1 2/* pngpread.c - read a png file in push mode 3 * 4 * Last changed in libpng 1.6.18 [July 23, 2015] 5 * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson 6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 8 * 9 * This code is released under the libpng license. 10 * For conditions of distribution and use, see the disclaimer 11 * and license in png.h 12 */ 13 14#include "pngpriv.h" 15 16#ifdef PNG_PROGRESSIVE_READ_SUPPORTED 17 18/* Push model modes */ 19#define PNG_READ_SIG_MODE 0 20#define PNG_READ_CHUNK_MODE 1 21#define PNG_READ_IDAT_MODE 2 22#define PNG_READ_tEXt_MODE 4 23#define PNG_READ_zTXt_MODE 5 24#define PNG_READ_DONE_MODE 6 25#define PNG_READ_iTXt_MODE 7 26#define PNG_ERROR_MODE 8 27 28#define PNG_PUSH_SAVE_BUFFER_IF_FULL \ 29if (png_ptr->push_length + 4 > png_ptr->buffer_size) \ 30 { png_push_save_buffer(png_ptr); return; } 31#define PNG_PUSH_SAVE_BUFFER_IF_LT(N) \ 32if (png_ptr->buffer_size < N) \ 33 { png_push_save_buffer(png_ptr); return; } 34 35void PNGAPI 36png_process_data(png_structrp png_ptr, png_inforp info_ptr, 37 png_bytep buffer, png_size_t buffer_size) 38{ 39 if (png_ptr == NULL || info_ptr == NULL) 40 return; 41 42 png_push_restore_buffer(png_ptr, buffer, buffer_size); 43 44 while (png_ptr->buffer_size) 45 { 46 png_process_some_data(png_ptr, info_ptr); 47 } 48} 49 50png_size_t PNGAPI 51png_process_data_pause(png_structrp png_ptr, int save) 52{ 53 if (png_ptr != NULL) 54 { 55 /* It's easiest for the caller if we do the save; then the caller doesn't 56 * have to supply the same data again: 57 */ 58 if (save != 0) 59 png_push_save_buffer(png_ptr); 60 else 61 { 62 /* This includes any pending saved bytes: */ 63 png_size_t remaining = png_ptr->buffer_size; 64 png_ptr->buffer_size = 0; 65 66 /* So subtract the saved buffer size, unless all the data 67 * is actually 'saved', in which case we just return 0 68 */ 69 if (png_ptr->save_buffer_size < remaining) 70 return remaining - png_ptr->save_buffer_size; 71 } 72 } 73 74 return 0; 75} 76 77png_uint_32 PNGAPI 78png_process_data_skip(png_structrp png_ptr) 79{ 80 /* TODO: Deprecate and remove this API. 81 * Somewhere the implementation of this seems to have been lost, 82 * or abandoned. It was only to support some internal back-door access 83 * to png_struct) in libpng-1.4.x. 84 */ 85 png_app_warning(png_ptr, 86"png_process_data_skip is not implemented in any current version of libpng"); 87 return 0; 88} 89 90/* What we do with the incoming data depends on what we were previously 91 * doing before we ran out of data... 92 */ 93void /* PRIVATE */ 94png_process_some_data(png_structrp png_ptr, png_inforp info_ptr) 95{ 96 if (png_ptr == NULL) 97 return; 98 99 switch (png_ptr->process_mode) 100 { 101 case PNG_READ_SIG_MODE: 102 { 103 png_push_read_sig(png_ptr, info_ptr); 104 break; 105 } 106 107 case PNG_READ_CHUNK_MODE: 108 { 109 png_push_read_chunk(png_ptr, info_ptr); 110 break; 111 } 112 113 case PNG_READ_IDAT_MODE: 114 { 115 png_push_read_IDAT(png_ptr); 116 break; 117 } 118 119 default: 120 { 121 png_ptr->buffer_size = 0; 122 break; 123 } 124 } 125} 126 127/* Read any remaining signature bytes from the stream and compare them with 128 * the correct PNG signature. It is possible that this routine is called 129 * with bytes already read from the signature, either because they have been 130 * checked by the calling application, or because of multiple calls to this 131 * routine. 