diff options
Diffstat (limited to 'libpng/pngrutil.c')
| -rw-r--r-- | libpng/pngrutil.c | 590 |
1 files changed, 374 insertions, 216 deletions
diff --git a/libpng/pngrutil.c b/libpng/pngrutil.c index e9dc1a4..ad4f1a9 100644 --- a/libpng/pngrutil.c +++ b/libpng/pngrutil.c @@ -1,9 +1,9 @@ /* pngrutil.c - utilities to read a PNG file * - * libpng 1.2.1 - December 12, 2001 + * Last changed in libpng 1.2.22 [October 13, 2007] * For conditions of distribution and use, see copyright notice in png.h - * Copyright (c) 1998-2001 Glenn Randers-Pehrson + * Copyright (c) 1998-2007 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -14,33 +14,49 @@ #define PNG_INTERNAL #include "png.h" -#if defined(_WIN32_WCE) +#if defined(PNG_READ_SUPPORTED) + +#if defined(_WIN32_WCE) && (_WIN32_WCE<0x500) +# define WIN32_WCE_OLD +#endif + +#ifdef PNG_FLOATING_POINT_SUPPORTED +# if defined(WIN32_WCE_OLD) /* strtod() function is not supported on WindowsCE */ -# ifdef PNG_FLOATING_POINT_SUPPORTED -__inline double strtod(const char *nptr, char **endptr) +__inline double png_strtod(png_structp png_ptr, PNG_CONST char *nptr, char **endptr) { double result = 0; int len; wchar_t *str, *end; len = MultiByteToWideChar(CP_ACP, 0, nptr, -1, NULL, 0); - str = (wchar_t *)malloc(len * sizeof(wchar_t)); + str = (wchar_t *)png_malloc(png_ptr, len * sizeof(wchar_t)); if ( NULL != str ) { MultiByteToWideChar(CP_ACP, 0, nptr, -1, str, len); result = wcstod(str, &end); len = WideCharToMultiByte(CP_ACP, 0, end, -1, NULL, 0, NULL, NULL); *endptr = (char *)nptr + (png_strlen(nptr) - len + 1); - free(str); + png_free(png_ptr, str); } return result; } +# else +# define png_strtod(p,a,b) strtod(a,b) # endif #endif +png_uint_32 PNGAPI +png_get_uint_31(png_structp png_ptr, png_bytep buf) +{ + png_uint_32 i = png_get_uint_32(buf); + if (i > PNG_UINT_31_MAX) + png_error(png_ptr, "PNG unsigned integer out of range."); + return (i); +} #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */ -png_uint_32 /* PRIVATE */ +png_uint_32 PNGAPI png_get_uint_32(png_bytep buf) { png_uint_32 i = ((png_uint_32)(*buf) << 24) + @@ -51,11 +67,10 @@ png_get_uint_32(png_bytep buf) return (i); } -#if defined(PNG_READ_pCAL_SUPPORTED) || defined(PNG_READ_oFFs_SUPPORTED) /* Grab a signed 32-bit integer from a buffer in big-endian format. The * data is stored in the PNG file in two's complement format, and it is * assumed that the machine format for signed integers is the same. */ -png_int_32 /* PRIVATE */ +png_int_32 PNGAPI png_get_int_32(png_bytep buf) { png_int_32 i = ((png_int_32)(*buf) << 24) + @@ -65,10 +80,9 @@ png_get_int_32(png_bytep buf) return (i); } -#endif /* PNG_READ_pCAL_SUPPORTED */ /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */ -png_uint_16 /* PRIVATE */ +png_uint_16 PNGAPI png_get_uint_16(png_bytep buf) { png_uint_16 i = (png_uint_16)(((png_uint_16)(*buf) << 8) + @@ -82,6 +96,7 @@ png_get_uint_16(png_bytep buf) void /* PRIVATE */ png_crc_read(png_structp png_ptr, png_bytep buf, png_size_t length) { + if(png_ptr == NULL) return; png_read_data(png_ptr, buf, length); png_calculate_crc(png_ptr, buf, length); } @@ -170,8 +185,8 @@ png_decompress_chunk(png_structp png_ptr, int comp_type, png_charp chunkdata, png_size_t chunklength, png_size_t prefix_size, png_size_t *newlength) { - static char msg[] = "Error decoding compressed text"; - png_charp text = NULL; + static PNG_CONST char msg[] = "Error decoding compressed text"; + png_charp text; png_size_t text_size; if (comp_type == PNG_COMPRESSION_TYPE_BASE) @@ -199,8 +214,13 @@ png_decompress_chunk(png_structp png_ptr, int comp_type, if (text == NULL) { - text_size = prefix_size + sizeof(msg) + 1; - text = (png_charp)png_malloc(png_ptr, text_size); + text_size = prefix_size + png_sizeof(msg) + 1; + text = (png_charp)png_malloc_warn(png_ptr, text_size); + if (text == NULL) + { + png_free(png_ptr,chunkdata); + png_error(png_ptr,"Not enough memory to decompress chunk"); + } png_memcpy(text, chunkdata, prefix_size); } @@ -208,7 +228,8 @@ png_decompress_chunk(png_structp png_ptr, int comp_type, /* Copy what we can of the error message into the text chunk */ text_size = (png_size_t)(chunklength - (text - chunkdata) - 1); - text_size = sizeof(msg) > text_size ? text_size : sizeof(msg); + text_size = png_sizeof(msg) > text_size ? text_size : + png_sizeof(msg); png_memcpy(text + prefix_size, msg, text_size + 1); break; } @@ -218,7 +239,12 @@ png_decompress_chunk(png_structp png_ptr, int comp_type, { text_size = prefix_size + png_ptr->zbuf_size - png_ptr->zstream.avail_out; - text = (png_charp)png_malloc(png_ptr, text_size + 1); + text = (png_charp)png_malloc_warn(png_ptr, text_size + 1); + if (text == NULL) + { + png_free(png_ptr,chunkdata); + png_error(png_ptr,"Not enough memory to decompress chunk."); + } png_memcpy(text + prefix_size, png_ptr->zbuf, text_size - prefix_size); png_memcpy(text, chunkdata, prefix_size); @@ -229,8 +255,15 @@ png_decompress_chunk(png_structp png_ptr, int comp_type, png_charp tmp; tmp = text; - text = (png_charp)png_malloc(png_ptr, (png_uint_32)(text_size + + text = (png_charp)png_malloc_warn(png_ptr, + (png_uint_32)(text_size + png_ptr->zbuf_size - png_ptr->zstream.avail_out + 1)); + if (text == NULL) + { + png_free(png_ptr, tmp); + png_free(png_ptr, chunkdata); + png_error(png_ptr,"Not enough memory to decompress chunk.."); + } png_memcpy(text, tmp, text_size); png_free(png_ptr, tmp); png_memcpy(text + text_size, png_ptr->zbuf, @@ -250,16 +283,19 @@ png_decompress_chunk(png_structp png_ptr, int comp_type, if (ret != Z_STREAM_END) { #if !defined(PNG_NO_STDIO) && !defined(_WIN32_WCE) - char umsg[50]; + char umsg[52]; if (ret == Z_BUF_ERROR) - sprintf(umsg,"Buffer error in compressed datastream in %s chunk", + png_snprintf(umsg, 52, + "Buffer error in compressed datastream in %s chunk", png_ptr->chunk_name); else if (ret == Z_DATA_ERROR) - sprintf(umsg,"Data error in compressed datastream in %s chunk", + png_snprintf(umsg, 52, + "Data error in compressed datastream in %s chunk", png_ptr->chunk_name); else - sprintf(umsg,"Incomplete compressed datastream in %s chunk", + png_snprintf(umsg, 52, + "Incomplete compressed datastream in %s chunk", png_ptr->chunk_name); png_warning(png_ptr, umsg); #else @@ -269,7 +305,12 @@ png_decompress_chunk(png_structp png_ptr, int comp_type, text_size=prefix_size; if (text == NULL) { - text = (png_charp)png_malloc(png_ptr, text_size+1); + text = (png_charp)png_malloc_warn(png_ptr, text_size+1); + if (text == NULL) + { + png_free(png_ptr, chunkdata); + png_error(png_ptr,"Not enough memory for text."); + } png_memcpy(text, chunkdata, prefix_size); } *(text + text_size) = 0x00; @@ -287,7 +328,8 @@ png_decompress_chunk(png_structp png_ptr, int comp_type, #if !defined(PNG_NO_STDIO) && !defined(_WIN32_WCE) char umsg[50]; - sprintf(umsg, "Unknown zTXt compression type %d", comp_type); + png_snprintf(umsg, 50, + "Unknown zTXt compression type %d", comp_type); png_warning(png_ptr, umsg); #else png_warning(png_ptr, "Unknown zTXt compression type"); @@ -324,15 +366,14 @@ png_handle_IHDR(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_crc_read(png_ptr, buf, 13); png_crc_finish(png_ptr, 0); - width = png_get_uint_32(buf); - height = png_get_uint_32(buf + 4); + width = png_get_uint_31(png_ptr, buf); + height = png_get_uint_31(png_ptr, buf + 4); bit_depth = buf[8]; color_type = buf[9]; compression_type = buf[10]; filter_type = buf[11]; interlace_type = buf[12]; - /* set internal variables */ png_ptr->width = width; png_ptr->height = height; @@ -342,6 +383,7 @@ png_handle_IHDR(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) #if defined(PNG_MNG_FEATURES_SUPPORTED) png_ptr->filter_type = (png_byte)filter_type; #endif + png_ptr->compression_type = (png_byte)compression_type; /* find number of channels */ switch (png_ptr->color_type) @@ -364,8 +406,7 @@ png_handle_IHDR(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* set up other useful info */ png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * png_ptr->channels); - png_ptr->rowbytes = ((png_ptr->width * - (png_uint_32)png_ptr->pixel_depth + 7) >> 3); + png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth,png_ptr->width); png_debug1(3,"bit_depth = %d\n", png_ptr->bit_depth); png_debug1(3,"channels = %d\n", png_ptr->channels); png_debug1(3,"rowbytes = %lu\n", png_ptr->rowbytes); @@ -520,8 +561,6 @@ png_handle_IEND(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) if (!(png_ptr->mode & PNG_HAVE_IHDR) || !(png_ptr->mode & PNG_HAVE_IDAT)) { png_error(png_ptr, "No image in file"); - - info_ptr = info_ptr; /* quiet compiler warnings about unused info_ptr */ } png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND); @@ -531,6 +570,8 @@ png_handle_IEND(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_warning(png_ptr, "Incorrect IEND chunk length"); } png_crc_finish(png_ptr, length); + + info_ptr =info_ptr; /* quiet compiler warnings about unused info_ptr */ } #if defined(PNG_READ_gAMA_SUPPORTED) @@ -557,7 +598,7 @@ png_handle_gAMA(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place gAMA chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@ -589,8 +630,8 @@ png_handle_gAMA(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #if defined(PNG_READ_sRGB_SUPPORTED) - if (info_ptr->valid & PNG_INFO_sRGB) - if(igamma < 45000L || igamma > 46000L) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (PNG_OUT_OF_RANGE(igamma, 45500L, 500)) { png_warning(png_ptr, "Ignoring incorrect gAMA value when sRGB is also present"); @@ -638,7 +679,7 @@ png_handle_sBIT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sBIT chunk"); } - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT)) { png_warning(png_ptr, "Duplicate sBIT chunk"); png_crc_finish(png_ptr, length); @@ -650,7 +691,7 @@ png_handle_sBIT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) else truelen = (png_size_t)png_ptr->channels; - if (length != truelen) + if (length != truelen || length > 4) { png_warning(png_ptr, "Incorrect sBIT chunk length"); png_crc_finish(png_ptr, length); @@ -691,6 +732,8 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_fixed_point int_x_white, int_y_white, int_x_red, int_y_red, int_x_green, int_y_green, int_x_blue, int_y_blue; + png_uint_32 uint_x, uint_y; + png_debug(1, "in png_handle_cHRM\n"); if (!(png_ptr->mode & PNG_HAVE_IHDR)) @@ -705,7 +748,7 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Missing PLTE before cHRM"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) #if defined(PNG_READ_sRGB_SUPPORTED) && !