"Fossies" - the Fresh Open Source Software Archive

Member "pngcrush-1.8.13/pngrutil.c" (29 Aug 2017, 147076 Bytes) of package /linux/privat/pngcrush-1.8.13.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "pngrutil.c" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 1.8.12_vs_1.8.13.

    1 
    2 /* pngrutil.c - utilities to read a PNG file
    3  *
    4  * Last changed in libpng 1.6.32 [August 24, 2017]
    5  * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
    6  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
    7  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
    8  *
    9  * This code is released under the libpng license.
   10  * For conditions of distribution and use, see the disclaimer
   11  * and license in png.h
   12  *
   13  * This file contains routines that are only called from within
   14  * libpng itself during the course of reading an image.
   15  */
   16 
   17 #include "pngpriv.h"
   18 
   19 #ifdef PNG_READ_SUPPORTED
   20 
   21 png_uint_32 PNGAPI
   22 png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf)
   23 {
   24    png_uint_32 uval = png_get_uint_32(buf);
   25 
   26    if (uval > PNG_UINT_31_MAX)
   27       png_error(png_ptr, "PNG unsigned integer out of range");
   28 
   29    return (uval);
   30 }
   31 
   32 #if defined(PNG_READ_gAMA_SUPPORTED) || defined(PNG_READ_cHRM_SUPPORTED)
   33 /* The following is a variation on the above for use with the fixed
   34  * point values used for gAMA and cHRM.  Instead of png_error it
   35  * issues a warning and returns (-1) - an invalid value because both
   36  * gAMA and cHRM use *unsigned* integers for fixed point values.
   37  */
   38 #define PNG_FIXED_ERROR (-1)
   39 
   40 static png_fixed_point /* PRIVATE */
   41 png_get_fixed_point(png_structrp png_ptr, png_const_bytep buf)
   42 {
   43    png_uint_32 uval = png_get_uint_32(buf);
   44 
   45    if (uval <= PNG_UINT_31_MAX)
   46       return (png_fixed_point)uval; /* known to be in range */
   47 
   48    /* The caller can turn off the warning by passing NULL. */
   49    if (png_ptr != NULL)
   50       png_warning(png_ptr, "PNG fixed point integer out of range");
   51 
   52    return PNG_FIXED_ERROR;
   53 }
   54 #endif
   55 
   56 #ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
   57 /* NOTE: the read macros will obscure these definitions, so that if
   58  * PNG_USE_READ_MACROS is set the library will not use them internally,
   59  * but the APIs will still be available externally.
   60  *
   61  * The parentheses around "PNGAPI function_name" in the following three
   62  * functions are necessary because they allow the macros to co-exist with
   63  * these (unused but exported) functions.
   64  */
   65 
   66 /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
   67 png_uint_32 (PNGAPI
   68 png_get_uint_32)(png_const_bytep buf)
   69 {
   70    png_uint_32 uval =
   71        ((png_uint_32)(*(buf    )) << 24) +
   72        ((png_uint_32)(*(buf + 1)) << 16) +
   73        ((png_uint_32)(*(buf + 2)) <<  8) +
   74        ((png_uint_32)(*(buf + 3))      ) ;
   75 
   76    return uval;
   77 }
   78 
   79 /* Grab a signed 32-bit integer from a buffer in big-endian format.  The
   80  * data is stored in the PNG file in two's complement format and there
   81  * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
   82  * the following code does a two's complement to native conversion.
   83  */
   84 png_int_32 (PNGAPI
   85 png_get_int_32)(png_const_bytep buf)
   86 {
   87    png_uint_32 uval = png_get_uint_32(buf);
   88    if ((uval & 0x80000000) == 0) /* non-negative */
   89       return (png_int_32)uval;
   90 
   91    uval = (uval ^ 0xffffffff) + 1;  /* 2's complement: -x = ~x+1 */
   92    if ((uval & 0x80000000) == 0) /* no overflow */
   93       return -(png_int_32)uval;
   94    /* The following has to be safe; this function only gets called on PNG data
   95     * and if we get here that data is invalid.  0 is the most safe value and
   96     * if not then an attacker would surely just generate a PNG with 0 instead.
   97     */
   98    return 0;
   99 }
  100 
  101 /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */
  102 png_uint_16 (PNGAPI
  103 png_get_uint_16)(png_const_bytep buf)
  104 {
  105    /* ANSI-C requires an int value to accomodate at least 16 bits so this
  106     * works and allows the compiler not to worry about possible narrowing
  107     * on 32-bit systems.  (Pre-ANSI systems did not make integers smaller
  108     * than 16 bits either.)
  109     */
  110    unsigned int val =
  111        ((unsigned int)(*buf) << 8) +
  112        ((unsigned int)(*(buf + 1)));
  113 
  114    return (png_uint_16)val;
  115 }
  116 
  117 #endif /* READ_INT_FUNCTIONS */
  118 
  119 /* Read and check the PNG file signature */
  120 void /* PRIVATE */
  121 png_read_sig(png_structrp png_ptr, png_inforp info_ptr)
  122 {
  123    png_size_t num_checked, num_to_check;
  124 
  125    /* Exit if the user application does not expect a signature. */
  126    if (png_ptr->sig_bytes >= 8)
  127       return;
  128 
  129    num_checked = png_ptr->sig_bytes;
  130    num_to_check = 8 - num_checked;
  131 
  132 #ifdef PNG_IO_STATE_SUPPORTED
  133    png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE;
  134 #endif
  135 
  136    /* The signature must be serialized in a single I/O call. */
  137    png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
  138    png_ptr->sig_bytes = 8;
  139 
  140    if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check) != 0)
  141    {
  142       if (num_checked < 4 &&
  143           png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4))
  144          png_error(png_ptr, "Not a PNG file");
  145       else
  146          png_error(png_ptr, "PNG file corrupted by ASCII conversion");
  147    }
  148    if (num_checked < 3)
  149       png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
  150 }
  151 
  152 /* Read the chunk header (length + type name).
  153  * Put the type name into png_ptr->chunk_name, and return the length.
  154  */
  155 png_uint_32 /* PRIVATE */
  156 png_read_chunk_header(png_structrp png_ptr)
  157 {
  158    png_byte buf[8];
  159    png_uint_32 length;
  160 
  161 #ifdef PNG_IO_STATE_SUPPORTED
  162    png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR;
  163 #endif
  164 
  165    /* Read the length and the chunk name.
  166     * This must be performed in a single I/O call.
  167     */
  168    png_read_data(png_ptr, buf, 8);
  169    length = png_get_uint_31(png_ptr, buf);
  170 
  171    /* Put the chunk name into png_ptr->chunk_name. */
  172    png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+4);
  173 
  174    png_debug2(0, "Reading %lx chunk, length = %lu",
  175        (unsigned long)png_ptr->chunk_name, (unsigned long)length);
  176 
  177    /* Reset the crc and run it over the chunk name. */
  178    png_reset_crc(png_ptr);
  179    png_calculate_crc(png_ptr, buf + 4, 4);
  180 
  181    /* Check to see if chunk name is valid. */
  182    png_check_chunk_name(png_ptr, png_ptr->chunk_name);
  183 
  184    /* Check for too-large chunk length */
  185    png_check_chunk_length(png_ptr, length);
  186 
  187 #ifdef PNG_IO_STATE_SUPPORTED
  188    png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;
  189 #endif
  190 
  191    return length;
  192 }
  193 
  194 /* Read data, and (optionally) run it through the CRC. */
  195 void /* PRIVATE */
  196 png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length)
  197 {
  198    if (png_ptr == NULL)
  199       return;
  200 
  201    png_read_data(png_ptr, buf, length);
  202    png_calculate_crc(png_ptr, buf, length);
  203 }
  204 
  205 /* Optionally skip data and then check the CRC.  Depending on whether we
  206  * are reading an ancillary or critical chunk, and how the program has set
  207  * things up, we may calculate the CRC on the data and print a message.
  208  * Returns '1' if there was a CRC error, '0' otherwise.
  209  */
  210 int /* PRIVATE */
  211 png_crc_finish(png_structrp png_ptr, png_uint_32 skip)
  212 {
  213    /* The size of the local buffer for inflate is a good guess as to a
  214     * reasonable size to use for buffering reads from the application.
  215     */
  216    while (skip > 0)
  217    {
  218       png_uint_32 len;
  219       png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
  220 
  221       len = (sizeof tmpbuf);
  222       if (len > skip)
  223          len = skip;
  224       skip -= len;
  225 
  226       png_crc_read(png_ptr, tmpbuf, len);
  227    }
  228 
  229    if (png_crc_error(png_ptr) != 0)
  230    {
  231       if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0 ?
  232           (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0 :
  233           (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE) != 0)
  234       {
  235          png_chunk_warning(png_ptr, "CRC error");
  236       }
  237 
  238       else
  239          png_chunk_error(png_ptr, "CRC error");
  240 
  241       return (1);
  242    }
  243 
  244    return (0);
  245 }
  246 
  247 /* Compare the CRC stored in the PNG file with that calculated by libpng from
  248  * the data it has read thus far.
  249  */
  250 int /* PRIVATE */
  251 png_crc_error(png_structrp png_ptr)
  252 {
  253    png_byte crc_bytes[4];
  254    png_uint_32 crc;
  255    int need_crc = 1;
  256 
  257    if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
  258    {
  259       if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
  260           (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
  261          need_crc = 0;
  262    }
  263 
  264    else /* critical */
  265    {
  266       if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
  267          need_crc = 0;
  268    }
  269 
  270 #ifdef PNG_IO_STATE_SUPPORTED
  271    png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC;
  272 #endif
  273 
  274    /* The chunk CRC must be serialized in a single I/O call. */
  275    png_read_data(png_ptr, crc_bytes, 4);
  276 
  277    if (need_crc != 0)
  278    {
  279       crc = png_get_uint_32(crc_bytes);
  280       return ((int)(crc != png_ptr->crc));
  281    }
  282 
  283    else
  284       return (0);
  285 }
  286 
  287 #if defined(PNG_READ_iCCP_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) ||\
  288     defined(PNG_READ_pCAL_SUPPORTED) || defined(PNG_READ_sCAL_SUPPORTED) ||\
  289     defined(PNG_READ_sPLT_SUPPORTED) || defined(PNG_READ_tEXt_SUPPORTED) ||\
  290     defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_SEQUENTIAL_READ_SUPPORTED)
  291 /* Manage the read buffer; this simply reallocates the buffer if it is not small
  292  * enough (or if it is not allocated).  The routine returns a pointer to the
  293  * buffer; if an error occurs and 'warn' is set the routine returns NULL, else
  294  * it will call png_error (via png_malloc) on failure.  (warn == 2 means
  295  * 'silent').
  296  */
  297 static png_bytep
  298 png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
  299 {
  300    png_bytep buffer = png_ptr->read_buffer;
  301 
  302    if (buffer != NULL && new_size > png_ptr->read_buffer_size)
  303    {
  304       png_ptr->read_buffer = NULL;
  305       png_ptr->read_buffer = NULL;
  306       png_ptr->read_buffer_size = 0;
  307       png_free(png_ptr, buffer);
  308       buffer = NULL;
  309    }
  310 
  311    if (buffer == NULL)
  312    {
  313       buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
  314 
  315       if (buffer != NULL)
  316       {
  317          png_ptr->read_buffer = buffer;
  318          png_ptr->read_buffer_size = new_size;
  319       }
  320 
  321       else if (warn < 2) /* else silent */
  322       {
  323          if (warn != 0)
  324              png_chunk_warning(png_ptr, "insufficient memory to read chunk");
  325 
  326          else
  327              png_chunk_error(png_ptr, "insufficient memory to read chunk");
  328       }
  329    }
  330 
  331    return buffer;
  332 }
  333 #endif /* READ_iCCP|iTXt|pCAL|sCAL|sPLT|tEXt|zTXt|SEQUENTIAL_READ */
  334 
  335 /* png_inflate_claim: claim the zstream for some nefarious purpose that involves
  336  * decompression.  Returns Z_OK on success, else a zlib error code.  It checks
  337  * the owner but, in final release builds, just issues a warning if some other
  338  * chunk apparently owns the stream.  Prior to release it does a png_error.
  339  */
  340 static int
  341 png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
  342 {
  343    if (png_ptr->zowner != 0)
  344    {
  345       char msg[64];
  346 
  347       PNG_STRING_FROM_CHUNK(msg, png_ptr->zowner);
  348       /* So the message that results is "<chunk> using zstream"; this is an
  349        * internal error, but is very useful for debugging.  i18n requirements
  350        * are minimal.
  351        */
  352       (void)png_safecat(msg, (sizeof msg), 4, " using zstream");
  353 #if PNG_RELEASE_BUILD
  354       png_chunk_warning(png_ptr, msg);
  355       png_ptr->zowner = 0;
  356 #else
  357       png_chunk_error(png_ptr, msg);
  358 #endif
  359    }
  360 
  361    /* Implementation note: unlike 'png_deflate_claim' this internal function
  362     * does not take the size of the data as an argument.  Some efficiency could
  363     * be gained by using this when it is known *if* the zlib stream itself does
  364     * not record the number; however, this is an illusion: the original writer
  365     * of the PNG may have selected a lower window size, and we really must
  366     * follow that because, for systems with with limited capabilities, we
  367     * would otherwise reject the application's attempts to use a smaller window
  368     * size (zlib doesn't have an interface to say "this or lower"!).
  369     *
  370     * inflateReset2 was added to zlib 1.2.4; before this the window could not be
  371     * reset, therefore it is necessary to always allocate the maximum window
  372     * size with earlier zlibs just in case later compressed chunks need it.
  373     */
  374    {
  375       int ret; /* zlib return code */
  376 #if ZLIB_VERNUM >= 0x1240
  377       int window_bits = 0;
  378 
  379 # if defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_MAXIMUM_INFLATE_WINDOW)
  380       if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & 3) ==
  381           PNG_OPTION_ON)
  382       {
  383          window_bits = 15;
  384          png_ptr->zstream_start = 0; /* fixed window size */
  385       }
  386 
  387       else
  388       {
  389          png_ptr->zstream_start = 1;
  390       }
  391 # endif
  392 
  393 #endif /* ZLIB_VERNUM >= 0x1240 */
  394 
  395       /* Set this for safety, just in case the previous owner left pointers to
  396        * memory allocations.
  397        */
  398       png_ptr->zstream.next_in = NULL;
  399       png_ptr->zstream.avail_in = 0;
  400       png_ptr->zstream.next_out = NULL;
  401       png_ptr->zstream.avail_out = 0;
  402 
  403       if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != 0)
  404       {
  405 #if ZLIB_VERNUM >= 0x1240
  406          ret = inflateReset2(&png_ptr->zstream, window_bits);
  407 #else
  408          ret = inflateReset(&png_ptr->zstream);
  409 #endif
  410       }
  411 
  412       else
  413       {
  414 #if ZLIB_VERNUM >= 0x1240
  415          ret = inflateInit2(&png_ptr->zstream, window_bits);
  416 #else
  417          ret = inflateInit(&png_ptr->zstream);
  418 #endif
  419 
  420          if (ret == Z_OK)
  421             png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
  422       }
  423 
  424 #if ZLIB_VERNUM >= 0x1290 && \
  425    defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_IGNORE_ADLER32)
  426       if (((png_ptr->options >> PNG_IGNORE_ADLER32) & 3) == PNG_OPTION_ON)
  427          /* Turn off validation of the ADLER32 checksum in IDAT chunks */
  428          ret = inflateValidate(&png_ptr->zstream, 0);
  429 #endif
  430 
  431       if (ret == Z_OK)
  432          png_ptr->zowner = owner;
  433 
  434       else
  435          png_zstream_error(png_ptr, ret);
  436 
  437       return ret;
  438    }
  439 
  440 #ifdef window_bits
  441 # undef window_bits
  442 #endif
  443 }
  444 
  445 #if ZLIB_VERNUM >= 0x1240
  446 /* Handle the start of the inflate stream if we called inflateInit2(strm,0);
  447  * in this case some zlib versions skip validation of the CINFO field and, in
  448  * certain circumstances, libpng may end up displaying an invalid image, in
  449  * contrast to implementations that call zlib in the normal way (e.g. libpng
  450  * 1.5).
  451  */
  452 int /* PRIVATE */
  453 png_zlib_inflate(png_structrp png_ptr, int flush)
  454 {
  455    if (png_ptr->zstream_start && png_ptr->zstream.avail_in > 0)
  456    {
  457       if ((*png_ptr->zstream.next_in >> 4) > 7)
  458       {
  459          png_ptr->zstream.msg = "invalid window size (libpng)";
  460          return Z_DATA_ERROR;
  461       }
  462 
  463       png_ptr->zstream_start = 0;
  464    }
  465 
  466    return inflate(&png_ptr->zstream, flush);
  467 }
  468 #endif /* Zlib >= 1.2.4 */
  469 
  470 #ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
  471 #if defined(PNG_READ_zTXt_SUPPORTED) || defined (PNG_READ_iTXt_SUPPORTED)
  472 /* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to
  473  * allow the caller to do multiple calls if required.  If the 'finish' flag is
  474  * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
  475  * be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
  476  * Z_OK or Z_STREAM_END will be returned on success.
  477  *
  478  * The input and output sizes are updated to the actual amounts of data consumed
  479  * or written, not the amount available (as in a z_stream).  The data pointers
  480  * are not changed, so the next input is (data+input_size) and the next
  481  * available output is (output+output_size).
  482  */
  483 static int
  484 png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish,
  485     /* INPUT: */ png_const_bytep input, png_uint_32p input_size_ptr,
  486     /* OUTPUT: */ png_bytep output, png_alloc_size_t *output_size_ptr)
  487 {
  488    if (png_ptr->zowner == owner) /* Else not claimed */
  489    {
  490       int ret;
  491       png_alloc_size_t avail_out = *output_size_ptr;
  492       png_uint_32 avail_in = *input_size_ptr;
  493 
  494       /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it
  495        * can't even necessarily handle 65536 bytes) because the type uInt is
  496        * "16 bits or more".  Consequently it is necessary to chunk the input to
  497        * zlib.  This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
  498        * maximum value that can be stored in a uInt.)  It is possible to set
  499        * ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
  500        * a performance advantage, because it reduces the amount of data accessed
  501        * at each step and that may give the OS more time to page it in.
  502        */
  503       png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
  504       /* avail_in and avail_out are set below from 'size' */
  505       png_ptr->zstream.avail_in = 0;
  506       png_ptr->zstream.avail_out = 0;
  507 
  508       /* Read directly into the output if it is available (this is set to
  509        * a local buffer below if output is NULL).
  510        */
  511       if (output != NULL)
  512          png_ptr->zstream.next_out = output;
  513 
  514       do
  515       {
  516          uInt avail;
  517          Byte local_buffer[PNG_INFLATE_BUF_SIZE];
  518 
  519          /* zlib INPUT BUFFER */
  520          /* The setting of 'avail_in' used to be outside the loop; by setting it
  521           * inside it is possible to chunk the input to zlib and simply rely on
  522           * zlib to advance the 'next_in' pointer.  This allows arbitrary
  523           * amounts of data to be passed through zlib at the unavoidable cost of
  524           * requiring a window save (memcpy of up to 32768 output bytes)
  525           * every ZLIB_IO_MAX input bytes.
  526           */
  527          avail_in += png_ptr->zstream.avail_in; /* not consumed last time */
  528 
  529          avail = ZLIB_IO_MAX;
  530 
  531          if (avail_in < avail)
  532             avail = (uInt)avail_in; /* safe: < than ZLIB_IO_MAX */
  533 
  534          avail_in -= avail;
  535          png_ptr->zstream.avail_in = avail;
  536 
  537          /* zlib OUTPUT BUFFER */
  538          avail_out += png_ptr->zstream.avail_out; /* not written last time */
  539 
  540          avail = ZLIB_IO_MAX; /* maximum zlib can process */
  541 
  542          if (output == NULL)
  543          {
  544             /* Reset the output buffer each time round if output is NULL and
  545              * make available the full buffer, up to 'remaining_space'
  546              */
  547             png_ptr->zstream.next_out = local_buffer;
  548             if ((sizeof local_buffer) < avail)
  549                avail = (sizeof local_buffer);
  550          }
  551 
  552          if (avail_out < avail)
  553             avail = (uInt)avail_out; /* safe: < ZLIB_IO_MAX */
  554 
  555          png_ptr->zstream.avail_out = avail;
  556          avail_out -= avail;
  557 
  558          /* zlib inflate call */
  559          /* In fact 'avail_out' may be 0 at this point, that happens at the end
  560           * of the read when the final LZ end code was not passed at the end of
  561           * the previous chunk of input data.  Tell zlib if we have reached the
  562           * end of the output buffer.
  563           */
  564          ret = PNG_INFLATE(png_ptr, avail_out > 0 ? Z_NO_FLUSH :
  565              (finish ? Z_FINISH : Z_SYNC_FLUSH));
  566       } while (ret == Z_OK);
  567 
  568       /* For safety kill the local buffer pointer now */
  569       if (output == NULL)
  570          png_ptr->zstream.next_out = NULL;
  571 
  572       /* Claw back the 'size' and 'remaining_space' byte counts. */
  573       avail_in += png_ptr->zstream.avail_in;
  574       avail_out += png_ptr->zstream.avail_out;
  575 
  576       /* Update the input and output sizes; the updated values are the amount
  577        * consumed or written, effectively the inverse of what zlib uses.
