diff options
author | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-03-18 18:22:04 +0000 |
---|---|---|
committer | agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-03-18 18:22:04 +0000 |
commit | 71b9d6403ceaaef6b2b258fbb32f1a77b7c875e6 (patch) | |
tree | 30c9d23615c9d559a845b282a18b994d417e8f40 /third_party/libpng/pngrutil.c | |
parent | fe5aac24dff85b8a035dbda9660d7b470fb08df0 (diff) | |
download | chromium_src-71b9d6403ceaaef6b2b258fbb32f1a77b7c875e6.zip chromium_src-71b9d6403ceaaef6b2b258fbb32f1a77b7c875e6.tar.gz chromium_src-71b9d6403ceaaef6b2b258fbb32f1a77b7c875e6.tar.bz2 |
libpng: update to 1.2.43
I unpacked libpng 1.2.43 and did:
cd third_party/libpng
for x in $(ls -1) ; do cp /tmp/libpng-1.2.43/$x .; done
The diffs appear to all be safe. The Chromium specific config is in pngusr.h
and isn't touched by this change.
1.2.43 fixes http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
c7013d773eb45b8ed6a864e419e544106a0dd95d /tmp/libpng-1.2.43.tar.xz
BUG=38512
TEST=none
http://codereview.chromium.org/1118002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@41972 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party/libpng/pngrutil.c')
-rw-r--r-- | third_party/libpng/pngrutil.c | 567 |
1 files changed, 340 insertions, 227 deletions
diff --git a/third_party/libpng/pngrutil.c b/third_party/libpng/pngrutil.c index ae1e3f7..9fd48be 100644 --- a/third_party/libpng/pngrutil.c +++ b/third_party/libpng/pngrutil.c @@ -1,28 +1,33 @@ /* pngrutil.c - utilities to read a PNG file * - * Last changed in libpng 1.2.37 [June 4, 2009] - * For conditions of distribution and use, see copyright notice in png.h + * Last changed in libpng 1.2.43 [February 25, 2010] * Copyright (c) 1998-2009 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * + * This code is released under the libpng license. + * For conditions of distribution and use, see the disclaimer + * and license in png.h + * * This file contains routines that are only called from within * libpng itself during the course of reading an image. */ #define PNG_INTERNAL +#define PNG_NO_PEDANTIC_WARNINGS #include "png.h" -#if defined(PNG_READ_SUPPORTED) +#ifdef PNG_READ_SUPPORTED #if defined(_WIN32_WCE) && (_WIN32_WCE<0x500) # define WIN32_WCE_OLD #endif #ifdef PNG_FLOATING_POINT_SUPPORTED -# if defined(WIN32_WCE_OLD) +# ifdef WIN32_WCE_OLD /* The strtod() function is not supported on WindowsCE */ -__inline double png_strtod(png_structp png_ptr, PNG_CONST char *nptr, char **endptr) +__inline double png_strtod(png_structp png_ptr, PNG_CONST char *nptr, + char **endptr) { double result = 0; int len; @@ -213,180 +218,205 @@ png_crc_error(png_structp png_ptr) #if defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) || \ defined(PNG_READ_iCCP_SUPPORTED) -/* - * Decompress trailing data in a chunk. The assumption is that chunkdata - * points at an allocated area holding the contents of a chunk with a - * trailing compressed part. What we get back is an allocated area - * holding the original prefix part and an uncompressed version of the - * trailing part (the malloc area passed in is freed). - */ -void /* PRIVATE */ -png_decompress_chunk(png_structp png_ptr, int comp_type, - png_size_t chunklength, - png_size_t prefix_size, png_size_t *newlength) +static png_size_t +png_inflate(png_structp png_ptr, const png_byte *data, png_size_t size, + png_bytep output, png_size_t output_size) { - static PNG_CONST char msg[] = "Error decoding compressed text"; - png_charp text; - png_size_t text_size; + png_size_t count = 0; + + png_ptr->zstream.next_in = (png_bytep)data; /* const_cast: VALID */ + png_ptr->zstream.avail_in = size; - if (comp_type == PNG_COMPRESSION_TYPE_BASE) + while (1) { - int ret = Z_OK; - png_ptr->zstream.next_in = (png_bytep)(png_ptr->chunkdata + prefix_size); - png_ptr->zstream.avail_in = (uInt)(chunklength - prefix_size); + int ret, avail; + + /* Reset the output buffer each time round - we empty it + * after every inflate call. + */ png_ptr->zstream.next_out = png_ptr->zbuf; - png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size; + png_ptr->zstream.avail_out = png_ptr->zbuf_size; - text_size = 0; - text = NULL; + ret = inflate(&png_ptr->zstream, Z_NO_FLUSH); + avail = png_ptr->zbuf_size - png_ptr->zstream.avail_out; - while (png_ptr->zstream.avail_in) + /* First copy/count any new output - but only if we didn't + * get an error code. + */ + if ((ret == Z_OK || ret == Z_STREAM_END) && avail > 0) { - ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH); - if (ret != Z_OK && ret != Z_STREAM_END) - { - if (png_ptr->zstream.msg != NULL) - png_warning(png_ptr, png_ptr->zstream.msg); - else - png_warning(png_ptr, msg); - inflateReset(&png_ptr->zstream); - png_ptr->zstream.avail_in = 0; + if (output != 0 && output_size > count) + { + int copy = output_size - count; + if (avail < copy) copy = avail; + png_memcpy(output + count, png_ptr->zbuf, copy); + } + count += avail; + } - if (text == NULL) - { - text_size = prefix_size + png_sizeof(msg) + 1; - text = (png_charp)png_malloc_warn(png_ptr, text_size); - if (text == NULL) - { - png_free(png_ptr, png_ptr->chunkdata); - png_ptr->chunkdata = NULL; - png_error(png_ptr, "Not enough memory to decompress chunk"); - } - png_memcpy(text, png_ptr->chunkdata, prefix_size); - } + if (ret == Z_OK) + continue; - text[text_size - 1] = 0x00; + /* Termination conditions - always reset the zstream, it + * must be left in inflateInit state. + */ + png_ptr->zstream.avail_in = 0; + inflateReset(&png_ptr->zstream); - /* Copy what we can of the error message into the text chunk */ - text_size = (png_size_t)(chunklength - - (text - png_ptr->chunkdata) - 1); - if (text_size > png_sizeof(msg)) - text_size = png_sizeof(msg); - png_memcpy(text + prefix_size, msg, text_size); - break; - } - if (!png_ptr->zstream.avail_out || ret == Z_STREAM_END) - { - if (text == NULL) - { - text_size = prefix_size + - png_ptr->zbuf_size - png_ptr->zstream.avail_out; - text = (png_charp)png_malloc_warn(png_ptr, text_size + 1); - if (text == NULL) - { - png_free(png_ptr, png_ptr->chunkdata); - png_ptr->chunkdata = NULL; - png_error(png_ptr, - "Not enough memory to decompress chunk."); - } - png_memcpy(text + prefix_size, png_ptr->zbuf, - text_size - prefix_size); - png_memcpy(text, png_ptr->chunkdata, prefix_size); - *(text + text_size) = 0x00; - } - else - { - png_charp tmp; + if (ret == Z_STREAM_END) + return count; /* NOTE: may be zero. */ - tmp = text; - text = (png_charp)png_malloc_warn(png_ptr, - (png_uint_32)(text_size + - png_ptr->zbuf_size - png_ptr->zstream.avail_out + 1)); - if (text == NULL) - { - png_free(png_ptr, tmp); - png_free(png_ptr, png_ptr->chunkdata); - png_ptr->chunkdata = NULL; - png_error(png_ptr, - "Not enough memory to decompress chunk.."); - } - png_memcpy(text, tmp, text_size); - png_free(png_ptr, tmp); - png_memcpy(text + text_size, png_ptr->zbuf, - (png_ptr->zbuf_size - png_ptr->zstream.avail_out)); - text_size += png_ptr->zbuf_size - png_ptr->zstream.avail_out; - *(text + text_size) = 0x00; - } - if (ret == Z_STREAM_END) - break; - else - { - png_ptr->zstream.next_out = png_ptr->zbuf; - png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size; - } - } - } - if (ret != Z_STREAM_END) + /* Now handle the error codes - the API always returns 0 + * and the error message is dumped into the uncompressed + * buffer if available. + */ { -#if !defined(PNG_NO_STDIO) && !defined(_WIN32_WCE) - char umsg[52]; + char *msg, umsg[52]; + if (png_ptr->zstream.msg != 0) + msg = png_ptr->zstream.msg; + else + { +#if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE) + switch (ret) + { + case Z_BUF_ERROR: + msg = "Buffer error in compressed datastream in %s chunk"; + break; + case Z_DATA_ERROR: + msg = "Data error in compressed datastream in %s chunk"; + break; + default: + msg = "Incomplete compressed datastream in %s chunk"; + break; + } + + png_snprintf(umsg, sizeof umsg, msg, png_ptr->chunk_name); + msg = umsg; +#else + msg = "Damaged compressed datastream in chunk other than IDAT"; +#endif + } - if (ret == Z_BUF_ERROR) - png_snprintf(umsg, 52, - "Buffer error in compressed datastream in %s chunk", - png_ptr->chunk_name); + png_warning(png_ptr, msg); + } - else if (ret == Z_DATA_ERROR) - png_snprintf(umsg, 52, - "Data error in compressed datastream in %s chunk", - png_ptr->chunk_name); + /* 0 means an error - notice that this code simple ignores + * zero length compressed chunks as a result. + */ + return 0; + } +} - else - png_snprintf(umsg, 52, - "Incomplete compressed datastream in %s chunk", - png_ptr->chunk_name); +/* + * Decompress trailing data in a chunk. The assumption is that chunkdata + * points at an allocated area holding the contents of a chunk with a + * trailing compressed part. What we get back is an allocated area + * holding the original prefix part and an uncompressed version of the + * trailing part (the malloc area passed in is freed). + */ +void /* PRIVATE */ +png_decompress_chunk(png_structp png_ptr, int comp_type, + png_size_t chunklength, + png_size_t prefix_size, png_size_t *newlength) +{ + /* The caller should guarantee this */ + if (prefix_size > chunklength) + { + /* The recovery is to delete the chunk. */ + png_warning(png_ptr, "invalid chunklength"); + prefix_size = 0; /* To delete everything */ + } - png_warning(png_ptr, umsg); + else if (comp_type == PNG_COMPRESSION_TYPE_BASE) + { + png_size_t expanded_size = png_inflate(png_ptr, + (png_bytep)(png_ptr->chunkdata + prefix_size), + chunklength - prefix_size, + 0/*output*/, 0/*output size*/); + + /* Now check the limits on this chunk - if the limit fails the + * compressed data will be removed, the prefix will remain. + */ +#ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED + if (png_ptr->user_chunk_malloc_max && + (prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1)) #else - png_warning(png_ptr, - "Incomplete compressed datastream in chunk other than IDAT"); + if ((PNG_USER_CHUNK_MALLOC_MAX > 0) && + prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1) #endif - text_size = prefix_size; - if (text == NULL) - { - text = (png_charp)png_malloc_warn(png_ptr, text_size+1); - if (text == NULL) - { - png_free(png_ptr, png_ptr->chunkdata); - png_ptr->chunkdata = NULL; - png_error(png_ptr, "Not enough memory for text."); - } - png_memcpy(text, png_ptr->chunkdata, prefix_size); - } - *(text + text_size) = 0x00; - } + png_warning(png_ptr, "Exceeded size limit while expanding chunk"); - inflateReset(&png_ptr->zstream); - png_ptr->zstream.avail_in = 0; + /* If the size is zero either there was an error and a message + * has already been output (warning) or the size really is zero + * and we have nothing to do - the code will exit through the + * error case below. + */ + else if (expanded_size > 0) + { + /* Success (maybe) - really uncompress the chunk. */ + png_size_t new_size = 0; + png_charp text = png_malloc_warn(png_ptr, + prefix_size + expanded_size + 1); - png_free(png_ptr, png_ptr->chunkdata); - png_ptr->chunkdata = text; - *newlength=text_size; + if (text != NULL) + { + png_memcpy(text, png_ptr->chunkdata, prefix_size); + new_size = png_inflate(png_ptr, + (png_bytep)(png_ptr->chunkdata + prefix_size), + chunklength - prefix_size, + (png_bytep)(text + prefix_size), expanded_size); + text[prefix_size + expanded_size] = 0; /* just in case */ + + if (new_size == expanded_size) + { + png_free(png_ptr, png_ptr->chunkdata); + png_ptr->chunkdata = text; + *newlength = prefix_size + expanded_size; + return; /* The success return! */ + } + + png_warning(png_ptr, "png_inflate logic error"); + png_free(png_ptr, text); + } + else + png_warning(png_ptr, "Not enough memory to decompress chunk."); + } } + else /* if (comp_type != PNG_COMPRESSION_TYPE_BASE) */ { -#if !defined(PNG_NO_STDIO) && !defined(_WIN32_WCE) char umsg[50]; - png_snprintf(umsg, 50, "Unknown zTXt compression type %d", comp_type); +#if defined(PNG_STDIO_SUPPORTED) && !defined(_WIN32_WCE) + png_snprintf(umsg, sizeof umsg, "Unknown zTXt compression type %d", comp_type); png_warning(png_ptr, umsg); #else png_warning(png_ptr, "Unknown zTXt compression type"); #endif - *(png_ptr->chunkdata + prefix_size) = 0x00; - *newlength = prefix_size; + /* The recovery is to simply drop the data. */ } + + /* Generic error return - leave the prefix, delete the compressed + * data, reallocate the chunkdata to remove the potentially large + * amount of compressed data. + */ + { + png_charp text = png_malloc_warn(png_ptr, prefix_size + 1); + if (text != NULL) + { + if (prefix_size > 0) + png_memcpy(text, png_ptr->chunkdata, prefix_size); + png_free(png_ptr, png_ptr->chunkdata); + png_ptr->chunkdata = text; + + /* This is an extra zero in the 'uncompressed' part. */ + *(png_ptr->chunkdata + prefix_size) = 0x00; + } + /* Ignore a malloc error here - it is safe. */ + } + + *newlength = prefix_size; } #endif @@ -427,7 +457,7 @@ png_handle_IHDR(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_ptr->bit_depth = (png_byte)bit_depth; png_ptr->interlaced = (png_byte)interlace_type; png_ptr->color_type = (png_byte)color_type; -#if defined(PNG_MNG_FEATURES_SUPPORTED) +#ifdef PNG_MNG_FEATURES_SUPPORTED png_ptr->filter_type = (png_byte)filter_type; #endif png_ptr->compression_type = (png_byte)compression_type; @@ -470,7 +500,7 @@ png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { png_color palette[PNG_MAX_PALETTE_LENGTH]; int num, i; -#ifndef PNG_NO_POINTER_INDEXING +#ifdef PNG_POINTER_INDEXING_SUPPORTED png_colorp pal_ptr; #endif @@ -498,7 +528,7 @@ png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_crc_finish(png_ptr, length); return; } -#if !defined(PNG_READ_OPT_PLTE_SUPPORTED) +#ifndef PNG_READ_OPT_PLTE_SUPPORTED if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE) { png_crc_finish(png_ptr, length); @@ -523,7 +553,7 @@ png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) num = (int)length / 3; -#ifndef PNG_NO_POINTER_INDEXING +#ifdef PNG_POINTER_INDEXING_SUPPORTED for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++) { png_byte buf[3]; @@ -551,13 +581,13 @@ png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) * have an RGB image, the PLTE can be considered ancillary, so * we will act as though it is. */ -#if !defined(PNG_READ_OPT_PLTE_SUPPORTED) +#ifndef PNG_READ_OPT_PLTE_SUPPORTED if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) #endif { png_crc_finish(png_ptr, 0); } -#if !defined(PNG_READ_OPT_PLTE_SUPPORTED) +#ifndef PNG_READ_OPT_PLTE_SUPPORTED else if (png_crc_error(png_ptr)) /* Only if we have a CRC error */ { /* If we don't want to use the data from an ancillary chunk, @@ -586,7 +616,7 @@ png_handle_PLTE(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_set_PLTE(png_ptr, info_ptr, palette, num); -#if defined(PNG_READ_tRNS_SUPPORTED) +#ifdef PNG_READ_tRNS_SUPPORTED if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) { if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS)) @@ -628,7 +658,7 @@ png_handle_IEND(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) info_ptr = info_ptr; /* Quiet compiler warnings about unused info_ptr */ } -#if defined(PNG_READ_gAMA_SUPPORTED) +#ifdef PNG_READ_gAMA_SUPPORTED void /* PRIVATE */ png_handle_gAMA(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { @@ -653,7 +683,7 @@ png_handle_gAMA(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_warning(png_ptr, "Out of place gAMA chunk"); if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA) -#if defined(PNG_READ_sRGB_SUPPORTED) +#ifdef PNG_READ_sRGB_SUPPORTED && !(info_ptr->valid & PNG_INFO_sRGB) #endif ) @@ -683,13 +713,13 @@ png_handle_gAMA(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) return; } -#if defined(PNG_READ_sRGB_SUPPORTED) +#ifdef PNG_READ_sRGB_SUPPORTED if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB)) if (PNG_OUT_OF_RANGE(igamma, 45500L, 500)) { png_warning(png_ptr, "Ignoring incorrect gAMA value when sRGB is also present"); -#ifndef PNG_NO_CONSOLE_IO +#ifdef PNG_CONSOLE_IO_SUPPORTED fprintf(stderr, "gamma = (%d/100000)", (int)igamma); #endif return; @@ -709,7 +739,7 @@ png_handle_gAMA(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif -#if defined(PNG_READ_sBIT_SUPPORTED) +#ifdef PNG_READ_sBIT_SUPPORTED void /* PRIVATE */ png_handle_sBIT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { @@ -775,7 +805,7 @@ png_handle_sBIT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif -#if defined(PNG_READ_cHRM_SUPPORTED) +#ifdef PNG_READ_cHRM_SUPPORTED void /* PRIVATE */ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { @@ -803,7 +833,7 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_warning(png_ptr, "Missing PLTE before cHRM"); if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM) -#if defined(PNG_READ_sRGB_SUPPORTED) +#ifdef PNG_READ_sRGB_SUPPORTED && !(info_ptr->valid & PNG_INFO_sRGB) #endif ) @@ -855,7 +885,7 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) blue_y = (float)int_y_blue / (float)100000.0; #endif -#if defined(PNG_READ_sRGB_SUPPORTED) +#ifdef PNG_READ_sRGB_SUPPORTED if ((info_ptr != NULL) && (info_ptr->valid & PNG_INFO_sRGB)) { if (PNG_OUT_OF_RANGE(int_x_white, 31270, 1000) || @@ -869,7 +899,7 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { png_warning(png_ptr, "Ignoring incorrect cHRM value when sRGB is also present"); -#ifndef PNG_NO_CONSOLE_IO +#ifdef PNG_CONSOLE_IO_SUPPORTED #ifdef PNG_FLOATING_POINT_SUPPORTED fprintf(stderr, "wx=%f, wy=%f, rx=%f, ry=%f\n", white_x, white_y, red_x, red_y); @@ -881,7 +911,7 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) fprintf(stderr, "gx=%ld, gy=%ld, bx=%ld, by=%ld\n", int_x_green, int_y_green, int_x_blue, int_y_blue); #endif -#endif /* PNG_NO_CONSOLE_IO */ +#endif /* PNG_CONSOLE_IO_SUPPORTED */ } return; } @@ -899,7 +929,7 @@ png_handle_cHRM(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif -#if defined(PNG_READ_sRGB_SUPPORTED) +#ifdef PNG_READ_sRGB_SUPPORTED void /* PRIVATE */ png_handle_sRGB(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { @@ -961,7 +991,7 @@ png_handle_sRGB(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { png_warning(png_ptr, "Ignoring incorrect gAMA value when sRGB is also present"); -#ifndef PNG_NO_CONSOLE_IO +#ifdef PNG_CONSOLE_IO_SUPPORTED # ifdef PNG_FIXED_POINT_SUPPORTED fprintf(stderr, "incorrect gamma=(%d/100000)\n", (int)png_ptr->int_gamma); @@ -997,7 +1027,7 @@ png_handle_sRGB(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif /* PNG_READ_sRGB_SUPPORTED */ -#if defined(PNG_READ_iCCP_SUPPORTED) +#ifdef PNG_READ_iCCP_SUPPORTED void /* PRIVATE */ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* Note: this does not properly handle chunks that are > 64K under DOS */ @@ -1117,14 +1147,14 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif /* PNG_READ_iCCP_SUPPORTED */ -#if defined(PNG_READ_sPLT_SUPPORTED) +#ifdef PNG_READ_sPLT_SUPPORTED void /* PRIVATE */ png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) /* Note: this does not properly handle chunks that are > 64K under DOS */ { png_bytep entry_start; png_sPLT_t new_palette; -#ifdef PNG_NO_POINTER_INDEXING +#ifdef PNG_POINTER_INDEXING_SUPPORTED png_sPLT_entryp pp; #endif int data_length, entry_size, i; @@ -1133,6 +1163,23 @@ png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_debug(1, "in png_handle_sPLT"); +#ifdef PNG_USER_LIMITS_SUPPORTED + + if (png_ptr->user_chunk_cache_max != 0) + { + if (png_ptr->user_chunk_cache_max == 1) + { + png_crc_finish(png_ptr, length); + return; + } + if (--png_ptr->user_chunk_cache_max == 1) + { + png_warning(png_ptr, "No space in chunk cache for sPLT"); + png_crc_finish(png_ptr, length); + return; + } + } +#endif if (!(png_ptr->mode & PNG_HAVE_IHDR)) png_error(png_ptr, "Missing IHDR before sPLT"); @@ -1166,7 +1213,8 @@ png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_ptr->chunkdata[slength] = 0x00; - for (entry_start = (png_bytep)png_ptr->chunkdata; *entry_start; entry_start++) + for (entry_start = (png_bytep)png_ptr->chunkdata; *entry_start; + entry_start++) /* Empty loop to find end of name */ ; ++entry_start; @@ -1207,10 +1255,10 @@ png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) return; } -#ifndef PNG_NO_POINTER_INDEXING +#ifdef PNG_POINTER_INDEXING_SUPPORTED for (i = 0; i < new_palette.nentries; i++) { - png_sPLT_entryp pp = new_palette.entries + i; + pp = new_palette.entries + i; if (new_palette.depth == 8) { @@ -1262,7 +1310,7 @@ png_handle_sPLT(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif /* PNG_READ_sPLT_SUPPORTED */ -#if defined(PNG_READ_tRNS_SUPPORTED) +#ifdef PNG_READ_tRNS_SUPPORTED void /* PRIVATE */ png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { @@ -1357,7 +1405,7 @@ png_handle_tRNS(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif -#if defined(PNG_READ_bKGD_SUPPORTED) +#ifdef PNG_READ_bKGD_SUPPORTED void /* PRIVATE */ png_handle_bKGD(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { @@ -1446,7 +1494,7 @@ png_handle_bKGD(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif -#if defined(PNG_READ_hIST_SUPPORTED) +#ifdef PNG_READ_hIST_SUPPORTED void /* PRIVATE */ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { @@ -1500,7 +1548,7 @@ png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif -#if defined(PNG_READ_pHYs_SUPPORTED) +#ifdef PNG_READ_pHYs_SUPPORTED void /* PRIVATE */ png_handle_pHYs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { @@ -1543,7 +1591,7 @@ png_handle_pHYs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif -#if defined(PNG_READ_oFFs_SUPPORTED) +#ifdef PNG_READ_oFFs_SUPPORTED void /* PRIVATE */ png_handle_oFFs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { @@ -1586,7 +1634,7 @@ png_handle_oFFs(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif -#if defined(PNG_READ_pCAL_SUPPORTED) +#ifdef PNG_READ_pCAL_SUPPORTED /* Read the pCAL chunk (described in the PNG Extensions document) */ void /* PRIVATE */ png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) @@ -1720,7 +1768,7 @@ png_handle_pCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif -#if defined(PNG_READ_sCAL_SUPPORTED) +#ifdef PNG_READ_sCAL_SUPPORTED /* Read the sCAL chunk */ void /* PRIVATE */ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) @@ -1863,7 +1911,7 @@ png_handle_sCAL(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif -#if defined(PNG_READ_tIME_SUPPORTED) +#ifdef PNG_READ_tIME_SUPPORTED void /* PRIVATE */ png_handle_tIME(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) { @@ -1906,7 +1954,7 @@ png_handle_tIME(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif -#if defined(PNG_READ_tEXt_SUPPORTED) +#ifdef PNG_READ_tEXt_SUPPORTED /* Note: this does not properly handle chunks that are > 64K under DOS */ void /* PRIVATE */ png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) @@ -1920,6 +1968,22 @@ png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_debug(1, "in png_handle_tEXt"); +#ifdef PNG_USER_LIMITS_SUPPORTED + if (png_ptr->user_chunk_cache_max != 0) + { + if (png_ptr->user_chunk_cache_max == 1) + { + png_crc_finish(png_ptr, length); + return; + } + if (--png_ptr->user_chunk_cache_max == 1) + { + png_warning(png_ptr, "No space in chunk cache for tEXt"); + png_crc_finish(png_ptr, length); + return; + } + } +#endif if (!(png_ptr->mode & PNG_HAVE_IHDR)) png_error(png_ptr, "Missing IHDR before tEXt"); @@ -1993,7 +2057,7 @@ png_handle_tEXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif -#if defined(PNG_READ_zTXt_SUPPORTED) +#ifdef PNG_READ_zTXt_SUPPORTED /* Note: this does not correctly handle chunks that are > 64K under DOS */ void /* PRIVATE */ png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) @@ -2006,6 +2070,22 @@ png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_debug(1, "in png_handle_zTXt"); +#ifdef PNG_USER_LIMITS_SUPPORTED + if (png_ptr->user_chunk_cache_max != 0) + { + if (png_ptr->user_chunk_cache_max == 1) + { + png_crc_finish(png_ptr, length); + return; + } + if (--png_ptr->user_chunk_cache_max == 1) + { + png_warning(png_ptr, "No space in chunk cache for zTXt"); + png_crc_finish(png_ptr, length); + return; + } + } +#endif if (!(png_ptr->mode & PNG_HAVE_IHDR)) png_error(png_ptr, "Missing IHDR before zTXt"); @@ -2097,7 +2177,7 @@ png_handle_zTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif -#if defined(PNG_READ_iTXt_SUPPORTED) +#ifdef PNG_READ_iTXt_SUPPORTED /* Note: this does not correctly handle chunks that are > 64K under DOS */ void /* PRIVATE */ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) @@ -2111,6 +2191,22 @@ png_handle_iTXt(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_debug(1, "in png_handle_iTXt"); +#ifdef PNG_USER_LIMITS_SUPPORTED + if (png_ptr->user_chunk_cache_max != 0) + { + if (png_ptr->user_chunk_cache_max == 1) + { + png_crc_finish(png_ptr, length); + return; + } + if (--png_ptr->user_chunk_cache_max == 1) + { + png_warning(png_ptr, "No space in chunk cache for iTXt"); + png_crc_finish(png_ptr, length); + return; + } + } +#endif if (!(png_ptr->mode & PNG_HAVE_IHDR)) png_error(png_ptr, "Missing IHDR before iTXt"); @@ -2239,6 +2335,22 @@ png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_debug(1, "in png_handle_unknown"); +#ifdef PNG_USER_LIMITS_SUPPORTED + if (png_ptr->user_chunk_cache_max != 0) + { + if (png_ptr->user_chunk_cache_max == 1) + { + png_crc_finish(png_ptr, length); + return; + } + if (--png_ptr->user_chunk_cache_max == 1) + { + png_warning(png_ptr, "No space in chunk cache for unknown chunk"); + png_crc_finish(png_ptr, length); + return; + } + } +#endif if (png_ptr->mode & PNG_HAVE_IDAT) { @@ -2251,10 +2363,10 @@ png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) if (!(png_ptr->chunk_name[0] & 0x20)) { -#if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) +#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != PNG_HANDLE_CHUNK_ALWAYS -#if defined(PNG_READ_USER_CHUNKS_SUPPORTED) +#ifdef PNG_READ_USER_CHUNKS_SUPPORTED && png_ptr->read_user_chunk_fn == NULL #endif ) @@ -2262,9 +2374,12 @@ png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_chunk_error(png_ptr, "unknown critical chunk"); } -#if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) - if ((png_ptr->flags & PNG_FLAG_KEEP_UNKNOWN_CHUNKS) || - (png_ptr->read_user_chunk_fn != NULL)) +#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED + if ((png_ptr->flags & PNG_FLAG_KEEP_UNKNOWN_CHUNKS) +#ifdef PNG_READ_USER_CHUNKS_SUPPORTED + || (png_ptr->read_user_chunk_fn != NULL) +#endif + ) { #ifdef PNG_MAX_MALLOC_64K if (length > (png_uint_32)65535L) @@ -2275,9 +2390,10 @@ png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) } #endif png_memcpy((png_charp)png_ptr->unknown_chunk.name, - (png_charp)png_ptr->chunk_name, + (png_charp)png_ptr->chunk_name, png_sizeof(png_ptr->unknown_chunk.name)); - png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1] = '\0'; + png_ptr->unknown_chunk.name[png_sizeof(png_ptr->unknown_chunk.name)-1] + = '\0'; png_ptr->unknown_chunk.size = (png_size_t)length; if (length == 0) png_ptr->unknown_chunk.data = NULL; @@ -2286,7 +2402,7 @@ png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_ptr->unknown_chunk.data = (png_bytep)png_malloc(png_ptr, length); png_crc_read(png_ptr, (png_bytep)png_ptr->unknown_chunk.data, length); } -#if defined(PNG_READ_USER_CHUNKS_SUPPORTED) +#ifdef PNG_READ_USER_CHUNKS_SUPPORTED if (png_ptr->read_user_chunk_fn != NULL) { /* Callback to user unknown chunk handler */ @@ -2298,8 +2414,10 @@ png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) if (ret == 0) { if (!(png_ptr->chunk_name[0] & 0x20)) +#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED if (png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != PNG_HANDLE_CHUNK_ALWAYS) +#endif png_chunk_error(png_ptr, "unknown critical chunk"); png_set_unknown_chunks(png_ptr, info_ptr, &png_ptr->unknown_chunk, 1); @@ -2317,7 +2435,7 @@ png_handle_unknown(png_structp png_ptr, png_infop info_ptr, png_uint_32 length) png_crc_finish(png_ptr, skip); -#if !defined(PNG_READ_USER_CHUNKS_SUPPORTED) +#ifndef PNG_READ_USER_CHUNKS_SUPPORTED info_ptr = info_ptr; /* Quiet compiler warnings about unused info_ptr */ #endif } @@ -2375,7 +2493,7 @@ png_combine_row(png_structp png_ptr, png_bytep row, int mask) png_uint_32 i; png_uint_32 row_width = png_ptr->width; -#if defined(PNG_READ_PACKSWAP_SUPPORTED) +#ifdef PNG_READ_PACKSWAP_SUPPORTED if (png_ptr->transformations & PNG_PACKSWAP) { s_start = 0; @@ -2430,7 +2548,7 @@ png_combine_row(png_structp png_ptr, png_bytep row, int mask) png_uint_32 row_width = png_ptr->width; int value; -#if defined(PNG_READ_PACKSWAP_SUPPORTED) +#ifdef PNG_READ_PACKSWAP_SUPPORTED if (png_ptr->transformations & PNG_PACKSWAP) { s_start = 0; @@ -2482,7 +2600,7 @@ png_combine_row(png_structp png_ptr, png_bytep row, int mask) png_uint_32 row_width = png_ptr->width; int value; -#if defined(PNG_READ_PACKSWAP_SUPPORTED) +#ifdef PNG_READ_PACKSWAP_SUPPORTED if (png_ptr->transformations & PNG_PACKSWAP) { s_start = 0; @@ -2565,11 +2683,9 @@ png_do_read_interlace(png_structp png_ptr) png_bytep row = png_ptr->row_buf + 1; int pass = png_ptr->pass; png_uint_32 transformations = png_ptr->transformations; -#ifdef PNG_USE_LOCAL_ARRAYS /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ /* Offset to next interlace block */ PNG_CONST int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; -#endif png_debug(1, "in png_do_read_interlace"); if (row != NULL && row_info != NULL) @@ -2591,7 +2707,7 @@ png_do_read_interlace(png_structp png_ptr) png_uint_32 i; int j; -#if defined(PNG_READ_PACKSWAP_SUPPORTED) +#ifdef PNG_READ_PACKSWAP_SUPPORTED if (transformations & PNG_PACKSWAP) { sshift = (int)((row_info->width + 7) & 0x07); @@ -2644,7 +2760,7 @@ png_do_read_interlace(png_structp png_ptr) int jstop = png_pass_inc[pass]; png_uint_32 i; -#if defined(PNG_READ_PACKSWAP_SUPPORTED) +#ifdef PNG_READ_PACKSWAP_SUPPORTED if (transformations & PNG_PACKSWAP) { sshift = (int)(((row_info->width + 3) & 0x03) << 1); @@ -2700,7 +2816,7 @@ png_do_read_interlace(png_structp png_ptr) png_uint_32 i; int jstop = png_pass_inc[pass]; -#if defined(PNG_READ_PACKSWAP_SUPPORTED) +#ifdef PNG_READ_PACKSWAP_SUPPORTED if (transformations & PNG_PACKSWAP) { sshift = (int)(((row_info->width + 1) & 0x01) << 2); @@ -2749,7 +2865,8 @@ png_do_read_interlace(png_structp png_ptr) default: { png_size_t pixel_bytes = (row_info->pixel_depth >> 3); - png_bytep sp = row + (png_size_t)(row_info->width - 1) * pixel_bytes; + png_bytep sp = row + (png_size_t)(row_info->width - 1) + * pixel_bytes; png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes; int jstop = png_pass_inc[pass]; @@ -2774,7 +2891,7 @@ png_do_read_interlace(png_structp png_ptr) row_info->width = final_width; row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width); } -#if !defined(PNG_READ_PACKSWAP_SUPPORTED) +#ifndef PNG_READ_PACKSWAP_SUPPORTED transformations = transformations; /* Silence compiler warning */ #endif } @@ -2903,11 +3020,10 @@ png_read_filter_row(png_structp png_ptr, png_row_infop row_info, png_bytep row, } } -#ifndef PNG_NO_SEQUENTIAL_READ_SUPPORTED +#ifdef PNG_SEQUENTIAL_READ_SUPPORTED void /* PRIVATE */ png_read_finish_row(png_structp png_ptr) { -#ifdef PNG_USE_LOCAL_ARRAYS #ifdef PNG_READ_INTERLACING_SUPPORTED /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ @@ -2923,7 +3039,6 @@ png_read_finish_row(png_structp png_ptr) /* Offset to next interlace block in the y direction */ PNG_CONST int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; #endif /* PNG_READ_INTERLACING_SUPPORTED */ -#endif png_debug(1, "in png_read_finish_row"); png_ptr->row_number++; @@ -2946,9 +3061,6 @@ png_read_finish_row(png_structp png_ptr) png_pass_start[png_ptr->pass]) / png_pass_inc[png_ptr->pass]; - png_ptr->irowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, - png_ptr->iwidth) + 1; - if (!