132 */ 133void /* PRIVATE */ 134png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr) 135{ 136 png_size_t num_checked = png_ptr->sig_bytes, /* SAFE, does not exceed 8 */ 137 num_to_check = 8 - num_checked; 138 139 if (png_ptr->buffer_size < num_to_check) 140 { 141 num_to_check = png_ptr->buffer_size; 142 } 143 144 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]), 145 num_to_check); 146 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check); 147 148 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check)) 149 { 150 if (num_checked < 4 && 151 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4)) 152 png_error(png_ptr, "Not a PNG file"); 153 154 else 155 png_error(png_ptr, "PNG file corrupted by ASCII conversion"); 156 } 157 else 158 { 159 if (png_ptr->sig_bytes >= 8) 160 { 161 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 162 } 163 } 164} 165 166void /* PRIVATE */ 167png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr) 168{ 169 png_uint_32 chunk_name; 170#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 171 int keep; /* unknown handling method */ 172#endif 173 174 /* First we make sure we have enough data for the 4-byte chunk name 175 * and the 4-byte chunk length before proceeding with decoding the 176 * chunk data. To fully decode each of these chunks, we also make 177 * sure we have enough data in the buffer for the 4-byte CRC at the 178 * end of every chunk (except IDAT, which is handled separately). 179 */ 180 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0) 181 { 182 png_byte chunk_length[4]; 183 png_byte chunk_tag[4]; 184 185 PNG_PUSH_SAVE_BUFFER_IF_LT(8) 186 png_push_fill_buffer(png_ptr, chunk_length, 4); 187 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 188 png_reset_crc(png_ptr); 189 png_crc_read(png_ptr, chunk_tag, 4); 190 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 191 png_check_chunk_name(png_ptr, png_ptr->chunk_name); 192 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 193 } 194 195 chunk_name = png_ptr->chunk_name; 196 197 if (chunk_name == png_IDAT) 198 { 199 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0) 200 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT; 201 202 /* If we reach an IDAT chunk, this means we have read all of the 203 * header chunks, and we can start reading the image (or if this 204 * is called after the image has been read - we have an error). 205 */ 206 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) 207 png_error(png_ptr, "Missing IHDR before IDAT"); 208 209 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && 210 (png_ptr->mode & PNG_HAVE_PLTE) == 0) 211 png_error(png_ptr, "Missing PLTE before IDAT"); 212 213 png_ptr->mode |= PNG_HAVE_IDAT; 214 png_ptr->process_mode = PNG_READ_IDAT_MODE; 215 216 if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0) 217 if (png_ptr->push_length == 0) 218 return; 219 220 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0) 221 png_benign_error(png_ptr, "Too many IDATs found"); 222 } 223 224 if (chunk_name == png_IHDR) 225 { 226 if (png_ptr->push_length != 13) 227 png_error(png_ptr, "Invalid IHDR length"); 228 229 PNG_PUSH_SAVE_BUFFER_IF_FULL 230 png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length); 231 } 232 233 else if (chunk_name == png_IEND) 234 { 235 PNG_PUSH_SAVE_BUFFER_IF_FULL 236 png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length); 237 238 png_ptr->process_mode = PNG_READ_DONE_MODE; 239 png_push_have_end(png_ptr, info_ptr); 240 } 241 242#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 243 else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0) 244 { 245 PNG_PUSH_SAVE_BUFFER_IF_FULL 246 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep); 247 248 if (chunk_name == png_PLTE) 249 png_ptr->mode |= PNG_HAVE_PLTE; 250 } 251#endif 252 253 else if (chunk_name == png_PLTE) 254 { 255 PNG_PUSH_SAVE_BUFFER_IF_FULL 256 png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length); 257 } 258 259 else if (chunk_name == png_IDAT) 260 { 261 png_ptr->idat_size = png_ptr->push_length; 262 png_ptr->process_mode = PNG_READ_IDAT_MODE; 263 png_push_have_info(png_ptr, info_ptr); 264 png_ptr->zstream.avail_out = 265 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth, 266 