  578        */
  579       if (avail_out > 0)
  580          *output_size_ptr -= avail_out;
  581 
  582       if (avail_in > 0)
  583          *input_size_ptr -= avail_in;
  584 
  585       /* Ensure png_ptr->zstream.msg is set (even in the success case!) */
  586       png_zstream_error(png_ptr, ret);
  587       return ret;
  588    }
  589 
  590    else
  591    {
  592       /* This is a bad internal error.  The recovery assigns to the zstream msg
  593        * pointer, which is not owned by the caller, but this is safe; it's only
  594        * used on errors!
  595        */
  596       png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
  597       return Z_STREAM_ERROR;
  598    }
  599 }
  600 
  601 /*
  602  * Decompress trailing data in a chunk.  The assumption is that read_buffer
  603  * points at an allocated area holding the contents of a chunk with a
  604  * trailing compressed part.  What we get back is an allocated area
  605  * holding the original prefix part and an uncompressed version of the
  606  * trailing part (the malloc area passed in is freed).
  607  */
  608 static int
  609 png_decompress_chunk(png_structrp png_ptr,
  610     png_uint_32 chunklength, png_uint_32 prefix_size,
  611     png_alloc_size_t *newlength /* must be initialized to the maximum! */,
  612     int terminate /*add a '\0' to the end of the uncompressed data*/)
  613 {
  614    /* TODO: implement different limits for different types of chunk.
  615     *
  616     * The caller supplies *newlength set to the maximum length of the
  617     * uncompressed data, but this routine allocates space for the prefix and
  618     * maybe a '\0' terminator too.  We have to assume that 'prefix_size' is
  619     * limited only by the maximum chunk size.
  620     */
  621    png_alloc_size_t limit = PNG_SIZE_MAX;
  622 
  623 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
  624    if (png_ptr->user_chunk_malloc_max > 0 &&
  625        png_ptr->user_chunk_malloc_max < limit)
  626       limit = png_ptr->user_chunk_malloc_max;
  627 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
  628    if (PNG_USER_CHUNK_MALLOC_MAX < limit)
  629       limit = PNG_USER_CHUNK_MALLOC_MAX;
  630 # endif
  631 
  632    if (limit >= prefix_size + (terminate != 0))
  633    {
  634       int ret;
  635 
  636       limit -= prefix_size + (terminate != 0);
  637 
  638       if (limit < *newlength)
  639          *newlength = limit;
  640 
  641       /* Now try to claim the stream. */
  642       ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);
  643 
  644       if (ret == Z_OK)
  645       {
  646          png_uint_32 lzsize = chunklength - prefix_size;
  647 
  648          ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
  649              /* input: */ png_ptr->read_buffer + prefix_size, &lzsize,
  650              /* output: */ NULL, newlength);
  651 
  652          if (ret == Z_STREAM_END)
  653          {
  654             /* Use 'inflateReset' here, not 'inflateReset2' because this
  655              * preserves the previously decided window size (otherwise it would
  656              * be necessary to store the previous window size.)  In practice
  657              * this doesn't matter anyway, because png_inflate will call inflate
  658              * with Z_FINISH in almost all cases, so the window will not be
  659              * maintained.
  660              */
  661             if (inflateReset(&png_ptr->zstream) == Z_OK)
  662             {
  663                /* Because of the limit checks above we know that the new,
  664                 * expanded, size will fit in a size_t (let alone an
  665                 * png_alloc_size_t).  Use png_malloc_base here to avoid an
  666                 * extra OOM message.
  667                 */
  668                png_alloc_size_t new_size = *newlength;
  669                png_alloc_size_t buffer_size = prefix_size + new_size +
  670                    (terminate != 0);
  671                png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
  672                    buffer_size));
  673 
  674                if (text != NULL)
  675                {
  676                   ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,
  677                       png_ptr->read_buffer + prefix_size, &lzsize,
  678                       text + prefix_size, newlength);
  679 
  680                   if (ret == Z_STREAM_END)
  681                   {
  682                      if (new_size == *newlength)
  683                      {
  684                         if (terminate != 0)
  685                            text[prefix_size + *newlength] = 0;
  686 
  687                         if (prefix_size > 0)
  688                            memcpy(text, png_ptr->read_buffer, prefix_size);
  689 
  690                         {
  691                            png_bytep old_ptr = png_ptr->read_buffer;
  692 
  693                            png_ptr->read_buffer = text;
  694                            png_ptr->read_buffer_size = buffer_size;
  695                            text = old_ptr; /* freed below */
  696                         }
  697                      }
  698 
  699                      else
  700                      {
  701                         /* The size changed on the second read, there can be no
  702                          * guarantee that anything is correct at this point.
  703                          * The 'msg' pointer has been set to "unexpected end of
  704                          * LZ stream", which is fine, but return an error code
  705                          * that the caller won't accept.
  706                          */
  707                         ret = PNG_UNEXPECTED_ZLIB_RETURN;
  708                      }
  709                   }
  710 
  711                   else if (ret == Z_OK)
  712                      ret = PNG_UNEXPECTED_ZLIB_RETURN; /* for safety */
  713 
  714                   /* Free the text pointer (this is the old read_buffer on
  715                    * success)
  716                    */
  717                   png_free(png_ptr, text);
  718 
  719                   /* This really is very benign, but it's still an error because
  720                    * the extra space may otherwise be used as a Trojan Horse.
  721                    */
  722                   if (ret == Z_STREAM_END &&
  723                       chunklength - prefix_size != lzsize)
  724                      png_chunk_benign_error(png_ptr, "extra compressed data");
  725                }
  726 
  727                else
  728                {
  729                   /* Out of memory allocating the buffer */
  730                   ret = Z_MEM_ERROR;
  731                   png_zstream_error(png_ptr, Z_MEM_ERROR);
  732                }
  733             }
  734 
  735             else
  736             {
  737                /* inflateReset failed, store the error message */
  738                png_zstream_error(png_ptr, ret);
  739 
  740                if (ret == Z_STREAM_END)
  741                   ret = PNG_UNEXPECTED_ZLIB_RETURN;
  742             }
  743          }
  744 
  745          else if (ret == Z_OK)
  746             ret = PNG_UNEXPECTED_ZLIB_RETURN;
  747 
  748          /* Release the claimed stream */
  749          png_ptr->zowner = 0;
  750       }
  751 
  752       else /* the claim failed */ if (ret == Z_STREAM_END) /* impossible! */
  753          ret = PNG_UNEXPECTED_ZLIB_RETURN;
  754 
  755       return ret;
  756    }
  757 
  758    else
  759    {
  760       /* Application/configuration limits exceeded */
  761       png_zstream_error(png_ptr, Z_MEM_ERROR);
  762       return Z_MEM_ERROR;
  763    }
  764 }
  765 #endif /* READ_zTXt || READ_iTXt */
  766 #endif /* READ_COMPRESSED_TEXT */
  767 
  768 #ifdef PNG_READ_iCCP_SUPPORTED
  769 /* Perform a partial read and decompress, producing 'avail_out' bytes and
  770  * reading from the current chunk as required.
  771  */
  772 static int
  773 png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size,
  774     png_uint_32p chunk_bytes, png_bytep next_out, png_alloc_size_t *out_size,
  775     int finish)
  776 {
  777    if (png_ptr->zowner == png_ptr->chunk_name)
  778    {
  779       int ret;
  780 
  781       /* next_in and avail_in must have been initialized by the caller. */
  782       png_ptr->zstream.next_out = next_out;
  783       png_ptr->zstream.avail_out = 0; /* set in the loop */
  784 
  785       do
  786       {
  787          if (png_ptr->zstream.avail_in == 0)
  788          {
  789             if (read_size > *chunk_bytes)
  790                read_size = (uInt)*chunk_bytes;
  791             *chunk_bytes -= read_size;
  792 
  793             if (read_size > 0)
  794                png_crc_read(png_ptr, read_buffer, read_size);
  795 
  796             png_ptr->zstream.next_in = read_buffer;
  797             png_ptr->zstream.avail_in = read_size;
  798          }
  799 
  800          if (png_ptr->zstream.avail_out == 0)
  801          {
  802             uInt avail = ZLIB_IO_MAX;
  803             if (avail > *out_size)
  804                avail = (uInt)*out_size;
  805             *out_size -= avail;
  806 
  807             png_ptr->zstream.avail_out = avail;
  808          }
  809 
  810          /* Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all
  811           * the available output is produced; this allows reading of truncated
  812           * streams.
  813           */
  814          ret = PNG_INFLATE(png_ptr, *chunk_bytes > 0 ?
  815              Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));
  816       }
  817       while (ret == Z_OK && (*out_size > 0 || png_ptr->zstream.avail_out > 0));
  818 
  819       *out_size += png_ptr->zstream.avail_out;
  820       png_ptr->zstream.avail_out = 0; /* Should not be required, but is safe */
  821 
  822       /* Ensure the error message pointer is always set: */
  823       png_zstream_error(png_ptr, ret);
  824       return ret;
  825    }
  826 
  827    else
  828    {
  829       png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
  830       return Z_STREAM_ERROR;
  831    }
  832 }
  833 #endif /* READ_iCCP */
  834 
  835 /* Read and check the IDHR chunk */
  836 
  837 void /* PRIVATE */
  838 png_handle_IHDR(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
  839 {
  840    png_byte buf[13];
  841    png_uint_32 width, height;
  842    int bit_depth, color_type, compression_type, filter_type;
  843    int interlace_type;
  844 
  845    png_debug(1, "in png_handle_IHDR");
  846 
  847    if ((png_ptr->mode & PNG_HAVE_IHDR) != 0)
  848       png_chunk_error(png_ptr, "out of place");
  849 
  850    /* Check the length */
  851    if (length != 13)
  852       png_chunk_error(png_ptr, "invalid");
  853 
  854    png_ptr->mode |= PNG_HAVE_IHDR;
  855 
  856    png_crc_read(png_ptr, buf, 13);
  857    png_crc_finish(png_ptr, 0);
  858 
  859    width = png_get_uint_31(png_ptr, buf);
  860    height = png_get_uint_31(png_ptr, buf + 4);
  861    bit_depth = buf[8];
  862    color_type = buf[9];
  863    compression_type = buf[10];
  864    filter_type = buf[11];
  865    interlace_type = buf[12];
  866 
  867    /* Set internal variables */
  868    png_ptr->width = width;
  869    png_ptr->height = height;
  870    png_ptr->bit_depth = (png_byte)bit_depth;
  871    png_ptr->interlaced = (png_byte)interlace_type;
  872    png_ptr->color_type = (png_byte)color_type;
  873 #ifdef PNG_MNG_FEATURES_SUPPORTED
  874    png_ptr->filter_type = (png_byte)filter_type;
  875 #endif
  876    png_ptr->compression_type = (png_byte)compression_type;
  877 
  878    /* Find number of channels */
  879    switch (png_ptr->color_type)
  880    {
  881       default: /* invalid, png_set_IHDR calls png_error */
  882       case PNG_COLOR_TYPE_GRAY:
  883       case PNG_COLOR_TYPE_PALETTE:
  884          png_ptr->channels = 1;
  885          break;
  886 
  887       case PNG_COLOR_TYPE_RGB:
  888          png_ptr->channels = 3;
  889          break;
  890 
  891       case PNG_COLOR_TYPE_GRAY_ALPHA:
  892          png_ptr->channels = 2;
  893          break;
  894 
  895       case PNG_COLOR_TYPE_RGB_ALPHA:
  896          png_ptr->channels = 4;
  897          break;
  898    }
  899 
  900    /* Set up other useful info */
  901    png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * png_ptr->channels);
  902    png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
  903    png_debug1(3, "bit_depth = %d", png_ptr->bit_depth);
  904    png_debug1(3, "channels = %d", png_ptr->channels);
  905    png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);
  906    png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
  907        color_type, interlace_type, compression_type, filter_type);
  908 }
  909 
  910 /* Read and check the palette */
  911 void /* PRIVATE */
  912 png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
  913 {
  914    png_color palette[PNG_MAX_PALETTE_LENGTH];
  915    int max_palette_length, num, i;
  916 #ifdef PNG_POINTER_INDEXING_SUPPORTED
  917    png_colorp pal_ptr;
  918 #endif
  919 
  920    png_debug(1, "in png_handle_PLTE");
  921 
  922    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
  923       png_chunk_error(png_ptr, "missing IHDR");
  924 
  925    /* Moved to before the 'after IDAT' check below because otherwise duplicate
  926     * PLTE chunks are potentially ignored (the spec says there shall not be more
  927     * than one PLTE, the error is not treated as benign, so this check trumps
  928     * the requirement that PLTE appears before IDAT.)
  929     */
  930    else if ((png_ptr->mode & PNG_HAVE_PLTE) != 0)
  931       png_chunk_error(png_ptr, "duplicate");
  932 
  933    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
  934    {
  935       /* This is benign because the non-benign error happened before, when an
  936        * IDAT was encountered in a color-mapped image with no PLTE.
  937        */
  938       png_crc_finish(png_ptr, length);
  939       png_chunk_benign_error(png_ptr, "out of place");
  940       return;
  941    }
  942 
  943    png_ptr->mode |= PNG_HAVE_PLTE;
  944 
  945    if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0)
  946    {
  947       png_crc_finish(png_ptr, length);
  948       png_chunk_benign_error(png_ptr, "ignored in grayscale PNG");
  949       return;
  950    }
  951 
  952 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
  953    if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
  954    {
  955       png_crc_finish(png_ptr, length);
  956       return;
  957    }
  958 #endif
  959 
  960    if (length > 3*PNG_MAX_PALETTE_LENGTH || length % 3)
  961    {
  962       png_crc_finish(png_ptr, length);
  963 
  964       if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
  965          png_chunk_benign_error(png_ptr, "invalid");
  966 
  967       else
  968          png_chunk_error(png_ptr, "invalid");
  969 
  970       return;
  971    }
  972 
  973    /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */
  974    num = (int)length / 3;
  975 
  976    /* If the palette has 256 or fewer entries but is too large for the bit
  977     * depth, we don't issue an error, to preserve the behavior of previous
  978     * libpng versions. We silently truncate the unused extra palette entries
  979     * here.
  980     */
  981    if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
  982       max_palette_length = (1 << png_ptr->bit_depth);
  983    else
  984       max_palette_length = PNG_MAX_PALETTE_LENGTH;
  985 
  986    if (num > max_palette_length)
  987       num = max_palette_length;
  988 
  989 #ifdef PNG_POINTER_INDEXING_SUPPORTED
  990    for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++)
  991    {
  992       png_byte buf[3];
  993 
  994       png_crc_read(png_ptr, buf, 3);
  995       pal_ptr->red = buf[0];
  996       pal_ptr->green = buf[1];
  997       pal_ptr->blue = buf[2];
  998    }
  999 #else
 1000    for (i = 0; i < num; i++)
 1001    {
 1002       png_byte buf[3];
 1003 
 1004       png_crc_read(png_ptr, buf, 3);
 1005       /* Don't depend upon png_color being any order */
 1006       palette[i].red = buf[0];
 1007       palette[i].green = buf[1];
 1008       palette[i].blue = buf[2];
 1009    }
 1010 #endif
 1011 
 1012    /* If we actually need the PLTE chunk (ie for a paletted image), we do
 1013     * whatever the normal CRC configuration tells us.  However, if we
 1014     * have an RGB image, the PLTE can be considered ancillary, so
 1015     * we will act as though it is.
 1016     */
 1017 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
 1018    if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
 1019 #endif
 1020    {
 1021       png_crc_finish(png_ptr, (png_uint_32) (length - (unsigned int)num * 3));
 1022    }
 1023 
 1024 #ifndef PNG_READ_OPT_PLTE_SUPPORTED
 1025    else if (png_crc_error(png_ptr) != 0)  /* Only if we have a CRC error */
 1026    {
 1027       /* If we don't want to use the data from an ancillary chunk,
 1028        * we have two options: an error abort, or a warning and we
 1029        * ignore the data in this chunk (which should be OK, since
 1030        * it's considered ancillary for a RGB or RGBA image).
 1031        *
 1032        * IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the
 1033        * chunk type to determine whether to check the ancillary or the critical
 1034        * flags.
 1035        */
 1036       if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE) == 0)
 1037       {
 1038          if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) != 0)
 1039             return;
 1040 
 1041          else
 1042             png_chunk_error(png_ptr, "CRC error");
 1043       }
 1044 
 1045       /* Otherwise, we (optionally) emit a warning and use the chunk. */
 1046       else if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0)
 1047          png_chunk_warning(png_ptr, "CRC error");
 1048    }
 1049 #endif
 1050 
 1051    /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its
 1052     * own copy of the palette.  This has the side effect that when png_start_row
 1053     * is called (this happens after any call to png_read_update_info) the
 1054     * info_ptr palette gets changed.  This is extremely unexpected and
 1055     * confusing.
 1056     *
 1057     * Fix this by not sharing the palette in this way.
 1058     */
 1059    png_set_PLTE(png_ptr, info_ptr, palette, num);
 1060 
 1061    /* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
 1062     * IDAT.  Prior to 1.6.0 this was not checked; instead the code merely
 1063     * checked the apparent validity of a tRNS chunk inserted before PLTE on a
 1064     * palette PNG.  1.6.0 attempts to rigorously follow the standard and
 1065     * therefore does a benign error if the erroneous condition is detected *and*
 1066     * cancels the tRNS if the benign error returns.  The alternative is to
 1067     * amend the standard since it would be rather hypocritical of the standards
 1068     * maintainers to ignore it.
 1069     */
 1070 #ifdef PNG_READ_tRNS_SUPPORTED
 1071    if (png_ptr->num_trans > 0 ||
 1072        (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0))
 1073    {
 1074       /* Cancel this because otherwise it would be used if the transforms
 1075        * require it.  Don't cancel the 'valid' flag because this would prevent
 1076        * detection of duplicate chunks.