(png_ptr->transformations & PNG_INTERLACE)) { png_ptr->num_rows = (png_ptr->height + @@ -3007,7 +3119,7 @@ png_read_finish_row(png_structp png_ptr) { if (!(png_ptr->zstream.avail_out) || png_ptr->zstream.avail_in || png_ptr->idat_size) - png_warning(png_ptr, "Extra compressed data"); + png_warning(png_ptr, "Extra compressed data."); png_ptr->mode |= PNG_AFTER_IDAT; png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED; break; @@ -3029,18 +3141,17 @@ png_read_finish_row(png_structp png_ptr) } if (png_ptr->idat_size || png_ptr->zstream.avail_in) - png_warning(png_ptr, "Extra compression data"); + png_warning(png_ptr, "Extra compression data."); inflateReset(&png_ptr->zstream); png_ptr->mode |= PNG_AFTER_IDAT; } -#endif /* PNG_NO_SEQUENTIAL_READ_SUPPORTED */ +#endif /* PNG_SEQUENTIAL_READ_SUPPORTED */ void /* PRIVATE */ png_read_start_row(png_structp png_ptr) { -#ifdef PNG_USE_LOCAL_ARRAYS #ifdef PNG_READ_INTERLACING_SUPPORTED /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ @@ -3056,7 +3167,6 @@ png_read_start_row(png_structp png_ptr) /* Offset to next interlace block in the y direction */ PNG_CONST int png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; #endif -#endif int max_pixel_depth; png_size_t row_bytes; @@ -3077,25 +3187,21 @@ png_read_start_row(png_structp png_ptr) png_pass_inc[png_ptr->pass] - 1 - png_pass_start[png_ptr->pass]) / png_pass_inc[png_ptr->pass]; - - png_ptr->irowbytes = - PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1; } else #endif /* PNG_READ_INTERLACING_SUPPORTED */ { png_ptr->num_rows = png_ptr->height; png_ptr->iwidth = png_ptr->width; - png_ptr->irowbytes = png_ptr->rowbytes + 1; } max_pixel_depth = png_ptr->pixel_depth; -#if defined(PNG_READ_PACK_SUPPORTED) +#ifdef PNG_READ_PACK_SUPPORTED if ((png_ptr->transformations & PNG_PACK) && png_ptr->bit_depth < 8) max_pixel_depth = 8; #endif -#if defined(PNG_READ_EXPAND_SUPPORTED) +#ifdef PNG_READ_EXPAND_SUPPORTED if (png_ptr->transformations & PNG_EXPAND) { if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) @@ -3123,7 +3229,7 @@ png_read_start_row(png_structp png_ptr) } #endif -#if defined(PNG_READ_FILLER_SUPPORTED) +#ifdef PNG_READ_FILLER_SUPPORTED if (png_ptr->transformations & (PNG_FILLER)) { if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) @@ -3145,14 +3251,14 @@ png_read_start_row(png_structp png_ptr) } #endif -#if defined(PNG_READ_GRAY_TO_RGB_SUPPORTED) +#ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED if (png_ptr->transformations & PNG_GRAY_TO_RGB) { if ( -#if defined(PNG_READ_EXPAND_SUPPORTED) +#ifdef PNG_READ_EXPAND_SUPPORTED (png_ptr->num_trans && (png_ptr->transformations & PNG_EXPAND)) || #endif -#if defined(PNG_READ_FILLER_SUPPORTED) +#ifdef PNG_READ_FILLER_SUPPORTED (png_ptr->transformations & (PNG_FILLER)) || #endif png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) @@ -3207,9 +3313,15 @@ defined(PNG_USER_TRANSFORM_PTR_SUPPORTED) if (row_bytes + 64 > png_ptr->old_big_row_buf_size) { png_free(png_ptr, png_ptr->big_row_buf); - png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + 64); if (png_ptr->interlaced) - png_memset(png_ptr->big_row_buf, 0, row_bytes + 64); + png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr, + row_bytes + 64); + else + png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, + row_bytes + 64); + png_ptr->old_big_row_buf_size = row_bytes + 64; + + /* Use 32 bytes of padding before and after row_buf. */ png_ptr->row_buf = png_ptr->big_row_buf + 32; png_ptr->old_big_row_buf_size = row_bytes + 64; } @@ -3237,7 +3349,8 @@ defined(PNG_USER_TRANSFORM_PTR_SUPPORTED) png_debug1(3, "iwidth = %lu,", png_ptr->iwidth); png_debug1(3, "num_rows = %lu,", png_ptr->num_rows); png_debug1(3, "rowbytes = %lu,", png_ptr->rowbytes); - png_debug1(3, "irowbytes = %lu", png_ptr->irowbytes); + png_debug1(3, "irowbytes = %lu", + PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1); png_ptr->flags |= PNG_FLAG_ROW_INIT; } |