png_ptr->iwidth) + 1; 267 png_ptr->zstream.next_out = png_ptr->row_buf; 268 return; 269 } 270 271#ifdef PNG_READ_gAMA_SUPPORTED 272 else if (png_ptr->chunk_name == png_gAMA) 273 { 274 PNG_PUSH_SAVE_BUFFER_IF_FULL 275 png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length); 276 } 277 278#endif 279#ifdef PNG_READ_sBIT_SUPPORTED 280 else if (png_ptr->chunk_name == png_sBIT) 281 { 282 PNG_PUSH_SAVE_BUFFER_IF_FULL 283 png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length); 284 } 285 286#endif 287#ifdef PNG_READ_cHRM_SUPPORTED 288 else if (png_ptr->chunk_name == png_cHRM) 289 { 290 PNG_PUSH_SAVE_BUFFER_IF_FULL 291 png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length); 292 } 293 294#endif 295#ifdef PNG_READ_sRGB_SUPPORTED 296 else if (chunk_name == png_sRGB) 297 { 298 PNG_PUSH_SAVE_BUFFER_IF_FULL 299 png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length); 300 } 301 302#endif 303#ifdef PNG_READ_iCCP_SUPPORTED 304 else if (png_ptr->chunk_name == png_iCCP) 305 { 306 PNG_PUSH_SAVE_BUFFER_IF_FULL 307 png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length); 308 } 309 310#endif 311#ifdef PNG_READ_sPLT_SUPPORTED 312 else if (chunk_name == png_sPLT) 313 { 314 PNG_PUSH_SAVE_BUFFER_IF_FULL 315 png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length); 316 } 317 318#endif 319#ifdef PNG_READ_tRNS_SUPPORTED 320 else if (chunk_name == png_tRNS) 321 { 322 PNG_PUSH_SAVE_BUFFER_IF_FULL 323 png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length); 324 } 325 326#endif 327#ifdef PNG_READ_bKGD_SUPPORTED 328 else if (chunk_name == png_bKGD) 329 { 330 PNG_PUSH_SAVE_BUFFER_IF_FULL 331 png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length); 332 } 333 334#endif 335#ifdef PNG_READ_hIST_SUPPORTED 336 else if (chunk_name == png_hIST) 337 { 338 PNG_PUSH_SAVE_BUFFER_IF_FULL 339 png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length); 340 } 341 342#endif 343#ifdef PNG_READ_pHYs_SUPPORTED 344 else if (chunk_name == png_pHYs) 345 { 346 PNG_PUSH_SAVE_BUFFER_IF_FULL 347 png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length); 348 } 349 350#endif 351#ifdef PNG_READ_oFFs_SUPPORTED 352 else if (chunk_name == png_oFFs) 353 { 354 PNG_PUSH_SAVE_BUFFER_IF_FULL 355 png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length); 356 } 357#endif 358 359#ifdef PNG_READ_pCAL_SUPPORTED 360 else if (chunk_name == png_pCAL) 361 { 362 PNG_PUSH_SAVE_BUFFER_IF_FULL 363 png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length); 364 } 365 366#endif 367#ifdef PNG_READ_sCAL_SUPPORTED 368 else if (chunk_name == png_sCAL) 369 { 370 PNG_PUSH_SAVE_BUFFER_IF_FULL 371 png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length); 372 } 373 374#endif 375#ifdef PNG_READ_tIME_SUPPORTED 376 else if (chunk_name == png_tIME) 377 { 378 PNG_PUSH_SAVE_BUFFER_IF_FULL 379 png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length); 380 } 381 382#endif 383#ifdef PNG_READ_tEXt_SUPPORTED 384 else if (chunk_name == png_tEXt) 385 { 386 PNG_PUSH_SAVE_BUFFER_IF_FULL 387 png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length); 388 } 389 390#endif 391#ifdef PNG_READ_zTXt_SUPPORTED 392 else if (chunk_name == png_zTXt) 393 { 394 PNG_PUSH_SAVE_BUFFER_IF_FULL 395 png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length); 396 } 397 398#endif 399#ifdef PNG_READ_iTXt_SUPPORTED 400 else if (chunk_name == png_iTXt) 401 { 402 PNG_PUSH_SAVE_BUFFER_IF_FULL 403 png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length); 404 } 405#endif 406 407 else 408 { 409 PNG_PUSH_SAVE_BUFFER_IF_FULL 410 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, 411 PNG_HANDLE_CHUNK_AS_DEFAULT); 412 } 413 414 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 415} 416 417void PNGCBAPI 418png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length) 419{ 420 png_bytep ptr; 