VirtualBox

source: vbox/trunk/src/libs/libpng-1.6.45/png.c@ 108378

最後變更 在這個檔案從108378是 107813,由 vboxsync 提交於 2 月 前

libpng-1.6.45: Applied and adjusted our libpng changes to 1.6.45. bugref:8515
  • 屬性 svn:eol-style 設為 native
檔案大小: 155.0 KB
 
1/* png.c - location for general purpose libpng functions
2 *
3 * Copyright (c) 2018-2025 Cosmin Truta
4 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
5 * Copyright (c) 1996-1997 Andreas Dilger
6 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
7 *
8 * This code is released under the libpng license.
9 * For conditions of distribution and use, see the disclaimer
10 * and license in png.h
11 */
12
13#include "pngpriv.h"
14
15/* Generate a compiler error if there is an old png.h in the search path. */
16typedef png_libpng_version_1_6_45 Your_png_h_is_not_version_1_6_45;
17
18/* Tells libpng that we have already handled the first "num_bytes" bytes
19 * of the PNG file signature. If the PNG data is embedded into another
20 * stream we can set num_bytes = 8 so that libpng will not attempt to read
21 * or write any of the magic bytes before it starts on the IHDR.
22 */
23
24#ifdef PNG_READ_SUPPORTED
25void PNGAPI
26png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
27{
28 unsigned int nb = (unsigned int)num_bytes;
29
30 png_debug(1, "in png_set_sig_bytes");
31
32 if (png_ptr == NULL)
33 return;
34
35 if (num_bytes < 0)
36 nb = 0;
37
38 if (nb > 8)
39 png_error(png_ptr, "Too many bytes for PNG signature");
40
41 png_ptr->sig_bytes = (png_byte)nb;
42}
43
44/* Checks whether the supplied bytes match the PNG signature. We allow
45 * checking less than the full 8-byte signature so that those apps that
46 * already read the first few bytes of a file to determine the file type
47 * can simply check the remaining bytes for extra assurance. Returns
48 * an integer less than, equal to, or greater than zero if sig is found,
49 * respectively, to be less than, to match, or be greater than the correct
50 * PNG signature (this is the same behavior as strcmp, memcmp, etc).
51 */
52int PNGAPI
53png_sig_cmp(png_const_bytep sig, size_t start, size_t num_to_check)
54{
55 static const png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
56
57 if (num_to_check > 8)
58 num_to_check = 8;
59
60 else if (num_to_check < 1)
61 return -1;
62
63 if (start > 7)
64 return -1;
65
66 if (start + num_to_check > 8)
67 num_to_check = 8 - start;
68
69 return memcmp(&sig[start], &png_signature[start], num_to_check);
70}
71
72#endif /* READ */
73
74#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
75/* Function to allocate memory for zlib */
76PNG_FUNCTION(voidpf /* PRIVATE */,
77png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
78{
79 png_alloc_size_t num_bytes = size;
80
81 if (png_ptr == NULL)
82 return NULL;
83
84 if (items >= (~(png_alloc_size_t)0)/size)
85 {
86 png_warning (png_voidcast(png_structrp, png_ptr),
87 "Potential overflow in png_zalloc()");
88 return NULL;
89 }
90
91 num_bytes *= items;
92 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
93}
94
95/* Function to free memory for zlib */
96void /* PRIVATE */
97png_zfree(voidpf png_ptr, voidpf ptr)
98{
99 png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
100}
101
102/* Reset the CRC variable to 32 bits of 1's. Care must be taken
103 * in case CRC is > 32 bits to leave the top bits 0.
104 */
105void /* PRIVATE */
106png_reset_crc(png_structrp png_ptr)
107{
108 /* The cast is safe because the crc is a 32-bit value. */
109 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
110}
111
112/* Calculate the CRC over a section of data. We can only pass as
113 * much data to this routine as the largest single buffer size. We
114 * also check that this data will actually be used before going to the
115 * trouble of calculating it.
116 */
117void /* PRIVATE */
118png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, size_t length)
119{
120 int need_crc = 1;
121
122 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
123 {
124 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
125 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
126 need_crc = 0;
127 }
128
129 else /* critical */
130 {
131 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
132 need_crc = 0;
133 }
134
135 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
136 * systems it is a 64-bit value. crc32, however, returns 32 bits so the
137 * following cast is safe. 'uInt' may be no more than 16 bits, so it is
138 * necessary to perform a loop here.
139 */
140 if (need_crc != 0 && length > 0)
141 {
142 uLong crc = png_ptr->crc; /* Should never issue a warning */
143
144 do
145 {
146 uInt safe_length = (uInt)length;
147#ifndef __COVERITY__
148 if (safe_length == 0)
149 safe_length = (uInt)-1; /* evil, but safe */
150#endif
151
152 crc = crc32(crc, ptr, safe_length);
153
154 /* The following should never issue compiler warnings; if they do the
155 * target system has characteristics that will probably violate other
156 * assumptions within the libpng code.
157 */
158 ptr += safe_length;
159 length -= safe_length;
160 }
161 while (length > 0);
162
163 /* And the following is always safe because the crc is only 32 bits. */
164 png_ptr->crc = (png_uint_32)crc;
165 }
166}
167
168/* Check a user supplied version number, called from both read and write
169 * functions that create a png_struct.
170 */
171int
172png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
173{
174 /* Libpng versions 1.0.0 and later are binary compatible if the version
175 * string matches through the second '.'; we must recompile any
176 * applications that use any older library version.
177 */
178
179 if (user_png_ver != NULL)
180 {
181 int i = -1;
182 int found_dots = 0;
183
184 do
185 {
186 i++;
187 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
188 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
189 if (user_png_ver[i] == '.')
190 found_dots++;
191 } while (found_dots < 2 && user_png_ver[i] != 0 &&
192 PNG_LIBPNG_VER_STRING[i] != 0);
193 }
194
195 else
196 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
197
198 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
199 {
200#ifdef PNG_WARNINGS_SUPPORTED
201 size_t pos = 0;
202 char m[128];
203
204 pos = png_safecat(m, (sizeof m), pos,
205 "Application built with libpng-");
206 pos = png_safecat(m, (sizeof m), pos, user_png_ver);
207 pos = png_safecat(m, (sizeof m), pos, " but running with ");
208 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
209 PNG_UNUSED(pos)
210
211 png_warning(png_ptr, m);
212#endif
213
214#ifdef PNG_ERROR_NUMBERS_SUPPORTED
215 png_ptr->flags = 0;
216#endif
217
218 return 0;
219 }
220
221 /* Success return. */
222 return 1;
223}
224
225/* Generic function to create a png_struct for either read or write - this
226 * contains the common initialization.
227 */
228PNG_FUNCTION(png_structp /* PRIVATE */,
229png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
230 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
231 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
232{
233 png_struct create_struct;
234# ifdef PNG_SETJMP_SUPPORTED
235 jmp_buf create_jmp_buf;
236# endif
237
238 /* This temporary stack-allocated structure is used to provide a place to
239 * build enough context to allow the user provided memory allocator (if any)
240 * to be called.
241 */
242 memset(&create_struct, 0, (sizeof create_struct));
243
244 /* Added at libpng-1.2.6 */
245# ifdef PNG_USER_LIMITS_SUPPORTED
246 create_struct.user_width_max = PNG_USER_WIDTH_MAX;
247 create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
248
249# ifdef PNG_USER_CHUNK_CACHE_MAX
250 /* Added at libpng-1.2.43 and 1.4.0 */
251 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
252# endif
253
254# ifdef PNG_USER_CHUNK_MALLOC_MAX
255 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
256 * in png_struct regardless.
257 */
258 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
259# endif
260# endif
261
262 /* The following two API calls simply set fields in png_struct, so it is safe
263 * to do them now even though error handling is not yet set up.
264 */
265# ifdef PNG_USER_MEM_SUPPORTED
266 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
267# else
268 PNG_UNUSED(mem_ptr)
269 PNG_UNUSED(malloc_fn)
270 PNG_UNUSED(free_fn)
271# endif
272
273 /* (*error_fn) can return control to the caller after the error_ptr is set,
274 * this will result in a memory leak unless the error_fn does something
275 * extremely sophisticated. The design lacks merit but is implicit in the
276 * API.
277 */
278 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
279
280# ifdef PNG_SETJMP_SUPPORTED
281 if (!setjmp(create_jmp_buf))
282# endif
283 {
284# ifdef PNG_SETJMP_SUPPORTED
285 /* Temporarily fake out the longjmp information until we have
286 * successfully completed this function. This only works if we have
287 * setjmp() support compiled in, but it is safe - this stuff should
288 * never happen.
289 */
290 create_struct.jmp_buf_ptr = &create_jmp_buf;
291 create_struct.jmp_buf_size = 0; /*stack allocation*/
292 create_struct.longjmp_fn = longjmp;
293# endif
294 /* Call the general version checker (shared with read and write code):
295 */
296 if (png_user_version_check(&create_struct, user_png_ver) != 0)
297 {
298 png_structrp png_ptr = png_voidcast(png_structrp,
299 png_malloc_warn(&create_struct, (sizeof *png_ptr)));
300
301 if (png_ptr != NULL)
302 {
303 /* png_ptr->zstream holds a back-pointer to the png_struct, so
304 * this can only be done now:
305 */
306 create_struct.zstream.zalloc = png_zalloc;
307 create_struct.zstream.zfree = png_zfree;
308 create_struct.zstream.opaque = png_ptr;
309
310# ifdef PNG_SETJMP_SUPPORTED
311 /* Eliminate the local error handling: */
312 create_struct.jmp_buf_ptr = NULL;
313 create_struct.jmp_buf_size = 0;
314 create_struct.longjmp_fn = 0;
315# endif
316
317 *png_ptr = create_struct;
318
319 /* This is the successful return point */
320 return png_ptr;
321 }
322 }
323 }
324
325 /* A longjmp because of a bug in the application storage allocator or a
326 * simple failure to allocate the png_struct.
327 */
328 return NULL;
329}
330
331/* Allocate the memory for an info_struct for the application. */
332PNG_FUNCTION(png_infop,PNGAPI
333png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
334{
335 png_inforp info_ptr;
336
337 png_debug(1, "in png_create_info_struct");
338
339 if (png_ptr == NULL)
340 return NULL;
341
342 /* Use the internal API that does not (or at least should not) error out, so
343 * that this call always returns ok. The application typically sets up the
344 * error handling *after* creating the info_struct because this is the way it
345 * has always been done in 'example.c'.
346 */
347 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
348 (sizeof *info_ptr)));
349
350 if (info_ptr != NULL)
351 memset(info_ptr, 0, (sizeof *info_ptr));
352
353 return info_ptr;
354}
355
356/* This function frees the memory associated with a single info struct.
357 * Normally, one would use either png_destroy_read_struct() or
358 * png_destroy_write_struct() to free an info struct, but this may be
359 * useful for some applications. From libpng 1.6.0 this function is also used
360 * internally to implement the png_info release part of the 'struct' destroy
361 * APIs. This ensures that all possible approaches free the same data (all of
362 * it).
363 */
364void PNGAPI
365png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
366{
367 png_inforp info_ptr = NULL;
368
369 png_debug(1, "in png_destroy_info_struct");
370
371 if (png_ptr == NULL)
372 return;
373
374 if (info_ptr_ptr != NULL)
375 info_ptr = *info_ptr_ptr;
376
377 if (info_ptr != NULL)
378 {
379 /* Do this first in case of an error below; if the app implements its own
380 * memory management this can lead to png_free calling png_error, which
381 * will abort this routine and return control to the app error handler.
382 * An infinite loop may result if it then tries to free the same info
383 * ptr.
384 */
385 *info_ptr_ptr = NULL;
386
387 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
388 memset(info_ptr, 0, (sizeof *info_ptr));
389 png_free(png_ptr, info_ptr);
390 }
391}
392
393/* Initialize the info structure. This is now an internal function (0.89)
394 * and applications using it are urged to use png_create_info_struct()
395 * instead. Use deprecated in 1.6.0, internal use removed (used internally it
396 * is just a memset).
397 *
398 * NOTE: it is almost inconceivable that this API is used because it bypasses
399 * the user-memory mechanism and the user error handling/warning mechanisms in
400 * those cases where it does anything other than a memset.
401 */
402PNG_FUNCTION(void,PNGAPI
403png_info_init_3,(png_infopp ptr_ptr, size_t png_info_struct_size),
404 PNG_DEPRECATED)
405{
406 png_inforp info_ptr = *ptr_ptr;
407
408 png_debug(1, "in png_info_init_3");
409
410 if (info_ptr == NULL)
411 return;
412
413 if ((sizeof (png_info)) > png_info_struct_size)
414 {
415 *ptr_ptr = NULL;
416 /* The following line is why this API should not be used: */
417 free(info_ptr);
418 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
419 (sizeof *info_ptr)));
420 if (info_ptr == NULL)
421 return;
422 *ptr_ptr = info_ptr;
423 }
424
425 /* Set everything to 0 */
426 memset(info_ptr, 0, (sizeof *info_ptr));
427}
428
429void PNGAPI
430png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
431 int freer, png_uint_32 mask)
432{
433 png_debug(1, "in png_data_freer");
434
435 if (png_ptr == NULL || info_ptr == NULL)
436 return;
437
438 if (freer == PNG_DESTROY_WILL_FREE_DATA)
439 info_ptr->free_me |= mask;
440
441 else if (freer == PNG_USER_WILL_FREE_DATA)
442 info_ptr->free_me &= ~mask;
443
444 else
445 png_error(png_ptr, "Unknown freer parameter in png_data_freer");
446}
447
448void PNGAPI
449png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
450 int num)
451{
452 png_debug(1, "in png_free_data");
453
454 if (png_ptr == NULL || info_ptr == NULL)
455 return;
456
457#ifdef PNG_TEXT_SUPPORTED
458 /* Free text item num or (if num == -1) all text items */
459 if (info_ptr->text != NULL &&
460 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
461 {
462 if (num != -1)
463 {
464 png_free(png_ptr, info_ptr->text[num].key);
465 info_ptr->text[num].key = NULL;
466 }
467
468 else
469 {
470 int i;
471
472 for (i = 0; i < info_ptr->num_text; i++)
473 png_free(png_ptr, info_ptr->text[i].key);
474
475 png_free(png_ptr, info_ptr->text);
476 info_ptr->text = NULL;
477 info_ptr->num_text = 0;
478 info_ptr->max_text = 0;
479 }
480 }
481#endif
482
483#ifdef PNG_tRNS_SUPPORTED
484 /* Free any tRNS entry */
485 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
486 {
487 info_ptr->valid &= ~PNG_INFO_tRNS;
488 png_free(png_ptr, info_ptr->trans_alpha);
489 info_ptr->trans_alpha = NULL;
490 info_ptr->num_trans = 0;
491 }
492#endif
493
494#ifdef PNG_sCAL_SUPPORTED
495 /* Free any sCAL entry */
496 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
497 {
498 png_free(png_ptr, info_ptr->scal_s_width);
499 png_free(png_ptr, info_ptr->scal_s_height);
500 info_ptr->scal_s_width = NULL;
501 info_ptr->scal_s_height = NULL;
502 info_ptr->valid &= ~PNG_INFO_sCAL;
503 }
504#endif
505
506#ifdef PNG_pCAL_SUPPORTED
507 /* Free any pCAL entry */
508 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
509 {
510 png_free(png_ptr, info_ptr->pcal_purpose);
511 png_free(png_ptr, info_ptr->pcal_units);
512 info_ptr->pcal_purpose = NULL;
513 info_ptr->pcal_units = NULL;
514
515 if (info_ptr->pcal_params != NULL)
516 {
517 int i;
518
519 for (i = 0; i < info_ptr->pcal_nparams; i++)
520 png_free(png_ptr, info_ptr->pcal_params[i]);
521
522 png_free(png_ptr, info_ptr->pcal_params);
523 info_ptr->pcal_params = NULL;
524 }
525 info_ptr->valid &= ~PNG_INFO_pCAL;
526 }
527#endif
528
529#ifdef PNG_iCCP_SUPPORTED
530 /* Free any profile entry */
531 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
532 {
533 png_free(png_ptr, info_ptr->iccp_name);
534 png_free(png_ptr, info_ptr->iccp_profile);
535 info_ptr->iccp_name = NULL;
536 info_ptr->iccp_profile = NULL;
537 info_ptr->valid &= ~PNG_INFO_iCCP;
538 }
539#endif
540
541#ifdef PNG_sPLT_SUPPORTED
542 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
543 if (info_ptr->splt_palettes != NULL &&
544 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
545 {
546 if (num != -1)
547 {
548 png_free(png_ptr, info_ptr->splt_palettes[num].name);
549 png_free(png_ptr, info_ptr->splt_palettes[num].entries);
550 info_ptr->splt_palettes[num].name = NULL;
551 info_ptr->splt_palettes[num].entries = NULL;
552 }
553
554 else
555 {
556 int i;
557
558 for (i = 0; i < info_ptr->splt_palettes_num; i++)
559 {
560 png_free(png_ptr, info_ptr->splt_palettes[i].name);
561 png_free(png_ptr, info_ptr->splt_palettes[i].entries);
562 }
563
564 png_free(png_ptr, info_ptr->splt_palettes);
565 info_ptr->splt_palettes = NULL;
566 info_ptr->splt_palettes_num = 0;
567 info_ptr->valid &= ~PNG_INFO_sPLT;
568 }
569 }
570#endif
571
572#ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
573 if (info_ptr->unknown_chunks != NULL &&
574 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
575 {
576 if (num != -1)
577 {
578 png_free(png_ptr, info_ptr->unknown_chunks[num].data);
579 info_ptr->unknown_chunks[num].data = NULL;
580 }
581
582 else
583 {
584 int i;
585
586 for (i = 0; i < info_ptr->unknown_chunks_num; i++)
587 png_free(png_ptr, info_ptr->unknown_chunks[i].data);
588
589 png_free(png_ptr, info_ptr->unknown_chunks);
590 info_ptr->unknown_chunks = NULL;
591 info_ptr->unknown_chunks_num = 0;
592 }
593 }
594#endif
595
596#ifdef PNG_eXIf_SUPPORTED
597 /* Free any eXIf entry */
598 if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0)
599 {
600# ifdef PNG_READ_eXIf_SUPPORTED
601 if (info_ptr->eXIf_buf)
602 {
603 png_free(png_ptr, info_ptr->eXIf_buf);
604 info_ptr->eXIf_buf = NULL;
605 }
606# endif
607 if (info_ptr->exif)
608 {
609 png_free(png_ptr, info_ptr->exif);
610 info_ptr->exif = NULL;
611 }
612 info_ptr->valid &= ~PNG_INFO_eXIf;
613 }
614#endif
615
616#ifdef PNG_hIST_SUPPORTED
617 /* Free any hIST entry */
618 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
619 {
620 png_free(png_ptr, info_ptr->hist);
621 info_ptr->hist = NULL;
622 info_ptr->valid &= ~PNG_INFO_hIST;
623 }
624#endif
625
626 /* Free any PLTE entry that was internally allocated */
627 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
628 {
629 png_free(png_ptr, info_ptr->palette);
630 info_ptr->palette = NULL;
631 info_ptr->valid &= ~PNG_INFO_PLTE;
632 info_ptr->num_palette = 0;
633 }
634
635#ifdef PNG_INFO_IMAGE_SUPPORTED
636 /* Free any image bits attached to the info structure */
637 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
638 {
639 if (info_ptr->row_pointers != NULL)
640 {
641 png_uint_32 row;
642 for (row = 0; row < info_ptr->height; row++)
643 png_free(png_ptr, info_ptr->row_pointers[row]);
644
645 png_free(png_ptr, info_ptr->row_pointers);
646 info_ptr->row_pointers = NULL;
647 }
648 info_ptr->valid &= ~PNG_INFO_IDAT;
649 }
650#endif
651
652 if (num != -1)
653 mask &= ~PNG_FREE_MUL;
654
655 info_ptr->free_me &= ~mask;
656}
657#endif /* READ || WRITE */
658
659/* This function returns a pointer to the io_ptr associated with the user
660 * functions. The application should free any memory associated with this
661 * pointer before png_write_destroy() or png_read_destroy() are called.
