png.c revision 9b1fe63dcc7ba076b9730b7bfa031cc0dbc25561
1 2/* png.c - location for general purpose libpng functions 3 * 4 * Last changed in libpng 1.6.19 [November 12, 2015] 5 * Copyright (c) 1998-2015 Glenn Randers-Pehrson 6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) 7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) 8 * 9 * This code is released under the libpng license. 10 * For conditions of distribution and use, see the disclaimer 11 * and license in png.h 12 */ 13 14#include "pngpriv.h" 15 16/* Generate a compiler error if there is an old png.h in the search path. */ 17typedef png_libpng_version_1_6_19 Your_png_h_is_not_version_1_6_19; 18 19/* Tells libpng that we have already handled the first "num_bytes" bytes 20 * of the PNG file signature. If the PNG data is embedded into another 21 * stream we can set num_bytes = 8 so that libpng will not attempt to read 22 * or write any of the magic bytes before it starts on the IHDR. 23 */ 24 25#ifdef PNG_READ_SUPPORTED 26void PNGAPI 27png_set_sig_bytes(png_structrp png_ptr, int num_bytes) 28{ 29 unsigned int nb = (unsigned int)num_bytes; 30 31 png_debug(1, "in png_set_sig_bytes"); 32 33 if (png_ptr == NULL) 34 return; 35 36 if (num_bytes < 0) 37 nb = 0; 38 39 if (nb > 8) 40 png_error(png_ptr, "Too many bytes for PNG signature"); 41 42 png_ptr->sig_bytes = (png_byte)nb; 43} 44 45/* Checks whether the supplied bytes match the PNG signature. We allow 46 * checking less than the full 8-byte signature so that those apps that 47 * already read the first few bytes of a file to determine the file type 48 * can simply check the remaining bytes for extra assurance. Returns 49 * an integer less than, equal to, or greater than zero if sig is found, 50 * respectively, to be less than, to match, or be greater than the correct 51 * PNG signature (this is the same behavior as strcmp, memcmp, etc). 52 */ 53int PNGAPI 54png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check) 55{ 56 png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10}; 57 58 if (num_to_check > 8) 59 num_to_check = 8; 60 61 else if (num_to_check < 1) 62 return (-1); 63 64 if (start > 7) 65 return (-1); 66 67 if (start + num_to_check > 8) 68 num_to_check = 8 - start; 69 70 return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check))); 71} 72 73#endif /* READ */ 74 75#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 76/* Function to allocate memory for zlib */ 77PNG_FUNCTION(voidpf /* PRIVATE */, 78png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED) 79{ 80 png_alloc_size_t num_bytes = size; 81 82 if (png_ptr == NULL) 83 return NULL; 84 85 if (items >= (~(png_alloc_size_t)0)/size) 86 { 87 png_warning (png_voidcast(png_structrp, png_ptr), 88 "Potential overflow in png_zalloc()"); 89 return NULL; 90 } 91 92 num_bytes *= items; 93 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes); 94} 95 96/* Function to free memory for zlib */ 97void /* PRIVATE */ 98png_zfree(voidpf png_ptr, voidpf ptr) 99{ 100 png_free(png_voidcast(png_const_structrp,png_ptr), ptr); 101} 102 103/* Reset the CRC variable to 32 bits of 1's. Care must be taken 104 * in case CRC is > 32 bits to leave the top bits 0. 105 */ 106void /* PRIVATE */ 107png_reset_crc(png_structrp png_ptr) 108{ 109 /* The cast is safe because the crc is a 32-bit value. */ 110 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0); 111} 112 113/* Calculate the CRC over a section of data. We can only pass as 114 * much data to this routine as the largest single buffer size. We 115 * also check that this data will actually be used before going to the 116 * trouble of calculating it. 117 */ 118void /* PRIVATE */ 119png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, png_size_t length) 120{ 121 int need_crc = 1; 122 123 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0) 124 { 125 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) == 126 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN)) 127 need_crc = 0; 128 } 129 130 else /* critical */ 131 { 132 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0) 133 need_crc = 0; 134 } 135 136 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some 137 * systems it is a 64-bit value. crc32, however, returns 32 bits so the 138 * following cast is safe. 'uInt' may be no more than 16 bits, so it is 139 * necessary to perform a loop here. 140 */ 141 if (need_crc != 0 && length > 0) 142 { 143 uLong crc = png_ptr->crc; /* Should never issue a warning */ 144 145 do 146 { 147 uInt safe_length = (uInt)length; 148#ifndef __COVERITY__ 149 if (safe_length == 0) 150 safe_length = (uInt)-1; /* evil, but safe */ 151#endif 152 153 crc = crc32(crc, ptr, safe_length); 154 155 /* The following should never issue compiler warnings; if they do the 156 * target system has characteristics that will probably violate other 157 * assumptions within the libpng code. 158 */ 159 ptr += safe_length; 160 length -= safe_length; 161 } 162 while (length > 0); 163 164 /* And the following is always safe because the crc is only 32 bits. */ 165 png_ptr->crc = (png_uint_32)crc; 166 } 167} 168 169/* Check a user supplied version number, called from both read and write 170 * functions that create a png_struct. 171 */ 172int 173png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver) 174{ 175 /* Libpng versions 1.0.0 and later are binary compatible if the version 176 * string matches through the second '.'; we must recompile any 177 * applications that use any older library version. 178 */ 179 180 if (user_png_ver != NULL) 181 { 182 int i = -1; 183 int found_dots = 0; 184 185 do 186 { 187 i++; 188 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i]) 189 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; 190 if (user_png_ver[i] == '.') 191 found_dots++; 192 } while (found_dots < 2 && user_png_ver[i] != 0 && 193 PNG_LIBPNG_VER_STRING[i] != 0); 194 } 195 196 else 197 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH; 198 199 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0) 200 { 201#ifdef PNG_WARNINGS_SUPPORTED 202 size_t pos = 0; 203 char m[128]; 204 205 pos = png_safecat(m, (sizeof m), pos, 206 "Application built with libpng-"); 207 pos = png_safecat(m, (sizeof m), pos, user_png_ver); 208 pos = png_safecat(m, (sizeof m), pos, " but running with "); 209 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING); 210 PNG_UNUSED(pos) 211 212 png_warning(png_ptr, m); 213#endif 214 215#ifdef PNG_ERROR_NUMBERS_SUPPORTED 216 png_ptr->flags = 0; 217#endif 218 219 return 0; 220 } 221 222 /* Success return. */ 223 return 1; 224} 225 226/* Generic function to create a png_struct for either read or write - this 227 * contains the common initialization. 228 */ 229PNG_FUNCTION(png_structp /* PRIVATE */, 230png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr, 231 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr, 232 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED) 233{ 234 png_struct create_struct; 235# ifdef PNG_SETJMP_SUPPORTED 236 jmp_buf create_jmp_buf; 237# endif 238 239 /* This temporary stack-allocated structure is used to provide a place to 240 * build enough context to allow the user provided memory allocator (if any) 241 * to be called. 242 */ 243 memset(&create_struct, 0, (sizeof create_struct)); 244 245 /* Added at libpng-1.2.6 */ 246# ifdef PNG_USER_LIMITS_SUPPORTED 247 create_struct.user_width_max = PNG_USER_WIDTH_MAX; 248 create_struct.user_height_max = PNG_USER_HEIGHT_MAX; 249 250# ifdef PNG_USER_CHUNK_CACHE_MAX 251 /* Added at libpng-1.2.43 and 1.4.0 */ 252 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX; 253# endif 254 255# ifdef PNG_USER_CHUNK_MALLOC_MAX 256 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists 257 * in png_struct regardless. 258 */ 259 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX; 260# endif 261# endif 262 263 /* The following two API calls simply set fields in png_struct, so it is safe 264 * to do them now even though error handling is not yet set up. 265 */ 266# ifdef PNG_USER_MEM_SUPPORTED 267 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn); 268# else 269 PNG_UNUSED(mem_ptr) 270 PNG_UNUSED(malloc_fn) 271 PNG_UNUSED(free_fn) 272# endif 273 274 /* (*error_fn) can return control to the caller after the error_ptr is set, 275 * this will result in a memory leak unless the error_fn does something 276 * extremely sophisticated. The design lacks merit but is implicit in the 277 * API. 278 */ 279 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn); 280 281# ifdef PNG_SETJMP_SUPPORTED 282 if (!setjmp(create_jmp_buf)) 283# endif 284 { 285# ifdef PNG_SETJMP_SUPPORTED 286 /* Temporarily fake out the longjmp information until we have 287 * successfully completed this function. This only works if we have 288 * setjmp() support compiled in, but it is safe - this stuff should 289 * never happen. 290 */ 291 create_struct.jmp_buf_ptr = &create_jmp_buf; 292 create_struct.jmp_buf_size = 0; /*stack allocation*/ 293 create_struct.longjmp_fn = longjmp; 294# endif 295 /* Call the general version checker (shared with read and write code): 296 */ 297 if (png_user_version_check(&create_struct, user_png_ver) != 0) 298 { 299 png_structrp png_ptr = png_voidcast(png_structrp, 300 png_malloc_warn(&create_struct, (sizeof *png_ptr))); 301 302 if (png_ptr != NULL) 303 { 304 /* png_ptr->zstream holds a back-pointer to the png_struct, so 305 * this can only be done now: 306 */ 307 create_struct.zstream.zalloc = png_zalloc; 308 create_struct.zstream.zfree = png_zfree; 309 create_struct.zstream.opaque = png_ptr; 310 311# ifdef PNG_SETJMP_SUPPORTED 312 /* Eliminate the local error handling: */ 313 create_struct.jmp_buf_ptr = NULL; 314 create_struct.jmp_buf_size = 0; 315 create_struct.longjmp_fn = 0; 316# endif 317 318 *png_ptr = create_struct; 319 320 /* This is the successful return point */ 321 return png_ptr; 322 } 323 } 324 } 325 326 /* A longjmp because of a bug in the application storage allocator or a 327 * simple failure to allocate the png_struct. 328 */ 329 return NULL; 330} 331 332/* Allocate the memory for an info_struct for the application. */ 333PNG_FUNCTION(png_infop,PNGAPI 334png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED) 335{ 336 png_inforp info_ptr; 337 338 png_debug(1, "in png_create_info_struct"); 339 340 if (png_ptr == NULL) 341 return NULL; 342 343 /* Use the internal API that does not (or at least should not) error out, so 344 * that this call always returns ok. The application typically sets up the 345 * error handling *after* creating the info_struct because this is the way it 346 * has always been done in 'example.c'. 347 */ 348 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr, 349 (sizeof *info_ptr))); 350 351 if (info_ptr != NULL) 352 memset(info_ptr, 0, (sizeof *info_ptr)); 353 354 return info_ptr; 355} 356 357/* This function frees the memory associated with a single info struct. 358 * Normally, one would use either png_destroy_read_struct() or 359 * png_destroy_write_struct() to free an info struct, but this may be 360 * useful for some applications. From libpng 1.6.0 this function is also used 361 * internally to implement the png_info release part of the 'struct' destroy 362 * APIs. This ensures that all possible approaches free the same data (all of 363 * it). 364 */ 365void PNGAPI 366png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr) 367{ 368 png_inforp info_ptr = NULL; 369 370 png_debug(1, "in png_destroy_info_struct"); 371 372 if (png_ptr == NULL) 373 return; 374 375 if (info_ptr_ptr != NULL) 376 info_ptr = *info_ptr_ptr; 377 378 if (info_ptr != NULL) 379 { 380 /* Do this first in case of an error below; if the app implements its own 381 * memory management this can lead to png_free calling png_error, which 382 * will abort this routine and return control to the app error handler. 383 * An infinite loop may result if it then tries to free the same info 384 * ptr. 385 */ 386 *info_ptr_ptr = NULL; 387 388 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1); 389 memset(info_ptr, 0, (sizeof *info_ptr)); 390 png_free(png_ptr, info_ptr); 391 } 392} 393 394/* Initialize the info structure. This is now an internal function (0.89) 395 * and applications using it are urged to use png_create_info_struct() 396 * instead. Use deprecated in 1.6.0, internal use removed (used internally it 397 * is just a memset). 398 * 399 * NOTE: it is almost inconceivable that this API is used because it bypasses 400 * the user-memory mechanism and the user error handling/warning mechanisms in 401 * those cases where it does anything other than a memset. 402 */ 403PNG_FUNCTION(void,PNGAPI 404png_info_init_3,(png_infopp ptr_ptr, png_size_t png_info_struct_size), 405 PNG_DEPRECATED) 406{ 407 png_inforp info_ptr = *ptr_ptr; 408 409 png_debug(1, "in png_info_init_3"); 410 411 if (info_ptr == NULL) 412 return; 413 414 if ((sizeof (png_info)) > png_info_struct_size) 415 { 416 *ptr_ptr = NULL; 417 /* The following line is why this API should not be used: */ 418 free(info_ptr); 419 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL, 420 (sizeof *info_ptr))); 421 if (info_ptr == NULL) 422 return; 423 *ptr_ptr = info_ptr; 424 } 425 426 /* Set everything to 0 */ 427 memset(info_ptr, 0, (sizeof *info_ptr)); 428} 429 430/* The following API is not called internally */ 431void PNGAPI 432png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr, 433 int freer, png_uint_32 mask) 434{ 435 png_debug(1, "in png_data_freer"); 436 437 if (png_ptr == NULL || info_ptr == NULL) 438 return; 439 440 if (freer == PNG_DESTROY_WILL_FREE_DATA) 441 info_ptr->free_me |= mask; 442 443 else if (freer == PNG_USER_WILL_FREE_DATA) 444 info_ptr->free_me &= ~mask; 445 446 else 447 png_error(png_ptr, "Unknown freer parameter in png_data_freer"); 448} 449 450void PNGAPI 451png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask, 452 int num) 453{ 454 png_debug(1, "in png_free_data"); 455 456 if (png_ptr == NULL || info_ptr == NULL) 457 return; 458 459#ifdef PNG_TEXT_SUPPORTED 460 /* Free text item num or (if num == -1) all text items */ 461 if (info_ptr->text != 0 && 462 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0) 463 { 464 if (num != -1) 465 { 466 png_free(png_ptr, info_ptr->text[num].key); 467 info_ptr->text[num].key = NULL; 468 } 469 470 else 471 { 472 int i; 473 474 for (i = 0; i < info_ptr->num_text; i++) 475 png_free(png_ptr, info_ptr->text[i].key); 476 477 png_free(png_ptr, info_ptr->text); 478 info_ptr->text = NULL; 479 info_ptr->num_text = 0; 480 } 481 } 482#endif 483 484#ifdef PNG_tRNS_SUPPORTED 485 /* Free any tRNS entry */ 486 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0) 487 { 488 info_ptr->valid &= ~PNG_INFO_tRNS; 489 png_free(png_ptr, info_ptr->trans_alpha); 490 info_ptr->trans_alpha = NULL; 491 info_ptr->num_trans = 0; 492 } 493#endif 494 495#ifdef PNG_sCAL_SUPPORTED 496 /* Free any sCAL entry */ 497 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0) 498 { 499 png_free(png_ptr, info_ptr->scal_s_width); 500 png_free(png_ptr, info_ptr->scal_s_height); 501 info_ptr->scal_s_width = NULL; 502 info_ptr->scal_s_height = NULL; 503 info_ptr->valid &= ~PNG_INFO_sCAL; 504 } 505#endif 506 507#ifdef PNG_pCAL_SUPPORTED 508 /* Free any pCAL entry */ 509 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0) 510 { 511 png_free(png_ptr, info_ptr->pcal_purpose); 512 png_free(png_ptr, info_ptr->pcal_units); 513 info_ptr->pcal_purpose = NULL; 514 info_ptr->pcal_units = NULL; 515 516 if (info_ptr->pcal_params != NULL) 517 { 518 int i; 519 520 for (i = 0; i < info_ptr->pcal_nparams; i++) 521 png_free(png_ptr, info_ptr->pcal_params[i]); 522 523 png_free(png_ptr, info_ptr->pcal_params); 524 info_ptr->pcal_params = NULL; 525 } 526 info_ptr->valid &= ~PNG_INFO_pCAL; 527 } 528#endif 529 530#ifdef PNG_iCCP_SUPPORTED 531 /* Free any profile entry */ 532 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0) 533 { 534 png_free(png_ptr, info_ptr->iccp_name); 535 png_free(png_ptr, info_ptr->iccp_profile); 536 info_ptr->iccp_name = NULL; 537 info_ptr->iccp_profile = NULL; 538 info_ptr->valid &= ~PNG_INFO_iCCP; 539 } 540#endif 541 542#ifdef PNG_sPLT_SUPPORTED 543 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */ 544 if (info_ptr->splt_palettes != 0 && 545 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0) 546 { 547 if (num != -1) 548 { 549 png_free(png_ptr, info_ptr->splt_palettes[num].name); 550 png_free(png_ptr, info_ptr->splt_palettes[num].entries); 551 info_ptr->splt_palettes[num].name = NULL; 552 info_ptr->splt_palettes[num].entries = NULL; 553 } 554 555 else 556 { 557 int i; 558 559 for (i = 0; i < info_ptr->splt_palettes_num; i++) 560 { 561 png_free(png_ptr, info_ptr->splt_palettes[i].name); 562 png_free(png_ptr, info_ptr->splt_palettes[i].entries); 563 } 564 565 png_free(png_ptr, info_ptr->splt_palettes); 566 info_ptr->splt_palettes = NULL; 567 info_ptr->splt_palettes_num = 0; 568 info_ptr->valid &= ~PNG_INFO_sPLT; 569 } 570 } 571#endif 572 573#ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED 574 if (info_ptr->unknown_chunks != 0 && 575 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0) 576 { 577 if (num != -1) 578 { 579 png_free(png_ptr, info_ptr->unknown_chunks[num].data); 580 info_ptr->unknown_chunks[num].data = NULL; 581 } 582 583 else 584 { 585 int i; 586 587 for (i = 0; i < info_ptr->unknown_chunks_num; i++) 588 png_free(png_ptr, info_ptr->unknown_chunks[i].data); 589 590 png_free(png_ptr, info_ptr->unknown_chunks); 591 info_ptr->unknown_chunks = NULL; 592 info_ptr->unknown_chunks_num = 0; 593 } 594 } 595#endif 596 597#ifdef PNG_hIST_SUPPORTED 598 /* Free any hIST entry */ 599 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0) 600 { 601 png_free(png_ptr, info_ptr->hist); 602 info_ptr->hist = NULL; 603 info_ptr->valid &= ~PNG_INFO_hIST; 604 } 605#endif 606 607 /* Free any PLTE entry that was internally allocated */ 608 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0) 609 { 610 png_free(png_ptr, info_ptr->palette); 611 info_ptr->palette = NULL; 612 info_ptr->valid &= ~PNG_INFO_PLTE; 613 info_ptr->num_palette = 0; 614 } 615 616#ifdef PNG_INFO_IMAGE_SUPPORTED 617 /* Free any image bits attached to the info structure */ 618 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0) 619 { 620 if (info_ptr->row_pointers != 0) 621 { 622 png_uint_32 row; 623 for (row = 0; row < info_ptr->height; row++) 624 png_free(png_ptr, info_ptr->row_pointers[row]); 625 626 png_free(png_ptr, info_ptr->row_pointers); 627 info_ptr->row_pointers = NULL; 628 } 629 info_ptr->valid &= ~PNG_INFO_IDAT; 630 } 631#endif 632 633 if (num != -1) 634 mask &= ~PNG_FREE_MUL; 635 636 info_ptr->free_me &= ~mask; 637} 638#endif /* READ || WRITE */ 639 640/* This function returns a pointer to the io_ptr associated with the user 641 * functions. The application should free any memory associated with this 642 * pointer before png_write_destroy() or png_read_destroy() are called. 