more input is required.
2429          */
2430         break;
2431      } /* for (output bytes) */
2432
2433      /* Keep a running count of output byte produced: */
2434      zlib->uncompressed_digits = uarb_add32(zlib->uncompressed_bytes,
2435         zlib->uncompressed_digits, out_bytes);
2436
2437      /* Keep going, the loop will terminate when endrc is no longer set to
2438       * ZLIB_OK or all the input bytes have been consumed; meanwhile keep
2439       * adding input bytes.
2440       */
2441      assert(zlib->z.avail_in == 0 || endrc != ZLIB_OK);
2442
2443      in_bytes += 1 - zlib->z.avail_in;
2444   } /* while (input bytes) */
2445
2446   assert(in_bytes == nbytes || endrc != ZLIB_OK);
2447
2448   /* Update the running total of input bytes consumed */
2449   zlib->compressed_digits = uarb_add32(zlib->compressed_bytes,
2450      zlib->compressed_digits, in_bytes - zlib->z.avail_in);
2451
2452   /* At the end of the stream update the chunk with the accumulated
2453    * information if it is an improvement:
2454    */
2455   if (endrc == ZLIB_STREAM_END && zlib->window_bits < zlib->ok_bits)
2456   {
2457      struct chunk *chunk = zlib->chunk;
2458
2459      chunk->uncompressed_digits = uarb_copy(chunk->uncompressed_bytes,
2460         zlib->uncompressed_bytes, zlib->uncompressed_digits);
2461      chunk->compressed_digits = uarb_copy(chunk->compressed_bytes,
2462         zlib->compressed_bytes, zlib->compressed_digits);
2463      chunk->rewrite_buffer[0] = zlib->header[0];
2464      chunk->rewrite_buffer[1] = zlib->header[1];
2465
2466      if (zlib->window_bits != zlib->file_bits || zlib->cksum)
2467      {
2468         /* A rewrite is required */
2469         chunk->rewrite_offset = zlib->rewrite_offset;
2470         chunk->rewrite_length = 2;
2471      }
2472
2473      else
2474      {
2475         chunk->rewrite_offset = 0;
2476         chunk->rewrite_length = 0;
2477      }
2478
2479      if (in_bytes < nbytes)
2480         chunk_message(chunk, "extra compressed data");
2481
2482      zlib->extra_bytes = nbytes - in_bytes;
2483      zlib->ok_bits = zlib->window_bits;
2484   }
2485
2486   return endrc;
2487}
2488
2489static int
2490zlib_run(struct zlib *zlib)
2491   /* Like zlib_advance but also handles a stream of IDAT chunks. */
2492{
2493   /* The 'extra_bytes' field is set by zlib_advance if there is extra
2494    * compressed data in the chunk it handles (if it sees Z_STREAM_END before
2495    * all the input data has been used.)  This function uses the value to update
2496    * the correct chunk length, so the problem should only ever be detected once
2497    * for each chunk.  zlib_advance outputs the error message, though see the
2498    * IDAT specific check below.
2499    */
2500   zlib->extra_bytes = 0;
2501
2502   if (zlib->idat != NULL)
2503   {
2504      struct IDAT_list *list = zlib->idat->idat_list_head;
2505      struct IDAT_list *last = zlib->idat->idat_list_tail;
2506      int        skip = 0;
2507
2508      /* 'rewrite_offset' is the offset of the LZ data within the chunk, for
2509       * IDAT it should be 0:
2510       */
2511      assert(zlib->rewrite_offset == 0);
2512
2513      /* Process each IDAT_list in turn; the caller has left the stream
2514       * positioned at the start of the first IDAT chunk data.
2515       */
2516      for (;;)
2517      {
2518         const unsigned int count = list->count;
2519         unsigned int i;
2520
2521         for (i = 0; i<count; ++i)
2522         {
2523            int rc;
2524
2525            if (skip > 0) /* Skip CRC and next IDAT header */
2526               skip_12(zlib->file);
2527
2528            skip = 12; /* for the next time */
2529
2530            rc = zlib_advance(zlib, list->lengths[i]);
2531
2532            switch (rc)
2533            {
2534               case ZLIB_OK: /* keep going */
2535                  break;
2536
2537               case ZLIB_STREAM_END: /* stop */
2538                  /* There may be extra chunks; if there are and one of them is
2539                   * not zero length output the 'extra data' message.  Only do
2540                   * this check if errors are being output.
2541                   */
2542                  if (zlib->global->errors && zlib->extra_bytes == 0)
2543                  {
2544                     struct IDAT_list *check = list;
2545                     int j = i+1, jcount = count;
2546
2547                     for (;;)
2548                     {
2549                        for (; j<jcount; ++j)
2550                           if (check->lengths[j] > 0)
2551                           {
2552                              chunk_message(zlib->chunk,
2553                                 "extra compressed data");
2554                              goto end_check;
2555                           }
2556
2557                        if (check == last)
2558                           break;
2559
2560                        check = check->next;
2561                        jcount = check->count;
2562                        j = 0;
2563                     }
2564                  }
2565
2566               end_check:
2567                  /* Terminate the list at the current position, reducing the
2568                   * length of the last IDAT too if required.
2569                   */
2570                  list->lengths[i] -= zlib->extra_bytes;
2571                  list->count = i+1;
2572                  zlib->idat->idat_list_tail = list;
2573                  /* FALL THROUGH */
2574
2575               default:
2576                  return rc;
2577            }
2578         }
2579
2580         /* At the end of the compressed data and Z_STREAM_END was not seen. */
2581         if (list == last)
2582            return ZLIB_OK;
2583
2584         list = list->next;
2585      }
2586   }
2587
2588   else
2589   {
2590      struct chunk *chunk = zlib->chunk;
2591      int rc;
2592
2593      assert(zlib->rewrite_offset < chunk->chunk_length);
2594
2595      rc = zlib_advance(zlib, chunk->chunk_length - zlib->rewrite_offset);
2596
2597      /* The extra bytes in the chunk are handled now by adjusting the chunk
2598       * length to exclude them; the zlib data is always stored at the end of
2599       * the PNG chunk (although clearly this is not necessary.)  zlib_advance
2600       * has already output a warning message.
2601       */
2602      chunk->chunk_length -= zlib->extra_bytes;
2603      return rc;
2604   }
2605}
2606
2607static int /* global function; not a member function */
2608zlib_check(struct file *file, png_uint_32 offset)
2609   /* Check the stream of zlib compressed data in either idat (if given) or (if
2610    * not) chunk.  In fact it is zlib_run that handles the difference in reading
2611    * a single chunk and a list of IDAT chunks.
2612    *
2613    * In either case the input file must be positioned at the first byte of zlib
2614    * compressed data (the first header byte).
2615    *
2616    * The return value is true on success, including the case where the zlib
2617    * header may need to be rewritten, and false on an unrecoverable error.
2618    *
2619    * In the case of IDAT chunks 'offset' should be 0.