662 */
663png_voidp PNGAPI
664png_get_io_ptr(png_const_structrp png_ptr)
665{
666 if (png_ptr == NULL)
667 return NULL;
668
669 return png_ptr->io_ptr;
670}
671
672#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
673# ifdef PNG_STDIO_SUPPORTED
674/* Initialize the default input/output functions for the PNG file. If you
675 * use your own read or write routines, you can call either png_set_read_fn()
676 * or png_set_write_fn() instead of png_init_io(). If you have defined
677 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
678 * function of your own because "FILE *" isn't necessarily available.
679 */
680void PNGAPI
681png_init_io(png_structrp png_ptr, png_FILE_p fp)
682{
683 png_debug(1, "in png_init_io");
684
685 if (png_ptr == NULL)
686 return;
687
688 png_ptr->io_ptr = (png_voidp)fp;
689}
690# endif
691
692# ifdef PNG_SAVE_INT_32_SUPPORTED
693/* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90
694 * defines a cast of a signed integer to an unsigned integer either to preserve
695 * the value, if it is positive, or to calculate:
696 *
697 * (UNSIGNED_MAX+1) + integer
698 *
699 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
700 * negative integral value is added the result will be an unsigned value
701 * corresponding to the 2's complement representation.
702 */
703void PNGAPI
704png_save_int_32(png_bytep buf, png_int_32 i)
705{
706 png_save_uint_32(buf, (png_uint_32)i);
707}
708# endif
709
710# ifdef PNG_TIME_RFC1123_SUPPORTED
711/* Convert the supplied time into an RFC 1123 string suitable for use in
712 * a "Creation Time" or other text-based time string.
713 */
714int PNGAPI
715png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
716{
717 static const char short_months[12][4] =
718 {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
719 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
720
721 if (out == NULL)
722 return 0;
723
724 if (ptime->year > 9999 /* RFC1123 limitation */ ||
725 ptime->month == 0 || ptime->month > 12 ||
726 ptime->day == 0 || ptime->day > 31 ||
727 ptime->hour > 23 || ptime->minute > 59 ||
728 ptime->second > 60)
729 return 0;
730
731 {
732 size_t pos = 0;
733 char number_buf[5] = {0, 0, 0, 0, 0}; /* enough for a four-digit year */
734
735# define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
736# define APPEND_NUMBER(format, value)\
737 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
738# define APPEND(ch) if (pos < 28) out[pos++] = (ch)
739
740 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
741 APPEND(' ');
742 APPEND_STRING(short_months[(ptime->month - 1)]);
743 APPEND(' ');
744 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
745 APPEND(' ');
746 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
747 APPEND(':');
748 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
749 APPEND(':');
750 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
751 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
752 PNG_UNUSED (pos)
753
754# undef APPEND
755# undef APPEND_NUMBER
756# undef APPEND_STRING
757 }
758
759 return 1;
760}
761
762# if PNG_LIBPNG_VER < 10700
763/* To do: remove the following from libpng-1.7 */
764/* Original API that uses a private buffer in png_struct.
765 * Deprecated because it causes png_struct to carry a spurious temporary
766 * buffer (png_struct::time_buffer), better to have the caller pass this in.
767 */
768png_const_charp PNGAPI
769png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
770{
771 if (png_ptr != NULL)
772 {
773 /* The only failure above if png_ptr != NULL is from an invalid ptime */
774 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
775 png_warning(png_ptr, "Ignoring invalid time value");
776
777 else
778 return png_ptr->time_buffer;
779 }
780
781 return NULL;
782}
783# endif /* LIBPNG_VER < 10700 */
784# endif /* TIME_RFC1123 */
785
786#endif /* READ || WRITE */
787
788png_const_charp PNGAPI
789png_get_copyright(png_const_structrp png_ptr)
790{
791 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
792#ifdef PNG_STRING_COPYRIGHT
793 return PNG_STRING_COPYRIGHT
794#else
795 return PNG_STRING_NEWLINE \
796 "libpng version 1.6.45" PNG_STRING_NEWLINE \
797 "Copyright (c) 2018-2025 Cosmin Truta" PNG_STRING_NEWLINE \
798 "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
799 PNG_STRING_NEWLINE \
800 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
801 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
802 PNG_STRING_NEWLINE;
803#endif
804}
805
806/* The following return the library version as a short string in the
807 * format 1.0.0 through 99.99.99zz. To get the version of *.h files
808 * used with your application, print out PNG_LIBPNG_VER_STRING, which
809 * is defined in png.h.
810 * Note: now there is no difference between png_get_libpng_ver() and
811 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard,
812 * it is guaranteed that png.c uses the correct version of png.h.
813 */
814png_const_charp PNGAPI
815png_get_libpng_ver(png_const_structrp png_ptr)
816{
817 /* Version of *.c files used when building libpng */
818 return png_get_header_ver(png_ptr);
819}
820
821png_const_charp PNGAPI
822png_get_header_ver(png_const_structrp png_ptr)
823{
824 /* Version of *.h files used when building libpng */
825 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
826 return PNG_LIBPNG_VER_STRING;
827}
828
829png_const_charp PNGAPI
830png_get_header_version(png_const_structrp png_ptr)
831{
832 /* Returns longer string containing both version and date */
833 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
834#ifdef __STDC__
835 return PNG_HEADER_VERSION_STRING
836# ifndef PNG_READ_SUPPORTED
837 " (NO READ SUPPORT)"
838# endif
839 PNG_STRING_NEWLINE;
840#else
841 return PNG_HEADER_VERSION_STRING;
842#endif
843}
844
845#ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
846/* NOTE: this routine is not used internally! */
847/* Build a grayscale palette. Palette is assumed to be 1 << bit_depth
848 * large of png_color. This lets grayscale images be treated as
849 * paletted. Most useful for gamma correction and simplification
850 * of code. This API is not used internally.
851 */
852void PNGAPI
853png_build_grayscale_palette(int bit_depth, png_colorp palette)
854{
855 int num_palette;
856 int color_inc;
857 int i;
858 int v;
859
860 png_debug(1, "in png_do_build_grayscale_palette");
861
862 if (palette == NULL)
863 return;
864
865 switch (bit_depth)
866 {
867 case 1:
868 num_palette = 2;
869 color_inc = 0xff;
870 break;
871
872 case 2:
873 num_palette = 4;
874 color_inc = 0x55;
875 break;
876
877 case 4:
878 num_palette = 16;
879 color_inc = 0x11;
880 break;
881
882 case 8:
883 num_palette = 256;
884 color_inc = 1;
885 break;
886
887 default:
888 num_palette = 0;
889 color_inc = 0;
890 break;
891 }
892
893 for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
894 {
895 palette[i].red = (png_byte)(v & 0xff);
896 palette[i].green = (png_byte)(v & 0xff);
897 palette[i].blue = (png_byte)(v & 0xff);
898 }
899}
900#endif
901
902#ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
903int PNGAPI
904png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
905{
906 /* Check chunk_name and return "keep" value if it's on the list, else 0 */
907 png_const_bytep p, p_end;
908
909 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
910 return PNG_HANDLE_CHUNK_AS_DEFAULT;
911
912 p_end = png_ptr->chunk_list;
913 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
914
915 /* The code is the fifth byte after each four byte string. Historically this
916 * code was always searched from the end of the list, this is no longer
917 * necessary because the 'set' routine handles duplicate entries correctly.
918 */
919 do /* num_chunk_list > 0, so at least one */
920 {
921 p -= 5;
922
923 if (memcmp(chunk_name, p, 4) == 0)
924 return p[4];
925 }
926 while (p > p_end);
927
928 /* This means that known chunks should be processed and unknown chunks should
929 * be handled according to the value of png_ptr->unknown_default; this can be
930 * confusing because, as a result, there are two levels of defaulting for
931 * unknown chunks.
932 */
933 return PNG_HANDLE_CHUNK_AS_DEFAULT;
934}
935
936#if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
937 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
938int /* PRIVATE */
939png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
940{
941 png_byte chunk_string[5];
942
943 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
944 return png_handle_as_unknown(png_ptr, chunk_string);
945}
946#endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
947#endif /* SET_UNKNOWN_CHUNKS */
948
949#ifdef PNG_READ_SUPPORTED
950/* This function, added to libpng-1.0.6g, is untested. */
951int PNGAPI
952png_reset_zstream(png_structrp png_ptr)
953{
954 if (png_ptr == NULL)
955 return Z_STREAM_ERROR;
956
957 /* WARNING: this resets the window bits to the maximum! */
958 return inflateReset(&png_ptr->zstream);
959}
960#endif /* READ */
961
962/* This function was added to libpng-1.0.7 */
963png_uint_32 PNGAPI
964png_access_version_number(void)
965{
966 /* Version of *.c files used when building libpng */
967 return (png_uint_32)PNG_LIBPNG_VER;
968}
969
970#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
971/* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
972 * If it doesn't 'ret' is used to set it to something appropriate, even in cases
973 * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
974 */
975void /* PRIVATE */
976png_zstream_error(png_structrp png_ptr, int ret)
977{
978 /* Translate 'ret' into an appropriate error string, priority is given to the
979 * one in zstream if set. This always returns a string, even in cases like
980 * Z_OK or Z_STREAM_END where the error code is a success code.
981 */
982 if (png_ptr->zstream.msg == NULL) switch (ret)
983 {
984 default:
985 case Z_OK:
986 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
987 break;
988
989 case Z_STREAM_END:
990 /* Normal exit */
991 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
992 break;
993
994 case Z_NEED_DICT:
995 /* This means the deflate stream did not have a dictionary; this
996 * indicates a bogus PNG.
997 */
998 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
999 break;
1000
1001 case Z_ERRNO:
1002 /* gz APIs only: should not happen */
1003 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
1004 break;
1005
1006 case Z_STREAM_ERROR:
1007 /* internal libpng error */
1008 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1009 break;
1010
1011 case Z_DATA_ERROR:
1012 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1013 break;
1014
1015 case Z_MEM_ERROR:
1016 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1017 break;
1018
1019 case Z_BUF_ERROR:
1020 /* End of input or output; not a problem if the caller is doing
1021 * incremental read or write.
1022 */
1023 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1024 break;
1025
1026 case Z_VERSION_ERROR:
1027 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1028 break;
1029
1030 case PNG_UNEXPECTED_ZLIB_RETURN:
1031 /* Compile errors here mean that zlib now uses the value co-opted in
1032 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1033 * and change pngpriv.h. Note that this message is "... return",
1034 * whereas the default/Z_OK one is "... return code".
1035 */
1036 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1037 break;
1038 }
1039}
1040
1041/* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1042 * at libpng 1.5.5!
1043 */
1044
1045/* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1046#ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1047static int
1048png_colorspace_check_gamma(png_const_structrp png_ptr,
1049 png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1050 /* This is called to check a new gamma value against an existing one. The
1051 * routine returns false if the new gamma value should not be written.
1052 *
1053 * 'from' says where the new gamma value comes from:
1054 *
1055 * 0: the new gamma value is the libpng estimate for an ICC profile
1056 * 1: the new gamma value comes from a gAMA chunk
1057 * 2: the new gamma value comes from an sRGB chunk
1058 */
1059{
1060 png_fixed_point gtest;
1061
1062 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1063 (png_muldiv(&gtest, colorspace->gamma, PNG_FP_1, gAMA) == 0 ||
1064 png_gamma_significant(gtest) != 0))
1065 {
1066 /* Either this is an sRGB image, in which case the calculated gamma
1067 * approximation should match, or this is an image with a profile and the
1068 * value libpng calculates for the gamma of the profile does not match the
1069 * value recorded in the file. The former, sRGB, case is an error, the
1070 * latter is just a warning.
1071 */
1072 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1073 {
1074 png_chunk_report(png_ptr, "gamma value does not match sRGB",
1075 PNG_CHUNK_ERROR);
1076 /* Do not overwrite an sRGB value */
1077 return from == 2;
1078 }
1079
1080 else /* sRGB tag not involved */
1081 {
1082 png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1083 PNG_CHUNK_WARNING);
1084 return from == 1;
1085 }
1086 }
1087
1088 return 1;
1089}
1090
1091void /* PRIVATE */
1092png_colorspace_set_gamma(png_const_structrp png_ptr,
1093 png_colorspacerp colorspace, png_fixed_point gAMA)
1094{
1095 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1096 * occur. Since the fixed point representation is asymmetrical it is
1097 * possible for 1/gamma to overflow the limit of 21474 and this means the
1098 * gamma value must be at least 5/100000 and hence at most 20000.0. For
1099 * safety the limits here are a little narrower. The values are 0.00016 to
1100 * 6250.0, which are truly ridiculous gamma values (and will produce
1101 * displays that are all black or all white.)
1102 *
1103 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1104 * handling code, which only required the value to be >0.
1105 */
1106 png_const_charp errmsg;
1107
1108 if (gAMA < 16 || gAMA > 625000000)
1109 errmsg = "gamma value out of range";
1110
1111# ifdef PNG_READ_gAMA_SUPPORTED
1112 /* Allow the application to set the gamma value more than once */
1113 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1114 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1115 errmsg = "duplicate";
1116# endif
1117
1118 /* Do nothing if the colorspace is already invalid */
1119 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1120 return;
1121
1122 else
1123 {
1124 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1125 1/*from gAMA*/) != 0)
1126 {
1127 /* Store this gamma value. */
1128 colorspace->gamma = gAMA;
1129 colorspace->flags |=
1130 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1131 }
1132
1133 /* At present if the check_gamma test fails the gamma of the colorspace is
1134 * not updated however the colorspace is not invalidated. This
1135 * corresponds to the case where the existing gamma comes from an sRGB
1136 * chunk or profile. An error message has already been output.
1137 */
1138 return;
1139 }
1140
1141 /* Error exit - errmsg has been set. */
1142 colorspace->flags |= PNG_COLORSPACE_INVALID;
1143 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1144}
1145
1146void /* PRIVATE */
1147png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1148{
1149 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1150 {
1151 /* Everything is invalid */
1152 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1153 PNG_INFO_iCCP);
1154
1155# ifdef PNG_COLORSPACE_SUPPORTED
1156 /* Clean up the iCCP profile now if it won't be used. */
1157 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1158# else
1159 PNG_UNUSED(png_ptr)
1160# endif
1161 }
1162
1163 else
1164 {
1165# ifdef PNG_COLORSPACE_SUPPORTED
1166 /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1167 * it; this allows a PNG to contain a profile which matches sRGB and
1168 * yet still have that profile retrievable by the application.
1169 */
1170 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1171 info_ptr->valid |= PNG_INFO_sRGB;
1172
1173 else
1174 info_ptr->valid &= ~PNG_INFO_sRGB;
1175
1176 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1177 info_ptr->valid |= PNG_INFO_cHRM;
1178
1179 else
1180 info_ptr->valid &= ~PNG_INFO_cHRM;
1181# endif
1182
1183 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1184 info_ptr->valid |= PNG_INFO_gAMA;
1185
1186 else
1187 info_ptr->valid &= ~PNG_INFO_gAMA;
1188 }
1189}
1190
1191#ifdef PNG_READ_SUPPORTED
1192void /* PRIVATE */
1193png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1194{
1195 if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1196 return;
1197
1198 info_ptr->colorspace = png_ptr->colorspace;
1199 png_colorspace_sync_info(png_ptr, info_ptr);
1200}
1201#endif
1202#endif /* GAMMA */
1203
1204#ifdef PNG_COLORSPACE_SUPPORTED
1205static png_int_32
1206png_fp_add(png_int_32 addend0, png_int_32 addend1, int *error)
1207{
1208 /* Safely add two fixed point values setting an error flag and returning 0.5
1209 * on overflow.
1210 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1211 * relying on addition of two positive values producing a negative one is not
1212 * safe.
