aboutsummaryrefslogtreecommitdiffstats
path: root/png.c
diff options
context:
space:
mode:
authorPatrick Scott <phanna@android.com>2010-06-28 16:55:16 -0400
committerPatrick Scott <phanna@android.com>2010-06-28 16:55:16 -0400
commit5f6bd84e375226bf228fc8ac90318957ec9e1e7f (patch)
treeda1284f5023ad422da3263b48f1cefa6d6443912 /png.c
parent342380c79a16cc2e5ba7859c3fc4e40f2661ea45 (diff)
downloadexternal_libpng-5f6bd84e375226bf228fc8ac90318957ec9e1e7f.zip
external_libpng-5f6bd84e375226bf228fc8ac90318957ec9e1e7f.tar.gz
external_libpng-5f6bd84e375226bf228fc8ac90318957ec9e1e7f.tar.bz2
Upgrade libpng to 1.2.44 for security fixes.
Change-Id: Iae257ca6ea7031a99f38e9de196d71ef8b94f9aa
Diffstat (limited to 'png.c')
-rw-r--r--png.c257
1 files changed, 216 insertions, 41 deletions
diff --git a/png.c b/png.c
index 2e9f4c6..7ad9538 100644
--- a/png.c
+++ b/png.c
@@ -1,8 +1,8 @@
/* png.c - location for general purpose libpng functions
*
- * Last changed in libpng 1.2.37 [June 4, 2009]
- * Copyright (c) 1998-2009 Glenn Randers-Pehrson
+ * Last changed in libpng 1.2.43 [February 25, 2010]
+ * Copyright (c) 1998-2010 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
*
@@ -13,13 +13,15 @@
#define PNG_INTERNAL
#define PNG_NO_EXTERN
+#define PNG_NO_PEDANTIC_WARNINGS
#include "png.h"
/* Generate a compiler error if there is an old png.h in the search path. */
-typedef version_1_2_38 Your_png_h_is_not_version_1_2_38;
+typedef version_1_2_44 Your_png_h_is_not_version_1_2_44;
/* Version information for C files. This had better match the version
- * string defined in png.h. */
+ * string defined in png.h.
+ */
#ifdef PNG_USE_GLOBAL_ARRAYS
/* png_libpng_ver was changed to a function in version 1.0.5c */
@@ -76,7 +78,8 @@ PNG_CONST int FARDATA png_pass_height[] = {8, 8, 4, 4, 2, 2, 1};
*/
/* Mask to determine which pixels are valid in a pass */
-PNG_CONST int FARDATA png_pass_mask[] = {0x80, 0x08, 0x88, 0x22, 0xaa, 0x55, 0xff};
+PNG_CONST int FARDATA png_pass_mask[] =
+ {0x80, 0x08, 0x88, 0x22, 0xaa, 0x55, 0xff};
/* Mask to determine which pixels to overwrite while displaying */
PNG_CONST int FARDATA png_pass_dsp_mask[]
@@ -95,9 +98,11 @@ PNG_CONST int FARDATA png_pass_dsp_mask[]
void PNGAPI
png_set_sig_bytes(png_structp png_ptr, int num_bytes)
{
+ png_debug(1, "in png_set_sig_bytes");
+
if (png_ptr == NULL)
return;
- png_debug(1, "in png_set_sig_bytes");
+
if (num_bytes > 8)
png_error(png_ptr, "Too many bytes for PNG signature.");
@@ -148,7 +153,7 @@ png_check_sig(png_bytep sig, int num)
#ifdef PNG_1_0_X
voidpf PNGAPI
#else
-voidpf /* private */
+voidpf /* PRIVATE */
#endif
png_zalloc(voidpf png_ptr, uInt items, uInt size)
{
@@ -192,7 +197,7 @@ png_zalloc(voidpf png_ptr, uInt items, uInt size)
#ifdef PNG_1_0_X
void PNGAPI
#else
-void /* private */
+void /* PRIVATE */
#endif
png_zfree(voidpf png_ptr, voidpf ptr)