 1077        */
 1078       png_ptr->num_trans = 0;
 1079 
 1080       if (info_ptr != NULL)
 1081          info_ptr->num_trans = 0;
 1082 
 1083       png_chunk_benign_error(png_ptr, "tRNS must be after");
 1084    }
 1085 #endif
 1086 
 1087 #ifdef PNG_READ_hIST_SUPPORTED
 1088    if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
 1089       png_chunk_benign_error(png_ptr, "hIST must be after");
 1090 #endif
 1091 
 1092 #ifdef PNG_READ_bKGD_SUPPORTED
 1093    if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
 1094       png_chunk_benign_error(png_ptr, "bKGD must be after");
 1095 #endif
 1096 }
 1097 
 1098 void /* PRIVATE */
 1099 png_handle_IEND(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 1100 {
 1101    png_debug(1, "in png_handle_IEND");
 1102 
 1103    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0 ||
 1104        (png_ptr->mode & PNG_HAVE_IDAT) == 0)
 1105       png_chunk_error(png_ptr, "out of place");
 1106 
 1107    png_ptr->mode |= (PNG_AFTER_IDAT | PNG_HAVE_IEND);
 1108 
 1109    png_crc_finish(png_ptr, length);
 1110 
 1111    if (length != 0)
 1112       png_chunk_benign_error(png_ptr, "invalid");
 1113 
 1114    PNG_UNUSED(info_ptr)
 1115 }
 1116 
 1117 #ifdef PNG_READ_gAMA_SUPPORTED
 1118 void /* PRIVATE */
 1119 png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 1120 {
 1121    png_fixed_point igamma;
 1122    png_byte buf[4];
 1123 
 1124    png_debug(1, "in png_handle_gAMA");
 1125 
 1126    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 1127       png_chunk_error(png_ptr, "missing IHDR");
 1128 
 1129    else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
 1130    {
 1131       png_crc_finish(png_ptr, length);
 1132       png_chunk_benign_error(png_ptr, "out of place");
 1133       return;
 1134    }
 1135 
 1136    if (length != 4)
 1137    {
 1138       png_crc_finish(png_ptr, length);
 1139       png_chunk_benign_error(png_ptr, "invalid");
 1140       return;
 1141    }
 1142 
 1143    png_crc_read(png_ptr, buf, 4);
 1144 
 1145    if (png_crc_finish(png_ptr, 0) != 0)
 1146       return;
 1147 
 1148    igamma = png_get_fixed_point(NULL, buf);
 1149 
 1150    png_colorspace_set_gamma(png_ptr, &png_ptr->colorspace, igamma);
 1151    png_colorspace_sync(png_ptr, info_ptr);
 1152 }
 1153 #endif
 1154 
 1155 #ifdef PNG_READ_sBIT_SUPPORTED
 1156 void /* PRIVATE */
 1157 png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 1158 {
 1159    unsigned int truelen, i;
 1160    png_byte sample_depth;
 1161    png_byte buf[4];
 1162 
 1163    png_debug(1, "in png_handle_sBIT");
 1164 
 1165    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 1166       png_chunk_error(png_ptr, "missing IHDR");
 1167 
 1168    else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
 1169    {
 1170       png_crc_finish(png_ptr, length);
 1171       png_chunk_benign_error(png_ptr, "out of place");
 1172       return;
 1173    }
 1174 
 1175    if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT) != 0)
 1176    {
 1177       png_crc_finish(png_ptr, length);
 1178       png_chunk_benign_error(png_ptr, "duplicate");
 1179       return;
 1180    }
 1181 
 1182    if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
 1183    {
 1184       truelen = 3;
 1185       sample_depth = 8;
 1186    }
 1187 
 1188    else
 1189    {
 1190       truelen = png_ptr->channels;
 1191       sample_depth = png_ptr->bit_depth;
 1192    }
 1193 
 1194    if (length != truelen || length > 4)
 1195    {
 1196       png_chunk_benign_error(png_ptr, "invalid");
 1197       png_crc_finish(png_ptr, length);
 1198       return;
 1199    }
 1200 
 1201    buf[0] = buf[1] = buf[2] = buf[3] = sample_depth;
 1202    png_crc_read(png_ptr, buf, truelen);
 1203 
 1204    if (png_crc_finish(png_ptr, 0) != 0)
 1205       return;
 1206 
 1207    for (i=0; i<truelen; ++i)
 1208    {
 1209       if (buf[i] == 0 || buf[i] > sample_depth)
 1210       {
 1211          png_chunk_benign_error(png_ptr, "invalid");
 1212          return;
 1213       }
 1214    }
 1215 
 1216    if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
 1217    {
 1218       png_ptr->sig_bit.red = buf[0];
 1219       png_ptr->sig_bit.green = buf[1];
 1220       png_ptr->sig_bit.blue = buf[2];
 1221       png_ptr->sig_bit.alpha = buf[3];
 1222    }
 1223 
 1224    else
 1225    {
 1226       png_ptr->sig_bit.gray = buf[0];
 1227       png_ptr->sig_bit.red = buf[0];
 1228       png_ptr->sig_bit.green = buf[0];
 1229       png_ptr->sig_bit.blue = buf[0];
 1230       png_ptr->sig_bit.alpha = buf[1];
 1231    }
 1232 
 1233    png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit));
 1234 }
 1235 #endif
 1236 
 1237 #ifdef PNG_READ_cHRM_SUPPORTED
 1238 void /* PRIVATE */
 1239 png_handle_cHRM(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 1240 {
 1241    png_byte buf[32];
 1242    png_xy xy;
 1243 
 1244    png_debug(1, "in png_handle_cHRM");
 1245 
 1246    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 1247       png_chunk_error(png_ptr, "missing IHDR");
 1248 
 1249    else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
 1250    {
 1251       png_crc_finish(png_ptr, length);
 1252       png_chunk_benign_error(png_ptr, "out of place");
 1253       return;
 1254    }
 1255 
 1256    if (length != 32)
 1257    {
 1258       png_crc_finish(png_ptr, length);
 1259       png_chunk_benign_error(png_ptr, "invalid");
 1260       return;
 1261    }
 1262 
 1263    png_crc_read(png_ptr, buf, 32);
 1264 
 1265    if (png_crc_finish(png_ptr, 0) != 0)
 1266       return;
 1267 
 1268    xy.whitex = png_get_fixed_point(NULL, buf);
 1269    xy.whitey = png_get_fixed_point(NULL, buf + 4);
 1270    xy.redx   = png_get_fixed_point(NULL, buf + 8);
 1271    xy.redy   = png_get_fixed_point(NULL, buf + 12);
 1272    xy.greenx = png_get_fixed_point(NULL, buf + 16);
 1273    xy.greeny = png_get_fixed_point(NULL, buf + 20);
 1274    xy.bluex  = png_get_fixed_point(NULL, buf + 24);
 1275    xy.bluey  = png_get_fixed_point(NULL, buf + 28);
 1276 
 1277    if (xy.whitex == PNG_FIXED_ERROR ||
 1278        xy.whitey == PNG_FIXED_ERROR ||
 1279        xy.redx   == PNG_FIXED_ERROR ||
 1280        xy.redy   == PNG_FIXED_ERROR ||
 1281        xy.greenx == PNG_FIXED_ERROR ||
 1282        xy.greeny == PNG_FIXED_ERROR ||
 1283        xy.bluex  == PNG_FIXED_ERROR ||
 1284        xy.bluey  == PNG_FIXED_ERROR)
 1285    {
 1286       png_chunk_benign_error(png_ptr, "invalid values");
 1287       return;
 1288    }
 1289 
 1290    /* If a colorspace error has already been output skip this chunk */
 1291    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
 1292       return;
 1293 
 1294    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_FROM_cHRM) != 0)
 1295    {
 1296       png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
 1297       png_colorspace_sync(png_ptr, info_ptr);
 1298       png_chunk_benign_error(png_ptr, "duplicate");
 1299       return;
 1300    }
 1301 
 1302    png_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
 1303    (void)png_colorspace_set_chromaticities(png_ptr, &png_ptr->colorspace, &xy,
 1304        1/*prefer cHRM values*/);
 1305    png_colorspace_sync(png_ptr, info_ptr);
 1306 }
 1307 #endif
 1308 
 1309 #ifdef PNG_READ_sRGB_SUPPORTED
 1310 void /* PRIVATE */
 1311 png_handle_sRGB(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 1312 {
 1313    png_byte intent;
 1314 
 1315    png_debug(1, "in png_handle_sRGB");
 1316 
 1317    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 1318       png_chunk_error(png_ptr, "missing IHDR");
 1319 
 1320    else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
 1321    {
 1322       png_crc_finish(png_ptr, length);
 1323       png_chunk_benign_error(png_ptr, "out of place");
 1324       return;
 1325    }
 1326 
 1327    if (length != 1)
 1328    {
 1329       png_crc_finish(png_ptr, length);
 1330       png_chunk_benign_error(png_ptr, "invalid");
 1331       return;
 1332    }
 1333 
 1334    png_crc_read(png_ptr, &intent, 1);
 1335 
 1336    if (png_crc_finish(png_ptr, 0) != 0)
 1337       return;
 1338 
 1339    /* If a colorspace error has already been output skip this chunk */
 1340    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
 1341       return;
 1342 
 1343    /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
 1344     * this.
 1345     */
 1346    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) != 0)
 1347    {
 1348       png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
 1349       png_colorspace_sync(png_ptr, info_ptr);
 1350       png_chunk_benign_error(png_ptr, "too many profiles");
 1351       return;
 1352    }
 1353 
 1354    (void)png_colorspace_set_sRGB(png_ptr, &png_ptr->colorspace, intent);
 1355    png_colorspace_sync(png_ptr, info_ptr);
 1356 }
 1357 #endif /* READ_sRGB */
 1358 
 1359 #ifdef PNG_READ_iCCP_SUPPORTED
 1360 void /* PRIVATE */
 1361 png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 1362 /* Note: this does not properly handle profiles that are > 64K under DOS */
 1363 {
 1364    png_const_charp errmsg = NULL; /* error message output, or no error */
 1365    int finished = 0; /* crc checked */
 1366 
 1367    png_debug(1, "in png_handle_iCCP");
 1368 
 1369    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 1370       png_chunk_error(png_ptr, "missing IHDR");
 1371 
 1372    else if ((png_ptr->mode & (PNG_HAVE_IDAT|PNG_HAVE_PLTE)) != 0)
 1373    {
 1374       png_crc_finish(png_ptr, length);
 1375       png_chunk_benign_error(png_ptr, "out of place");
 1376       return;
 1377    }
 1378 
 1379    /* Consistent with all the above colorspace handling an obviously *invalid*
 1380     * chunk is just ignored, so does not invalidate the color space.  An
 1381     * alternative is to set the 'invalid' flags at the start of this routine
 1382     * and only clear them in they were not set before and all the tests pass.
 1383     */
 1384 
 1385    /* The keyword must be at least one character and there is a
 1386     * terminator (0) byte and the compression method byte, and the
 1387     * 'zlib' datastream is at least 11 bytes.
 1388     */
 1389    if (length < 14)
 1390    {
 1391       png_crc_finish(png_ptr, length);
 1392       png_chunk_benign_error(png_ptr, "too short");
 1393       return;
 1394    }
 1395 
 1396    /* If a colorspace error has already been output skip this chunk */
 1397    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
 1398    {
 1399       png_crc_finish(png_ptr, length);
 1400       return;
 1401    }
 1402 
 1403    /* Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect
 1404     * this.
 1405     */
 1406    if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == 0)
 1407    {
 1408       uInt read_length, keyword_length;
 1409       char keyword[81];
 1410 
 1411       /* Find the keyword; the keyword plus separator and compression method
 1412        * bytes can be at most 81 characters long.
 1413        */
 1414       read_length = 81; /* maximum */
 1415       if (read_length > length)
 1416          read_length = (uInt)length;
 1417 
 1418       png_crc_read(png_ptr, (png_bytep)keyword, read_length);
 1419       length -= read_length;
 1420 
 1421       /* The minimum 'zlib' stream is assumed to be just the 2 byte header,
 1422        * 5 bytes minimum 'deflate' stream, and the 4 byte checksum.
 1423        */
 1424       if (length < 11)
 1425       {
 1426          png_crc_finish(png_ptr, length);
 1427          png_chunk_benign_error(png_ptr, "too short");
 1428          return;
 1429       }
 1430 
 1431       keyword_length = 0;
 1432       while (keyword_length < 80 && keyword_length < read_length &&
 1433          keyword[keyword_length] != 0)
 1434          ++keyword_length;
 1435 
 1436       /* TODO: make the keyword checking common */
 1437       if (keyword_length >= 1 && keyword_length <= 79)
 1438       {
 1439          /* We only understand '0' compression - deflate - so if we get a
 1440           * different value we can't safely decode the chunk.
 1441           */
 1442          if (keyword_length+1 < read_length &&
 1443             keyword[keyword_length+1] == PNG_COMPRESSION_TYPE_BASE)
 1444          {
 1445             read_length -= keyword_length+2;
 1446 
 1447             if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK)
 1448             {
 1449                Byte profile_header[132]={0};
 1450                Byte local_buffer[PNG_INFLATE_BUF_SIZE];
 1451                png_alloc_size_t size = (sizeof profile_header);
 1452 
 1453                png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+2);
 1454                png_ptr->zstream.avail_in = read_length;
 1455                (void)png_inflate_read(png_ptr, local_buffer,
 1456                    (sizeof local_buffer), &length, profile_header, &size,
 1457                    0/*finish: don't, because the output is too small*/);
 1458 
 1459                if (size == 0)
 1460                {
 1461                   /* We have the ICC profile header; do the basic header checks.
 1462                    */
 1463                   const png_uint_32 profile_length =
 1464                      png_get_uint_32(profile_header);
 1465 
 1466                   if (png_icc_check_length(png_ptr, &png_ptr->colorspace,
 1467                       keyword, profile_length) != 0)
 1468                   {
 1469                      /* The length is apparently ok, so we can check the 132
 1470                       * byte header.
 1471                       */
 1472                      if (png_icc_check_header(png_ptr, &png_ptr->colorspace,
 1473                          keyword, profile_length, profile_header,
 1474                          png_ptr->color_type) != 0)
 1475                      {
 1476                         /* Now read the tag table; a variable size buffer is
 1477                          * needed at this point, allocate one for the whole
 1478                          * profile.  The header check has already validated
 1479                          * that none of these stuff will overflow.
 1480                          */
 1481                         const png_uint_32 tag_count = png_get_uint_32(
 1482                             profile_header+128);
 1483                         png_bytep profile = png_read_buffer(png_ptr,
 1484                             profile_length, 2/*silent*/);
 1485 
 1486                         if (profile != NULL)
 1487                         {
 1488                            memcpy(profile, profile_header,
 1489                                (sizeof profile_header));
 1490 
 1491                            size = 12 * tag_count;
 1492 
 1493                            (void)png_inflate_read(png_ptr, local_buffer,
 1494                                (sizeof local_buffer), &length,
 1495                                profile + (sizeof profile_header), &size, 0);
 1496 
 1497                            /* Still expect a buffer error because we expect
 1498                             * there to be some tag data!
 1499                             */
 1500                            if (size == 0)
 1501                            {
 1502                               if (png_icc_check_tag_table(png_ptr,
 1503                                   &png_ptr->colorspace, keyword, profile_length,
 1504                                   profile) != 0)
 1505                               {
 1506                                  /* The profile has been validated for basic
 1507                                   * security issues, so read the whole thing in.
 1508                                   */
 1509                                  size = profile_length - (sizeof profile_header)
 1510                                      - 12 * tag_count;
 1511 
 1512                                  (void)png_inflate_read(png_ptr, local_buffer,
 1513                                      (sizeof local_buffer), &length,
 1514                                      profile + (sizeof profile_header) +
 1515                                      12 * tag_count, &size, 1/*finish*/);
 1516 
 1517                                  if (length > 0 && !(png_ptr->flags &
 1518                                      PNG_FLAG_BENIGN_ERRORS_WARN))
 1519                                     errmsg = "extra compressed data";
 1520 
 1521                                  /* But otherwise allow extra data: */
 1522                                  else if (size == 0)
 1523                                  {
 1524                                     if (length > 0)
 1525                                     {
 1526                                        /* This can be handled completely, so
 1527                                         * keep going.
 1528                                         */
 1529                                        png_chunk_warning(png_ptr,
 1530                                            "extra compressed data");
 1531                                     }
 1532 
 1533                                     png_crc_finish(png_ptr, length);
 1534                                     finished = 1;
 1535 
 1536 # if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
 1537                                     /* Check for a match against sRGB */
 1538                                     png_icc_set_sRGB(png_ptr,
 1539                                         &png_ptr->colorspace, profile,
 1540                                         png_ptr->zstream.adler);
 1541 # endif
 1542 
 1543                                     /* Steal the profile for info_ptr. */
 1544                                     if (info_ptr != NULL)
 1545                                     {
 1546                                        png_free_data(png_ptr, info_ptr,
 1547                                            PNG_FREE_ICCP, 0);
 1548 
 1549                                        info_ptr->iccp_name = png_voidcast(char*,
 1550                                            png_malloc_base(png_ptr,
 1551                                            keyword_length+1));
 1552                                        if (info_ptr->iccp_name != NULL)
 1553                                        {
 1554                                           memcpy(info_ptr->iccp_name, keyword,
 1555                                               keyword_length+1);
 1556                                           info_ptr->iccp_proflen =
 1557                                               profile_length;
 1558                                           info_ptr->iccp_profile = profile;
 1559                                           png_ptr->read_buffer = NULL; /*steal*/
 1560                                           info_ptr->free_me |= PNG_FREE_ICCP;
 1561                                           info_ptr->valid |= PNG_INFO_iCCP;
 1562                                        }
 1563 
 1564                                        else
 1565                                        {
 1566                                           png_ptr->colorspace.flags |=
 1567                                              PNG_COLORSPACE_INVALID;
 1568                                           errmsg = "out of memory";
 1569                                        }
 1570                                     }
 1571 
 1572                                     /* else the profile remains in the read
 1573                                      * buffer which gets reused for subsequent
 1574                                      * chunks.
 1575                                      */
 1576 
 1577                                     if (info_ptr != NULL)
 1578                                        png_colorspace_sync(png_ptr, info_ptr);
 1579 
 1580                                     if (errmsg == NULL)
 1581                                     {
 1582                                        png_ptr->zowner = 0;
 1583                                        return;
 1584                                     }
 1585                                  }
 1586 
 1587                                  else if (size > 0)
 1588                                     errmsg = "truncated";
 1589 
 1590 #ifndef __COVERITY__
 1591                                  else
 1592                                     errmsg = png_ptr->zstream.msg;
 1593 #endif
 1594                               }
 1595 
 1596                               /* else png_icc_check_tag_table output an error */
 1597                            }
 1598 
 1599                            else /* profile truncated */
 1600                               errmsg = png_ptr->zstream.msg;
 1601                         }
 1602 
 1603                         else
 1604                            errmsg = "out of memory";
 1605                      }
 1606 
 1607                      /* else png_icc_check_header output an error */
 1608                   }
 1609 
 1610                   /* else png_icc_check_length output an error */
 1611                }
 1612 
 1613                else /* profile truncated */
 1614                   errmsg = png_ptr->zstream.msg;
 1615 
 1616                /* Release the stream */
 1617                png_ptr->zowner = 0;
 1618             }
 1619 
 1620             else /* png_inflate_claim failed */
 1621                errmsg = png_ptr->zstream.msg;
 1622          }
 1623 
 1624          else
 1625             errmsg = "bad compression method"; /* or missing */
 1626       }
 1627 
 1628       else
 1629          errmsg = "bad keyword";
 1630    }
 1631 
 1632    else
 1633       errmsg = "too many profiles";
 1634 
 1635    /* Failure: the reason is in 'errmsg' */
 1636    if (finished == 0)
 1637       png_crc_finish(png_ptr, length);
 1638 
 1639    png_ptr->colorspace.flags |= PNG_COLORSPACE_INVALID;
 1640    png_colorspace_sync(png_ptr, info_ptr);
 1641    if (errmsg != NULL) /* else already output */
 1642       png_chunk_benign_error(png_ptr, errmsg);
 1643 }
 1644 #endif /* READ_iCCP */
 1645 
 1646 #ifdef PNG_READ_sPLT_SUPPORTED
 1647 void /* PRIVATE */
 1648 png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 1649 /* Note: this does not properly handle chunks that are > 64K under DOS */
 1650 {
 1651    png_bytep entry_start, buffer;
 1652    png_sPLT_t new_palette;
 1653    png_sPLT_entryp pp;
 1654    png_uint_32 data_length;
 1655    int entry_size, i;
 1656    png_uint_32 skip = 0;
 1657    png_uint_32 dl;
 1658    png_size_t max_dl;
 1659 
 1660    png_debug(1, "in png_handle_sPLT");
 1661 
 1662 #ifdef PNG_USER_LIMITS_SUPPORTED
 1663    if (png_ptr->user_chunk_cache_max != 0)
 1664    {
 1665       if (png_ptr->user_chunk_cache_max == 1)
 1666       {
 1667          png_crc_finish(png_ptr, length);
 1668          return;
 1669       }
 1670 
 1671       if (--png_ptr->user_chunk_cache_max == 1)
 1672       {
 1673          png_warning(png_ptr, "No space in chunk cache for sPLT");
 1674          png_crc_finish(png_ptr, length);
 1675          return;
 1676       }
 1677    }
 1678 #endif
 1679 
 1680    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 1681       png_chunk_error(png_ptr, "missing IHDR");
 1682 
 1683    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
 1684    {
 1685       png_crc_finish(png_ptr, length);
 1686       png_chunk_benign_error(png_ptr, "out of place");
 1687       return;
 1688    }
 1689 
 1690 #ifdef PNG_MAX_MALLOC_64K
 1691    if (length > 65535U)
 1692    {
 1693       png_crc_finish(png_ptr, length);
 1694       png_chunk_benign_error(png_ptr, "too large to fit in memory");
 1695       return;
 1696    }
 1697 #endif
 1698 
 1699    buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
 1700    if (buffer == NULL)
 1701    {
 1702       png_crc_finish(png_ptr, length);
 1703       png_chunk_benign_error(png_ptr, "out of memory");
 1704       return;
 1705    }
 1706 
 1707 
 1708    /* WARNING: this may break if size_t is less than 32 bits; it is assumed
 1709     * that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
 1710     * potential breakage point if the types in pngconf.h aren't exactly right.
 1711     */
 1712    png_crc_read(png_ptr, buffer, length);
 1713 
 1714    if (png_crc_finish(png_ptr, skip) != 0)
 1715       return;
 1716 
 1717    buffer[length] = 0;
 1718 
 1719    for (entry_start = buffer; *entry_start; entry_start++)
 1720       /* Empty loop to find end of name */ ;
 1721 
 1722    ++entry_start;
 1723 
 1724    /* A sample depth should follow the separator, and we should be on it  */
 1725    if (length < 2U || entry_start > buffer + (length - 2U))
 1726    {
 1727       png_warning(png_ptr, "malformed sPLT chunk");
 1728       return;
 1729    }
 1730 
 1731    new_palette.depth = *entry_start++;
 1732    entry_size = (new_palette.depth == 8 ? 6 : 10);
 1733    /* This must fit in a png_uint_32 because it is derived from the original
 1734     * chunk data length.