1213 */
1214 if (addend0 > 0)
1215 {
1216 if (0x7fffffff - addend0 >= addend1)
1217 return addend0+addend1;
1218 }
1219 else if (addend0 < 0)
1220 {
1221 if (-0x7fffffff - addend0 <= addend1)
1222 return addend0+addend1;
1223 }
1224 else
1225 return addend1;
1226
1227 *error = 1;
1228 return PNG_FP_1/2;
1229}
1230
1231static png_int_32
1232png_fp_sub(png_int_32 addend0, png_int_32 addend1, int *error)
1233{
1234 /* As above but calculate addend0-addend1. */
1235 if (addend1 > 0)
1236 {
1237 if (-0x7fffffff + addend1 <= addend0)
1238 return addend0-addend1;
1239 }
1240 else if (addend1 < 0)
1241 {
1242 if (0x7fffffff + addend1 >= addend0)
1243 return addend0-addend1;
1244 }
1245 else
1246 return addend0;
1247
1248 *error = 1;
1249 return PNG_FP_1/2;
1250}
1251
1252static int
1253png_safe_add(png_int_32 *addend0_and_result, png_int_32 addend1,
1254 png_int_32 addend2)
1255{
1256 /* Safely add three integers. Returns 0 on success, 1 on overflow. Does not
1257 * set the result on overflow.
1258 */
1259 int error = 0;
1260 int result = png_fp_add(*addend0_and_result,
1261 png_fp_add(addend1, addend2, &error),
1262 &error);
1263 if (!error) *addend0_and_result = result;
1264 return error;
1265}
1266
1267/* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1268 * cHRM, as opposed to using chromaticities. These internal APIs return
1269 * non-zero on a parameter error. The X, Y and Z values are required to be
1270 * positive and less than 1.0.
1271 */
1272static int
1273png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1274{
1275 png_int_32 d, dred, dgreen, dblue, dwhite, whiteX, whiteY;
1276
1277 /* 'd' in each of the blocks below is just X+Y+Z for each component,
1278 * x, y and z are X,Y,Z/(X+Y+Z).
1279 */
1280 d = XYZ->red_X;
1281 if (png_safe_add(&d, XYZ->red_Y, XYZ->red_Z))
1282 return 1;
1283 dred = d;
1284 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, dred) == 0)
1285 return 1;
1286 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, dred) == 0)
1287 return 1;
1288
1289 d = XYZ->green_X;
1290 if (png_safe_add(&d, XYZ->green_Y, XYZ->green_Z))
1291 return 1;
1292 dgreen = d;
1293 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, dgreen) == 0)
1294 return 1;
1295 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, dgreen) == 0)
1296 return 1;
1297
1298 d = XYZ->blue_X;
1299 if (png_safe_add(&d, XYZ->blue_Y, XYZ->blue_Z))
1300 return 1;
1301 dblue = d;
1302 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, dblue) == 0)
1303 return 1;
1304 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, dblue) == 0)
1305 return 1;
1306
1307 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors so
1308 * the fillowing calculates (X+Y+Z) of the reference white (media white,
1309 * encoding white) itself:
1310 */
1311 d = dblue;
1312 if (png_safe_add(&d, dred, dgreen))
1313 return 1;
1314 dwhite = d;
1315
1316 /* Find the white X,Y values from the sum of the red, green and blue X,Y
1317 * values.
1318 */
1319 d = XYZ->red_X;
1320 if (png_safe_add(&d, XYZ->green_X, XYZ->blue_X))
1321 return 1;
1322 whiteX = d;
1323
1324 d = XYZ->red_Y;
1325 if (png_safe_add(&d, XYZ->green_Y, XYZ->blue_Y))
1326 return 1;
1327 whiteY = d;
1328
1329 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1330 return 1;
1331 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1332 return 1;
1333
1334 return 0;
1335}
1336
1337static int
1338png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1339{
1340 png_fixed_point red_inverse, green_inverse, blue_scale;
1341 png_fixed_point left, right, denominator;
1342
1343 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically
1344 * have end points with 0 tristimulus values (these are impossible end
1345 * points, but they are used to cover the possible colors). We check
1346 * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1347 *
1348 * The limits here will *not* accept ACES AP0, where bluey is -7700
1349 * (-0.0770) because the PNG spec itself requires the xy values to be
1350 * unsigned. whitey is also required to be 5 or more to avoid overflow.
1351 *
1352 * Instead the upper limits have been relaxed to accomodate ACES AP1 where
1353 * redz ends up as -600 (-0.006). ProPhotoRGB was already "in range."
1354 * The new limit accomodates the AP0 and AP1 ranges for z but not AP0 redy.
1355 */
1356 const png_fixed_point fpLimit = PNG_FP_1+(PNG_FP_1/10);
1357 if (xy->redx < 0 || xy->redx > fpLimit) return 1;
1358 if (xy->redy < 0 || xy->redy > fpLimit-xy->redx) return 1;
1359 if (xy->greenx < 0 || xy->greenx > fpLimit) return 1;
1360 if (xy->greeny < 0 || xy->greeny > fpLimit-xy->greenx) return 1;
1361 if (xy->bluex < 0 || xy->bluex > fpLimit) return 1;
1362 if (xy->bluey < 0 || xy->bluey > fpLimit-xy->bluex) return 1;
1363 if (xy->whitex < 0 || xy->whitex > fpLimit) return 1;
1364 if (xy->whitey < 5 || xy->whitey > fpLimit-xy->whitex) return 1;
1365
1366 /* The reverse calculation is more difficult because the original tristimulus
1367 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1368 * derived values were recorded in the cHRM chunk;
1369 * (red,green,blue,white)x(x,y). This loses one degree of freedom and
1370 * therefore an arbitrary ninth value has to be introduced to undo the
1371 * original transformations.
1372 *
1373 * Think of the original end-points as points in (X,Y,Z) space. The
1374 * chromaticity values (c) have the property:
1375 *
1376 * C
1377 * c = ---------
1378 * X + Y + Z
1379 *
1380 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the
1381 * three chromaticity values (x,y,z) for each end-point obey the
1382 * relationship:
1383 *
1384 * x + y + z = 1
1385 *
1386 * This describes the plane in (X,Y,Z) space that intersects each axis at the
1387 * value 1.0; call this the chromaticity plane. Thus the chromaticity
1388 * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1389 * and chromaticity is the intersection of the vector from the origin to the
1390 * (X,Y,Z) value with the chromaticity plane.
1391 *
1392 * To fully invert the chromaticity calculation we would need the three
1393 * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1394 * were not recorded. Instead we calculated the reference white (X,Y,Z) and
1395 * recorded the chromaticity of this. The reference white (X,Y,Z) would have
1396 * given all three of the scale factors since:
1397 *
1398 * color-C = color-c * color-scale
1399 * white-C = red-C + green-C + blue-C
1400 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1401 *
1402 * But cHRM records only white-x and white-y, so we have lost the white scale
1403 * factor:
1404 *
1405 * white-C = white-c*white-scale
1406 *
1407 * To handle this the inverse transformation makes an arbitrary assumption
1408 * about white-scale:
1409 *
1410 * Assume: white-Y = 1.0
1411 * Hence: white-scale = 1/white-y
1412 * Or: red-Y + green-Y + blue-Y = 1.0
1413 *
1414 * Notice the last statement of the assumption gives an equation in three of
1415 * the nine values we want to calculate. 8 more equations come from the
1416 * above routine as summarised at the top above (the chromaticity
1417 * calculation):
1418 *
1419 * Given: color-x = color-X / (color-X + color-Y + color-Z)
1420 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1421 *
1422 * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1423 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix
1424 * determinants, however this is not as bad as it seems because only 28 of
1425 * the total of 90 terms in the various matrices are non-zero. Nevertheless
1426 * Cramer's rule is notoriously numerically unstable because the determinant
1427 * calculation involves the difference of large, but similar, numbers. It is
1428 * difficult to be sure that the calculation is stable for real world values
1429 * and it is certain that it becomes unstable where the end points are close
1430 * together.
1431 *
1432 * So this code uses the perhaps slightly less optimal but more
1433 * understandable and totally obvious approach of calculating color-scale.
1434 *
1435 * This algorithm depends on the precision in white-scale and that is
1436 * (1/white-y), so we can immediately see that as white-y approaches 0 the
1437 * accuracy inherent in the cHRM chunk drops off substantially.
1438 *
1439 * libpng arithmetic: a simple inversion of the above equations
1440 * ------------------------------------------------------------
1441 *
1442 * white_scale = 1/white-y
1443 * white-X = white-x * white-scale
1444 * white-Y = 1.0
1445 * white-Z = (1 - white-x - white-y) * white_scale
1446 *
1447 * white-C = red-C + green-C + blue-C
1448 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1449 *
1450 * This gives us three equations in (red-scale,green-scale,blue-scale) where
1451 * all the coefficients are now known:
1452 *
1453 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1454 * = white-x/white-y
1455 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1456 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1457 * = (1 - white-x - white-y)/white-y
1458 *
1459 * In the last equation color-z is (1 - color-x - color-y) so we can add all
1460 * three equations together to get an alternative third:
1461 *
1462 * red-scale + green-scale + blue-scale = 1/white-y = white-scale
1463 *
1464 * So now we have a Cramer's rule solution where the determinants are just
1465 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve
1466 * multiplication of three coefficients so we can't guarantee to avoid
1467 * overflow in the libpng fixed point representation. Using Cramer's rule in
1468 * floating point is probably a good choice here, but it's not an option for
1469 * fixed point. Instead proceed to simplify the first two equations by
1470 * eliminating what is likely to be the largest value, blue-scale:
1471 *
1472 * blue-scale = white-scale - red-scale - green-scale
1473 *
1474 * Hence:
1475 *
1476 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1477 * (white-x - blue-x)*white-scale
1478 *
1479 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1480 * 1 - blue-y*white-scale
1481 *
1482 * And now we can trivially solve for (red-scale,green-scale):
1483 *
1484 * green-scale =
1485 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1486 * -----------------------------------------------------------
1487 * green-x - blue-x
1488 *
1489 * red-scale =
1490 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1491 * ---------------------------------------------------------
1492 * red-y - blue-y
1493 *
1494 * Hence:
1495 *
1496 * red-scale =
1497 * ( (green-x - blue-x) * (white-y - blue-y) -
1498 * (green-y - blue-y) * (white-x - blue-x) ) / white-y
1499 * -------------------------------------------------------------------------
1500 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1501 *
1502 * green-scale =
1503 * ( (red-y - blue-y) * (white-x - blue-x) -
1504 * (red-x - blue-x) * (white-y - blue-y) ) / white-y
1505 * -------------------------------------------------------------------------
1506 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1507 *
1508 * Accuracy:
1509 * The input values have 5 decimal digits of accuracy.
1510 *
1511 * In the previous implementation the values were all in the range 0 < value
1512 * < 1, so simple products are in the same range but may need up to 10
1513 * decimal digits to preserve the original precision and avoid underflow.
1514 * Because we are using a 32-bit signed representation we cannot match this;
1515 * the best is a little over 9 decimal digits, less than 10.
1516 *
1517 * This range has now been extended to allow values up to 1.1, or 110,000 in
1518 * fixed point.
1519 *
1520 * The approach used here is to preserve the maximum precision within the
1521 * signed representation. Because the red-scale calculation above uses the
1522 * difference between two products of values that must be in the range
1523 * -1.1..+1.1 it is sufficient to divide the product by 8;
1524 * ceil(121,000/32767*2). The factor is irrelevant in the calculation
1525 * because it is applied to both numerator and denominator.
1526 *
1527 * Note that the values of the differences of the products of the
1528 * chromaticities in the above equations tend to be small, for example for
1529 * the sRGB chromaticities they are:
1530 *
1531 * red numerator: -0.04751
1532 * green numerator: -0.08788
1533 * denominator: -0.2241 (without white-y multiplication)
1534 *
1535 * The resultant Y coefficients from the chromaticities of some widely used
1536 * color space definitions are (to 15 decimal places):
1537 *
1538 * sRGB
1539 * 0.212639005871510 0.715168678767756 0.072192315360734
1540 * Kodak ProPhoto
1541 * 0.288071128229293 0.711843217810102 0.000085653960605
1542 * Adobe RGB
1543 * 0.297344975250536 0.627363566255466 0.075291458493998
1544 * Adobe Wide Gamut RGB
1545 * 0.258728243040113 0.724682314948566 0.016589442011321
1546 */
1547 int error = 0;
1548
1549 /* By the argument above overflow should be impossible here, however the
1550 * code now simply returns a failure code. The xy subtracts in the arguments
1551 * to png_muldiv are *not* checked for overflow because the checks at the
1552 * start guarantee they are in the range 0..110000 and png_fixed_point is a
1553 * 32-bit signed number.
1554 */
1555 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 8) == 0)
1556 return 1;
1557 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 8) == 0)
1558 return 1;
1559 denominator = png_fp_sub(left, right, &error);
1560 if (error) return 1;
1561
1562 /* Now find the red numerator. */
1563 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 8) == 0)
1564 return 1;
1565 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 8) == 0)
1566 return 1;
1567
1568 /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1569 * chunk values. This calculation actually returns the reciprocal of the
1570 * scale value because this allows us to delay the multiplication of white-y
1571 * into the denominator, which tends to produce a small number.
1572 */
1573 if (png_muldiv(&red_inverse, xy->whitey, denominator,
1574 png_fp_sub(left, right, &error)) == 0 || error ||
1575 red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1576 return 1;
1577
1578 /* Similarly for green_inverse: */
1579 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 8) == 0)
1580 return 1;
1581 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 8) == 0)
1582 return 1;
1583 if (png_muldiv(&green_inverse, xy->whitey, denominator,
1584 png_fp_sub(left, right, &error)) == 0 || error ||
1585 green_inverse <= xy->whitey)
1586 return 1;
1587
1588 /* And the blue scale, the checks above guarantee this can't overflow but it
1589 * can still produce 0 for extreme cHRM values.
1590 */
1591 blue_scale = png_fp_sub(png_fp_sub(png_reciprocal(xy->whitey),
1592 png_reciprocal(red_inverse), &error),
1593 png_reciprocal(green_inverse), &error);
1594 if (error || blue_scale <= 0)
1595 return 1;
1596
1597
1598 /* And fill in the png_XYZ. Again the subtracts are safe because of the
1599 * checks on the xy values at the start (the subtracts just calculate the
1600 * corresponding z values.)
1601 */
1602 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1603 return 1;
1604 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1605 return 1;
1606 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1607 red_inverse) == 0)
1608 return 1;
1609
1610 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1611 return 1;
1612 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1613 return 1;
1614 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1615 green_inverse) == 0)
1616 return 1;
1617
1618 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1619 return 1;
1620 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1621 return 1;
1622 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1623 PNG_FP_1) == 0)
1624 return 1;
1625
1626 return 0; /*success*/
1627}
1628
1629static int
1630png_XYZ_normalize(png_XYZ *XYZ)
1631{
1632 png_int_32 Y, Ytemp;
1633
1634 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1. */
1635 Ytemp = XYZ->red_Y;
1636 if (png_safe_add(&Ytemp, XYZ->green_Y, XYZ->blue_Y))
1637 return 1;
1638
1639 Y = Ytemp;
1640
1641 if (Y != PNG_FP_1)
1642 {
1643 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1644 return 1;
1645 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1646 return 1;
1647 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1648 return 1;
1649
1650 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1651 return 1;
1652 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1653 return 1;
1654 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1655 return 1;
1656
1657 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1658 return 1;
1659 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1660 return 1;
1661 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1662 return 1;
1663 }
1664
1665 return 0;
1666}
1667
1668static int
1669png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1670{
1671 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1672 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1673 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1674 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) ||
1675 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) ||
1676 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1677 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1678 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) ||
1679 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta))
1680 return 0;
1681 return 1;
1682}
1683
1684/* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1685 * chunk chromaticities. Earlier checks used to simply look for the overflow
1686 * condition (where the determinant of the matrix to solve for XYZ ends up zero
1687 * because the chromaticity values are not all distinct.) Despite this it is
1688 * theoretically possible to produce chromaticities that are apparently valid
1689 * but that rapidly degrade to invalid, potentially crashing, sets because of
1690 * arithmetic inaccuracies when calculations are performed on them. The new
1691 * check is to round-trip xy -> XYZ -> xy and then check that the result is
1692 * within a small percentage of the original.
1693 */
1694static int
1695png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1696{
1697 int result;
1698 png_xy xy_test;
1699
1700 /* As a side-effect this routine also returns the XYZ endpoints. */
1701 result = png_XYZ_from_xy(XYZ, xy);
1702 if (result != 0)
1703 return result;
1704
1705 result = png_xy_from_XYZ(&xy_test, XYZ);
1706 if (result != 0)
1707 return result;
1708
1709 if (png_colorspace_endpoints_match(xy, &xy_test,
1710 5/*actually, the math is pretty accurate*/) != 0)
1711 return 0;
1712
1713 /* Too much slip */
1714 return 1;
1715}
1716
1717/* This is the check going the other way. The XYZ is modified to normalize it
1718 * (another side-effect) and the xy chromaticities are returned.
1719 */
1720static int
1721png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1722{
1723 int result;
1724 png_XYZ XYZtemp;
1725
1726 result = png_XYZ_normalize(XYZ);
1727 if (result != 0)
1728 return result;
1729
1730 result = png_xy_from_XYZ(xy, XYZ);
1731 if (result != 0)
1732 return result;
1733
1734 XYZtemp = *XYZ;
1735 return png_colorspace_check_xy(&XYZtemp, xy);
1736}
1737
1738/* Used to check for an endpoint match against sRGB */
1739static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1740{
1741 /* color x y */
1742 /* red */ 64000, 33000,
1743 /* green */ 30000, 60000,
1744 /* blue */ 15000, 6000,
1745 /* white */ 31270, 32900
1746};
1747
1748static int
1749png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1750 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1751 int preferred)
1752{
1753 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1754 return 0;
1755
1756 /* The consistency check is performed on the chromaticities; this factors out
1757 * variations because of the normalization (or not) of the end point Y
1758 * values.