643 */ 644png_voidp PNGAPI 645png_get_io_ptr(png_const_structrp png_ptr) 646{ 647 if (png_ptr == NULL) 648 return (NULL); 649 650 return (png_ptr->io_ptr); 651} 652 653#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 654# ifdef PNG_STDIO_SUPPORTED 655/* Initialize the default input/output functions for the PNG file. If you 656 * use your own read or write routines, you can call either png_set_read_fn() 657 * or png_set_write_fn() instead of png_init_io(). If you have defined 658 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a 659 * function of your own because "FILE *" isn't necessarily available. 660 */ 661void PNGAPI 662png_init_io(png_structrp png_ptr, png_FILE_p fp) 663{ 664 png_debug(1, "in png_init_io"); 665 666 if (png_ptr == NULL) 667 return; 668 669 png_ptr->io_ptr = (png_voidp)fp; 670} 671# endif 672 673# ifdef PNG_SAVE_INT_32_SUPPORTED 674/* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90 675 * defines a cast of a signed integer to an unsigned integer either to preserve 676 * the value, if it is positive, or to calculate: 677 * 678 * (UNSIGNED_MAX+1) + integer 679 * 680 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the 681 * negative integral value is added the result will be an unsigned value 682 * correspnding to the 2's complement representation. 683 */ 684void PNGAPI 685png_save_int_32(png_bytep buf, png_int_32 i) 686{ 687 png_save_uint_32(buf, i); 688} 689# endif 690 691# ifdef PNG_TIME_RFC1123_SUPPORTED 692/* Convert the supplied time into an RFC 1123 string suitable for use in 693 * a "Creation Time" or other text-based time string. 694 */ 695int PNGAPI 696png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime) 697{ 698 static PNG_CONST char short_months[12][4] = 699 {"Jan", "Feb", "Mar", "Apr", "May", "Jun", 700 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}; 701 702 if (out == NULL) 703 return 0; 704 705 if (ptime->year > 9999 /* RFC1123 limitation */ || 706 ptime->month == 0 || ptime->month > 12 || 707 ptime->day == 0 || ptime->day > 31 || 708 ptime->hour > 23 || ptime->minute > 59 || 709 ptime->second > 60) 710 return 0; 711 712 { 713 size_t pos = 0; 714 char number_buf[5]; /* enough for a four-digit year */ 715 716# define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string)) 717# define APPEND_NUMBER(format, value)\ 718 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value))) 719# define APPEND(ch) if (pos < 28) out[pos++] = (ch) 720 721 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day); 722 APPEND(' '); 723 APPEND_STRING(short_months[(ptime->month - 1)]); 724 APPEND(' '); 725 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year); 726 APPEND(' '); 727 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour); 728 APPEND(':'); 729 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute); 730 APPEND(':'); 731 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second); 732 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */ 733 PNG_UNUSED (pos) 734 735# undef APPEND 736# undef APPEND_NUMBER 737# undef APPEND_STRING 738 } 739 740 return 1; 741} 742 743# if PNG_LIBPNG_VER < 10700 744/* To do: remove the following from libpng-1.7 */ 745/* Original API that uses a private buffer in png_struct. 746 * Deprecated because it causes png_struct to carry a spurious temporary 747 * buffer (png_struct::time_buffer), better to have the caller pass this in. 748 */ 749png_const_charp PNGAPI 750png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime) 751{ 752 if (png_ptr != NULL) 753 { 754 /* The only failure above if png_ptr != NULL is from an invalid ptime */ 755 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0) 756 png_warning(png_ptr, "Ignoring invalid time value"); 757 758 else 759 return png_ptr->time_buffer; 760 } 761 762 return NULL; 763} 764# endif /* LIBPNG_VER < 10700 */ 765# endif /* TIME_RFC1123 */ 766 767#endif /* READ || WRITE */ 768 769png_const_charp PNGAPI 770png_get_copyright(png_const_structrp png_ptr) 771{ 772 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 773#ifdef PNG_STRING_COPYRIGHT 774 return PNG_STRING_COPYRIGHT 775#else 776# ifdef __STDC__ 777 return PNG_STRING_NEWLINE \ 778 "libpng version 1.6.19 - November 12, 2015" PNG_STRING_NEWLINE \ 779 "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \ 780 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ 781 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ 782 PNG_STRING_NEWLINE; 783# else 784 return "libpng version 1.6.19 - November 12, 2015\ 785 Copyright (c) 1998-2015 Glenn Randers-Pehrson\ 786 Copyright (c) 1996-1997 Andreas Dilger\ 787 Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."; 788# endif 789#endif 790} 791 792/* The following return the library version as a short string in the 793 * format 1.0.0 through 99.99.99zz. To get the version of *.h files 794 * used with your application, print out PNG_LIBPNG_VER_STRING, which 795 * is defined in png.h. 796 * Note: now there is no difference between png_get_libpng_ver() and 797 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard, 798 * it is guaranteed that png.c uses the correct version of png.h. 799 */ 800png_const_charp PNGAPI 801png_get_libpng_ver(png_const_structrp png_ptr) 802{ 803 /* Version of *.c files used when building libpng */ 804 return png_get_header_ver(png_ptr); 805} 806 807png_const_charp PNGAPI 808png_get_header_ver(png_const_structrp png_ptr) 809{ 810 /* Version of *.h files used when building libpng */ 811 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 812 return PNG_LIBPNG_VER_STRING; 813} 814 815png_const_charp PNGAPI 816png_get_header_version(png_const_structrp png_ptr) 817{ 818 /* Returns longer string containing both version and date */ 819 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */ 820#ifdef __STDC__ 821 return PNG_HEADER_VERSION_STRING 822# ifndef PNG_READ_SUPPORTED 823 " (NO READ SUPPORT)" 824# endif 825 PNG_STRING_NEWLINE; 826#else 827 return PNG_HEADER_VERSION_STRING; 828#endif 829} 830 831#ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED 832/* NOTE: this routine is not used internally! */ 833/* Build a grayscale palette. Palette is assumed to be 1 << bit_depth 834 * large of png_color. This lets grayscale images be treated as 835 * paletted. Most useful for gamma correction and simplification 836 * of code. This API is not used internally. 837 */ 838void PNGAPI 839png_build_grayscale_palette(int bit_depth, png_colorp palette) 840{ 841 int num_palette; 842 int color_inc; 843 int i; 844 int v; 845 846 png_debug(1, "in png_do_build_grayscale_palette"); 847 848 if (palette == NULL) 849 return; 850 851 switch (bit_depth) 852 { 853 case 1: 854 num_palette = 2; 855 color_inc = 0xff; 856 break; 857 858 case 2: 859 num_palette = 4; 860 color_inc = 0x55; 861 break; 862 863 case 4: 864 num_palette = 16; 865 color_inc = 0x11; 866 break; 867 868 case 8: 869 num_palette = 256; 870 color_inc = 1; 871 break; 872 873 default: 874 num_palette = 0; 875 color_inc = 0; 876 break; 877 } 878 879 for (i = 0, v = 0; i < num_palette; i++, v += color_inc) 880 { 881 palette[i].red = (png_byte)(v & 0xff); 882 palette[i].green = (png_byte)(v & 0xff); 883 palette[i].blue = (png_byte)(v & 0xff); 884 } 885} 886#endif 887 888#ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED 889int PNGAPI 890png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name) 891{ 892 /* Check chunk_name and return "keep" value if it's on the list, else 0 */ 893 png_const_bytep p, p_end; 894 895 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0) 896 return PNG_HANDLE_CHUNK_AS_DEFAULT; 897 898 p_end = png_ptr->chunk_list; 899 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */ 900 901 /* The code is the fifth byte after each four byte string. Historically this 902 * code was always searched from the end of the list, this is no longer 903 * necessary because the 'set' routine handles duplicate entries correcty. 904 */ 905 do /* num_chunk_list > 0, so at least one */ 906 { 907 p -= 5; 908 909 if (memcmp(chunk_name, p, 4) == 0) 910 return p[4]; 911 } 912 while (p > p_end); 913 914 /* This means that known chunks should be processed and unknown chunks should 915 * be handled according to the value of png_ptr->unknown_default; this can be 916 * confusing because, as a result, there are two levels of defaulting for 917 * unknown chunks. 918 */ 919 return PNG_HANDLE_CHUNK_AS_DEFAULT; 920} 921 922#if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\ 923 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED) 924int /* PRIVATE */ 925png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name) 926{ 927 png_byte chunk_string[5]; 928 929 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name); 930 return png_handle_as_unknown(png_ptr, chunk_string); 931} 932#endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */ 933#endif /* SET_UNKNOWN_CHUNKS */ 934 935#ifdef PNG_READ_SUPPORTED 936/* This function, added to libpng-1.0.6g, is untested. */ 937int PNGAPI 938png_reset_zstream(png_structrp png_ptr) 939{ 940 if (png_ptr == NULL) 941 return Z_STREAM_ERROR; 942 943 /* WARNING: this resets the window bits to the maximum! */ 944 return (inflateReset(&png_ptr->zstream)); 945} 946#endif /* READ */ 947 948/* This function was added to libpng-1.0.7 */ 949png_uint_32 PNGAPI 950png_access_version_number(void) 951{ 952 /* Version of *.c files used when building libpng */ 953 return((png_uint_32)PNG_LIBPNG_VER); 954} 955 956#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) 957/* Ensure that png_ptr->zstream.msg holds some appropriate error message string. 958 * If it doesn't 'ret' is used to set it to something appropriate, even in cases 959 * like Z_OK or Z_STREAM_END where the error code is apparently a success code. 960 */ 961void /* PRIVATE */ 962png_zstream_error(png_structrp png_ptr, int ret) 963{ 964 /* Translate 'ret' into an appropriate error string, priority is given to the 965 * one in zstream if set. This always returns a string, even in cases like 966 * Z_OK or Z_STREAM_END where the error code is a success code. 967 */ 968 if (png_ptr->zstream.msg == NULL) switch (ret) 969 { 970 default: 971 case Z_OK: 972 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code"); 973 break; 974 975 case Z_STREAM_END: 976 /* Normal exit */ 977 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream"); 978 break; 979 980 case Z_NEED_DICT: 981 /* This means the deflate stream did not have a dictionary; this 982 * indicates a bogus PNG. 983 */ 984 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary"); 985 break; 986 987 case Z_ERRNO: 988 /* gz APIs only: should not happen */ 989 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error"); 990 break; 991 992 case Z_STREAM_ERROR: 993 /* internal libpng error */ 994 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib"); 995 break; 996 997 case Z_DATA_ERROR: 998 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream"); 999 break; 1000 1001 case Z_MEM_ERROR: 1002 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory"); 1003 break; 1004 1005 case Z_BUF_ERROR: 1006 /* End of input or output; not a problem if the caller is doing 1007 * incremental read or write. 1008 */ 1009 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated"); 1010 break; 1011 1012 case Z_VERSION_ERROR: 1013 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version"); 1014 break; 1015 1016 case PNG_UNEXPECTED_ZLIB_RETURN: 1017 /* Compile errors here mean that zlib now uses the value co-opted in 1018 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above 1019 * and change pngpriv.h. Note that this message is "... return", 1020 * whereas the default/Z_OK one is "... return code". 1021 */ 1022 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return"); 1023 break; 1024 } 1025} 1026 1027/* png_convert_size: a PNGAPI but no longer in png.h, so deleted 1028 * at libpng 1.5.5! 1029 */ 1030 1031/* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */ 1032#ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */ 1033static int 1034png_colorspace_check_gamma(png_const_structrp png_ptr, 1035 png_colorspacerp colorspace, png_fixed_point gAMA, int from) 1036 /* This is called to check a new gamma value against an existing one. The 1037 * routine returns false if the new gamma value should not be written. 1038 * 1039 * 'from' says where the new gamma value comes from: 1040 * 1041 * 0: the new gamma value is the libpng estimate for an ICC profile 1042 * 1: the new gamma value comes from a gAMA chunk 1043 * 2: the new gamma value comes from an sRGB chunk 1044 */ 1045{ 1046 png_fixed_point gtest; 1047 1048 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 && 1049 (png_muldiv(>est, colorspace->gamma, PNG_FP_1, gAMA) == 0 || 1050 png_gamma_significant(gtest) != 0)) 1051 { 1052 /* Either this is an sRGB image, in which case the calculated gamma 1053 * approximation should match, or this is an image with a profile and the 1054 * value libpng calculates for the gamma of the profile does not match the 1055 * value recorded in the file. The former, sRGB, case is an error, the 1056 * latter is just a warning. 1057 */ 1058 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2) 1059 { 1060 png_chunk_report(png_ptr, "gamma value does not match sRGB", 1061 PNG_CHUNK_ERROR); 1062 /* Do not overwrite an sRGB value */ 1063 return from == 2; 1064 } 1065 1066 else /* sRGB tag not involved */ 1067 { 1068 png_chunk_report(png_ptr, "gamma value does not match libpng estimate", 1069 PNG_CHUNK_WARNING); 1070 return from == 1; 1071 } 1072 } 1073 1074 return 1; 1075} 1076 1077void /* PRIVATE */ 1078png_colorspace_set_gamma(png_const_structrp png_ptr, 1079 png_colorspacerp colorspace, png_fixed_point gAMA) 1080{ 1081 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't 1082 * occur. Since the fixed point representation is asymetrical it is 1083 * possible for 1/gamma to overflow the limit of 21474 and this means the 1084 * gamma value must be at least 5/100000 and hence at most 20000.0. For 1085 * safety the limits here are a little narrower. The values are 0.00016 to 1086 * 6250.0, which are truly ridiculous gamma values (and will produce 1087 * displays that are all black or all white.) 1088 * 1089 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk 1090 * handling code, which only required the value to be >0. 1091 */ 1092 png_const_charp errmsg; 1093 1094 if (gAMA < 16 || gAMA > 625000000) 1095 errmsg = "gamma value out of range"; 1096 1097# ifdef PNG_READ_gAMA_SUPPORTED 1098 /* Allow the application to set the gamma value more than once */ 1099 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 && 1100 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0) 1101 errmsg = "duplicate"; 1102# endif 1103 1104 /* Do nothing if the colorspace is already invalid */ 1105 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1106 return; 1107 1108 else 1109 { 1110 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA, 1111 1/*from gAMA*/) != 0) 1112 { 1113 /* Store this gamma value. */ 1114 colorspace->gamma = gAMA; 1115 colorspace->flags |= 1116 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA); 1117 } 1118 1119 /* At present if the check_gamma test fails the gamma of the colorspace is 1120 * not updated however the colorspace is not invalidated. This 1121 * corresponds to the case where the existing gamma comes from an sRGB 1122 * chunk or profile. An error message has already been output. 1123 */ 1124 return; 1125 } 1126 1127 /* Error exit - errmsg has been set. */ 1128 colorspace->flags |= PNG_COLORSPACE_INVALID; 1129 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR); 1130} 1131 1132void /* PRIVATE */ 1133png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr) 1134{ 1135 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0) 1136 { 1137 /* Everything is invalid */ 1138 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB| 1139 PNG_INFO_iCCP); 1140 1141# ifdef PNG_COLORSPACE_SUPPORTED 1142 /* Clean up the iCCP profile now if it won't be used. */ 1143 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/); 1144# else 1145 PNG_UNUSED(png_ptr) 1146# endif 1147 } 1148 1149 else 1150 { 1151# ifdef PNG_COLORSPACE_SUPPORTED 1152 /* Leave the INFO_iCCP flag set if the pngset.c code has already set 1153 * it; this allows a PNG to contain a profile which matches sRGB and 1154 * yet still have that profile retrievable by the application. 1155 */ 1156 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0) 1157 info_ptr->valid |= PNG_INFO_sRGB; 1158 1159 else 1160 info_ptr->valid &= ~PNG_INFO_sRGB; 1161 1162 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 1163 info_ptr->valid |= PNG_INFO_cHRM; 1164 1165 else 1166 info_ptr->valid &= ~PNG_INFO_cHRM; 1167# endif 1168 1169 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0) 1170 info_ptr->valid |= PNG_INFO_gAMA; 1171 1172 else 1173 info_ptr->valid &= ~PNG_INFO_gAMA; 1174 } 1175} 1176 1177#ifdef PNG_READ_SUPPORTED 1178void /* PRIVATE */ 1179png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr) 1180{ 1181 if (info_ptr == NULL) /* reduce code size; check here not in the caller */ 1182 return; 1183 1184 info_ptr->colorspace = png_ptr->colorspace; 1185 png_colorspace_sync_info(png_ptr, info_ptr); 1186} 1187#endif 1188#endif /* GAMMA */ 1189 1190#ifdef PNG_COLORSPACE_SUPPORTED 1191/* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for 1192 * cHRM, as opposed to using chromaticities. These internal APIs return 1193 * non-zero on a parameter error. The X, Y and Z values are required to be 1194 * positive and less than 1.0. 