421 422 if (png_ptr == NULL) 423 return; 424 425 ptr = buffer; 426 if (png_ptr->save_buffer_size != 0) 427 { 428 png_size_t save_size; 429 430 if (length < png_ptr->save_buffer_size) 431 save_size = length; 432 433 else 434 save_size = png_ptr->save_buffer_size; 435 436 memcpy(ptr, png_ptr->save_buffer_ptr, save_size); 437 length -= save_size; 438 ptr += save_size; 439 png_ptr->buffer_size -= save_size; 440 png_ptr->save_buffer_size -= save_size; 441 png_ptr->save_buffer_ptr += save_size; 442 } 443 if (length != 0 && png_ptr->current_buffer_size != 0) 444 { 445 png_size_t save_size; 446 447 if (length < png_ptr->current_buffer_size) 448 save_size = length; 449 450 else 451 save_size = png_ptr->current_buffer_size; 452 453 memcpy(ptr, png_ptr->current_buffer_ptr, save_size); 454 png_ptr->buffer_size -= save_size; 455 png_ptr->current_buffer_size -= save_size; 456 png_ptr->current_buffer_ptr += save_size; 457 } 458} 459 460void /* PRIVATE */ 461png_push_save_buffer(png_structrp png_ptr) 462{ 463 if (png_ptr->save_buffer_size != 0) 464 { 465 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer) 466 { 467 png_size_t i, istop; 468 png_bytep sp; 469 png_bytep dp; 470 471 istop = png_ptr->save_buffer_size; 472 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer; 473 i < istop; i++, sp++, dp++) 474 { 475 *dp = *sp; 476 } 477 } 478 } 479 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size > 480 png_ptr->save_buffer_max) 481 { 482 png_size_t new_max; 483 png_bytep old_buffer; 484 485 if (png_ptr->save_buffer_size > PNG_SIZE_MAX - 486 (png_ptr->current_buffer_size + 256)) 487 { 488 png_error(png_ptr, "Potential overflow of save_buffer"); 489 } 490 491 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; 492 old_buffer = png_ptr->save_buffer; 493 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr, 494 (png_size_t)new_max); 495 496 if (png_ptr->save_buffer == NULL) 497 { 498 png_free(png_ptr, old_buffer); 499 png_error(png_ptr, "Insufficient memory for save_buffer"); 500 } 501 502#if 0 503 // This is the code checked into libpng. Calling memcpy with a null 504 // source is undefined, even if count is 0, but libpng does not 505 // currently check for null or 0. The Skia fix is below. 506 // skbug.com/5390 507 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size); 508#else 509 if (old_buffer) 510 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size); 511 else if (png_ptr->save_buffer_size) 512 png_error(png_ptr, "save_buffer error"); 513#endif 514 png_free(png_ptr, old_buffer); 515 png_ptr->save_buffer_max = new_max; 516 } 517 if (png_ptr->current_buffer_size) 518 { 519 memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size, 520 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size); 521 png_ptr->save_buffer_size += png_ptr->current_buffer_size; 522 png_ptr->current_buffer_size = 0; 523 } 524 png_ptr->save_buffer_ptr = png_ptr->save_buffer; 525 png_ptr->buffer_size = 0; 526} 527 528void /* PRIVATE */ 529png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer, 530 png_size_t buffer_length) 531{ 532 png_ptr->current_buffer = buffer; 533 png_ptr->current_buffer_size = buffer_length; 534 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size; 535 png_ptr->current_buffer_ptr = png_ptr->current_buffer; 536} 537 538void /* PRIVATE */ 539png_push_read_IDAT(png_structrp png_ptr) 540{ 541 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0) 542 { 543 png_byte chunk_length[4]; 544 png_byte chunk_tag[4]; 545 546 /* TODO: this code can be commoned up with the same code in push_read */ 547 PNG_PUSH_SAVE_BUFFER_IF_LT(8) 548 png_push_fill_buffer(png_ptr, chunk_length, 4); 549 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 550 png_reset_crc(png_ptr); 551 png_crc_read(png_ptr, chunk_tag, 4); 552 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 