1759 */
1760 if (preferred < 2 &&
1761 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1762 {
1763 /* The end points must be reasonably close to any we already have. The
1764 * following allows an error of up to +/-.001
1765 */
1766 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1767 100) == 0)
1768 {
1769 colorspace->flags |= PNG_COLORSPACE_INVALID;
1770 png_benign_error(png_ptr, "inconsistent chromaticities");
1771 return 0; /* failed */
1772 }
1773
1774 /* Only overwrite with preferred values */
1775 if (preferred == 0)
1776 return 1; /* ok, but no change */
1777 }
1778
1779 colorspace->end_points_xy = *xy;
1780 colorspace->end_points_XYZ = *XYZ;
1781 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1782
1783 /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1784 * on this test.
1785 */
1786 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1787 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1788
1789 else
1790 colorspace->flags &= PNG_COLORSPACE_CANCEL(
1791 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1792
1793 return 2; /* ok and changed */
1794}
1795
1796int /* PRIVATE */
1797png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1798 png_colorspacerp colorspace, const png_xy *xy, int preferred)
1799{
1800 /* We must check the end points to ensure they are reasonable - in the past
1801 * color management systems have crashed as a result of getting bogus
1802 * colorant values, while this isn't the fault of libpng it is the
1803 * responsibility of libpng because PNG carries the bomb and libpng is in a
1804 * position to protect against it.
1805 */
1806 png_XYZ XYZ;
1807
1808 switch (png_colorspace_check_xy(&XYZ, xy))
1809 {
1810 case 0: /* success */
1811 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1812 preferred);
1813
1814 case 1:
1815 /* We can't invert the chromaticities so we can't produce value XYZ
1816 * values. Likely as not a color management system will fail too.
1817 */
1818 colorspace->flags |= PNG_COLORSPACE_INVALID;
1819 png_benign_error(png_ptr, "invalid chromaticities");
1820 break;
1821
1822 default:
1823 /* libpng is broken; this should be a warning but if it happens we
1824 * want error reports so for the moment it is an error.
1825 */
1826 colorspace->flags |= PNG_COLORSPACE_INVALID;
1827 png_error(png_ptr, "internal error checking chromaticities");
1828 }
1829
1830 return 0; /* failed */
1831}
1832
1833int /* PRIVATE */
1834png_colorspace_set_endpoints(png_const_structrp png_ptr,
1835 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1836{
1837 png_XYZ XYZ = *XYZ_in;
1838 png_xy xy;
1839
1840 switch (png_colorspace_check_XYZ(&xy, &XYZ))
1841 {
1842 case 0:
1843 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1844 preferred);
1845
1846 case 1:
1847 /* End points are invalid. */
1848 colorspace->flags |= PNG_COLORSPACE_INVALID;
1849 png_benign_error(png_ptr, "invalid end points");
1850 break;
1851
1852 default:
1853 colorspace->flags |= PNG_COLORSPACE_INVALID;
1854 png_error(png_ptr, "internal error checking chromaticities");
1855 }
1856
1857 return 0; /* failed */
1858}
1859
1860#if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1861/* Error message generation */
1862static char
1863png_icc_tag_char(png_uint_32 byte)
1864{
1865 byte &= 0xff;
1866 if (byte >= 32 && byte <= 126)
1867 return (char)byte;
1868 else
1869 return '?';
1870}
1871
1872static void
1873png_icc_tag_name(char *name, png_uint_32 tag)
1874{
1875 name[0] = '\'';
1876 name[1] = png_icc_tag_char(tag >> 24);
1877 name[2] = png_icc_tag_char(tag >> 16);
1878 name[3] = png_icc_tag_char(tag >> 8);
1879 name[4] = png_icc_tag_char(tag );
1880 name[5] = '\'';
1881}
1882
1883static int
1884is_ICC_signature_char(png_alloc_size_t it)
1885{
1886 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1887 (it >= 97 && it <= 122);
1888}
1889
1890static int
1891is_ICC_signature(png_alloc_size_t it)
1892{
1893 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1894 is_ICC_signature_char((it >> 16) & 0xff) &&
1895 is_ICC_signature_char((it >> 8) & 0xff) &&
1896 is_ICC_signature_char(it & 0xff);
1897}
1898
1899static int
1900png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1901 png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1902{
1903 size_t pos;
1904 char message[196]; /* see below for calculation */
1905
1906 if (colorspace != NULL)
1907 colorspace->flags |= PNG_COLORSPACE_INVALID;
1908
1909 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1910 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1911 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1912 if (is_ICC_signature(value) != 0)
1913 {
1914 /* So 'value' is at most 4 bytes and the following cast is safe */
1915 png_icc_tag_name(message+pos, (png_uint_32)value);
1916 pos += 6; /* total +8; less than the else clause */
1917 message[pos++] = ':';
1918 message[pos++] = ' ';
1919 }
1920# ifdef PNG_WARNINGS_SUPPORTED
1921 else
1922 {
1923 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114 */
1924
1925 pos = png_safecat(message, (sizeof message), pos,
1926 png_format_number(number, number+(sizeof number),
1927 PNG_NUMBER_FORMAT_x, value));
1928 pos = png_safecat(message, (sizeof message), pos, "h: "); /* +2 = 116 */
1929 }
1930# endif
1931 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1932 pos = png_safecat(message, (sizeof message), pos, reason);
1933 PNG_UNUSED(pos)
1934
1935 /* This is recoverable, but make it unconditionally an app_error on write to
1936 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1937 * on read, with a warning, but on write unless the app turns off
1938 * application errors the PNG won't be written.)
1939 */
1940 png_chunk_report(png_ptr, message,
1941 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1942
1943 return 0;
1944}
1945#endif /* sRGB || iCCP */
1946
1947#ifdef PNG_sRGB_SUPPORTED
1948int /* PRIVATE */
1949png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1950 int intent)
1951{
1952 /* sRGB sets known gamma, end points and (from the chunk) intent. */
1953 /* IMPORTANT: these are not necessarily the values found in an ICC profile
1954 * because ICC profiles store values adapted to a D50 environment; it is
1955 * expected that the ICC profile mediaWhitePointTag will be D50; see the
1956 * checks and code elsewhere to understand this better.
1957 *
1958 * These XYZ values, which are accurate to 5dp, produce rgb to gray
1959 * coefficients of (6968,23435,2366), which are reduced (because they add up
1960 * to 32769 not 32768) to (6968,23434,2366). These are the values that
1961 * libpng has traditionally used (and are the best values given the 15bit
1962 * algorithm used by the rgb to gray code.)
1963 */
1964 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1965 {
1966 /* color X Y Z */
1967 /* red */ 41239, 21264, 1933,
1968 /* green */ 35758, 71517, 11919,
1969 /* blue */ 18048, 7219, 95053
1970 };
1971
1972 /* Do nothing if the colorspace is already invalidated. */
1973 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1974 return 0;
1975
1976 /* Check the intent, then check for existing settings. It is valid for the
1977 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1978 * be consistent with the correct values. If, however, this function is
1979 * called below because an iCCP chunk matches sRGB then it is quite
1980 * conceivable that an older app recorded incorrect gAMA and cHRM because of
1981 * an incorrect calculation based on the values in the profile - this does
1982 * *not* invalidate the profile (though it still produces an error, which can
1983 * be ignored.)
1984 */
1985 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1986 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1987 (png_alloc_size_t)intent, "invalid sRGB rendering intent");
1988
1989 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1990 colorspace->rendering_intent != intent)
1991 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1992 (png_alloc_size_t)intent, "inconsistent rendering intents");
1993
1994 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1995 {
1996 png_benign_error(png_ptr, "duplicate sRGB information ignored");
1997 return 0;
1998 }
1999
2000 /* If the standard sRGB cHRM chunk does not match the one from the PNG file
2001 * warn but overwrite the value with the correct one.
2002 */
2003 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
2004 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
2005 100))
2006 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
2007 PNG_CHUNK_ERROR);
2008
2009 /* This check is just done for the error reporting - the routine always
2010 * returns true when the 'from' argument corresponds to sRGB (2).
2011 */
2012 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
2013 2/*from sRGB*/);
2014
2015 /* intent: bugs in GCC force 'int' to be used as the parameter type. */
2016 colorspace->rendering_intent = (png_uint_16)intent;
2017 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
2018
2019 /* endpoints */
2020 colorspace->end_points_xy = sRGB_xy;
2021 colorspace->end_points_XYZ = sRGB_XYZ;
2022 colorspace->flags |=
2023 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
2024
2025 /* gamma */
2026 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
2027 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
2028
2029 /* Finally record that we have an sRGB profile */
2030 colorspace->flags |=
2031 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
2032
2033 return 1; /* set */
2034}
2035#endif /* sRGB */
2036
2037#ifdef PNG_iCCP_SUPPORTED
2038/* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value
2039 * is XYZ(0.9642,1.0,0.8249), which scales to:
2040 *
2041 * (63189.8112, 65536, 54060.6464)
2042 */
2043static const png_byte D50_nCIEXYZ[12] =
2044 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
2045
2046static int /* bool */
2047icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
2048 png_const_charp name, png_uint_32 profile_length)
2049{
2050 if (profile_length < 132)
2051 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2052 "too short");
2053 return 1;
2054}
2055
2056#ifdef PNG_READ_iCCP_SUPPORTED
2057int /* PRIVATE */
2058png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
2059 png_const_charp name, png_uint_32 profile_length)
2060{
2061 if (!icc_check_length(png_ptr, colorspace, name, profile_length))
2062 return 0;
2063
2064 /* This needs to be here because the 'normal' check is in
2065 * png_decompress_chunk, yet this happens after the attempt to
2066 * png_malloc_base the required data. We only need this on read; on write
2067 * the caller supplies the profile buffer so libpng doesn't allocate it. See
2068 * the call to icc_check_length below (the write case).
2069 */
2070# ifdef PNG_SET_USER_LIMITS_SUPPORTED
2071 else if (png_ptr->user_chunk_malloc_max > 0 &&
2072 png_ptr->user_chunk_malloc_max < profile_length)
2073 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2074 "exceeds application limits");
2075# elif PNG_USER_CHUNK_MALLOC_MAX > 0
2076 else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
2077 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2078 "exceeds libpng limits");
2079# else /* !SET_USER_LIMITS */
2080 /* This will get compiled out on all 32-bit and better systems. */
2081 else if (PNG_SIZE_MAX < profile_length)
2082 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2083 "exceeds system limits");
2084# endif /* !SET_USER_LIMITS */
2085
2086 return 1;
2087}
2088#endif /* READ_iCCP */
2089
2090int /* PRIVATE */
2091png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
2092 png_const_charp name, png_uint_32 profile_length,
2093 png_const_bytep profile/* first 132 bytes only */, int color_type)
2094{
2095 png_uint_32 temp;
2096
2097 /* Length check; this cannot be ignored in this code because profile_length
2098 * is used later to check the tag table, so even if the profile seems over
2099 * long profile_length from the caller must be correct. The caller can fix
2100 * this up on read or write by just passing in the profile header length.
2101 */
2102 temp = png_get_uint_32(profile);
2103 if (temp != profile_length)
2104 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2105 "length does not match profile");
2106
2107 temp = (png_uint_32) (*(profile+8));
2108 if (temp > 3 && (profile_length & 3))
2109 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2110 "invalid length");
2111
2112 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
2113 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
2114 profile_length < 132+12*temp) /* truncated tag table */
2115 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2116 "tag count too large");
2117
2118 /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2119 * 16 bits.
2120 */
2121 temp = png_get_uint_32(profile+64);
2122 if (temp >= 0xffff) /* The ICC limit */
2123 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2124 "invalid rendering intent");
2125
2126 /* This is just a warning because the profile may be valid in future
2127 * versions.
2128 */
2129 if (temp >= PNG_sRGB_INTENT_LAST)
2130 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2131 "intent outside defined range");
2132
2133 /* At this point the tag table can't be checked because it hasn't necessarily
2134 * been loaded; however, various header fields can be checked. These checks
2135 * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2136 * restricts the profiles that can be passed in an iCCP chunk (they must be
2137 * appropriate to processing PNG data!)
2138 */
2139
2140 /* Data checks (could be skipped). These checks must be independent of the
2141 * version number; however, the version number doesn't accommodate changes in
2142 * the header fields (just the known tags and the interpretation of the
2143 * data.)
2144 */
2145 temp = png_get_uint_32(profile+36); /* signature 'ascp' */
2146 if (temp != 0x61637370)
2147 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2148 "invalid signature");
2149
2150 /* Currently the PCS illuminant/adopted white point (the computational
2151 * white point) are required to be D50,
2152 * however the profile contains a record of the illuminant so perhaps ICC
2153 * expects to be able to change this in the future (despite the rationale in
2154 * the introduction for using a fixed PCS adopted white.) Consequently the
2155 * following is just a warning.
2156 */
2157 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2158 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2159 "PCS illuminant is not D50");
2160
2161 /* The PNG spec requires this:
2162 * "If the iCCP chunk is present, the image samples conform to the colour
2163 * space represented by the embedded ICC profile as defined by the
2164 * International Color Consortium [ICC]. The colour space of the ICC profile
2165 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2166 * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2167 * and 4)."
2168 *
2169 * This checking code ensures the embedded profile (on either read or write)
2170 * conforms to the specification requirements. Notice that an ICC 'gray'
2171 * color-space profile contains the information to transform the monochrome
2172 * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2173 * should be used in preference to the standard libpng K channel replication
2174 * into R, G and B channels.
2175 *
2176 * Previously it was suggested that an RGB profile on grayscale data could be
2177 * handled. However it it is clear that using an RGB profile in this context
2178 * must be an error - there is no specification of what it means. Thus it is
2179 * almost certainly more correct to ignore the profile.
2180 */
2181 temp = png_get_uint_32(profile+16); /* data colour space field */
2182 switch (temp)
2183 {
2184 case 0x52474220: /* 'RGB ' */
2185 if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2186 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2187 "RGB color space not permitted on grayscale PNG");
2188 break;
2189
2190 case 0x47524159: /* 'GRAY' */
2191 if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2192 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2193 "Gray color space not permitted on RGB PNG");
2194 break;
2195
2196 default:
2197 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2198 "invalid ICC profile color space");
2199 }
2200
2201 /* It is up to the application to check that the profile class matches the
2202 * application requirements; the spec provides no guidance, but it's pretty
2203 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2204 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these
2205 * cases. Issue an error for device link or abstract profiles - these don't
2206 * contain the records necessary to transform the color-space to anything
2207 * other than the target device (and not even that for an abstract profile).
2208 * Profiles of these classes may not be embedded in images.
2209 */
2210 temp = png_get_uint_32(profile+12); /* profile/device class */
2211 switch (temp)
2212 {
2213 case 0x73636e72: /* 'scnr' */
2214 case 0x6d6e7472: /* 'mntr' */
2215 case 0x70727472: /* 'prtr' */
2216 case 0x73706163: /* 'spac' */
2217 /* All supported */
2218 break;
2219
2220 case 0x61627374: /* 'abst' */
2221 /* May not be embedded in an image */
2222 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2223 "invalid embedded Abstract ICC profile");
2224
2225 case 0x6c696e6b: /* 'link' */
2226 /* DeviceLink profiles cannot be interpreted in a non-device specific
2227 * fashion, if an app uses the AToB0Tag in the profile the results are
2228 * undefined unless the result is sent to the intended device,
2229 * therefore a DeviceLink profile should not be found embedded in a
2230 * PNG.
2231 */
2232 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2233 "unexpected DeviceLink ICC profile class");
2234
2235 case 0x6e6d636c: /* 'nmcl' */
2236 /* A NamedColor profile is also device specific, however it doesn't
2237 * contain an AToB0 tag that is open to misinterpretation. Almost
2238 * certainly it will fail the tests below.
2239 */
2240 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2241 "unexpected NamedColor ICC profile class");
2242 break;
2243
2244 default:
2245 /* To allow for future enhancements to the profile accept unrecognized
2246 * profile classes with a warning, these then hit the test below on the
2247 * tag content to ensure they are backward compatible with one of the
2248 * understood profiles.
2249 */
2250 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2251 "unrecognized ICC profile class");
2252 break;
2253 }
2254
2255 /* For any profile other than a device link one the PCS must be encoded
2256 * either in XYZ or Lab.
2257 */
2258 temp = png_get_uint_32(profile+20);
2259 switch (temp)
2260 {
2261 case 0x58595a20: /* 'XYZ ' */
2262 case 0x4c616220: /* 'Lab ' */
2263 break;
2264
2265 default:
2266 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2267 "unexpected ICC PCS encoding");
2268 }
2269
2270 return 1;
2271}
2272
2273int /* PRIVATE */
2274png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2275 png_const_charp name, png_uint_32 profile_length,
2276 png_const_bytep profile /* header plus whole tag table */)
2277{
2278 png_uint_32 tag_count = png_get_uint_32(profile+128);
2279 png_uint_32 itag;
2280 png_const_bytep tag = profile+132; /* The first tag */
2281
2282 /* First scan all the tags in the table and add bits to the icc_info value
2283 * (temporarily in 'tags').
2284 */
2285 for (itag=0; itag < tag_count; ++itag, tag += 12)
2286 {
2287 png_uint_32 tag_id = png_get_uint_32(tag+0);
2288 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2289 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2290
2291 /* The ICC specification does not exclude zero length tags, therefore the
2292 * start might actually be anywhere if there is no data, but this would be
2293 * a clear abuse of the intent of the standard so the start is checked for
2294 * being in range. All defined tag types have an 8 byte header - a 4 byte
2295 * type signature then 0.
2296 */
2297
2298 /* This is a hard error; potentially it can cause read outside the
2299 * profile.
2300 */
2301 if (tag_start > profile_length || tag_length > profile_length - tag_start)
2302 return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2303 "ICC profile tag outside profile");
2304
2305 if ((tag_start & 3) != 0)
2306 {
2307 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is
2308 * only a warning here because libpng does not care about the
2309 * alignment.
