pngrutil.c source code [Aseprite/third_party/libpng/pngrutil.c]

1
2	/ pngrutil.c - utilities to read a PNG file*
3	*
4	* Copyright (c) 2018 Cosmin Truta
5	* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
6	* Copyright (c) 1996-1997 Andreas Dilger
7	* Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8	*
9	* This code is released under the libpng license.
10	* For conditions of distribution and use, see the disclaimer
11	* and license in png.h
12	*
13	* This file contains routines that are only called from within
14	* libpng itself during the course of reading an image.
15	*/
16
17	#include "pngpriv.h"
18
19	#ifdef PNG_READ_SUPPORTED
20
21	png_uint_32 PNGAPI
22	png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf)
23	{
24	png_uint_32 uval = png_get_uint_32(buf);
25
26	if (uval > PNG_UINT_31_MAX)
27	png_error(png_ptr, "PNG unsigned integer out of range");
28
29	return (uval);
30	}
31
32	#if defined(PNG_READ_gAMA_SUPPORTED) \|\| defined(PNG_READ_cHRM_SUPPORTED)
33	/ The following is a variation on the above for use with the fixed*
34	* point values used for gAMA and cHRM. Instead of png_error it
35	* issues a warning and returns (-1) - an invalid value because both
36	* gAMA and cHRM use unsigned integers for fixed point values.
37	*/
38	#define PNG_FIXED_ERROR (-1)
39
40	static png_fixed_point / PRIVATE /
41	png_get_fixed_point(png_structrp png_ptr, png_const_bytep buf)
42	{
43	png_uint_32 uval = png_get_uint_32(buf);
44
45	if (uval <= PNG_UINT_31_MAX)
46	return (png_fixed_point)uval; / known to be in range /
47
48	/ The caller can turn off the warning by passing NULL. /
49	if (png_ptr != NULL)
50	png_warning(png_ptr, "PNG fixed point integer out of range");
51
52	return PNG_FIXED_ERROR;
53	}
54	#endif
55
56	#ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
57	/ NOTE: the read macros will obscure these definitions, so that if*
58	* PNG_USE_READ_MACROS is set the library will not use them internally,
59	* but the APIs will still be available externally.
60	*
61	* The parentheses around "PNGAPI function_name" in the following three
62	* functions are necessary because they allow the macros to co-exist with
63	* these (unused but exported) functions.
64	*/
65
66	/ Grab an unsigned 32-bit integer from a buffer in big-endian format. /
67	png_uint_32 (PNGAPI
68	png_get_uint_32)(png_const_bytep buf)
69	{
70	png_uint_32 uval =
71	((png_uint_32)(*(buf )) << `24`) +
72	((png_uint_32)(*(buf + `1`)) << `16`) +
73	((png_uint_32)(*(buf + `2`)) << `8`) +
74	((png_uint_32)(*(buf + `3`)) ) ;
75
76	return uval;
77	}
78
79	/ Grab a signed 32-bit integer from a buffer in big-endian format. The*
80	* data is stored in the PNG file in two's complement format and there
81	* is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
82	* the following code does a two's complement to native conversion.
83	*/
84	png_int_32 (PNGAPI
85	png_get_int_32)(png_const_bytep buf)
86	{
87	png_uint_32 uval = png_get_uint_32(buf);
88	if ((uval & `0x80000000`) == `0`) / non-negative /
89	return (png_int_32)uval;
90
91	uval = (uval ^ `0xffffffff`) + `1`; / 2's complement: -x = ~x+1 /
92	if ((uval & `0x80000000`) == `0`) / no overflow /
93	return -(png_int_32)uval;
94	/ The following has to be safe; this function only gets called on PNG data*
95	* and if we get here that data is invalid. 0 is the most safe value and
96	* if not then an attacker would surely just generate a PNG with 0 instead.
97	*/
98	return `0`;
99	}
100
101	/ Grab an unsigned 16-bit integer from a buffer in big-endian format. /
102	png_uint_16 (PNGAPI
103	png_get_uint_16)(png_const_bytep buf)
104	{
105	/ ANSI-C requires an int value to accommodate at least 16 bits so this*
106	* works and allows the compiler not to worry about possible narrowing
107	* on 32-bit systems. (Pre-ANSI systems did not make integers smaller
108	* than 16 bits either.)
109	*/
110	unsigned int val =
111	((unsigned int)(*buf) << `8`) +
112	((unsigned int)(*(buf + `1`)));
113
114	return (png_uint_16)val;
115	}
116
117	#endif /* READ_INT_FUNCTIONS */
118
119	/ Read and check the PNG file signature /
120	void / PRIVATE /
121	png_read_sig(png_structrp png_ptr, png_inforp info_ptr)
122	{
123	size_t num_checked, num_to_check;
124
125	/ Exit if the user application does not expect a signature. /
126	if (png_ptr->sig_bytes >= `8`)
127	return;
128
129	num_checked = png_ptr->sig_bytes;
130	num_to_check = `8` - num_checked;
131
132	#ifdef PNG_IO_STATE_SUPPORTED
133	png_ptr->io_state = PNG_IO_READING \| PNG_IO_SIGNATURE;
134	#endif
135
136	/ The signature must be serialized in a single I/O call. /
137	png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
138	png_ptr->sig_bytes = `8`;
139
140	if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check) != `0`)
141	{
142	if (num_checked < `4` &&
143	png_sig_cmp(info_ptr->signature, num_checked, num_to_check - `4`))
144	png_error(png_ptr, "Not a PNG file");
145	else
146	png_error(png_ptr, "PNG file corrupted by ASCII conversion");
147	}
148	if (num_checked < `3`)
149	png_ptr->mode \|= PNG_HAVE_PNG_SIGNATURE;
150	}
151
152	/ Read the chunk header (length + type name).*
153	* Put the type name into png_ptr->chunk_name, and return the length.
154	*/
155	png_uint_32 / PRIVATE /
156	png_read_chunk_header(png_structrp png_ptr)
157	{
158	png_byte buf[`8`];
159	png_uint_32 length;
160
161	#ifdef PNG_IO_STATE_SUPPORTED
162	png_ptr->io_state = PNG_IO_READING \| PNG_IO_CHUNK_HDR;
163	#endif
164
165	/ Read the length and the chunk name.*
166	* This must be performed in a single I/O call.
167	*/
168	png_read_data(png_ptr, buf, `8`);
169	length = png_get_uint_31(png_ptr, buf);
170
171	/ Put the chunk name into png_ptr->chunk_name. /
172	png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+`4`);
173
174	png_debug2(`0`, "Reading %lx chunk, length = %lu",
175	(unsigned long)png_ptr->chunk_name, (unsigned long)length);
176
177	/ Reset the crc and run it over the chunk name. /
178	png_reset_crc(png_ptr);
179	png_calculate_crc(png_ptr, buf + `4`, `4`);
180
181	/ Check to see if chunk name is valid. /
182	png_check_chunk_name(png_ptr, png_ptr->chunk_name);
183
184	/ Check for too-large chunk length /
185	png_check_chunk_length(png_ptr, length);
186
187	#ifdef PNG_IO_STATE_SUPPORTED
188	png_ptr->io_state = PNG_IO_READING \| PNG_IO_CHUNK_DATA;
189	#endif
190
191	return length;
192	}
193
194	/ Read data, and (optionally) run it through the CRC. /
195	void / PRIVATE /
196	png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length)
197	{
198	if (png_ptr == NULL)
199	return;
200
201	png_read_data(png_ptr, buf, length);
202	png_calculate_crc(png_ptr, buf, length);
203	}
204
205	/ Optionally skip data and then check the CRC. Depending on whether we*
206	* are reading an ancillary or critical chunk, and how the program has set
207	* things up, we may calculate the CRC on the data and print a message.
208	* Returns '1' if there was a CRC error, '0' otherwise.
209	*/
210	int / PRIVATE /
211	png_crc_finish(png_structrp png_ptr, png_uint_32 skip)
212	{
213	/ The size of the local buffer for inflate is a good guess as to a*
214	* reasonable size to use for buffering reads from the application.
215	*/
216	while (skip > `0`)
217	{
218	png_uint_32 len;
219	png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
220
221	len = (sizeof tmpbuf);
222	if (len > skip)
223	len = skip;
224	skip -= len;
225
226	png_crc_read(png_ptr, tmpbuf, len);
227	}
228
229	if (png_crc_error(png_ptr) != `0`)
230	{
231	if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != `0` ?
232	(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == `0` :
233	(png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE) != `0`)
234	{
235	png_chunk_warning(png_ptr, "CRC error");
236	}
237
238	else
239	png_chunk_error(png_ptr, "CRC error");
240
241	return (`1`);
242	}
243
244	return (`0`);
245	}
246
247	/ Compare the CRC stored in the PNG file with that calculated by libpng from*
248	* the data it has read thus far.
249	*/
250	int / PRIVATE /
251	png_crc_error(png_structrp png_ptr)
252	{
253	png_byte crc_bytes[`4`];
254	png_uint_32 crc;
255	int need_crc = `1`;
256
257	if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != `0`)
258	{
259	if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
260	(PNG_FLAG_CRC_ANCILLARY_USE \| PNG_FLAG_CRC_ANCILLARY_NOWARN))
261	need_crc = `0`;
262	}
263
264	else / critical /
265	{
266	if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != `0`)
267	need_crc = `0`;
268	}
269
270	#ifdef PNG_IO_STATE_SUPPORTED
271	png_ptr->io_state = PNG_IO_READING \| PNG_IO_CHUNK_CRC;
272	#endif
273
274	/ The chunk CRC must be serialized in a single I/O call. /
275	png_read_data(png_ptr, crc_bytes, `4`);
276
277	if (need_crc != `0`)
278	{
279	crc = png_get_uint_32(crc_bytes);
280	return ((int)(crc != png_ptr->crc));
281	}
282
283	else
284	return (`0`);
285	}
286
287	#if defined(PNG_READ_iCCP_SUPPORTED) \|\| defined(PNG_READ_iTXt_SUPPORTED) \|\|\
288	defined(PNG_READ_pCAL_SUPPORTED) \|\| defined(PNG_READ_sCAL_SUPPORTED) \|\|\
289	defined(PNG_READ_sPLT_SUPPORTED) \|\| defined(PNG_READ_tEXt_SUPPORTED) \|\|\
290	defined(PNG_READ_zTXt_SUPPORTED) \|\| defined(PNG_SEQUENTIAL_READ_SUPPORTED)
291	/ Manage the read buffer; this simply reallocates the buffer if it is not small*
292	* enough (or if it is not allocated). The routine returns a pointer to the
293	* buffer; if an error occurs and 'warn' is set the routine returns NULL, else
294	* it will call png_error (via png_malloc) on failure. (warn == 2 means
295	* 'silent').
296	*/
297	static png_bytep
298	png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
299	{
300	png_bytep buffer = png_ptr->read_buffer;
301
302	if (buffer != NULL && new_size > png_ptr->read_buffer_size)
303	{
304	png_ptr->read_buffer = NULL;
305	png_ptr->read_buffer_size = `0`;
306	png_free(png_ptr, buffer);
307	buffer = NULL;
308	}
309
310	if (buffer == NULL)
311	{
312	buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
313
314	if (buffer != NULL)
315	{
316	memset(buffer, `0`, new_size); / just in case /
317	png_ptr->read_buffer = buffer;
318	png_ptr->read_buffer_size = new_size;
319	}
320
321	else if (warn < `2`) / else silent /
322	{
323	if (warn != `0`)
324	png_chunk_warning(png_ptr, "insufficient memory to read chunk");
325
326	else
327	png_chunk_error(png_ptr, "insufficient memory to read chunk");
328	}
329	}
330
331	return buffer;
332	}
333	#endif /* READ_iCCP\|iTXt\|pCAL\|sCAL\|sPLT\|tEXt\|zTXt\|SEQUENTIAL_READ */
334
335	/ png_inflate_claim: claim the zstream for some nefarious purpose that involves*
336	* decompression. Returns Z_OK on success, else a zlib error code. It checks
337	* the owner but, in final release builds, just issues a warning if some other
338	* chunk apparently owns the stream. Prior to release it does a png_error.
339	*/
340	static int
341	png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
342	{
343	if (png_ptr->zowner != `0`)
344	{
345	char msg[`64`];
346
347	PNG_STRING_FROM_CHUNK(msg, png_ptr->zowner);
348	/ So the message that results is "<chunk> using zstream"; this is an*
349	* internal error, but is very useful for debugging. i18n requirements
350	* are minimal.