553 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 554 555 if (png_ptr->chunk_name != png_IDAT) 556 { 557 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 558 559 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) 560 png_error(png_ptr, "Not enough compressed data"); 561 562 return; 563 } 564 565 png_ptr->idat_size = png_ptr->push_length; 566 } 567 568 if (png_ptr->idat_size != 0 && png_ptr->save_buffer_size != 0) 569 { 570 png_size_t save_size = png_ptr->save_buffer_size; 571 png_uint_32 idat_size = png_ptr->idat_size; 572 573 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 574 * are of different types and we don't know which variable has the fewest 575 * bits. Carefully select the smaller and cast it to the type of the 576 * larger - this cannot overflow. Do not cast in the following test - it 577 * will break on either 16-bit or 64-bit platforms. 578 */ 579 if (idat_size < save_size) 580 save_size = (png_size_t)idat_size; 581 582 else 583 idat_size = (png_uint_32)save_size; 584 585 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size); 586 587 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size); 588 589 png_ptr->idat_size -= idat_size; 590 png_ptr->buffer_size -= save_size; 591 png_ptr->save_buffer_size -= save_size; 592 png_ptr->save_buffer_ptr += save_size; 593 } 594 595 if (png_ptr->idat_size != 0 && png_ptr->current_buffer_size != 0) 596 { 597 png_size_t save_size = png_ptr->current_buffer_size; 598 png_uint_32 idat_size = png_ptr->idat_size; 599 600 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 601 * are of different types and we don't know which variable has the fewest 602 * bits. Carefully select the smaller and cast it to the type of the 603 * larger - this cannot overflow. 604 */ 605 if (idat_size < save_size) 606 save_size = (png_size_t)idat_size; 607 608 else 609 idat_size = (png_uint_32)save_size; 610 611 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size); 612 613 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size); 614 615 png_ptr->idat_size -= idat_size; 616 png_ptr->buffer_size -= save_size; 617 png_ptr->current_buffer_size -= save_size; 618 png_ptr->current_buffer_ptr += save_size; 619 } 620 621 if (png_ptr->idat_size == 0) 622 { 623 PNG_PUSH_SAVE_BUFFER_IF_LT(4) 624 png_crc_finish(png_ptr, 0); 625 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 626 png_ptr->mode |= PNG_AFTER_IDAT; 627 png_ptr->zowner = 0; 628 } 629} 630 631void /* PRIVATE */ 632png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer, 633 png_size_t buffer_length) 634{ 635 /* The caller checks for a non-zero buffer length. */ 636 if (!(buffer_length > 0) || buffer == NULL) 637 png_error(png_ptr, "No IDAT data (internal error)"); 638 639 /* This routine must process all the data it has been given 640 * before returning, calling the row callback as required to 641 * handle the uncompressed results. 642 */ 643 png_ptr->zstream.next_in = buffer; 644 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 645 png_ptr->zstream.avail_in = (uInt)buffer_length; 646 647 /* Keep going until the decompressed data is all processed 648 * or the stream marked as finished. 649 */ 650 while (png_ptr->zstream.avail_in > 0 && 651 (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) 652 { 653 int ret; 654 655 /* We have data for zlib, but we must check that zlib 656 * has someplace to put the results. It doesn't matter 657 * if we don't expect any results -- it may be the input 658 * data is just the LZ end code. 659 */ 660 if (!