2310 */
2311 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2312 "ICC profile tag start not a multiple of 4");
2313 }
2314 }
2315
2316 return 1; /* success, maybe with warnings */
2317}
2318
2319#ifdef PNG_sRGB_SUPPORTED
2320#if PNG_sRGB_PROFILE_CHECKS >= 0
2321/* Information about the known ICC sRGB profiles */
2322static const struct
2323{
2324 png_uint_32 adler, crc, length;
2325 png_uint_32 md5[4];
2326 png_byte have_md5;
2327 png_byte is_broken;
2328 png_uint_16 intent;
2329
2330# define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2331# define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2332 { adler, crc, length, md5, broke, intent },
2333
2334} png_sRGB_checks[] =
2335{
2336 /* This data comes from contrib/tools/checksum-icc run on downloads of
2337 * all four ICC sRGB profiles from www.color.org.
2338 */
2339 /* adler32, crc32, MD5[4], intent, date, length, file-name */
2340 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2341 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2342 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2343
2344 /* ICC sRGB v2 perceptual no black-compensation: */
2345 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2346 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2347 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2348
2349 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2350 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2351 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2352
2353 /* ICC sRGB v4 perceptual */
2354 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2355 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2356 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2357
2358 /* The following profiles have no known MD5 checksum. If there is a match
2359 * on the (empty) MD5 the other fields are used to attempt a match and
2360 * a warning is produced. The first two of these profiles have a 'cprt' tag
2361 * which suggests that they were also made by Hewlett Packard.
2362 */
2363 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2364 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2365 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2366
2367 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2368 * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2369 * so the white point is recorded as the un-adapted value.) The profiles
2370 * below only differ in one byte - the intent - and are basically the same as
2371 * the previous profile except for the mediaWhitePointTag error and a missing
2372 * chromaticAdaptationTag.
2373 */
2374 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2375 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2376 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2377
2378 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2379 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2380 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2381};
2382
2383static int
2384png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2385 png_const_bytep profile, uLong adler)
2386{
2387 /* The quick check is to verify just the MD5 signature and trust the
2388 * rest of the data. Because the profile has already been verified for
2389 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent'
2390 * field too, so if the profile has been edited with an intent not defined
2391 * by sRGB (but maybe defined by a later ICC specification) the read of
2392 * the profile will fail at that point.
2393 */
2394
2395 png_uint_32 length = 0;
2396 png_uint_32 intent = 0x10000; /* invalid */
2397#if PNG_sRGB_PROFILE_CHECKS > 1
2398 uLong crc = 0; /* the value for 0 length data */
2399#endif
2400 unsigned int i;
2401
2402#ifdef PNG_SET_OPTION_SUPPORTED
2403 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2404 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2405 PNG_OPTION_ON)
2406 return 0;
2407#endif
2408
2409 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2410 {
2411 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2412 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2413 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2414 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2415 {
2416 /* This may be one of the old HP profiles without an MD5, in that
2417 * case we can only use the length and Adler32 (note that these
2418 * are not used by default if there is an MD5!)
2419 */
2420# if PNG_sRGB_PROFILE_CHECKS == 0
2421 if (png_sRGB_checks[i].have_md5 != 0)
2422 return 1+png_sRGB_checks[i].is_broken;
2423# endif
2424
2425 /* Profile is unsigned or more checks have been configured in. */
2426 if (length == 0)
2427 {
2428 length = png_get_uint_32(profile);
2429 intent = png_get_uint_32(profile+64);
2430 }
2431
2432 /* Length *and* intent must match */
2433 if (length == (png_uint_32) png_sRGB_checks[i].length &&
2434 intent == (png_uint_32) png_sRGB_checks[i].intent)
2435 {
2436 /* Now calculate the adler32 if not done already. */
2437 if (adler == 0)
2438 {
2439 adler = adler32(0, NULL, 0);
2440 adler = adler32(adler, profile, length);
2441 }
2442
2443 if (adler == png_sRGB_checks[i].adler)
2444 {
2445 /* These basic checks suggest that the data has not been
2446 * modified, but if the check level is more than 1 perform
2447 * our own crc32 checksum on the data.
2448 */
2449# if PNG_sRGB_PROFILE_CHECKS > 1
2450 if (crc == 0)
2451 {
2452 crc = crc32(0, NULL, 0);
2453 crc = crc32(crc, profile, length);
2454 }
2455
2456 /* So this check must pass for the 'return' below to happen.
2457 */
2458 if (crc == png_sRGB_checks[i].crc)
2459# endif
2460 {
2461 if (png_sRGB_checks[i].is_broken != 0)
2462 {
2463 /* These profiles are known to have bad data that may cause
2464 * problems if they are used, therefore attempt to
2465 * discourage their use, skip the 'have_md5' warning below,
2466 * which is made irrelevant by this error.
2467 */
2468 png_chunk_report(png_ptr, "known incorrect sRGB profile",
2469 PNG_CHUNK_ERROR);
2470 }
2471
2472 /* Warn that this being done; this isn't even an error since
2473 * the profile is perfectly valid, but it would be nice if
2474 * people used the up-to-date ones.
2475 */
2476 else if (png_sRGB_checks[i].have_md5 == 0)
2477 {
2478 png_chunk_report(png_ptr,
2479 "out-of-date sRGB profile with no signature",
2480 PNG_CHUNK_WARNING);
2481 }
2482
2483 return 1+png_sRGB_checks[i].is_broken;
2484 }
2485 }
2486
2487# if PNG_sRGB_PROFILE_CHECKS > 0
2488 /* The signature matched, but the profile had been changed in some
2489 * way. This probably indicates a data error or uninformed hacking.
2490 * Fall through to "no match".
2491 */
2492 png_chunk_report(png_ptr,
2493 "Not recognizing known sRGB profile that has been edited",
2494 PNG_CHUNK_WARNING);
2495 break;
2496# endif
2497 }
2498 }
2499 }
2500
2501 return 0; /* no match */
2502}
2503
2504void /* PRIVATE */
2505png_icc_set_sRGB(png_const_structrp png_ptr,
2506 png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2507{
2508 /* Is this profile one of the known ICC sRGB profiles? If it is, just set
2509 * the sRGB information.
2510 */
2511 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2512 (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2513 (int)/*already checked*/png_get_uint_32(profile+64));
2514}
2515#endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2516#endif /* sRGB */
2517
2518int /* PRIVATE */
2519png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2520 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2521 int color_type)
2522{
2523 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2524 return 0;
2525
2526 if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2527 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2528 color_type) != 0 &&
2529 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2530 profile) != 0)
2531 {
2532# if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2533 /* If no sRGB support, don't try storing sRGB information */
2534 png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2535# endif
2536 return 1;
2537 }
2538
2539 /* Failure case */
2540 return 0;
2541}
2542#endif /* iCCP */
2543
2544#ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2545void /* PRIVATE */
2546png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2547{
2548 /* Set the rgb_to_gray coefficients from the colorspace. */
2549 if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2550 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2551 {
2552 /* png_set_background has not been called, get the coefficients from the Y
2553 * values of the colorspace colorants.
2554 */
2555 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2556 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2557 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2558 png_fixed_point total = r+g+b;
2559
2560 if (total > 0 &&
2561 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2562 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2563 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2564 r+g+b <= 32769)
2565 {
2566 /* We allow 0 coefficients here. r+g+b may be 32769 if two or
2567 * all of the coefficients were rounded up. Handle this by
2568 * reducing the *largest* coefficient by 1; this matches the
2569 * approach used for the default coefficients in pngrtran.c
2570 */
2571 int add = 0;
2572
2573 if (r+g+b > 32768)
2574 add = -1;
2575 else if (r+g+b < 32768)
2576 add = 1;
2577
2578 if (add != 0)
2579 {
2580 if (g >= r && g >= b)
2581 g += add;
2582 else if (r >= g && r >= b)
2583 r += add;
2584 else
2585 b += add;
2586 }
2587
2588 /* Check for an internal error. */
2589 if (r+g+b != 32768)
2590 png_error(png_ptr,
2591 "internal error handling cHRM coefficients");
2592
2593 else
2594 {
2595 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r;
2596 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2597 }
2598 }
2599
2600 /* This is a png_error at present even though it could be ignored -
2601 * it should never happen, but it is important that if it does, the
2602 * bug is fixed.
2603 */
2604 else
2605 png_error(png_ptr, "internal error handling cHRM->XYZ");
2606 }
2607}
2608#endif /* READ_RGB_TO_GRAY */
2609
2610#endif /* COLORSPACE */
2611
2612void /* PRIVATE */
2613png_check_IHDR(png_const_structrp png_ptr,
2614 png_uint_32 width, png_uint_32 height, int bit_depth,
2615 int color_type, int interlace_type, int compression_type,
2616 int filter_type)
2617{
2618 int error = 0;
2619
2620 /* Check for width and height valid values */
2621 if (width == 0)
2622 {
2623 png_warning(png_ptr, "Image width is zero in IHDR");
2624 error = 1;
2625 }
2626
2627 if (width > PNG_UINT_31_MAX)
2628 {
2629 png_warning(png_ptr, "Invalid image width in IHDR");
2630 error = 1;
2631 }
2632
2633 /* The bit mask on the first line below must be at least as big as a
2634 * png_uint_32. "~7U" is not adequate on 16-bit systems because it will
2635 * be an unsigned 16-bit value. Casting to (png_alloc_size_t) makes the
2636 * type of the result at least as bit (in bits) as the RHS of the > operator
2637 * which also avoids a common warning on 64-bit systems that the comparison
2638 * of (png_uint_32) against the constant value on the RHS will always be
2639 * false.
2640 */
2641 if (((width + 7) & ~(png_alloc_size_t)7) >
2642 (((PNG_SIZE_MAX
2643 - 48 /* big_row_buf hack */
2644 - 1) /* filter byte */
2645 / 8) /* 8-byte RGBA pixels */
2646 - 1)) /* extra max_pixel_depth pad */
2647 {
2648 /* The size of the row must be within the limits of this architecture.
2649 * Because the read code can perform arbitrary transformations the
2650 * maximum size is checked here. Because the code in png_read_start_row
2651 * adds extra space "for safety's sake" in several places a conservative
2652 * limit is used here.
2653 *
2654 * NOTE: it would be far better to check the size that is actually used,
2655 * but the effect in the real world is minor and the changes are more
2656 * extensive, therefore much more dangerous and much more difficult to
2657 * write in a way that avoids compiler warnings.
2658 */
2659 png_warning(png_ptr, "Image width is too large for this architecture");
2660 error = 1;
2661 }
2662
2663#ifdef PNG_SET_USER_LIMITS_SUPPORTED
2664 if (width > png_ptr->user_width_max)
2665#else
2666 if (width > PNG_USER_WIDTH_MAX)
2667#endif
2668 {
2669 png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2670 error = 1;
2671 }
2672
2673 if (height == 0)
2674 {
2675 png_warning(png_ptr, "Image height is zero in IHDR");
2676 error = 1;
2677 }
2678
2679 if (height > PNG_UINT_31_MAX)
2680 {
2681 png_warning(png_ptr, "Invalid image height in IHDR");
2682 error = 1;
2683 }
2684
2685#ifdef PNG_SET_USER_LIMITS_SUPPORTED
2686 if (height > png_ptr->user_height_max)
2687#else
2688 if (height > PNG_USER_HEIGHT_MAX)
2689#endif
2690 {
2691 png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2692 error = 1;
2693 }
2694
2695 /* Check other values */
2696 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2697 bit_depth != 8 && bit_depth != 16)
2698 {
2699 png_warning(png_ptr, "Invalid bit depth in IHDR");
2700 error = 1;
2701 }
2702
2703 if (color_type < 0 || color_type == 1 ||
2704 color_type == 5 || color_type > 6)
2705 {
2706 png_warning(png_ptr, "Invalid color type in IHDR");
2707 error = 1;
2708 }
2709
2710 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2711 ((color_type == PNG_COLOR_TYPE_RGB ||
2712 color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2713 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2714 {
2715 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2716 error = 1;
2717 }
2718
2719 if (interlace_type >= PNG_INTERLACE_LAST)
2720 {
2721 png_warning(png_ptr, "Unknown interlace method in IHDR");
2722 error = 1;
2723 }
2724
2725 if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2726 {
2727 png_warning(png_ptr, "Unknown compression method in IHDR");
2728 error = 1;
2729 }
2730
2731#ifdef PNG_MNG_FEATURES_SUPPORTED
2732 /* Accept filter_method 64 (intrapixel differencing) only if
2733 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2734 * 2. Libpng did not read a PNG signature (this filter_method is only
2735 * used in PNG datastreams that are embedded in MNG datastreams) and
2736 * 3. The application called png_permit_mng_features with a mask that
2737 * included PNG_FLAG_MNG_FILTER_64 and
2738 * 4. The filter_method is 64 and
2739 * 5. The color_type is RGB or RGBA
2740 */
2741 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2742 png_ptr->mng_features_permitted != 0)
2743 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2744
2745 if (filter_type != PNG_FILTER_TYPE_BASE)
2746 {
2747 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2748 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2749 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2750 (color_type == PNG_COLOR_TYPE_RGB ||
2751 color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2752 {
2753 png_warning(png_ptr, "Unknown filter method in IHDR");
2754 error = 1;
2755 }
2756
2757 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2758 {
2759 png_warning(png_ptr, "Invalid filter method in IHDR");
2760 error = 1;
2761 }
2762 }
2763
2764#else
2765 if (filter_type != PNG_FILTER_TYPE_BASE)
2766 {
2767 png_warning(png_ptr, "Unknown filter method in IHDR");
2768 error = 1;
2769 }
2770#endif
2771
2772 if (error == 1)
2773 png_error(png_ptr, "Invalid IHDR data");
2774}
2775
2776#if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2777/* ASCII to fp functions */
2778/* Check an ASCII formatted floating point value, see the more detailed
2779 * comments in pngpriv.h
2780 */
2781/* The following is used internally to preserve the sticky flags */
2782#define png_fp_add(state, flags) ((state) |= (flags))
2783#define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2784
2785int /* PRIVATE */
2786png_check_fp_number(png_const_charp string, size_t size, int *statep,
2787 size_t *whereami)
2788{
2789 int state = *statep;
2790 size_t i = *whereami;
2791
2792 while (i < size)
2793 {
2794 int type;
2795 /* First find the type of the next character */
2796 switch (string[i])
2797 {
2798 case 43: type = PNG_FP_SAW_SIGN; break;
2799 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2800 case 46: type = PNG_FP_SAW_DOT; break;
2801 case 48: type = PNG_FP_SAW_DIGIT; break;
2802 case 49: case 50: case 51: case 52:
2803 case 53: case 54: case 55: case 56:
2804 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2805 case 69:
2806 case 101: type = PNG_FP_SAW_E; break;
2807 default: goto PNG_FP_End;
2808 }
2809
2810 /* Now deal with this type according to the current
2811 * state, the type is arranged to not overlap the
2812 * bits of the PNG_FP_STATE.
2813 */
2814 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2815 {
2816 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2817 if ((state & PNG_FP_SAW_ANY) != 0)
2818 goto PNG_FP_End; /* not a part of the number */
2819
2820 png_fp_add(state, type);
2821 break;
2822
2823 case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2824 /* Ok as trailer, ok as lead of fraction. */
2825 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2826 goto PNG_FP_End;
2827
2828 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2829 png_fp_add(state, type);
2830
2831 else
2832 png_fp_set(state, PNG_FP_FRACTION | type);
2833
2834 break;
2835
2836 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2837 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2838 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2839
2840 png_fp_add(state, type | PNG_FP_WAS_VALID);
2841
2842 break;
2843
2844 case PNG_FP_INTEGER + PNG_FP_SAW_E:
2845 if ((state & PNG_FP_SAW_DIGIT) == 0)
2846 goto PNG_FP_End;
2847
2848 png_fp_set(state, PNG_FP_EXPONENT);
2849
2850 break;
2851
2852 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2853 goto PNG_FP_End; ** no sign in fraction */
2854
2855 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2856 goto PNG_FP_End; ** Because SAW_DOT is always set */
2857
2858 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2859 png_fp_add(state, type | PNG_FP_WAS_VALID);
2860 break;
2861
2862 case PNG_FP_FRACTION + PNG_FP_SAW_E:
2863 /* This is correct because the trailing '.' on an
2864 * integer is handled above - so we can only get here
2865 * with the sequence ".E" (with no preceding digits).
2866 */
2867 if ((state & PNG_FP_SAW_DIGIT) == 0)
2868 goto PNG_FP_End;
2869
2870 png_fp_set(state, PNG_FP_EXPONENT);
2871
2872 break;
2873
2874 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2875 if ((state & PNG_FP_SAW_ANY) != 0)
2876 goto PNG_FP_End; /* not a part of the number */
2877
2878 png_fp_add(state, PNG_FP_SAW_SIGN);
2879
2880 break;
2881
2882 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2883 goto PNG_FP_End; */
2884
2885 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2886 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2887
2888 break;
2889
2890 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2891 goto PNG_FP_End; */
2892
2893 default: goto PNG_FP_End; /* I.e. break 2 */
2894 }
2895
2896 /* The character seems ok, continue. */
2897 ++i;
2898 }
2899
2900PNG_FP_End:
2901 /* Here at the end, update the state and return the correct
2902 * return code.
2903 */
2904 *statep = state;
2905 *whereami = i;
2906
2907 return (state & PNG_FP_SAW_DIGIT) != 0;
2908}
2909
2910
2911/* The same but for a complete string. */
2912int
2913png_check_fp_string(png_const_charp string, size_t size)
2914{
2915 int state=0;
2916 size_t char_index=0;
2917
2918 if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2919 (char_index == size || string[char_index] == 0))
2920 return state /* must be non-zero - see above */;
2921
2922 return 0; /* i.e. fail */
2923}
2924#endif /* pCAL || sCAL */
2925
2926#ifdef PNG_sCAL_SUPPORTED
2927# ifdef PNG_FLOATING_POINT_SUPPORTED
2928/* Utility used below - a simple accurate power of ten from an integral
2929 * exponent.