1195 */ 1196static int 1197png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ) 1198{ 1199 png_int_32 d, dwhite, whiteX, whiteY; 1200 1201 d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z; 1202 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0) 1203 return 1; 1204 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0) 1205 return 1; 1206 dwhite = d; 1207 whiteX = XYZ->red_X; 1208 whiteY = XYZ->red_Y; 1209 1210 d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z; 1211 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0) 1212 return 1; 1213 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0) 1214 return 1; 1215 dwhite += d; 1216 whiteX += XYZ->green_X; 1217 whiteY += XYZ->green_Y; 1218 1219 d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z; 1220 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0) 1221 return 1; 1222 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0) 1223 return 1; 1224 dwhite += d; 1225 whiteX += XYZ->blue_X; 1226 whiteY += XYZ->blue_Y; 1227 1228 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors, 1229 * thus: 1230 */ 1231 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0) 1232 return 1; 1233 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0) 1234 return 1; 1235 1236 return 0; 1237} 1238 1239static int 1240png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy) 1241{ 1242 png_fixed_point red_inverse, green_inverse, blue_scale; 1243 png_fixed_point left, right, denominator; 1244 1245 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically 1246 * have end points with 0 tristimulus values (these are impossible end 1247 * points, but they are used to cover the possible colors). We check 1248 * xy->whitey against 5, not 0, to avoid a possible integer overflow. 1249 */ 1250 if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1; 1251 if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1; 1252 if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1; 1253 if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1; 1254 if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1; 1255 if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1; 1256 if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1; 1257 if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1; 1258 1259 /* The reverse calculation is more difficult because the original tristimulus 1260 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8 1261 * derived values were recorded in the cHRM chunk; 1262 * (red,green,blue,white)x(x,y). This loses one degree of freedom and 1263 * therefore an arbitrary ninth value has to be introduced to undo the 1264 * original transformations. 1265 * 1266 * Think of the original end-points as points in (X,Y,Z) space. The 1267 * chromaticity values (c) have the property: 1268 * 1269 * C 1270 * c = --------- 1271 * X + Y + Z 1272 * 1273 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the 1274 * three chromaticity values (x,y,z) for each end-point obey the 1275 * relationship: 1276 * 1277 * x + y + z = 1 1278 * 1279 * This describes the plane in (X,Y,Z) space that intersects each axis at the 1280 * value 1.0; call this the chromaticity plane. Thus the chromaticity 1281 * calculation has scaled each end-point so that it is on the x+y+z=1 plane 1282 * and chromaticity is the intersection of the vector from the origin to the 1283 * (X,Y,Z) value with the chromaticity plane. 1284 * 1285 * To fully invert the chromaticity calculation we would need the three 1286 * end-point scale factors, (red-scale, green-scale, blue-scale), but these 1287 * were not recorded. Instead we calculated the reference white (X,Y,Z) and 1288 * recorded the chromaticity of this. The reference white (X,Y,Z) would have 1289 * given all three of the scale factors since: 1290 * 1291 * color-C = color-c * color-scale 1292 * white-C = red-C + green-C + blue-C 1293 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale 1294 * 1295 * But cHRM records only white-x and white-y, so we have lost the white scale 1296 * factor: 1297 * 1298 * white-C = white-c*white-scale 1299 * 1300 * To handle this the inverse transformation makes an arbitrary assumption 1301 * about white-scale: 1302 * 1303 * Assume: white-Y = 1.0 1304 * Hence: white-scale = 1/white-y 1305 * Or: red-Y + green-Y + blue-Y = 1.0 1306 * 1307 * Notice the last statement of the assumption gives an equation in three of 1308 * the nine values we want to calculate. 8 more equations come from the 1309 * above routine as summarised at the top above (the chromaticity 1310 * calculation): 1311 * 1312 * Given: color-x = color-X / (color-X + color-Y + color-Z) 1313 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0 1314 * 1315 * This is 9 simultaneous equations in the 9 variables "color-C" and can be 1316 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix 1317 * determinants, however this is not as bad as it seems because only 28 of 1318 * the total of 90 terms in the various matrices are non-zero. Nevertheless 1319 * Cramer's rule is notoriously numerically unstable because the determinant 1320 * calculation involves the difference of large, but similar, numbers. It is 1321 * difficult to be sure that the calculation is stable for real world values 1322 * and it is certain that it becomes unstable where the end points are close 1323 * together. 1324 * 1325 * So this code uses the perhaps slightly less optimal but more 1326 * understandable and totally obvious approach of calculating color-scale. 1327 * 1328 * This algorithm depends on the precision in white-scale and that is 1329 * (1/white-y), so we can immediately see that as white-y approaches 0 the 1330 * accuracy inherent in the cHRM chunk drops off substantially. 1331 * 1332 * libpng arithmetic: a simple inversion of the above equations 1333 * ------------------------------------------------------------ 1334 * 1335 * white_scale = 1/white-y 1336 * white-X = white-x * white-scale 1337 * white-Y = 1.0 1338 * white-Z = (1 - white-x - white-y) * white_scale 1339 * 1340 * white-C = red-C + green-C + blue-C 1341 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale 1342 * 1343 * This gives us three equations in (red-scale,green-scale,blue-scale) where 1344 * all the coefficients are now known: 1345 * 1346 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale 1347 * = white-x/white-y 1348 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1 1349 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale 1350 * = (1 - white-x - white-y)/white-y 1351 * 1352 * In the last equation color-z is (1 - color-x - color-y) so we can add all 1353 * three equations together to get an alternative third: 1354 * 1355 * red-scale + green-scale + blue-scale = 1/white-y = white-scale 1356 * 1357 * So now we have a Cramer's rule solution where the determinants are just 1358 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve 1359 * multiplication of three coefficients so we can't guarantee to avoid 1360 * overflow in the libpng fixed point representation. Using Cramer's rule in 1361 * floating point is probably a good choice here, but it's not an option for 1362 * fixed point. Instead proceed to simplify the first two equations by 1363 * eliminating what is likely to be the largest value, blue-scale: 1364 * 1365 * blue-scale = white-scale - red-scale - green-scale 1366 * 1367 * Hence: 1368 * 1369 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale = 1370 * (white-x - blue-x)*white-scale 1371 * 1372 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale = 1373 * 1 - blue-y*white-scale 1374 * 1375 * And now we can trivially solve for (red-scale,green-scale): 1376 * 1377 * green-scale = 1378 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale 1379 * ----------------------------------------------------------- 1380 * green-x - blue-x 1381 * 1382 * red-scale = 1383 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale 1384 * --------------------------------------------------------- 1385 * red-y - blue-y 1386 * 1387 * Hence: 1388 * 1389 * red-scale = 1390 * ( (green-x - blue-x) * (white-y - blue-y) - 1391 * (green-y - blue-y) * (white-x - blue-x) ) / white-y 1392 * ------------------------------------------------------------------------- 1393 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x) 1394 * 1395 * green-scale = 1396 * ( (red-y - blue-y) * (white-x - blue-x) - 1397 * (red-x - blue-x) * (white-y - blue-y) ) / white-y 1398 * ------------------------------------------------------------------------- 1399 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x) 1400 * 1401 * Accuracy: 1402 * The input values have 5 decimal digits of accuracy. The values are all in 1403 * the range 0 < value < 1, so simple products are in the same range but may 1404 * need up to 10 decimal digits to preserve the original precision and avoid 1405 * underflow. Because we are using a 32-bit signed representation we cannot 1406 * match this; the best is a little over 9 decimal digits, less than 10. 1407 * 1408 * The approach used here is to preserve the maximum precision within the 1409 * signed representation. Because the red-scale calculation above uses the 1410 * difference between two products of values that must be in the range -1..+1 1411 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The 1412 * factor is irrelevant in the calculation because it is applied to both 1413 * numerator and denominator. 1414 * 1415 * Note that the values of the differences of the products of the 1416 * chromaticities in the above equations tend to be small, for example for 1417 * the sRGB chromaticities they are: 1418 * 1419 * red numerator: -0.04751 1420 * green numerator: -0.08788 1421 * denominator: -0.2241 (without white-y multiplication) 1422 * 1423 * The resultant Y coefficients from the chromaticities of some widely used 1424 * color space definitions are (to 15 decimal places): 1425 * 1426 * sRGB 1427 * 0.212639005871510 0.715168678767756 0.072192315360734 1428 * Kodak ProPhoto 1429 * 0.288071128229293 0.711843217810102 0.000085653960605 1430 * Adobe RGB 1431 * 0.297344975250536 0.627363566255466 0.075291458493998 1432 * Adobe Wide Gamut RGB 1433 * 0.258728243040113 0.724682314948566 0.016589442011321 1434 */ 1435 /* By the argument, above overflow should be impossible here. The return 1436 * value of 2 indicates an internal error to the caller. 1437 */ 1438 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0) 1439 return 2; 1440 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0) 1441 return 2; 1442 denominator = left - right; 1443 1444 /* Now find the red numerator. */ 1445 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0) 1446 return 2; 1447 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0) 1448 return 2; 1449 1450 /* Overflow is possible here and it indicates an extreme set of PNG cHRM 1451 * chunk values. This calculation actually returns the reciprocal of the 1452 * scale value because this allows us to delay the multiplication of white-y 1453 * into the denominator, which tends to produce a small number. 1454 */ 1455 if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 || 1456 red_inverse <= xy->whitey /* r+g+b scales = white scale */) 1457 return 1; 1458 1459 /* Similarly for green_inverse: */ 1460 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0) 1461 return 2; 1462 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0) 1463 return 2; 1464 if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 || 1465 green_inverse <= xy->whitey) 1466 return 1; 1467 1468 /* And the blue scale, the checks above guarantee this can't overflow but it 1469 * can still produce 0 for extreme cHRM values. 1470 */ 1471 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) - 1472 png_reciprocal(green_inverse); 1473 if (blue_scale <= 0) 1474 return 1; 1475 1476 1477 /* And fill in the png_XYZ: */ 1478 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0) 1479 return 1; 1480 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0) 1481 return 1; 1482 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1, 1483 red_inverse) == 0) 1484 return 1; 1485 1486 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0) 1487 return 1; 1488 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0) 1489 return 1; 1490 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1, 1491 green_inverse) == 0) 1492 return 1; 1493 1494 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0) 1495 return 1; 1496 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0) 1497 return 1; 1498 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale, 1499 PNG_FP_1) == 0) 1500 return 1; 1501 1502 return 0; /*success*/ 1503} 1504 1505static int 1506png_XYZ_normalize(png_XYZ *XYZ) 1507{ 1508 png_int_32 Y; 1509 1510 if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 || 1511 XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 || 1512 XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0) 1513 return 1; 1514 1515 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1. 1516 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore 1517 * relying on addition of two positive values producing a negative one is not 1518 * safe. 1519 */ 1520 Y = XYZ->red_Y; 1521 if (0x7fffffff - Y < XYZ->green_X) 1522 return 1; 1523 Y += XYZ->green_Y; 1524 if (0x7fffffff - Y < XYZ->blue_X) 1525 return 1; 1526 Y += XYZ->blue_Y; 1527 1528 if (Y != PNG_FP_1) 1529 { 1530 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0) 1531 return 1; 1532 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0) 1533 return 1; 1534 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0) 1535 return 1; 1536 1537 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0) 1538 return 1; 1539 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0) 1540 return 1; 1541 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0) 1542 return 1; 1543 1544 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0) 1545 return 1; 1546 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0) 1547 return 1; 1548 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0) 1549 return 1; 1550 } 1551 1552 return 0; 1553} 1554 1555static int 1556png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta) 1557{ 1558 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */ 1559 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) || 1560 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) || 1561 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) || 1562 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) || 1563 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) || 1564 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) || 1565 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) || 1566 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta)) 1567 return 0; 1568 return 1; 1569} 1570 1571/* Added in libpng-1.6.0, a different check for the validity of a set of cHRM 1572 * chunk chromaticities. Earlier checks used to simply look for the overflow 1573 * condition (where the determinant of the matrix to solve for XYZ ends up zero 1574 * because the chromaticity values are not all distinct.) Despite this it is 1575 * theoretically possible to produce chromaticities that are apparently valid 1576 * but that rapidly degrade to invalid, potentially crashing, sets because of 1577 * arithmetic inaccuracies when calculations are performed on them. The new 1578 * check is to round-trip xy -> XYZ -> xy and then check that the result is 1579 * within a small percentage of the original. 1580 */ 1581static int 1582png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy) 1583{ 1584 int result; 1585 png_xy xy_test; 1586 1587 /* As a side-effect this routine also returns the XYZ endpoints. */ 1588 result = png_XYZ_from_xy(XYZ, xy); 1589 if (result != 0) 1590 return result; 1591 1592 result = png_xy_from_XYZ(&xy_test, XYZ); 1593 if (result != 0) 1594 return result; 1595 1596 if (png_colorspace_endpoints_match(xy, &xy_test, 1597 5/*actually, the math is pretty accurate*/) != 0) 1598 return 0; 1599 1600 /* Too much slip */ 1601 return 1; 1602} 1603 1604/* This is the check going the other way. The XYZ is modified to normalize it 1605 * (another side-effect) and the xy chromaticities are returned. 1606 */ 1607static int 1608png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ) 1609{ 1610 int result; 1611 png_XYZ XYZtemp; 1612 1613 result = png_XYZ_normalize(XYZ); 1614 if (result != 0) 1615 return result; 1616 1617 result = png_xy_from_XYZ(xy, XYZ); 1618 if (result != 0) 1619 return result; 1620 1621 XYZtemp = *XYZ; 1622 return png_colorspace_check_xy(&XYZtemp, xy); 1623} 1624 1625/* Used to check for an endpoint match against sRGB */ 1626static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */ 1627{ 1628 /* color x y */ 1629 /* red */ 64000, 33000, 1630 /* green */ 30000, 60000, 1631 /* blue */ 15000, 6000, 1632 /* white */ 31270, 32900 1633}; 1634 1635static int 1636png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr, 1637 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ, 1638 int preferred) 1639{ 1640 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1641 return 0; 1642 1643 /* The consistency check is performed on the chromaticities; this factors out 1644 * variations because of the normalization (or not) of the end point Y 1645 * values. 1646 */ 1647 if (preferred < 2 && 1648 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 1649 { 1650 /* The end points must be reasonably close to any we already have. The 1651 * following allows an error of up to +/-.001 1652 */ 1653 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy, 1654 100) == 0) 1655 { 1656 colorspace->flags |= PNG_COLORSPACE_INVALID; 1657 png_benign_error(png_ptr, "inconsistent chromaticities"); 1658 return 0; /* failed */ 1659 } 1660 1661 /* Only overwrite with preferred values */ 1662 if (preferred == 0) 1663 return 1; /* ok, but no change */ 1664 } 1665 1666 colorspace->end_points_xy = *xy; 1667 colorspace->end_points_XYZ = *XYZ; 1668 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS; 1669 1670 /* The end points are normally quoted to two decimal digits, so allow +/-0.01 1671 * on this test. 1672 */ 1673 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0) 1674 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB; 1675 1676 else 1677 colorspace->flags &= PNG_COLORSPACE_CANCEL( 1678 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB); 1679 1680 return 2; /* ok and changed */ 1681} 1682 1683int /* PRIVATE */ 1684png_colorspace_set_chromaticities(png_const_structrp png_ptr, 1685 png_colorspacerp colorspace, const png_xy *xy, int preferred) 1686{ 1687 /* We must check the end points to ensure they are reasonable - in the past 1688 * color management systems have crashed as a result of getting bogus 1689 * colorant values, while this isn't the fault of libpng it is the 1690 * responsibility of libpng because PNG carries the bomb and libpng is in a 1691 * position to protect against it. 1692 */ 1693 png_XYZ XYZ; 1694 1695 switch (png_colorspace_check_xy(&XYZ, xy)) 1696 { 1697 case 0: /* success */ 1698 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ, 1699 preferred); 1700 1701 case 1: 1702 /* We can't invert the chromaticities so we can't produce value XYZ 1703 * values. Likely as not a color management system will fail too. 1704 */ 1705 colorspace->flags |= PNG_COLORSPACE_INVALID; 1706 png_benign_error(png_ptr, "invalid chromaticities"); 1707 break; 1708 1709 default: 1710 /* libpng is broken; this should be a warning but if it happens we 1711 * want error reports so for the moment it is an error. 1712 */ 1713 colorspace->flags |= PNG_COLORSPACE_INVALID; 1714 png_error(png_ptr, "internal error checking chromaticities"); 1715 } 1716 1717 return 0; /* failed */ 1718} 1719 1720int /* PRIVATE */ 1721png_colorspace_set_endpoints(png_const_structrp png_ptr, 1722 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred) 1723{ 1724 png_XYZ XYZ = *XYZ_in; 1725 png_xy xy; 1726 1727 switch (png_colorspace_check_XYZ(&xy, &XYZ)) 1728 { 1729 case 0: 1730 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ, 1731 preferred); 1732 1733 case 1: 1734 /* End points are invalid. */ 1735 colorspace->flags |= PNG_COLORSPACE_INVALID; 1736 png_benign_error(png_ptr, "invalid end points"); 1737 break; 1738 1739 default: 1740 colorspace->flags |= PNG_COLORSPACE_INVALID; 1741 png_error(png_ptr, "internal error checking chromaticities"); 1742 } 1743 1744 return 0; /* failed */ 1745} 1746 1747#if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED) 1748/* Error message generation */ 1749static char 1750png_icc_tag_char(png_uint_32 byte) 1751{ 1752 byte &= 0xff; 1753 if (byte >= 32 && byte <= 126) 1754 return (char)byte; 1755 else 1756 return '?'; 1757} 1758 1759static void 1760png_icc_tag_name(char *name, png_uint_32 tag) 1761{ 1762 name[0] = '\''; 1763 name[1] = png_icc_tag_char(tag >> 24); 1764 name[2] = png_icc_tag_char(tag >> 16); 1765 name[3] = png_icc_tag_char(tag >> 8); 1766 name[4] = png_icc_tag_char(tag ); 1767 name[5] = '\''; 1768} 1769 1770static int 1771is_ICC_signature_char(png_alloc_size_t it) 1772{ 1773 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) || 1774 (it >= 97 && it <= 122); 1775} 1776 1777static int 1778is_ICC_signature(png_alloc_size_t it) 1779{ 1780 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ && 1781 is_ICC_signature_char((it >> 16) & 0xff) && 1782 is_ICC_signature_char((it >> 8) & 0xff) && 1783 is_ICC_signature_char(it & 0xff); 1784} 1785 1786static int 1787png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace, 1788 png_const_charp name, png_alloc_size_t value, png_const_charp reason) 1789{ 1790 size_t pos; 1791 char message[196]; /* see below for calculation */ 1792 1793 if (colorspace != NULL) 1794 colorspace->flags |= PNG_COLORSPACE_INVALID; 1795 1796 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */ 1797 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */ 1798 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */ 1799 if (is_ICC_signature(value) != 0) 1800 { 1801 /* So 'value' is at most 4 bytes and the following cast is safe */ 1802 png_icc_tag_name(message+pos, (png_uint_32)value); 1803 pos += 6; /* total +8; less than the else clause */ 1804 message[pos++] = ':'; 1805 message[pos++] = ' '; 1806 } 1807# ifdef PNG_WARNINGS_SUPPORTED 1808 else 1809 { 1810 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/ 1811 1812 pos = png_safecat(message, (sizeof message), pos, 1813 png_format_number(number, number+(sizeof number), 1814 PNG_NUMBER_FORMAT_x, value)); 1815 pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/ 1816 } 1817# endif 1818 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */ 1819 pos = png_safecat(message, (sizeof message), pos, reason); 1820 PNG_UNUSED(pos) 1821 1822 /* This is recoverable, but make it unconditionally an app_error on write to 1823 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them 1824 * on read, with a warning, but on write unless the app turns off 1825 * application errors the PNG won't be written.) 1826 */ 1827 png_chunk_report(png_ptr, message, 1828 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR); 1829 1830 return 0; 1831} 1832#endif /* sRGB || iCCP */ 1833 1834#ifdef PNG_sRGB_SUPPORTED 1835int /* PRIVATE */ 1836png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace, 1837 int intent) 1838{ 1839 /* sRGB sets known gamma, end points and (from the chunk) intent. */ 1840 /* IMPORTANT: these are not necessarily the values found in an ICC profile 1841 * because ICC profiles store values adapted to a D50 environment; it is 1842 * expected that the ICC profile mediaWhitePointTag will be D50; see the 1843 * checks and code elsewhere to understand this better. 1844 * 1845 * These XYZ values, which are accurate to 5dp, produce rgb to gray 1846 * coefficients of (6968,23435,2366), which are reduced (because they add up 1847 * to 32769 not 32768) to (6968,23434,2366). These are the values that 1848 * libpng has traditionally used (and are the best values given the 15bit 1849 * algorithm used by the rgb to gray code.) 1850 */ 1851 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */ 1852 { 1853 /* color X Y Z */ 1854 /* red */ 41239, 21264, 1933, 1855 /* green */ 35758, 71517, 11919, 1856 /* blue */ 18048, 7219, 95053 1857 }; 1858 1859 /* Do nothing if the colorspace is already invalidated. */ 1860 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 1861 return 0; 1862 1863 /* Check the intent, then check for existing settings. It is valid for the 1864 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must 1865 * be consistent with the correct values. If, however, this function is 1866 * called below because an iCCP chunk matches sRGB then it is quite 1867 * conceivable that an older app recorded incorrect gAMA and cHRM because of 1868 * an incorrect calculation based on the values in the profile - this does 1869 * *not* invalidate the profile (though it still produces an error, which can 1870 * be ignored.) 1871 */ 1872 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST) 1873 return png_icc_profile_error(png_ptr, colorspace, "sRGB", 1874 (unsigned)intent, "invalid sRGB rendering intent"); 1875 1876 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 && 1877 colorspace->rendering_intent != intent) 1878 return png_icc_profile_error(png_ptr, colorspace, "sRGB", 1879 (unsigned)intent, "inconsistent rendering intents"); 1880 1881 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0) 1882 { 1883 png_benign_error(png_ptr, "duplicate sRGB information ignored"); 1884 return 0; 1885 } 1886 1887 /* If the standard sRGB cHRM chunk does not match the one from the PNG file 1888 * warn but overwrite the value with the correct one. 1889 */ 1890 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 && 1891 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy, 1892 100)) 1893 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB", 1894 PNG_CHUNK_ERROR); 1895 1896 /* This check is just done for the error reporting - the routine always 1897 * returns true when the 'from' argument corresponds to sRGB (2). 1898 */ 1899 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE, 1900 2/*from sRGB*/); 1901 1902 /* intent: bugs in GCC force 'int' to be used as the parameter type. */ 1903 colorspace->rendering_intent = (png_uint_16)intent; 1904 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT; 1905 1906 /* endpoints */ 1907 colorspace->end_points_xy = sRGB_xy; 1908 colorspace->end_points_XYZ = sRGB_XYZ; 1909 colorspace->flags |= 1910 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB); 1911 1912 /* gamma */ 1913 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE; 1914 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA; 1915 1916 /* Finally record that we have an sRGB profile */ 1917 colorspace->flags |= 1918 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB); 1919 1920 return 1; /* set */ 1921} 1922#endif /* sRGB */ 1923 1924#ifdef PNG_iCCP_SUPPORTED 1925/* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value 1926 * is XYZ(0.9642,1.0,0.8249), which scales to: 1927 * 1928 * (63189.8112, 65536, 54060.6464) 1929 */ 1930static const png_byte D50_nCIEXYZ[12] = 1931 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d }; 1932 1933int /* PRIVATE */ 1934png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace, 1935 png_const_charp name, png_uint_32 profile_length) 1936{ 1937 if (profile_length < 132) 1938 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 1939 "too short"); 1940 1941 return 1; 1942} 1943 1944int /* PRIVATE */ 1945png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace, 1946 png_const_charp name, png_uint_32 profile_length, 1947 png_const_bytep profile/* first 132 bytes only */, int color_type) 1948{ 1949 png_uint_32 temp; 1950 1951 /* Length check; this cannot be ignored in this code because profile_length 1952 * is used later to check the tag table, so even if the profile seems over 1953 * long profile_length from the caller must be correct. The caller can fix 1954 * this up on read or write by just passing in the profile header length. 1955 */ 1956 temp = png_get_uint_32(profile); 1957 if (temp != profile_length) 1958 return png_icc_profile_error(png_ptr, colorspace, name, temp, 1959 "length does not match profile"); 1960 1961 temp = (png_uint_32) (*(profile+8)); 1962 if (temp > 3 && (profile_length & 3)) 1963 return png_icc_profile_error(png_ptr, colorspace, name, profile_length, 1964 "invalid length"); 1965 1966 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */ 1967 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */ 1968 profile_length < 132+12*temp) /* truncated tag table */ 1969 return png_icc_profile_error(png_ptr, colorspace, name, temp, 1970 "tag count too large"); 1971 1972 /* The 'intent' must be valid or we can't store it, ICC limits the intent to 1973 * 16 bits. 1974 */ 1975 temp = png_get_uint_32(profile+64); 1976 if (temp >= 0xffff) /* The ICC limit */ 1977 return png_icc_profile_error(png_ptr, colorspace, name, temp, 1978 "invalid rendering intent"); 1979 1980 /* This is just a warning because the profile may be valid in future 1981 * versions. 1982 */ 1983 if (temp >= PNG_sRGB_INTENT_LAST) 1984 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 1985 "intent outside defined range"); 1986 1987 /* At this point the tag table can't be checked because it hasn't necessarily 1988 * been loaded; however, various header fields can be checked. These checks 1989 * are for values permitted by the PNG spec in an ICC profile; the PNG spec 1990 * restricts the profiles that can be passed in an iCCP chunk (they must be 1991 * appropriate to processing PNG data!) 1992 */ 1993 1994 /* Data checks (could be skipped). These checks must be independent of the 1995 * version number; however, the version number doesn't accomodate changes in 1996 * the header fields (just the known tags and the interpretation of the 1997 * data.) 1998 */ 1999 temp = png_get_uint_32(profile+36); /* signature 'ascp' */ 2000 if (temp != 0x61637370) 2001 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2002 "invalid signature"); 2003 2004 /* Currently the PCS illuminant/adopted white point (the computational 2005 * white point) are required to be D50, 2006 * however the profile contains a record of the illuminant so perhaps ICC 2007 * expects to be able to change this in the future (despite the rationale in 2008 * the introduction for using a fixed PCS adopted white.) Consequently the 2009 * following is just a warning. 2010 */ 2011 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0) 2012 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/, 2013 "PCS illuminant is not D50"); 2014 2015 /* The PNG spec requires this: 2016 * "If the iCCP chunk is present, the image samples conform to the colour 2017 * space represented by the embedded ICC profile as defined by the 2018 * International Color Consortium [ICC]. The colour space of the ICC profile 2019 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and 2020 * 6), or a greyscale colour space for greyscale images (PNG colour types 0 2021 * and 4)." 2022 * 2023 * This checking code ensures the embedded profile (on either read or write) 2024 * conforms to the specification requirements. Notice that an ICC 'gray' 2025 * color-space profile contains the information to transform the monochrome 2026 * data to XYZ or L*a*b (according to which PCS the profile uses) and this 2027 * should be used in preference to the standard libpng K channel replication 2028 * into R, G and B channels. 2029 * 2030 * Previously it was suggested that an RGB profile on grayscale data could be 2031 * handled. However it it is clear that using an RGB profile in this context 2032 * must be an error - there is no specification of what it means. Thus it is 2033 * almost certainly more correct to ignore the profile. 2034 */ 2035 temp = png_get_uint_32(profile+16); /* data colour space field */ 2036 switch (temp) 2037 { 2038 case 0x52474220: /* 'RGB ' */ 2039 if ((color_type & PNG_COLOR_MASK_COLOR) == 0) 2040 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2041 "RGB color space not permitted on grayscale PNG"); 2042 break; 2043 2044 case 0x47524159: /* 'GRAY' */ 2045 if ((color_type & PNG_COLOR_MASK_COLOR) != 0) 2046 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2047 "Gray color space not permitted on RGB PNG"); 2048 break; 2049 2050 default: 2051 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2052 "invalid ICC profile color space"); 2053 } 2054 2055 /* It is up to the application to check that the profile class matches the 2056 * application requirements; the spec provides no guidance, but it's pretty 2057 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer 2058 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these 2059 * cases. Issue an error for device link or abstract profiles - these don't 2060 * contain the records necessary to transform the color-space to anything 2061 * other than the target device (and not even that for an abstract profile). 2062 * Profiles of these classes may not be embedded in images. 2063 */ 2064 temp = png_get_uint_32(profile+12); /* profile/device class */ 2065 switch (temp) 2066 { 2067 case 0x73636e72: /* 'scnr' */ 2068 case 0x6d6e7472: /* 'mntr' */ 2069 case 0x70727472: /* 'prtr' */ 2070 case 0x73706163: /* 'spac' */ 2071 /* All supported */ 2072 break; 2073 2074 case 0x61627374: /* 'abst' */ 2075 /* May not be embedded in an image */ 2076 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2077 "invalid embedded Abstract ICC profile"); 2078 2079 case 0x6c696e6b: /* 'link' */ 2080 /* DeviceLink profiles cannot be interpreted in a non-device specific 2081 * fashion, if an app uses the AToB0Tag in the profile the results are 2082 * undefined unless the result is sent to the intended device, 2083 * therefore a DeviceLink profile should not be found embedded in a 2084 * PNG. 2085 */ 2086 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2087 "unexpected DeviceLink ICC profile class"); 2088 2089 case 0x6e6d636c: /* 'nmcl' */ 2090 /* A NamedColor profile is also device specific, however it doesn't 2091 * contain an AToB0 tag that is open to misinterpretation. Almost 2092 * certainly it will fail the tests below. 2093 */ 2094 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2095 "unexpected NamedColor ICC profile class"); 2096 break; 2097 2098 default: 2099 /* To allow for future enhancements to the profile accept unrecognized 2100 * profile classes with a warning, these then hit the test below on the 2101 * tag content to ensure they are backward compatible with one of the 2102 * understood profiles. 2103 */ 2104 (void)png_icc_profile_error(png_ptr, NULL, name, temp, 2105 "unrecognized ICC profile class"); 2106 break; 2107 } 2108 2109 /* For any profile other than a device link one the PCS must be encoded 2110 * either in XYZ or Lab. 2111 */ 2112 temp = png_get_uint_32(profile+20); 2113 switch (temp) 2114 { 2115 case 0x58595a20: /* 'XYZ ' */ 2116 case 0x4c616220: /* 'Lab ' */ 2117 break; 2118 2119 default: 2120 return png_icc_profile_error(png_ptr, colorspace, name, temp, 2121 "unexpected ICC PCS encoding"); 2122 } 2123 2124 return 1; 2125} 2126 2127int /* PRIVATE */ 2128png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace, 2129 png_const_charp name, png_uint_32 profile_length, 2130 png_const_bytep profile /* header plus whole tag table */) 2131{ 2132 png_uint_32 tag_count = png_get_uint_32(profile+128); 2133 png_uint_32 itag; 2134 png_const_bytep tag = profile+132; /* The first tag */ 2135 2136 /* First scan all the tags in the table and add bits to the icc_info value 2137 * (temporarily in 'tags'). 2138 */ 2139 for (itag=0; itag < tag_count; ++itag, tag += 12) 2140 { 2141 png_uint_32 tag_id = png_get_uint_32(tag+0); 2142 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */ 2143 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */ 2144 2145 /* The ICC specification does not exclude zero length tags, therefore the 2146 * start might actually be anywhere if there is no data, but this would be 2147 * a clear abuse of the intent of the standard so the start is checked for 2148 * being in range. All defined tag types have an 8 byte header - a 4 byte 2149 * type signature then 0. 2150 */ 2151 if ((tag_start & 3) != 0) 2152 { 2153 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this, it is 2154 * only a warning here because libpng does not care about the 2155 * alignment. 2156 */ 2157 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id, 2158 "ICC profile tag start not a multiple of 4"); 2159 } 2160 2161 /* This is a hard error; potentially it can cause read outside the 2162 * profile. 2163 */ 2164 if (tag_start > profile_length || tag_length > profile_length - tag_start) 2165 return png_icc_profile_error(png_ptr, colorspace, name, tag_id, 2166 "ICC profile tag outside profile"); 2167 } 2168 2169 return 1; /* success, maybe with warnings */ 2170} 2171 2172#ifdef PNG_sRGB_SUPPORTED 2173#if PNG_sRGB_PROFILE_CHECKS >= 0 2174/* Information about the known ICC sRGB profiles */ 2175static const struct 2176{ 2177 png_uint_32 adler, crc, length; 2178 png_uint_32 md5[4]; 2179 png_byte have_md5; 2180 png_byte is_broken; 2181 png_uint_16 intent; 2182 2183# define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0) 2184# define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\ 2185 { adler, crc, length, md5, broke, intent }, 2186 2187} png_sRGB_checks[] = 2188{ 2189 /* This data comes from contrib/tools/checksum-icc run on downloads of 2190 * all four ICC sRGB profiles from www.color.org. 2191 */ 2192 /* adler32, crc32, MD5[4], intent, date, length, file-name */ 2193 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9, 2194 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0, 2195 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc") 2196 2197 /* ICC sRGB v2 perceptual no black-compensation: */ 2198 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21, 2199 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0, 2200 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc") 2201 2202 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae, 2203 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0, 2204 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc") 2205 2206 /* ICC sRGB v4 perceptual */ 2207 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812, 2208 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0, 2209 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc") 2210 2211 /* The following profiles have no known MD5 checksum. If there is a match 2212 * on the (empty) MD5 the other fields are used to attempt a match and 2213 * a warning is produced. The first two of these profiles have a 'cprt' tag 2214 * which suggests that they were also made by Hewlett Packard. 2215 */ 2216 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce, 2217 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0, 2218 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc") 2219 2220 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not 2221 * match the D50 PCS illuminant in the header (it is in fact the D65 values, 2222 * so the white point is recorded as the un-adapted value.) The profiles 2223 * below only differ in one byte - the intent - and are basically the same as 2224 * the previous profile except for the mediaWhitePointTag error and a missing 2225 * chromaticAdaptationTag. 2226 */ 2227 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552, 2228 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/, 2229 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual") 2230 2231 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d, 2232 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/, 2233 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative") 2234}; 2235 2236static int 2237png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr, 2238 png_const_bytep profile, uLong adler) 2239{ 2240 /* The quick check is to verify just the MD5 signature and trust the 2241 * rest of the data. Because the profile has already been verified for 2242 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent' 2243 * field too, so if the profile has been edited with an intent not defined 2244 * by sRGB (but maybe defined by a later ICC specification) the read of 2245 * the profile will fail at that point. 2246 */ 2247 2248 png_uint_32 length = 0; 2249 png_uint_32 intent = 0x10000; /* invalid */ 2250#if PNG_sRGB_PROFILE_CHECKS > 1 2251 uLong crc = 0; /* the value for 0 length data */ 2252#endif 2253 unsigned int i; 2254 2255#ifdef PNG_SET_OPTION_SUPPORTED 2256 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */ 2257 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) == 2258 PNG_OPTION_ON) 2259 return 0; 2260#endif 2261 2262 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i) 2263 { 2264 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] && 2265 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] && 2266 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] && 2267 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3]) 2268 { 2269 /* This may be one of the old HP profiles without an MD5, in that 2270 * case we can only use the length and Adler32 (note that these 2271 * are not used by default if there is an MD5!) 2272 */ 2273# if PNG_sRGB_PROFILE_CHECKS == 0 2274 if (png_sRGB_checks[i].have_md5 != 0) 2275 return 1+png_sRGB_checks[i].is_broken; 2276# endif 2277 2278 /* Profile is unsigned or more checks have been configured in. */ 2279 if (length == 0) 2280 { 2281 length = png_get_uint_32(profile); 2282 intent = png_get_uint_32(profile+64); 2283 } 2284 2285 /* Length *and* intent must match */ 2286 if (length == (png_uint_32) png_sRGB_checks[i].length && 2287 intent == (png_uint_32) png_sRGB_checks[i].intent) 2288 { 2289 /* Now calculate the adler32 if not done already. */ 2290 if (adler == 0) 2291 { 2292 adler = adler32(0, NULL, 0); 2293 adler = adler32(adler, profile, length); 2294 } 2295 2296 if (adler == png_sRGB_checks[i].adler) 2297 { 2298 /* These basic checks suggest that the data has not been 2299 * modified, but if the check level is more than 1 perform 2300 * our own crc32 checksum on the data. 2301 */ 2302# if PNG_sRGB_PROFILE_CHECKS > 1 2303 if (crc == 0) 2304 { 2305 crc = crc32(0, NULL, 0); 2306 crc = crc32(crc, profile, length); 2307 } 2308 2309 /* So this check must pass for the 'return' below to happen. 2310 */ 2311 if (crc == png_sRGB_checks[i].crc) 2312# endif 2313 { 2314 if (png_sRGB_checks[i].is_broken != 0) 2315 { 2316 /* These profiles are known to have bad data that may cause 2317 * problems if they are used, therefore attempt to 2318 * discourage their use, skip the 'have_md5' warning below, 2319 * which is made irrelevant by this error. 2320 */ 2321 png_chunk_report(png_ptr, "known incorrect sRGB profile", 2322 PNG_CHUNK_ERROR); 2323 } 2324 2325 /* Warn that this being done; this isn't even an error since 2326 * the profile is perfectly valid, but it would be nice if 2327 * people used the up-to-date ones. 2328 */ 2329 else if (png_sRGB_checks[i].have_md5 == 0) 2330 { 2331 png_chunk_report(png_ptr, 2332 "out-of-date sRGB profile with no signature", 2333 PNG_CHUNK_WARNING); 2334 } 2335 2336 return 1+png_sRGB_checks[i].is_broken; 2337 } 2338 } 2339 2340# if PNG_sRGB_PROFILE_CHECKS > 0 2341 /* The signature matched, but the profile had been changed in some 2342 * way. This probably indicates a data error or uninformed hacking. 2343 * Fall through to "no match". 2344 */ 2345 png_chunk_report(png_ptr, 2346 "Not recognizing known sRGB profile that has been edited", 2347 PNG_CHUNK_WARNING); 2348 break; 2349# endif 2350 } 2351 } 2352 } 2353 2354 return 0; /* no match */ 2355} 2356#endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */ 2357 2358void /* PRIVATE */ 2359png_icc_set_sRGB(png_const_structrp png_ptr, 2360 png_colorspacerp colorspace, png_const_bytep profile, uLong adler) 2361{ 2362 /* Is this profile one of the known ICC sRGB profiles? If it is, just set 2363 * the sRGB information. 2364 */ 2365#if PNG_sRGB_PROFILE_CHECKS >= 0 2366 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0) 2367#endif 2368 (void)png_colorspace_set_sRGB(png_ptr, colorspace, 2369 (int)/*already checked*/png_get_uint_32(profile+64)); 2370} 2371#endif /* sRGB */ 2372 2373int /* PRIVATE */ 2374png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace, 2375 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile, 2376 int color_type) 2377{ 2378 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0) 2379 return 0; 2380 2381 if (png_icc_check_length(png_ptr, colorspace, name, profile_length) != 0 && 2382 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile, 2383 color_type) != 0 && 2384 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length, 2385 profile) != 0) 2386 { 2387# ifdef PNG_sRGB_SUPPORTED 2388 /* If no sRGB support, don't try storing sRGB information */ 2389 png_icc_set_sRGB(png_ptr, colorspace, profile, 0); 2390# endif 2391 return 1; 2392 } 2393 2394 /* Failure case */ 2395 return 0; 2396} 2397#endif /* iCCP */ 2398 2399#ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED 2400void /* PRIVATE */ 2401png_colorspace_set_rgb_coefficients(png_structrp png_ptr) 2402{ 2403 /* Set the rgb_to_gray coefficients from the colorspace. */ 2404 if (png_ptr->rgb_to_gray_coefficients_set == 0 && 2405 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) 2406 { 2407 /* png_set_background has not been called, get the coefficients from the Y 2408 * values of the colorspace colorants. 2409 */ 2410 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y; 2411 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y; 2412 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y; 2413 png_fixed_point total = r+g+b; 2414 2415 if (total > 0 && 2416 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 && 2417 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 && 2418 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 && 2419 r+g+b <= 32769) 2420 { 2421 /* We allow 0 coefficients here. r+g+b may be 32769 if two or 2422 * all of the coefficients were rounded up. Handle this by 2423 * reducing the *largest* coefficient by 1; this matches the 2424 * approach used for the default coefficients in pngrtran.c 2425 */ 2426 int add = 0; 2427 2428 if (r+g+b > 32768) 2429 add = -1; 2430 else if (r+g+b < 32768) 2431 add = 1; 2432 2433 if (add != 0) 2434 { 2435 if (g >= r && g >= b) 2436 g += add; 2437 else if (r >= g && r >= b) 2438 r += add; 2439 else 2440 b += add; 2441 } 2442 2443 /* Check for an internal error. */ 2444 if (r+g+b != 32768) 2445 png_error(png_ptr, 2446 "internal error handling cHRM coefficients"); 2447 2448 else 2449 { 2450 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r; 2451 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g; 2452 } 2453 } 2454 2455 /* This is a png_error at present even though it could be ignored - 2456 * it should never happen, but it is important that if it does, the 2457 * bug is fixed. 2458 */ 2459 else 2460 png_error(png_ptr, "internal error handling cHRM->XYZ"); 2461 } 2462} 2463#endif /* READ_RGB_TO_GRAY */ 2464 2465#endif /* COLORSPACE */ 2466 2467#ifdef __GNUC__ 2468/* This exists solely to work round a warning from GNU C. */ 2469static int /* PRIVATE */ 2470png_gt(size_t a, size_t b) 2471{ 2472 return a > b; 2473} 2474#else 2475# define png_gt(a,b) ((a) > (b)) 2476#endif 2477 2478void /* PRIVATE */ 2479png_check_IHDR(png_const_structrp png_ptr, 2480 png_uint_32 width, png_uint_32 height, int bit_depth, 2481 int color_type, int interlace_type, int compression_type, 2482 int filter_type) 2483{ 2484 int error = 0; 2485 2486 /* Check for width and height valid values */ 2487 if (width == 0) 2488 { 2489 png_warning(png_ptr, "Image width is zero in IHDR"); 2490 error = 1; 2491 } 2492 2493 if (width > PNG_UINT_31_MAX) 2494 { 2495 png_warning(png_ptr, "Invalid image width in IHDR"); 2496 error = 1; 2497 } 2498 2499 if (png_gt(((width + 7) & (~7)), 2500 ((PNG_SIZE_MAX 2501 - 48 /* big_row_buf hack */ 2502 - 1) /* filter byte */ 2503 / 8) /* 8-byte RGBA pixels */ 2504 - 1)) /* extra max_pixel_depth pad */ 2505 { 2506 /* The size of the row must be within the limits of this architecture. 2507 * Because the read code can perform arbitrary transformations the 2508 * maximum size is checked here. Because the code in png_read_start_row 2509 * adds extra space "for safety's sake" in several places a conservative 2510 * limit is used here. 2511 * 2512 * NOTE: it would be far better to check the size that is actually used, 2513 * but the effect in the real world is minor and the changes are more 2514 * extensive, therefore much more dangerous and much more difficult to 2515 * write in a way that avoids compiler warnings. 2516 */ 2517 png_warning(png_ptr, "Image width is too large for this architecture"); 2518 error = 1; 2519 } 2520 2521#ifdef PNG_SET_USER_LIMITS_SUPPORTED 2522 if (width > png_ptr->user_width_max) 2523#else 2524 if (width > PNG_USER_WIDTH_MAX) 2525#endif 2526 { 2527 png_warning(png_ptr, "Image width exceeds user limit in IHDR"); 2528 error = 1; 2529 } 2530 2531 if (height == 0) 2532 { 2533 png_warning(png_ptr, "Image height is zero in IHDR"); 2534 error = 1; 2535 } 2536 2537 if (height > PNG_UINT_31_MAX) 2538 { 2539 png_warning(png_ptr, "Invalid image height in IHDR"); 2540 error = 1; 2541 } 2542 2543#ifdef PNG_SET_USER_LIMITS_SUPPORTED 2544 if (height > png_ptr->user_height_max) 2545#else 2546 if (height > PNG_USER_HEIGHT_MAX) 2547#endif 2548 { 2549 png_warning(png_ptr, "Image height exceeds user limit in IHDR"); 2550 error = 1; 2551 } 2552 2553 /* Check other values */ 2554 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 && 2555 bit_depth != 8 && bit_depth != 16) 2556 { 2557 png_warning(png_ptr, "Invalid bit depth in IHDR"); 2558 error = 1; 2559 } 2560 2561 if (color_type < 0 || color_type == 1 || 2562 color_type == 5 || color_type > 6) 2563 { 2564 png_warning(png_ptr, "Invalid color type in IHDR"); 2565 error = 1; 2566 } 2567 2568 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) || 2569 ((color_type == PNG_COLOR_TYPE_RGB || 2570 color_type == PNG_COLOR_TYPE_GRAY_ALPHA || 2571 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8)) 2572 { 2573 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR"); 2574 error = 1; 2575 } 2576 2577 if (interlace_type >= PNG_INTERLACE_LAST) 2578 { 2579 png_warning(png_ptr, "Unknown interlace method in IHDR"); 2580 error = 1; 2581 } 2582 2583 if (compression_type != PNG_COMPRESSION_TYPE_BASE) 2584 { 2585 png_warning(png_ptr, "Unknown compression method in IHDR"); 2586 error = 1; 2587 } 2588 2589#ifdef PNG_MNG_FEATURES_SUPPORTED 2590 /* Accept filter_method 64 (intrapixel differencing) only if 2591 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and 2592 * 2. Libpng did not read a PNG signature (this filter_method is only 2593 * used in PNG datastreams that are embedded in MNG datastreams) and 2594 * 3. The application called png_permit_mng_features with a mask that 2595 * included PNG_FLAG_MNG_FILTER_64 and 2596 * 4. The filter_method is 64 and 2597 * 5. The color_type is RGB or RGBA 2598 */ 2599 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 && 2600 png_ptr->mng_features_permitted != 0) 2601 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream"); 2602 2603 if (filter_type != PNG_FILTER_TYPE_BASE) 2604 { 2605 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 && 2606 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) && 2607 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) && 2608 (color_type == PNG_COLOR_TYPE_RGB || 2609 color_type == PNG_COLOR_TYPE_RGB_ALPHA))) 2610 { 2611 png_warning(png_ptr, "Unknown filter method in IHDR"); 2612 error = 1; 2613 } 2614 2615 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0) 2616 { 2617 png_warning(png_ptr, "Invalid filter method in IHDR"); 2618 error = 1; 2619 } 2620 } 2621 2622#else 2623 if (filter_type != PNG_FILTER_TYPE_BASE) 2624 { 2625 png_warning(png_ptr, "Unknown filter method in IHDR"); 2626 error = 1; 2627 } 2628#endif 2629 2630 if (error == 1) 2631 png_error(png_ptr, "Invalid IHDR data"); 2632} 2633 2634#if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED) 2635/* ASCII to fp functions */ 2636/* Check an ASCII formated floating point value, see the more detailed 2637 * comments in pngpriv.h 2638 */ 2639/* The following is used internally to preserve the sticky flags */ 2640#define png_fp_add(state, flags) ((state) |= (flags)) 2641#define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY)) 2642 2643int /* PRIVATE */ 2644png_check_fp_number(png_const_charp string, png_size_t size, int *statep, 2645 png_size_tp whereami) 2646{ 2647 int state = *statep; 2648 png_size_t i = *whereami; 2649 2650 while (i < size) 2651 { 2652 int type; 2653 /* First find the type of the next character */ 2654 switch (string[i]) 2655 { 2656 case 43: type = PNG_FP_SAW_SIGN; break; 2657 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break; 2658 case 46: type = PNG_FP_SAW_DOT; break; 2659 case 48: type = PNG_FP_SAW_DIGIT; break; 2660 case 49: case 50: case 51: case 52: 2661 case 53: case 54: case 55: case 56: 2662 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break; 2663 case 69: 2664 case 101: type = PNG_FP_SAW_E; break; 2665 default: goto PNG_FP_End; 2666 } 2667 2668 /* Now deal with this type according to the current 2669 * state, the type is arranged to not overlap the 2670 * bits of the PNG_FP_STATE. 2671 */ 2672 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY)) 2673 { 2674 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN: 2675 if ((state & PNG_FP_SAW_ANY) != 0) 2676 goto PNG_FP_End; /* not a part of the number */ 2677 2678 png_fp_add(state, type); 2679 break; 2680 2681 case PNG_FP_INTEGER + PNG_FP_SAW_DOT: 2682 /* Ok as trailer, ok as lead of fraction. */ 2683 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */ 2684 goto PNG_FP_End; 2685 2686 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */ 2687 png_fp_add(state, type); 2688 2689 else 2690 png_fp_set(state, PNG_FP_FRACTION | type); 2691 2692 break; 2693 2694 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT: 2695 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */ 2696 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT); 2697 2698 png_fp_add(state, type | PNG_FP_WAS_VALID); 2699 2700 break; 2701 2702 case PNG_FP_INTEGER + PNG_FP_SAW_E: 2703 if ((state & PNG_FP_SAW_DIGIT) == 0) 2704 goto PNG_FP_End; 2705 2706 png_fp_set(state, PNG_FP_EXPONENT); 2707 2708 break; 2709 2710 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN: 2711 goto PNG_FP_End; ** no sign in fraction */ 2712 2713 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT: 2714 goto PNG_FP_End; ** Because SAW_DOT is always set */ 2715 2716 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT: 2717 png_fp_add(state, type | PNG_FP_WAS_VALID); 2718 break; 2719 2720 case PNG_FP_FRACTION + PNG_FP_SAW_E: 2721 /* This is correct because the trailing '.' on an 2722 * integer is handled above - so we can only get here 2723 * with the sequence ".E" (with no preceding digits). 2724 */ 2725 if ((state & PNG_FP_SAW_DIGIT) == 0) 2726 goto PNG_FP_End; 2727 2728 png_fp_set(state, PNG_FP_EXPONENT); 2729 2730 break; 2731 2732 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN: 2733 if ((state & PNG_FP_SAW_ANY) != 0) 2734 goto PNG_FP_End; /* not a part of the number */ 2735 2736 png_fp_add(state, PNG_FP_SAW_SIGN); 2737 2738 break; 2739 2740 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT: 2741 goto PNG_FP_End; */ 2742 2743 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT: 2744 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID); 2745 2746 break; 2747 2748 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E: 2749 goto PNG_FP_End; */ 2750 2751 default: goto PNG_FP_End; /* I.e. break 2 */ 2752 } 2753 2754 /* The character seems ok, continue. */ 2755 ++i; 2756 } 2757 2758PNG_FP_End: 2759 /* Here at the end, update the state and return the correct 2760 * return code. 2761 */ 2762 *statep = state; 2763 *whereami = i; 2764 2765 return (state & PNG_FP_SAW_DIGIT) != 0; 2766} 2767 2768 2769/* The same but for a complete string. */ 2770int 2771png_check_fp_string(png_const_charp string, png_size_t size) 2772{ 2773 int state=0; 2774 png_size_t char_index=0; 2775 2776 if (png_check_fp_number(string, size, &state, &char_index) != 0 && 2777 (char_index == size || string[char_index] == 0)) 2778 return state /* must be non-zero - see above */; 2779 2780 return 0; /* i.e. fail */ 2781} 2782#endif /* pCAL || sCAL */ 2783 2784#ifdef PNG_sCAL_SUPPORTED 2785# ifdef PNG_FLOATING_POINT_SUPPORTED 2786/* Utility used below - a simple accurate power of ten from an integral 2787 * exponent. 2788 */ 2789static double 2790png_pow10(int power) 2791{ 2792 int recip = 0; 2793 double d = 1; 2794 2795 /* Handle negative exponent with a reciprocal at the end because 2796 * 10 is exact whereas .1 is inexact in base 2 2797 */ 2798 if (power < 0) 2799 { 2800 if (power < DBL_MIN_10_EXP) return 0; 2801 recip = 1, power = -power; 2802 } 2803 2804 if (power > 0) 2805 { 2806 /* Decompose power bitwise. */ 2807 double mult = 10; 2808 do 2809 { 2810 if (power & 1) d *= mult; 2811 mult *= mult; 2812 power >>= 1; 2813 } 2814 while (power > 0); 2815 2816 if (recip != 0) d = 1/d; 2817 } 2818 /* else power is 0 and d is 1 */ 2819 2820 return d; 2821} 2822 2823/* Function to format a floating point value in ASCII with a given 2824 * precision. 2825 */ 2826void /* PRIVATE */ 2827png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size, 2828 double fp, unsigned int precision) 2829{ 2830 /* We use standard functions from math.h, but not printf because 2831 * that would require stdio. The caller must supply a buffer of 2832 * sufficient size or we will png_error. The tests on size and 2833 * the space in ascii[] consumed are indicated below. 2834 */ 2835 if (precision < 1) 2836 precision = DBL_DIG; 2837 2838 /* Enforce the limit of the implementation precision too. */ 2839 if (precision > DBL_DIG+1) 2840 precision = DBL_DIG+1; 2841 2842 /* Basic sanity checks */ 2843 if (size >= precision+5) /* See the requirements below. */ 2844 { 2845 if (fp < 0) 2846 { 2847 fp = -fp; 2848 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */ 2849 --size; 2850 } 2851 2852 if (fp >= DBL_MIN && fp <= DBL_MAX) 2853 { 2854 int exp_b10; /* A base 10 exponent */ 2855 double base; /* 10^exp_b10 */ 2856 2857 /* First extract a base 10 exponent of the number, 2858 * the calculation below rounds down when converting 2859 * from base 2 to base 10 (multiply by log10(2) - 2860 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to 2861 * be increased. Note that the arithmetic shift 2862 * performs a floor() unlike C arithmetic - using a 2863 * C multiply would break the following for negative 2864 * exponents. 2865 */ 2866 (void)frexp(fp, &exp_b10); /* exponent to base 2 */ 2867 2868 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */ 2869 2870 /* Avoid underflow here. */ 2871 base = png_pow10(exp_b10); /* May underflow */ 2872 2873 while (base < DBL_MIN || base < fp) 2874 { 2875 /* And this may overflow. */ 2876 double test = png_pow10(exp_b10+1); 2877 2878 if (test <= DBL_MAX) 2879 ++exp_b10, base = test; 2880 2881 else 2882 break; 2883 } 2884 2885 /* Normalize fp and correct exp_b10, after this fp is in the 2886 * range [.1,1) and exp_b10 is both the exponent and the digit 2887 * *before* which the decimal point should be inserted 2888 * (starting with 0 for the first digit). Note that this 2889 * works even if 10^exp_b10 is out of range because of the 2890 * test on DBL_MAX above. 2891 */ 2892 fp /= base; 2893 while (fp >= 1) fp /= 10, ++exp_b10; 2894 2895 /* Because of the code above fp may, at this point, be 2896 * less than .1, this is ok because the code below can 2897 * handle the leading zeros this generates, so no attempt 2898 * is made to correct that here. 2899 */ 2900 2901 { 2902 unsigned int czero, clead, cdigits; 2903 char exponent[10]; 2904 2905 /* Allow up to two leading zeros - this will not lengthen 2906 * the number compared to using E-n. 2907 */ 2908 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */ 2909 { 2910 czero = -exp_b10; /* PLUS 2 digits: TOTAL 3 */ 2911 exp_b10 = 0; /* Dot added below before first output. */ 2912 } 2913 else 2914 czero = 0; /* No zeros to add */ 2915 2916 /* Generate the digit list, stripping trailing zeros and 2917 * inserting a '.' before a digit if the exponent is 0. 2918 */ 2919 clead = czero; /* Count of leading zeros */ 2920 cdigits = 0; /* Count of digits in list. */ 2921 2922 do 2923 { 2924 double d; 2925 2926 fp *= 10; 2927 /* Use modf here, not floor and subtract, so that 2928 * the separation is done in one step. At the end 2929 * of the loop don't break the number into parts so 2930 * that the final digit is rounded. 2931 */ 2932 if (cdigits+czero+1 < precision+clead) 2933 fp = modf(fp, &d); 2934 2935 else 2936 { 2937 d = floor(fp + .5); 2938 2939 if (d > 9) 2940 { 2941 /* Rounding up to 10, handle that here. */ 2942 if (czero > 0) 2943 { 2944 --czero, d = 1; 2945 if (cdigits == 0) --clead; 2946 } 2947 else 2948 { 2949 while (cdigits > 0 && d > 9) 2950 { 2951 int ch = *--ascii; 2952 2953 if (exp_b10 != (-1)) 2954 ++exp_b10; 2955 2956 else if (ch == 46) 2957 { 2958 ch = *--ascii, ++size; 2959 /* Advance exp_b10 to '1', so that the 2960 * decimal point happens after the 2961 * previous digit. 2962 */ 2963 exp_b10 = 1; 2964 } 2965 2966 --cdigits; 2967 d = ch - 47; /* I.e. 1+(ch-48) */ 2968 } 2969 2970 /* Did we reach the beginning? If so adjust the 2971 * exponent but take into account the leading 2972 * decimal point. 2973 */ 2974 if (d > 9) /* cdigits == 0 */ 2975 { 2976 if (exp_b10 == (-1)) 2977 { 2978 /* Leading decimal point (plus zeros?), if 2979 * we lose the decimal point here it must 2980 * be reentered below. 2981 */ 2982 int ch = *--ascii; 2983 2984 if (ch == 46) 2985 ++size, exp_b10 = 1; 2986 2987 /* Else lost a leading zero, so 'exp_b10' is 2988 * still ok at (-1) 2989 */ 2990 } 2991 else 2992 ++exp_b10; 2993 2994 /* In all cases we output a '1' */ 2995 d = 1; 2996 } 2997 } 2998 } 2999 fp = 0; /* Guarantees termination below. */ 3000 } 3001 3002 if (d == 0) 3003 { 3004 ++czero; 3005 if (cdigits == 0) ++clead; 3006 } 3007 else 3008 { 3009 /* Included embedded zeros in the digit count. */ 3010 cdigits += czero - clead; 3011 clead = 0; 3012 3013 while (czero > 0) 3014 { 3015 /* exp_b10 == (-1) means we just output the decimal 3016 * place - after the DP don't adjust 'exp_b10' any 3017 * more! 3018 */ 3019 if (exp_b10 != (-1)) 3020 { 3021 if (exp_b10 == 0) *ascii++ = 46, --size; 3022 /* PLUS 1: TOTAL 4 */ 3023 --exp_b10; 3024 } 3025 *ascii++ = 48, --czero; 3026 } 3027 3028 if (exp_b10 != (-1)) 3029 { 3030 if (exp_b10 == 0) 3031 *ascii++ = 46, --size; /* counted above */ 3032 3033 --exp_b10; 3034 } 3035 *ascii++ = (char)(48 + (int)d), ++cdigits; 3036 } 3037 } 3038 while (cdigits+czero < precision+clead && fp > DBL_MIN); 3039 3040 /* The total output count (max) is now 4+precision */ 3041 3042 /* Check for an exponent, if we don't need one we are 3043 * done and just need to terminate the string. At 3044 * this point exp_b10==(-1) is effectively if flag - it got 3045 * to '-1' because of the decrement after outputting 3046 * the decimal point above (the exponent required is 3047 * *not* -1!) 3048 */ 3049 if (exp_b10 >= (-1) && exp_b10 <= 2) 3050 { 3051 /* The following only happens if we didn't output the 3052 * leading zeros above for negative exponent, so this 3053 * doesn't add to the digit requirement. Note that the 3054 * two zeros here can only be output if the two leading 3055 * zeros were *not* output, so this doesn't increase 3056 * the output count. 3057 */ 3058 while (--exp_b10 >= 0) *ascii++ = 48; 3059 3060 *ascii = 0; 3061 3062 /* Total buffer requirement (including the '\0') is 3063 * 5+precision - see check at the start. 3064 */ 3065 return; 3066 } 3067 3068 /* Here if an exponent is required, adjust size for 3069 * the digits we output but did not count. The total 3070 * digit output here so far is at most 1+precision - no 3071 * decimal point and no leading or trailing zeros have 3072 * been output. 3073 */ 3074 size -= cdigits; 3075 3076 *ascii++ = 69, --size; /* 'E': PLUS 1 TOTAL 2+precision */ 3077 3078 /* The following use of an unsigned temporary avoids ambiguities in 3079 * the signed arithmetic on exp_b10 and permits GCC at least to do 3080 * better optimization. 3081 */ 3082 { 3083 unsigned int uexp_b10; 3084 3085 if (exp_b10 < 0) 3086 { 3087 *ascii++ = 45, --size; /* '-': PLUS 1 TOTAL 3+precision */ 3088 uexp_b10 = -exp_b10; 3089 } 3090 3091 else 3092 uexp_b10 = exp_b10; 3093 3094 cdigits = 0; 3095 3096 while (uexp_b10 > 0) 3097 { 3098 exponent[cdigits++] = (char)(48 + uexp_b10 % 10); 3099 uexp_b10 /= 10; 3100 } 3101 } 3102 3103 /* Need another size check here for the exponent digits, so 3104 * this need not be considered above. 3105 */ 3106 if (size > cdigits) 3107 { 3108 while (cdigits > 0) *ascii++ = exponent[--cdigits]; 3109 3110 *ascii = 0; 3111 3112 return; 3113 } 3114 } 3115 } 3116 else if (!(fp >= DBL_MIN)) 3117 { 3118 *ascii++ = 48; /* '0' */ 3119 *ascii = 0; 3120 return; 3121 } 3122 else 3123 { 3124 *ascii++ = 105; /* 'i' */ 3125 *ascii++ = 110; /* 'n' */ 3126 *ascii++ = 102; /* 'f' */ 3127 *ascii = 0; 3128 return; 3129 } 3130 } 3131 3132 /* Here on buffer too small. */ 3133 png_error(png_ptr, "ASCII conversion buffer too small"); 3134} 3135 3136# endif /* FLOATING_POINT */ 3137 3138# ifdef PNG_FIXED_POINT_SUPPORTED 3139/* Function to format a fixed point value in ASCII. 3140 */ 3141void /* PRIVATE */ 3142png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii, 3143 png_size_t size, png_fixed_point fp) 3144{ 3145 /* Require space for 10 decimal digits, a decimal point, a minus sign and a 3146 * trailing \0, 13 characters: 3147 */ 3148 if (size > 12) 3149 { 3150 png_uint_32 num; 3151 3152 /* Avoid overflow here on the minimum integer. */ 3153 if (fp < 0) 3154 *ascii++ = 45, num = -fp; 3155 else 3156 num = fp; 3157 3158 if (num <= 0x80000000) /* else overflowed */ 3159 { 3160 unsigned int ndigits = 0, first = 16 /* flag value */; 3161 char digits[10]; 3162 3163 while (num) 3164 { 3165 /* Split the low digit off num: */ 3166 unsigned int tmp = num/10; 3167 num -= tmp*10; 3168 digits[ndigits++] = (char)(48 + num); 3169 /* Record the first non-zero digit, note that this is a number 3170 * starting at 1, it's not actually the array index. 3171 */ 3172 if (first == 16 && num > 0) 3173 first = ndigits; 3174 num = tmp; 3175 } 3176 3177 if (ndigits > 0) 3178 { 3179 while (ndigits > 5) *ascii++ = digits[--ndigits]; 3180 /* The remaining digits are fractional digits, ndigits is '5' or 3181 * smaller at this point. It is certainly not zero. Check for a 3182 * non-zero fractional digit: 3183 */ 3184 if (first <= 5) 3185 { 3186 unsigned int i; 3187 *ascii++ = 46; /* decimal point */ 3188 /* ndigits may be <5 for small numbers, output leading zeros 3189 * then ndigits digits to first: 3190 */ 3191 i = 5; 3192 while (ndigits < i) *ascii++ = 48, --i; 3193 while (ndigits >= first) *ascii++ = digits[--ndigits]; 3194 /* Don't output the trailing zeros! */ 3195 } 3196 } 3197 else 3198 *ascii++ = 48; 3199 3200 /* And null terminate the string: */ 3201 *ascii = 0; 3202 return; 3203 } 3204 } 3205 3206 /* Here on buffer too small. */ 3207 png_error(png_ptr, "ASCII conversion buffer too small"); 3208} 3209# endif /* FIXED_POINT */ 3210#endif /* SCAL */ 3211 3212#if defined(PNG_FLOATING_POINT_SUPPORTED) && \ 3213 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \ 3214 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \ 3215 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 3216 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \ 3217 (defined(PNG_sCAL_SUPPORTED) && \ 3218 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED)) 3219png_fixed_point 3220png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text) 3221{ 3222 double r = floor(100000 * fp + .5); 3223 3224 if (r > 2147483647. || r < -2147483648.) 3225 png_fixed_error(png_ptr, text); 3226 3227# ifndef PNG_ERROR_TEXT_SUPPORTED 3228 PNG_UNUSED(text) 3229# endif 3230 3231 return (png_fixed_point)r; 3232} 3233#endif 3234 3235#if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\ 3236 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED) 3237/* muldiv functions */ 3238/* This API takes signed arguments and rounds the result to the nearest 3239 * integer (or, for a fixed point number - the standard argument - to 3240 * the nearest .00001). Overflow and divide by zero are signalled in 3241 * the result, a boolean - true on success, false on overflow. 3242 */ 3243int 3244png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times, 3245 png_int_32 divisor) 3246{ 3247 /* Return a * times / divisor, rounded. */ 3248 if (divisor != 0) 3249 { 3250 if (a == 0 || times == 0) 3251 { 3252 *res = 0; 3253 return 1; 3254 } 3255 else 3256 { 3257#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3258 double r = a; 3259 r *= times; 3260 r /= divisor; 3261 r = floor(r+.5); 3262 3263 /* A png_fixed_point is a 32-bit integer. */ 3264 if (r <= 2147483647. && r >= -2147483648.) 3265 { 3266 *res = (png_fixed_point)r; 3267 return 1; 3268 } 3269#else 3270 int negative = 0; 3271 png_uint_32 A, T, D; 3272 png_uint_32 s16, s32, s00; 3273 3274 if (a < 0) 3275 negative = 1, A = -a; 3276 else 3277 A = a; 3278 3279 if (times < 0) 3280 negative = !negative, T = -times; 3281 else 3282 T = times; 3283 3284 if (divisor < 0) 3285 negative = !negative, D = -divisor; 3286 else 3287 D = divisor; 3288 3289 /* Following can't overflow because the arguments only 3290 * have 31 bits each, however the result may be 32 bits. 3291 */ 3292 s16 = (A >> 16) * (T & 0xffff) + 3293 (A & 0xffff) * (T >> 16); 3294 /* Can't overflow because the a*times bit is only 30 3295 * bits at most. 3296 */ 3297 s32 = (A >> 16) * (T >> 16) + (s16 >> 16); 3298 s00 = (A & 0xffff) * (T & 0xffff); 3299 3300 s16 = (s16 & 0xffff) << 16; 3301 s00 += s16; 3302 3303 if (s00 < s16) 3304 ++s32; /* carry */ 3305 3306 if (s32 < D) /* else overflow */ 3307 { 3308 /* s32.s00 is now the 64-bit product, do a standard 3309 * division, we know that s32 < D, so the maximum 3310 * required shift is 31. 3311 */ 3312 int bitshift = 32; 3313 png_fixed_point result = 0; /* NOTE: signed */ 3314 3315 while (--bitshift >= 0) 3316 { 3317 png_uint_32 d32, d00; 3318 3319 if (bitshift > 0) 3320 d32 = D >> (32-bitshift), d00 = D << bitshift; 3321 3322 else 3323 d32 = 0, d00 = D; 3324 3325 if (s32 > d32) 3326 { 3327 if (s00 < d00) --s32; /* carry */ 3328 s32 -= d32, s00 -= d00, result += 1<<bitshift; 3329 } 3330 3331 else 3332 if (s32 == d32 && s00 >= d00) 3333 s32 = 0, s00 -= d00, result += 1<<bitshift; 3334 } 3335 3336 /* Handle the rounding. */ 3337 if (s00 >= (D >> 1)) 3338 ++result; 3339 3340 if (negative != 0) 3341 result = -result; 3342 3343 /* Check for overflow. */ 3344 if ((negative != 0 && result <= 0) || 3345 (negative == 0 && result >= 0)) 3346 { 3347 *res = result; 3348 return 1; 3349 } 3350 } 3351#endif 3352 } 3353 } 3354 3355 return 0; 3356} 3357#endif /* READ_GAMMA || INCH_CONVERSIONS */ 3358 3359#if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED) 3360/* The following is for when the caller doesn't much care about the 3361 * result. 3362 */ 3363png_fixed_point 3364png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times, 3365 png_int_32 divisor) 3366{ 3367 png_fixed_point result; 3368 3369 if (png_muldiv(&result, a, times, divisor) != 0) 3370 return result; 3371 3372 png_warning(png_ptr, "fixed point overflow ignored"); 3373 return 0; 3374} 3375#endif 3376 3377#ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */ 3378/* Calculate a reciprocal, return 0 on div-by-zero or overflow. */ 3379png_fixed_point 3380png_reciprocal(png_fixed_point a) 3381{ 3382#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3383 double r = floor(1E10/a+.5); 3384 3385 if (r <= 2147483647. && r >= -2147483648.) 3386 return (png_fixed_point)r; 3387#else 3388 png_fixed_point res; 3389 3390 if (png_muldiv(&res, 100000, 100000, a) != 0) 3391 return res; 3392#endif 3393 3394 return 0; /* error/overflow */ 3395} 3396 3397/* This is the shared test on whether a gamma value is 'significant' - whether 3398 * it is worth doing gamma correction. 3399 */ 3400int /* PRIVATE */ 3401png_gamma_significant(png_fixed_point gamma_val) 3402{ 3403 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED || 3404 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED; 3405} 3406#endif 3407 3408#ifdef PNG_READ_GAMMA_SUPPORTED 3409#ifdef PNG_16BIT_SUPPORTED 3410/* A local convenience routine. */ 3411static png_fixed_point 3412png_product2(png_fixed_point a, png_fixed_point b) 3413{ 3414 /* The required result is 1/a * 1/b; the following preserves accuracy. */ 3415#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3416 double r = a * 1E-5; 3417 r *= b; 3418 r = floor(r+.5); 3419 3420 if (r <= 2147483647. && r >= -2147483648.) 3421 return (png_fixed_point)r; 3422#else 3423 png_fixed_point res; 3424 3425 if (png_muldiv(&res, a, b, 100000) != 0) 3426 return res; 3427#endif 3428 3429 return 0; /* overflow */ 3430} 3431#endif /* 16BIT */ 3432 3433/* The inverse of the above. */ 3434png_fixed_point 3435png_reciprocal2(png_fixed_point a, png_fixed_point b) 3436{ 3437 /* The required result is 1/a * 1/b; the following preserves accuracy. */ 3438#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3439 if (a != 0 && b != 0) 3440 { 3441 double r = 1E15/a; 3442 r /= b; 3443 r = floor(r+.5); 3444 3445 if (r <= 2147483647. && r >= -2147483648.) 3446 return (png_fixed_point)r; 3447 } 3448#else 3449 /* This may overflow because the range of png_fixed_point isn't symmetric, 3450 * but this API is only used for the product of file and screen gamma so it 3451 * doesn't matter that the smallest number it can produce is 1/21474, not 3452 * 1/100000 3453 */ 3454 png_fixed_point res = png_product2(a, b); 3455 3456 if (res != 0) 3457 return png_reciprocal(res); 3458#endif 3459 3460 return 0; /* overflow */ 3461} 3462#endif /* READ_GAMMA */ 3463 3464#ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */ 3465#ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED 3466/* Fixed point gamma. 3467 * 3468 * The code to calculate the tables used below can be found in the shell script 3469 * contrib/tools/intgamma.sh 3470 * 3471 * To calculate gamma this code implements fast log() and exp() calls using only 3472 * fixed point arithmetic. This code has sufficient precision for either 8-bit 3473 * or 16-bit sample values. 3474 * 3475 * The tables used here were calculated using simple 'bc' programs, but C double 3476 * precision floating point arithmetic would work fine. 3477 * 3478 * 8-bit log table 3479 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to 3480 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point 3481 * mantissa. The numbers are 32-bit fractions. 3482 */ 3483static const png_uint_32 3484png_8bit_l2[128] = 3485{ 3486 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U, 3487 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U, 3488 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U, 3489 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U, 3490 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U, 3491 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U, 3492 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U, 3493 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U, 3494 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U, 3495 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U, 3496 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U, 3497 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U, 3498 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U, 3499 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U, 3500 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U, 3501 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U, 3502 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U, 3503 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U, 3504 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U, 3505 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U, 3506 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U, 3507 24347096U, 0U 3508 3509#if 0 3510 /* The following are the values for 16-bit tables - these work fine for the 3511 * 8-bit conversions but produce very slightly larger errors in the 16-bit 3512 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To 3513 * use these all the shifts below must be adjusted appropriately. 3514 */ 3515 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054, 3516 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803, 3517 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068, 3518 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782, 3519 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887, 3520 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339, 3521 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098, 3522 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132, 3523 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415, 3524 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523, 3525 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495, 3526 1119, 744, 372 3527#endif 3528}; 3529 3530static png_int_32 3531png_log8bit(unsigned int x) 3532{ 3533 unsigned int lg2 = 0; 3534 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log, 3535 * because the log is actually negate that means adding 1. The final 3536 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1 3537 * input), return -1 for the overflow (log 0) case, - so the result is 3538 * always at most 19 bits. 3539 */ 3540 if ((x &= 0xff) == 0) 3541 return -1; 3542 3543 if ((x & 0xf0) == 0) 3544 lg2 = 4, x <<= 4; 3545 3546 if ((x & 0xc0) == 0) 3547 lg2 += 2, x <<= 2; 3548 3549 if ((x & 0x80) == 0) 3550 lg2 += 1, x <<= 1; 3551 3552 /* result is at most 19 bits, so this cast is safe: */ 3553 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16)); 3554} 3555 3556/* The above gives exact (to 16 binary places) log2 values for 8-bit images, 3557 * for 16-bit images we use the most significant 8 bits of the 16-bit value to 3558 * get an approximation then multiply the approximation by a correction factor 3559 * determined by the remaining up to 8 bits. This requires an additional step 3560 * in the 16-bit case. 3561 * 3562 * We want log2(value/65535), we have log2(v'/255), where: 3563 * 3564 * value = v' * 256 + v'' 3565 * = v' * f 3566 * 3567 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128 3568 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less 3569 * than 258. The final factor also needs to correct for the fact that our 8-bit 3570 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535. 3571 * 3572 * This gives a final formula using a calculated value 'x' which is value/v' and 3573 * scaling by 65536 to match the above table: 3574 * 3575 * log2(x/257) * 65536 3576 * 3577 * Since these numbers are so close to '1' we can use simple linear 3578 * interpolation between the two end values 256/257 (result -368.61) and 258/257 3579 * (result 367.179). The values used below are scaled by a further 64 to give 3580 * 16-bit precision in the interpolation: 3581 * 3582 * Start (256): -23591 3583 * Zero (257): 0 3584 * End (258): 23499 3585 */ 3586#ifdef PNG_16BIT_SUPPORTED 3587static png_int_32 3588png_log16bit(png_uint_32 x) 3589{ 3590 unsigned int lg2 = 0; 3591 3592 /* As above, but now the input has 16 bits. */ 3593 if ((x &= 0xffff) == 0) 3594 return -1; 3595 3596 if ((x & 0xff00) == 0) 3597 lg2 = 8, x <<= 8; 3598 3599 if ((x & 0xf000) == 0) 3600 lg2 += 4, x <<= 4; 3601 3602 if ((x & 0xc000) == 0) 3603 lg2 += 2, x <<= 2; 3604 3605 if ((x & 0x8000) == 0) 3606 lg2 += 1, x <<= 1; 3607 3608 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional 3609 * value. 3610 */ 3611 lg2 <<= 28; 3612 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4; 3613 3614 /* Now we need to interpolate the factor, this requires a division by the top 3615 * 8 bits. Do this with maximum precision. 3616 */ 3617 x = ((x << 16) + (x >> 9)) / (x >> 8); 3618 3619 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24, 3620 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly 3621 * 16 bits to interpolate to get the low bits of the result. Round the 3622 * answer. Note that the end point values are scaled by 64 to retain overall 3623 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust 3624 * the overall scaling by 6-12. Round at every step. 3625 */ 3626 x -= 1U << 24; 3627 3628 if (x <= 65536U) /* <= '257' */ 3629 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12); 3630 3631 else 3632 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12); 3633 3634 /* Safe, because the result can't have more than 20 bits: */ 3635 return (png_int_32)((lg2 + 2048) >> 12); 3636} 3637#endif /* 16BIT */ 3638 3639/* The 'exp()' case must invert the above, taking a 20-bit fixed point 3640 * logarithmic value and returning a 16 or 8-bit number as appropriate. In 3641 * each case only the low 16 bits are relevant - the fraction - since the 3642 * integer bits (the top 4) simply determine a shift. 3643 * 3644 * The worst case is the 16-bit distinction between 65535 and 65534. This 3645 * requires perhaps spurious accuracy in the decoding of the logarithm to 3646 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance 3647 * of getting this accuracy in practice. 3648 * 3649 * To deal with this the following exp() function works out the exponent of the 3650 * frational part of the logarithm by using an accurate 32-bit value from the 3651 * top four fractional bits then multiplying in the remaining bits. 3652 */ 3653static const png_uint_32 3654png_32bit_exp[16] = 3655{ 3656 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */ 3657 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U, 3658 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U, 3659 2553802834U, 2445529972U, 2341847524U, 2242560872U 3660}; 3661 3662/* Adjustment table; provided to explain the numbers in the code below. */ 3663#if 0 3664for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"} 3665 11 44937.64284865548751208448 3666 10 45180.98734845585101160448 3667 9 45303.31936980687359311872 3668 8 45364.65110595323018870784 3669 7 45395.35850361789624614912 3670 6 45410.72259715102037508096 3671 5 45418.40724413220722311168 3672 4 45422.25021786898173001728 3673 3 45424.17186732298419044352 3674 2 45425.13273269940811464704 3675 1 45425.61317555035558641664 3676 0 45425.85339951654943850496 3677#endif 3678 3679static png_uint_32 3680png_exp(png_fixed_point x) 3681{ 3682 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */ 3683 { 3684 /* Obtain a 4-bit approximation */ 3685 png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f]; 3686 3687 /* Incorporate the low 12 bits - these decrease the returned value by 3688 * multiplying by a number less than 1 if the bit is set. The multiplier 3689 * is determined by the above table and the shift. Notice that the values 3690 * converge on 45426 and this is used to allow linear interpolation of the 3691 * low bits. 3692 */ 3693 if (x & 0x800) 3694 e -= (((e >> 16) * 44938U) + 16U) >> 5; 3695 3696 if (x & 0x400) 3697 e -= (((e >> 16) * 45181U) + 32U) >> 6; 3698 3699 if (x & 0x200) 3700 e -= (((e >> 16) * 45303U) + 64U) >> 7; 3701 3702 if (x & 0x100) 3703 e -= (((e >> 16) * 45365U) + 128U) >> 8; 3704 3705 if (x & 0x080) 3706 e -= (((e >> 16) * 45395U) + 256U) >> 9; 3707 3708 if (x & 0x040) 3709 e -= (((e >> 16) * 45410U) + 512U) >> 10; 3710 3711 /* And handle the low 6 bits in a single block. */ 3712 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9; 3713 3714 /* Handle the upper bits of x. */ 3715 e >>= x >> 16; 3716 return e; 3717 } 3718 3719 /* Check for overflow */ 3720 if (x <= 0) 3721 return png_32bit_exp[0]; 3722 3723 /* Else underflow */ 3724 return 0; 3725} 3726 3727static png_byte 3728png_exp8bit(png_fixed_point lg2) 3729{ 3730 /* Get a 32-bit value: */ 3731 png_uint_32 x = png_exp(lg2); 3732 3733 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the 3734 * second, rounding, step can't overflow because of the first, subtraction, 3735 * step. 3736 */ 3737 x -= x >> 8; 3738 return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff); 3739} 3740 3741#ifdef PNG_16BIT_SUPPORTED 3742static png_uint_16 3743png_exp16bit(png_fixed_point lg2) 3744{ 3745 /* Get a 32-bit value: */ 3746 png_uint_32 x = png_exp(lg2); 3747 3748 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */ 3749 x -= x >> 16; 3750 return (png_uint_16)((x + 32767U) >> 16); 3751} 3752#endif /* 16BIT */ 3753#endif /* FLOATING_ARITHMETIC */ 3754 3755png_byte 3756png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val) 3757{ 3758 if (value > 0 && value < 255) 3759 { 3760# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3761 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly 3762 * convert this to a floating point value. This includes values that 3763 * would overflow if 'value' were to be converted to 'int'. 3764 * 3765 * Apparently GCC, however, does an intermediate conversion to (int) 3766 * on some (ARM) but not all (x86) platforms, possibly because of 3767 * hardware FP limitations. (E.g. if the hardware conversion always 3768 * assumes the integer register contains a signed value.) This results 3769 * in ANSI-C undefined behavior for large values. 3770 * 3771 * Other implementations on the same machine might actually be ANSI-C90 3772 * conformant and therefore compile spurious extra code for the large 3773 * values. 3774 * 3775 * We can be reasonably sure that an unsigned to float conversion 3776 * won't be faster than an int to float one. Therefore this code 3777 * assumes responsibility for the undefined behavior, which it knows 3778 * can't happen because of the check above. 3779 * 3780 * Note the argument to this routine is an (unsigned int) because, on 3781 * 16-bit platforms, it is assigned a value which might be out of 3782 * range for an (int); that would result in undefined behavior in the 3783 * caller if the *argument* ('value') were to be declared (int). 3784 */ 3785 double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5); 3786 return (png_byte)r; 3787# else 3788 png_int_32 lg2 = png_log8bit(value); 3789 png_fixed_point res; 3790 3791 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0) 3792 return png_exp8bit(res); 3793 3794 /* Overflow. */ 3795 value = 0; 3796# endif 3797 } 3798 3799 return (png_byte)(value & 0xff); 3800} 3801 3802#ifdef PNG_16BIT_SUPPORTED 3803png_uint_16 3804png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val) 3805{ 3806 if (value > 0 && value < 65535) 3807 { 3808# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3809 /* The same (unsigned int)->(double) constraints apply here as above, 3810 * however in this case the (unsigned int) to (int) conversion can 3811 * overflow on an ANSI-C90 compliant system so the cast needs to ensure 3812 * that this is not possible. 3813 */ 3814 double r = floor(65535*pow((png_int_32)value/65535., 3815 gamma_val*.00001)+.5); 3816 return (png_uint_16)r; 3817# else 3818 png_int_32 lg2 = png_log16bit(value); 3819 png_fixed_point res; 3820 3821 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0) 3822 return png_exp16bit(res); 3823 3824 /* Overflow. */ 3825 value = 0; 3826# endif 3827 } 3828 3829 return (png_uint_16)value; 3830} 3831#endif /* 16BIT */ 3832 3833/* This does the right thing based on the bit_depth field of the 3834 * png_struct, interpreting values as 8-bit or 16-bit. While the result 3835 * is nominally a 16-bit value if bit depth is 8 then the result is 3836 * 8-bit (as are the arguments.) 3837 */ 3838png_uint_16 /* PRIVATE */ 3839png_gamma_correct(png_structrp png_ptr, unsigned int value, 3840 png_fixed_point gamma_val) 3841{ 3842 if (png_ptr->bit_depth == 8) 3843 return png_gamma_8bit_correct(value, gamma_val); 3844 3845#ifdef PNG_16BIT_SUPPORTED 3846 else 3847 return png_gamma_16bit_correct(value, gamma_val); 3848#else 3849 /* should not reach this */ 3850 return 0; 3851#endif /* 16BIT */ 3852} 3853 3854#ifdef PNG_16BIT_SUPPORTED 3855/* Internal function to build a single 16-bit table - the table consists of 3856 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount 3857 * to shift the input values right (or 16-number_of_signifiant_bits). 3858 * 3859 * The caller is responsible for ensuring that the table gets cleaned up on 3860 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument 3861 * should be somewhere that will be cleaned. 3862 */ 3863static void 3864png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable, 3865 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val) 3866{ 3867 /* Various values derived from 'shift': */ 3868 PNG_CONST unsigned int num = 1U << (8U - shift); 3869#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3870 /* CSE the division and work round wacky GCC warnings (see the comments 3871 * in png_gamma_8bit_correct for where these come from.) 3872 */ 3873 PNG_CONST double fmax = 1./(((png_int_32)1 << (16U - shift))-1); 3874#endif 3875 PNG_CONST unsigned int max = (1U << (16U - shift))-1U; 3876 PNG_CONST unsigned int max_by_2 = 1U << (15U-shift); 3877 unsigned int i; 3878 3879 png_uint_16pp table = *ptable = 3880 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p))); 3881 3882 for (i = 0; i < num; i++) 3883 { 3884 png_uint_16p sub_table = table[i] = 3885 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16))); 3886 3887 /* The 'threshold' test is repeated here because it can arise for one of 3888 * the 16-bit tables even if the others don't hit it. 3889 */ 3890 if (png_gamma_significant(gamma_val) != 0) 3891 { 3892 /* The old code would overflow at the end and this would cause the 3893 * 'pow' function to return a result >1, resulting in an 3894 * arithmetic error. This code follows the spec exactly; ig is 3895 * the recovered input sample, it always has 8-16 bits. 3896 * 3897 * We want input * 65535/max, rounded, the arithmetic fits in 32 3898 * bits (unsigned) so long as max <= 32767. 3899 */ 3900 unsigned int j; 3901 for (j = 0; j < 256; j++) 3902 { 3903 png_uint_32 ig = (j << (8-shift)) + i; 3904# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED 3905 /* Inline the 'max' scaling operation: */ 3906 /* See png_gamma_8bit_correct for why the cast to (int) is 3907 * required here. 3908 */ 3909 double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5); 3910 sub_table[j] = (png_uint_16)d; 3911# else 3912 if (shift != 0) 3913 ig = (ig * 65535U + max_by_2)/max; 3914 3915 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val); 3916# endif 3917 } 3918 } 3919 else 3920 { 3921 /* We must still build a table, but do it the fast way. */ 3922 unsigned int j; 3923 3924 for (j = 0; j < 256; j++) 3925 { 3926 png_uint_32 ig = (j << (8-shift)) + i; 3927 3928 if (shift != 0) 3929 ig = (ig * 65535U + max_by_2)/max; 3930 3931 sub_table[j] = (png_uint_16)ig; 3932 } 3933 } 3934 } 3935} 3936 3937/* NOTE: this function expects the *inverse* of the overall gamma transformation 3938 * required. 3939 */ 3940static void 3941png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable, 3942 PNG_CONST unsigned int shift, PNG_CONST png_fixed_point gamma_val) 3943{ 3944 PNG_CONST unsigned int num = 1U << (8U - shift); 3945 PNG_CONST unsigned int max = (1U << (16U - shift))-1U; 3946 unsigned int i; 3947 png_uint_32 last; 3948 3949 png_uint_16pp table = *ptable = 3950 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p))); 3951 3952 /* 'num' is the number of tables and also the number of low bits of low 3953 * bits of the input 16-bit value used to select a table. Each table is 3954 * itself indexed by the high 8 bits of the value. 3955 */ 3956 for (i = 0; i < num; i++) 3957 table[i] = (png_uint_16p)png_malloc(png_ptr, 3958 256 * (sizeof (png_uint_16))); 3959 3960 /* 'gamma_val' is set to the reciprocal of the value calculated above, so 3961 * pow(out,g) is an *input* value. 'last' is the last input value set. 3962 * 3963 * In the loop 'i' is used to find output values. Since the output is 3964 * 8-bit there are only 256 possible values. The tables are set up to 3965 * select the closest possible output value for each input by finding 3966 * the input value at the boundary between each pair of output values 3967 * and filling the table up to that boundary with the lower output 3968 * value. 3969 * 3970 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit 3971 * values the code below uses a 16-bit value in i; the values start at 3972 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last 3973 * entries are filled with 255). Start i at 128 and fill all 'last' 3974 * table entries <= 'max' 3975 */ 3976 last = 0; 3977 for (i = 0; i < 255; ++i) /* 8-bit output value */ 3978 { 3979 /* Find the corresponding maximum input value */ 3980 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */ 3981 3982 /* Find the boundary value in 16 bits: */ 3983 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val); 3984 3985 /* Adjust (round) to (16-shift) bits: */ 3986 bound = (bound * max + 32768U)/65535U + 1U; 3987 3988 while (last < bound) 3989 { 3990 table[last & (0xffU >> shift)][last >> (8U - shift)] = out; 3991 last++; 3992 } 3993 } 3994 3995 /* And fill in the final entries. */ 3996 while (last < (num << 8)) 3997 { 3998 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U; 3999 last++; 4000 } 4001} 4002#endif /* 16BIT */ 4003 4004/* Build a single 8-bit table: same as the 16-bit case but much simpler (and 4005 * typically much faster). Note that libpng currently does no sBIT processing 4006 * (apparently contrary to the spec) so a 256-entry table is always generated. 