351	*/
352	(void)png_safecat(msg, (sizeof msg), `4`, " using zstream");
353	#if PNG_RELEASE_BUILD
354	png_chunk_warning(png_ptr, msg);
355	png_ptr->zowner = `0`;
356	#else
357	png_chunk_error(png_ptr, msg);
358	#endif
359	}
360
361	/ Implementation note: unlike 'png_deflate_claim' this internal function*
362	* does not take the size of the data as an argument. Some efficiency could
363	* be gained by using this when it is known if the zlib stream itself does
364	* not record the number; however, this is an illusion: the original writer
365	* of the PNG may have selected a lower window size, and we really must
366	* follow that because, for systems with with limited capabilities, we
367	* would otherwise reject the application's attempts to use a smaller window
368	* size (zlib doesn't have an interface to say "this or lower"!).
369	*
370	* inflateReset2 was added to zlib 1.2.4; before this the window could not be
371	* reset, therefore it is necessary to always allocate the maximum window
372	* size with earlier zlibs just in case later compressed chunks need it.
373	*/
374	{
375	int ret; / zlib return code /
376	#if ZLIB_VERNUM >= 0x1240
377	int window_bits = `0`;
378
379	# if defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_MAXIMUM_INFLATE_WINDOW)
380	if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & `3`) ==
381	PNG_OPTION_ON)
382	{
383	window_bits = `15`;
384	png_ptr->zstream_start = `0`; / fixed window size /
385	}
386
387	else
388	{
389	png_ptr->zstream_start = `1`;
390	}
391	# endif
392
393	#endif /* ZLIB_VERNUM >= 0x1240 */
394
395	/ Set this for safety, just in case the previous owner left pointers to*
396	* memory allocations.
397	*/
398	png_ptr->zstream.next_in = NULL;
399	png_ptr->zstream.avail_in = `0`;
400	png_ptr->zstream.next_out = NULL;
401	png_ptr->zstream.avail_out = `0`;
402
403	if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != `0`)
404	{
405	#if ZLIB_VERNUM >= 0x1240
406	ret = inflateReset2(&png_ptr->zstream, window_bits);
407	#else
408	ret = inflateReset(&png_ptr->zstream);
409	#endif
410	}
411
412	else
413	{
414	#if ZLIB_VERNUM >= 0x1240
415	ret = inflateInit2(&png_ptr->zstream, window_bits);
416	#else
417	ret = inflateInit(&png_ptr->zstream);
418	#endif
419
420	if (ret == Z_OK)
421	png_ptr->flags \|= PNG_FLAG_ZSTREAM_INITIALIZED;
422	}
423
424	#if ZLIB_VERNUM >= 0x1290 && \
425	defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_IGNORE_ADLER32)
426	if (((png_ptr->options >> PNG_IGNORE_ADLER32) & `3`) == PNG_OPTION_ON)
427	/ Turn off validation of the ADLER32 checksum in IDAT chunks /
428	ret = inflateValidate(&png_ptr->zstream, `0`);
429	#endif
430
431	if (ret == Z_OK)
432	png_ptr->zowner = owner;
433
434	else
435	png_zstream_error(png_ptr, ret);
436
437	return ret;
438	}
439
440	#ifdef window_bits
441	# undef window_bits
442	#endif
443	}
444
445	#if ZLIB_VERNUM >= 0x1240
446	/ Handle the start of the inflate stream if we called inflateInit2(strm,0);*
447	* in this case some zlib versions skip validation of the CINFO field and, in
448	* certain circumstances, libpng may end up displaying an invalid image, in
449	* contrast to implementations that call zlib in the normal way (e.g. libpng
450	* 1.5).
451	*/
452	int / PRIVATE /
453	png_zlib_inflate(png_structrp png_ptr, int flush)
454	{
455	if (png_ptr->zstream_start && png_ptr->zstream.avail_in > `0`)
456	{
457	if ((*png_ptr->zstream.next_in >> `4`) > `7`)
458	{
459	png_ptr->zstream.msg = "invalid window size (libpng)";
460	return Z_DATA_ERROR;
461	}
462
463	png_ptr->zstream_start = `0`;
464	}
465
466	return inflate(&png_ptr->zstream, flush);
467	}
468	#endif /* Zlib >= 1.2.4 */
469
470	#ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
471	#if defined(PNG_READ_zTXt_SUPPORTED) \|\| defined (PNG_READ_iTXt_SUPPORTED)
472	/ png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to*
473	* allow the caller to do multiple calls if required. If the 'finish' flag is
474	* set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
475	* be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
476	* Z_OK or Z_STREAM_END will be returned on success.