2930 */
2931static double
2932png_pow10(int power)
2933{
2934 int recip = 0;
2935 double d = 1;
2936
2937 /* Handle negative exponent with a reciprocal at the end because
2938 * 10 is exact whereas .1 is inexact in base 2
2939 */
2940 if (power < 0)
2941 {
2942 if (power < DBL_MIN_10_EXP) return 0;
2943 recip = 1; power = -power;
2944 }
2945
2946 if (power > 0)
2947 {
2948 /* Decompose power bitwise. */
2949 double mult = 10;
2950 do
2951 {
2952 if (power & 1) d *= mult;
2953 mult *= mult;
2954 power >>= 1;
2955 }
2956 while (power > 0);
2957
2958 if (recip != 0) d = 1/d;
2959 }
2960 /* else power is 0 and d is 1 */
2961
2962 return d;
2963}
2964
2965/* Function to format a floating point value in ASCII with a given
2966 * precision.
2967 */
2968void /* PRIVATE */
2969png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, size_t size,
2970 double fp, unsigned int precision)
2971{
2972 /* We use standard functions from math.h, but not printf because
2973 * that would require stdio. The caller must supply a buffer of
2974 * sufficient size or we will png_error. The tests on size and
2975 * the space in ascii[] consumed are indicated below.
2976 */
2977 if (precision < 1)
2978 precision = DBL_DIG;
2979
2980 /* Enforce the limit of the implementation precision too. */
2981 if (precision > DBL_DIG+1)
2982 precision = DBL_DIG+1;
2983
2984 /* Basic sanity checks */
2985 if (size >= precision+5) /* See the requirements below. */
2986 {
2987 if (fp < 0)
2988 {
2989 fp = -fp;
2990 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */
2991 --size;
2992 }
2993
2994 if (fp >= DBL_MIN && fp <= DBL_MAX)
2995 {
2996 int exp_b10; /* A base 10 exponent */
2997 double base; /* 10^exp_b10 */
2998
2999 /* First extract a base 10 exponent of the number,
3000 * the calculation below rounds down when converting
3001 * from base 2 to base 10 (multiply by log10(2) -
3002 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
3003 * be increased. Note that the arithmetic shift
3004 * performs a floor() unlike C arithmetic - using a
3005 * C multiply would break the following for negative
3006 * exponents.
3007 */
3008 (void)frexp(fp, &exp_b10); /* exponent to base 2 */
3009
3010 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
3011
3012 /* Avoid underflow here. */
3013 base = png_pow10(exp_b10); /* May underflow */
3014
3015 while (base < DBL_MIN || base < fp)
3016 {
3017 /* And this may overflow. */
3018 double test = png_pow10(exp_b10+1);
3019
3020 if (test <= DBL_MAX)
3021 {
3022 ++exp_b10; base = test;
3023 }
3024
3025 else
3026 break;
3027 }
3028
3029 /* Normalize fp and correct exp_b10, after this fp is in the
3030 * range [.1,1) and exp_b10 is both the exponent and the digit
3031 * *before* which the decimal point should be inserted
3032 * (starting with 0 for the first digit). Note that this
3033 * works even if 10^exp_b10 is out of range because of the
3034 * test on DBL_MAX above.
3035 */
3036 fp /= base;
3037 while (fp >= 1)
3038 {
3039 fp /= 10; ++exp_b10;
3040 }
3041
3042 /* Because of the code above fp may, at this point, be
3043 * less than .1, this is ok because the code below can
3044 * handle the leading zeros this generates, so no attempt
3045 * is made to correct that here.
3046 */
3047
3048 {
3049 unsigned int czero, clead, cdigits;
3050 char exponent[10];
3051
3052 /* Allow up to two leading zeros - this will not lengthen
3053 * the number compared to using E-n.
3054 */
3055 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
3056 {
3057 czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */
3058 exp_b10 = 0; /* Dot added below before first output. */
3059 }
3060 else
3061 czero = 0; /* No zeros to add */
3062
3063 /* Generate the digit list, stripping trailing zeros and
3064 * inserting a '.' before a digit if the exponent is 0.
3065 */
3066 clead = czero; /* Count of leading zeros */
3067 cdigits = 0; /* Count of digits in list. */
3068
3069 do
3070 {
3071 double d;
3072
3073 fp *= 10;
3074 /* Use modf here, not floor and subtract, so that
3075 * the separation is done in one step. At the end
3076 * of the loop don't break the number into parts so
3077 * that the final digit is rounded.
3078 */
3079 if (cdigits+czero+1 < precision+clead)
3080 fp = modf(fp, &d);
3081
3082 else
3083 {
3084 d = floor(fp + .5);
3085
3086 if (d > 9)
3087 {
3088 /* Rounding up to 10, handle that here. */
3089 if (czero > 0)
3090 {
3091 --czero; d = 1;
3092 if (cdigits == 0) --clead;
3093 }
3094 else
3095 {
3096 while (cdigits > 0 && d > 9)
3097 {
3098 int ch = *--ascii;
3099
3100 if (exp_b10 != (-1))
3101 ++exp_b10;
3102
3103 else if (ch == 46)
3104 {
3105 ch = *--ascii; ++size;
3106 /* Advance exp_b10 to '1', so that the
3107 * decimal point happens after the
3108 * previous digit.
3109 */
3110 exp_b10 = 1;
3111 }
3112
3113 --cdigits;
3114 d = ch - 47; /* I.e. 1+(ch-48) */
3115 }
3116
3117 /* Did we reach the beginning? If so adjust the
3118 * exponent but take into account the leading
3119 * decimal point.
3120 */
3121 if (d > 9) /* cdigits == 0 */
3122 {
3123 if (exp_b10 == (-1))
3124 {
3125 /* Leading decimal point (plus zeros?), if
3126 * we lose the decimal point here it must
3127 * be reentered below.
3128 */
3129 int ch = *--ascii;
3130
3131 if (ch == 46)
3132 {
3133 ++size; exp_b10 = 1;
3134 }
3135
3136 /* Else lost a leading zero, so 'exp_b10' is
3137 * still ok at (-1)
3138 */
3139 }
3140 else
3141 ++exp_b10;
3142
3143 /* In all cases we output a '1' */
3144 d = 1;
3145 }
3146 }
3147 }
3148 fp = 0; /* Guarantees termination below. */
3149 }
3150
3151 if (d == 0)
3152 {
3153 ++czero;
3154 if (cdigits == 0) ++clead;
3155 }
3156 else
3157 {
3158 /* Included embedded zeros in the digit count. */
3159 cdigits += czero - clead;
3160 clead = 0;
3161
3162 while (czero > 0)
3163 {
3164 /* exp_b10 == (-1) means we just output the decimal
3165 * place - after the DP don't adjust 'exp_b10' any
3166 * more!
3167 */
3168 if (exp_b10 != (-1))
3169 {
3170 if (exp_b10 == 0)
3171 {
3172 *ascii++ = 46; --size;
3173 }
3174 /* PLUS 1: TOTAL 4 */
3175 --exp_b10;
3176 }
3177 *ascii++ = 48; --czero;
3178 }
3179
3180 if (exp_b10 != (-1))
3181 {
3182 if (exp_b10 == 0)
3183 {
3184 *ascii++ = 46; --size; /* counted above */
3185 }
3186
3187 --exp_b10;
3188 }
3189 *ascii++ = (char)(48 + (int)d); ++cdigits;
3190 }
3191 }
3192 while (cdigits+czero < precision+clead && fp > DBL_MIN);
3193
3194 /* The total output count (max) is now 4+precision */
3195
3196 /* Check for an exponent, if we don't need one we are
3197 * done and just need to terminate the string. At this
3198 * point, exp_b10==(-1) is effectively a flag: it got
3199 * to '-1' because of the decrement, after outputting
3200 * the decimal point above. (The exponent required is
3201 * *not* -1.)
3202 */
3203 if (exp_b10 >= (-1) && exp_b10 <= 2)
3204 {
3205 /* The following only happens if we didn't output the
3206 * leading zeros above for negative exponent, so this
3207 * doesn't add to the digit requirement. Note that the
3208 * two zeros here can only be output if the two leading
3209 * zeros were *not* output, so this doesn't increase
3210 * the output count.
3211 */
3212 while (exp_b10-- > 0) *ascii++ = 48;
3213
3214 *ascii = 0;
3215
3216 /* Total buffer requirement (including the '\0') is
3217 * 5+precision - see check at the start.
3218 */
3219 return;
3220 }
3221
3222 /* Here if an exponent is required, adjust size for
3223 * the digits we output but did not count. The total
3224 * digit output here so far is at most 1+precision - no
3225 * decimal point and no leading or trailing zeros have
3226 * been output.
3227 */
3228 size -= cdigits;
3229
3230 *ascii++ = 69; --size; /* 'E': PLUS 1 TOTAL 2+precision */
3231
3232 /* The following use of an unsigned temporary avoids ambiguities in
3233 * the signed arithmetic on exp_b10 and permits GCC at least to do
3234 * better optimization.
3235 */
3236 {
3237 unsigned int uexp_b10;
3238
3239 if (exp_b10 < 0)
3240 {
3241 *ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */
3242 uexp_b10 = 0U-exp_b10;
3243 }
3244
3245 else
3246 uexp_b10 = 0U+exp_b10;
3247
3248 cdigits = 0;
3249
3250 while (uexp_b10 > 0)
3251 {
3252 exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3253 uexp_b10 /= 10;
3254 }
3255 }
3256
3257 /* Need another size check here for the exponent digits, so
3258 * this need not be considered above.
3259 */
3260 if (size > cdigits)
3261 {
3262 while (cdigits > 0) *ascii++ = exponent[--cdigits];
3263
3264 *ascii = 0;
3265
3266 return;
3267 }
3268 }
3269 }
3270 else if (!(fp >= DBL_MIN))
3271 {
3272 *ascii++ = 48; /* '0' */
3273 *ascii = 0;
3274 return;
3275 }
3276 else
3277 {
3278 *ascii++ = 105; /* 'i' */
3279 *ascii++ = 110; /* 'n' */
3280 *ascii++ = 102; /* 'f' */
3281 *ascii = 0;
3282 return;
3283 }
3284 }
3285
3286 /* Here on buffer too small. */
3287 png_error(png_ptr, "ASCII conversion buffer too small");
3288}
3289# endif /* FLOATING_POINT */
3290
3291# ifdef PNG_FIXED_POINT_SUPPORTED
3292/* Function to format a fixed point value in ASCII.
3293 */
3294void /* PRIVATE */
3295png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3296 size_t size, png_fixed_point fp)
3297{
3298 /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3299 * trailing \0, 13 characters:
3300 */
3301 if (size > 12)
3302 {
3303 png_uint_32 num;
3304
3305 /* Avoid overflow here on the minimum integer. */
3306 if (fp < 0)
3307 {
3308 *ascii++ = 45; num = (png_uint_32)(-fp);
3309 }
3310 else
3311 num = (png_uint_32)fp;
3312
3313 if (num <= 0x80000000) /* else overflowed */
3314 {
3315 unsigned int ndigits = 0, first = 16 /* flag value */;
3316 char digits[10] = {0};
3317
3318 while (num)
3319 {
3320 /* Split the low digit off num: */
3321 unsigned int tmp = num/10;
3322 num -= tmp*10;
3323 digits[ndigits++] = (char)(48 + num);
3324 /* Record the first non-zero digit, note that this is a number
3325 * starting at 1, it's not actually the array index.
3326 */
3327 if (first == 16 && num > 0)
3328 first = ndigits;
3329 num = tmp;
3330 }
3331
3332 if (ndigits > 0)
3333 {
3334 while (ndigits > 5) *ascii++ = digits[--ndigits];
3335 /* The remaining digits are fractional digits, ndigits is '5' or
3336 * smaller at this point. It is certainly not zero. Check for a
3337 * non-zero fractional digit:
3338 */
3339 if (first <= 5)
3340 {
3341 unsigned int i;
3342 *ascii++ = 46; /* decimal point */
3343 /* ndigits may be <5 for small numbers, output leading zeros
3344 * then ndigits digits to first:
3345 */
3346 i = 5;
3347 while (ndigits < i)
3348 {
3349 *ascii++ = 48; --i;
3350 }
3351 while (ndigits >= first) *ascii++ = digits[--ndigits];
3352 /* Don't output the trailing zeros! */
3353 }
3354 }
3355 else
3356 *ascii++ = 48;
3357
3358 /* And null terminate the string: */
3359 *ascii = 0;
3360 return;
3361 }
3362 }
3363
3364 /* Here on buffer too small. */
3365 png_error(png_ptr, "ASCII conversion buffer too small");
3366}
3367# endif /* FIXED_POINT */
3368#endif /* SCAL */
3369
3370#if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3371 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3372 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3373 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3374 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3375 (defined(PNG_sCAL_SUPPORTED) && \
3376 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3377png_fixed_point
3378png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3379{
3380 double r = floor(100000 * fp + .5);
3381
3382 if (r > 2147483647. || r < -2147483648.)
3383 png_fixed_error(png_ptr, text);
3384
3385# ifndef PNG_ERROR_TEXT_SUPPORTED
3386 PNG_UNUSED(text)
3387# endif
3388
3389 return (png_fixed_point)r;
3390}
3391#endif
3392
3393#if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3394 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3395/* muldiv functions */
3396/* This API takes signed arguments and rounds the result to the nearest
3397 * integer (or, for a fixed point number - the standard argument - to
3398 * the nearest .00001). Overflow and divide by zero are signalled in
3399 * the result, a boolean - true on success, false on overflow.
3400 */
3401int
3402png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3403 png_int_32 divisor)
3404{
3405 /* Return a * times / divisor, rounded. */
3406 if (divisor != 0)
3407 {
3408 if (a == 0 || times == 0)
3409 {
3410 *res = 0;
3411 return 1;
3412 }
3413 else
3414 {
3415#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3416 double r = a;
3417 r *= times;
3418 r /= divisor;
3419 r = floor(r+.5);
3420
3421 /* A png_fixed_point is a 32-bit integer. */
3422 if (r <= 2147483647. && r >= -2147483648.)
3423 {
3424 *res = (png_fixed_point)r;
3425 return 1;
3426 }
3427#else
3428 int negative = 0;
3429 png_uint_32 A, T, D;
3430 png_uint_32 s16, s32, s00;
3431
3432 if (a < 0)
3433 negative = 1, A = -a;
3434 else
3435 A = a;
3436
3437 if (times < 0)
3438 negative = !negative, T = -times;
3439 else
3440 T = times;
3441
3442 if (divisor < 0)
3443 negative = !negative, D = -divisor;
3444 else
3445 D = divisor;
3446
3447 /* Following can't overflow because the arguments only
3448 * have 31 bits each, however the result may be 32 bits.
3449 */
3450 s16 = (A >> 16) * (T & 0xffff) +
3451 (A & 0xffff) * (T >> 16);
3452 /* Can't overflow because the a*times bit is only 30
3453 * bits at most.
3454 */
3455 s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3456 s00 = (A & 0xffff) * (T & 0xffff);
3457
3458 s16 = (s16 & 0xffff) << 16;
3459 s00 += s16;
3460
3461 if (s00 < s16)
3462 ++s32; /* carry */
3463
3464 if (s32 < D) /* else overflow */
3465 {
3466 /* s32.s00 is now the 64-bit product, do a standard
3467 * division, we know that s32 < D, so the maximum
3468 * required shift is 31.
3469 */
3470 int bitshift = 32;
3471 png_fixed_point result = 0; /* NOTE: signed */
3472
3473 while (--bitshift >= 0)
3474 {
3475 png_uint_32 d32, d00;
3476
3477 if (bitshift > 0)
3478 d32 = D >> (32-bitshift), d00 = D << bitshift;
3479
3480 else
3481 d32 = 0, d00 = D;
3482
3483 if (s32 > d32)
3484 {
3485 if (s00 < d00) --s32; /* carry */
3486 s32 -= d32, s00 -= d00, result += 1<<bitshift;
3487 }
3488
3489 else
3490 if (s32 == d32 && s00 >= d00)
3491 s32 = 0, s00 -= d00, result += 1<<bitshift;
3492 }
3493
3494 /* Handle the rounding. */
3495 if (s00 >= (D >> 1))
3496 ++result;
3497
3498 if (negative != 0)
3499 result = -result;
3500
3501 /* Check for overflow. */
3502 if ((negative != 0 && result <= 0) ||
3503 (negative == 0 && result >= 0))
3504 {
3505 *res = result;
3506 return 1;
3507 }
3508 }
3509#endif
3510 }
3511 }
3512
3513 return 0;
3514}
3515#endif /* READ_GAMMA || INCH_CONVERSIONS */
3516
3517#if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3518/* The following is for when the caller doesn't much care about the
3519 * result.
3520 */
3521png_fixed_point
3522png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3523 png_int_32 divisor)
3524{
3525 png_fixed_point result;
3526
3527 if (png_muldiv(&result, a, times, divisor) != 0)
3528 return result;
3529
3530 png_warning(png_ptr, "fixed point overflow ignored");
3531 return 0;
3532}
3533#endif
3534
3535#ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3536/* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3537png_fixed_point
3538png_reciprocal(png_fixed_point a)
3539{
3540#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3541 double r = floor(1E10/a+.5);
3542
3543 if (r <= 2147483647. && r >= -2147483648.)
3544 return (png_fixed_point)r;
3545#else
3546 png_fixed_point res;
3547
3548 if (png_muldiv(&res, 100000, 100000, a) != 0)
3549 return res;
3550#endif
3551
3552 return 0; /* error/overflow */
3553}
3554
3555/* This is the shared test on whether a gamma value is 'significant' - whether
3556 * it is worth doing gamma correction.
3557 */
3558int /* PRIVATE */
3559png_gamma_significant(png_fixed_point gamma_val)
3560{
3561 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3562 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3563}
3564#endif
3565
3566#ifdef PNG_READ_GAMMA_SUPPORTED
3567#ifdef PNG_16BIT_SUPPORTED
3568/* A local convenience routine. */
3569static png_fixed_point
3570png_product2(png_fixed_point a, png_fixed_point b)
3571{
3572 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3573#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3574 double r = a * 1E-5;
3575 r *= b;
3576 r = floor(r+.5);
3577
3578 if (r <= 2147483647. && r >= -2147483648.)