 1735     */
 1736    data_length = length - (png_uint_32)(entry_start - buffer);
 1737 
 1738    /* Integrity-check the data length */
 1739    if ((data_length % (unsigned int)entry_size) != 0)
 1740    {
 1741       png_warning(png_ptr, "sPLT chunk has bad length");
 1742       return;
 1743    }
 1744 
 1745    dl = (png_uint_32)(data_length / (unsigned int)entry_size);
 1746    max_dl = PNG_SIZE_MAX / (sizeof (png_sPLT_entry));
 1747 
 1748    if (dl > max_dl)
 1749    {
 1750       png_warning(png_ptr, "sPLT chunk too long");
 1751       return;
 1752    }
 1753 
 1754    new_palette.nentries = (png_int_32)(data_length / (unsigned int)entry_size);
 1755 
 1756    new_palette.entries = (png_sPLT_entryp)png_malloc_warn(png_ptr,
 1757        (png_alloc_size_t) new_palette.nentries * (sizeof (png_sPLT_entry)));
 1758 
 1759    if (new_palette.entries == NULL)
 1760    {
 1761       png_warning(png_ptr, "sPLT chunk requires too much memory");
 1762       return;
 1763    }
 1764 
 1765 #ifdef PNG_POINTER_INDEXING_SUPPORTED
 1766    for (i = 0; i < new_palette.nentries; i++)
 1767    {
 1768       pp = new_palette.entries + i;
 1769 
 1770       if (new_palette.depth == 8)
 1771       {
 1772          pp->red = *entry_start++;
 1773          pp->green = *entry_start++;
 1774          pp->blue = *entry_start++;
 1775          pp->alpha = *entry_start++;
 1776       }
 1777 
 1778       else
 1779       {
 1780          pp->red   = png_get_uint_16(entry_start); entry_start += 2;
 1781          pp->green = png_get_uint_16(entry_start); entry_start += 2;
 1782          pp->blue  = png_get_uint_16(entry_start); entry_start += 2;
 1783          pp->alpha = png_get_uint_16(entry_start); entry_start += 2;
 1784       }
 1785 
 1786       pp->frequency = png_get_uint_16(entry_start); entry_start += 2;
 1787    }
 1788 #else
 1789    pp = new_palette.entries;
 1790 
 1791    for (i = 0; i < new_palette.nentries; i++)
 1792    {
 1793 
 1794       if (new_palette.depth == 8)
 1795       {
 1796          pp[i].red   = *entry_start++;
 1797          pp[i].green = *entry_start++;
 1798          pp[i].blue  = *entry_start++;
 1799          pp[i].alpha = *entry_start++;
 1800       }
 1801 
 1802       else
 1803       {
 1804          pp[i].red   = png_get_uint_16(entry_start); entry_start += 2;
 1805          pp[i].green = png_get_uint_16(entry_start); entry_start += 2;
 1806          pp[i].blue  = png_get_uint_16(entry_start); entry_start += 2;
 1807          pp[i].alpha = png_get_uint_16(entry_start); entry_start += 2;
 1808       }
 1809 
 1810       pp[i].frequency = png_get_uint_16(entry_start); entry_start += 2;
 1811    }
 1812 #endif
 1813 
 1814    /* Discard all chunk data except the name and stash that */
 1815    new_palette.name = (png_charp)buffer;
 1816 
 1817    png_set_sPLT(png_ptr, info_ptr, &new_palette, 1);
 1818 
 1819    png_free(png_ptr, new_palette.entries);
 1820 }
 1821 #endif /* READ_sPLT */
 1822 
 1823 #ifdef PNG_READ_tRNS_SUPPORTED
 1824 void /* PRIVATE */
 1825 png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 1826 {
 1827    png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
 1828 
 1829    png_debug(1, "in png_handle_tRNS");
 1830 
 1831    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 1832       png_chunk_error(png_ptr, "missing IHDR");
 1833 
 1834    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
 1835    {
 1836       png_crc_finish(png_ptr, length);
 1837       png_chunk_benign_error(png_ptr, "out of place");
 1838       return;
 1839    }
 1840 
 1841    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != 0)
 1842    {
 1843       png_crc_finish(png_ptr, length);
 1844       png_chunk_benign_error(png_ptr, "duplicate");
 1845       return;
 1846    }
 1847 
 1848    if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
 1849    {
 1850       png_byte buf[2];
 1851 
 1852       if (length != 2)
 1853       {
 1854          png_crc_finish(png_ptr, length);
 1855          png_chunk_benign_error(png_ptr, "invalid");
 1856          return;
 1857       }
 1858 
 1859       png_crc_read(png_ptr, buf, 2);
 1860       png_ptr->num_trans = 1;
 1861       png_ptr->trans_color.gray = png_get_uint_16(buf);
 1862    }
 1863 
 1864    else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
 1865    {
 1866       png_byte buf[6];
 1867 
 1868       if (length != 6)
 1869       {
 1870          png_crc_finish(png_ptr, length);
 1871          png_chunk_benign_error(png_ptr, "invalid");
 1872          return;
 1873       }
 1874 
 1875       png_crc_read(png_ptr, buf, length);
 1876       png_ptr->num_trans = 1;
 1877       png_ptr->trans_color.red = png_get_uint_16(buf);
 1878       png_ptr->trans_color.green = png_get_uint_16(buf + 2);
 1879       png_ptr->trans_color.blue = png_get_uint_16(buf + 4);
 1880    }
 1881 
 1882    else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
 1883    {
 1884       if ((png_ptr->mode & PNG_HAVE_PLTE) == 0)
 1885       {
 1886          /* TODO: is this actually an error in the ISO spec? */
 1887          png_crc_finish(png_ptr, length);
 1888          png_chunk_benign_error(png_ptr, "out of place");
 1889          return;
 1890       }
 1891 
 1892       if (length > (unsigned int) png_ptr->num_palette ||
 1893          length > (unsigned int) PNG_MAX_PALETTE_LENGTH ||
 1894          length == 0)
 1895       {
 1896          png_crc_finish(png_ptr, length);
 1897          png_chunk_benign_error(png_ptr, "invalid");
 1898          return;
 1899       }
 1900 
 1901       png_crc_read(png_ptr, readbuf, length);
 1902       png_ptr->num_trans = (png_uint_16)length;
 1903    }
 1904 
 1905    else
 1906    {
 1907       png_crc_finish(png_ptr, length);
 1908       png_chunk_benign_error(png_ptr, "invalid with alpha channel");
 1909       return;
 1910    }
 1911 
 1912    if (png_crc_finish(png_ptr, 0) != 0)
 1913    {
 1914       png_ptr->num_trans = 0;
 1915       return;
 1916    }
 1917 
 1918    /* TODO: this is a horrible side effect in the palette case because the
 1919     * png_struct ends up with a pointer to the tRNS buffer owned by the
 1920     * png_info.  Fix this.
 1921     */
 1922    png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
 1923        &(png_ptr->trans_color));
 1924 }
 1925 #endif
 1926 
 1927 #ifdef PNG_READ_bKGD_SUPPORTED
 1928 void /* PRIVATE */
 1929 png_handle_bKGD(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 1930 {
 1931    unsigned int truelen;
 1932    png_byte buf[6];
 1933    png_color_16 background;
 1934 
 1935    png_debug(1, "in png_handle_bKGD");
 1936 
 1937    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 1938       png_chunk_error(png_ptr, "missing IHDR");
 1939 
 1940    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 ||
 1941        (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
 1942        (png_ptr->mode & PNG_HAVE_PLTE) == 0))
 1943    {
 1944       png_crc_finish(png_ptr, length);
 1945       png_chunk_benign_error(png_ptr, "out of place");
 1946       return;
 1947    }
 1948 
 1949    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != 0)
 1950    {
 1951       png_crc_finish(png_ptr, length);
 1952       png_chunk_benign_error(png_ptr, "duplicate");
 1953       return;
 1954    }
 1955 
 1956    if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
 1957       truelen = 1;
 1958 
 1959    else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
 1960       truelen = 6;
 1961 
 1962    else
 1963       truelen = 2;
 1964 
 1965    if (length != truelen)
 1966    {
 1967       png_crc_finish(png_ptr, length);
 1968       png_chunk_benign_error(png_ptr, "invalid");
 1969       return;
 1970    }
 1971 
 1972    png_crc_read(png_ptr, buf, truelen);
 1973 
 1974    if (png_crc_finish(png_ptr, 0) != 0)
 1975       return;
 1976 
 1977    /* We convert the index value into RGB components so that we can allow
 1978     * arbitrary RGB values for background when we have transparency, and
 1979     * so it is easy to determine the RGB values of the background color
 1980     * from the info_ptr struct.
 1981     */
 1982    if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
 1983    {
 1984       background.index = buf[0];
 1985 
 1986       if (info_ptr != NULL && info_ptr->num_palette != 0)
 1987       {
 1988          if (buf[0] >= info_ptr->num_palette)
 1989          {
 1990             png_chunk_benign_error(png_ptr, "invalid index");
 1991             return;
 1992          }
 1993 
 1994          background.red = (png_uint_16)png_ptr->palette[buf[0]].red;
 1995          background.green = (png_uint_16)png_ptr->palette[buf[0]].green;
 1996          background.blue = (png_uint_16)png_ptr->palette[buf[0]].blue;
 1997       }
 1998 
 1999       else
 2000          background.red = background.green = background.blue = 0;
 2001 
 2002       background.gray = 0;
 2003    }
 2004 
 2005    else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0) /* GRAY */
 2006    {
 2007       background.index = 0;
 2008       background.red =
 2009       background.green =
 2010       background.blue =
 2011       background.gray = png_get_uint_16(buf);
 2012    }
 2013 
 2014    else
 2015    {
 2016       background.index = 0;
 2017       background.red = png_get_uint_16(buf);
 2018       background.green = png_get_uint_16(buf + 2);
 2019       background.blue = png_get_uint_16(buf + 4);
 2020       background.gray = 0;
 2021    }
 2022 
 2023    png_set_bKGD(png_ptr, info_ptr, &background);
 2024 }
 2025 #endif
 2026 
 2027 #ifdef PNG_READ_eXIf_SUPPORTED
 2028 void /* PRIVATE */
 2029 png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 2030 {
 2031    unsigned int i;
 2032 
 2033    png_debug(1, "in png_handle_eXIf");
 2034 
 2035    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 2036       png_chunk_error(png_ptr, "missing IHDR");
 2037 
 2038    if (length < 2)
 2039    {
 2040       png_crc_finish(png_ptr, length);
 2041       png_chunk_benign_error(png_ptr, "too short");
 2042       return;
 2043    }
 2044 
 2045    else if (info_ptr == NULL || (info_ptr->valid & PNG_INFO_eXIf) != 0)
 2046    {
 2047       png_crc_finish(png_ptr, length);
 2048       png_chunk_benign_error(png_ptr, "duplicate");
 2049       return;
 2050    }
 2051 
 2052    info_ptr->free_me |= PNG_FREE_EXIF;
 2053 
 2054    info_ptr->eXIf_buf = png_voidcast(png_bytep,
 2055              png_malloc_warn(png_ptr, length));
 2056 
 2057    if (info_ptr->eXIf_buf == NULL)
 2058    {
 2059       png_crc_finish(png_ptr, length);
 2060       png_chunk_benign_error(png_ptr, "out of memory");
 2061       return;
 2062    }
 2063 
 2064    for (i = 0; i < length; i++)
 2065    {
 2066       png_byte buf[1];
 2067       png_crc_read(png_ptr, buf, 1);
 2068       info_ptr->eXIf_buf[i] = buf[0];
 2069       if (i == 1 && buf[0] != 'M' && buf[0] != 'I'
 2070                  && info_ptr->eXIf_buf[0] != buf[0])
 2071       {
 2072          png_crc_finish(png_ptr, length);
 2073          png_chunk_benign_error(png_ptr, "incorrect byte-order specifier");
 2074          png_free(png_ptr, info_ptr->eXIf_buf);
 2075          info_ptr->eXIf_buf = NULL;
 2076          return;
 2077       }
 2078    }
 2079 
 2080    if (png_crc_finish(png_ptr, 0) != 0)
 2081       return;
 2082 
 2083    png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
 2084 
 2085    png_free(png_ptr, info_ptr->eXIf_buf);
 2086    info_ptr->eXIf_buf = NULL;
 2087 }
 2088 #endif
 2089 
 2090 #ifdef PNG_READ_hIST_SUPPORTED
 2091 void /* PRIVATE */
 2092 png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 2093 {
 2094    unsigned int num, i;
 2095    png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
 2096 
 2097    png_debug(1, "in png_handle_hIST");
 2098 
 2099    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 2100       png_chunk_error(png_ptr, "missing IHDR");
 2101 
 2102    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0 ||
 2103        (png_ptr->mode & PNG_HAVE_PLTE) == 0)
 2104    {
 2105       png_crc_finish(png_ptr, length);
 2106       png_chunk_benign_error(png_ptr, "out of place");
 2107       return;
 2108    }
 2109 
 2110    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != 0)
 2111    {
 2112       png_crc_finish(png_ptr, length);
 2113       png_chunk_benign_error(png_ptr, "duplicate");
 2114       return;
 2115    }
 2116 
 2117    num = length / 2 ;
 2118 
 2119    if (num != (unsigned int) png_ptr->num_palette ||
 2120        num > (unsigned int) PNG_MAX_PALETTE_LENGTH)
 2121    {
 2122       png_crc_finish(png_ptr, length);
 2123       png_chunk_benign_error(png_ptr, "invalid");
 2124       return;
 2125    }
 2126 
 2127    for (i = 0; i < num; i++)
 2128    {
 2129       png_byte buf[2];
 2130 
 2131       png_crc_read(png_ptr, buf, 2);
 2132       readbuf[i] = png_get_uint_16(buf);
 2133    }
 2134 
 2135    if (png_crc_finish(png_ptr, 0) != 0)
 2136       return;
 2137 
 2138    png_set_hIST(png_ptr, info_ptr, readbuf);
 2139 }
 2140 #endif
 2141 
 2142 #ifdef PNG_READ_pHYs_SUPPORTED
 2143 void /* PRIVATE */
 2144 png_handle_pHYs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 2145 {
 2146    png_byte buf[9];
 2147    png_uint_32 res_x, res_y;
 2148    int unit_type;
 2149 
 2150    png_debug(1, "in png_handle_pHYs");
 2151 
 2152    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 2153       png_chunk_error(png_ptr, "missing IHDR");
 2154 
 2155    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
 2156    {
 2157       png_crc_finish(png_ptr, length);
 2158       png_chunk_benign_error(png_ptr, "out of place");
 2159       return;
 2160    }
 2161 
 2162    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs) != 0)
 2163    {
 2164       png_crc_finish(png_ptr, length);
 2165       png_chunk_benign_error(png_ptr, "duplicate");
 2166       return;
 2167    }
 2168 
 2169    if (length != 9)
 2170    {
 2171       png_crc_finish(png_ptr, length);
 2172       png_chunk_benign_error(png_ptr, "invalid");
 2173       return;
 2174    }
 2175 
 2176    png_crc_read(png_ptr, buf, 9);
 2177 
 2178    if (png_crc_finish(png_ptr, 0) != 0)
 2179       return;
 2180 
 2181    res_x = png_get_uint_32(buf);
 2182    res_y = png_get_uint_32(buf + 4);
 2183    unit_type = buf[8];
 2184    png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type);
 2185 }
 2186 #endif
 2187 
 2188 #ifdef PNG_READ_oFFs_SUPPORTED
 2189 void /* PRIVATE */
 2190 png_handle_oFFs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 2191 {
 2192    png_byte buf[9];
 2193    png_int_32 offset_x, offset_y;
 2194    int unit_type;
 2195 
 2196    png_debug(1, "in png_handle_oFFs");
 2197 
 2198    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 2199       png_chunk_error(png_ptr, "missing IHDR");
 2200 
 2201    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
 2202    {
 2203       png_crc_finish(png_ptr, length);
 2204       png_chunk_benign_error(png_ptr, "out of place");
 2205       return;
 2206    }
 2207 
 2208    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs) != 0)
 2209    {
 2210       png_crc_finish(png_ptr, length);
 2211       png_chunk_benign_error(png_ptr, "duplicate");
 2212       return;
 2213    }
 2214 
 2215    if (length != 9)
 2216    {
 2217       png_crc_finish(png_ptr, length);
 2218       png_chunk_benign_error(png_ptr, "invalid");
 2219       return;
 2220    }
 2221 
 2222    png_crc_read(png_ptr, buf, 9);
 2223 
 2224    if (png_crc_finish(png_ptr, 0) != 0)
 2225       return;
 2226 
 2227    offset_x = png_get_int_32(buf);
 2228    offset_y = png_get_int_32(buf + 4);
 2229    unit_type = buf[8];
 2230    png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type);
 2231 }
 2232 #endif
 2233 
 2234 #ifdef PNG_READ_pCAL_SUPPORTED
 2235 /* Read the pCAL chunk (described in the PNG Extensions document) */
 2236 void /* PRIVATE */
 2237 png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 2238 {
 2239    png_int_32 X0, X1;
 2240    png_byte type, nparams;
 2241    png_bytep buffer, buf, units, endptr;
 2242    png_charpp params;
 2243    int i;
 2244 
 2245    png_debug(1, "in png_handle_pCAL");
 2246 
 2247    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 2248       png_chunk_error(png_ptr, "missing IHDR");
 2249 
 2250    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
 2251    {
 2252       png_crc_finish(png_ptr, length);
 2253       png_chunk_benign_error(png_ptr, "out of place");
 2254       return;
 2255    }
 2256 
 2257    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL) != 0)
 2258    {
 2259       png_crc_finish(png_ptr, length);
 2260       png_chunk_benign_error(png_ptr, "duplicate");
 2261       return;
 2262    }
 2263 
 2264    png_debug1(2, "Allocating and reading pCAL chunk data (%u bytes)",
 2265        length + 1);
 2266 
 2267    buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
 2268 
 2269    if (buffer == NULL)
 2270    {
 2271       png_crc_finish(png_ptr, length);
 2272       png_chunk_benign_error(png_ptr, "out of memory");
 2273       return;
 2274    }
 2275 
 2276    png_crc_read(png_ptr, buffer, length);
 2277 
 2278    if (png_crc_finish(png_ptr, 0) != 0)
 2279       return;
 2280 
 2281    buffer[length] = 0; /* Null terminate the last string */
 2282 
 2283    png_debug(3, "Finding end of pCAL purpose string");
 2284    for (buf = buffer; *buf; buf++)
 2285       /* Empty loop */ ;
 2286 
 2287    endptr = buffer + length;
 2288 
 2289    /* We need to have at least 12 bytes after the purpose string
 2290     * in order to get the parameter information.
 2291     */
 2292    if (endptr - buf <= 12)
 2293    {
 2294       png_chunk_benign_error(png_ptr, "invalid");
 2295       return;
 2296    }
 2297 
 2298    png_debug(3, "Reading pCAL X0, X1, type, nparams, and units");
 2299    X0 = png_get_int_32((png_bytep)buf+1);
 2300    X1 = png_get_int_32((png_bytep)buf+5);
 2301    type = buf[9];
 2302    nparams = buf[10];
 2303    units = buf + 11;
 2304 
 2305    png_debug(3, "Checking pCAL equation type and number of parameters");
 2306    /* Check that we have the right number of parameters for known
 2307     * equation types.
 2308     */
 2309    if ((type == PNG_EQUATION_LINEAR && nparams != 2) ||
 2310        (type == PNG_EQUATION_BASE_E && nparams != 3) ||
 2311        (type == PNG_EQUATION_ARBITRARY && nparams != 3) ||
 2312        (type == PNG_EQUATION_HYPERBOLIC && nparams != 4))
 2313    {
 2314       png_chunk_benign_error(png_ptr, "invalid parameter count");
 2315       return;
 2316    }
 2317 
 2318    else if (type >= PNG_EQUATION_LAST)
 2319    {
 2320       png_chunk_benign_error(png_ptr, "unrecognized equation type");
 2321    }
 2322 
 2323    for (buf = units; *buf; buf++)
 2324       /* Empty loop to move past the units string. */ ;
 2325 
 2326    png_debug(3, "Allocating pCAL parameters array");
 2327 
 2328    params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
 2329        nparams * (sizeof (png_charp))));
 2330 
 2331    if (params == NULL)
 2332    {
 2333       png_chunk_benign_error(png_ptr, "out of memory");
 2334       return;
 2335    }
 2336 
 2337    /* Get pointers to the start of each parameter string. */
 2338    for (i = 0; i < nparams; i++)
 2339    {
 2340       buf++; /* Skip the null string terminator from previous parameter. */
 2341 
 2342       png_debug1(3, "Reading pCAL parameter %d", i);
 2343 
 2344       for (params[i] = (png_charp)buf; buf <= endptr && *buf != 0; buf++)
 2345          /* Empty loop to move past each parameter string */ ;
 2346 
 2347       /* Make sure we haven't run out of data yet */
 2348       if (buf > endptr)
 2349       {
 2350          png_free(png_ptr, params);
 2351          png_chunk_benign_error(png_ptr, "invalid data");
 2352          return;
 2353       }
 2354    }
 2355 
 2356    png_set_pCAL(png_ptr, info_ptr, (png_charp)buffer, X0, X1, type, nparams,
 2357        (png_charp)units, params);
 2358 
 2359    png_free(png_ptr, params);
 2360 }
 2361 #endif
 2362 
 2363 #ifdef PNG_READ_sCAL_SUPPORTED
 2364 /* Read the sCAL chunk */
 2365 void /* PRIVATE */
 2366 png_handle_sCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 2367 {
 2368    png_bytep buffer;
 2369    png_size_t i;
 2370    int state;
 2371 
 2372    png_debug(1, "in png_handle_sCAL");
 2373 
 2374    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 2375       png_chunk_error(png_ptr, "missing IHDR");
 2376 
 2377    else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
 2378    {
 2379       png_crc_finish(png_ptr, length);
 2380       png_chunk_benign_error(png_ptr, "out of place");
 2381       return;
 2382    }
 2383 
 2384    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL) != 0)
 2385    {
 2386       png_crc_finish(png_ptr, length);
 2387       png_chunk_benign_error(png_ptr, "duplicate");
 2388       return;
 2389    }
 2390 
 2391    /* Need unit type, width, \0, height: minimum 4 bytes */
 2392    else if (length < 4)
 2393    {
 2394       png_crc_finish(png_ptr, length);
 2395       png_chunk_benign_error(png_ptr, "invalid");
 2396       return;
 2397    }
 2398 
 2399    png_debug1(2, "Allocating and reading sCAL chunk data (%u bytes)",
 2400        length + 1);
 2401 
 2402    buffer = png_read_buffer(png_ptr, length+1, 2/*silent*/);
 2403 
 2404    if (buffer == NULL)
 2405    {
 2406       png_chunk_benign_error(png_ptr, "out of memory");
 2407       png_crc_finish(png_ptr, length);
 2408       return;
 2409    }
 2410 
 2411    png_crc_read(png_ptr, buffer, length);
 2412    buffer[length] = 0; /* Null terminate the last string */
 2413 
 2414    if (png_crc_finish(png_ptr, 0) != 0)
 2415       return;
 2416 
 2417    /* Validate the unit. */
 2418    if (buffer[0] != 1 && buffer[0] != 2)
 2419    {
 2420       png_chunk_benign_error(png_ptr, "invalid unit");
 2421       return;
 2422    }
 2423 
 2424    /* Validate the ASCII numbers, need two ASCII numbers separated by
 2425     * a '\0' and they need to fit exactly in the chunk data.