{
@@ -246,8 +251,10 @@ png_create_info_struct(png_structp png_ptr)
png_infop info_ptr;
png_debug(1, "in png_create_info_struct");
+
if (png_ptr == NULL)
return (NULL);
+
#ifdef PNG_USER_MEM_SUPPORTED
info_ptr = (png_infop)png_create_struct_2(PNG_STRUCT_INFO,
png_ptr->malloc_fn, png_ptr->mem_ptr);
@@ -269,10 +276,12 @@ void PNGAPI
png_destroy_info_struct(png_structp png_ptr, png_infopp info_ptr_ptr)
{
png_infop info_ptr = NULL;
+
+ png_debug(1, "in png_destroy_info_struct");
+
if (png_ptr == NULL)
return;
- png_debug(1, "in png_destroy_info_struct");
if (info_ptr_ptr != NULL)
info_ptr = *info_ptr_ptr;
@@ -309,11 +318,11 @@ png_info_init_3(png_infopp ptr_ptr, png_size_t png_info_struct_size)
{
png_infop info_ptr = *ptr_ptr;
+ png_debug(1, "in png_info_init_3");
+
if (info_ptr == NULL)
return;
- png_debug(1, "in png_info_init_3");
-
if (png_sizeof(png_info) > png_info_struct_size)
{
png_destroy_struct(info_ptr);
@@ -331,8 +340,10 @@ png_data_freer(png_structp png_ptr, png_infop info_ptr,
int freer, png_uint_32 mask)
{
png_debug(1, "in png_data_freer");
+
if (png_ptr == NULL || info_ptr == NULL)
return;
+
if (freer == PNG_DESTROY_WILL_FREE_DATA)
info_ptr->free_me |= mask;
else if (freer == PNG_USER_WILL_FREE_DATA)
@@ -348,10 +359,11 @@ png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask,
int num)
{
png_debug(1, "in png_free_data");
+
if (png_ptr == NULL || info_ptr == NULL)
return;
-#if defined(PNG_TEXT_SUPPORTED)
+#ifdef PNG_TEXT_SUPPORTED
/* Free text item num or (if num == -1) all text items */
#ifdef PNG_FREE_ME_SUPPORTED
if ((mask & PNG_FREE_TEXT) & info_ptr->free_me)
@@ -379,7 +391,7 @@ png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask,
}
#endif
-#if defined(PNG_tRNS_SUPPORTED)
+#ifdef PNG_tRNS_SUPPORTED
/* Free any tRNS entry */
#ifdef PNG_FREE_ME_SUPPORTED
if ((mask & PNG_FREE_TRNS) & info_ptr->free_me)
@@ -396,7 +408,7 @@ png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask,
}
#endif
-#if defined(PNG_sCAL_SUPPORTED)
+#ifdef PNG_sCAL_SUPPORTED
/* Free any sCAL entry */
#ifdef PNG_FREE_ME_SUPPORTED
if ((mask & PNG_FREE_SCAL) & info_ptr->free_me)
@@ -414,7 +426,7 @@ png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask,
}
#endif
-#if defined(PNG_pCAL_SUPPORTED)
+#ifdef PNG_pCAL_SUPPORTED
/* Free any pCAL entry */
#ifdef PNG_FREE_ME_SUPPORTED
if ((mask & PNG_FREE_PCAL) & info_ptr->free_me)
@@ -432,7 +444,7 @@ png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask,
for (i = 0; i < (int)info_ptr->pcal_nparams; i++)
{
png_free(png_ptr, info_ptr->pcal_params[i]);
- info_ptr->pcal_params[i]=NULL;
+ info_ptr->pcal_params[i] = NULL;
}
png_free(png_ptr, info_ptr->pcal_params);
info_ptr->pcal_params = NULL;
@@ -441,7 +453,7 @@ png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask,
}
#endif
-#if defined(PNG_iCCP_SUPPORTED)
+#ifdef PNG_iCCP_SUPPORTED