(png_ptr->zstream.avail_out > 0)) 661 { 662 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 663 png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth, 664 png_ptr->iwidth) + 1); 665 666 png_ptr->zstream.next_out = png_ptr->row_buf; 667 } 668 669 /* Using Z_SYNC_FLUSH here means that an unterminated 670 * LZ stream (a stream with a missing end code) can still 671 * be handled, otherwise (Z_NO_FLUSH) a future zlib 672 * implementation might defer output and therefore 673 * change the current behavior (see comments in inflate.c 674 * for why this doesn't happen at present with zlib 1.2.5). 675 */ 676 ret = PNG_INFLATE(png_ptr, Z_SYNC_FLUSH); 677 678 /* Check for any failure before proceeding. */ 679 if (ret != Z_OK && ret != Z_STREAM_END) 680 { 681 /* Terminate the decompression. */ 682 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 683 png_ptr->zowner = 0; 684 685 /* This may be a truncated stream (missing or 686 * damaged end code). Treat that as a warning. 687 */ 688 if (png_ptr->row_number >= png_ptr->num_rows || 689 png_ptr->pass > 6) 690 png_warning(png_ptr, "Truncated compressed data in IDAT"); 691 692 else 693 png_error(png_ptr, "Decompression error in IDAT"); 694 695 /* Skip the check on unprocessed input */ 696 return; 697 } 698 699 /* Did inflate output any data? */ 700 if (png_ptr->zstream.next_out != png_ptr->row_buf) 701 { 702 /* Is this unexpected data after the last row? 703 * If it is, artificially terminate the LZ output 704 * here. 705 */ 706 if (png_ptr->row_number >= png_ptr->num_rows || 707 png_ptr->pass > 6) 708 { 709 /* Extra data. */ 710 png_warning(png_ptr, "Extra compressed data in IDAT"); 711 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 712 png_ptr->zowner = 0; 713 714 /* Do no more processing; skip the unprocessed 715 * input check below. 716 */ 717 return; 718 } 719 720 /* Do we have a complete row? */ 721 if (png_ptr->zstream.avail_out == 0) 722 png_push_process_row(png_ptr); 723 } 724 725 /* And check for the end of the stream. */ 726 if (ret == Z_STREAM_END) 727 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 728 } 729 730 /* All the data should have been processed, if anything 731 * is left at this point we have bytes of IDAT data 732 * after the zlib end code. 733 */ 734 if (png_ptr->zstream.avail_in > 0) 735 png_warning(png_ptr, "Extra compression data in IDAT"); 736} 737 738void /* PRIVATE */ 739png_push_process_row(png_structrp png_ptr) 740{ 741 /* 1.5.6: row_info moved out of png_struct to a local here. */ 742 png_row_info row_info; 743 744 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */ 745 row_info.color_type = png_ptr->color_type; 746 row_info.bit_depth = png_ptr->bit_depth; 747 row_info.channels = png_ptr->channels; 748 row_info.pixel_depth = png_ptr->pixel_depth; 749 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width); 750 751 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE) 752 { 753 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST) 754 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1, 755 png_ptr->prev_row + 1, png_ptr->row_buf[0]); 756 else 757 png_error(png_ptr, "bad adaptive filter value"); 758 } 759 760 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before 761 * 1.5.6, while the buffer really is this big in current versions of libpng 762 * it may not be in the future, so this was changed just to copy the 763 * interlaced row count: 764 */ 765 memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1); 766 767#ifdef PNG_READ_TRANSFORMS_SUPPORTED 768 if (png_ptr->transformations != 0) 769 png_do_read_transformations(png_ptr, &row_info); 770#endif 771 772 /* The transformed pixel depth should match the depth now in row_info. */ 773 if (png_ptr->transformed_pixel_depth == 0) 774 { 775 png_ptr->transformed_pixel_depth = row_info.pixel_depth; 776 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth) 777 png_error(png_ptr, "progressive row overflow"); 778 } 779 780 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth) 781 png_error(png_ptr, "internal progressive row size calculation error"); 782 783 784#ifdef PNG_READ_INTERLACING_SUPPORTED 