(info_ptr->valid & PNG_INFO_sRGB) #endif @@ -724,60 +767,66 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } png_crc_read(png_ptr, buf, 4); - int_x_white = (png_fixed_point)png_get_uint_32(buf); + uint_x = png_get_uint_32(buf); png_crc_read(png_ptr, buf, 4); - int_y_white = (png_fixed_point)png_get_uint_32(buf); + uint_y = png_get_uint_32(buf); - if (int_x_white > 80000L || int_y_white > 80000L || - int_x_white + int_y_white > 100000L) + if (uint_x > 80000L || uint_y > 80000L || + uint_x + uint_y > 100000L) { png_warning(png_ptr, "Invalid cHRM white point"); png_crc_finish(png_ptr, 24); return; } + int_x_white = (png_fixed_point)uint_x; + int_y_white = (png_fixed_point)uint_y; png_crc_read(png_ptr, buf, 4); - int_x_red = (png_fixed_point)png_get_uint_32(buf); + uint_x = png_get_uint_32(buf); png_crc_read(png_ptr, buf, 4); - int_y_red = (png_fixed_point)png_get_uint_32(buf); + uint_y = png_get_uint_32(buf); - if (int_x_red > 80000L || int_y_red > 80000L || - int_x_red + int_y_red > 100000L) + if (uint_x + uint_y > 100000L) { png_warning(png_ptr, "Invalid cHRM red point"); png_crc_finish(png_ptr, 16); return; } + int_x_red = (png_fixed_point)uint_x; + int_y_red = (png_fixed_point)uint_y; png_crc_read(png_ptr, buf, 4); - int_x_green = (png_fixed_point)png_get_uint_32(buf); + uint_x = png_get_uint_32(buf); png_crc_read(png_ptr, buf, 4); - int_y_green = (png_fixed_point)png_get_uint_32(buf); + uint_y = png_get_uint_32(buf); - if (int_x_green > 80000L || int_y_green > 80000L || - int_x_green + int_y_green > 100000L) + if (uint_x + uint_y > 100000L) { png_warning(png_ptr, "Invalid cHRM green point"); png_crc_finish(png_ptr, 8); return; } + int_x_green = (png_fixed_point)uint_x; + int_y_green = (png_fixed_point)uint_y; png_crc_read(png_ptr, buf, 4); - int_x_blue = (png_fixed_point)png_get_uint_32(buf); + uint_x = png_get_uint_32(buf); png_crc_read(png_ptr, buf, 4); - int_y_blue = (png_fixed_point)png_get_uint_32(buf); + uint_y = png_get_uint_32(buf); - if (int_x_blue > 80000L || int_y_blue > 80000L || - int_x_blue + int_y_blue > 100000L) + if (uint_x + uint_y > 100000L) { png_warning(png_ptr, "Invalid cHRM blue point"); png_crc_finish(png_ptr, 0); return; } + int_x_blue = (png_fixed_point)uint_x; + int_y_blue = (png_fixed_point)uint_y; + #ifdef PNG_FLOATING_POINT_SUPPORTED white_x = (float)int_x_white / (float)100000.0; white_y = (float)int_y_white / (float)100000.0; @@ -790,20 +839,17 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) #endif #if defined(PNG_READ_sRGB_SUPPORTED) -#undef png_abs -#define png_abs(x) (((x)>0)?(x):-(x)) - if (info_ptr->valid & PNG_INFO_sRGB) + if ((info_ptr != NULL) && (info_ptr->valid & PNG_INFO_sRGB)) { - if (png_abs(int_x_white - 31270L) > 1000 || - png_abs(int_y_white - 32900L) > 1000 || - png_abs(int_x_red - 64000L) > 1000 || - png_abs(int_y_red - 33000L) > 1000 || - png_abs(int_x_green - 30000L) > 1000 || - png_abs(int_y_green - 60000L) > 1000 || - png_abs(int_x_blue - 15000L) > 1000 || - png_abs(int_y_blue - 6000L) > 1000) + if (PNG_OUT_OF_RANGE(int_x_white, 31270, 1000) || + PNG_OUT_OF_RANGE(int_y_white, 32900, 1000) || + PNG_OUT_OF_RANGE(int_x_red, 64000L, 1000) || + PNG_OUT_OF_RANGE(int_y_red, 33000, 1000) || + PNG_OUT_OF_RANGE(int_x_green, 30000, 1000) || + PNG_OUT_OF_RANGE(int_y_green, 60000L, 1000) || + PNG_OUT_OF_RANGE(int_x_blue, 15000, 1000) || + PNG_OUT_OF_RANGE(int_y_blue, 6000, 1000)) { - png_warning(png_ptr, "Ignoring incorrect cHRM value when sRGB is also present"); #ifndef PNG_NO_CONSOLE_IO @@ -860,7 +906,7 @@ png_handle_sRGB(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place sRGB chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) { png_warning(png_ptr, "Duplicate sRGB chunk"); png_crc_finish(png_ptr, length); @@ -887,28 +933,17 @@ png_handle_sRGB(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #if defined(PNG_READ_gAMA_SUPPORTED) && defined(PNG_READ_GAMMA_SUPPORTED) - if ((info_ptr->valid & PNG_INFO_gAMA)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)) { - int igamma; + png_fixed_point igamma; #ifdef PNG_FIXED_POINT_SUPPORTED - igamma=(int)info_ptr->int_gamma; + igamma=info_ptr->int_gamma; #else # ifdef PNG_FLOATING_POINT_SUPPORTED - igamma=(int)(info_ptr->gamma * 100000.); + igamma=(png_fixed_point)(info_ptr->gamma * 100000.); # endif #endif -#if 0 && defined(PNG_cHRM_SUPPORTED) && !defined(PNG_FIXED_POINT_SUPPORTED) -/* We need to define these here because they aren't in png.h */ - png_fixed_point int_x_white; - png_fixed_point int_y_white; - png_fixed_point int_x_red; - png_fixed_point int_y_red; - png_fixed_point int_x_green; - png_fixed_point int_y_green; - png_fixed_point int_x_blue; - png_fixed_point int_y_blue; -#endif - if(igamma < 45000L || igamma > 46000L) + if (PNG_OUT_OF_RANGE(igamma, 45500L, 500)) { png_warning(png_ptr, "Ignoring incorrect gAMA value when sRGB is also present"); @@ -927,17 +962,15 @@ png_handle_sRGB(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) #ifdef PNG_READ_cHRM_SUPPORTED #ifdef PNG_FIXED_POINT_SUPPORTED -#undef png_abs -#define png_abs(x) (((x)>0)?(x):-(x)) - if (info_ptr->valid & PNG_INFO_cHRM) - if (png_abs(info_ptr->int_x_white - 31270L) > 1000 || - png_abs(info_ptr->int_y_white - 32900L) > 1000 || - png_abs(info_ptr->int_x_red - 64000L) > 1000 || - png_abs(info_ptr->int_y_red - 33000L) > 1000 || - png_abs(info_ptr->int_x_green - 30000L) > 1000 || - png_abs(info_ptr->int_y_green - 60000L) > 1000 || - png_abs(info_ptr->int_x_blue - 15000L) > 1000 || - png_abs(info_ptr->int_y_blue - 6000L) > 1000) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)) + if (PNG_OUT_OF_RANGE(info_ptr->int_x_white, 31270, 1000) || + PNG_OUT_OF_RANGE(info_ptr->int_y_white, 32900, 1000) || + PNG_OUT_OF_RANGE(info_ptr->int_x_red, 64000L, 1000) || + PNG_OUT_OF_RANGE(info_ptr->int_y_red, 33000, 1000) || + PNG_OUT_OF_RANGE(info_ptr->int_x_green, 30000, 1000) || + PNG_OUT_OF_RANGE(info_ptr->int_y_green, 60000L, 1000) || + PNG_OUT_OF_RANGE(info_ptr->int_x_blue, 15000, 1000) || + PNG_OUT_OF_RANGE(info_ptr->int_y_blue, 6000, 1000)) { png_warning(png_ptr, "Ignoring incorrect cHRM value when sRGB is also present"); @@ -956,10 +989,10 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { png_charp chunkdata; png_byte compression_type; + png_bytep pC; png_charp profile; png_uint_32 skip = 0; - png_uint_32 profile_size = 0; - png_uint_32 profile_length = 0; + png_uint_32 profile_size, profile_length; png_size_t slength, prefix_length, data_length; png_debug(1, "in png_handle_iCCP\n"); @@ -976,7 +1009,7 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* Should be an error, but we can cope with it */ png_warning(png_ptr, "Out of place iCCP chunk"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) + if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP)) { png_warning(png_ptr, "Duplicate iCCP chunk"); png_crc_finish(png_ptr, length); @@ -1011,7 +1044,7 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* there should be at least one zero (the compression type byte) following the separator, and we should be on it */ - if ( profile >= chunkdata + slength) + if ( profile >= chunkdata + slength - 1) { png_free(png_ptr, chunkdata); png_warning(png_ptr, "Malformed iCCP chunk"); @@ -1041,10 +1074,11 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } /* Check the profile_size recorded in the first 32 bits of the ICC profile */ - profile_size = ((*(chunkdata+prefix_length))<<24) | - ((*(chunkdata+prefix_length+1))<<16) | - ((*(chunkdata+prefix_length+2))<< 8) | - ((*(chunkdata+prefix_length+3)) ); + pC = (png_bytep)(chunkdata+prefix_length); + profile_size = ((*(pC ))<<24) | + ((*(pC+1))<<16) | + ((*(pC+2))<< 8) | + ((*(pC+3)) ); if(profile_size < profile_length) profile_length = profile_size; @@ -1052,7 +1086,7 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) if(profile_size > profile_length) { png_free(png_ptr, chunkdata); - png_warning(png_ptr, "Ignoring truncated iCCP profile.\n"); + png_warning(png_ptr, "Ignoring truncated iCCP profile."); return; } @@ -1114,7 +1148,7 @@ png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) ++entry_start; /* a sample depth should follow the separator, and we should be on it */ - if (entry_start > chunkdata + slength) + if (entry_start > chunkdata + slength - 2) { png_free(png_ptr, chunkdata); png_warning(png_ptr, "malformed sPLT chunk"); @@ -1133,9 +1167,20 @@ png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) return; } - new_palette.nentries = data_length / entry_size; - new_palette.entries = (png_sPLT_entryp)png_malloc( - png_ptr, new_palette.nentries * sizeof(png_sPLT_entry)); + new_palette.nentries = (png_int_32) ( data_length / entry_size); + if ((png_uint_32) new_palette.nentries > (png_uint_32) (PNG_SIZE_MAX / + png_sizeof(png_sPLT_entry))) + { + png_warning(png_ptr, "sPLT chunk too long"); + return; + } + new_palette.entries = (png_sPLT_entryp)png_malloc_warn( + png_ptr, new_palette.nentries * png_sizeof(png_sPLT_entry)); + if (new_palette.entries == NULL) + { + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; + } #ifndef PNG_NO_POINTER_INDEXING for (i = 0; i < new_palette.nentries; i++) @@ -1195,10 +1240,16 @@ png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) void /* PRIVATE */ png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - png_byte readbuf[PNG_MAX_PALETTE_LENGTH]; + png_byte readbuf[PNG_MAX_PALETTE_LENGTH]; + int bit_mask; png_debug(1, "in png_handle_tRNS\n"); + /* For non-indexed color, mask off any bits in the tRNS value that + * exceed the bit depth. Some creators were writing extra bits there. + * This is not needed for indexed color. */ + bit_mask = (1 << png_ptr->bit_depth) - 1; + if (!(png_ptr->mode & PNG_HAVE_IHDR)) png_error(png_ptr, "Missing IHDR before tRNS"); else if (png_ptr->mode & PNG_HAVE_IDAT) @@ -1214,28 +1265,20 @@ png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) return; } - if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) { - if (!(png_ptr->mode & PNG_HAVE_PLTE)) - { - /* Should be an error, but we can cope with it */ - png_warning(png_ptr, "Missing PLTE before tRNS"); - } - else if (length > (png_uint_32)png_ptr->num_palette) + png_byte buf[2]; + + if (length != 2) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); return; } - if (length == 0) - { - png_warning(png_ptr, "Zero length tRNS chunk"); - png_crc_finish(png_ptr, length); - return; - } - png_crc_read(png_ptr, readbuf, (png_size_t)length); - png_ptr->num_trans = (png_uint_16)length; + png_crc_read(png_ptr, buf, 2); + png_ptr->num_trans = 1; + png_ptr->trans_values.gray = png_get_uint_16(buf) & bit_mask; } else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB) { @@ -1247,27 +1290,34 @@ png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_crc_finish(png_ptr, length); return; } - png_crc_read(png_ptr, buf, (png_size_t)length); png_ptr->num_trans = 1; - png_ptr->trans_values.red = png_get_uint_16(buf); - png_ptr->trans_values.green = png_get_uint_16(buf + 2); - png_ptr->trans_values.blue = png_get_uint_16(buf + 4); + png_ptr->trans_values.red = png_get_uint_16(buf) & bit_mask; + png_ptr->trans_values.green = png_get_uint_16(buf + 2) & bit_mask; + png_ptr->trans_values.blue = png_get_uint_16(buf + 4) & bit_mask; } - else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY) + else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) { - png_byte buf[6]; - - if (length != 2) + if (!