/* Free any iCCP entry */
#ifdef PNG_FREE_ME_SUPPORTED
if ((mask & PNG_FREE_ICCP) & info_ptr->free_me)
@@ -457,7 +469,7 @@ png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask,
}
#endif
-#if defined(PNG_sPLT_SUPPORTED)
+#ifdef PNG_sPLT_SUPPORTED
/* Free a given sPLT entry, or (if num == -1) all sPLT entries */
#ifdef PNG_FREE_ME_SUPPORTED
if ((mask & PNG_FREE_SPLT) & info_ptr->free_me)
@@ -492,7 +504,7 @@ png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask,
}
#endif
-#if defined(PNG_UNKNOWN_CHUNKS_SUPPORTED)
+#ifdef PNG_UNKNOWN_CHUNKS_SUPPORTED
if (png_ptr->unknown_chunk.data)
{
png_free(png_ptr, png_ptr->unknown_chunk.data);
@@ -530,7 +542,7 @@ png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask,
}
#endif
-#if defined(PNG_hIST_SUPPORTED)
+#ifdef PNG_hIST_SUPPORTED
/* Free any hIST entry */
#ifdef PNG_FREE_ME_SUPPORTED
if ((mask & PNG_FREE_HIST) & info_ptr->free_me)
@@ -563,7 +575,7 @@ png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask,
info_ptr->num_palette = 0;
}
-#if defined(PNG_INFO_IMAGE_SUPPORTED)
+#ifdef PNG_INFO_IMAGE_SUPPORTED
/* Free any image bits attached to the info structure */
#ifdef PNG_FREE_ME_SUPPORTED
if ((mask & PNG_FREE_ROWS) & info_ptr->free_me)
@@ -577,10 +589,10 @@ png_free_data(png_structp png_ptr, png_infop info_ptr, png_uint_32 mask,
for (row = 0; row < (int)info_ptr->height; row++)
{
png_free(png_ptr, info_ptr->row_pointers[row]);
- info_ptr->row_pointers[row]=NULL;
+ info_ptr->row_pointers[row] = NULL;
}
png_free(png_ptr, info_ptr->row_pointers);
- info_ptr->row_pointers=NULL;
+ info_ptr->row_pointers = NULL;
}
info_ptr->valid &= ~PNG_INFO_IDAT;
}
@@ -605,11 +617,11 @@ png_info_destroy(png_structp png_ptr, png_infop info_ptr)
png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
-#if defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
+#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
if (png_ptr->num_chunk_list)
{
png_free(png_ptr, png_ptr->chunk_list);
- png_ptr->chunk_list=NULL;
+ png_ptr->chunk_list = NULL;
png_ptr->num_chunk_list = 0;
}
#endif
@@ -631,7 +643,7 @@ png_get_io_ptr(png_structp png_ptr)
}
#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
-#if !defined(PNG_NO_STDIO)
+#ifdef PNG_STDIO_SUPPORTED
/* Initialize the default input/output functions for the PNG file. If you
* use your own read or write routines, you can call either png_set_read_fn()
* or png_set_write_fn() instead of png_init_io(). If you have defined
@@ -642,13 +654,15 @@ void PNGAPI
png_init_io(png_structp png_ptr, png_FILE_p fp)
{
png_debug(1, "in png_init_io");
+
if (png_ptr == NULL)
return;
+
png_ptr->io_ptr = (png_voidp)fp;
}
#endif
-#if defined(PNG_TIME_RFC1123_SUPPORTED)
+#ifdef PNG_TIME_RFC1123_SUPPORTED
/* Convert the supplied time into an RFC 1123 string suitable for use in
* a "Creation Time" or other text-based time string.