2620    */
2621{
2622   fpos_t start_pos;
2623   struct zlib zlib;
2624
2625   /* Record the start of the LZ data to allow a re-read. */
2626   file_getpos(file, &start_pos);
2627
2628   /* First test the existing (file) window bits: */
2629   if (zlib_init(&zlib, file->idat, file->chunk, 0/*window bits*/, offset))
2630   {
2631      int min_bits, max_bits, rc;
2632
2633      /* The first run using the existing window bits. */
2634      rc = zlib_run(&zlib);
2635
2636      switch (rc)
2637      {
2638         case ZLIB_TOO_FAR_BACK:
2639            /* too far back error */
2640            file->status_code |= TOO_FAR_BACK;
2641            min_bits = zlib.window_bits + 1;
2642            max_bits = 15;
2643            break;
2644
2645         case ZLIB_STREAM_END:
2646            if (!zlib.global->optimize_zlib &&
2647               zlib.window_bits == zlib.file_bits && !zlib.cksum)
2648            {
2649               /* The trivial case where the stream is ok and optimization was
2650                * not requested.
2651                */
2652               zlib_end(&zlib);
2653               return 1;
2654            }
2655
2656            max_bits = max_window_bits(zlib.uncompressed_bytes,
2657               zlib.uncompressed_digits);
2658            if (zlib.ok_bits < max_bits)
2659               max_bits = zlib.ok_bits;
2660            min_bits = 8;
2661
2662            /* cksum is set if there is an error in the zlib header checksum
2663             * calculation in the original file (and this may be the only reason
2664             * a rewrite is required).  We can't rely on the file window bits in
2665             * this case, so do the optimization anyway.
2666             */
2667            if (zlib.cksum)
2668               chunk_message(zlib.chunk, "zlib checkum");
2669            break;
2670
2671
2672         case ZLIB_OK:
2673            /* Truncated stream; unrecoverable, gets converted to ZLIB_FATAL */
2674            zlib.z.msg = PNGZ_MSG_CAST("[truncated]");
2675            zlib_message(&zlib, 0/*expected*/);
2676            /* FALL THROUGH */
2677
2678         default:
2679            /* Unrecoverable error; skip the chunk; a zlib_message has already
2680             * been output.
2681             */
2682            zlib_end(&zlib);
2683            return 0;
2684      }
2685
2686      /* Optimize window bits or fix a too-far-back error.  min_bits and
2687       * max_bits have been set appropriately, ok_bits records the bit value
2688       * known to work.
2689       */
2690      while (min_bits < max_bits || max_bits < zlib.ok_bits/*if 16*/)
2691      {
2692         int test_bits = (min_bits + max_bits) >> 1;
2693
2694         if (zlib_reset(&zlib, test_bits))
2695         {
2696            file_setpos(file, &start_pos);
2697            rc = zlib_run(&zlib);
2698
2699            switch (rc)
2700            {
2701               case ZLIB_TOO_FAR_BACK:
2702                  min_bits = test_bits+1;
2703                  if (min_bits > max_bits)
2704                  {
2705                     /* This happens when the stream really is damaged and it
2706                      * contains a distance code that addresses bytes before
2707                      * the start of the uncompressed data.
2708                      */
2709                     assert(test_bits == 15);
2710
2711                     /* Output the error that wasn't output before: */
2712                     if (zlib.z.msg == NULL)
2713                        zlib.z.msg = PNGZ_MSG_CAST(
2714                           "invalid distance too far back");
2715                     zlib_message(&zlib, 0/*stream error*/);
2716                     zlib_end(&zlib);
2717                     return 0;
2718                  }
2719                  break;
2720
2721               case ZLIB_STREAM_END: /* success */
2722                  max_bits = test_bits;
2723                  break;
2724
2725               default:
2726                  /* A fatal error; this happens if a too-far-back error was
2727                   * hiding a more serious error, zlib_advance has already
2728                   * output a zlib_message.
2729                   */
2730                  zlib_end(&zlib);
2731                  return 0;
2732            }
2733         }
2734
2735         else /* inflateReset2 failed */
2736         {
2737            zlib_end(&zlib);
2738            return 0;
2739         }
2740      }
2741
2742      /* The loop guarantees this */
2743      assert(zlib.ok_bits == max_bits);
2744      zlib_end(&zlib);
2745      return 1;
2746   }
2747
2748   else /* zlib initialization failed - skip the chunk */
2749   {
2750      zlib_end(&zlib);
2751      return 0;
2752   }
2753}
2754
2755/***************************** LIBPNG CALLBACKS *******************************/
2756/* The strategy here is to run a regular libpng PNG file read but examine the
2757 * input data (from the file) before passing it to libpng so as to be aware of
2758 * the state we expect libpng to be in.  Warning and error callbacks are also
2759 * intercepted so that they can be quieted and interpreted.  Interpretation
2760 * depends on a somewhat risky string match for known error messages; let us
2761 * hope that this can be fixed in the next version of libpng.
2762 *
2763 * The control structure is pointed to by the libpng error pointer.  It contains
2764 * that set of structures which must persist across multiple read callbacks,
2765 * which is pretty much everything except the 'zlib' control structure.
2766 *
2767 * The file structure is instantiated in the caller of the per-file routine, but
2768 * the per-file routine contains the chunk and IDAT control structures.
2769 */
2770/* The three routines read_chunk, process_chunk and sync_stream can only be
2771 * called via a call to read_chunk and only exit at a return from process_chunk.
2772 * These routines could have been written as one confusing large routine,
2773 * instead this code relies on the compiler to do tail call elimination.  The
2774 * possible calls are as follows:
2775 *
2776 * read_chunk
2777 *    -> sync_stream
2778 *       -> process_chunk
2779 *    -> process_chunk
2780 *       -> read_chunk
2781 *       returns
2782 */
2783static void read_chunk(struct file *file);
2784static void
2785process_chunk(struct file *file, png_uint_32 file_crc, png_uint_32 next_length,
2786   png_uint_32 next_type)
2787   /* Called when the chunk data has been read, next_length and next_type
2788    * will be set for the next chunk (or 0 if this is IEND).
2789    *
2790    * When this routine returns, chunk_length and chunk_type will be set for the
2791    * next chunk to write because if a chunk is skipped this return calls back
2792    * to read_chunk.
2793    */
2794{
2795   const png_uint_32 type = file->type;
2796
2797   if (file->global->verbose > 1)
2798   {
2799      fputs("  ", stderr);
2800      type_name(file->type, stderr);
2801      fprintf(stderr, " %lu 0x%.8x 0x%.8x\n", (unsigned long)file->length,
2802         file->crc ^ 0xffffffff, file_crc);
2803   }
2804
2805   /* The basic structure seems correct but the CRC may not match, in this
2806    * case assume that it is simply a bad CRC, either wrongly calculated or
2807    * because of damaged stream data.
2808    */
2809   if ((file->crc ^ 0xffffffff) != file_crc)
2810   {
2811      /* The behavior is set by the 'skip' setting; if it is anything other
2812       * than SKIP_BAD_CRC ignore the bad CRC and return the chunk, with a
2813       * corrected CRC and possibly processed, to libpng.  Otherwise skip the
2814       * chunk, which will result in a fatal error if the chunk is critical.
2815       */
2816      file->status_code |= CRC_ERROR;
2817
2818      /* Ignore the bad CRC  */
2819      if (file->global->skip != SKIP_BAD_CRC)
2820         type_message(file, type, "bad CRC");
2821
2822      /* This will cause an IEND with a bad CRC to stop */
2823      else if (CRITICAL(type))
2824         stop(file, READ_ERROR_CODE, "bad CRC in critical chunk");
2825
2826      else
2827      {
2828         type_message(file, type, "skipped: bad CRC");
2829
2830         /* NOTE: this cannot be reached for IEND because it is critical. */
2831         goto skip_chunk;
2832      }
2833   }
2834
2835   /* Check for other 'skip' cases and handle these; these only apply to
2836    * ancillary chunks (and not tRNS, which should probably have been a critical
2837    * chunk.)
2838    */
2839   if (skip_chunk_type(file->global, type))
2840      goto skip_chunk;
2841
2842   /* The chunk may still be skipped if problems are detected in the LZ data,
2843    * however the LZ data check requires a chunk.  Handle this by instantiating
2844    * a chunk unless an IDAT is already instantiated (IDAT control structures
2845    * instantiate their own chunk.)
2846    */
2847   if (type != png_IDAT)
2848      file->alloc(file, 0/*chunk*/);
2849
2850   else if (file->idat == NULL)
2851      file->alloc(file, 1/*IDAT*/);
2852
2853   else
2854   {
2855      /* The chunk length must be updated for process_IDAT */
2856      assert(file->chunk != NULL);
2857      assert(file->chunk->chunk_type == png_IDAT);
2858      file->chunk->chunk_length = file->length;
2859   }
2860
2861   /* Record the 'next' information too, now that the original values for
2862    * this chunk have been copied.  Notice that the IDAT chunks only make a
2863    * copy of the position of the first chunk, this is fine - process_IDAT does
2864    * not need the position of this chunk.
2865    */
2866   file->length = next_length;
2867   file->type = next_type;
2868   getpos(file);
2869
2870   /* Do per-type processing, note that if this code does not return from the
2871    * function the chunk will be skipped.  The rewrite is cancelled here so that
2872    * it can be set in the per-chunk processing.
2873    */
2874   file->chunk->rewrite_length = 0;
2875   file->chunk->rewrite_offset = 0;
2876   switch (type)
2877   {
2878      default:
2879         return;
2880
2881      case png_IHDR:
2882         /* Read this now and update the control structure with the information
2883          * it contains.  The header is validated completely to ensure this is a
2884          * PNG.
2885          */
2886         {
2887            struct chunk *chunk = file->chunk;
2888
2889            if (chunk->chunk_length != 13)
2890               stop_invalid(file, "IHDR length");
2891
2892            /* Read all the IHDR information and validate it. */
2893            setpos(chunk);
2894            file->width = reread_4(file);
2895            file->height = reread_4(file);
2896            file->bit_depth = reread_byte(file);
2897            file->color_type = reread_byte(file);
2898            file->compression_method = reread_byte(file);
2899            file->filter_method = reread_byte(file);
2900            file->interlace_method = reread_byte(file);
2901
2902            /* This validates all the fields, and calls stop_invalid if
2903             * there is a problem.
2904             */
2905            calc_image_size(file);
2906         }
2907         return;
2908
2909         /* Ancillary chunks that require further processing: */
2910      case png_zTXt: case png_iCCP:
2911         if (process_zTXt_iCCP(file))
2912            return;
2913         chunk_end(&file->chunk);
2914         file_setpos(file, &file->data_pos);
2915         break;
2916
2917      case png_iTXt:
2918         if (process_iTXt(file))
2919            return;
2920         chunk_end(&file->chunk);
2921         file_setpos(file, &file->data_pos);
2922         break;
2923
2924      case png_IDAT:
2925         if (process_IDAT(file))
2926            return;
2927         /* First pass: */
2928         assert(next_type == png_IDAT);
2929         break;
2930   }
2931
2932   /* Control reaches this point if the chunk must be skipped.  For chunks other
2933    * than IDAT this means that the zlib compressed data is fatally damanged and
2934    * the chunk will not be passed to libpng.  For IDAT it means that the end of
2935    * the IDAT stream has not yet been reached and we must handle the next
2936    * (IDAT) chunk.  If the LZ data in an IDAT stream cannot be read 'stop' must
2937    * be used to halt parsing of the PNG.
2938    */
2939   read_chunk(file);
2940   return;
2941
2942   /* This is the generic code to skip the current chunk; simply jump to the
2943    * next one.
2944    */
2945skip_chunk:
2946   file->length = next_length;
2947   file->type = next_type;
2948   getpos(file);
2949   read_chunk(file);
2950}
2951
2952static png_uint_32
2953get32(png_bytep buffer, int offset)
2954   /* Read a 32-bit value from an 8-byte circular buffer (used only below).
2955    */
2956{
2957   return
2958      (buffer[ offset    & 7] << 24) +
2959      (buffer[(offset+1) & 7] << 16) +
2960      (buffer[(offset+2) & 7] <<  8) +
2961      (buffer[(offset+3) & 7]      );
2962}
2963
2964static void
2965sync_stream(struct file *file)
2966   /* The stream seems to be messed up, attempt to resync from the current chunk
2967    * header.  Executes stop on a fatal error, otherwise calls process_chunk.
2968    */
2969{
2970   png_uint_32 file_crc;
2971
2972   file->status_code |= STREAM_ERROR;
2973
2974   if (file->global->verbose)
2975   {
2976      fputs(" SYNC ", stderr);
2977      type_name(file->type, stderr);
2978      putc('\n', stderr);
2979   }
2980
2981   /* Return to the start of the chunk data */
2982   file_setpos(file, &file->data_pos);
2983   file->read_count = 8;
2984
2985   if (read_4(file, &file_crc) == 4) /* else completely truncated */
2986   {
2987      /* Ignore the recorded chunk length, proceed through the data looking for
2988       * a leading sequence of bytes that match the CRC in the following four
2989       * bytes.  Each time a match is found check the next 8 bytes for a valid
2990       * length, chunk-type pair.
2991       */
2992      png_uint_32 length;
2993      png_uint_32 type = file->type;
2994      png_uint_32 crc = crc_init_4(type);
2995      png_byte buffer[8];
2996      unsigned int nread = 0, nused = 0;
2997
2998      for (length=0; length <= 0x7fffffff; ++length)
2999      {
3000         int ch;
3001
3002         if ((crc ^ 0xffffffff) == file_crc)
3003         {
3004            /* A match on the CRC; for IEND this is sufficient, but for anything
3005             * else expect a following chunk header.
3006             */
3007            if (type == png_IEND)
3008            {
3009               file->length = length;
3010               process_chunk(file, file_crc, 0, 0);
3011               return;
3012            }
3013
3014            else
3015            {
3016               /* Need 8 bytes */
3017               while (nread < 8+nused)
3018               {
3019                  ch = read_byte(file);
3020                  if (ch == EOF)
3021                     goto truncated;
3022                  buffer[(nread++) & 7] = (png_byte)ch;
3023               }
3024
3025               /* Prevent overflow */
3026               nread -= nused & ~7;
3027               nused -= nused & ~7; /* or, nused &= 7 ;-) */
3028
3029               /* Examine the 8 bytes for a valid chunk header. */
3030               {
3031                  png_uint_32 next_length = get32(buffer, nused);
3032
3033                  if (next_length < 0x7fffffff)
3034                  {
3035                     png_uint_32 next_type = get32(buffer, nused+4);
3036
3037                     if (chunk_type_valid(next_type))
3038                     {
3039                        file->read_count -= 8;
3040                        process_chunk(file, file_crc, next_length, next_type);
3041                        return;
3042                     }
3043                  }
3044
3045                  /* Not valid, keep going. */
3046               }
3047            }
3048         }
3049
3050         /* This catches up with the circular buffer which gets filled above
3051          * while checking a chunk header.  This code is slightly tricky - if
3052          * the chunk_type is IEND the buffer will never be used, if it is not
3053          * the code will always read ahead exactly 8 bytes and pass this on to
3054          * process_chunk.  So the invariant that IEND leaves the file position
3055          * after the IEND CRC and other chunk leave it after the *next* chunk
3056          * header is not broken.