3579 return (png_fixed_point)r;
3580#else
3581 png_fixed_point res;
3582
3583 if (png_muldiv(&res, a, b, 100000) != 0)
3584 return res;
3585#endif
3586
3587 return 0; /* overflow */
3588}
3589#endif /* 16BIT */
3590
3591/* The inverse of the above. */
3592png_fixed_point
3593png_reciprocal2(png_fixed_point a, png_fixed_point b)
3594{
3595 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3596#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3597 if (a != 0 && b != 0)
3598 {
3599 double r = 1E15/a;
3600 r /= b;
3601 r = floor(r+.5);
3602
3603 if (r <= 2147483647. && r >= -2147483648.)
3604 return (png_fixed_point)r;
3605 }
3606#else
3607 /* This may overflow because the range of png_fixed_point isn't symmetric,
3608 * but this API is only used for the product of file and screen gamma so it
3609 * doesn't matter that the smallest number it can produce is 1/21474, not
3610 * 1/100000
3611 */
3612 png_fixed_point res = png_product2(a, b);
3613
3614 if (res != 0)
3615 return png_reciprocal(res);
3616#endif
3617
3618 return 0; /* overflow */
3619}
3620#endif /* READ_GAMMA */
3621
3622#ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3623#ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3624/* Fixed point gamma.
3625 *
3626 * The code to calculate the tables used below can be found in the shell script
3627 * contrib/tools/intgamma.sh
3628 *
3629 * To calculate gamma this code implements fast log() and exp() calls using only
3630 * fixed point arithmetic. This code has sufficient precision for either 8-bit
3631 * or 16-bit sample values.
3632 *
3633 * The tables used here were calculated using simple 'bc' programs, but C double
3634 * precision floating point arithmetic would work fine.
3635 *
3636 * 8-bit log table
3637 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3638 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point
3639 * mantissa. The numbers are 32-bit fractions.
3640 */
3641static const png_uint_32
3642png_8bit_l2[128] =
3643{
3644 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3645 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3646 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3647 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3648 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3649 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3650 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3651 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3652 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3653 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3654 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3655 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3656 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3657 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3658 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3659 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3660 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3661 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3662 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3663 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3664 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3665 24347096U, 0U
3666
3667#if 0
3668 /* The following are the values for 16-bit tables - these work fine for the
3669 * 8-bit conversions but produce very slightly larger errors in the 16-bit
3670 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To
3671 * use these all the shifts below must be adjusted appropriately.
3672 */
3673 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3674 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3675 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3676 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3677 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3678 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3679 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3680 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3681 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3682 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3683 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3684 1119, 744, 372
3685#endif
3686};
3687
3688static png_int_32
3689png_log8bit(unsigned int x)
3690{
3691 unsigned int lg2 = 0;
3692 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3693 * because the log is actually negate that means adding 1. The final
3694 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3695 * input), return -1 for the overflow (log 0) case, - so the result is
3696 * always at most 19 bits.
3697 */
3698 if ((x &= 0xff) == 0)
3699 return -1;
3700
3701 if ((x & 0xf0) == 0)
3702 lg2 = 4, x <<= 4;
3703
3704 if ((x & 0xc0) == 0)
3705 lg2 += 2, x <<= 2;
3706
3707 if ((x & 0x80) == 0)
3708 lg2 += 1, x <<= 1;
3709
3710 /* result is at most 19 bits, so this cast is safe: */
3711 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3712}
3713
3714/* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3715 * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3716 * get an approximation then multiply the approximation by a correction factor
3717 * determined by the remaining up to 8 bits. This requires an additional step
3718 * in the 16-bit case.
3719 *
3720 * We want log2(value/65535), we have log2(v'/255), where:
3721 *
3722 * value = v' * 256 + v''
3723 * = v' * f
3724 *
3725 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3726 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3727 * than 258. The final factor also needs to correct for the fact that our 8-bit
3728 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3729 *
3730 * This gives a final formula using a calculated value 'x' which is value/v' and
3731 * scaling by 65536 to match the above table:
3732 *
3733 * log2(x/257) * 65536
3734 *
3735 * Since these numbers are so close to '1' we can use simple linear
3736 * interpolation between the two end values 256/257 (result -368.61) and 258/257
3737 * (result 367.179). The values used below are scaled by a further 64 to give
3738 * 16-bit precision in the interpolation:
3739 *
3740 * Start (256): -23591
3741 * Zero (257): 0
3742 * End (258): 23499
3743 */
3744#ifdef PNG_16BIT_SUPPORTED
3745static png_int_32
3746png_log16bit(png_uint_32 x)
3747{
3748 unsigned int lg2 = 0;
3749
3750 /* As above, but now the input has 16 bits. */
3751 if ((x &= 0xffff) == 0)
3752 return -1;
3753
3754 if ((x & 0xff00) == 0)
3755 lg2 = 8, x <<= 8;
3756
3757 if ((x & 0xf000) == 0)
3758 lg2 += 4, x <<= 4;
3759
3760 if ((x & 0xc000) == 0)
3761 lg2 += 2, x <<= 2;
3762
3763 if ((x & 0x8000) == 0)
3764 lg2 += 1, x <<= 1;
3765
3766 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3767 * value.
3768 */
3769 lg2 <<= 28;
3770 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3771
3772 /* Now we need to interpolate the factor, this requires a division by the top
3773 * 8 bits. Do this with maximum precision.
3774 */
3775 x = ((x << 16) + (x >> 9)) / (x >> 8);
3776
3777 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3778 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3779 * 16 bits to interpolate to get the low bits of the result. Round the
3780 * answer. Note that the end point values are scaled by 64 to retain overall
3781 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3782 * the overall scaling by 6-12. Round at every step.
3783 */
3784 x -= 1U << 24;
3785
3786 if (x <= 65536U) /* <= '257' */
3787 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3788
3789 else
3790 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3791
3792 /* Safe, because the result can't have more than 20 bits: */
3793 return (png_int_32)((lg2 + 2048) >> 12);
3794}
3795#endif /* 16BIT */
3796
3797/* The 'exp()' case must invert the above, taking a 20-bit fixed point
3798 * logarithmic value and returning a 16 or 8-bit number as appropriate. In
3799 * each case only the low 16 bits are relevant - the fraction - since the
3800 * integer bits (the top 4) simply determine a shift.
3801 *
3802 * The worst case is the 16-bit distinction between 65535 and 65534. This
3803 * requires perhaps spurious accuracy in the decoding of the logarithm to
3804 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance
3805 * of getting this accuracy in practice.
3806 *
3807 * To deal with this the following exp() function works out the exponent of the
3808 * fractional part of the logarithm by using an accurate 32-bit value from the
3809 * top four fractional bits then multiplying in the remaining bits.
3810 */
3811static const png_uint_32
3812png_32bit_exp[16] =
3813{
3814 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3815 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3816 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3817 2553802834U, 2445529972U, 2341847524U, 2242560872U
3818};
3819
3820/* Adjustment table; provided to explain the numbers in the code below. */
3821#if 0
3822for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3823 11 44937.64284865548751208448
3824 10 45180.98734845585101160448
3825 9 45303.31936980687359311872
3826 8 45364.65110595323018870784
3827 7 45395.35850361789624614912
3828 6 45410.72259715102037508096
3829 5 45418.40724413220722311168
3830 4 45422.25021786898173001728
3831 3 45424.17186732298419044352
3832 2 45425.13273269940811464704
3833 1 45425.61317555035558641664
3834 0 45425.85339951654943850496
3835#endif
3836
3837static png_uint_32
3838png_exp(png_fixed_point x)
3839{
3840 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3841 {
3842 /* Obtain a 4-bit approximation */
3843 png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];
3844
3845 /* Incorporate the low 12 bits - these decrease the returned value by
3846 * multiplying by a number less than 1 if the bit is set. The multiplier
3847 * is determined by the above table and the shift. Notice that the values
3848 * converge on 45426 and this is used to allow linear interpolation of the
3849 * low bits.
3850 */
3851 if (x & 0x800)
3852 e -= (((e >> 16) * 44938U) + 16U) >> 5;
3853
3854 if (x & 0x400)
3855 e -= (((e >> 16) * 45181U) + 32U) >> 6;
3856
3857 if (x & 0x200)
3858 e -= (((e >> 16) * 45303U) + 64U) >> 7;
3859
3860 if (x & 0x100)
3861 e -= (((e >> 16) * 45365U) + 128U) >> 8;
3862
3863 if (x & 0x080)
3864 e -= (((e >> 16) * 45395U) + 256U) >> 9;
3865
3866 if (x & 0x040)
3867 e -= (((e >> 16) * 45410U) + 512U) >> 10;
3868
3869 /* And handle the low 6 bits in a single block. */
3870 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3871
3872 /* Handle the upper bits of x. */
3873 e >>= x >> 16;
3874 return e;
3875 }
3876
3877 /* Check for overflow */
3878 if (x <= 0)
3879 return png_32bit_exp[0];
3880
3881 /* Else underflow */
3882 return 0;
3883}
3884
3885static png_byte
3886png_exp8bit(png_fixed_point lg2)
3887{
3888 /* Get a 32-bit value: */
3889 png_uint_32 x = png_exp(lg2);
3890
3891 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3892 * second, rounding, step can't overflow because of the first, subtraction,
3893 * step.
3894 */
3895 x -= x >> 8;
3896 return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);
3897}
3898
3899#ifdef PNG_16BIT_SUPPORTED
3900static png_uint_16
3901png_exp16bit(png_fixed_point lg2)
3902{
3903 /* Get a 32-bit value: */
3904 png_uint_32 x = png_exp(lg2);
3905
3906 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3907 x -= x >> 16;
3908 return (png_uint_16)((x + 32767U) >> 16);
3909}
3910#endif /* 16BIT */
3911#endif /* FLOATING_ARITHMETIC */
3912
3913png_byte
3914png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3915{
3916 if (value > 0 && value < 255)
3917 {
3918# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3919 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3920 * convert this to a floating point value. This includes values that
3921 * would overflow if 'value' were to be converted to 'int'.
3922 *
3923 * Apparently GCC, however, does an intermediate conversion to (int)
3924 * on some (ARM) but not all (x86) platforms, possibly because of
3925 * hardware FP limitations. (E.g. if the hardware conversion always
3926 * assumes the integer register contains a signed value.) This results
3927 * in ANSI-C undefined behavior for large values.
3928 *
3929 * Other implementations on the same machine might actually be ANSI-C90
3930 * conformant and therefore compile spurious extra code for the large
3931 * values.
3932 *
3933 * We can be reasonably sure that an unsigned to float conversion
3934 * won't be faster than an int to float one. Therefore this code
3935 * assumes responsibility for the undefined behavior, which it knows
3936 * can't happen because of the check above.
3937 *
3938 * Note the argument to this routine is an (unsigned int) because, on
3939 * 16-bit platforms, it is assigned a value which might be out of
3940 * range for an (int); that would result in undefined behavior in the
3941 * caller if the *argument* ('value') were to be declared (int).
3942 */
3943 double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);
3944 return (png_byte)r;
3945# else
3946 png_int_32 lg2 = png_log8bit(value);
3947 png_fixed_point res;
3948
3949 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3950 return png_exp8bit(res);
3951
3952 /* Overflow. */
3953 value = 0;
3954# endif
3955 }
3956
3957 return (png_byte)(value & 0xff);
3958}
3959
3960#ifdef PNG_16BIT_SUPPORTED
3961png_uint_16
3962png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3963{
3964 if (value > 0 && value < 65535)
3965 {
3966# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3967 /* The same (unsigned int)->(double) constraints apply here as above,
3968 * however in this case the (unsigned int) to (int) conversion can
3969 * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3970 * that this is not possible.
3971 */
3972 double r = floor(65535*pow((png_int_32)value/65535.,
3973 gamma_val*.00001)+.5);
3974 return (png_uint_16)r;
3975# else
3976 png_int_32 lg2 = png_log16bit(value);
3977 png_fixed_point res;
3978
3979 if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3980 return png_exp16bit(res);
3981
3982 /* Overflow. */
3983 value = 0;
3984# endif
3985 }
3986
3987 return (png_uint_16)value;
3988}
3989#endif /* 16BIT */
3990
3991/* This does the right thing based on the bit_depth field of the
3992 * png_struct, interpreting values as 8-bit or 16-bit. While the result
3993 * is nominally a 16-bit value if bit depth is 8 then the result is
3994 * 8-bit (as are the arguments.)
3995 */
3996png_uint_16 /* PRIVATE */
3997png_gamma_correct(png_structrp png_ptr, unsigned int value,
3998 png_fixed_point gamma_val)
3999{
4000 if (png_ptr->bit_depth == 8)
4001 return png_gamma_8bit_correct(value, gamma_val);
4002
4003#ifdef PNG_16BIT_SUPPORTED
4004 else
4005 return png_gamma_16bit_correct(value, gamma_val);
4006#else
4007 /* should not reach this */
4008 return 0;
4009#endif /* 16BIT */
4010}
4011
4012#ifdef PNG_16BIT_SUPPORTED
4013/* Internal function to build a single 16-bit table - the table consists of
4014 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
4015 * to shift the input values right (or 16-number_of_signifiant_bits).
4016 *
4017 * The caller is responsible for ensuring that the table gets cleaned up on
4018 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
4019 * should be somewhere that will be cleaned.
4020 */
4021static void
4022png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
4023 unsigned int shift, png_fixed_point gamma_val)
4024{
4025 /* Various values derived from 'shift': */
4026 unsigned int num = 1U << (8U - shift);
4027#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
4028 /* CSE the division and work round wacky GCC warnings (see the comments
4029 * in png_gamma_8bit_correct for where these come from.)
4030 */
4031 double fmax = 1.0 / (((png_int_32)1 << (16U - shift)) - 1);
4032#endif
4033 unsigned int max = (1U << (16U - shift)) - 1U;
4034 unsigned int max_by_2 = 1U << (15U - shift);
4035 unsigned int i;
4036
4037 png_uint_16pp table = *ptable =
4038 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4039
4040 for (i = 0; i < num; i++)
4041 {
4042 png_uint_16p sub_table = table[i] =
4043 (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
4044
4045 /* The 'threshold' test is repeated here because it can arise for one of
4046 * the 16-bit tables even if the others don't hit it.
4047 */
4048 if (png_gamma_significant(gamma_val) != 0)
4049 {
4050 /* The old code would overflow at the end and this would cause the
4051 * 'pow' function to return a result >1, resulting in an
4052 * arithmetic error. This code follows the spec exactly; ig is
4053 * the recovered input sample, it always has 8-16 bits.
4054 *
4055 * We want input * 65535/max, rounded, the arithmetic fits in 32
4056 * bits (unsigned) so long as max <= 32767.
4057 */
4058 unsigned int j;
4059 for (j = 0; j < 256; j++)
4060 {
4061 png_uint_32 ig = (j << (8-shift)) + i;
4062# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
4063 /* Inline the 'max' scaling operation: */
4064 /* See png_gamma_8bit_correct for why the cast to (int) is
4065 * required here.
4066 */
4067 double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);
4068 sub_table[j] = (png_uint_16)d;
4069# else
4070 if (shift != 0)
4071 ig = (ig * 65535U + max_by_2)/max;
4072
4073 sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
4074# endif
4075 }
4076 }
4077 else
4078 {
4079 /* We must still build a table, but do it the fast way. */
4080 unsigned int j;
4081
4082 for (j = 0; j < 256; j++)
4083 {
4084 png_uint_32 ig = (j << (8-shift)) + i;
4085
4086 if (shift != 0)
4087 ig = (ig * 65535U + max_by_2)/max;
4088
4089 sub_table[j] = (png_uint_16)ig;
4090 }
4091 }
4092 }
4093}
4094
4095/* NOTE: this function expects the *inverse* of the overall gamma transformation
4096 * required.
4097 */
4098static void
4099png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
4100 unsigned int shift, png_fixed_point gamma_val)
4101{
4102 unsigned int num = 1U << (8U - shift);
4103 unsigned int max = (1U << (16U - shift))-1U;
4104 unsigned int i;
4105 png_uint_32 last;
4106
4107 png_uint_16pp table = *ptable =
4108 (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4109
4110 /* 'num' is the number of tables and also the number of low bits of low
4111 * bits of the input 16-bit value used to select a table. Each table is
4112 * itself indexed by the high 8 bits of the value.
4113 */
4114 for (i = 0; i < num; i++)
4115 table[i] = (png_uint_16p)png_malloc(png_ptr,
4116 256 * (sizeof (png_uint_16)));
4117
4118 /* 'gamma_val' is set to the reciprocal of the value calculated above, so
4119 * pow(out,g) is an *input* value. 'last' is the last input value set.
4120 *
4121 * In the loop 'i' is used to find output values. Since the output is
4122 * 8-bit there are only 256 possible values. The tables are set up to
4123 * select the closest possible output value for each input by finding
4124 * the input value at the boundary between each pair of output values
4125 * and filling the table up to that boundary with the lower output
4126 * value.
4127 *
4128 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit
4129 * values the code below uses a 16-bit value in i; the values start at
4130 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4131 * entries are filled with 255). Start i at 128 and fill all 'last'
4132 * table entries <= 'max'
4133 */
4134 last = 0;
4135 for (i = 0; i < 255; ++i) /* 8-bit output value */
4136 {
4137 /* Find the corresponding maximum input value */
4138 png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
4139
4140 /* Find the boundary value in 16 bits: */
4141 png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
4142
4143 /* Adjust (round) to (16-shift) bits: */
4144 bound = (bound * max + 32768U)/65535U + 1U;
4145
4146 while (last < bound)
4147 {
4148 table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
4149 last++;
4150 }
4151 }
4152
4153 /* And fill in the final entries. */
4154 while (last < (num << 8))
4155 {
4156 table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
4157 last++;
4158 }
4159}
4160#endif /* 16BIT */
4161
4162/* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4163 * typically much faster). Note that libpng currently does no sBIT processing
4164 * (apparently contrary to the spec) so a 256-entry table is always generated.