*/
@@ -667,15 +681,15 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
png_sizeof(char)));
}
-#if defined(_WIN32_WCE)
+#ifdef _WIN32_WCE
{
wchar_t time_buf[29];
wsprintf(time_buf, TEXT("%d %S %d %02d:%02d:%02d +0000"),
ptime->day % 32, short_months[(ptime->month - 1) % 12],
ptime->year, ptime->hour % 24, ptime->minute % 60,
ptime->second % 61);
- WideCharToMultiByte(CP_ACP, 0, time_buf, -1, png_ptr->time_buffer, 29,
- NULL, NULL);
+ WideCharToMultiByte(CP_ACP, 0, time_buf, -1, png_ptr->time_buffer,
+ 29, NULL, NULL);
}
#else
#ifdef USE_FAR_KEYWORD
@@ -705,10 +719,23 @@ png_charp PNGAPI
png_get_copyright(png_structp png_ptr)
{
png_ptr = png_ptr; /* Silence compiler warning about unused png_ptr */
- return ((png_charp) "\n libpng version 1.2.38 - July 16, 2009\n\
- Copyright (c) 1998-2009 Glenn Randers-Pehrson\n\
- Copyright (c) 1996-1997 Andreas Dilger\n\
- Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.\n");
+#ifdef PNG_STRING_COPYRIGHT
+ return PNG_STRING_COPYRIGHT
+#else
+#ifdef __STDC__
+ return ((png_charp) PNG_STRING_NEWLINE \
+ "libpng version 1.2.44 - June 26, 2010" PNG_STRING_NEWLINE \
+ "Copyright (c) 1998-2010 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
+ "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
+ "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
+ PNG_STRING_NEWLINE);
+#else
+ return ((png_charp) "libpng version 1.2.44 - June 26, 2010\
+ Copyright (c) 1998-2010 Glenn Randers-Pehrson\
+ Copyright (c) 1996-1997 Andreas Dilger\
+ Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.");
+#endif
+#endif
}
/* The following return the library version as a short string in the
@@ -740,11 +767,15 @@ png_get_header_version(png_structp png_ptr)
{
/* Returns longer string containing both version and date */
png_ptr = png_ptr; /* Silence compiler warning about unused png_ptr */
+#ifdef __STDC__
return ((png_charp) PNG_HEADER_VERSION_STRING
#ifndef PNG_READ_SUPPORTED
" (NO READ SUPPORT)"
#endif
- "\n");
+ PNG_STRING_NEWLINE);
+#else
+ return ((png_charp) PNG_HEADER_VERSION_STRING);
+#endif
}
#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
@@ -785,7 +816,7 @@ png_access_version_number(void)
#if defined(PNG_READ_SUPPORTED) && defined(PNG_ASSEMBLER_CODE_SUPPORTED)
-#if !defined(PNG_1_0_X)
+#ifndef PNG_1_0_X
/* This function was added to libpng 1.2.0 */
int PNGAPI
png_mmx_support(void)
@@ -810,8 +841,8 @@ png_convert_size(size_t size)
#endif /* PNG_SIZE_T */
/* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
-#if defined(PNG_cHRM_SUPPORTED)
-#if !defined(PNG_NO_CHECK_cHRM)
+#ifdef PNG_cHRM_SUPPORTED
+#ifdef PNG_CHECK_cHRM_SUPPORTED
/*
* Multiply two 32-bit numbers, V1 and V2, using 32-bit
@@ -828,7 +859,8 @@ png_convert_size(size_t size)
* A and D, and X || Y is (X << 16) + Y.
*/
-void png_64bit_product (long v1, long v2, unsigned long *hi_product,
+void /* PRIVATE */
+png_64bit_product (long v1, long v2, unsigned long *hi_product,
unsigned long *lo_product)
{
int a, b, c, d;
@@ -852,7 +884,7 @@ void png_64bit_product (long v1, long v2, unsigned long *hi_product,
*lo_product = (unsigned long)lo;
}
-int /* private */
+int /* PRIVATE */
png_check_cHRM_fixed(png_structp png_ptr,
png_fixed_point white_x, png_fixed_point white_y, png_fixed_point red_x,
png_fixed_point red_y, png_fixed_point green_x, png_fixed_point green_y,
@@ -862,6 +894,7 @@ png_check_cHRM_fixed(png_structp png_ptr,
unsigned long xy_hi,xy_lo,yx_hi,yx_lo;
png_debug(1, "in function png_check_cHRM_fixed");
+
if (png_ptr == NULL)
return 0;
@@ -920,6 +953,148 @@ png_check_cHRM_fixed(png_structp png_ptr,
return ret;
}
-#endif /* NO_PNG_CHECK_cHRM */
+#endif /* PNG_CHECK_cHRM_SUPPORTED */
#endif /* PNG_cHRM_SUPPORTED */
+
+void /* PRIVATE */
+png_check_IHDR(png_structp png_ptr,
+ png_uint_32 width, png_uint_32 height, int bit_depth,