3057          */
3058         if (nread <= nused)
3059         {
3060            ch = read_byte(file);
3061
3062            if (ch == EOF)
3063               goto truncated;
3064         }
3065
3066         else
3067            ch = buffer[(++nused) & 7];
3068
3069         crc = crc_one_byte(crc, file_crc >> 24);
3070         file_crc = (file_crc << 8) + ch;
3071      }
3072
3073      /* Control gets to here if when 0x7fffffff bytes (plus 8) have been read,
3074       * ok, treat this as a damaged stream too:
3075       */
3076   }
3077
3078truncated:
3079   stop(file, READ_ERROR_CODE, "damaged PNG stream");
3080}
3081
3082static void
3083read_chunk(struct file *file)
3084   /* On entry file::data_pos must be set to the position of the first byte
3085    * of the chunk data *and* the input file must be at this position.  This
3086    * routine (via process_chunk) instantiates a chunk or IDAT control structure
3087    * based on file::length and file::type and also resets these fields and
3088    * file::data_pos for the chunk after this one.  For an IDAT chunk the whole
3089    * stream of IDATs will be read, until something other than an IDAT is
3090    * encountered, and the file fields will be set for the chunk after the end
3091    * of the stream of IDATs.
3092    *
3093    * For IEND the file::type field will be set to 0, and nothing beyond the end
3094    * of the IEND chunk will have been read.
3095    */
3096{
3097   png_uint_32 length = file->length;
3098   png_uint_32 type = file->type;
3099
3100   /* After IEND file::type is set to 0, if libpng attempts to read
3101    * more data at this point this is a bug in libpng.
3102    */
3103   if (type == 0)
3104      stop(file, UNEXPECTED_ERROR_CODE, "read beyond IEND");
3105
3106   if (file->global->verbose > 2)
3107   {
3108      fputs("   ", stderr);
3109      type_name(type, stderr);
3110      fprintf(stderr, " %lu\n", (unsigned long)length);
3111   }
3112
3113   /* Start the read_crc calculation with the chunk type, then read to the end
3114    * of the chunk data (without processing it in any way) to check that it is
3115    * all there and calculate the CRC.
3116    */
3117   file->crc = crc_init_4(type);
3118   if (crc_read_many(file, length)) /* else it was truncated */
3119   {
3120      png_uint_32 file_crc; /* CRC read from file */
3121      unsigned int nread = read_4(file, &file_crc);
3122
3123      if (nread == 4)
3124      {
3125         if (type != png_IEND) /* do not read beyond IEND */
3126         {
3127            png_uint_32 next_length;
3128
3129            nread += read_4(file, &next_length);
3130            if (nread == 8 && next_length <= 0x7fffffff)
3131            {
3132               png_uint_32 next_type;
3133
3134               nread += read_4(file, &next_type);
3135
3136               if (nread == 12 && chunk_type_valid(next_type))
3137               {
3138                  /* Adjust the read count back to the correct value for this
3139                   * chunk.
3140                   */
3141                  file->read_count -= 8;
3142                  process_chunk(file, file_crc, next_length, next_type);
3143                  return;
3144               }
3145            }
3146         }
3147
3148         else /* IEND */
3149         {
3150            process_chunk(file, file_crc, 0, 0);
3151            return;
3152         }
3153      }
3154   }
3155
3156   /* Control gets to here if the the stream seems invalid or damaged in some
3157    * way.  Either there was a problem reading all the expected data (this
3158    * chunk's data, its CRC and the length and type of the next chunk) or the
3159    * next chunk length/type are invalid.  Notice that the cases that end up
3160    * here all correspond to cases that would otherwise terminate the read of
3161    * the PNG file.
3162    */
3163   sync_stream(file);
3164}
3165
3166/* This returns a file* from a png_struct in an implementation specific way. */
3167static struct file *get_control(png_const_structrp png_ptr);
3168
3169static void PNGCBAPI
3170error_handler(png_structp png_ptr, png_const_charp message)
3171{
3172   stop(get_control(png_ptr),  LIBPNG_ERROR_CODE, message);
3173}
3174
3175static void PNGCBAPI
3176warning_handler(png_structp png_ptr, png_const_charp message)
3177{
3178   struct file *file = get_control(png_ptr);
3179
3180   if (file->global->warnings)
3181      emit_error(file, LIBPNG_WARNING_CODE, message);
3182}
3183
3184/* Read callback - this is where the work gets done to check the stream before
3185 * passing it to libpng
3186 */
3187static void PNGCBAPI
3188read_callback(png_structp png_ptr, png_bytep buffer, size_t count)
3189   /* Return 'count' bytes to libpng in 'buffer' */
3190{
3191   struct file *file = get_control(png_ptr);
3192   png_uint_32 type, length; /* For the chunk be *WRITTEN* */
3193   struct chunk *chunk;
3194
3195   /* libpng should always ask for at least one byte */
3196   if (count == 0)
3197      stop(file, UNEXPECTED_ERROR_CODE, "read callback for 0 bytes");
3198
3199   /* The callback always reads ahead by 8 bytes - the signature or chunk header
3200    * - these bytes are stored in chunk_length and chunk_type.  This block is
3201    * executed once for the signature and once for the first chunk right at the
3202    * start.
3203    */
3204   if (file->read_count < 8)
3205   {
3206      assert(file->read_count == 0);
3207      assert((file->status_code & TRUNCATED) == 0);
3208
3209      (void)read_4(file, &file->length);
3210
3211      if (file->read_count == 4)
3212         (void)read_4(file, &file->type);
3213
3214      if (file->read_count < 8)
3215      {
3216         assert((file->status_code & TRUNCATED) != 0);
3217         stop(file, READ_ERROR_CODE, "not a PNG (too short)");
3218      }
3219
3220      if (file->state == STATE_SIGNATURE)
3221      {
3222         if (file->length != sig1 || file->type != sig2)
3223            stop(file, LIBPNG_ERROR_CODE, "not a PNG (signature)");
3224
3225         /* Else write it (this is the initialization of write_count, prior to
3226          * this it contains CLEAR garbage.)
3227          */
3228         file->write_count = 0;
3229      }
3230
3231      else
3232      {
3233         assert(file->state == STATE_CHUNKS);
3234
3235         /* The first chunk must be a well formed IHDR (this could be relaxed to
3236          * use the checks in process_chunk, but that seems unnecessary.)
3237          */
3238         if (file->length != 13 || file->type != png_IHDR)
3239            stop(file, LIBPNG_ERROR_CODE, "not a PNG (IHDR)");
3240
3241         /* The position of the data must be stored too */
3242         getpos(file);
3243      }
3244   }
3245
3246   /* Retrieve previous state (because the read callbacks are made pretty much
3247    * byte-by-byte in the sequential reader prior to 1.7).
3248    */
3249   chunk = file->chunk;
3250
3251   if (chunk != NULL)
3252   {
3253      length = chunk->chunk_length;
3254      type = chunk->chunk_type;
3255   }
3256
3257   else
3258   {
3259      /* This is the signature case; for IDAT and other chunks these values will
3260       * be overwritten when read_chunk is called below.
3261       */
3262      length = file->length;
3263      type = file->type;
3264   }
3265
3266   do
3267   {
3268      png_uint_32 b;
3269
3270      /* Complete the read of a chunk; as a side effect this also instantiates
3271       * a chunk control structure and sets the file length/type/data_pos fields
3272       * for the *NEXT* chunk header.
3273       *
3274       * NOTE: at an IDAT any following IDAT chunks will also be read and the
3275       * next_ fields will refer to the chunk after the last IDAT.
3276       *
3277       * NOTE: read_chunk only returns when it has read a chunk that must now be
3278       * written.
3279       */
3280      if (file->state != STATE_SIGNATURE && chunk == NULL)
3281      {
3282         assert(file->read_count == 8);
3283         assert(file->idat == NULL);
3284         read_chunk(file);
3285         chunk = file->chunk;
3286         assert(chunk != NULL);
3287
3288         /* Do the initialization that was not done before. */
3289         length = chunk->chunk_length;
3290         type = chunk->chunk_type;
3291
3292         /* And start writing the new chunk. */
3293         file->write_count = 0;
3294      }
3295
3296      /* The chunk_ fields describe a chunk that must be written, or hold the
3297       * signature.  Write the header first.  In the signature case this
3298       * rewrites the signature.
3299       */
3300      switch (file->write_count)
3301      {
3302         case 0: b = length >> 24; break;
3303         case 1: b = length >> 16; break;
3304         case 2: b = length >>  8; break;
3305         case 3: b = length      ; break;
3306
3307         case 4: b = type >> 24; break;
3308         case 5: b = type >> 16; break;
3309         case 6: b = type >>  8; break;
3310         case 7: b = type      ; break;
3311
3312         case 8:
3313            /* The header has been written.  If this is really the signature
3314             * that's all that is required and we can go to normal chunk
3315             * processing.
3316             */
3317            if (file->state == STATE_SIGNATURE)
3318            {
3319               /* The signature has been written, the tail call to read_callback
3320                * below (it's just a goto to the start with a decent compiler)
3321                * will read the IHDR header ahead and validate it.
3322                */
3323               assert(length == sig1 && type == sig2);
3324               file->read_count = 0; /* Forces a header read */
3325               file->state = STATE_CHUNKS; /* IHDR: checked above */
3326               read_callback(png_ptr, buffer, count);
3327               return;
3328            }
3329
3330            else
3331            {
3332               assert(chunk != NULL);
3333
3334               /* Set up for write, notice that repositioning the input stream
3335                * is only necessary if something is to be read from it.  Also
3336                * notice that for the IDAT stream this must only happen once -
3337                * on the first IDAT - to get back to the start of the list and
3338                * this is done inside process_IDAT:
3339                */
3340               chunk->write_crc = crc_init_4(type);
3341               if (file->state != STATE_IDAT && length > 0)
3342                  setpos(chunk);
3343            }
3344            /* FALL THROUGH */
3345
3346         default:
3347            assert(chunk != NULL);
3348
3349            /* NOTE: the arithmetic below overflows and gives a large positive
3350             * png_uint_32 value until the whole chunk data has been written.
3351             */
3352            switch (file->write_count - length)
3353            {
3354               /* Write the chunk data, normally this just comes from
3355                * the file.  The only exception is for that part of a
3356                * chunk which is zlib data and which must be rewritten,
3357                * and IDAT chunks which can be completely
3358                * reconstructed.
3359                */
3360               default:
3361                  if (file->state == STATE_IDAT)
3362                  {
3363                     struct IDAT *idat = file->idat;
3364
3365                     assert(idat != NULL);
3366
3367                     /* Read an IDAT byte from the input stream of IDAT chunks.
3368                      * Because the IDAT stream can be re-chunked this stream is
3369                      * held in the struct IDAT members.  The chunk members, in
3370                      * particular chunk_length (and therefore the length local)
3371                      * refer to the output chunk.
3372                      */
3373                     while (idat->idat_index >= idat->idat_length)
3374                     {
3375                        /* Advance one chunk */
3376                        struct IDAT_list *cur = idat->idat_cur;
3377
3378                        assert(idat->idat_index == idat->idat_length);
3379                        assert(cur != NULL && cur->count > 0);
3380
3381                        /* NOTE: IDAT_list::count here, not IDAT_list::length */
3382                        if (++(idat->idat_count) >= cur->count)
3383                        {
3384                           assert(idat->idat_count == cur->count);
3385
3386                           /* Move on to the next IDAT_list: */
3387                           cur = cur->next;
3388
3389                           /* This is an internal error - read beyond the end of
3390                            * the pre-calculated stream.
3391                            */
3392                           if (cur == NULL || cur->count == 0)
3393                              stop(file, UNEXPECTED_ERROR_CODE,
3394                                 "read beyond end of IDAT");
3395
3396                           idat->idat_count = 0;
3397                           idat->idat_cur = cur;
3398                        }
3399
3400                        idat->idat_index = 0;
3401                        /* Zero length IDAT chunks are permitted, so the length
3402                         * here may be 0.
3403                         */
3404                        idat->idat_length = cur->lengths[idat->idat_count];
3405
3406                        /* And skip 12 bytes to the next chunk data */
3407                        skip_12(file);
3408                     }
3409
3410                     /* The index is always that of the next byte, the rest of
3411                      * the information is always the current IDAT chunk and the
3412                      * current list.
3413                      */
3414                     ++(idat->idat_index);
3415                  }
3416
3417                  /* Read the byte from the stream. */
3418                  b = reread_byte(file);
3419
3420                  /* If the byte must be rewritten handle that here */
3421                  if (chunk->rewrite_length > 0)
3422                  {
3423                     if (chunk->rewrite_offset > 0)
3424                        --(chunk->rewrite_offset);
3425
3426                     else
3427                     {
3428                        b = chunk->rewrite_buffer[0];
3429                        memmove(chunk->rewrite_buffer, chunk->rewrite_buffer+1,
3430                           (sizeof chunk->rewrite_buffer)-
3431                              (sizeof chunk->rewrite_buffer[0]));
3432
3433                        --(chunk->rewrite_length);
3434                     }
3435                  }
3436
3437                  chunk->write_crc = crc_one_byte(chunk->write_crc, b);
3438                  break;
3439
3440               /* The CRC is written at:
3441                *
3442                *    chunk_write == chunk_length+8..chunk_length+11
3443                *
3444                * so 8 to 11.  The CRC is not (yet) conditioned.
3445                */
3446               case  8: b = chunk->write_crc >> 24; goto write_crc;
3447               case  9: b = chunk->write_crc >> 16; goto write_crc;
3448               case 10: b = chunk->write_crc >>  8; goto write_crc;
3449               case 11:
3450                  /* This must happen before the chunk_end below: */
3451                  b = chunk->write_crc;
3452
3453                  if (file->global->verbose > 2)
3454                  {
3455                     fputs("   ", stderr);
3456                     type_name(type, stderr);
3457                     fprintf(stderr, " %lu 0x%.8x\n", (unsigned long)length,
3458                        chunk->write_crc ^ 0xffffffff);
3459                  }
3460
3461                  /* The IDAT stream is written without a call to read_chunk
3462                   * until the end is reached.  rechunk_length() calculates the
3463                   * length of the output chunks.  Control gets to this point at
3464                   * the end of an *output* chunk - the length calculated by
3465                   * rechunk_length.  If this corresponds to the end of the
3466                   * input stream stop writing IDAT chunks, otherwise continue.
3467                   */
3468                  if (file->state == STATE_IDAT &&
3469                     (file->idat->idat_index < file->idat->idat_length ||
3470                      1+file->idat->idat_count < file->idat->idat_cur->count ||
3471                      file->idat->idat_cur != file->idat->idat_list_tail))
3472                  {
3473                     /* Write another IDAT chunk.  Call rechunk_length to
3474                      * calculate the length required.
3475                      */
3476                     length = chunk->chunk_length = rechunk_length(file->idat);
3477                     assert(type == png_IDAT);
3478                     file->write_count = 0; /* for the new chunk */
3479                     --(file->write_count); /* fake out the increment below */
3480                  }
3481
3482                  else
3483                  {
3484                     /* Entered at the end of a non-IDAT chunk and at the end of
3485                      * the IDAT stream.  The rewrite should have been cleared.
3486                      */
3487                     if (chunk->rewrite_length > 0 || chunk->rewrite_offset > 0)
3488                        stop(file, UNEXPECTED_ERROR_CODE, "pending rewrite");
3489
3490                     /* This is the last byte so reset chunk_read for the next
3491                      * chunk and move the input file to the position after the
3492                      * *next* chunk header if required.
3493                      */
3494                     file->read_count = 8;
3495                     file_setpos(file, &file->data_pos);
3496
3497                     if (file->idat == NULL)
3498                        chunk_end(&file->chunk);
3499
3500                     else
3501                        IDAT_end(&file->idat);
3502                  }
3503
3504               write_crc:
3505                  b ^= 0xff; /* conditioning */
3506                  break;
3507            }
3508            break;
3509      }
3510
3511      /* Write one byte */
3512      b &= 0xff;
3513      *buffer++ = (png_byte)b;
3514      --count;
3515      write_byte(file, (png_byte)b); /* increments chunk_write */
3516   }
3517   while (count > 0);
3518}
3519
3520/* Bundle the file and an uninitialized chunk and IDAT control structure
3521 * together to allow implementation of the chunk/IDAT allocate routine.
3522 */
3523struct control
3524{
3525   struct file  file;
3526   struct chunk chunk;
3527   struct IDAT  idat;
3528};
3529
3530static int
3531control_end(struct control *control)
3532{
3533   return file_end(&control->file);
3534}
3535
3536static struct file *
3537get_control(png_const_structrp png_ptr)
3538{
3539   /* This just returns the (file*).  The chunk and idat control structures
3540    * don't always exist.
3541    */
3542   struct control *control = voidcast(struct control*,
3543      png_get_error_ptr(png_ptr));
3544   return &control->file;
3545}
3546
3547static void
3548allocate(struct file *file, int allocate_idat)
3549{
3550   struct control *control = voidcast(struct control*, file->alloc_ptr);
3551
3552   if (allocate_idat)
3553   {
3554      assert(file->idat == NULL);
3555      IDAT_init(&control->idat, file);
3556   }
3557
3558   else /* chunk */
3559   {
3560      assert(file->chunk == NULL);
3561      chunk_init(&control->chunk, file);
3562   }
3563}
3564
3565static int
3566control_init(struct control *control, struct global *global,
3567   const char *file_name, const char *out_name)
3568   /* This wraps file_init(&control::file) and simply returns the result from
3569    * file_init.
3570    */
3571{
3572   return file_init(&control->file, global, file_name, out_name, control,
3573      allocate);
3574}
3575
3576static int
3577read_png(struct control *control)
3578   /* Read a PNG, return 0 on success else an error (status) code; a bit mask as
3579    * defined for file::status_code as above.
3580    */
3581{
3582   png_structp png_ptr;
3583   png_infop info_ptr = NULL;
3584   volatile int rc;
3585
3586   png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, control,
3587      error_handler, warning_handler);
3588
3589   if (png_ptr == NULL)
3590   {
3591      /* This is not really expected. */
3592      log_error(&control->file, LIBPNG_ERROR_CODE, "OOM allocating png_struct");
3593      control->file.status_code |= INTERNAL_ERROR;
3594      return LIBPNG_ERROR_CODE;
3595   }
3596
3597   rc = setjmp(control->file.jmpbuf);
3598   if (rc == 0)
3599   {
3600#     ifdef PNG_SET_USER_LIMITS_SUPPORTED
3601         /* Remove any limits on the size of PNG files that can be read,
3602          * without this we may reject files based on built-in safety
3603          * limits.
3604          */
3605         png_set_user_limits(png_ptr, 0x7fffffff, 0x7fffffff);
3606         png_set_chunk_cache_max(png_ptr, 0);
3607         png_set_chunk_malloc_max(png_ptr, 0);
3608#     endif
3609
3610      png_set_read_fn(png_ptr, control, read_callback);
3611
3612      info_ptr = png_create_info_struct(png_ptr);
3613      if (info_ptr == NULL)
3614         png_error(png_ptr, "OOM allocating info structure");
3615
3616      if (control->file.global->verbose)
3617         fprintf(stderr, " INFO\n");
3618
3619      png_read_info(png_ptr, info_ptr);
3620
3621      {
3622        png_uint_32 height = png_get_image_height(png_ptr, info_ptr);
3623        int passes = png_set_interlace_handling(png_ptr);
3624        int pass;
3625
3626        png_start_read_image(png_ptr);
3627
3628        for (pass = 0; pass < passes; ++pass)
3629        {
3630           png_uint_32 y = height;
3631
3632           /* NOTE: this skips asking libpng to return either version of
3633            * the image row, but libpng still reads the rows.
3634            */
3635           while (y-- > 0)
3636              png_read_row(png_ptr, NULL, NULL);
3637        }
3638      }
3639
3640      if (control->file.global->verbose)
3641         fprintf(stderr, " END\n");
3642
3643      /* Make sure to read to the end of the file: */
3644      png_read_end(png_ptr, info_ptr);
3645   }
3646
3647   png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
3648   return rc;
3649}
3650
3651static int
3652one_file(struct global *global, const char *file_name, const char *out_name)
3653{
3654   int rc;
3655   struct control control;
3656
3657   if (global->verbose)
3658      fprintf(stderr, "FILE %s -> %s\n", file_name,
3659         out_name ? out_name : "<none>");
3660
3661   /* Although control_init can return a failure code the structure is always
3662    * initialized, so control_end can be used to accumulate any status codes.
3663    */
3664   rc = control_init(&control, global, file_name, out_name);
3665
3666   if (rc == 0)
3667      rc = read_png(&control);
3668
3669   rc |= control_end(&control);
3670
3671   return rc;
3672}
3673
3674static void
3675usage(const char *prog)
3676{
3677   /* ANSI C-90 limits strings to 509 characters, so use a string array: */
3678   size_t i;
3679   static const char *usage_string[] = {
3680"  Tests, optimizes and optionally fixes the zlib header in PNG files.",
3681"  Optionally, when fixing, strips ancilliary chunks from the file.",
36820,
3683"OPTIONS",
3684"  OPERATION",
3685"      By default files are just checked for readability with a summary of the",
3686"      of zlib issues founds for each compressed chunk and the IDAT stream in",
3687"      the file.",
3688"    --optimize (-o):",
3689"      Find the smallest deflate window size for the compressed data.",
3690"    --strip=[none|crc|unsafe|unused|transform|color|all]:",
3691"        none (default):   Retain all chunks.",
3692"        crc:    Remove chunks with a bad CRC.",
3693"        unsafe: Remove chunks that may be unsafe to retain if the image data",
3694"                is modified.  This is set automatically if --max is given but",
3695"                may be cancelled by a later --strip=none.",
3696"        unused: Remove chunks not used by libpng when decoding an image.",
3697"                This retains any chunks that might be used by libpng image",
3698"                transformations.",
3699"        transform: unused+bKGD.",
3700"        color:  transform+iCCP and cHRM.",
3701"        all:    color+gAMA and sRGB.",
3702"      Only ancillary chunks are ever removed.  In addition the tRNS and sBIT",
3703"      chunks are never removed as they affect exact interpretation of the",
3704"      image pixel values.  The following known chunks are treated specially",
3705"      by the above options:",
3706"        gAMA, sRGB [all]: These specify the gamma encoding used for the pixel",
3707"            values.",
3708"        cHRM, iCCP [color]: These specify how colors are encoded.  iCCP also",
3709"            specifies the exact encoding of a pixel value; however, in",
3710"            practice most programs will ignore it.",
3711"        bKGD [transform]: This is used by libpng transforms."