(png_ptr->mode & PNG_HAVE_PLTE)) + { + /* Should be an error, but we can cope with it. */ + png_warning(png_ptr, "Missing PLTE before tRNS"); + } + if (length > (png_uint_32)png_ptr->num_palette || + length > PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect tRNS chunk length"); png_crc_finish(png_ptr, length); return; } - - png_crc_read(png_ptr, buf, 2); - png_ptr->num_trans = 1; - png_ptr->trans_values.gray = png_get_uint_16(buf); + if (length == 0) + { + png_warning(png_ptr, "Zero length tRNS chunk"); + png_crc_finish(png_ptr, length); + return; + } + png_crc_read(png_ptr, readbuf, (png_size_t)length); + png_ptr->num_trans = (png_uint_16)length; } else { @@ -1277,7 +1327,10 @@ png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } if (png_crc_finish(png_ptr, 0)) + { + png_ptr->num_trans = 0; return; + } png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans, &(png_ptr->trans_values)); @@ -1377,8 +1430,8 @@ png_handle_bKGD(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) void /* PRIVATE */ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { - int num, i; - png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; + unsigned int num, i; + png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH]; png_debug(1, "in png_handle_hIST\n"); @@ -1403,8 +1456,9 @@ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) return; } - num = (int)length / 2 ; - if (num != png_ptr->num_palette) + num = length / 2 ; + if (num != (unsigned int) png_ptr->num_palette || num > + (unsigned int) PNG_MAX_PALETTE_LENGTH) { png_warning(png_ptr, "Incorrect hIST chunk length"); png_crc_finish(png_ptr, length); @@ -1544,7 +1598,12 @@ png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_debug1(2, "Allocating and reading pCAL chunk data (%lu bytes)\n", length + 1); - purpose = (png_charp)png_malloc(png_ptr, length + 1); + purpose = (png_charp)png_malloc_warn(png_ptr, length + 1); + if (purpose == NULL) + { + png_warning(png_ptr, "No memory for pCAL purpose."); + return; + } slength = (png_size_t)length; png_crc_read(png_ptr, (png_bytep)purpose, slength); @@ -1599,8 +1658,14 @@ png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* Empty loop to move past the units string. */ ; png_debug(3, "Allocating pCAL parameters array\n"); - params = (png_charpp)png_malloc(png_ptr, (png_uint_32)(nparams - *sizeof(png_charp))) ; + params = (png_charpp)png_malloc_warn(png_ptr, (png_uint_32)(nparams + *png_sizeof(png_charp))) ; + if (params == NULL) + { + png_free(png_ptr, purpose); + png_warning(png_ptr, "No memory for pCAL params."); + return; + } /* Get pointers to the start of each parameter string. */ for (i = 0; i < (int)nparams; i++) @@ -1608,7 +1673,7 @@ png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) buf++; /* Skip the null string terminator from previous parameter. */ png_debug1(3, "Reading pCAL parameter %d\n", i); - for (params[i] = buf; *buf != 0x00 && buf <= endptr; buf++) + for (params[i] = buf; buf <= endptr && *buf != 0x00; buf++) /* Empty loop to move past each parameter string */ ; /* Make sure we haven't run out of data yet */ @@ -1664,7 +1729,12 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_debug1(2, "Allocating and reading sCAL chunk data (%lu bytes)\n", length + 1); - buffer = (png_charp)png_malloc(png_ptr, length + 1); + buffer = (png_charp)png_malloc_warn(png_ptr, length + 1); + if (buffer == NULL) + { + png_warning(png_ptr, "Out of memory while processing sCAL chunk"); + return; + } slength = (png_size_t)length; png_crc_read(png_ptr, (png_bytep)buffer, slength); @@ -1679,7 +1749,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) ep = buffer + 1; /* skip unit byte */ #ifdef PNG_FLOATING_POINT_SUPPORTED - width = strtod(ep, &vp); + width = png_strtod(png_ptr, ep, &vp); if (*vp) { png_warning(png_ptr, "malformed width string in sCAL chunk"); @@ -1687,7 +1757,12 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #else #ifdef PNG_FIXED_POINT_SUPPORTED - swidth = (png_charp)png_malloc(png_ptr, png_strlen(ep) + 1); + swidth = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1); + if (swidth == NULL) + { + png_warning(png_ptr, "Out of memory while processing sCAL chunk width"); + return; + } png_memcpy(swidth, ep, (png_size_t)png_strlen(ep)); #endif #endif @@ -1696,8 +1771,19 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* empty loop */ ; ep++; + if (buffer + slength < ep) + { + png_warning(png_ptr, "Truncated sCAL chunk"); +#if defined(PNG_FIXED_POINT_SUPPORTED) && \ + !defined(PNG_FLOATING_POINT_SUPPORTED) + png_free(png_ptr, swidth); +#endif + png_free(png_ptr, buffer); + return; + } + #ifdef PNG_FLOATING_POINT_SUPPORTED - height = strtod(ep, &vp); + height = png_strtod(png_ptr, ep, &vp); if (*vp) { png_warning(png_ptr, "malformed height string in sCAL chunk"); @@ -1705,7 +1791,12 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #else #ifdef PNG_FIXED_POINT_SUPPORTED - sheight = (png_charp)png_malloc(png_ptr, png_strlen(ep) + 1); + sheight = (png_charp)png_malloc_warn(png_ptr, png_strlen(ep) + 1); + if (swidth == NULL) + { + png_warning(png_ptr, "Out of memory while processing sCAL chunk height"); + return; + } png_memcpy(sheight, ep, (png_size_t)png_strlen(ep)); #endif #endif @@ -1795,6 +1886,7 @@ png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_charp text; png_uint_32 skip = 0; png_size_t slength; + int ret; png_debug(1, "in png_handle_tEXt\n"); @@ -1813,7 +1905,12 @@ png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif - key = (png_charp)png_malloc(png_ptr, length + 1); + key = (png_charp)png_malloc_warn(png_ptr, length + 1); + if (key == NULL) + { + png_warning(png_ptr, "No memory to process text chunk."); + return; + } slength = (png_size_t)length; png_crc_read(png_ptr, (png_bytep)key, slength); @@ -1831,7 +1928,14 @@ png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) if (text != key + slength) text++; - text_ptr = (png_textp)png_malloc(png_ptr, (png_uint_32)sizeof(png_text)); + text_ptr = (png_textp)png_malloc_warn(png_ptr, + (png_uint_32)png_sizeof(png_text)); + if (text_ptr == NULL) + { + png_warning(png_ptr, "Not enough memory to process text chunk."); + png_free(png_ptr, key); + return; + } text_ptr->compression = PNG_TEXT_COMPRESSION_NONE; text_ptr->key = key; #ifdef PNG_iTXt_SUPPORTED @@ -1842,10 +1946,12 @@ png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) text_ptr->text = text; text_ptr->text_length = png_strlen(text); - png_set_text(png_ptr, info_ptr, text_ptr, 1); + ret=png_set_text_2(png_ptr, info_ptr, text_ptr, 1); png_free(png_ptr, key); png_free(png_ptr, text_ptr); + if (ret) + png_warning(png_ptr, "Insufficient memory to process text chunk."); } #endif @@ -1858,6 +1964,7 @@ png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_charp chunkdata; png_charp text; int comp_type; + int ret; png_size_t slength, prefix_len, data_len; png_debug(1, "in png_handle_zTXt\n"); @@ -1878,8 +1985,13 @@ png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif - chunkdata = (png_charp)png_malloc(png_ptr, length + 1); - slength = (png_size_t)length; + chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1); + if (chunkdata == NULL) + { + png_warning(png_ptr,"Out of memory processing zTXt chunk."); + return; + } + slength = (png_size_t)length; png_crc_read(png_ptr, (png_bytep)chunkdata, slength); if (png_crc_finish(png_ptr, 0)) { @@ -1893,10 +2005,11 @@ png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* empty loop */ ; /* zTXt must have some text after the chunkdataword */ - if (text == chunkdata + slength) + if (text >= chunkdata + slength - 2) { - comp_type = PNG_TEXT_COMPRESSION_NONE; - png_warning(png_ptr, "Zero length zTXt chunk"); + png_warning(png_ptr, "Truncated zTXt chunk"); + png_free(png_ptr, chunkdata); + return; } else { @@ -1913,7 +2026,14 @@ png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) chunkdata = (png_charp)png_decompress_chunk(png_ptr, comp_type, chunkdata, (png_size_t)length, prefix_len, &data_len); - text_ptr = (png_textp)png_malloc(png_ptr, (png_uint_32)sizeof(png_text)); + text_ptr = (png_textp)png_malloc_warn(png_ptr, + (png_uint_32)png_sizeof(png_text)); + if (text_ptr == NULL) + { + png_warning(png_ptr,"Not enough memory to process zTXt chunk."); + png_free(png_ptr, chunkdata); + return; + } text_ptr->compression = comp_type; text_ptr->key = chunkdata; #ifdef PNG_iTXt_SUPPORTED @@ -1924,10 +2044,12 @@ png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) text_ptr->text = chunkdata + prefix_len; text_ptr->text_length = data_len; - png_set_text(png_ptr, info_ptr, text_ptr, 1); + ret=png_set_text_2(png_ptr, info_ptr, text_ptr, 1); png_free(png_ptr, text_ptr); png_free(png_ptr, chunkdata); + if (ret) + png_error(png_ptr, "Insufficient memory to store zTXt chunk."); } #endif @@ -1941,6 +2063,7 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_charp key, lang, text, lang_key; int comp_flag; int comp_type = 0; + int ret; png_size_t slength, prefix_len, data_len; png_debug(1, "in png_handle_iTXt\n"); @@ -1962,7 +2085,12 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif - chunkdata = (png_charp)png_malloc(png_ptr, length + 1); + chunkdata = (png_charp)png_malloc_warn(png_ptr, length + 1); + if (chunkdata == NULL) + { + png_warning(png_ptr, "No memory to process iTXt chunk."); + return; + } slength = (png_size_t)length; png_crc_read(png_ptr, (png_bytep)chunkdata, slength); if (png_crc_finish(png_ptr, 0)) @@ -1981,10 +2109,11 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) translated keyword (possibly empty), and possibly some text after the keyword */ - if (lang >= chunkdata + slength) + if (lang >= chunkdata + slength - 3) { - comp_flag = PNG_TEXT_COMPRESSION_NONE; - png_warning(png_ptr, "Zero length iTXt chunk"); + png_warning(png_ptr, "Truncated iTXt chunk"); + png_free(png_ptr, chunkdata); + return; } else { @@ -1996,9 +2125,22 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* empty loop */ ; lang_key++; /* skip NUL separator */ + if (lang_key >= chunkdata + slength) + { + png_warning(png_ptr, "Truncated iTXt chunk"); + png_free(png_ptr, chunkdata); + return; + } + for (text = lang_key; *text; text++) /* empty loop */ ; text++; /* skip NUL separator */ + if (text >= chunkdata + slength) + { + png_warning(png_ptr, "Malformed iTXt chunk"); + png_free(png_ptr, chunkdata); + return; + } prefix_len = text - chunkdata; @@ -2008,7 +2150,14 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) (size_t)length, prefix_len, &data_len); else data_len=png_strlen(chunkdata + prefix_len); - text_ptr = (png_textp)png_malloc(png_ptr, (png_uint_32)sizeof(png_text)); + text_ptr = (png_textp)png_malloc_warn(png_ptr, + (png_uint_32)png_sizeof(png_text)); + if (text_ptr == NULL) + { + png_warning(png_ptr,"Not enough memory to process iTXt chunk."); + png_free(png_ptr, chunkdata); + return; + } text_ptr->compression = (int)comp_flag + 1; text_ptr->lang_key = chunkdata+(lang_key-key); text_ptr->lang = chunkdata+(lang-key); @@ -2017,10 +2166,12 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) text_ptr->key = chunkdata; text_ptr->text = chunkdata + prefix_len; - png_set_text(png_ptr, info_ptr, text_ptr, 1); + ret=png_set_text_2(png_ptr, info_ptr, text_ptr, 1); png_free(png_ptr, text_ptr); png_free(png_ptr, chunkdata); + if (ret) + png_error(png_ptr, "Insufficient memory to store iTXt chunk."); } #endif @@ -2039,7 +2190,7 @@ png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) if (png_ptr->mode & PNG_HAVE_IDAT) { #ifdef PNG_USE_LOCAL_ARRAYS - PNG_IDAT; + PNG_CONST PNG_IDAT; #endif if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) /* not an IDAT */ png_ptr->mode |= PNG_AFTER_IDAT; @@ -2051,7 +2202,7 @@ png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) if(png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != - HANDLE_CHUNK_ALWAYS + PNG_HANDLE_CHUNK_ALWAYS #if defined(PNG_READ_USER_CHUNKS_SUPPORTED) && png_ptr->read_user_chunk_fn == NULL #endif @@ -2061,10 +2212,9 @@ png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) - if (png_ptr->flags & PNG_FLAG_KEEP_UNKNOWN_CHUNKS) + if ((png_ptr->flags & PNG_FLAG_KEEP_UNKNOWN_CHUNKS) || + (png_ptr->read_user_chunk_fn != NULL)) { - png_unknown_chunk chunk; - #ifdef PNG_MAX_MALLOC_64K if (length > (png_uint_32)65535L) { @@ -2073,27 +2223,36 @@ png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) length = (png_uint_32)65535L; } #endif - png_strcpy((png_charp)chunk.name, (png_charp)png_ptr->chunk_name); - chunk.data = (png_bytep)png_malloc(png_ptr, length); - chunk.size = (png_size_t)length; - png_crc_read(png_ptr, (png_bytep)chunk.data, length); + png_strncpy((png_charp)png_ptr->unknown_chunk.name, + (png_charp)png_ptr->chunk_name, 4); + png_ptr->unknown_chunk.name[4] = '\0'; + png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); + png_ptr->unknown_chunk.size = (png_size_t)length; + png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); #if defined(PNG_READ_USER_CHUNKS_SUPPORTED) if(png_ptr->read_user_chunk_fn != NULL) { /* callback to user unknown chunk handler */ - if ((*(png_ptr->read_user_chunk_fn)) (png_ptr, &chunk) <= 0) + int ret; + ret = (*(png_ptr->read_user_chunk_fn)) + (png_ptr, &png_ptr->unknown_chunk); + if (ret < 0) + png_chunk_error(png_ptr, "error in user chunk"); + if (ret == 0) { if (!(png_ptr->chunk_name[0] & 0x20)) if(png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != - HANDLE_CHUNK_ALWAYS) + PNG_HANDLE_CHUNK_ALWAYS) png_chunk_error(png_ptr, "unknown critical chunk"); - png_set_unknown_chunks(png_ptr, info_ptr, &chunk, 1); + png_set_unknown_chunks(png_ptr, info_ptr, + &png_ptr->unknown_chunk, 1); } } - else +#else + png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); #endif - png_set_unknown_chunks(png_ptr, info_ptr, &chunk, 1); - png_free(png_ptr, chunk.data); + png_free(png_ptr, png_ptr->unknown_chunk.data); + png_ptr->unknown_chunk.data = NULL; } else #endif @@ -2112,7 +2271,7 @@ png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) functions to handle unknown critical chunks after we check that the chunk name itself is valid. */ -#define isnonalpha(c) ((c) < 41 || (c) > 122 || ((c) > 90 && (c) < 97)) +#define isnonalpha(c) ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97)) void /* PRIVATE */ png_check_chunk_name(png_structp png_ptr, png_bytep chunk_name) @@ -2135,7 +2294,7 @@ png_check_chunk_name(png_structp png_ptr, png_bytep chunk_name) a zero indicates the pixel is to be skipped. This is in addition to any alpha or transparency value associated with the pixel. If you want all pixels to be combined, pass 0xff (255) in mask. */ -#ifndef PNG_HAVE_ASSEMBLER_COMBINE_ROW + void /* PRIVATE */ png_combine_row(png_structp png_ptr, png_bytep row, int mask) { @@ -2143,8 +2302,7 @@ png_combine_row(png_structp png_ptr, png_bytep row, int mask) if (mask == 0xff) { png_memcpy(row, png_ptr->row_buf + 1, - (png_size_t)((png_ptr->width * - png_ptr->row_info.pixel_depth + 7) >> 3)); + PNG_ROWBYTES(png_ptr->row_info.pixel_depth, png_ptr->width)); } else { @@ -2337,10 +2495,8 @@ png_combine_row(png_structp png_ptr, png_bytep row, int mask) } } } -#endif /* !PNG_HAVE_ASSEMBLER_COMBINE_ROW */ #ifdef PNG_READ_INTERLACING_SUPPORTED -#ifndef PNG_HAVE_ASSEMBLER_READ_INTERLACE /* else in pngvcrd.c, pnggccrd.c */ /* OLD pre-1.0.9 interface: void png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass, png_uint_32 transformations) @@ -2355,10 +2511,10 @@ png_do_read_interlace(png_structp png_ptr) #ifdef PNG_USE_LOCAL_ARRAYS /* arrays to facilitate easy interlacing - use pass (0 - 6) as index */ /* offset to next interlace block */ - const int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; + PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; #endif - png_debug(1,"in png_do_read_interlace (stock C version)\n"); + png_debug(1,"in png_do_read_interlace\n"); if (row != NULL && row_info != NULL) { png_uint_32 final_width; @@ -2559,17 +2715,14 @@ png_do_read_interlace(png_structp png_ptr) } } row_info->width = final_width; - row_info->rowbytes = ((final_width * - (png_uint_32)row_info->pixel_depth + 7) >> 3); + row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth,final_width); } #if !defined(PNG_READ_PACKSWAP_SUPPORTED) transformations = transformations; /* silence compiler warning */ #endif } -#endif /* !PNG_HAVE_ASSEMBLER_READ_INTERLACE */ #endif /* PNG_READ_INTERLACING_SUPPORTED */ -#ifndef PNG_HAVE_ASSEMBLER_READ_FILTER_ROW void /* PRIVATE */ png_read_filter_row(png_structp png_ptr, png_row_infop row_info, png_bytep row, png_bytep prev_row, int filter) @@ -2692,7 +2845,6 @@ png_read_filter_row(png_structp png_ptr, png_row_infop row_info, png_bytep row, break; } } -#endif /* !PNG_HAVE_ASSEMBLER_READ_FILTER_ROW */ void /* PRIVATE */ png_read_finish_row(png_structp png_ptr) @@ -2701,16 +2853,16 @@ png_read_finish_row(png_structp png_ptr) /* arrays to facilitate easy interlacing - use pass (0 - 6) as index */ /* start of interlace block */ - const int