+ int color_type, int interlace_type, int compression_type,
+ int filter_type)
+{
+ int error = 0;
+
+ /* Check for width and height valid values */
+ if (width == 0)
+ {
+ png_warning(png_ptr, "Image width is zero in IHDR");
+ error = 1;
+ }
+
+ if (height == 0)
+ {
+ png_warning(png_ptr, "Image height is zero in IHDR");
+ error = 1;
+ }
+
+#ifdef PNG_SET_USER_LIMITS_SUPPORTED
+ if (width > png_ptr->user_width_max || width > PNG_USER_WIDTH_MAX)
+#else
+ if (width > PNG_USER_WIDTH_MAX)
+#endif
+ {
+ png_warning(png_ptr, "Image width exceeds user limit in IHDR");
+ error = 1;
+ }
+
+#ifdef PNG_SET_USER_LIMITS_SUPPORTED
+ if (height > png_ptr->user_height_max || height > PNG_USER_HEIGHT_MAX)
+#else
+ if (height > PNG_USER_HEIGHT_MAX)
+#endif
+ {
+ png_warning(png_ptr, "Image height exceeds user limit in IHDR");
+ error = 1;
+ }
+
+ if (width > PNG_UINT_31_MAX)
+ {
+ png_warning(png_ptr, "Invalid image width in IHDR");
+ error = 1;
+ }
+
+ if ( height > PNG_UINT_31_MAX)
+ {
+ png_warning(png_ptr, "Invalid image height in IHDR");
+ error = 1;
+ }
+
+ if ( width > (PNG_UINT_32_MAX
+ >> 3) /* 8-byte RGBA pixels */
+ - 64 /* bigrowbuf hack */
+ - 1 /* filter byte */
+ - 7*8 /* rounding of width to multiple of 8 pixels */
+ - 8) /* extra max_pixel_depth pad */
+ png_warning(png_ptr, "Width is too large for libpng to process pixels");
+
+ /* Check other values */
+ if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
+ bit_depth != 8 && bit_depth != 16)
+ {
+ png_warning(png_ptr, "Invalid bit depth in IHDR");
+ error = 1;
+ }
+
+ if (color_type < 0 || color_type == 1 ||
+ color_type == 5 || color_type > 6)
+ {
+ png_warning(png_ptr, "Invalid color type in IHDR");
+ error = 1;
+ }
+
+ if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
+ ((color_type == PNG_COLOR_TYPE_RGB ||
+ color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
+ color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
+ {
+ png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
+ error = 1;
+ }
+
+ if (interlace_type >= PNG_INTERLACE_LAST)
+ {
+ png_warning(png_ptr, "Unknown interlace method in IHDR");
+ error = 1;
+ }
+
+ if (compression_type != PNG_COMPRESSION_TYPE_BASE)
+ {
+ png_warning(png_ptr, "Unknown compression method in IHDR");
+ error = 1;
+ }
+
+#ifdef PNG_MNG_FEATURES_SUPPORTED
+ /* Accept filter_method 64 (intrapixel differencing) only if
+ * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
+ * 2. Libpng did not read a PNG signature (this filter_method is only
+ * used in PNG datastreams that are embedded in MNG datastreams) and
+ * 3. The application called png_permit_mng_features with a mask that
+ * included PNG_FLAG_MNG_FILTER_64 and
+ * 4. The filter_method is 64 and
+ * 5. The color_type is RGB or RGBA
+ */
+ if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) &&
+ png_ptr->mng_features_permitted)
+ png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
+
+ if (filter_type != PNG_FILTER_TYPE_BASE)
+ {
+ if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) &&
+ (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
+ ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
+ (color_type == PNG_COLOR_TYPE_RGB ||
+ color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
+ {
+ png_warning(png_ptr, "Unknown filter method in IHDR");
+ error = 1;
+ }
+
+ if (png_ptr->mode & PNG_HAVE_PNG_SIGNATURE)
+ {
+ png_warning(png_ptr, "Invalid filter method in IHDR");
+ error = 1;
+ }
+ }
+
+#else
+ if (filter_type != PNG_FILTER_TYPE_BASE)
+ {
+ png_warning(png_ptr, "Unknown filter method in IHDR");
+ error = 1;
+ }
+#endif
+
+ if (error == 1)
+ png_error(png_ptr, "Invalid IHDR data");
+}
#endif /* defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) */
generated by cgit v1.1 at 2024-12-22 09:12:33 +0000