3712"    --max=<number>:",
3713"      Use IDAT chunks sized <number>.  If no number is given the the IDAT",
3714"      chunks will be the maximum size permitted; 2^31-1 bytes.  If the option",
3715"      is omitted the original chunk sizes will not be changed.  When the",
3716"      option is given --strip=unsafe is set automatically. This may be",
3717"      cancelled if you know that all unknown unsafe-to-copy chunks really are",
3718"      safe to copy across an IDAT size change.  This is true of all chunks",
3719"      that have ever been formally proposed as PNG extensions.",
3720"  MESSAGES",
3721"      By default the program only outputs summaries for each file.",
3722"    --quiet (-q):",
3723"      Do not output the summaries except for files that cannot be read. With",
3724"      two --quiets these are not output either.",
3725"    --errors (-e):",
3726"      Output errors from libpng and the program (except too-far-back).",
3727"    --warnings (-w):",
3728"      Output warnings from libpng.",
3729"  OUTPUT",
3730"      By default nothing is written.",
3731"    --out=<file>:",
3732"      Write the optimized/corrected version of the next PNG to <file>.  This",
3733"      overrides the following two options",
3734"    --suffix=<suffix>:",
3735"      Set --out=<name><suffix> for all following files unless overridden on",
3736"      a per-file basis by explicit --out.",
3737"    --prefix=<prefix>:",
3738"      Set --out=<prefix><name> for all the following files unless overridden",
3739"      on a per-file basis by explicit --out.",
3740"      These two options can be used together to produce a suffix and prefix.",
3741"  INTERNAL OPTIONS",
3742#if 0 /*NYI*/
3743#ifdef PNG_MAXIMUM_INFLATE_WINDOW
3744"    --test:",
3745"      Test the PNG_MAXIMUM_INFLATE_WINDOW option.  Setting this disables",
3746"      output as this would produce a broken file.",
3747#endif
3748#endif
37490,
3750"EXIT CODES",
3751"  *** SUBJECT TO CHANGE ***",
3752"  The program exit code is value in the range 0..127 holding a bit mask of",
3753"  the following codes.  Notice that the results for each file are combined",
3754"  together - check one file at a time to get a meaningful error code!",
3755"    0x01: The zlib too-far-back error existed in at least one chunk.",
3756"    0x02: At least one chunk had a CRC error.",
3757"    0x04: A chunk length was incorrect.",
3758"    0x08: The file was truncated.",
3759"  Errors less than 16 are potentially recoverable, for a single file if the",
3760"  exit code is less than 16 the file could be read (with corrections if a",
3761"  non-zero code is returned).",
3762"    0x10: The file could not be read, even with corrections.",
3763"    0x20: The output file could not be written.",
3764"    0x40: An unexpected, potentially internal, error occurred.",
3765"  If the command line arguments are incorrect the program exits with exit",
3766"  255.  Some older operating systems only support 7-bit exit codes, on those",
3767"  systems it is suggested that this program is first tested by supplying",
3768"  invalid arguments.",
37690,
3770"DESCRIPTION",
3771"  " PROGRAM_NAME ":",
3772"  checks each PNG file on the command line for errors.  By default errors are",
3773"  not output and the program just returns an exit code and prints a summary.",
3774"  With the --quiet (-q) option the summaries are suppressed too and the",
3775"  program only outputs unexpected errors (internal errors and file open",
3776"  errors).",
3777"  Various known problems in PNG files are fixed while the file is being read",
3778"  The exit code says what problems were fixed.  In particular the zlib error:",
37790,
3780"        \"invalid distance too far back\"",
37810,
3782"  caused by an incorrect optimization of a zlib stream is fixed in any",
3783"  compressed chunk in which it is encountered.  An integrity problem of the",
3784"  PNG stream caused by a bug in libpng which wrote an incorrect chunk length",
3785"  is also fixed.  Chunk CRC errors are automatically fixed up.",
37860,
3787"  Setting one of the \"OUTPUT\" options causes the possibly modified file to",
3788"  be written to a new file.",
37890,
3790"  Notice that some PNG files with the zlib optimization problem can still be",
3791"  read by libpng under some circumstances.  This program will still detect",
3792"  and, if requested, correct the error.",
37930,
3794"  The program will reliably process all files on the command line unless",
3795"  either an invalid argument causes the usage message (this message) to be",
3796"  produced or the program crashes.",
37970,
3798"  The summary lines describe issues encountered with the zlib compressed",
3799"  stream of a chunk.  They have the following format, which is SUBJECT TO",
3800"  CHANGE in the future:",
38010,
3802"     chunk reason comp-level p1 p2 p3 p4 file",
38030,
3804"  p1 through p4 vary according to the 'reason'.  There are always 8 space",
3805"  separated fields.  Reasons specific formats are:",
38060,
3807"     chunk ERR status code read-errno write-errno message file",
3808"     chunk SKP comp-level file-bits zlib-rc compressed message file",
3809"     chunk ??? comp-level file-bits ok-bits compressed uncompress file",
38100,
3811"  The various fields are",
38120,
3813"$1 chunk:      The chunk type of a chunk in the file or 'HEAD' if a problem",
3814"               is reported by libpng at the start of the IDAT stream.",
3815"$2 reason:     One of:",
3816"          CHK: A zlib header checksum was detected and fixed.",
3817"          TFB: The zlib too far back error was detected and fixed.",
3818"          OK : No errors were detected in the zlib stream and optimization",
3819"               was not requested, or was not possible.",
3820"          OPT: The zlib stream window bits value could be improved (and was).",
3821"          SKP: The chunk was skipped because of a zlib issue (zlib-rc) with",
3822"               explanation 'message'",
3823"          ERR: The read of the file was aborted.  The parameters explain why.",
3824"$3 status:     For 'ERR' the accumulated status code from 'EXIT CODES' above.",
3825"               This is printed as a 2 digit hexadecimal value",
3826"   comp-level: The recorded compression level (FLEVEL) of a zlib stream",
3827"               expressed as a string {supfast,stdfast,default,maximum}",
3828"$4 code:       The file exit code; where stop was called, as a fairly terse",
3829"               string {warning,libpng,zlib,invalid,read,write,unexpected}.",
3830"   file-bits:  The zlib window bits recorded in the file.",
3831"$5 read-errno: A system errno value from a read translated by strerror(3).",
3832"   zlib-rc:    A zlib return code as a string (see zlib.h).",