785 /* Expand interlaced rows to full size */ 786 if (png_ptr->interlaced != 0 && 787 (png_ptr->transformations & PNG_INTERLACE) != 0) 788 { 789 if (png_ptr->pass < 6) 790 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass, 791 png_ptr->transformations); 792 793 switch (png_ptr->pass) 794 { 795 case 0: 796 { 797 int i; 798 for (i = 0; i < 8 && png_ptr->pass == 0; i++) 799 { 800 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 801 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */ 802 } 803 804 if (png_ptr->pass == 2) /* Pass 1 might be empty */ 805 { 806 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 807 { 808 png_push_have_row(png_ptr, NULL); 809 png_read_push_finish_row(png_ptr); 810 } 811 } 812 813 if (png_ptr->pass == 4 && png_ptr->height <= 4) 814 { 815 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 816 { 817 png_push_have_row(png_ptr, NULL); 818 png_read_push_finish_row(png_ptr); 819 } 820 } 821 822 if (png_ptr->pass == 6 && png_ptr->height <= 4) 823 { 824 png_push_have_row(png_ptr, NULL); 825 png_read_push_finish_row(png_ptr); 826 } 827 828 break; 829 } 830 831 case 1: 832 { 833 int i; 834 for (i = 0; i < 8 && png_ptr->pass == 1; i++) 835 { 836 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 837 png_read_push_finish_row(png_ptr); 838 } 839 840 if (png_ptr->pass == 2) /* Skip top 4 generated rows */ 841 { 842 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 843 { 844 png_push_have_row(png_ptr, NULL); 845 png_read_push_finish_row(png_ptr); 846 } 847 } 848 849 break; 850 } 851 852 case 2: 853 { 854 int i; 855 856 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 857 { 858 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 859 png_read_push_finish_row(png_ptr); 860 } 861 862 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 863 { 864 png_push_have_row(png_ptr, NULL); 865 png_read_push_finish_row(png_ptr); 866 } 867 868 if (png_ptr->pass == 4) /* Pass 3 might be empty */ 869 { 870 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 871 { 872 png_push_have_row(png_ptr, NULL); 873 png_read_push_finish_row(png_ptr); 874 } 875 } 876 877 break; 878 } 879 880 case 3: 881 { 882 int i; 883 884 for (i = 0; i < 4 && png_ptr->pass == 3; i++) 885 { 886 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 887 png_read_push_finish_row(png_ptr); 888 } 889 890 if (png_ptr->pass == 4) /* Skip top two generated rows */ 891 { 892 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 893 { 894 png_push_have_row(png_ptr, NULL); 895 png_read_push_finish_row(png_ptr); 896 } 897 } 898 899 break; 900 } 901 902 case 4: 903 { 904 int i; 905 906 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 907 { 908 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 909 png_read_push_finish_row(png_ptr); 910 } 911 912 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 913 { 914 png_push_have_row(png_ptr, NULL); 915 png_read_push_finish_row(png_ptr); 916 } 917 918 if (png_ptr->pass == 6) /* Pass 5 might be empty */ 919 { 920 png_push_have_row(png_ptr, NULL); 921 png_read_push_finish_row(png_ptr); 922 } 923 924 break; 925 } 926 927 case 5: 928 { 929 int i; 930 931 for (i = 0; i < 2 && png_ptr->pass == 5; i++) 932 { 933 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 934 png_read_push_finish_row(png_ptr); 935 } 936 937 if (png_ptr->pass == 6) /* Skip top generated row */ 938 { 939 png_push_have_row(png_ptr, NULL); 940 png_read_push_finish_row(png_ptr); 941 } 942 943 break; 944 } 945 946 default: 947 case 6: 948 { 949 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 950 png_read_push_finish_row(png_ptr); 951 952 if (png_ptr->pass != 6) 953 break; 954 955 png_push_have_row(png_ptr, NULL); 956 png_read_push_finish_row(png_ptr); 957 } 958 } 959 } 960 else 961#endif 962 { 963 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 964 png_read_push_finish_row(png_ptr); 965 } 966} 967 968void /* PRIVATE */ 969png_read_push_finish_row(png_structrp png_ptr) 970{ 971#ifdef PNG_READ_INTERLACING_SUPPORTED 972 /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ 973 974 /* Start of interlace block */ 975 static PNG_CONST png_byte png_pass_start[] = {0, 4, 0, 2, 0, 1, 0}; 976 977 /* Offset to next interlace block */ 978 static PNG_CONST png_byte png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1}; 979 980 /* Start of interlace block in the y direction */ 981 static PNG_CONST png_byte png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1}; 982 983 /* Offset to next interlace block in the y direction */ 984 static PNG_CONST png_byte png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2}; 985 986 /* Height of interlace block. This is not currently used - if you need 987 * it, uncomment it here and in png.h 988 static PNG_CONST png_byte png_pass_height[] = {8, 8, 4, 4, 2, 2, 1}; 989 */ 990#endif 991 992 png_ptr->row_number++; 993 if (png_ptr->row_number < png_ptr->num_rows) 994 return; 995 996#ifdef PNG_READ_INTERLACING_SUPPORTED 997 if (png_ptr->interlaced != 0) 998 { 999 png_ptr->row_number = 0; 1000 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1); 1001 1002 do 1003 { 1004 png_ptr->pass++; 1005 if ((png_ptr->pass == 1 && png_ptr->width < 5) || 1006 (png_ptr->pass == 3 && png_ptr->width < 3) || 1007 (png_ptr->pass == 5 && png_ptr->width < 2)) 1008 png_ptr->pass++; 1009 1010 if (png_ptr->pass > 7) 1011 png_ptr->pass--; 1012 1013 if (png_ptr->pass >= 7) 1014 break; 1015 1016 png_ptr->iwidth = (png_ptr->width + 1017 png_pass_inc[png_ptr->pass] - 1 - 1018 png_pass_start[png_ptr->pass]) / 1019 png_pass_inc[png_ptr->pass]; 1020 1021 if ((png_ptr->transformations & PNG_INTERLACE) != 0) 1022 break; 1023 1024 png_ptr->num_rows = (png_ptr->height + 1025 png_pass_yinc[png_ptr->pass] - 1 - 1026 png_pass_ystart[png_ptr->pass]) / 1027 png_pass_yinc[png_ptr->pass]; 1028 1029 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0); 1030 } 1031#endif /* READ_INTERLACING */ 1032} 1033 1034void /* PRIVATE */ 1035png_push_have_info(png_structrp png_ptr, png_inforp info_ptr) 1036{ 1037 if (png_ptr->info_fn != NULL) 1038 (*(png_ptr->info_fn))(png_ptr, info_ptr); 1039} 1040 1041void /* PRIVATE */ 1042png_push_have_end(png_structrp png_ptr, png_inforp info_ptr) 1043{ 1044 if (png_ptr->end_fn != NULL) 1045 (*(png_ptr->end_fn))(png_ptr, info_ptr); 1046} 1047 1048void /* PRIVATE */ 1049png_push_have_row(png_structrp png_ptr, png_bytep row) 1050{ 1051 if (png_ptr->row_fn != NULL) 1052 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number, 1053 (int)png_ptr->pass); 1054} 1055 1056#ifdef PNG_READ_INTERLACING_SUPPORTED 1057void PNGAPI 1058png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row, 1059 png_const_bytep new_row) 1060{ 1061 if (png_ptr == NULL) 1062 return; 1063 1064 /* new_row is a flag here - if it is NULL then the app callback was called 1065 * from an empty row (see the calls to png_struct::row_fn below), otherwise 1066 * it must be png_ptr->row_buf+1 1067 */ 1068 if (new_row != NULL) 1069 png_combine_row(png_ptr, old_row, 1/*blocky display*/); 1070} 1071#endif /* READ_INTERLACING */ 1072 1073void PNGAPI 1074png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr, 1075 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn, 1076 png_progressive_end_ptr end_fn) 1077{ 1078 if (png_ptr == NULL) 1079 return; 1080 1081 png_ptr->info_fn = info_fn; 1082 png_ptr->row_fn = row_fn; 1083 png_ptr->end_fn = end_fn; 1084 1085 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer); 1086} 1087 1088png_voidp PNGAPI 1089png_get_progressive_ptr(png_const_structrp png_ptr) 1090{ 1091 if (png_ptr == NULL) 1092 return (NULL); 1093 1094 return png_ptr->io_ptr; 1095} 1096#endif /* PROGRESSIVE_READ */ 1097