477	*
478	* The input and output sizes are updated to the actual amounts of data consumed
479	* or written, not the amount available (as in a z_stream). The data pointers
480	* are not changed, so the next input is (data+input_size) and the next
481	* available output is (output+output_size).
482	*/
483	static int
484	png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish,
485	/ INPUT: / png_const_bytep input, png_uint_32p input_size_ptr,
486	/ OUTPUT: / png_bytep output, png_alloc_size_t *output_size_ptr)
487	{
488	if (png_ptr->zowner == owner) / Else not claimed /
489	{
490	int ret;
491	png_alloc_size_t avail_out = *output_size_ptr;
492	png_uint_32 avail_in = *input_size_ptr;
493
494	/ zlib can't necessarily handle more than 65535 bytes at once (i.e. it*
495	* can't even necessarily handle 65536 bytes) because the type uInt is
496	* "16 bits or more". Consequently it is necessary to chunk the input to
497	* zlib. This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
498	* maximum value that can be stored in a uInt.) It is possible to set
499	* ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
500	* a performance advantage, because it reduces the amount of data accessed
501	* at each step and that may give the OS more time to page it in.
502	*/
503	png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
504	/ avail_in and avail_out are set below from 'size' /
505	png_ptr->zstream.avail_in = `0`;
506	png_ptr->zstream.avail_out = `0`;
507
508	/ Read directly into the output if it is available (this is set to*
509	* a local buffer below if output is NULL).
510	*/
511	if (output != NULL)
512	png_ptr->zstream.next_out = output;
513
514	do
515	{
516	uInt avail;
517	Byte local_buffer[PNG_INFLATE_BUF_SIZE];
518
519	/ zlib INPUT BUFFER /
520	/ The setting of 'avail_in' used to be outside the loop; by setting it*
521	* inside it is possible to chunk the input to zlib and simply rely on
522	* zlib to advance the 'next_in' pointer. This allows arbitrary
523	* amounts of data to be passed through zlib at the unavoidable cost of
524	* requiring a window save (memcpy of up to 32768 output bytes)
525	* every ZLIB_IO_MAX input bytes.
526	*/
527	avail_in += png_ptr->zstream.avail_in; / not consumed last time /
528
529	avail = ZLIB_IO_MAX;
530
531	if (avail_in < avail)
532	avail = (uInt)avail_in; / safe: < than ZLIB_IO_MAX /
533
534	avail_in -= avail;
535	png_ptr->zstream.avail_in = avail;
536
537	/ zlib OUTPUT BUFFER /
538	avail_out += png_ptr->zstream.avail_out; / not written last time /
539
540	avail = ZLIB_IO_MAX; / maximum zlib can process /
541
542	if (output == NULL)
543	{
544	/ Reset the output buffer each time round if output is NULL and*
545	* make available the full buffer, up to 'remaining_space'
546	*/
547	png_ptr->zstream.next_out = local_buffer;
548	if ((sizeof local_buffer) < avail)
549	avail = (sizeof local_buffer);
550	}
551
552	if (avail_out < avail)
553	avail = (uInt)avail_out; / safe: < ZLIB_IO_MAX /
554
555	png_ptr->zstream.avail_out = avail;
556	avail_out -= avail;
557
558	/ zlib inflate call /
559	/ In fact 'avail_out' may be 0 at this point, that happens at the end*
560	* of the read when the final LZ end code was not passed at the end of
561	* the previous chunk of input data. Tell zlib if we have reached the
562	* end of the output buffer.
563	*/
564	ret = PNG_INFLATE(png_ptr, avail_out > `0` ? Z_NO_FLUSH :
565	(finish ? Z_FINISH : Z_SYNC_FLUSH));
566	} while (ret == Z_OK);
567
568	/ For safety kill the local buffer pointer now /
569	if (output == NULL)
570	png_ptr->zstream.next_out = NULL;
571
572	/ Claw back the 'size' and 'remaining_space' byte counts. /
573	avail_in += png_ptr->zstream.avail_in;
574	avail_out += png_ptr->zstream.avail_out;
575
576	/ Update the input and output sizes; the updated values are the amount*
577	* consumed or written, effectively the inverse of what zlib uses.
578	*/
579	if (avail_out > `0`)
580	*output_size_ptr -= avail_out;
581
582	if (avail_in > `0`)
583	*input_size_ptr -= avail_in;
584
585	/ Ensure png_ptr->zstream.msg is set (even in the success case!) /
586	png_zstream_error(png_ptr, ret);
587	return ret;
588	}
589
590	else
591	{
592	/ This is a bad internal error. The recovery assigns to the zstream msg*
593	* pointer, which is not owned by the caller, but this is safe; it's only
594	* used on errors!
595	*/
596	png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
597	return Z_STREAM_ERROR;
598	}
599	}
600
601	/*
602	* Decompress trailing data in a chunk. The assumption is that read_buffer
603	* points at an allocated area holding the contents of a chunk with a
604	* trailing compressed part. What we get back is an allocated area
605	* holding the original prefix part and an uncompressed version of the
606	* trailing part (the malloc area passed in is freed).
607	*/
608	static int
609	png_decompress_chunk(png_structrp png_ptr,
610	png_uint_32 chunklength, png_uint_32 prefix_size,
611	png_alloc_size_t newlength /* must be initialized to the maximum! /,
612	int terminate /add a '\0' to the end of the uncompressed data/)
613	{
614	/ TODO: implement different limits for different types of chunk.*
615	*
616	* The caller supplies *newlength set to the maximum length of the
617	* uncompressed data, but this routine allocates space for the prefix and
618	* maybe a '\0' terminator too. We have to assume that 'prefix_size' is
619	* limited only by the maximum chunk size.
620	*/
621	png_alloc_size_t limit = PNG_SIZE_MAX;
622
623	# ifdef PNG_SET_USER_LIMITS_SUPPORTED
624	if (png_ptr->user_chunk_malloc_max > `0` &&
625	png_ptr->user_chunk_malloc_max < limit)
626	limit = png_ptr->user_chunk_malloc_max;
627	# elif PNG_USER_CHUNK_MALLOC_MAX > 0
628	if (PNG_USER_CHUNK_MALLOC_MAX < limit)
629	limit = PNG_USER_CHUNK_MALLOC_MAX;
630	# endif
631
632	if (limit >= prefix_size + (terminate != `0`))
633	{
634	int ret;
635
636	limit -= prefix_size + (terminate != `0`);
637
638	if (limit < *newlength)
639	*newlength = limit;
640
641	/ Now try to claim the stream. /
642	ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);
643
644	if (ret == Z_OK)
645	{
646	png_uint_32 lzsize = chunklength - prefix_size;
647
648	ret = png_inflate(png_ptr, png_ptr->chunk_name, `1`/finish/,
649	/ input: / png_ptr->read_buffer + prefix_size, &lzsize,
650	/ output: / NULL, newlength);
651
652	if (ret == Z_STREAM_END)
653	{
654	/ Use 'inflateReset' here, not 'inflateReset2' because this*
655	* preserves the previously decided window size (otherwise it would
656	* be necessary to store the previous window size.) In practice
657	* this doesn't matter anyway, because png_inflate will call inflate
658	* with Z_FINISH in almost all cases, so the window will not be
659	* maintained.
660	*/
661	if (inflateReset(&png_ptr->zstream) == Z_OK)
662	{
663	/ Because of the limit checks above we know that the new,*
664	* expanded, size will fit in a size_t (let alone an
665	* png_alloc_size_t). Use png_malloc_base here to avoid an
666	* extra OOM message.