 2426     */
 2427    i = 1;
 2428    state = 0;
 2429 
 2430    if (png_check_fp_number((png_const_charp)buffer, length, &state, &i) == 0 ||
 2431        i >= length || buffer[i++] != 0)
 2432       png_chunk_benign_error(png_ptr, "bad width format");
 2433 
 2434    else if (PNG_FP_IS_POSITIVE(state) == 0)
 2435       png_chunk_benign_error(png_ptr, "non-positive width");
 2436 
 2437    else
 2438    {
 2439       png_size_t heighti = i;
 2440 
 2441       state = 0;
 2442       if (png_check_fp_number((png_const_charp)buffer, length,
 2443           &state, &i) == 0 || i != length)
 2444          png_chunk_benign_error(png_ptr, "bad height format");
 2445 
 2446       else if (PNG_FP_IS_POSITIVE(state) == 0)
 2447          png_chunk_benign_error(png_ptr, "non-positive height");
 2448 
 2449       else
 2450          /* This is the (only) success case. */
 2451          png_set_sCAL_s(png_ptr, info_ptr, buffer[0],
 2452              (png_charp)buffer+1, (png_charp)buffer+heighti);
 2453    }
 2454 }
 2455 #endif
 2456 
 2457 #ifdef PNG_READ_tIME_SUPPORTED
 2458 void /* PRIVATE */
 2459 png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 2460 {
 2461    png_byte buf[7];
 2462    png_time mod_time;
 2463 
 2464    png_debug(1, "in png_handle_tIME");
 2465 
 2466    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 2467       png_chunk_error(png_ptr, "missing IHDR");
 2468 
 2469    else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME) != 0)
 2470    {
 2471       png_crc_finish(png_ptr, length);
 2472       png_chunk_benign_error(png_ptr, "duplicate");
 2473       return;
 2474    }
 2475 
 2476    if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
 2477       png_ptr->mode |= PNG_AFTER_IDAT;
 2478 
 2479    if (length != 7)
 2480    {
 2481       png_crc_finish(png_ptr, length);
 2482       png_chunk_benign_error(png_ptr, "invalid");
 2483       return;
 2484    }
 2485 
 2486    png_crc_read(png_ptr, buf, 7);
 2487 
 2488    if (png_crc_finish(png_ptr, 0) != 0)
 2489       return;
 2490 
 2491    mod_time.second = buf[6];
 2492    mod_time.minute = buf[5];
 2493    mod_time.hour = buf[4];
 2494    mod_time.day = buf[3];
 2495    mod_time.month = buf[2];
 2496    mod_time.year = png_get_uint_16(buf);
 2497 
 2498    png_set_tIME(png_ptr, info_ptr, &mod_time);
 2499 }
 2500 #endif
 2501 
 2502 #ifdef PNG_READ_tEXt_SUPPORTED
 2503 /* Note: this does not properly handle chunks that are > 64K under DOS */
 2504 void /* PRIVATE */
 2505 png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 2506 {
 2507    png_text  text_info;
 2508    png_bytep buffer;
 2509    png_charp key;
 2510    png_charp text;
 2511    png_uint_32 skip = 0;
 2512 
 2513    png_debug(1, "in png_handle_tEXt");
 2514 
 2515 #ifdef PNG_USER_LIMITS_SUPPORTED
 2516    if (png_ptr->user_chunk_cache_max != 0)
 2517    {
 2518       if (png_ptr->user_chunk_cache_max == 1)
 2519       {
 2520          png_crc_finish(png_ptr, length);
 2521          return;
 2522       }
 2523 
 2524       if (--png_ptr->user_chunk_cache_max == 1)
 2525       {
 2526          png_crc_finish(png_ptr, length);
 2527          png_chunk_benign_error(png_ptr, "no space in chunk cache");
 2528          return;
 2529       }
 2530    }
 2531 #endif
 2532 
 2533    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 2534       png_chunk_error(png_ptr, "missing IHDR");
 2535 
 2536    if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
 2537       png_ptr->mode |= PNG_AFTER_IDAT;
 2538 
 2539 #ifdef PNG_MAX_MALLOC_64K
 2540    if (length > 65535U)
 2541    {
 2542       png_crc_finish(png_ptr, length);
 2543       png_chunk_benign_error(png_ptr, "too large to fit in memory");
 2544       return;
 2545    }
 2546 #endif
 2547 
 2548    buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
 2549 
 2550    if (buffer == NULL)
 2551    {
 2552       png_chunk_benign_error(png_ptr, "out of memory");
 2553       return;
 2554    }
 2555 
 2556    png_crc_read(png_ptr, buffer, length);
 2557 
 2558    if (png_crc_finish(png_ptr, skip) != 0)
 2559       return;
 2560 
 2561    key = (png_charp)buffer;
 2562    key[length] = 0;
 2563 
 2564    for (text = key; *text; text++)
 2565       /* Empty loop to find end of key */ ;
 2566 
 2567    if (text != key + length)
 2568       text++;
 2569 
 2570    text_info.compression = PNG_TEXT_COMPRESSION_NONE;
 2571    text_info.key = key;
 2572    text_info.lang = NULL;
 2573    text_info.lang_key = NULL;
 2574    text_info.itxt_length = 0;
 2575    text_info.text = text;
 2576    text_info.text_length = strlen(text);
 2577 
 2578    if (png_set_text_2(png_ptr, info_ptr, &text_info, 1) != 0)
 2579       png_warning(png_ptr, "Insufficient memory to process text chunk");
 2580 }
 2581 #endif
 2582 
 2583 #ifdef PNG_READ_zTXt_SUPPORTED
 2584 /* Note: this does not correctly handle chunks that are > 64K under DOS */
 2585 void /* PRIVATE */
 2586 png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 2587 {
 2588    png_const_charp errmsg = NULL;
 2589    png_bytep       buffer;
 2590    png_uint_32     keyword_length;
 2591 
 2592    png_debug(1, "in png_handle_zTXt");
 2593 
 2594 #ifdef PNG_USER_LIMITS_SUPPORTED
 2595    if (png_ptr->user_chunk_cache_max != 0)
 2596    {
 2597       if (png_ptr->user_chunk_cache_max == 1)
 2598       {
 2599          png_crc_finish(png_ptr, length);
 2600          return;
 2601       }
 2602 
 2603       if (--png_ptr->user_chunk_cache_max == 1)
 2604       {
 2605          png_crc_finish(png_ptr, length);
 2606          png_chunk_benign_error(png_ptr, "no space in chunk cache");
 2607          return;
 2608       }
 2609    }
 2610 #endif
 2611 
 2612    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 2613       png_chunk_error(png_ptr, "missing IHDR");
 2614 
 2615    if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
 2616       png_ptr->mode |= PNG_AFTER_IDAT;
 2617 
 2618    /* Note, "length" is sufficient here; we won't be adding
 2619     * a null terminator later.
 2620     */
 2621    buffer = png_read_buffer(png_ptr, length, 2/*silent*/);
 2622 
 2623    if (buffer == NULL)
 2624    {
 2625       png_crc_finish(png_ptr, length);
 2626       png_chunk_benign_error(png_ptr, "out of memory");
 2627       return;
 2628    }
 2629 
 2630    png_crc_read(png_ptr, buffer, length);
 2631 
 2632    if (png_crc_finish(png_ptr, 0) != 0)
 2633       return;
 2634 
 2635    /* TODO: also check that the keyword contents match the spec! */
 2636    for (keyword_length = 0;
 2637       keyword_length < length && buffer[keyword_length] != 0;
 2638       ++keyword_length)
 2639       /* Empty loop to find end of name */ ;
 2640 
 2641    if (keyword_length > 79 || keyword_length < 1)
 2642       errmsg = "bad keyword";
 2643 
 2644    /* zTXt must have some LZ data after the keyword, although it may expand to
 2645     * zero bytes; we need a '\0' at the end of the keyword, the compression type
 2646     * then the LZ data:
 2647     */
 2648    else if (keyword_length + 3 > length)
 2649       errmsg = "truncated";
 2650 
 2651    else if (buffer[keyword_length+1] != PNG_COMPRESSION_TYPE_BASE)
 2652       errmsg = "unknown compression type";
 2653 
 2654    else
 2655    {
 2656       png_alloc_size_t uncompressed_length = PNG_SIZE_MAX;
 2657 
 2658       /* TODO: at present png_decompress_chunk imposes a single application
 2659        * level memory limit, this should be split to different values for iCCP
 2660        * and text chunks.
 2661        */
 2662       if (png_decompress_chunk(png_ptr, length, keyword_length+2,
 2663           &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
 2664       {
 2665          png_text text;
 2666 
 2667          if (png_ptr->read_buffer == NULL)
 2668            errmsg="Read failure in png_handle_zTXt";
 2669          else
 2670          {
 2671             /* It worked; png_ptr->read_buffer now looks like a tEXt chunk
 2672              * except for the extra compression type byte and the fact that
 2673              * it isn't necessarily '\0' terminated.
 2674              */
 2675             buffer = png_ptr->read_buffer;
 2676             buffer[uncompressed_length+(keyword_length+2)] = 0;
 2677 
 2678             text.compression = PNG_TEXT_COMPRESSION_zTXt;
 2679             text.key = (png_charp)buffer;
 2680             text.text = (png_charp)(buffer + keyword_length+2);
 2681             text.text_length = uncompressed_length;
 2682             text.itxt_length = 0;
 2683             text.lang = NULL;
 2684             text.lang_key = NULL;
 2685 
 2686             if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
 2687                errmsg = "insufficient memory";
 2688          }
 2689       }
 2690 
 2691       else
 2692          errmsg = png_ptr->zstream.msg;
 2693    }
 2694 
 2695    if (errmsg != NULL)
 2696       png_chunk_benign_error(png_ptr, errmsg);
 2697 }
 2698 #endif
 2699 
 2700 #ifdef PNG_READ_iTXt_SUPPORTED
 2701 /* Note: this does not correctly handle chunks that are > 64K under DOS */
 2702 void /* PRIVATE */
 2703 png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 2704 {
 2705    png_const_charp errmsg = NULL;
 2706    png_bytep buffer;
 2707    png_uint_32 prefix_length;
 2708 
 2709    png_debug(1, "in png_handle_iTXt");
 2710 
 2711 #ifdef PNG_USER_LIMITS_SUPPORTED
 2712    if (png_ptr->user_chunk_cache_max != 0)
 2713    {
 2714       if (png_ptr->user_chunk_cache_max == 1)
 2715       {
 2716          png_crc_finish(png_ptr, length);
 2717          return;
 2718       }
 2719 
 2720       if (--png_ptr->user_chunk_cache_max == 1)
 2721       {
 2722          png_crc_finish(png_ptr, length);
 2723          png_chunk_benign_error(png_ptr, "no space in chunk cache");
 2724          return;
 2725       }
 2726    }
 2727 #endif
 2728 
 2729    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
 2730       png_chunk_error(png_ptr, "missing IHDR");
 2731 
 2732    if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)
 2733       png_ptr->mode |= PNG_AFTER_IDAT;
 2734 
 2735    buffer = png_read_buffer(png_ptr, length+1, 1/*warn*/);
 2736 
 2737    if (buffer == NULL)
 2738    {
 2739       png_crc_finish(png_ptr, length);
 2740       png_chunk_benign_error(png_ptr, "out of memory");
 2741       return;
 2742    }
 2743 
 2744    png_crc_read(png_ptr, buffer, length);
 2745 
 2746    if (png_crc_finish(png_ptr, 0) != 0)
 2747       return;
 2748 
 2749    /* First the keyword. */
 2750    for (prefix_length=0;
 2751       prefix_length < length && buffer[prefix_length] != 0;
 2752       ++prefix_length)
 2753       /* Empty loop */ ;
 2754 
 2755    /* Perform a basic check on the keyword length here. */
 2756    if (prefix_length > 79 || prefix_length < 1)
 2757       errmsg = "bad keyword";
 2758 
 2759    /* Expect keyword, compression flag, compression type, language, translated
 2760     * keyword (both may be empty but are 0 terminated) then the text, which may
 2761     * be empty.
 2762     */
 2763    else if (prefix_length + 5 > length)
 2764       errmsg = "truncated";
 2765 
 2766    else if (buffer[prefix_length+1] == 0 ||
 2767       (buffer[prefix_length+1] == 1 &&
 2768       buffer[prefix_length+2] == PNG_COMPRESSION_TYPE_BASE))
 2769    {
 2770       int compressed = buffer[prefix_length+1] != 0;
 2771       png_uint_32 language_offset, translated_keyword_offset;
 2772       png_alloc_size_t uncompressed_length = 0;
 2773 
 2774       /* Now the language tag */
 2775       prefix_length += 3;
 2776       language_offset = prefix_length;
 2777 
 2778       for (; prefix_length < length && buffer[prefix_length] != 0;
 2779          ++prefix_length)
 2780          /* Empty loop */ ;
 2781 
 2782       /* WARNING: the length may be invalid here, this is checked below. */
 2783       translated_keyword_offset = ++prefix_length;
 2784 
 2785       for (; prefix_length < length && buffer[prefix_length] != 0;
 2786          ++prefix_length)
 2787          /* Empty loop */ ;
 2788 
 2789       /* prefix_length should now be at the trailing '\0' of the translated
 2790        * keyword, but it may already be over the end.  None of this arithmetic
 2791        * can overflow because chunks are at most 2^31 bytes long, but on 16-bit
 2792        * systems the available allocation may overflow.
 2793        */
 2794       ++prefix_length;
 2795 
 2796       if (compressed == 0 && prefix_length <= length)
 2797          uncompressed_length = length - prefix_length;
 2798 
 2799       else if (compressed != 0 && prefix_length < length)
 2800       {
 2801          uncompressed_length = PNG_SIZE_MAX;
 2802 
 2803          /* TODO: at present png_decompress_chunk imposes a single application
 2804           * level memory limit, this should be split to different values for
 2805           * iCCP and text chunks.
 2806           */
 2807          if (png_decompress_chunk(png_ptr, length, prefix_length,
 2808              &uncompressed_length, 1/*terminate*/) == Z_STREAM_END)
 2809             buffer = png_ptr->read_buffer;
 2810 
 2811          else
 2812             errmsg = png_ptr->zstream.msg;
 2813       }
 2814 
 2815       else
 2816          errmsg = "truncated";
 2817 
 2818       if (errmsg == NULL)
 2819       {
 2820          png_text text;
 2821 
 2822          buffer[uncompressed_length+prefix_length] = 0;
 2823 
 2824          if (compressed == 0)
 2825             text.compression = PNG_ITXT_COMPRESSION_NONE;
 2826 
 2827          else
 2828             text.compression = PNG_ITXT_COMPRESSION_zTXt;
 2829 
 2830          text.key = (png_charp)buffer;
 2831          text.lang = (png_charp)buffer + language_offset;
 2832          text.lang_key = (png_charp)buffer + translated_keyword_offset;
 2833          text.text = (png_charp)buffer + prefix_length;
 2834          text.text_length = 0;
 2835          text.itxt_length = uncompressed_length;
 2836 
 2837          if (png_set_text_2(png_ptr, info_ptr, &text, 1) != 0)
 2838             errmsg = "insufficient memory";
 2839       }
 2840    }
 2841 
 2842    else
 2843       errmsg = "bad compression info";
 2844 
 2845    if (errmsg != NULL)
 2846       png_chunk_benign_error(png_ptr, errmsg);
 2847 }
 2848 #endif
 2849 
 2850 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
 2851 /* Utility function for png_handle_unknown; set up png_ptr::unknown_chunk */
 2852 static int
 2853 png_cache_unknown_chunk(png_structrp png_ptr, png_uint_32 length)
 2854 {
 2855    png_alloc_size_t limit = PNG_SIZE_MAX;
 2856 
 2857    if (png_ptr->unknown_chunk.data != NULL)
 2858    {
 2859       png_free(png_ptr, png_ptr->unknown_chunk.data);
 2860       png_ptr->unknown_chunk.data = NULL;
 2861    }
 2862 
 2863 #  ifdef PNG_SET_USER_LIMITS_SUPPORTED
 2864    if (png_ptr->user_chunk_malloc_max > 0 &&
 2865        png_ptr->user_chunk_malloc_max < limit)
 2866       limit = png_ptr->user_chunk_malloc_max;
 2867 
 2868 #  elif PNG_USER_CHUNK_MALLOC_MAX > 0
 2869    if (PNG_USER_CHUNK_MALLOC_MAX < limit)
 2870       limit = PNG_USER_CHUNK_MALLOC_MAX;
 2871 #  endif
 2872 
 2873    if (length <= limit)
 2874    {
 2875       PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name);
 2876       /* The following is safe because of the PNG_SIZE_MAX init above */
 2877       png_ptr->unknown_chunk.size = (png_size_t)length/*SAFE*/;
 2878       /* 'mode' is a flag array, only the bottom four bits matter here */
 2879       png_ptr->unknown_chunk.location = (png_byte)png_ptr->mode/*SAFE*/;
 2880 
 2881       if (length == 0)
 2882          png_ptr->unknown_chunk.data = NULL;
 2883 
 2884       else
 2885       {
 2886          /* Do a 'warn' here - it is handled below. */
 2887          png_ptr->unknown_chunk.data = png_voidcast(png_bytep,
 2888              png_malloc_warn(png_ptr, length));
 2889       }
 2890    }
 2891 
 2892    if (png_ptr->unknown_chunk.data == NULL && length > 0)
 2893    {
 2894       /* This is benign because we clean up correctly */
 2895       png_crc_finish(png_ptr, length);
 2896       png_chunk_benign_error(png_ptr, "unknown chunk exceeds memory limits");
 2897       return 0;
 2898    }
 2899 
 2900    else
 2901    {
 2902       if (length > 0)
 2903          png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length);
 2904       png_crc_finish(png_ptr, 0);
 2905       return 1;
 2906    }
 2907 }
 2908 #endif /* READ_UNKNOWN_CHUNKS */
 2909 
 2910 /* Handle an unknown, or known but disabled, chunk */
 2911 void /* PRIVATE */
 2912 png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr,
 2913     png_uint_32 length, int keep)
 2914 {
 2915    int handled = 0; /* the chunk was handled */
 2916 
 2917    png_debug(1, "in png_handle_unknown");
 2918 
 2919 #ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
 2920    /* NOTE: this code is based on the code in libpng-1.4.12 except for fixing
 2921     * the bug which meant that setting a non-default behavior for a specific
 2922     * chunk would be ignored (the default was always used unless a user
 2923     * callback was installed).
 2924     *
 2925     * 'keep' is the value from the png_chunk_unknown_handling, the setting for
 2926     * this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
 2927     * will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
 2928     * This is just an optimization to avoid multiple calls to the lookup
 2929     * function.
 2930     */
 2931 #  ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
 2932 #     ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
 2933    keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name);
 2934 #     endif
 2935 #  endif
 2936 
 2937    /* One of the following methods will read the chunk or skip it (at least one
 2938     * of these is always defined because this is the only way to switch on
 2939     * PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
 2940     */
 2941 #  ifdef PNG_READ_USER_CHUNKS_SUPPORTED
 2942    /* The user callback takes precedence over the chunk keep value, but the
 2943     * keep value is still required to validate a save of a critical chunk.
 2944     */
 2945    if (png_ptr->read_user_chunk_fn != NULL)
 2946    {
 2947       if (png_cache_unknown_chunk(png_ptr, length) != 0)
 2948       {
 2949          /* Callback to user unknown chunk handler */
 2950          int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr,
 2951              &png_ptr->unknown_chunk);
 2952 
 2953          /* ret is:
 2954           * negative: An error occurred; png_chunk_error will be called.
 2955           *     zero: The chunk was not handled, the chunk will be discarded
 2956           *           unless png_set_keep_unknown_chunks has been used to set
 2957           *           a 'keep' behavior for this particular chunk, in which
 2958           *           case that will be used.  A critical chunk will cause an
 2959           *           error at this point unless it is to be saved.
 2960           * positive: The chunk was handled, libpng will ignore/discard it.
 2961           */
 2962          if (ret < 0)
 2963             png_chunk_error(png_ptr, "error in user chunk");
 2964 
 2965          else if (ret == 0)
 2966          {
 2967             /* If the keep value is 'default' or 'never' override it, but
 2968              * still error out on critical chunks unless the keep value is
 2969              * 'always'  While this is weird it is the behavior in 1.4.12.
 2970              * A possible improvement would be to obey the value set for the
 2971              * chunk, but this would be an API change that would probably
 2972              * damage some applications.
 2973              *
 2974              * The png_app_warning below catches the case that matters, where
 2975              * the application has not set specific save or ignore for this
 2976              * chunk or global save or ignore.
 2977              */
 2978             if (keep < PNG_HANDLE_CHUNK_IF_SAFE)
 2979             {
 2980 #              ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
 2981                if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE)
 2982                {
 2983                   png_chunk_warning(png_ptr, "Saving unknown chunk:");
 2984                   png_app_warning(png_ptr,
 2985                       "forcing save of an unhandled chunk;"
 2986                       " please call png_set_keep_unknown_chunks");
 2987                       /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */
 2988                }
 2989 #              endif
 2990                keep = PNG_HANDLE_CHUNK_IF_SAFE;
 2991             }
 2992          }
 2993 
 2994          else /* chunk was handled */
 2995          {
 2996             handled = 1;
 2997             /* Critical chunks can be safely discarded at this point. */
 2998             keep = PNG_HANDLE_CHUNK_NEVER;
 2999          }
 3000       }
 3001 
 3002       else
 3003          keep = PNG_HANDLE_CHUNK_NEVER; /* insufficient memory */
 3004    }
 3005 
 3006    else
 3007    /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */
 3008 #  endif /* READ_USER_CHUNKS */
 3009 
 3010 #  ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
 3011    {
 3012       /* keep is currently just the per-chunk setting, if there was no
 3013        * setting change it to the global default now (not that this may
 3014        * still be AS_DEFAULT) then obtain the cache of the chunk if required,
 3015        * if not simply skip the chunk.
 3016        */
 3017       if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT)
 3018          keep = png_ptr->unknown_default;
 3019 
 3020       if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
 3021          (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
 3022           PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
 3023       {
 3024          if (png_cache_unknown_chunk(png_ptr, length) == 0)
 3025             keep = PNG_HANDLE_CHUNK_NEVER;
 3026       }
 3027 
 3028       else
 3029          png_crc_finish(png_ptr, length);
 3030    }
 3031 #  else
 3032 #     ifndef PNG_READ_USER_CHUNKS_SUPPORTED
 3033 #        error no method to support READ_UNKNOWN_CHUNKS
 3034 #     endif
 3035 
 3036    {
 3037       /* If here there is no read callback pointer set and no support is
 3038        * compiled in to just save the unknown chunks, so simply skip this
 3039        * chunk.  If 'keep' is something other than AS_DEFAULT or NEVER then
 3040        * the app has erroneously asked for unknown chunk saving when there
 3041        * is no support.
 3042        */
 3043       if (keep > PNG_HANDLE_CHUNK_NEVER)
 3044          png_app_error(png_ptr, "no unknown chunk support available");
 3045 
 3046       png_crc_finish(png_ptr, length);
 3047    }
 3048 #  endif
 3049 
 3050 #  ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
 3051    /* Now store the chunk in the chunk list if appropriate, and if the limits
 3052     * permit it.
 3053     */
 3054    if (keep == PNG_HANDLE_CHUNK_ALWAYS ||
 3055       (keep == PNG_HANDLE_CHUNK_IF_SAFE &&
 3056        PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
 3057    {
 3058 #     ifdef PNG_USER_LIMITS_SUPPORTED
 3059       switch (png_ptr->user_chunk_cache_max)
 3060       {
 3061          case 2:
 3062             png_ptr->user_chunk_cache_max = 1;
 3063             png_chunk_benign_error(png_ptr, "no space in chunk cache");
 3064             /* FALLTHROUGH */
 3065          case 1:
 3066             /* NOTE: prior to 1.6.0 this case resulted in an unknown critical
 3067              * chunk being skipped, now there will be a hard error below.
 3068              */
 3069             break;
 3070 
 3071          default: /* not at limit */
 3072             --(png_ptr->user_chunk_cache_max);
 3073             /* FALLTHROUGH */
 3074          case 0: /* no limit */
 3075 #  endif /* USER_LIMITS */
 3076             /* Here when the limit isn't reached or when limits are compiled
 3077              * out; store the chunk.
 3078              */
 3079             png_set_unknown_chunks(png_ptr, info_ptr,
 3080                 &png_ptr->unknown_chunk, 1);
 3081             handled = 1;
 3082 #  ifdef PNG_USER_LIMITS_SUPPORTED
 3083             break;
 3084       }
 3085 #  endif
 3086    }
 3087 #  else /* no store support: the chunk must be handled by the user callback */
 3088    PNG_UNUSED(info_ptr)
 3089 #  endif
 3090 
 3091    /* Regardless of the error handling below the cached data (if any) can be
 3092     * freed now.  Notice that the data is not freed if there is a png_error, but
 3093     * it will be freed by destroy_read_struct.
 3094     */
 3095    if (png_ptr->unknown_chunk.data != NULL)
 3096       png_free(png_ptr, png_ptr->unknown_chunk.data);
 3097    png_ptr->unknown_chunk.data = NULL;
 3098 
 3099 #else /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
 3100    /* There is no support to read an unknown chunk, so just skip it. */
 3101    png_crc_finish(png_ptr, length);
 3102    PNG_UNUSED(info_ptr)
 3103    PNG_UNUSED(keep)
 3104 #endif /* !READ_UNKNOWN_CHUNKS */
 3105 
 3106    /* Check for unhandled critical chunks */
 3107    if (handled == 0 && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
 3108       png_chunk_error(png_ptr, "unhandled critical chunk");
 3109 }
 3110 
 3111 /* This function is called to verify that a chunk name is valid.
 3112  * This function can't have the "critical chunk check" incorporated
 3113  * into it, since in the future we will need to be able to call user
 3114  * functions to handle unknown critical chunks after we check that
 3115  * the chunk name itself is valid.
 3116  */
 3117 
 3118 /* Bit hacking: the test for an invalid byte in the 4 byte chunk name is:
 3119  *
 3120  * ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
 3121  */
 3122 
 3123 void /* PRIVATE */
 3124 png_check_chunk_name(png_const_structrp png_ptr, const png_uint_32 chunk_name)
 3125 {
 3126    int i;
 3127    png_uint_32 cn=chunk_name;
 3128 
 3129    png_debug(1, "in png_check_chunk_name");
 3130 
 3131    for (i=1; i<=4; ++i)
 3132    {
 3133       int c = cn & 0xff;
 3134 
 3135       if (c < 65 || c > 122 || (c > 90 && c < 97))
 3136          png_chunk_error(png_ptr, "invalid chunk type");
 3137 
 3138       cn >>= 8;
 3139    }
 3140 }
 3141 
 3142 void /* PRIVATE */
 3143 png_check_chunk_length(png_const_structrp png_ptr, const png_uint_32 length)
 3144 {
 3145    png_alloc_size_t limit = PNG_UINT_31_MAX;
 3146 
 3147    if (png_ptr->chunk_name != png_IDAT)
 3148    {
 3149 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
 3150       if (png_ptr->user_chunk_malloc_max > 0 &&
 3151           png_ptr->user_chunk_malloc_max < limit)
 3152          limit = png_ptr->user_chunk_malloc_max;
 3153 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
 3154       if (PNG_USER_CHUNK_MALLOC_MAX < limit)
 3155          limit = PNG_USER_CHUNK_MALLOC_MAX;
 3156 # endif
 3157    }
 3158    else
 3159    {
 3160       size_t row_factor =
 3161          (png_ptr->width * png_ptr->channels * (png_ptr->bit_depth > 8? 2: 1)
 3162           + 1 + (png_ptr->interlaced? 6: 0));
 3163       if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
 3164          limit=PNG_UINT_31_MAX;
 3165       else
 3166          limit = png_ptr->height * row_factor;
 3167       limit += 6 + 5*(limit/32566+1); /* zlib+deflate overhead */
 3168       limit=limit < PNG_UINT_31_MAX? limit : PNG_UINT_31_MAX;
 3169    }
 3170 
 3171    if (length > limit)
 3172    {
 3173       png_debug2(0," length = %lu, limit = %lu",
 3174          (unsigned long)length,(unsigned long)limit);
 3175       png_chunk_error(png_ptr, "chunk data is too large");
 3176    }
 3177 }
 3178 
 3179 /* Combines the row recently read in with the existing pixels in the row.  This
 3180  * routine takes care of alpha and transparency if requested.  This routine also
 3181  * handles the two methods of progressive display of interlaced images,
 3182  * depending on the 'display' value; if 'display' is true then the whole row
 3183  * (dp) is filled from the start by replicating the available pixels.  If
 3184  * 'display' is false only those pixels present in the pass are filled in.
 3185  */
 3186 void /* PRIVATE */
 3187 png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
 3188 {
 3189    unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
 3190    png_const_bytep sp = png_ptr->row_buf + 1;
 3191    png_alloc_size_t row_width = png_ptr->width;
 3192    unsigned int pass = png_ptr->pass;
 3193    png_bytep end_ptr = 0;
 3194    png_byte end_byte = 0;
 3195    unsigned int end_mask;
 3196 
 3197    png_debug(1, "in png_combine_row");
 3198 
 3199    /* Added in 1.5.6: it should not be possible to enter this routine until at
 3200     * least one row has been read from the PNG data and transformed.
 3201     */
 3202    if (pixel_depth == 0)
 3203       png_error(png_ptr, "internal row logic error");
 3204 
 3205    /* Added in 1.5.4: the pixel depth should match the information returned by
 3206     * any call to png_read_update_info at this point.  Do not continue if we got
 3207     * this wrong.
 3208     */
 3209    if (png_ptr->info_rowbytes != 0 && png_ptr->info_rowbytes !=
 3210           PNG_ROWBYTES(pixel_depth, row_width))
 3211       png_error(png_ptr, "internal row size calculation error");
 3212 
 3213    /* Don't expect this to ever happen: */
 3214    if (row_width == 0)
 3215       png_error(png_ptr, "internal row width error");
 3216 
 3217    /* Preserve the last byte in cases where only part of it will be overwritten,
 3218     * the multiply below may overflow, we don't care because ANSI-C guarantees
 3219     * we get the low bits.
 3220     */
 3221    end_mask = (pixel_depth * row_width) & 7;
 3222    if (end_mask != 0)
 3223    {
 3224       /* end_ptr == NULL is a flag to say do nothing */
 3225       end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - 1;
 3226       end_byte = *end_ptr;
 3227 #     ifdef PNG_READ_PACKSWAP_SUPPORTED
 3228       if ((png_ptr->transformations & PNG_PACKSWAP) != 0)
 3229          /* little-endian byte */
 3230          end_mask = (unsigned int)(0xff << end_mask);
 3231 
 3232       else /* big-endian byte */
 3233 #     endif
 3234       end_mask = 0xff >> end_mask;
 3235       /* end_mask is now the bits to *keep* from the destination row */
 3236    }
 3237 
 3238    /* For non-interlaced images this reduces to a memcpy(). A memcpy()
 3239     * will also happen if interlacing isn't supported or if the application
 3240     * does not call png_set_interlace_handling().  In the latter cases the
 3241     * caller just gets a sequence of the unexpanded rows from each interlace
 3242     * pass.
 3243     */
 3244 #ifdef PNG_READ_INTERLACING_SUPPORTED
 3245    if (png_ptr->interlaced != 0 &&
 3246        (png_ptr->transformations & PNG_INTERLACE) != 0 &&
 3247        pass < 6 && (display == 0 ||
 3248        /* The following copies everything for 'display' on passes 0, 2 and 4. */
 3249        (display == 1 && (pass & 1) != 0)))
 3250    {
 3251       /* Narrow images may have no bits in a pass; the caller should handle
 3252        * this, but this test is cheap:
 3253        */
 3254       if (row_width <= PNG_PASS_START_COL(pass))
 3255          return;
 3256 
 3257       if (pixel_depth < 8)
 3258       {
 3259          /* For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit
 3260           * into 32 bits, then a single loop over the bytes using the four byte
 3261           * values in the 32-bit mask can be used.  For the 'display' option the
 3262           * expanded mask may also not require any masking within a byte.  To
 3263           * make this work the PACKSWAP option must be taken into account - it
 3264           * simply requires the pixels to be reversed in each byte.
 3265           *
 3266           * The 'regular' case requires a mask for each of the first 6 passes,
 3267           * the 'display' case does a copy for the even passes in the range
 3268           * 0..6.  This has already been handled in the test above.
 3269           *
 3270           * The masks are arranged as four bytes with the first byte to use in
 3271           * the lowest bits (little-endian) regardless of the order (PACKSWAP or
 3272           * not) of the pixels in each byte.
 3273           *
 3274           * NOTE: the whole of this logic depends on the caller of this function
 3275           * only calling it on rows appropriate to the pass.  This function only
 3276           * understands the 'x' logic; the 'y' logic is handled by the caller.
 3277           *
 3278           * The following defines allow generation of compile time constant bit
 3279           * masks for each pixel depth and each possibility of swapped or not
 3280           * swapped bytes.  Pass 'p' is in the range 0..6; 'x', a pixel index,
 3281           * is in the range 0..7; and the result is 1 if the pixel is to be
 3282           * copied in the pass, 0 if not.  'S' is for the sparkle method, 'B'
 3283           * for the block method.
 3284           *
 3285           * With some compilers a compile time expression of the general form:
 3286           *
 3287           *    (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
 3288           *
 3289           * Produces warnings with values of 'shift' in the range 33 to 63
 3290           * because the right hand side of the ?: expression is evaluated by
 3291           * the compiler even though it isn't used.  Microsoft Visual C (various
 3292           * versions) and the Intel C compiler are known to do this.  To avoid
 3293           * this the following macros are used in 1.5.6.  This is a temporary
 3294           * solution to avoid destabilizing the code during the release process.
 3295           */
 3296 #        if PNG_USE_COMPILE_TIME_MASKS
 3297 #           define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
 3298 #           define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
 3299 #        else
 3300 #           define PNG_LSR(x,s) ((x)>>(s))
 3301 #           define PNG_LSL(x,s) ((x)<<(s))
 3302 #        endif
 3303 #        define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
 3304            PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
 3305 #        define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
 3306            PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
 3307 
 3308          /* Return a mask for pass 'p' pixel 'x' at depth 'd'.  The mask is
 3309           * little endian - the first pixel is at bit 0 - however the extra
 3310           * parameter 's' can be set to cause the mask position to be swapped
 3311           * within each byte, to match the PNG format.  This is done by XOR of
 3312           * the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
 3313           */
 3314 #        define PIXEL_MASK(p,x,d,s) \
 3315             (PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
 3316 
 3317          /* Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.
 3318           */
 3319 #        define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
 3320 #        define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
 3321 
 3322          /* Combine 8 of these to get the full mask.  For the 1-bpp and 2-bpp
 3323           * cases the result needs replicating, for the 4-bpp case the above
 3324           * generates a full 32 bits.
 3325           */
 3326 #        define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
 3327 
 3328 #        define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
 3329             S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
 3330             S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
 3331 
 3332 #        define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
 3333             B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
 3334             B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
 3335 
 3336 #if PNG_USE_COMPILE_TIME_MASKS
 3337          /* Utility macros to construct all the masks for a depth/swap
 3338           * combination.  The 's' parameter says whether the format is PNG
 3339           * (big endian bytes) or not.  Only the three odd-numbered passes are
 3340           * required for the display/block algorithm.
 3341           */
 3342 #        define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
 3343             S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
 3344 
 3345 #        define B_MASKS(d,s) { B_MASK(1,d,s), B_MASK(3,d,s), B_MASK(5,d,s) }
 3346 
 3347 #        define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
 3348 
 3349          /* Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and
 3350           * then pass:
 3351           */
 3352          static PNG_CONST png_uint_32 row_mask[2/*PACKSWAP*/][3/*depth*/][6] =
 3353          {
 3354             /* Little-endian byte masks for PACKSWAP */
 3355             { S_MASKS(1,0), S_MASKS(2,0), S_MASKS(4,0) },
 3356             /* Normal (big-endian byte) masks - PNG format */
 3357             { S_MASKS(1,1), S_MASKS(2,1), S_MASKS(4,1) }
 3358          };
 3359 
 3360          /* display_mask has only three entries for the odd passes, so index by
 3361           * pass>>1.
 3362           */
 3363          static PNG_CONST png_uint_32 display_mask[2][3][3] =
 3364          {
 3365             /* Little-endian byte masks for PACKSWAP */
 3366             { B_MASKS(1,0), B_MASKS(2,0), B_MASKS(4,0) },
 3367             /* Normal (big-endian byte) masks - PNG format */
 3368             { B_MASKS(1,1), B_MASKS(2,1), B_MASKS(4,1) }
 3369          };
 3370 
 3371 #        define MASK(pass,depth,display,png)\
 3372             ((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
 3373                row_mask[png][DEPTH_INDEX(depth)][pass])
 3374 
 3375 #else /* !PNG_USE_COMPILE_TIME_MASKS */
 3376          /* This is the runtime alternative: it seems unlikely that this will
 3377           * ever be either smaller or faster than the compile time approach.
 3378           */
 3379 #        define MASK(pass,depth,display,png)\
 3380             ((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
 3381 #endif /* !USE_COMPILE_TIME_MASKS */
 3382 
 3383          /* Use the appropriate mask to copy the required bits.  In some cases
 3384           * the byte mask will be 0 or 0xff; optimize these cases.  row_width is
 3385           * the number of pixels, but the code copies bytes, so it is necessary
 3386           * to special case the end.
 3387           */
 3388          png_uint_32 pixels_per_byte = 8 / pixel_depth;
 3389          png_uint_32 mask;
 3390 
 3391 #        ifdef PNG_READ_PACKSWAP_SUPPORTED
 3392          if ((png_ptr->transformations & PNG_PACKSWAP) != 0)
 3393             mask = MASK(pass, pixel_depth, display, 0);
 3394 
 3395          else
 3396 #        endif
 3397          mask = MASK(pass, pixel_depth, display, 1);
 3398 
 3399          for (;;)
 3400          {
 3401             png_uint_32 m;
 3402 
 3403             /* It doesn't matter in the following if png_uint_32 has more than
 3404              * 32 bits because the high bits always match those in m<<24; it is,
 3405              * however, essential to use OR here, not +, because of this.
 3406              */
 3407             m = mask;
 3408             mask = (m >> 8) | (m << 24); /* rotate right to good compilers */
 3409             m &= 0xff;
 3410 
 3411             if (m != 0) /* something to copy */
 3412             {
 3413                if (m != 0xff)
 3414                   *dp = (png_byte)((*dp & ~m) | (*sp & m));
 3415                else
 3416                   *dp = *sp;
 3417             }
 3418 
 3419             /* NOTE: this may overwrite the last byte with garbage if the image
 3420              * is not an exact number of bytes wide; libpng has always done
 3421              * this.
 3422              */
 3423             if (row_width <= pixels_per_byte)
 3424                break; /* May need to restore part of the last byte */
 3425 
 3426             row_width -= pixels_per_byte;
 3427             ++dp;
 3428             ++sp;
 3429          }
 3430       }
 3431 
 3432       else /* pixel_depth >= 8 */
 3433       {
 3434          unsigned int bytes_to_copy, bytes_to_jump;
 3435 
 3436          /* Validate the depth - it must be a multiple of 8 */
 3437          if (pixel_depth & 7)
 3438             png_error(png_ptr, "invalid user transform pixel depth");
 3439 
 3440          pixel_depth >>= 3; /* now in bytes */
 3441          row_width *= pixel_depth;
 3442 
 3443          /* Regardless of pass number the Adam 7 interlace always results in a
 3444           * fixed number of pixels to copy then to skip.  There may be a
 3445           * different number of pixels to skip at the start though.
 3446           */
 3447          {
 3448             unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth;
 3449 
 3450             row_width -= offset;
 3451             dp += offset;
 3452             sp += offset;
 3453          }
 3454 
 3455          /* Work out the bytes to copy. */
 3456          if (display != 0)
 3457          {
 3458             /* When doing the 'block' algorithm the pixel in the pass gets
 3459              * replicated to adjacent pixels.  This is why the even (0,2,4,6)
 3460              * passes are skipped above - the entire expanded row is copied.
 3461              */
 3462             bytes_to_copy = (1<<((6-pass)>>1)) * pixel_depth;
 3463 
 3464             /* But don't allow this number to exceed the actual row width. */
 3465             if (bytes_to_copy > row_width)
 3466                bytes_to_copy = (unsigned int)/*SAFE*/row_width;
 3467          }
 3468 
 3469          else /* normal row; Adam7 only ever gives us one pixel to copy. */
 3470             bytes_to_copy = pixel_depth;
 3471 
 3472          /* In Adam7 there is a constant offset between where the pixels go. */
 3473          bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth;
 3474 
 3475          /* And simply copy these bytes.  Some optimization is possible here,
 3476           * depending on the value of 'bytes_to_copy'.  Special case the low
 3477           * byte counts, which we know to be frequent.
 3478           *
 3479           * Notice that these cases all 'return' rather than 'break' - this
 3480           * avoids an unnecessary test on whether to restore the last byte
 3481           * below.
 3482           */
 3483          switch (bytes_to_copy)
 3484          {
 3485             case 1:
 3486                for (;;)
 3487                {
 3488                   *dp = *sp;
 3489 
 3490                   if (row_width <= bytes_to_jump)
 3491                      return;
 3492 
 3493                   dp += bytes_to_jump;
 3494                   sp += bytes_to_jump;
 3495                   row_width -= bytes_to_jump;
 3496                }
 3497 
 3498             case 2:
 3499                /* There is a possibility of a partial copy at the end here; this
 3500                 * slows the code down somewhat.
 3501                 */
 3502                do
 3503                {
 3504                   dp[0] = sp[0]; dp[1] = sp[1];
 3505 
 3506                   if (row_width <= bytes_to_jump)
 3507                      return;
 3508 
 3509                   sp += bytes_to_jump;
 3510                   dp += bytes_to_jump;
 3511                   row_width -= bytes_to_jump;
 3512                }
 3513                while (row_width > 1);
 3514 
 3515                /* And there can only be one byte left at this point: */
 3516                *dp = *sp;
 3517                return;
 3518 
 3519             case 3:
 3520                /* This can only be the RGB case, so each copy is exactly one
 3521                 * pixel and it is not necessary to check for a partial copy.
 3522                 */
 3523                for (;;)
 3524                {
 3525                   dp[0] = sp[0]; dp[1] = sp[1]; dp[2] = sp[2];
 3526 
 3527                   if (row_width <= bytes_to_jump)
 3528                      return;
 3529 
 3530                   sp += bytes_to_jump;
 3531                   dp += bytes_to_jump;
 3532                   row_width -= bytes_to_jump;
 3533                }
 3534 
 3535             default:
 3536 #if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
 3537                /* Check for double byte alignment and, if possible, use a
 3538                 * 16-bit copy.  Don't attempt this for narrow images - ones that
 3539                 * are less than an interlace panel wide.  Don't attempt it for
 3540                 * wide bytes_to_copy either - use the memcpy there.
 3541                 */
 3542                if (bytes_to_copy < 16 /*else use memcpy*/ &&
 3543                    png_isaligned(dp, png_uint_16) &&
 3544                    png_isaligned(sp, png_uint_16) &&
 3545                    bytes_to_copy % (sizeof (png_uint_16)) == 0 &&
 3546                    bytes_to_jump % (sizeof (png_uint_16)) == 0)
 3547                {
 3548                   /* Everything is aligned for png_uint_16 copies, but try for
 3549                    * png_uint_32 first.
 3550                    */
 3551                   if (png_isaligned(dp, png_uint_32) &&
 3552                       png_isaligned(sp, png_uint_32) &&
 3553                       bytes_to_copy % (sizeof (png_uint_32)) == 0 &&
 3554                       bytes_to_jump % (sizeof (png_uint_32)) == 0)
 3555                   {
 3556                      png_uint_32p dp32 = png_aligncast(png_uint_32p,dp);
 3557                      png_const_uint_32p sp32 = png_aligncastconst(
 3558                          png_const_uint_32p, sp);
 3559                      size_t skip = (bytes_to_jump-bytes_to_copy) /
 3560                          (sizeof (png_uint_32));
 3561 
 3562                      do
 3563                      {
 3564                         size_t c = bytes_to_copy;
 3565                         do
 3566                         {
 3567                            *dp32++ = *sp32++;
 3568                            c -= (sizeof (png_uint_32));
 3569                         }
 3570                         while (c > 0);
 3571 
 3572                         if (row_width <= bytes_to_jump)
 3573                            return;
 3574 
 3575                         dp32 += skip;
 3576                         sp32 += skip;
 3577                         row_width -= bytes_to_jump;
 3578                      }
 3579                      while (bytes_to_copy <= row_width);
 3580 
 3581                      /* Get to here when the row_width truncates the final copy.
 3582                       * There will be 1-3 bytes left to copy, so don't try the
 3583                       * 16-bit loop below.
 3584                       */
 3585                      dp = (png_bytep)dp32;
 3586                      sp = (png_const_bytep)sp32;
 3587                      do
 3588                         *dp++ = *sp++;
 3589                      while (--row_width > 0);
 3590                      return;
 3591                   }
 3592 
 3593                   /* Else do it in 16-bit quantities, but only if the size is
 3594                    * not too large.
 3595                    */
 3596                   else
 3597                   {
 3598                      png_uint_16p dp16 = png_aligncast(png_uint_16p, dp);
 3599                      png_const_uint_16p sp16 = png_aligncastconst(
 3600                         png_const_uint_16p, sp);
 3601                      size_t skip = (bytes_to_jump-bytes_to_copy) /
 3602                         (sizeof (png_uint_16));
 3603 
 3604                      do
 3605                      {
 3606                         size_t c = bytes_to_copy;
 3607                         do
 3608                         {
 3609                            *dp16++ = *sp16++;
 3610                            c -= (sizeof (png_uint_16));
 3611                         }
 3612                         while (c > 0);
 3613 
 3614                         if (row_width <= bytes_to_jump)
 3615                            return;
 3616 
 3617                         dp16 += skip;
 3618                         sp16 += skip;
 3619                         row_width -= bytes_to_jump;
 3620                      }
 3621                      while (bytes_to_copy <= row_width);
 3622 
 3623                      /* End of row - 1 byte left, bytes_to_copy > row_width: */
 3624                      dp = (png_bytep)dp16;
 3625                      sp = (png_const_bytep)sp16;
 3626                      do
 3627                         *dp++ = *sp++;
 3628                      while (--row_width > 0);
 3629                      return;
 3630                   }
 3631                }
 3632 #endif /* ALIGN_TYPE code */
 3633 
 3634                /* The true default - use a memcpy: */
 3635                for (;;)
 3636                {
 3637                   memcpy(dp, sp, bytes_to_copy);
 3638 
 3639                   if (row_width <= bytes_to_jump)
 3640                      return;
 3641 
 3642                   sp += bytes_to_jump;
 3643                   dp += bytes_to_jump;
 3644                   row_width -= bytes_to_jump;
 3645                   if (bytes_to_copy > row_width)
 3646                      bytes_to_copy = (unsigned int)/*SAFE*/row_width;
 3647                }
 3648          }
 3649 
 3650          /* NOT REACHED*/
 3651       } /* pixel_depth >= 8 */
 3652 
 3653       /* Here if pixel_depth < 8 to check 'end_ptr' below. */
 3654    }
 3655    else
 3656 #endif /* READ_INTERLACING */
 3657 
 3658    /* If here then the switch above wasn't used so just memcpy the whole row
 3659     * from the temporary row buffer (notice that this overwrites the end of the
 3660     * destination row if it is a partial byte.)
 3661     */
 3662    memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width));
 3663 
 3664    /* Restore the overwritten bits from the last byte if necessary. */
 3665    if (end_ptr != NULL)
 3666       *end_ptr = (png_byte)((end_byte & end_mask) | (*end_ptr & ~end_mask));
 3667 }
 3668 
 3669 #ifdef PNG_READ_INTERLACING_SUPPORTED
 3670 void /* PRIVATE */
 3671 png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
 3672     png_uint_32 transformations /* Because these may affect the byte layout */)
 3673 {
 3674    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
 3675    /* Offset to next interlace block */
 3676    static PNG_CONST unsigned int png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
 3677 
 3678    png_debug(1, "in png_do_read_interlace");
 3679    if (row != NULL && row_info != NULL)
 3680    {
 3681       png_uint_32 final_width;
 3682 
 3683       final_width = row_info->width * png_pass_inc[pass];
 3684 
 3685       switch (row_info->pixel_depth)
 3686       {
 3687          case 1:
 3688          {
 3689             png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 3);
 3690             png_bytep dp = row + (png_size_t)((final_width - 1) >> 3);
 3691             unsigned int sshift, dshift;
 3692             unsigned int s_start, s_end;
 3693             int s_inc;
 3694             int jstop = (int)png_pass_inc[pass];
 3695             png_byte v;
 3696             png_uint_32 i;
 3697             int j;
 3698 
 3699 #ifdef PNG_READ_PACKSWAP_SUPPORTED
 3700             if ((transformations & PNG_PACKSWAP) != 0)
 3701             {
 3702                 sshift = ((row_info->width + 7) & 0x07);
 3703                 dshift = ((final_width + 7) & 0x07);
 3704                 s_start = 7;
 3705                 s_end = 0;
 3706                 s_inc = -1;
 3707             }
 3708 
 3709             else
 3710 #endif
 3711             {
 3712                 sshift = 7 - ((row_info->width + 7) & 0x07);
 3713                 dshift = 7 - ((final_width + 7) & 0x07);
 3714                 s_start = 0;
 3715                 s_end = 7;
 3716                 s_inc = 1;
 3717             }
 3718 
 3719             for (i = 0; i < row_info->width; i++)
 3720             {
 3721                v = (png_byte)((*sp >> sshift) & 0x01);
 3722                for (j = 0; j < jstop; j++)
 3723                {
 3724                   unsigned int tmp = *dp & (0x7f7f >> (7 - dshift));
 3725                   tmp |= (unsigned int)(v << dshift);
 3726                   *dp = (png_byte)(tmp & 0xff);
 3727 
 3728                   if (dshift == s_end)
 3729                   {
 3730                      dshift = s_start;
 3731                      dp--;
 3732                   }
 3733 
 3734                   else
 3735                      dshift = (unsigned int)((int)dshift + s_inc);
 3736                }
 3737 
 3738                if (sshift == s_end)
 3739                {
 3740                   sshift = s_start;
 3741                   sp--;
 3742                }
 3743 
 3744                else
 3745                   sshift = (unsigned int)((int)sshift + s_inc);
 3746             }
 3747             break;
 3748          }
 3749 
 3750          case 2:
 3751          {
 3752             png_bytep sp = row + (png_uint_32)((row_info->width - 1) >> 2);
 3753             png_bytep dp = row + (png_uint_32)((final_width - 1) >> 2);
 3754             unsigned int sshift, dshift;
 3755             unsigned int s_start, s_end;
 3756             int s_inc;
 3757             int jstop = (int)png_pass_inc[pass];
 3758             png_uint_32 i;
 3759 
 3760 #ifdef PNG_READ_PACKSWAP_SUPPORTED
 3761             if ((transformations & PNG_PACKSWAP) != 0)
 3762             {
 3763                sshift = (((row_info->width + 3) & 0x03) << 1);
 3764                dshift = (((final_width + 3) & 0x03) << 1);
 3765                s_start = 6;
 3766                s_end = 0;
 3767                s_inc = -2;
 3768             }
 3769 
 3770             else
 3771 #endif
 3772             {
 3773                sshift = ((3 - ((row_info->width + 3) & 0x03)) << 1);
 3774                dshift = ((3 - ((final_width + 3) & 0x03)) << 1);
 3775                s_start = 0;
 3776                s_end = 6;
 3777                s_inc = 2;
 3778             }
 3779 
 3780             for (i = 0; i < row_info->width; i++)
 3781             {
 3782                png_byte v;
 3783                int j;
 3784 
 3785                v = (png_byte)((*sp >> sshift) & 0x03);
 3786                for (j = 0; j < jstop; j++)
 3787                {
 3788                   unsigned int tmp = *dp & (0x3f3f >> (6 - dshift));
 3789                   tmp |= (unsigned int)(v << dshift);
 3790                   *dp = (png_byte)(tmp & 0xff);
 3791 
 3792                   if (dshift == s_end)
 3793                   {
 3794                      dshift = s_start;
 3795                      dp--;
 3796                   }
 3797 
 3798                   else
 3799                      dshift = (unsigned int)((int)dshift + s_inc);
 3800                }
 3801 
 3802                if (sshift == s_end)
 3803                {
 3804                   sshift = s_start;
 3805                   sp--;
 3806                }
 3807 
 3808                else
 3809                   sshift = (unsigned int)((int)sshift + s_inc);
 3810             }
 3811             break;
 3812          }
 3813 
 3814          case 4:
 3815          {
 3816             png_bytep sp = row + (png_size_t)((row_info->width - 1) >> 1);
 3817             png_bytep dp = row + (png_size_t)((final_width - 1) >> 1);
 3818             unsigned int sshift, dshift;
 3819             unsigned int s_start, s_end;
 3820             int s_inc;
 3821             png_uint_32 i;
 3822             int jstop = (int)png_pass_inc[pass];
 3823 
 3824 #ifdef PNG_READ_PACKSWAP_SUPPORTED
 3825             if ((transformations & PNG_PACKSWAP) != 0)
 3826             {
 3827                sshift = (((row_info->width + 1) & 0x01) << 2);
 3828                dshift = (((final_width + 1) & 0x01) << 2);
 3829                s_start = 4;
 3830                s_end = 0;
 3831                s_inc = -4;
 3832             }
 3833 
 3834             else
 3835 #endif
 3836             {
 3837                sshift = ((1 - ((row_info->width + 1) & 0x01)) << 2);
 3838                dshift = ((1 - ((final_width + 1) & 0x01)) << 2);
 3839                s_start = 0;
 3840                s_end = 4;
 3841                s_inc = 4;
 3842             }
 3843 
 3844             for (i = 0; i < row_info->width; i++)
 3845             {
 3846                png_byte v = (png_byte)((*sp >> sshift) & 0x0f);
 3847                int j;
 3848 
 3849                for (j = 0; j < jstop; j++)
 3850                {
 3851                   unsigned int tmp = *dp & (0xf0f >> (4 - dshift));
 3852                   tmp |= (unsigned int)(v << dshift);
 3853                   *dp = (png_byte)(tmp & 0xff);
 3854 
 3855                   if (dshift == s_end)
 3856                   {
 3857                      dshift = s_start;
 3858                      dp--;
 3859                   }
 3860 
 3861                   else
 3862                      dshift = (unsigned int)((int)dshift + s_inc);
 3863                }
 3864 
 3865                if (sshift == s_end)
 3866                {
 3867                   sshift = s_start;
 3868                   sp--;
 3869                }
 3870 
 3871                else
 3872                   sshift = (unsigned int)((int)sshift + s_inc);
 3873             }
 3874             break;
 3875          }
 3876 
 3877          default:
 3878          {
 3879             png_size_t pixel_bytes = (row_info->pixel_depth >> 3);
 3880 
 3881             png_bytep sp = row + (png_size_t)(row_info->width - 1)
 3882                 * pixel_bytes;
 3883 
 3884             png_bytep dp = row + (png_size_t)(final_width - 1) * pixel_bytes;
 3885 
 3886             int jstop = (int)png_pass_inc[pass];
 3887             png_uint_32 i;
 3888 
 3889             for (i = 0; i < row_info->width; i++)
 3890             {
 3891                png_byte v[8]; /* SAFE; pixel_depth does not exceed 64 */
 3892                int j;
 3893 
 3894                memcpy(v, sp, pixel_bytes);
 3895 
 3896                for (j = 0; j < jstop; j++)
 3897                {
 3898                   memcpy(dp, v, pixel_bytes);
 3899                   dp -= pixel_bytes;
 3900                }
 3901 
 3902                sp -= pixel_bytes;
 3903             }
 3904             break;
 3905          }
 3906       }
 3907 
 3908       row_info->width = final_width;
 3909       row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width);
 3910    }
 3911 #ifndef PNG_READ_PACKSWAP_SUPPORTED
 3912    PNG_UNUSED(transformations)  /* Silence compiler warning */
 3913 #endif
 3914 }
 3915 #endif /* READ_INTERLACING */
 3916 
 3917 static void
 3918 png_read_filter_row_sub(png_row_infop row_info, png_bytep row,
 3919     png_const_bytep prev_row)
 3920 {
 3921    png_size_t i;
 3922    png_size_t istop = row_info->rowbytes;
 3923    unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
 3924    png_bytep rp = row + bpp;
 3925 
 3926    PNG_UNUSED(prev_row)
 3927 
 3928    for (i = bpp; i < istop; i++)
 3929    {
 3930       *rp = (png_byte)(((int)(*rp) + (int)(*(rp-bpp))) & 0xff);
 3931       rp++;
 3932    }
 3933 }
 3934 
 3935 static void
 3936 png_read_filter_row_up(png_row_infop row_info, png_bytep row,
 3937     png_const_bytep prev_row)
 3938 {
 3939    png_size_t i;
 3940    png_size_t istop = row_info->rowbytes;
 3941    png_bytep rp = row;
 3942    png_const_bytep pp = prev_row;
 3943 
 3944    for (i = 0; i < istop; i++)
 3945    {
 3946       *rp = (png_byte)(((int)(*rp) + (int)(*pp++)) & 0xff);
 3947       rp++;
 3948    }
 3949 }
 3950 
 3951 static void
 3952 png_read_filter_row_avg(png_row_infop row_info, png_bytep row,
 3953     png_const_bytep prev_row)
 3954 {
 3955    png_size_t i;
 3956    png_bytep rp = row;
 3957    png_const_bytep pp = prev_row;
 3958    unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
 3959    png_size_t istop = row_info->rowbytes - bpp;
 3960 
 3961    for (i = 0; i < bpp; i++)
 3962    {
 3963       *rp = (png_byte)(((int)(*rp) +
 3964          ((int)(*pp++) / 2 )) & 0xff);
 3965 
 3966       rp++;
 3967    }
 3968 
 3969    for (i = 0; i < istop; i++)
 3970    {
 3971       *rp = (png_byte)(((int)(*rp) +
 3972          (int)(*pp++ + *(rp-bpp)) / 2 ) & 0xff);
 3973 
 3974       rp++;
 3975    }
 3976 }
 3977 
 3978 static void
 3979 png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row,
 3980     png_const_bytep prev_row)
 3981 {
 3982    png_bytep rp_end = row + row_info->rowbytes;
 3983    int a, c;
 3984 
 3985    /* First pixel/byte */
 3986    c = *prev_row++;
 3987    a = *row + c;
 3988    *row++ = (png_byte)a;
 3989 
 3990    /* Remainder */
 3991    while (row < rp_end)
 3992    {
 3993       int b, pa, pb, pc, p;
 3994 
 3995       a &= 0xff; /* From previous iteration or start */
 3996       b = *prev_row++;
 3997 
 3998       p = b - c;
 3999       pc = a - c;
 4000 
 4001 #ifdef PNG_USE_ABS
 4002       pa = abs(p);
 4003       pb = abs(pc);
 4004       pc = abs(p + pc);
 4005 #else
 4006       pa = p < 0 ? -p : p;
 4007       pb = pc < 0 ? -pc : pc;
 4008       pc = (p + pc) < 0 ? -(p + pc) : p + pc;
 4009 #endif
 4010 
 4011       /* Find the best predictor, the least of pa, pb, pc favoring the earlier
 4012        * ones in the case of a tie.
 4013        */
 4014       if (pb < pa)
 4015       {
 4016          pa = pb; a = b;
 4017       }
 4018       if (pc < pa) a = c;
 4019 
 4020       /* Calculate the current pixel in a, and move the previous row pixel to c
 4021        * for the next time round the loop
 4022        */
 4023       c = b;
 4024       a += *row;
 4025       *row++ = (png_byte)a;
 4026    }
 4027 }
 4028 
 4029 static void
 4030 png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
 4031     png_const_bytep prev_row)
 4032 {
 4033    unsigned int bpp = (row_info->pixel_depth + 7) >> 3;
 4034    png_bytep rp_end = row + bpp;
 4035 
 4036    /* Process the first pixel in the row completely (this is the same as 'up'
 4037     * because there is only one candidate predictor for the first row).
 4038     */
 4039    while (row < rp_end)
 4040    {
 4041       int a = *row + *prev_row++;
 4042       *row++ = (png_byte)a;
 4043    }
 4044 
 4045    /* Remainder */
 4046    rp_end = rp_end + (row_info->rowbytes - bpp);
 4047 
 4048    while (row < rp_end)
 4049    {
 4050       int a, b, c, pa, pb, pc, p;
 4051 
 4052       c = *(prev_row - bpp);
 4053       a = *(row - bpp);
 4054       b = *prev_row++;
 4055 
 4056       p = b - c;
 4057       pc = a - c;
 4058 
 4059 #ifdef PNG_USE_ABS
 4060       pa = abs(p);
 4061       pb = abs(pc);
 4062       pc = abs(p + pc);
 4063 #else
 4064       pa = p < 0 ? -p : p;
 4065       pb = pc < 0 ? -pc : pc;
 4066       pc = (p + pc) < 0 ? -(p + pc) : p + pc;
 4067 #endif
 4068 
 4069       if (pb < pa)
 4070       {
 4071          pa = pb; a = b;
 4072       }
 4073       if (pc < pa) a = c;
 4074 
 4075       a += *row;
 4076       *row++ = (png_byte)a;
 4077    }
 4078 }
 4079 
 4080 static void
 4081 png_init_filter_functions(png_structrp pp)
 4082    /* This function is called once for every PNG image (except for PNG images
 4083     * that only use PNG_FILTER_VALUE_NONE for all rows) to set the
 4084     * implementations required to reverse the filtering of PNG rows.  Reversing
 4085     * the filter is the first transformation performed on the row data.  It is
 4086     * performed in place, therefore an implementation can be selected based on
 4087     * the image pixel format.  If the implementation depends on image width then
 4088     * take care to ensure that it works correctly if the image is interlaced -
 4089     * interlacing causes the actual row width to vary.
 4090     */
 4091 {
 4092    unsigned int bpp = (pp->pixel_depth + 7) >> 3;
 4093 
 4094    pp->read_filter[PNG_FILTER_VALUE_SUB-1] = png_read_filter_row_sub;
 4095    pp->read_filter[PNG_FILTER_VALUE_UP-1] = png_read_filter_row_up;
 4096    pp->read_filter[PNG_FILTER_VALUE_AVG-1] = png_read_filter_row_avg;
 4097    if (bpp == 1)
 4098       pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
 4099          png_read_filter_row_paeth_1byte_pixel;
 4100    else
 4101       pp->read_filter[PNG_FILTER_VALUE_PAETH-1] =
 4102          png_read_filter_row_paeth_multibyte_pixel;
 4103 
 4104 #ifdef PNG_FILTER_OPTIMIZATIONS
 4105    /* To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to
 4106     * call to install hardware optimizations for the above functions; simply
 4107     * replace whatever elements of the pp->read_filter[] array with a hardware
 4108     * specific (or, for that matter, generic) optimization.
 4109     *
 4110     * To see an example of this examine what configure.ac does when
 4111     * --enable-arm-neon is specified on the command line.
 4112     */
 4113    PNG_FILTER_OPTIMIZATIONS(pp, bpp);
 4114 #endif
 4115 }
 4116 
 4117 void /* PRIVATE */
 4118 png_read_filter_row(png_structrp pp, png_row_infop row_info, png_bytep row,
 4119     png_const_bytep prev_row, int filter)
 4120 {
 4121    /* OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define
 4122     * PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
 4123     * implementations.  See png_init_filter_functions above.
 4124     */
 4125    if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST)
 4126    {
 4127       if (pp->read_filter[0] == NULL)
 4128          png_init_filter_functions(pp);
 4129 
 4130       pp->read_filter[filter-1](row_info, row, prev_row);
 4131    }
 4132 }
 4133 
 4134 #ifdef PNG_SEQUENTIAL_READ_SUPPORTED
 4135 void /* PRIVATE */
 4136 png_read_IDAT_data(png_structrp png_ptr, png_bytep output,
 4137     png_alloc_size_t avail_out)
 4138 {
 4139    /* Loop reading IDATs and decompressing the result into output[avail_out] */
 4140    png_ptr->zstream.next_out = output;
 4141    png_ptr->zstream.avail_out = 0; /* safety: set below */
 4142 
 4143    if (output == NULL)
 4144       avail_out = 0;
 4145 
 4146    do
 4147    {
 4148       int ret;
 4149       png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
 4150 
 4151       if (png_ptr->zstream.avail_in == 0)
 4152       {
 4153          uInt avail_in;
 4154          png_bytep buffer;
 4155 
 4156          while (png_ptr->idat_size == 0)
 4157          {
 4158             png_crc_finish(png_ptr, 0);
 4159 
 4160             png_ptr->idat_size = png_read_chunk_header(png_ptr);
 4161             /* This is an error even in the 'check' case because the code just
 4162              * consumed a non-IDAT header.
 4163              */
 4164             if (png_ptr->chunk_name != png_IDAT)
 4165                png_error(png_ptr, "Not enough image data");
 4166          }
 4167 
 4168          avail_in = png_ptr->IDAT_read_size;
 4169 
 4170          if (avail_in > png_ptr->idat_size)
 4171             avail_in = (uInt)png_ptr->idat_size;
 4172 
 4173          /* A PNG with a gradually increasing IDAT size will defeat this attempt
 4174           * to minimize memory usage by causing lots of re-allocs, but
 4175           * realistically doing IDAT_read_size re-allocs is not likely to be a
 4176           * big problem.
 4177           */
 4178          buffer = png_read_buffer(png_ptr, avail_in, 0/*error*/);
 4179 
 4180          png_crc_read(png_ptr, buffer, avail_in);
 4181          png_ptr->idat_size -= avail_in;
 4182 
 4183          png_ptr->zstream.next_in = buffer;
 4184          png_ptr->zstream.avail_in = avail_in;
 4185       }
 4186 
 4187       /* And set up the output side. */
 4188       if (output != NULL) /* standard read */
 4189       {
 4190          uInt out = ZLIB_IO_MAX;
 4191 
 4192          if (out > avail_out)
 4193             out = (uInt)avail_out;
 4194 
 4195          avail_out -= out;
 4196          png_ptr->zstream.avail_out = out;
 4197       }
 4198 
 4199       else /* after last row, checking for end */
 4200       {
 4201          png_ptr->zstream.next_out = tmpbuf;
 4202          png_ptr->zstream.avail_out = (sizeof tmpbuf);
 4203       }
 4204 
 4205       /* Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the
 4206        * process.  If the LZ stream is truncated the sequential reader will
 4207        * terminally damage the stream, above, by reading the chunk header of the
 4208        * following chunk (it then exits with png_error).
 4209        *
 4210        * TODO: deal more elegantly with truncated IDAT lists.
 4211        */
 4212       ret = PNG_INFLATE(png_ptr, Z_NO_FLUSH);
 4213 
 4214       /* Take the unconsumed output back. */
 4215       if (output != NULL)
 4216          avail_out += png_ptr->zstream.avail_out;
 4217 
 4218       else /* avail_out counts the extra bytes */
 4219          avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;
 4220 
 4221       png_ptr->zstream.avail_out = 0;
 4222 
 4223       if (ret == Z_STREAM_END)
 4224       {
 4225          /* Do this for safety; we won't read any more into this row. */
 4226          png_ptr->zstream.next_out = NULL;
 4227 
 4228          png_ptr->mode |= PNG_AFTER_IDAT;
 4229          png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
 4230 
 4231          if (png_ptr->zstream.avail_in > 0 || png_ptr->idat_size > 0)
 4232             png_chunk_benign_error(png_ptr, "Extra compressed data");
 4233          break;
 4234       }
 4235 
 4236       if (ret != Z_OK)
 4237       {
 4238          png_zstream_error(png_ptr, ret);
 4239 
 4240          if (output != NULL)
 4241             png_chunk_error(png_ptr, png_ptr->zstream.msg);
 4242 
 4243          else /* checking */
 4244          {
 4245             png_chunk_benign_error(png_ptr, png_ptr->zstream.msg);
 4246             return;
 4247          }
 4248       }
 4249    } while (avail_out > 0);
 4250 
 4251    if (avail_out > 0)
 4252    {
 4253       /* The stream ended before the image; this is the same as too few IDATs so
 4254        * should be handled the same way.
 4255        */
 4256       if (output != NULL)
 4257          png_error(png_ptr, "Not enough image data");
 4258 
 4259       else /* the deflate stream contained extra data */
 4260          png_chunk_benign_error(png_ptr, "Too much image data");
 4261    }
 4262 }
 4263 
 4264 void /* PRIVATE */
 4265 png_read_finish_IDAT(png_structrp png_ptr)
 4266 {
 4267    /* We don't need any more data and the stream should have ended, however the
 4268     * LZ end code may actually not have been processed.  In this case we must
 4269     * read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
 4270     * may still remain to be consumed.
 4271     */
 4272    if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
 4273    {
 4274       /* The NULL causes png_read_IDAT_data to swallow any remaining bytes in
 4275        * the compressed stream, but the stream may be damaged too, so even after
 4276        * this call we may need to terminate the zstream ownership.
 4277        */
 4278       png_read_IDAT_data(png_ptr, NULL, 0);
 4279       png_ptr->zstream.next_out = NULL; /* safety */
 4280 
 4281       /* Now clear everything out for safety; the following may not have been
 4282        * done.
 4283        */
 4284       if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
 4285       {
 4286          png_ptr->mode |= PNG_AFTER_IDAT;
 4287          png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED;
 4288       }
 4289    }
 4290 
 4291    /* If the zstream has not been released do it now *and* terminate the reading
 4292     * of the final IDAT chunk.
 4293     */
 4294    if (png_ptr->zowner == png_IDAT)
 4295    {
 4296       /* Always do this; the pointers otherwise point into the read buffer. */
 4297       png_ptr->zstream.next_in = NULL;
 4298       png_ptr->zstream.avail_in = 0;
 4299 
 4300       /* Now we no longer own the zstream. */
 4301       png_ptr->zowner = 0;
 4302 
 4303       /* The slightly weird semantics of the sequential IDAT reading is that we
 4304        * are always in or at the end of an IDAT chunk, so we always need to do a
 4305        * crc_finish here.  If idat_size is non-zero we also need to read the
 4306        * spurious bytes at the end of the chunk now.
 4307        */
 4308       (void)png_crc_finish(png_ptr, png_ptr->idat_size);
 4309    }
 4310 }
 4311 
 4312 void /* PRIVATE */
 4313 png_read_finish_row(png_structrp png_ptr)
 4314 {
 4315    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
 4316 
 4317    /* Start of interlace block */
 4318    static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
 4319 
 4320    /* Offset to next interlace block */
 4321    static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
 4322 
 4323    /* Start of interlace block in the y direction */
 4324    static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
 4325 
 4326    /* Offset to next interlace block in the y direction */
 4327    static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
 4328 
 4329    png_debug(1, "in png_read_finish_row");
 4330    png_ptr->row_number++;
 4331    if (png_ptr->row_number < png_ptr->num_rows)
 4332       return;
 4333 
 4334    if (png_ptr->interlaced != 0)
 4335    {
 4336       png_ptr->row_number = 0;
 4337 
 4338       /* TO DO: don't do this if prev_row isn't needed (requires
 4339        * read-ahead of the next row's filter byte.
 4340        */
 4341       memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
 4342 
 4343       do
 4344       {
 4345          png_ptr->pass++;
 4346 
 4347          if (png_ptr->pass >= 7)
 4348             break;
 4349 
 4350          png_ptr->iwidth = (png_ptr->width +
 4351             png_pass_inc[png_ptr->pass] - 1 -
 4352             png_pass_start[png_ptr->pass]) /
 4353             png_pass_inc[png_ptr->pass];
 4354 
 4355          if ((png_ptr->transformations & PNG_INTERLACE) == 0)
 4356          {
 4357             png_ptr->num_rows = (png_ptr->height +
 4358                 png_pass_yinc[png_ptr->pass] - 1 -
 4359                 png_pass_ystart[png_ptr->pass]) /
 4360                 png_pass_yinc[png_ptr->pass];
 4361          }
 4362 
 4363          else  /* if (png_ptr->transformations & PNG_INTERLACE) */
 4364             break; /* libpng deinterlacing sees every row */
 4365 
 4366       } while (png_ptr->num_rows == 0 || png_ptr->iwidth == 0);
 4367 
 4368       if (png_ptr->pass < 7)
 4369          return;
 4370    }
 4371 
 4372    /* Here after at the end of the last row of the last pass. */
 4373    png_read_finish_IDAT(png_ptr);
 4374 }
 4375 #endif /* SEQUENTIAL_READ */
 4376 
 4377 void /* PRIVATE */
 4378 png_read_start_row(png_structrp png_ptr)
 4379 {
 4380    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
 4381 
 4382    /* Start of interlace block */
 4383    static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
 4384 
 4385    /* Offset to next interlace block */
 4386    static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
 4387 
 4388    /* Start of interlace block in the y direction */
 4389    static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
 4390 
 4391    /* Offset to next interlace block in the y direction */
 4392    static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
 4393 
 4394    unsigned int max_pixel_depth;
 4395    png_size_t row_bytes;
 4396 
 4397    png_debug(1, "in png_read_start_row");
 4398 
 4399 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
 4400    png_init_read_transformations(png_ptr);
 4401 #endif
 4402    if (png_ptr->interlaced != 0)
 4403    {
 4404       if ((png_ptr->transformations & PNG_INTERLACE) == 0)
 4405          png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
 4406              png_pass_ystart[0]) / png_pass_yinc[0];
 4407 
 4408       else
 4409          png_ptr->num_rows = png_ptr->height;
 4410 
 4411       png_ptr->iwidth = (png_ptr->width +
 4412           png_pass_inc[png_ptr->pass] - 1 -
 4413           png_pass_start[png_ptr->pass]) /
 4414           png_pass_inc[png_ptr->pass];
 4415    }
 4416 
 4417    else
 4418    {
 4419       png_ptr->num_rows = png_ptr->height;
 4420       png_ptr->iwidth = png_ptr->width;
 4421    }
 4422 
 4423    max_pixel_depth = (unsigned int)png_ptr->pixel_depth;
 4424 
 4425    /* WARNING: * png_read_transform_info (pngrtran.c) performs a simpler set of
 4426     * calculations to calculate the final pixel depth, then
 4427     * png_do_read_transforms actually does the transforms.  This means that the
 4428     * code which effectively calculates this value is actually repeated in three
 4429     * separate places.  They must all match.  Innocent changes to the order of
 4430     * transformations can and will break libpng in a way that causes memory
 4431     * overwrites.
 4432     *
 4433     * TODO: fix this.
 4434     */
 4435 #ifdef PNG_READ_PACK_SUPPORTED
 4436    if ((png_ptr->transformations & PNG_PACK) != 0 && png_ptr->bit_depth < 8)
 4437       max_pixel_depth = 8;
 4438 #endif
 4439 
 4440 #ifdef PNG_READ_EXPAND_SUPPORTED
 4441    if ((png_ptr->transformations & PNG_EXPAND) != 0)
 4442    {
 4443       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
 4444       {
 4445          if (png_ptr->num_trans != 0)
 4446             max_pixel_depth = 32;
 4447 
 4448          else
 4449             max_pixel_depth = 24;
 4450       }
 4451 
 4452       else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
 4453       {
 4454          if (max_pixel_depth < 8)
 4455             max_pixel_depth = 8;
 4456 
 4457          if (png_ptr->num_trans != 0)
 4458             max_pixel_depth *= 2;
 4459       }
 4460 
 4461       else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
 4462       {
 4463          if (png_ptr->num_trans != 0)
 4464          {
 4465             max_pixel_depth *= 4;
 4466             max_pixel_depth /= 3;
 4467          }
 4468       }
 4469    }
 4470 #endif
 4471 
 4472 #ifdef PNG_READ_EXPAND_16_SUPPORTED
 4473    if ((png_ptr->transformations & PNG_EXPAND_16) != 0)
 4474    {
 4475 #  ifdef PNG_READ_EXPAND_SUPPORTED
 4476       /* In fact it is an error if it isn't supported, but checking is
 4477        * the safe way.
 4478        */
 4479       if ((png_ptr->transformations & PNG_EXPAND) != 0)
 4480       {
 4481          if (png_ptr->bit_depth < 16)
 4482             max_pixel_depth *= 2;
 4483       }
 4484       else
 4485 #  endif
 4486       png_ptr->transformations &= ~PNG_EXPAND_16;
 4487    }
 4488 #endif
 4489 
 4490 #ifdef PNG_READ_FILLER_SUPPORTED
 4491    if ((png_ptr->transformations & (PNG_FILLER)) != 0)
 4492    {
 4493       if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
 4494       {
 4495          if (max_pixel_depth <= 8)
 4496             max_pixel_depth = 16;
 4497 
 4498          else
 4499             max_pixel_depth = 32;
 4500       }
 4501 
 4502       else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB ||
 4503          png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
 4504       {
 4505          if (max_pixel_depth <= 32)
 4506             max_pixel_depth = 32;
 4507 
 4508          else
 4509             max_pixel_depth = 64;
 4510       }
 4511    }
 4512 #endif
 4513 
 4514 #ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
 4515    if ((png_ptr->transformations & PNG_GRAY_TO_RGB) != 0)
 4516    {
 4517       if (
 4518 #ifdef PNG_READ_EXPAND_SUPPORTED
 4519           (png_ptr->num_trans != 0 &&
 4520           (png_ptr->transformations & PNG_EXPAND) != 0) ||
 4521 #endif
 4522 #ifdef PNG_READ_FILLER_SUPPORTED
 4523           (png_ptr->transformations & (PNG_FILLER)) != 0 ||
 4524 #endif
 4525           png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
 4526       {
 4527          if (max_pixel_depth <= 16)
 4528             max_pixel_depth = 32;
 4529 
 4530          else
 4531             max_pixel_depth = 64;
 4532       }
 4533 
 4534       else
 4535       {
 4536          if (max_pixel_depth <= 8)
 4537          {
 4538             if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
 4539                max_pixel_depth = 32;
 4540 
 4541             else
 4542                max_pixel_depth = 24;
 4543          }
 4544 
 4545          else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
 4546             max_pixel_depth = 64;
 4547 
 4548          else
 4549             max_pixel_depth = 48;
 4550       }
 4551    }
 4552 #endif
 4553 
 4554 #if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
 4555 defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
 4556    if ((png_ptr->transformations & PNG_USER_TRANSFORM) != 0)
 4557    {
 4558       unsigned int user_pixel_depth = png_ptr->user_transform_depth *
 4559          png_ptr->user_transform_channels;
 4560 
 4561       if (user_pixel_depth > max_pixel_depth)
 4562          max_pixel_depth = user_pixel_depth;
 4563    }
 4564 #endif
 4565 
 4566    /* This value is stored in png_struct and double checked in the row read
 4567     * code.
 4568     */
 4569    png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth;
 4570    png_ptr->transformed_pixel_depth = 0; /* calculated on demand */
 4571 
 4572    /* Align the width on the next larger 8 pixels.  Mainly used
 4573     * for interlacing
 4574     */
 4575    row_bytes = ((png_ptr->width + 7) & ~((png_uint_32)7));
 4576    /* Calculate the maximum bytes needed, adding a byte and a pixel
 4577     * for safety's sake
 4578     */
 4579    row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) +
 4580        1 + ((max_pixel_depth + 7) >> 3U);
 4581 
 4582 #ifdef PNG_MAX_MALLOC_64K
 4583    if (row_bytes > (png_uint_32)65536L)
 4584       png_error(png_ptr, "This image requires a row greater than 64KB");
 4585 #endif
 4586 
 4587    if (row_bytes + 48 > png_ptr->old_big_row_buf_size)
 4588    {
 4589       png_free(png_ptr, png_ptr->big_row_buf);
 4590       png_free(png_ptr, png_ptr->big_prev_row);
 4591 
 4592       if (png_ptr->interlaced != 0)
 4593          png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr,
 4594              row_bytes + 48);
 4595 
 4596       else
 4597          png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
 4598 
 4599       png_ptr->big_prev_row = (png_bytep)png_malloc(png_ptr, row_bytes + 48);
 4600 
 4601 #ifdef PNG_ALIGNED_MEMORY_SUPPORTED
 4602       /* Use 16-byte aligned memory for row_buf with at least 16 bytes
 4603        * of padding before and after row_buf; treat prev_row similarly.
 4604        * NOTE: the alignment is to the start of the pixels, one beyond the start
 4605        * of the buffer, because of the filter byte.  Prior to libpng 1.5.6 this
 4606        * was incorrect; the filter byte was aligned, which had the exact
 4607        * opposite effect of that intended.
 4608        */
 4609       {
 4610          png_bytep temp = png_ptr->big_row_buf + 32;
 4611          int extra = (int)((temp - (png_bytep)0) & 0x0f);
 4612          png_ptr->row_buf = temp - extra - 1/*filter byte*/;
 4613 
 4614          temp = png_ptr->big_prev_row + 32;
 4615          extra = (int)((temp - (png_bytep)0) & 0x0f);
 4616          png_ptr->prev_row = temp - extra - 1/*filter byte*/;
 4617       }
 4618 
 4619 #else
 4620       /* Use 31 bytes of padding before and 17 bytes after row_buf. */
 4621       png_ptr->row_buf = png_ptr->big_row_buf + 31;
 4622       png_ptr->prev_row = png_ptr->big_prev_row + 31;
 4623 #endif
 4624       png_ptr->old_big_row_buf_size = row_bytes + 48;
 4625    }
 4626 
 4627 #ifdef PNG_MAX_MALLOC_64K
 4628    if (png_ptr->rowbytes > 65535)
 4629       png_error(png_ptr, "This image requires a row greater than 64KB");
 4630 
 4631 #endif
 4632    if (png_ptr->rowbytes > (PNG_SIZE_MAX - 1))
 4633       png_error(png_ptr, "Row has too many bytes to allocate in memory");
 4634 
 4635    memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);
 4636 
 4637    png_debug1(3, "width = %u,", png_ptr->width);
 4638    png_debug1(3, "height = %u,", png_ptr->height);
 4639    png_debug1(3, "iwidth = %u,", png_ptr->iwidth);
 4640    png_debug1(3, "num_rows = %u,", png_ptr->num_rows);
 4641    png_debug1(3, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes);
 4642    png_debug1(3, "irowbytes = %lu",
 4643        (unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1);
 4644 
 4645    /* The sequential reader needs a buffer for IDAT, but the progressive reader
 4646     * does not, so free the read buffer now regardless; the sequential reader
 4647     * reallocates it on demand.
 4648     */
 4649    if (png_ptr->read_buffer != NULL)
 4650    {
 4651       png_bytep buffer = png_ptr->read_buffer;
 4652 
 4653       png_ptr->read_buffer_size = 0;
 4654       png_ptr->read_buffer = NULL;
 4655       png_free(png_ptr, buffer);
 4656    }
 4657 
 4658    /* Finally claim the zstream for the inflate of the IDAT data, use the bits
 4659     * value from the stream (note that this will result in a fatal error if the
 4660     * IDAT stream has a bogus deflate header window_bits value, but this should
 4661     * not be happening any longer!)
 4662     */
 4663    if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK)
 4664       png_error(png_ptr, png_ptr->zstream.msg);
 4665 
 4666    png_ptr->flags |= PNG_FLAG_ROW_INIT;
 4667 }
 4668 #endif /* READ */