4007 */ 4008static void 4009png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable, 4010 PNG_CONST png_fixed_point gamma_val) 4011{ 4012 unsigned int i; 4013 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256); 4014 4015 if (png_gamma_significant(gamma_val) != 0) 4016 for (i=0; i<256; i++) 4017 table[i] = png_gamma_8bit_correct(i, gamma_val); 4018 4019 else 4020 for (i=0; i<256; ++i) 4021 table[i] = (png_byte)(i & 0xff); 4022} 4023 4024/* Used from png_read_destroy and below to release the memory used by the gamma 4025 * tables. 4026 */ 4027void /* PRIVATE */ 4028png_destroy_gamma_table(png_structrp png_ptr) 4029{ 4030 png_free(png_ptr, png_ptr->gamma_table); 4031 png_ptr->gamma_table = NULL; 4032 4033#ifdef PNG_16BIT_SUPPORTED 4034 if (png_ptr->gamma_16_table != NULL) 4035 { 4036 int i; 4037 int istop = (1 << (8 - png_ptr->gamma_shift)); 4038 for (i = 0; i < istop; i++) 4039 { 4040 png_free(png_ptr, png_ptr->gamma_16_table[i]); 4041 } 4042 png_free(png_ptr, png_ptr->gamma_16_table); 4043 png_ptr->gamma_16_table = NULL; 4044 } 4045#endif /* 16BIT */ 4046 4047#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4048 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4049 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4050 png_free(png_ptr, png_ptr->gamma_from_1); 4051 png_ptr->gamma_from_1 = NULL; 4052 png_free(png_ptr, png_ptr->gamma_to_1); 4053 png_ptr->gamma_to_1 = NULL; 4054 4055#ifdef PNG_16BIT_SUPPORTED 4056 if (png_ptr->gamma_16_from_1 != NULL) 4057 { 4058 int i; 4059 int istop = (1 << (8 - png_ptr->gamma_shift)); 4060 for (i = 0; i < istop; i++) 4061 { 4062 png_free(png_ptr, png_ptr->gamma_16_from_1[i]); 4063 } 4064 png_free(png_ptr, png_ptr->gamma_16_from_1); 4065 png_ptr->gamma_16_from_1 = NULL; 4066 } 4067 if (png_ptr->gamma_16_to_1 != NULL) 4068 { 4069 int i; 4070 int istop = (1 << (8 - png_ptr->gamma_shift)); 4071 for (i = 0; i < istop; i++) 4072 { 4073 png_free(png_ptr, png_ptr->gamma_16_to_1[i]); 4074 } 4075 png_free(png_ptr, png_ptr->gamma_16_to_1); 4076 png_ptr->gamma_16_to_1 = NULL; 4077 } 4078#endif /* 16BIT */ 4079#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4080} 4081 4082/* We build the 8- or 16-bit gamma tables here. Note that for 16-bit 4083 * tables, we don't make a full table if we are reducing to 8-bit in 4084 * the future. Note also how the gamma_16 tables are segmented so that 4085 * we don't need to allocate > 64K chunks for a full 16-bit table. 4086 */ 4087void /* PRIVATE */ 4088png_build_gamma_table(png_structrp png_ptr, int bit_depth) 4089{ 4090 png_debug(1, "in png_build_gamma_table"); 4091 4092 /* Remove any existing table; this copes with multiple calls to 4093 * png_read_update_info. The warning is because building the gamma tables 4094 * multiple times is a performance hit - it's harmless but the ability to call 4095 * png_read_update_info() multiple times is new in 1.5.6 so it seems sensible 4096 * to warn if the app introduces such a hit. 4097 */ 4098 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL) 4099 { 4100 png_warning(png_ptr, "gamma table being rebuilt"); 4101 png_destroy_gamma_table(png_ptr); 4102 } 4103 4104 if (bit_depth <= 8) 4105 { 4106 png_build_8bit_table(png_ptr, &png_ptr->gamma_table, 4107 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma, 4108 png_ptr->screen_gamma) : PNG_FP_1); 4109 4110#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4111 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4112 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4113 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0) 4114 { 4115 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1, 4116 png_reciprocal(png_ptr->colorspace.gamma)); 4117 4118 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1, 4119 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) : 4120 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */); 4121 } 4122#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4123 } 4124#ifdef PNG_16BIT_SUPPORTED 4125 else 4126 { 4127 png_byte shift, sig_bit; 4128 4129 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0) 4130 { 4131 sig_bit = png_ptr->sig_bit.red; 4132 4133 if (png_ptr->sig_bit.green > sig_bit) 4134 sig_bit = png_ptr->sig_bit.green; 4135 4136 if (png_ptr->sig_bit.blue > sig_bit) 4137 sig_bit = png_ptr->sig_bit.blue; 4138 } 4139 else 4140 sig_bit = png_ptr->sig_bit.gray; 4141 4142 /* 16-bit gamma code uses this equation: 4143 * 4144 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8] 4145 * 4146 * Where 'iv' is the input color value and 'ov' is the output value - 4147 * pow(iv, gamma). 4148 * 4149 * Thus the gamma table consists of up to 256 256-entry tables. The table 4150 * is selected by the (8-gamma_shift) most significant of the low 8 bits of 4151 * the color value then indexed by the upper 8 bits: 4152 * 4153 * table[low bits][high 8 bits] 4154 * 4155 * So the table 'n' corresponds to all those 'iv' of: 4156 * 4157 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1> 4158 * 4159 */ 4160 if (sig_bit > 0 && sig_bit < 16U) 4161 /* shift == insignificant bits */ 4162 shift = (png_byte)((16U - sig_bit) & 0xff); 4163 4164 else 4165 shift = 0; /* keep all 16 bits */ 4166 4167 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0) 4168 { 4169 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively 4170 * the significant bits in the *input* when the output will 4171 * eventually be 8 bits. By default it is 11. 4172 */ 4173 if (shift < (16U - PNG_MAX_GAMMA_8)) 4174 shift = (16U - PNG_MAX_GAMMA_8); 4175 } 4176 4177 if (shift > 8U) 4178 shift = 8U; /* Guarantees at least one table! */ 4179 4180 png_ptr->gamma_shift = shift; 4181 4182 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now 4183 * PNG_COMPOSE). This effectively smashed the background calculation for 4184 * 16-bit output because the 8-bit table assumes the result will be reduced 4185 * to 8 bits. 4186 */ 4187 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0) 4188 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift, 4189 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma, 4190 png_ptr->screen_gamma) : PNG_FP_1); 4191 4192 else 4193 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift, 4194 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma, 4195 png_ptr->screen_gamma) : PNG_FP_1); 4196 4197#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \ 4198 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \ 4199 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED) 4200 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0) 4201 { 4202 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift, 4203 png_reciprocal(png_ptr->colorspace.gamma)); 4204 4205 /* Notice that the '16 from 1' table should be full precision, however 4206 * the lookup on this table still uses gamma_shift, so it can't be. 4207 * TODO: fix this. 4208 */ 4209 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift, 4210 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) : 4211 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */); 4212 } 4213#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */ 4214 } 4215#endif /* 16BIT */ 4216} 4217#endif /* READ_GAMMA */ 4218 4219/* HARDWARE OR SOFTWARE OPTION SUPPORT */ 4220#ifdef PNG_SET_OPTION_SUPPORTED 4221int PNGAPI 4222png_set_option(png_structrp png_ptr, int option, int onoff) 4223{ 4224 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT && 4225 (option & 1) == 0) 4226 { 4227 int mask = 3 << option; 4228 int setting = (2 + (onoff != 0)) << option; 4229 int current = png_ptr->options; 4230 4231 png_ptr->options = (png_byte)(((current & ~mask) | setting) & 0xff); 4232 4233 return (current & mask) >> option; 4234 } 4235 4236 return PNG_OPTION_INVALID; 4237} 4238#endif 4239 4240/* sRGB support */ 4241#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\ 4242 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED) 4243/* sRGB conversion tables; these are machine generated with the code in 4244 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the 4245 * specification (see the article at http://en.wikipedia.org/wiki/SRGB) 4246 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng. 4247 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction). 4248 * The inverse (linear to sRGB) table has accuracies as follows: 4249 * 4250 * For all possible (255*65535+1) input values: 4251 * 4252 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact 4253 * 4254 * For the input values corresponding to the 65536 16-bit values: 4255 * 4256 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact 4257 * 4258 * In all cases the inexact readings are only off by one. 4259 */ 4260 4261#ifdef PNG_SIMPLIFIED_READ_SUPPORTED 4262/* The convert-to-sRGB table is only currently required for read. */ 4263const png_uint_16 png_sRGB_table[256] = 4264{ 4265 0,20,40,60,80,99,119,139, 4266 159,179,199,219,241,264,288,313, 4267 340,367,396,427,458,491,526,562, 4268 599,637,677,718,761,805,851,898, 4269 947,997,1048,1101,1156,1212,1270,1330, 4270 1391,1453,1517,1583,1651,1720,1790,1863, 4271 1937,2013,2090,2170,2250,2333,2418,2504, 4272 2592,2681,2773,2866,2961,3058,3157,3258, 4273 3360,3464,3570,3678,3788,3900,4014,4129, 4274 4247,4366,4488,4611,4736,4864,4993,5124, 4275 5257,5392,5530,5669,5810,5953,6099,6246, 4276 6395,6547,6700,6856,7014,7174,7335,7500, 4277 7666,7834,8004,8177,8352,8528,8708,8889, 4278 9072,9258,9445,9635,9828,10022,10219,10417, 4279 10619,10822,11028,11235,11446,11658,11873,12090, 4280 12309,12530,12754,12980,13209,13440,13673,13909, 4281 14146,14387,14629,14874,15122,15371,15623,15878, 4282 16135,16394,16656,16920,17187,17456,17727,18001, 4283 18277,18556,18837,19121,19407,19696,19987,20281, 4284 20577,20876,21177,21481,21787,22096,22407,22721, 4285 23038,23357,23678,24002,24329,24658,24990,25325, 4286 25662,26001,26344,26688,27036,27386,27739,28094, 4287 28452,28813,29176,29542,29911,30282,30656,31033, 4288 31412,31794,32179,32567,32957,33350,33745,34143, 4289 34544,34948,35355,35764,36176,36591,37008,37429, 4290 37852,38278,38706,39138,39572,40009,40449,40891, 4291 41337,41785,42236,42690,43147,43606,44069,44534, 4292 45002,45473,45947,46423,46903,47385,47871,48359, 4293 48850,49344,49841,50341,50844,51349,51858,52369, 4294 52884,53401,53921,54445,54971,55500,56032,56567, 4295 57105,57646,58190,58737,59287,59840,60396,60955, 4296 61517,62082,62650,63221,63795,64372,64952,65535 4297}; 4298#endif /* SIMPLIFIED_READ */ 4299 4300/* The base/delta tables are required for both read and write (but currently 4301 * only the simplified versions.) 4302 */ 4303const png_uint_16 png_sRGB_base[512] = 4304{ 4305 128,1782,3383,4644,5675,6564,7357,8074, 4306 8732,9346,9921,10463,10977,11466,11935,12384, 4307 12816,13233,13634,14024,14402,14769,15125,15473, 4308 15812,16142,16466,16781,17090,17393,17690,17981, 4309 18266,18546,18822,19093,19359,19621,19879,20133, 4310 20383,20630,20873,21113,21349,21583,21813,22041, 4311 22265,22487,22707,22923,23138,23350,23559,23767, 4312 23972,24175,24376,24575,24772,24967,25160,25352, 4313 25542,25730,25916,26101,26284,26465,26645,26823, 4314 27000,27176,27350,27523,27695,27865,28034,28201, 4315 28368,28533,28697,28860,29021,29182,29341,29500, 4316 29657,29813,29969,30123,30276,30429,30580,30730, 4317 30880,31028,31176,31323,31469,31614,31758,31902, 4318 32045,32186,32327,32468,32607,32746,32884,33021, 4319 33158,33294,33429,33564,33697,33831,33963,34095, 4320 34226,34357,34486,34616,34744,34873,35000,35127, 4321 35253,35379,35504,35629,35753,35876,35999,36122, 4322 36244,36365,36486,36606,36726,36845,36964,37083, 4323 37201,37318,37435,37551,37668,37783,37898,38013, 4324 38127,38241,38354,38467,38580,38692,38803,38915, 4325 39026,39136,39246,39356,39465,39574,39682,39790, 4326 39898,40005,40112,40219,40325,40431,40537,40642, 4327 40747,40851,40955,41059,41163,41266,41369,41471, 4328 41573,41675,41777,41878,41979,42079,42179,42279, 4329 42379,42478,42577,42676,42775,42873,42971,43068, 4330 43165,43262,43359,43456,43552,43648,43743,43839, 4331 43934,44028,44123,44217,44311,44405,44499,44592, 4332 44685,44778,44870,44962,45054,45146,45238,45329, 4333 45420,45511,45601,45692,45782,45872,45961,46051, 4334 46140,46229,46318,46406,46494,46583,46670,46758, 4335 46846,46933,47020,47107,47193,47280,47366,47452, 4336 47538,47623,47709,47794,47879,47964,48048,48133, 4337 48217,48301,48385,48468,48552,48635,48718,48801, 4338 48884,48966,49048,49131,49213,49294,49376,49458, 4339 49539,49620,49701,49782,49862,49943,50023,50103, 4340 50183,50263,50342,50422,50501,50580,50659,50738, 4341 50816,50895,50973,51051,51129,51207,51285,51362, 4342 51439,51517,51594,51671,51747,51824,51900,51977, 4343 52053,52129,52205,52280,52356,52432,52507,52582, 4344 52657,52732,52807,52881,52956,53030,53104,53178, 4345 53252,53326,53400,53473,53546,53620,53693,53766, 4346 53839,53911,53984,54056,54129,54201,54273,54345, 4347 54417,54489,54560,54632,54703,54774,54845,54916, 4348 54987,55058,55129,55199,55269,55340,55410,55480, 4349 55550,55620,55689,55759,55828,55898,55967,56036, 4350 56105,56174,56243,56311,56380,56448,56517,56585, 4351 56653,56721,56789,56857,56924,56992,57059,57127, 4352 57194,57261,57328,57395,57462,57529,57595,57662, 4353 57728,57795,57861,57927,57993,58059,58125,58191, 4354 58256,58322,58387,58453,58518,58583,58648,58713, 4355 58778,58843,58908,58972,59037,59101,59165,59230, 4356 59294,59358,59422,59486,59549,59613,59677,59740, 4357 59804,59867,59930,59993,60056,60119,60182,60245, 4358 60308,60370,60433,60495,60558,60620,60682,60744, 4359 60806,60868,60930,60992,61054,61115,61177,61238, 4360 61300,61361,61422,61483,61544,61605,61666,61727, 4361 61788,61848,61909,61969,62030,62090,62150,62211, 4362 62271,62331,62391,62450,62510,62570,62630,62689, 4363 62749,62808,62867,62927,62986,63045,63104,63163, 4364 63222,63281,63340,63398,63457,63515,63574,63632, 4365 63691,63749,63807,63865,63923,63981,64039,64097, 4366 64155,64212,64270,64328,64385,64443,64500,64557, 4367 64614,64672,64729,64786,64843,64900,64956,65013, 4368 65070,65126,65183,65239,65296,65352,65409,65465 4369}; 4370 4371const png_byte png_sRGB_delta[512] = 4372{ 4373 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54, 4374 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36, 4375 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28, 4376 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24, 4377 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21, 4378 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19, 4379 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17, 4380 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16, 4381 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15, 4382 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14, 4383 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13, 4384 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12, 4385 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12, 4386 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11, 4387 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11, 4388 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11, 4389 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4390 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4391 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10, 4392 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4393 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4394 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4395 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9, 4396 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4397 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4398 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4399 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4400 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8, 4401 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7, 4402 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 4403 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7, 4404 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7 4405}; 4406#endif /* SIMPLIFIED READ/WRITE sRGB support */ 4407 4408/* SIMPLIFIED READ/WRITE SUPPORT */ 4409#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\ 4410 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED) 4411static int 4412png_image_free_function(png_voidp argument) 4413{ 4414 png_imagep image = png_voidcast(png_imagep, argument); 4415 png_controlp cp = image->opaque; 4416 png_control c; 4417 4418 /* Double check that we have a png_ptr - it should be impossible to get here 4419 * without one. 4420 */ 4421 if (cp->png_ptr == NULL) 4422 return 0; 4423 4424 /* First free any data held in the control structure. */ 4425# ifdef PNG_STDIO_SUPPORTED 4426 if (cp->owned_file != 0) 4427 { 4428 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr); 4429 cp->owned_file = 0; 4430 4431 /* Ignore errors here. */ 4432 if (fp != NULL) 4433 { 4434 cp->png_ptr->io_ptr = NULL; 4435 (void)fclose(fp); 4436 } 4437 } 4438# endif 4439 4440 /* Copy the control structure so that the original, allocated, version can be 4441 * safely freed. Notice that a png_error here stops the remainder of the 4442 * cleanup, but this is probably fine because that would indicate bad memory 4443 * problems anyway. 4444 */ 4445 c = *cp; 4446 image->opaque = &c; 4447 png_free(c.png_ptr, cp); 4448 4449 /* Then the structures, calling the correct API. */ 4450 if (c.for_write != 0) 4451 { 4452# ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED 4453 png_destroy_write_struct(&c.png_ptr, &c.info_ptr); 4454# else 4455 png_error(c.png_ptr, "simplified write not supported"); 4456# endif 4457 } 4458 else 4459 { 4460# ifdef PNG_SIMPLIFIED_READ_SUPPORTED 4461 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL); 4462# else 4463 png_error(c.png_ptr, "simplified read not supported"); 4464# endif 4465 } 4466 4467 /* Success. */ 4468 return 1; 4469} 4470 4471void PNGAPI 4472png_image_free(png_imagep image) 4473{ 4474 /* Safely call the real function, but only if doing so is safe at this point 4475 * (if not inside an error handling context). Otherwise assume 4476 * png_safe_execute will call this API after the return. 4477 */ 4478 if (image != NULL && image->opaque != NULL && 4479 image->opaque->error_buf == NULL) 4480 { 4481 /* Ignore errors here: */ 4482 (void)png_safe_execute(image, png_image_free_function, image); 4483 image->opaque = NULL; 4484 } 4485} 4486 4487int /* PRIVATE */ 4488png_image_error(png_imagep image, png_const_charp error_message) 4489{ 4490 /* Utility to log an error. */ 4491 png_safecat(image->message, (sizeof image->message), 0, error_message); 4492 image->warning_or_error |= PNG_IMAGE_ERROR; 4493 png_image_free(image); 4494 return 0; 4495} 4496 4497#endif /* SIMPLIFIED READ/WRITE */ 4498#endif /* READ || WRITE */ 4499