4165 */
4166static void
4167png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4168 png_fixed_point gamma_val)
4169{
4170 unsigned int i;
4171 png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
4172
4173 if (png_gamma_significant(gamma_val) != 0)
4174 for (i=0; i<256; i++)
4175 table[i] = png_gamma_8bit_correct(i, gamma_val);
4176
4177 else
4178 for (i=0; i<256; ++i)
4179 table[i] = (png_byte)(i & 0xff);
4180}
4181
4182/* Used from png_read_destroy and below to release the memory used by the gamma
4183 * tables.
4184 */
4185void /* PRIVATE */
4186png_destroy_gamma_table(png_structrp png_ptr)
4187{
4188 png_free(png_ptr, png_ptr->gamma_table);
4189 png_ptr->gamma_table = NULL;
4190
4191#ifdef PNG_16BIT_SUPPORTED
4192 if (png_ptr->gamma_16_table != NULL)
4193 {
4194 int i;
4195 int istop = (1 << (8 - png_ptr->gamma_shift));
4196 for (i = 0; i < istop; i++)
4197 {
4198 png_free(png_ptr, png_ptr->gamma_16_table[i]);
4199 }
4200 png_free(png_ptr, png_ptr->gamma_16_table);
4201 png_ptr->gamma_16_table = NULL;
4202 }
4203#endif /* 16BIT */
4204
4205#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4206 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4207 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4208 png_free(png_ptr, png_ptr->gamma_from_1);
4209 png_ptr->gamma_from_1 = NULL;
4210 png_free(png_ptr, png_ptr->gamma_to_1);
4211 png_ptr->gamma_to_1 = NULL;
4212
4213#ifdef PNG_16BIT_SUPPORTED
4214 if (png_ptr->gamma_16_from_1 != NULL)
4215 {
4216 int i;
4217 int istop = (1 << (8 - png_ptr->gamma_shift));
4218 for (i = 0; i < istop; i++)
4219 {
4220 png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4221 }
4222 png_free(png_ptr, png_ptr->gamma_16_from_1);
4223 png_ptr->gamma_16_from_1 = NULL;
4224 }
4225 if (png_ptr->gamma_16_to_1 != NULL)
4226 {
4227 int i;
4228 int istop = (1 << (8 - png_ptr->gamma_shift));
4229 for (i = 0; i < istop; i++)
4230 {
4231 png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4232 }
4233 png_free(png_ptr, png_ptr->gamma_16_to_1);
4234 png_ptr->gamma_16_to_1 = NULL;
4235 }
4236#endif /* 16BIT */
4237#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4238}
4239
4240/* We build the 8- or 16-bit gamma tables here. Note that for 16-bit
4241 * tables, we don't make a full table if we are reducing to 8-bit in
4242 * the future. Note also how the gamma_16 tables are segmented so that
4243 * we don't need to allocate > 64K chunks for a full 16-bit table.
4244 */
4245void /* PRIVATE */
4246png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4247{
4248 png_debug(1, "in png_build_gamma_table");
4249
4250 /* Remove any existing table; this copes with multiple calls to
4251 * png_read_update_info. The warning is because building the gamma tables
4252 * multiple times is a performance hit - it's harmless but the ability to
4253 * call png_read_update_info() multiple times is new in 1.5.6 so it seems
4254 * sensible to warn if the app introduces such a hit.
4255 */
4256 if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
4257 {
4258 png_warning(png_ptr, "gamma table being rebuilt");
4259 png_destroy_gamma_table(png_ptr);
4260 }
4261
4262 if (bit_depth <= 8)
4263 {
4264 png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4265 png_ptr->screen_gamma > 0 ?
4266 png_reciprocal2(png_ptr->colorspace.gamma,
4267 png_ptr->screen_gamma) : PNG_FP_1);
4268
4269#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4270 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4271 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4272 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4273 {
4274 png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4275 png_reciprocal(png_ptr->colorspace.gamma));
4276
4277 png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4278 png_ptr->screen_gamma > 0 ?
4279 png_reciprocal(png_ptr->screen_gamma) :
4280 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4281 }
4282#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4283 }
4284#ifdef PNG_16BIT_SUPPORTED
4285 else
4286 {
4287 png_byte shift, sig_bit;
4288
4289 if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
4290 {
4291 sig_bit = png_ptr->sig_bit.red;
4292
4293 if (png_ptr->sig_bit.green > sig_bit)
4294 sig_bit = png_ptr->sig_bit.green;
4295
4296 if (png_ptr->sig_bit.blue > sig_bit)
4297 sig_bit = png_ptr->sig_bit.blue;
4298 }
4299 else
4300 sig_bit = png_ptr->sig_bit.gray;
4301
4302 /* 16-bit gamma code uses this equation:
4303 *
4304 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4305 *
4306 * Where 'iv' is the input color value and 'ov' is the output value -
4307 * pow(iv, gamma).
4308 *
4309 * Thus the gamma table consists of up to 256 256-entry tables. The table
4310 * is selected by the (8-gamma_shift) most significant of the low 8 bits
4311 * of the color value then indexed by the upper 8 bits:
4312 *
4313 * table[low bits][high 8 bits]
4314 *
4315 * So the table 'n' corresponds to all those 'iv' of:
4316 *
4317 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4318 *
4319 */
4320 if (sig_bit > 0 && sig_bit < 16U)
4321 /* shift == insignificant bits */
4322 shift = (png_byte)((16U - sig_bit) & 0xff);
4323
4324 else
4325 shift = 0; /* keep all 16 bits */
4326
4327 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4328 {
4329 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4330 * the significant bits in the *input* when the output will
4331 * eventually be 8 bits. By default it is 11.
4332 */
4333 if (shift < (16U - PNG_MAX_GAMMA_8))
4334 shift = (16U - PNG_MAX_GAMMA_8);
4335 }
4336
4337 if (shift > 8U)
4338 shift = 8U; /* Guarantees at least one table! */
4339
4340 png_ptr->gamma_shift = shift;
4341
4342 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4343 * PNG_COMPOSE). This effectively smashed the background calculation for
4344 * 16-bit output because the 8-bit table assumes the result will be
4345 * reduced to 8 bits.
4346 */
4347 if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4348 png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4349 png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
4350 png_ptr->screen_gamma) : PNG_FP_1);
4351
4352 else
4353 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4354 png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
4355 png_ptr->screen_gamma) : PNG_FP_1);
4356
4357#if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4358 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4359 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4360 if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4361 {
4362 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4363 png_reciprocal(png_ptr->colorspace.gamma));
4364
4365 /* Notice that the '16 from 1' table should be full precision, however
4366 * the lookup on this table still uses gamma_shift, so it can't be.
4367 * TODO: fix this.
4368 */
4369 png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4370 png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
4371 png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4372 }
4373#endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4374 }
4375#endif /* 16BIT */
4376}
4377#endif /* READ_GAMMA */
4378
4379/* HARDWARE OR SOFTWARE OPTION SUPPORT */
4380#ifdef PNG_SET_OPTION_SUPPORTED
4381int PNGAPI
4382png_set_option(png_structrp png_ptr, int option, int onoff)
4383{
4384 if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4385 (option & 1) == 0)
4386 {
4387 png_uint_32 mask = 3U << option;
4388 png_uint_32 setting = (2U + (onoff != 0)) << option;
4389 png_uint_32 current = png_ptr->options;
4390
4391 png_ptr->options = (png_uint_32)((current & ~mask) | setting);
4392
4393 return (int)(current & mask) >> option;
4394 }
4395
4396 return PNG_OPTION_INVALID;
4397}
4398#endif
4399
4400/* sRGB support */
4401#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4402 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4403/* sRGB conversion tables; these are machine generated with the code in
4404 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the
4405 * specification (see the article at https://en.wikipedia.org/wiki/SRGB)
4406 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4407 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4408 * The inverse (linear to sRGB) table has accuracies as follows:
4409 *
4410 * For all possible (255*65535+1) input values:
4411 *
4412 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4413 *
4414 * For the input values corresponding to the 65536 16-bit values:
4415 *
4416 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4417 *
4418 * In all cases the inexact readings are only off by one.
4419 */
4420
4421#ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4422/* The convert-to-sRGB table is only currently required for read. */
4423const png_uint_16 png_sRGB_table[256] =
4424{
4425 0,20,40,60,80,99,119,139,
4426 159,179,199,219,241,264,288,313,
4427 340,367,396,427,458,491,526,562,
4428 599,637,677,718,761,805,851,898,
4429 947,997,1048,1101,1156,1212,1270,1330,
4430 1391,1453,1517,1583,1651,1720,1790,1863,
4431 1937,2013,2090,2170,2250,2333,2418,2504,
4432 2592,2681,2773,2866,2961,3058,3157,3258,
4433 3360,3464,3570,3678,3788,3900,4014,4129,
4434 4247,4366,4488,4611,4736,4864,4993,5124,
4435 5257,5392,5530,5669,5810,5953,6099,6246,
4436 6395,6547,6700,6856,7014,7174,7335,7500,
4437 7666,7834,8004,8177,8352,8528,8708,8889,
4438 9072,9258,9445,9635,9828,10022,10219,10417,
4439 10619,10822,11028,11235,11446,11658,11873,12090,
4440 12309,12530,12754,12980,13209,13440,13673,13909,
4441 14146,14387,14629,14874,15122,15371,15623,15878,
4442 16135,16394,16656,16920,17187,17456,17727,18001,
4443 18277,18556,18837,19121,19407,19696,19987,20281,
4444 20577,20876,21177,21481,21787,22096,22407,22721,
4445 23038,23357,23678,24002,24329,24658,24990,25325,
4446 25662,26001,26344,26688,27036,27386,27739,28094,
4447 28452,28813,29176,29542,29911,30282,30656,31033,
4448 31412,31794,32179,32567,32957,33350,33745,34143,
4449 34544,34948,35355,35764,36176,36591,37008,37429,
4450 37852,38278,38706,39138,39572,40009,40449,40891,
4451 41337,41785,42236,42690,43147,43606,44069,44534,
4452 45002,45473,45947,46423,46903,47385,47871,48359,
4453 48850,49344,49841,50341,50844,51349,51858,52369,
4454 52884,53401,53921,54445,54971,55500,56032,56567,
4455 57105,57646,58190,58737,59287,59840,60396,60955,
4456 61517,62082,62650,63221,63795,64372,64952,65535
4457};
4458#endif /* SIMPLIFIED_READ */
4459
4460/* The base/delta tables are required for both read and write (but currently
4461 * only the simplified versions.)
4462 */
4463const png_uint_16 png_sRGB_base[512] =
4464{
4465 128,1782,3383,4644,5675,6564,7357,8074,
4466 8732,9346,9921,10463,10977,11466,11935,12384,
4467 12816,13233,13634,14024,14402,14769,15125,15473,
4468 15812,16142,16466,16781,17090,17393,17690,17981,
4469 18266,18546,18822,19093,19359,19621,19879,20133,
4470 20383,20630,20873,21113,21349,21583,21813,22041,
4471 22265,22487,22707,22923,23138,23350,23559,23767,
4472 23972,24175,24376,24575,24772,24967,25160,25352,
4473 25542,25730,25916,26101,26284,26465,26645,26823,
4474 27000,27176,27350,27523,27695,27865,28034,28201,
4475 28368,28533,28697,28860,29021,29182,29341,29500,
4476 29657,29813,29969,30123,30276,30429,30580,30730,
4477 30880,31028,31176,31323,31469,31614,31758,31902,
4478 32045,32186,32327,32468,32607,32746,32884,33021,
4479 33158,33294,33429,33564,33697,33831,33963,34095,
4480 34226,34357,34486,34616,34744,34873,35000,35127,
4481 35253,35379,35504,35629,35753,35876,35999,36122,
4482 36244,36365,36486,36606,36726,36845,36964,37083,
4483 37201,37318,37435,37551,37668,37783,37898,38013,
4484 38127,38241,38354,38467,38580,38692,38803,38915,
4485 39026,39136,39246,39356,39465,39574,39682,39790,
4486 39898,40005,40112,40219,40325,40431,40537,40642,
4487 40747,40851,40955,41059,41163,41266,41369,41471,
4488 41573,41675,41777,41878,41979,42079,42179,42279,
4489 42379,42478,42577,42676,42775,42873,42971,43068,
4490 43165,43262,43359,43456,43552,43648,43743,43839,
4491 43934,44028,44123,44217,44311,44405,44499,44592,
4492 44685,44778,44870,44962,45054,45146,45238,45329,
4493 45420,45511,45601,45692,45782,45872,45961,46051,
4494 46140,46229,46318,46406,46494,46583,46670,46758,
4495 46846,46933,47020,47107,47193,47280,47366,47452,
4496 47538,47623,47709,47794,47879,47964,48048,48133,
4497 48217,48301,48385,48468,48552,48635,48718,48801,
4498 48884,48966,49048,49131,49213,49294,49376,49458,
4499 49539,49620,49701,49782,49862,49943,50023,50103,
4500 50183,50263,50342,50422,50501,50580,50659,50738,
4501 50816,50895,50973,51051,51129,51207,51285,51362,
4502 51439,51517,51594,51671,51747,51824,51900,51977,
4503 52053,52129,52205,52280,52356,52432,52507,52582,
4504 52657,52732,52807,52881,52956,53030,53104,53178,
4505 53252,53326,53400,53473,53546,53620,53693,53766,
4506 53839,53911,53984,54056,54129,54201,54273,54345,
4507 54417,54489,54560,54632,54703,54774,54845,54916,
4508 54987,55058,55129,55199,55269,55340,55410,55480,
4509 55550,55620,55689,55759,55828,55898,55967,56036,
4510 56105,56174,56243,56311,56380,56448,56517,56585,
4511 56653,56721,56789,56857,56924,56992,57059,57127,
4512 57194,57261,57328,57395,57462,57529,57595,57662,
4513 57728,57795,57861,57927,57993,58059,58125,58191,
4514 58256,58322,58387,58453,58518,58583,58648,58713,
4515 58778,58843,58908,58972,59037,59101,59165,59230,
4516 59294,59358,59422,59486,59549,59613,59677,59740,
4517 59804,59867,59930,59993,60056,60119,60182,60245,
4518 60308,60370,60433,60495,60558,60620,60682,60744,
4519 60806,60868,60930,60992,61054,61115,61177,61238,
4520 61300,61361,61422,61483,61544,61605,61666,61727,
4521 61788,61848,61909,61969,62030,62090,62150,62211,
4522 62271,62331,62391,62450,62510,62570,62630,62689,
4523 62749,62808,62867,62927,62986,63045,63104,63163,
4524 63222,63281,63340,63398,63457,63515,63574,63632,
4525 63691,63749,63807,63865,63923,63981,64039,64097,
4526 64155,64212,64270,64328,64385,64443,64500,64557,
4527 64614,64672,64729,64786,64843,64900,64956,65013,
4528 65070,65126,65183,65239,65296,65352,65409,65465
4529};
4530
4531const png_byte png_sRGB_delta[512] =
4532{
4533 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4534 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4535 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4536 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4537 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4538 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4539 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4540 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4541 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4542 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4543 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4544 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4545 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4546 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4547 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4548 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4549 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4550 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4551 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4552 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4553 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4554 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4555 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4556 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4557 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4558 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4559 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4560 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4561 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4562 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4563 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4564 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4565};
4566#endif /* SIMPLIFIED READ/WRITE sRGB support */
4567
4568/* SIMPLIFIED READ/WRITE SUPPORT */
4569#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4570 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4571static int
4572png_image_free_function(png_voidp argument)
4573{
4574 png_imagep image = png_voidcast(png_imagep, argument);
4575 png_controlp cp = image->opaque;
4576 png_control c;
4577
4578 /* Double check that we have a png_ptr - it should be impossible to get here
4579 * without one.
4580 */
4581 if (cp->png_ptr == NULL)
4582 return 0;
4583
4584 /* First free any data held in the control structure. */
4585# ifdef PNG_STDIO_SUPPORTED
4586 if (cp->owned_file != 0)
4587 {
4588 FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4589 cp->owned_file = 0;
4590
4591 /* Ignore errors here. */
4592 if (fp != NULL)
4593 {
4594 cp->png_ptr->io_ptr = NULL;
4595 (void)fclose(fp);
4596 }
4597 }
4598# endif
4599
4600 /* Copy the control structure so that the original, allocated, version can be
4601 * safely freed. Notice that a png_error here stops the remainder of the
4602 * cleanup, but this is probably fine because that would indicate bad memory
4603 * problems anyway.
4604 */
4605 c = *cp;
4606 image->opaque = &c;
4607 png_free(c.png_ptr, cp);
4608
4609 /* Then the structures, calling the correct API. */
4610 if (c.for_write != 0)
4611 {
4612# ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4613 png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4614# else
4615 png_error(c.png_ptr, "simplified write not supported");
4616# endif
4617 }
4618 else
4619 {
4620# ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4621 png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4622# else
4623 png_error(c.png_ptr, "simplified read not supported");
4624# endif
4625 }
4626
4627 /* Success. */
4628 return 1;
4629}
4630
4631void PNGAPI
4632png_image_free(png_imagep image)
4633{
4634 /* Safely call the real function, but only if doing so is safe at this point
4635 * (if not inside an error handling context). Otherwise assume
4636 * png_safe_execute will call this API after the return.
4637 */
4638 if (image != NULL && image->opaque != NULL &&
4639 image->opaque->error_buf == NULL)
4640 {
4641 png_image_free_function(image);
4642 image->opaque = NULL;
4643 }
4644}
4645
4646int /* PRIVATE */
4647png_image_error(png_imagep image, png_const_charp error_message)
4648{
4649 /* Utility to log an error. */
4650 png_safecat(image->message, (sizeof image->message), 0, error_message);
4651 image->warning_or_error |= PNG_IMAGE_ERROR;
4652 png_image_free(image);
4653 return 0;
4654}
4655
4656#endif /* SIMPLIFIED READ/WRITE */
4657#endif /* READ || WRITE */
注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette