pngpread.c (33203B)
1 /* pngpread.c - read a png file in push mode 2 * 3 * Copyright (c) 2018-2025 Cosmin Truta 4 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson 5 * Copyright (c) 1996-1997 Andreas Dilger 6 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. 7 * 8 * This code is released under the libpng license. 9 * For conditions of distribution and use, see the disclaimer 10 * and license in png.h 11 */ 12 13 #include "pngpriv.h" 14 15 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED 16 17 /* Push model modes */ 18 #define PNG_READ_SIG_MODE 0 19 #define PNG_READ_CHUNK_MODE 1 20 #define PNG_READ_IDAT_MODE 2 21 #define PNG_READ_tEXt_MODE 4 22 #define PNG_READ_zTXt_MODE 5 23 #define PNG_READ_DONE_MODE 6 24 #define PNG_READ_iTXt_MODE 7 25 #define PNG_ERROR_MODE 8 26 27 #define PNG_PUSH_SAVE_BUFFER_IF_FULL \ 28 if (png_ptr->push_length + 4 > png_ptr->buffer_size) \ 29 { png_push_save_buffer(png_ptr); return; } 30 #define PNG_PUSH_SAVE_BUFFER_IF_LT(N) \ 31 if (png_ptr->buffer_size < N) \ 32 { png_push_save_buffer(png_ptr); return; } 33 34 #ifdef PNG_READ_INTERLACING_SUPPORTED 35 /* Arrays to facilitate interlacing - use pass (0 - 6) as index. */ 36 37 /* Start of interlace block */ 38 static const png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0}; 39 /* Offset to next interlace block */ 40 static const png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1}; 41 /* Start of interlace block in the y direction */ 42 static const png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1}; 43 /* Offset to next interlace block in the y direction */ 44 static const png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2}; 45 46 /* TODO: Move these arrays to a common utility module to avoid duplication. */ 47 #endif 48 49 void PNGAPI 50 png_process_data(png_structrp png_ptr, png_inforp info_ptr, 51 png_bytep buffer, size_t buffer_size) 52 { 53 if (png_ptr == NULL || info_ptr == NULL) 54 return; 55 56 png_push_restore_buffer(png_ptr, buffer, buffer_size); 57 58 while (png_ptr->buffer_size) 59 { 60 png_process_some_data(png_ptr, info_ptr); 61 } 62 } 63 64 size_t PNGAPI 65 png_process_data_pause(png_structrp png_ptr, int save) 66 { 67 if (png_ptr != NULL) 68 { 69 /* It's easiest for the caller if we do the save; then the caller doesn't 70 * have to supply the same data again: 71 */ 72 if (save != 0) 73 png_push_save_buffer(png_ptr); 74 else 75 { 76 /* This includes any pending saved bytes: */ 77 size_t remaining = png_ptr->buffer_size; 78 png_ptr->buffer_size = 0; 79 80 /* So subtract the saved buffer size, unless all the data 81 * is actually 'saved', in which case we just return 0 82 */ 83 if (png_ptr->save_buffer_size < remaining) 84 return remaining - png_ptr->save_buffer_size; 85 } 86 } 87 88 return 0; 89 } 90 91 png_uint_32 PNGAPI 92 png_process_data_skip(png_structrp png_ptr) 93 { 94 /* TODO: Deprecate and remove this API. 95 * Somewhere the implementation of this seems to have been lost, 96 * or abandoned. It was only to support some internal back-door access 97 * to png_struct) in libpng-1.4.x. 98 */ 99 png_app_warning(png_ptr, 100 "png_process_data_skip is not implemented in any current version of libpng"); 101 return 0; 102 } 103 104 /* What we do with the incoming data depends on what we were previously 105 * doing before we ran out of data... 106 */ 107 void /* PRIVATE */ 108 png_process_some_data(png_structrp png_ptr, png_inforp info_ptr) 109 { 110 if (png_ptr == NULL) 111 return; 112 113 switch (png_ptr->process_mode) 114 { 115 case PNG_READ_SIG_MODE: 116 { 117 png_push_read_sig(png_ptr, info_ptr); 118 break; 119 } 120 121 case PNG_READ_CHUNK_MODE: 122 { 123 png_push_read_chunk(png_ptr, info_ptr); 124 break; 125 } 126 127 case PNG_READ_IDAT_MODE: 128 { 129 png_push_read_IDAT(png_ptr); 130 break; 131 } 132 133 default: 134 { 135 png_ptr->buffer_size = 0; 136 break; 137 } 138 } 139 } 140 141 /* Read any remaining signature bytes from the stream and compare them with 142 * the correct PNG signature. It is possible that this routine is called 143 * with bytes already read from the signature, either because they have been 144 * checked by the calling application, or because of multiple calls to this 145 * routine. 146 */ 147 void /* PRIVATE */ 148 png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr) 149 { 150 size_t num_checked = png_ptr->sig_bytes; /* SAFE, does not exceed 8 */ 151 size_t num_to_check = 8 - num_checked; 152 153 if (png_ptr->buffer_size < num_to_check) 154 { 155 num_to_check = png_ptr->buffer_size; 156 } 157 158 png_push_fill_buffer(png_ptr, &(info_ptr->signature[num_checked]), 159 num_to_check); 160 png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + num_to_check); 161 162 if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check) != 0) 163 { 164 if (num_checked < 4 && 165 png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4) != 0) 166 png_error(png_ptr, "Not a PNG file"); 167 168 else 169 png_error(png_ptr, "PNG file corrupted by ASCII conversion"); 170 } 171 else 172 { 173 if (png_ptr->sig_bytes >= 8) 174 { 175 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 176 } 177 } 178 } 179 180 void /* PRIVATE */ 181 png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr) 182 { 183 png_uint_32 chunk_name; 184 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 185 int keep; /* unknown handling method */ 186 #endif 187 188 /* First we make sure we have enough data for the 4-byte chunk name 189 * and the 4-byte chunk length before proceeding with decoding the 190 * chunk data. To fully decode each of these chunks, we also make 191 * sure we have enough data in the buffer for the 4-byte CRC at the 192 * end of every chunk (except IDAT, which is handled separately). 193 */ 194 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0) 195 { 196 PNG_PUSH_SAVE_BUFFER_IF_LT(8) 197 png_ptr->push_length = png_read_chunk_header(png_ptr); 198 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 199 } 200 201 chunk_name = png_ptr->chunk_name; 202 203 #ifdef PNG_READ_APNG_SUPPORTED 204 if (png_ptr->num_frames_read > 0 && 205 png_ptr->num_frames_read < info_ptr->num_frames) 206 { 207 if (chunk_name == png_IDAT) 208 { 209 /* Discard trailing IDATs for the first frame */ 210 if ((png_ptr->mode & PNG_HAVE_fcTL) != 0 || 211 png_ptr->num_frames_read > 1) 212 png_error(png_ptr, "out of place IDAT"); 213 214 PNG_PUSH_SAVE_BUFFER_IF_FULL 215 png_crc_finish(png_ptr, png_ptr->push_length); 216 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 217 } 218 219 else if (chunk_name == png_fdAT) 220 { 221 PNG_PUSH_SAVE_BUFFER_IF_LT(4) 222 png_ensure_sequence_number(png_ptr, 4); 223 224 if ((png_ptr->mode & PNG_HAVE_fcTL) == 0) 225 { 226 /* Discard trailing fdATs for frames other than the first */ 227 if (png_ptr->num_frames_read < 2) 228 png_error(png_ptr, "out of place fdAT"); 229 230 PNG_PUSH_SAVE_BUFFER_IF_FULL 231 png_crc_finish(png_ptr, png_ptr->push_length); 232 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 233 } 234 235 else 236 { 237 /* frame data follows */ 238 png_ptr->idat_size = png_ptr->push_length - 4; 239 png_ptr->mode |= PNG_HAVE_IDAT; 240 png_ptr->process_mode = PNG_READ_IDAT_MODE; 241 } 242 } 243 244 else if (chunk_name == png_fcTL) 245 { 246 PNG_PUSH_SAVE_BUFFER_IF_FULL 247 png_read_reset(png_ptr); 248 png_ptr->mode &= ~PNG_HAVE_fcTL; 249 250 png_handle_fcTL(png_ptr, info_ptr, png_ptr->push_length); 251 252 if ((png_ptr->mode & PNG_HAVE_fcTL) == 0) 253 png_error(png_ptr, "missing required fcTL chunk"); 254 255 png_read_reinit(png_ptr, info_ptr); 256 png_progressive_read_reset(png_ptr); 257 258 if (png_ptr->frame_info_fn != NULL) 259 (*(png_ptr->frame_info_fn))(png_ptr, png_ptr->num_frames_read); 260 261 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 262 } 263 264 else if (chunk_name == png_IEND) 265 { 266 PNG_PUSH_SAVE_BUFFER_IF_FULL 267 png_warning(png_ptr, "Number of actual frames fewer than expected"); 268 png_crc_finish(png_ptr, png_ptr->push_length); 269 png_ptr->process_mode = PNG_READ_DONE_MODE; 270 png_push_have_end(png_ptr, info_ptr); 271 } 272 273 else 274 { 275 PNG_PUSH_SAVE_BUFFER_IF_FULL 276 png_warning(png_ptr, "Skipped (ignored) a chunk " 277 "between APNG chunks"); 278 png_crc_finish(png_ptr, png_ptr->push_length); 279 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 280 } 281 282 return; 283 } 284 #endif /* READ_APNG */ 285 286 if (chunk_name == png_IDAT) 287 { 288 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0) 289 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT; 290 291 /* If we reach an IDAT chunk, this means we have read all of the 292 * header chunks, and we can start reading the image (or if this 293 * is called after the image has been read - we have an error). 294 */ 295 if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) 296 png_error(png_ptr, "Missing IHDR before IDAT"); 297 298 else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE && 299 (png_ptr->mode & PNG_HAVE_PLTE) == 0) 300 png_error(png_ptr, "Missing PLTE before IDAT"); 301 302 png_ptr->process_mode = PNG_READ_IDAT_MODE; 303 304 if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) 305 if ((png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) == 0) 306 if (png_ptr->push_length == 0) 307 return; 308 309 png_ptr->mode |= PNG_HAVE_IDAT; 310 311 if ((png_ptr->mode & PNG_AFTER_IDAT) != 0) 312 png_benign_error(png_ptr, "Too many IDATs found"); 313 } 314 315 else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0) 316 { 317 /* These flags must be set consistently for all non-IDAT chunks, 318 * including the unknown chunks. 319 */ 320 png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT | PNG_AFTER_IDAT; 321 } 322 323 if (chunk_name == png_IHDR) 324 { 325 if (png_ptr->push_length != 13) 326 png_error(png_ptr, "Invalid IHDR length"); 327 328 PNG_PUSH_SAVE_BUFFER_IF_FULL 329 png_handle_chunk(png_ptr, info_ptr, png_ptr->push_length); 330 } 331 332 else if (chunk_name == png_IEND) 333 { 334 PNG_PUSH_SAVE_BUFFER_IF_FULL 335 png_handle_chunk(png_ptr, info_ptr, png_ptr->push_length); 336 337 png_ptr->process_mode = PNG_READ_DONE_MODE; 338 png_push_have_end(png_ptr, info_ptr); 339 } 340 341 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED 342 else if ((keep = png_chunk_unknown_handling(png_ptr, chunk_name)) != 0) 343 { 344 PNG_PUSH_SAVE_BUFFER_IF_FULL 345 png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length, keep); 346 347 if (chunk_name == png_PLTE) 348 png_ptr->mode |= PNG_HAVE_PLTE; 349 } 350 #endif 351 352 else if (chunk_name == png_IDAT) 353 { 354 #ifdef PNG_READ_APNG_SUPPORTED 355 png_have_info(png_ptr, info_ptr); 356 #endif 357 png_ptr->idat_size = png_ptr->push_length; 358 png_ptr->process_mode = PNG_READ_IDAT_MODE; 359 png_push_have_info(png_ptr, info_ptr); 360 png_ptr->zstream.avail_out = 361 (uInt) PNG_ROWBYTES(png_ptr->pixel_depth, 362 png_ptr->iwidth) + 1; 363 png_ptr->zstream.next_out = png_ptr->row_buf; 364 return; 365 } 366 367 #ifdef PNG_READ_APNG_SUPPORTED 368 else if (chunk_name == png_acTL) 369 { 370 PNG_PUSH_SAVE_BUFFER_IF_FULL 371 png_handle_acTL(png_ptr, info_ptr, png_ptr->push_length); 372 } 373 374 else if (chunk_name == png_fcTL) 375 { 376 PNG_PUSH_SAVE_BUFFER_IF_FULL 377 png_handle_fcTL(png_ptr, info_ptr, png_ptr->push_length); 378 } 379 380 #endif /* READ_APNG */ 381 else 382 { 383 PNG_PUSH_SAVE_BUFFER_IF_FULL 384 png_handle_chunk(png_ptr, info_ptr, png_ptr->push_length); 385 } 386 387 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 388 } 389 390 void PNGCBAPI 391 png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, size_t length) 392 { 393 png_bytep ptr; 394 395 if (png_ptr == NULL) 396 return; 397 398 ptr = buffer; 399 if (png_ptr->save_buffer_size != 0) 400 { 401 size_t save_size; 402 403 if (length < png_ptr->save_buffer_size) 404 save_size = length; 405 406 else 407 save_size = png_ptr->save_buffer_size; 408 409 memcpy(ptr, png_ptr->save_buffer_ptr, save_size); 410 length -= save_size; 411 ptr += save_size; 412 png_ptr->buffer_size -= save_size; 413 png_ptr->save_buffer_size -= save_size; 414 png_ptr->save_buffer_ptr += save_size; 415 } 416 if (length != 0 && png_ptr->current_buffer_size != 0) 417 { 418 size_t save_size; 419 420 if (length < png_ptr->current_buffer_size) 421 save_size = length; 422 423 else 424 save_size = png_ptr->current_buffer_size; 425 426 memcpy(ptr, png_ptr->current_buffer_ptr, save_size); 427 png_ptr->buffer_size -= save_size; 428 png_ptr->current_buffer_size -= save_size; 429 png_ptr->current_buffer_ptr += save_size; 430 } 431 } 432 433 void /* PRIVATE */ 434 png_push_save_buffer(png_structrp png_ptr) 435 { 436 if (png_ptr->save_buffer_size != 0) 437 { 438 if (png_ptr->save_buffer_ptr != png_ptr->save_buffer) 439 { 440 size_t i, istop; 441 png_bytep sp; 442 png_bytep dp; 443 444 istop = png_ptr->save_buffer_size; 445 for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer; 446 i < istop; i++, sp++, dp++) 447 { 448 *dp = *sp; 449 } 450 } 451 } 452 if (png_ptr->save_buffer_size + png_ptr->current_buffer_size > 453 png_ptr->save_buffer_max) 454 { 455 size_t new_max; 456 png_bytep old_buffer; 457 458 if (png_ptr->save_buffer_size > PNG_SIZE_MAX - 459 (png_ptr->current_buffer_size + 256)) 460 { 461 png_error(png_ptr, "Potential overflow of save_buffer"); 462 } 463 464 new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; 465 old_buffer = png_ptr->save_buffer; 466 png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr, 467 (size_t)new_max); 468 469 if (png_ptr->save_buffer == NULL) 470 { 471 png_free(png_ptr, old_buffer); 472 png_error(png_ptr, "Insufficient memory for save_buffer"); 473 } 474 475 if (old_buffer) 476 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size); 477 else if (png_ptr->save_buffer_size) 478 png_error(png_ptr, "save_buffer error"); 479 png_free(png_ptr, old_buffer); 480 png_ptr->save_buffer_max = new_max; 481 } 482 if (png_ptr->current_buffer_size) 483 { 484 memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size, 485 png_ptr->current_buffer_ptr, png_ptr->current_buffer_size); 486 png_ptr->save_buffer_size += png_ptr->current_buffer_size; 487 png_ptr->current_buffer_size = 0; 488 } 489 png_ptr->save_buffer_ptr = png_ptr->save_buffer; 490 png_ptr->buffer_size = 0; 491 } 492 493 void /* PRIVATE */ 494 png_push_restore_buffer(png_structrp png_ptr, png_bytep buffer, 495 size_t buffer_length) 496 { 497 png_ptr->current_buffer = buffer; 498 png_ptr->current_buffer_size = buffer_length; 499 png_ptr->buffer_size = buffer_length + png_ptr->save_buffer_size; 500 png_ptr->current_buffer_ptr = png_ptr->current_buffer; 501 } 502 503 void /* PRIVATE */ 504 png_push_read_IDAT(png_structrp png_ptr) 505 { 506 if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0) 507 { 508 png_byte chunk_length[4]; 509 png_byte chunk_tag[4]; 510 511 /* TODO: this code can be commoned up with the same code in push_read */ 512 #ifdef PNG_READ_APNG_SUPPORTED 513 PNG_PUSH_SAVE_BUFFER_IF_LT(12) 514 #else 515 PNG_PUSH_SAVE_BUFFER_IF_LT(8) 516 #endif 517 png_push_fill_buffer(png_ptr, chunk_length, 4); 518 png_ptr->push_length = png_get_uint_31(png_ptr, chunk_length); 519 png_reset_crc(png_ptr); 520 png_crc_read(png_ptr, chunk_tag, 4); 521 png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(chunk_tag); 522 png_ptr->mode |= PNG_HAVE_CHUNK_HEADER; 523 524 #ifdef PNG_READ_APNG_SUPPORTED 525 if (png_ptr->chunk_name != png_fdAT && png_ptr->num_frames_read > 0) 526 { 527 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) != 0) 528 { 529 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 530 if (png_ptr->frame_end_fn != NULL) 531 (*(png_ptr->frame_end_fn))(png_ptr, png_ptr->num_frames_read); 532 png_ptr->num_frames_read++; 533 return; 534 } 535 else 536 { 537 if (png_ptr->chunk_name == png_IEND) 538 png_error(png_ptr, "Not enough image data"); 539 PNG_PUSH_SAVE_BUFFER_IF_FULL 540 png_warning(png_ptr, "Skipping (ignoring) a chunk between " 541 "APNG chunks"); 542 png_crc_finish(png_ptr, png_ptr->push_length); 543 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 544 return; 545 } 546 } 547 else 548 #endif 549 #ifdef PNG_READ_APNG_SUPPORTED 550 if (png_ptr->chunk_name != png_IDAT && png_ptr->num_frames_read == 0) 551 #else 552 if (png_ptr->chunk_name != png_IDAT) 553 #endif 554 { 555 png_ptr->process_mode = PNG_READ_CHUNK_MODE; 556 557 if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) 558 png_error(png_ptr, "Not enough compressed data"); 559 560 #ifdef PNG_READ_APNG_SUPPORTED 561 if (png_ptr->frame_end_fn != NULL) 562 (*(png_ptr->frame_end_fn))(png_ptr, png_ptr->num_frames_read); 563 png_ptr->num_frames_read++; 564 #endif 565 566 return; 567 } 568 569 png_ptr->idat_size = png_ptr->push_length; 570 571 #ifdef PNG_READ_APNG_SUPPORTED 572 if (png_ptr->num_frames_read > 0) 573 { 574 png_ensure_sequence_number(png_ptr, 4); 575 png_ptr->idat_size -= 4; 576 } 577 #endif 578 } 579 580 if (png_ptr->idat_size != 0 && png_ptr->save_buffer_size != 0) 581 { 582 size_t save_size = png_ptr->save_buffer_size; 583 png_uint_32 idat_size = png_ptr->idat_size; 584 585 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 586 * are of different types and we don't know which variable has the fewest 587 * bits. Carefully select the smaller and cast it to the type of the 588 * larger - this cannot overflow. Do not cast in the following test - it 589 * will break on either 16-bit or 64-bit platforms. 590 */ 591 if (idat_size < save_size) 592 save_size = (size_t)idat_size; 593 594 else 595 idat_size = (png_uint_32)save_size; 596 597 png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size); 598 599 png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, save_size); 600 601 png_ptr->idat_size -= idat_size; 602 png_ptr->buffer_size -= save_size; 603 png_ptr->save_buffer_size -= save_size; 604 png_ptr->save_buffer_ptr += save_size; 605 } 606 607 if (png_ptr->idat_size != 0 && png_ptr->current_buffer_size != 0) 608 { 609 size_t save_size = png_ptr->current_buffer_size; 610 png_uint_32 idat_size = png_ptr->idat_size; 611 612 /* We want the smaller of 'idat_size' and 'current_buffer_size', but they 613 * are of different types and we don't know which variable has the fewest 614 * bits. Carefully select the smaller and cast it to the type of the 615 * larger - this cannot overflow. 616 */ 617 if (idat_size < save_size) 618 save_size = (size_t)idat_size; 619 620 else 621 idat_size = (png_uint_32)save_size; 622 623 png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size); 624 625 png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, save_size); 626 627 png_ptr->idat_size -= idat_size; 628 png_ptr->buffer_size -= save_size; 629 png_ptr->current_buffer_size -= save_size; 630 png_ptr->current_buffer_ptr += save_size; 631 } 632 633 if (png_ptr->idat_size == 0) 634 { 635 PNG_PUSH_SAVE_BUFFER_IF_LT(4) 636 png_crc_finish(png_ptr, 0); 637 png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; 638 png_ptr->mode |= PNG_AFTER_IDAT; 639 png_ptr->zowner = 0; 640 } 641 } 642 643 void /* PRIVATE */ 644 png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer, 645 size_t buffer_length) 646 { 647 /* The caller checks for a non-zero buffer length. */ 648 if (!(buffer_length > 0) || buffer == NULL) 649 png_error(png_ptr, "No IDAT data (internal error)"); 650 651 #ifdef PNG_READ_APNG_SUPPORTED 652 /* If the app is not APNG-aware, decode only the first frame */ 653 if ((png_ptr->apng_flags & PNG_APNG_APP) == 0 && 654 png_ptr->num_frames_read > 0) 655 { 656 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 657 return; 658 } 659 #endif 660 661 /* This routine must process all the data it has been given 662 * before returning, calling the row callback as required to 663 * handle the uncompressed results. 664 */ 665 png_ptr->zstream.next_in = buffer; 666 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 667 png_ptr->zstream.avail_in = (uInt)buffer_length; 668 669 /* Keep going until the decompressed data is all processed 670 * or the stream marked as finished. 671 */ 672 while (png_ptr->zstream.avail_in > 0 && 673 (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) 674 { 675 int ret; 676 677 /* We have data for zlib, but we must check that zlib 678 * has someplace to put the results. It doesn't matter 679 * if we don't expect any results -- it may be the input 680 * data is just the LZ end code. 681 */ 682 if (!(png_ptr->zstream.avail_out > 0)) 683 { 684 /* TODO: WARNING: TRUNCATION ERROR: DANGER WILL ROBINSON: */ 685 png_ptr->zstream.avail_out = (uInt)(PNG_ROWBYTES(png_ptr->pixel_depth, 686 png_ptr->iwidth) + 1); 687 688 png_ptr->zstream.next_out = png_ptr->row_buf; 689 } 690 691 /* Using Z_SYNC_FLUSH here means that an unterminated 692 * LZ stream (a stream with a missing end code) can still 693 * be handled, otherwise (Z_NO_FLUSH) a future zlib 694 * implementation might defer output and therefore 695 * change the current behavior (see comments in inflate.c 696 * for why this doesn't happen at present with zlib 1.2.5). 697 */ 698 ret = PNG_INFLATE(png_ptr, Z_SYNC_FLUSH); 699 700 /* Check for any failure before proceeding. */ 701 if (ret != Z_OK && ret != Z_STREAM_END) 702 { 703 /* Terminate the decompression. */ 704 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 705 png_ptr->zowner = 0; 706 707 /* This may be a truncated stream (missing or 708 * damaged end code). Treat that as a warning. 709 */ 710 if (png_ptr->row_number >= png_ptr->num_rows || 711 png_ptr->pass > 6) 712 png_warning(png_ptr, "Truncated compressed data in IDAT"); 713 714 else 715 { 716 if (ret == Z_DATA_ERROR) 717 png_benign_error(png_ptr, "IDAT: ADLER32 checksum mismatch"); 718 else 719 png_error(png_ptr, "Decompression error in IDAT"); 720 } 721 722 /* Skip the check on unprocessed input */ 723 return; 724 } 725 726 /* Did inflate output any data? */ 727 if (png_ptr->zstream.next_out != png_ptr->row_buf) 728 { 729 /* Is this unexpected data after the last row? 730 * If it is, artificially terminate the LZ output 731 * here. 732 */ 733 if (png_ptr->row_number >= png_ptr->num_rows || 734 png_ptr->pass > 6) 735 { 736 /* Extra data. */ 737 png_warning(png_ptr, "Extra compressed data in IDAT"); 738 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 739 png_ptr->zowner = 0; 740 741 /* Do no more processing; skip the unprocessed 742 * input check below. 743 */ 744 return; 745 } 746 747 /* Do we have a complete row? */ 748 if (png_ptr->zstream.avail_out == 0) 749 png_push_process_row(png_ptr); 750 } 751 752 /* And check for the end of the stream. */ 753 if (ret == Z_STREAM_END) 754 png_ptr->flags |= PNG_FLAG_ZSTREAM_ENDED; 755 } 756 757 /* All the data should have been processed, if anything 758 * is left at this point we have bytes of IDAT data 759 * after the zlib end code. 760 */ 761 if (png_ptr->zstream.avail_in > 0) 762 png_warning(png_ptr, "Extra compression data in IDAT"); 763 } 764 765 void /* PRIVATE */ 766 png_push_process_row(png_structrp png_ptr) 767 { 768 /* 1.5.6: row_info moved out of png_struct to a local here. */ 769 png_row_info row_info; 770 771 row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */ 772 row_info.color_type = png_ptr->color_type; 773 row_info.bit_depth = png_ptr->bit_depth; 774 row_info.channels = png_ptr->channels; 775 row_info.pixel_depth = png_ptr->pixel_depth; 776 row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width); 777 778 if (png_ptr->row_buf[0] > PNG_FILTER_VALUE_NONE) 779 { 780 if (png_ptr->row_buf[0] < PNG_FILTER_VALUE_LAST) 781 png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1, 782 png_ptr->prev_row + 1, png_ptr->row_buf[0]); 783 else 784 png_error(png_ptr, "bad adaptive filter value"); 785 } 786 787 /* libpng 1.5.6: the following line was copying png_ptr->rowbytes before 788 * 1.5.6, while the buffer really is this big in current versions of libpng 789 * it may not be in the future, so this was changed just to copy the 790 * interlaced row count: 791 */ 792 memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1); 793 794 #ifdef PNG_READ_TRANSFORMS_SUPPORTED 795 if (png_ptr->transformations != 0) 796 png_do_read_transformations(png_ptr, &row_info); 797 #endif 798 799 /* The transformed pixel depth should match the depth now in row_info. */ 800 if (png_ptr->transformed_pixel_depth == 0) 801 { 802 png_ptr->transformed_pixel_depth = row_info.pixel_depth; 803 if (row_info.pixel_depth > png_ptr->maximum_pixel_depth) 804 png_error(png_ptr, "progressive row overflow"); 805 } 806 807 else if (png_ptr->transformed_pixel_depth != row_info.pixel_depth) 808 png_error(png_ptr, "internal progressive row size calculation error"); 809 810 811 #ifdef PNG_READ_INTERLACING_SUPPORTED 812 /* Expand interlaced rows to full size */ 813 if (png_ptr->interlaced != 0 && 814 (png_ptr->transformations & PNG_INTERLACE) != 0) 815 { 816 if (png_ptr->pass < 6) 817 png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass, 818 png_ptr->transformations); 819 820 switch (png_ptr->pass) 821 { 822 case 0: 823 { 824 int i; 825 for (i = 0; i < 8 && png_ptr->pass == 0; i++) 826 { 827 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 828 png_read_push_finish_row(png_ptr); /* Updates png_ptr->pass */ 829 } 830 831 if (png_ptr->pass == 2) /* Pass 1 might be empty */ 832 { 833 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 834 { 835 png_push_have_row(png_ptr, NULL); 836 png_read_push_finish_row(png_ptr); 837 } 838 } 839 840 if (png_ptr->pass == 4 && png_ptr->height <= 4) 841 { 842 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 843 { 844 png_push_have_row(png_ptr, NULL); 845 png_read_push_finish_row(png_ptr); 846 } 847 } 848 849 if (png_ptr->pass == 6 && png_ptr->height <= 4) 850 { 851 png_push_have_row(png_ptr, NULL); 852 png_read_push_finish_row(png_ptr); 853 } 854 855 break; 856 } 857 858 case 1: 859 { 860 int i; 861 for (i = 0; i < 8 && png_ptr->pass == 1; i++) 862 { 863 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 864 png_read_push_finish_row(png_ptr); 865 } 866 867 if (png_ptr->pass == 2) /* Skip top 4 generated rows */ 868 { 869 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 870 { 871 png_push_have_row(png_ptr, NULL); 872 png_read_push_finish_row(png_ptr); 873 } 874 } 875 876 break; 877 } 878 879 case 2: 880 { 881 int i; 882 883 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 884 { 885 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 886 png_read_push_finish_row(png_ptr); 887 } 888 889 for (i = 0; i < 4 && png_ptr->pass == 2; i++) 890 { 891 png_push_have_row(png_ptr, NULL); 892 png_read_push_finish_row(png_ptr); 893 } 894 895 if (png_ptr->pass == 4) /* Pass 3 might be empty */ 896 { 897 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 898 { 899 png_push_have_row(png_ptr, NULL); 900 png_read_push_finish_row(png_ptr); 901 } 902 } 903 904 break; 905 } 906 907 case 3: 908 { 909 int i; 910 911 for (i = 0; i < 4 && png_ptr->pass == 3; i++) 912 { 913 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 914 png_read_push_finish_row(png_ptr); 915 } 916 917 if (png_ptr->pass == 4) /* Skip top two generated rows */ 918 { 919 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 920 { 921 png_push_have_row(png_ptr, NULL); 922 png_read_push_finish_row(png_ptr); 923 } 924 } 925 926 break; 927 } 928 929 case 4: 930 { 931 int i; 932 933 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 934 { 935 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 936 png_read_push_finish_row(png_ptr); 937 } 938 939 for (i = 0; i < 2 && png_ptr->pass == 4; i++) 940 { 941 png_push_have_row(png_ptr, NULL); 942 png_read_push_finish_row(png_ptr); 943 } 944 945 if (png_ptr->pass == 6) /* Pass 5 might be empty */ 946 { 947 png_push_have_row(png_ptr, NULL); 948 png_read_push_finish_row(png_ptr); 949 } 950 951 break; 952 } 953 954 case 5: 955 { 956 int i; 957 958 for (i = 0; i < 2 && png_ptr->pass == 5; i++) 959 { 960 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 961 png_read_push_finish_row(png_ptr); 962 } 963 964 if (png_ptr->pass == 6) /* Skip top generated row */ 965 { 966 png_push_have_row(png_ptr, NULL); 967 png_read_push_finish_row(png_ptr); 968 } 969 970 break; 971 } 972 973 default: 974 case 6: 975 { 976 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 977 png_read_push_finish_row(png_ptr); 978 979 if (png_ptr->pass != 6) 980 break; 981 982 png_push_have_row(png_ptr, NULL); 983 png_read_push_finish_row(png_ptr); 984 } 985 } 986 } 987 else 988 #endif 989 { 990 png_push_have_row(png_ptr, png_ptr->row_buf + 1); 991 png_read_push_finish_row(png_ptr); 992 } 993 } 994 995 void /* PRIVATE */ 996 png_read_push_finish_row(png_structrp png_ptr) 997 { 998 png_ptr->row_number++; 999 if (png_ptr->row_number < png_ptr->num_rows) 1000 return; 1001 1002 #ifdef PNG_READ_INTERLACING_SUPPORTED 1003 if (png_ptr->interlaced != 0) 1004 { 1005 png_ptr->row_number = 0; 1006 memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1); 1007 1008 do 1009 { 1010 png_ptr->pass++; 1011 if ((png_ptr->pass == 1 && png_ptr->width < 5) || 1012 (png_ptr->pass == 3 && png_ptr->width < 3) || 1013 (png_ptr->pass == 5 && png_ptr->width < 2)) 1014 png_ptr->pass++; 1015 1016 if (png_ptr->pass > 7) 1017 png_ptr->pass--; 1018 1019 if (png_ptr->pass >= 7) 1020 break; 1021 1022 png_ptr->iwidth = (png_ptr->width + 1023 png_pass_inc[png_ptr->pass] - 1 - 1024 png_pass_start[png_ptr->pass]) / 1025 png_pass_inc[png_ptr->pass]; 1026 1027 if ((png_ptr->transformations & PNG_INTERLACE) != 0) 1028 break; 1029 1030 png_ptr->num_rows = (png_ptr->height + 1031 png_pass_yinc[png_ptr->pass] - 1 - 1032 png_pass_ystart[png_ptr->pass]) / 1033 png_pass_yinc[png_ptr->pass]; 1034 1035 } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0); 1036 } 1037 #endif /* READ_INTERLACING */ 1038 } 1039 1040 void /* PRIVATE */ 1041 png_push_have_info(png_structrp png_ptr, png_inforp info_ptr) 1042 { 1043 if (png_ptr->info_fn != NULL) 1044 (*(png_ptr->info_fn))(png_ptr, info_ptr); 1045 } 1046 1047 void /* PRIVATE */ 1048 png_push_have_end(png_structrp png_ptr, png_inforp info_ptr) 1049 { 1050 if (png_ptr->end_fn != NULL) 1051 (*(png_ptr->end_fn))(png_ptr, info_ptr); 1052 } 1053 1054 void /* PRIVATE */ 1055 png_push_have_row(png_structrp png_ptr, png_bytep row) 1056 { 1057 if (png_ptr->row_fn != NULL) 1058 (*(png_ptr->row_fn))(png_ptr, row, png_ptr->row_number, 1059 (int)png_ptr->pass); 1060 } 1061 1062 #ifdef PNG_READ_INTERLACING_SUPPORTED 1063 void PNGAPI 1064 png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row, 1065 png_const_bytep new_row) 1066 { 1067 if (png_ptr == NULL) 1068 return; 1069 1070 /* new_row is a flag here - if it is NULL then the app callback was called 1071 * from an empty row (see the calls to png_struct::row_fn below), otherwise 1072 * it must be png_ptr->row_buf+1 1073 */ 1074 if (new_row != NULL) 1075 png_combine_row(png_ptr, old_row, 1/*blocky display*/); 1076 } 1077 #endif /* READ_INTERLACING */ 1078 1079 void PNGAPI 1080 png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr, 1081 png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn, 1082 png_progressive_end_ptr end_fn) 1083 { 1084 if (png_ptr == NULL) 1085 return; 1086 1087 png_ptr->info_fn = info_fn; 1088 png_ptr->row_fn = row_fn; 1089 png_ptr->end_fn = end_fn; 1090 1091 png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer); 1092 } 1093 1094 #ifdef PNG_READ_APNG_SUPPORTED 1095 void PNGAPI 1096 png_set_progressive_frame_fn(png_structp png_ptr, 1097 png_progressive_frame_ptr frame_info_fn, 1098 png_progressive_frame_ptr frame_end_fn) 1099 { 1100 png_ptr->frame_info_fn = frame_info_fn; 1101 png_ptr->frame_end_fn = frame_end_fn; 1102 png_ptr->apng_flags |= PNG_APNG_APP; 1103 } 1104 #endif 1105 1106 png_voidp PNGAPI 1107 png_get_progressive_ptr(png_const_structrp png_ptr) 1108 { 1109 if (png_ptr == NULL) 1110 return NULL; 1111 1112 return png_ptr->io_ptr; 1113 } 1114 #endif /* PROGRESSIVE_READ */