3833"   ok-bits:    The smallest zlib window bits value that works.",
3834"$6 write-errno:A system errno value from a write translated by strerror(3).",
3835"   compressed: The count of compressed bytes in the zlib stream, when the",
3836"               reason is 'SKP'; this is a count of the bytes read from the",
3837"               stream when the fatal error was encountered.",
3838"$7 message:    An error message (spaces replaced by _, as in all parameters),",
3839"   uncompress: The count of bytes from uncompressing the zlib stream; this",
3840"               may not be the same as the number of bytes in the image.",
3841"$8 file:       The name of the file (this may contain spaces).",
3842};
3843
3844   fprintf(stderr, "Usage: %s {[options] png-file}\n", prog);
3845
3846   for (i=0; i < (sizeof usage_string)/(sizeof usage_string[0]); ++i)
3847   {
3848      if (usage_string[i] != 0)
3849         fputs(usage_string[i], stderr);
3850
3851      fputc('\n', stderr);
3852   }
3853
3854   exit(255);
3855}
3856
3857int
3858main(int argc, const char **argv)
3859{
3860   char temp_name[FILENAME_MAX+1];
3861   const char *  prog = *argv;
3862   const char *  outfile = NULL;
3863   const char *  suffix = NULL;
3864   const char *  prefix = NULL;
3865   int           done = 0; /* if at least one file is processed */
3866   struct global global;
3867
3868   global_init(&global);
3869
3870   while (--argc > 0)
3871   {
3872      ++argv;
3873
3874      if (strcmp(*argv, "--debug") == 0)
3875      {
3876         /* To help debugging problems: */
3877         global.errors = global.warnings = 1;
3878         global.quiet = 0;
3879         global.verbose = 7;
3880      }
3881
3882      else if (strncmp(*argv, "--max=", 6) == 0)
3883      {
3884         global.idat_max = (png_uint_32)atol(6+*argv);
3885
3886         if (global.skip < SKIP_UNSAFE)
3887            global.skip = SKIP_UNSAFE;
3888      }
3889
3890      else if (strcmp(*argv, "--max") == 0)
3891      {
3892         global.idat_max = 0x7fffffff;
3893
3894         if (global.skip < SKIP_UNSAFE)
3895            global.skip = SKIP_UNSAFE;
3896      }
3897
3898      else if (strcmp(*argv, "--optimize") == 0 || strcmp(*argv, "-o") == 0)
3899         global.optimize_zlib = 1;
3900
3901      else if (strncmp(*argv, "--out=", 6) == 0)
3902         outfile = 6+*argv;
3903
3904      else if (strncmp(*argv, "--suffix=", 9) == 0)
3905         suffix = 9+*argv;
3906
3907      else if (strncmp(*argv, "--prefix=", 9) == 0)
3908         prefix = 9+*argv;
3909
3910      else if (strcmp(*argv, "--strip=none") == 0)
3911         global.skip = SKIP_NONE;
3912
3913      else if (strcmp(*argv, "--strip=crc") == 0)
3914         global.skip = SKIP_BAD_CRC;
3915
3916      else if (strcmp(*argv, "--strip=unsafe") == 0)
3917         global.skip = SKIP_UNSAFE;
3918
3919      else if (strcmp(*argv, "--strip=unused") == 0)
3920         global.skip = SKIP_UNUSED;
3921
3922      else if (strcmp(*argv, "--strip=transform") == 0)
3923         global.skip = SKIP_TRANSFORM;
3924
3925      else if (strcmp(*argv, "--strip=color") == 0)
3926         global.skip = SKIP_COLOR;
3927
3928      else if (strcmp(*argv, "--strip=all") == 0)
3929         global.skip = SKIP_ALL;
3930
3931      else if (strcmp(*argv, "--errors") == 0 || strcmp(*argv, "-e") == 0)
3932         global.errors = 1;
3933
3934      else if (strcmp(*argv, "--warnings") == 0 || strcmp(*argv, "-w") == 0)
3935         global.warnings = 1;
3936
3937      else if (strcmp(*argv, "--quiet") == 0 || strcmp(*argv, "-q") == 0)
3938      {
3939         if (global.quiet)
3940            global.quiet = 2;
3941
3942         else
3943            global.quiet = 1;
3944      }
3945
3946      else if (strcmp(*argv, "--verbose") == 0 || strcmp(*argv, "-v") == 0)
3947         ++global.verbose;
3948
3949#if 0
3950      /* NYI */
3951#     ifdef PNG_MAXIMUM_INFLATE_WINDOW
3952         else if (strcmp(*argv, "--test") == 0)
3953            ++set_option;
3954#     endif
3955#endif
3956
3957      else if ((*argv)[0] == '-')
3958         usage(prog);
3959
3960      else
3961      {
3962         size_t outlen = strlen(*argv);
3963
3964         if (outfile == NULL) /* else this takes precedence */
3965         {
3966            /* Consider the prefix/suffix options */
3967            if (prefix != NULL)
3968            {
3969               size_t prefixlen = strlen(prefix);
3970
3971               if (prefixlen+outlen > FILENAME_MAX)
3972               {
3973                  fprintf(stderr, "%s: output file name too long: %s%s%s\n",
3974                     prog, prefix, *argv, suffix ? suffix : "");
3975                  global.status_code |= WRITE_ERROR;
3976                  continue;
3977               }
3978
3979               memcpy(temp_name, prefix, prefixlen);
3980               memcpy(temp_name+prefixlen, *argv, outlen);
3981               outlen += prefixlen;
3982               outfile = temp_name;
3983            }
3984
3985            else if (suffix != NULL)
3986               memcpy(temp_name, *argv, outlen);
3987
3988            temp_name[outlen] = 0;
3989
3990            if (suffix != NULL)
3991            {
3992               size_t suffixlen = strlen(suffix);
3993
3994               if (outlen+suffixlen > FILENAME_MAX)
3995               {
3996                  fprintf(stderr, "%s: output file name too long: %s%s\n",
3997                     prog, *argv, suffix);
3998                  global.status_code |= WRITE_ERROR;
3999                  continue;
4000               }
4001
4002               memcpy(temp_name+outlen, suffix, suffixlen);
4003               outlen += suffixlen;
4004               temp_name[outlen] = 0;
4005               outfile = temp_name;
4006            }
4007         }
4008
4009         (void)one_file(&global, *argv, outfile);
4010         ++done;
4011         outfile = NULL;
4012      }
4013   }
4014
4015   if (!done)
4016      usage(prog);
4017
4018   return global_end(&global);
4019}
4020
4021#else /* ZLIB_VERNUM < 0x1240 */
4022int
4023main(void)
4024{
4025   fprintf(stderr,
4026      "pngfix needs libpng with a zlib >=1.2.4 (not 0x%x)\n",
4027      ZLIB_VERNUM);
4028   return 77;
4029}
4030#endif /* ZLIB_VERNUM */
4031
4032#else /* No read support */
4033
4034int
4035main(void)
4036{
4037   fprintf(stderr, "pngfix does not work without read deinterlace support\n");
4038   return 77;
4039}
4040#endif /* PNG_READ_SUPPORTED && PNG_EASY_ACCESS_SUPPORTED */
4041#else /* No setjmp support */
4042int
4043main(void)
4044{
4045   fprintf(stderr, "pngfix does not work without setjmp support\n");
4046   return 77;
4047}
4048#endif /* PNG_SETJMP_SUPPORTED */
4049
4050