png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; + PNG_CONST int png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; /* offset to next interlace block */ - const int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; + PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; /* start of interlace block in the y direction */ - const int png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; + PNG_CONST int png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; /* offset to next interlace block in the y direction */ - const int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; + PNG_CONST int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; #endif png_debug(1, "in png_read_finish_row\n"); @@ -2721,7 +2873,8 @@ png_read_finish_row(png_structp png_ptr) if (png_ptr->interlaced) { png_ptr->row_number = 0; - png_memset_check(png_ptr, png_ptr->prev_row, 0, png_ptr->rowbytes + 1); + png_memset_check(png_ptr, png_ptr->prev_row, 0, + png_ptr->rowbytes + 1); do { png_ptr->pass++; @@ -2731,8 +2884,9 @@ png_read_finish_row(png_structp png_ptr) png_pass_inc[png_ptr->pass] - 1 - png_pass_start[png_ptr->pass]) / png_pass_inc[png_ptr->pass]; - png_ptr->irowbytes = ((png_ptr->iwidth * - (png_uint_32)png_ptr->pixel_depth + 7) >> 3) +1; + + png_ptr->irowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, + png_ptr->iwidth) + 1; if (!(png_ptr->transformations & PNG_INTERLACE)) { @@ -2754,7 +2908,7 @@ png_read_finish_row(png_structp png_ptr) if (!(png_ptr->flags & PNG_FLAG_ZLIB_FINISHED)) { #ifdef PNG_USE_LOCAL_ARRAYS - PNG_IDAT; + PNG_CONST PNG_IDAT; #endif char extra; int ret; @@ -2772,11 +2926,10 @@ png_read_finish_row(png_structp png_ptr) png_crc_finish(png_ptr, 0); png_read_data(png_ptr, chunk_length, 4); - png_ptr->idat_size = png_get_uint_32(chunk_length); - + png_ptr->idat_size = png_get_uint_31(png_ptr, chunk_length); png_reset_crc(png_ptr); png_crc_read(png_ptr, png_ptr->chunk_name, 4); - if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4)) + if (png_memcmp(png_ptr->chunk_name, png_IDAT, 4)) png_error(png_ptr, "Not enough image data"); } @@ -2792,7 +2945,7 @@ png_read_finish_row(png_structp png_ptr) { if (!(png_ptr->zstream.avail_out) || png_ptr->zstream.avail_in || png_ptr->idat_size) - png_error(png_ptr, "Extra compressed data"); + png_warning(png_ptr, "Extra compressed data"); png_ptr->mode |= PNG_AFTER_IDAT; png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED; break; @@ -2802,14 +2955,19 @@ png_read_finish_row(png_structp png_ptr) "Decompression Error"); if (!(png_ptr->zstream.avail_out)) - png_error(png_ptr, "Extra compressed data"); + { + png_warning(png_ptr, "Extra compressed data."); + png_ptr->mode |= PNG_AFTER_IDAT; + png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED; + break; + } } png_ptr->zstream.avail_out = 0; } if (png_ptr->idat_size || png_ptr->zstream.avail_in) - png_error(png_ptr, "Extra compression data"); + png_warning(png_ptr, "Extra compression data"); inflateReset(&png_ptr->zstream); @@ -2823,16 +2981,16 @@ png_read_start_row(png_structp png_ptr) /* arrays to facilitate easy interlacing - use pass (0 - 6) as index */ /* start of interlace block */ - const int png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; + PNG_CONST int png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; /* offset to next interlace block */ - const int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; + PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; /* start of interlace block in the y direction */ - const int png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; + PNG_CONST int png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; /* offset to next interlace block in the y direction */ - const int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; + PNG_CONST int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; #endif int max_pixel_depth; @@ -2854,8 +3012,8 @@ png_read_start_row(png_structp png_ptr) png_pass_start[png_ptr->pass]) / png_pass_inc[png_ptr->pass]; - row_bytes = ((png_ptr->iwidth * - (png_uint_32)png_ptr->pixel_depth + 7) >> 3) +1; + row_bytes = PNG_ROWBYTES(png_ptr->pixel_depth,png_ptr->iwidth) + 1; + png_ptr->irowbytes = (png_size_t)row_bytes; if((png_uint_32)png_ptr->irowbytes != row_bytes) png_error(png_ptr, "Rowbytes overflow in png_read_start_row"); @@ -2973,7 +3131,7 @@ defined(PNG_USER_TRANSFORM_PTR_SUPPORTED) row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7)); /* calculate the maximum bytes needed, adding a byte and a pixel for safety's sake */ - row_bytes = ((row_bytes * (png_uint_32)max_pixel_depth + 7) >> 3) + + row_bytes = PNG_ROWBYTES(max_pixel_depth,row_bytes) + 1 + ((max_pixel_depth + 7) >> 3); #ifdef PNG_MAX_MALLOC_64K if (row_bytes > (png_uint_32)65536L) @@ -2981,14 +3139,13 @@ defined(PNG_USER_TRANSFORM_PTR_SUPPORTED) #endif png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes+64); png_ptr->row_buf = png_ptr->big_row_buf+32; -#if defined(PNG_DEBUG) && defined(PNG_USE_PNGGCCRD) - png_ptr->row_buf_size = row_bytes; -#endif #ifdef PNG_MAX_MALLOC_64K if ((png_uint_32)png_ptr->rowbytes + 1 > (png_uint_32)65536L) png_error(png_ptr, "This image requires a row greater than 64KB"); #endif + if ((png_uint_32)png_ptr->rowbytes > (png_uint_32)(PNG_SIZE_MAX - 1)) + png_error(png_ptr, "Row has too many bytes to allocate in memory."); png_ptr->prev_row = (png_bytep)png_malloc(png_ptr, (png_uint_32)( png_ptr->rowbytes + 1)); @@ -3003,3 +3160,4 @@ defined(PNG_USER_TRANSFORM_PTR_SUPPORTED) png_ptr->flags |= PNG_FLAG_ROW_INIT; } +#endif /* PNG_READ_SUPPORTED */ |