667	*/
668	png_alloc_size_t new_size = *newlength;
669	png_alloc_size_t buffer_size = prefix_size + new_size +
670	(terminate != `0`);
671	png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
672	buffer_size));
673
674	if (text != NULL)
675	{
676	memset(text, `0`, buffer_size);
677
678	ret = png_inflate(png_ptr, png_ptr->chunk_name, `1`/finish/,
679	png_ptr->read_buffer + prefix_size, &lzsize,
680	text + prefix_size, newlength);
681
682	if (ret == Z_STREAM_END)
683	{
684	if (new_size == *newlength)
685	{
686	if (terminate != `0`)
687	text[prefix_size + *newlength] = `0`;
688
689	if (prefix_size > `0`)
690	memcpy(text, png_ptr->read_buffer, prefix_size);
691
692	{
693	png_bytep old_ptr = png_ptr->read_buffer;
694
695	png_ptr->read_buffer = text;
696	png_ptr->read_buffer_size = buffer_size;
697	text = old_ptr; / freed below /
698	}
699	}
700
701	else
702	{
703	/ The size changed on the second read, there can be no*
704	* guarantee that anything is correct at this point.
705	* The 'msg' pointer has been set to "unexpected end of
706	* LZ stream", which is fine, but return an error code
707	* that the caller won't accept.
708	*/
709	ret = PNG_UNEXPECTED_ZLIB_RETURN;
710	}
711	}
712
713	else if (ret == Z_OK)
714	ret = PNG_UNEXPECTED_ZLIB_RETURN; / for safety /
715
716	/ Free the text pointer (this is the old read_buffer on*
717	* success)
718	*/
719	png_free(png_ptr, text);
720
721	/ This really is very benign, but it's still an error because*
722	* the extra space may otherwise be used as a Trojan Horse.
723	*/
724	if (ret == Z_STREAM_END &&
725	chunklength - prefix_size != lzsize)
726	png_chunk_benign_error(png_ptr, "extra compressed data");
727	}
728
729	else
730	{
731	/ Out of memory allocating the buffer /
732	ret = Z_MEM_ERROR;
733	png_zstream_error(png_ptr, Z_MEM_ERROR);
734	}
735	}
736
737	else
738	{
739	/ inflateReset failed, store the error message /
740	png_zstream_error(png_ptr, ret);
741	ret = PNG_UNEXPECTED_ZLIB_RETURN;
742	}
743	}
744
745	else if (ret == Z_OK)
746	ret = PNG_UNEXPECTED_ZLIB_RETURN;
747
748	/ Release the claimed stream /
749	png_ptr->zowner = `0`;
750	}
751
752	else / the claim failed / if (ret == Z_STREAM_END) / impossible! /
753	ret = PNG_UNEXPECTED_ZLIB_RETURN;
754
755	return ret;
756	}
757
758	else
759	{
760	/ Application/configuration limits exceeded /
761	png_zstream_error(png_ptr, Z_MEM_ERROR);
762	return Z_MEM_ERROR;
763	}
764	}
765	#endif /* READ_zTXt \|\| READ_iTXt */
766	#endif /* READ_COMPRESSED_TEXT */
767
768	#ifdef PNG_READ_iCCP_SUPPORTED
769	/ Perform a partial read and decompress, producing 'avail_out' bytes and*
770	* reading from the current chunk as required.
771	*/
772	static int
773	png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size,
774	png_uint_32p chunk_bytes, png_bytep next_out, png_alloc_size_t *out_size,
775	int finish)
776	{
777	if (png_ptr->zowner == png_ptr->chunk_name)
778	{
779	int ret;
780
781	/ next_in and avail_in must have been initialized by the caller. /
782	png_ptr->zstream.next_out = next_out;
783	png_ptr->zstream.avail_out = `0`; / set in the loop /
784
785	do
786	{
787	if (png_ptr->zstream.avail_in == `0`)
788	{
789	if (read_size > *chunk_bytes)
790	read_size = (uInt)*chunk_bytes;
791	*chunk_bytes -= read_size;
792
793	if (read_size > `0`)
794	png_crc_read(png_ptr, read_buffer, read_size);
795
796	png_ptr->zstream.next_in = read_buffer;
797	png_ptr->zstream.avail_in = read_size;
798	}
799
800	if (png_ptr->zstream.avail_out == `0`)
801	{
802	uInt avail = ZLIB_IO_MAX;
803	if (avail > *out_size)
804	avail = (uInt)*out_size;
805	*out_size -= avail;
806
807	png_ptr->zstream.avail_out = avail;
808	}
809
810	/ Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all*
811	* the available output is produced; this allows reading of truncated
812	* streams.
813	*/
814	ret = PNG_INFLATE(png_ptr, *chunk_bytes > `0` ?
815	Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));
816	}
817	while (ret == Z_OK && (*out_size > `0` \|\| png_ptr->zstream.avail_out > `0`));
818
819	*out_size += png_ptr->zstream.avail_out;
820	png_ptr->zstream.avail_out = `0`; / Should not be required, but is safe /
821
822	/ Ensure the error message pointer is always set: /
823	png_zstream_error(png_ptr, ret);
824	return ret;
825	}
826
827	else
828	{
829	png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
830	return Z_STREAM_ERROR;
831	}
832	}
833	#endif /* READ_iCCP */
834
835	/ Read and check the IDHR chunk /
836
837	void / PRIVATE /
838	png_handle_IHDR(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
839	{
840	png_byte buf[`13`];
841	png_uint_32 width, height;
842	int bit_depth, color_type, compression_type, filter_type;
843	int interlace_type;
844
845	png_debug(`1`, "in png_handle_IHDR");
846
847	if ((png_ptr->mode & PNG_HAVE_IHDR) != `0`)
848	png_chunk_error(png_ptr, "out of place");
849
850	/ Check the length /
851	if (length != `13`)
852	png_chunk_error(png_ptr, "invalid");
853
854	png_ptr->mode \|= PNG_HAVE_IHDR;
855
856	png_crc_read(png_ptr, buf, `13`);
857	png_crc_finish(png_ptr, `0`);
858
859	width = png_get_uint_31(png_ptr, buf);
860	height = png_get_uint_31(png_ptr, buf + `4`);
861	bit_depth = buf[`8`];
862	color_type = buf[`9`];
863	compression_type = buf[`10`];
864	filter_type = buf[`11`];
865	interlace_type = buf[`12`];
866
867	/ Set internal variables /
868	png_ptr->width = width;
869	png_ptr->height = height;
870	png_ptr->bit_depth = (png_byte)bit_depth;
871	png_ptr->interlaced = (png_byte)interlace_type;
872	png_ptr->color_type = (png_byte)color_type;
873	#ifdef PNG_MNG_FEATURES_SUPPORTED
874	png_ptr->filter_type = (png_byte)filter_type;
875	#endif
876	png_ptr->compression_type = (png_byte)compression_type;
877
878	/ Find number of channels /
879	switch (png_ptr->color_type)
880	{
881	default: / invalid, png_set_IHDR calls png_error /
882	case PNG_COLOR_TYPE_GRAY:
883	case PNG_COLOR_TYPE_PALETTE:
884	png_ptr->channels = `1`;
885	break;
886
887	case PNG_COLOR_TYPE_RGB:
888	png_ptr->channels = `3`;
889	break;
890
891	case PNG_COLOR_TYPE_GRAY_ALPHA:
892	png_ptr->channels = `2`;
893	break;
894
895	case PNG_COLOR_TYPE_RGB_ALPHA:
896	png_ptr->channels = `4`;
897	break;
898	}
899
900	/ Set up other useful info /
901	png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * png_ptr->channels);
902	png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
903	png_debug1(`3`, "bit_depth = %d", png_ptr->bit_depth);
904	png_debug1(`3`, "channels = %d", png_ptr->channels);
905	png_debug1(`3`, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);
906	png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
907	color_type, interlace_type, compression_type, filter_type);
908	}
909
910	/ Read and check the palette /
911	void / PRIVATE /
912	png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
913	{
914	png_color palette[PNG_MAX_PALETTE_LENGTH];
915	int max_palette_length, num, i;
916	#ifdef PNG_POINTER_INDEXING_SUPPORTED
917	png_colorp pal_ptr;
918	#endif
919
920	png_debug(`1`, "in png_handle_PLTE");
921
922	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
923	png_chunk_error(png_ptr, "missing IHDR");
924
925	/ Moved to before the 'after IDAT' check below because otherwise duplicate*
926	* PLTE chunks are potentially ignored (the spec says there shall not be more
927	* than one PLTE, the error is not treated as benign, so this check trumps
928	* the requirement that PLTE appears before IDAT.)
929	*/
930	else if ((png_ptr->mode & PNG_HAVE_PLTE) != `0`)
931	png_chunk_error(png_ptr, "duplicate");
932
933	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
934	{
935	/ This is benign because the non-benign error happened before, when an*
936	* IDAT was encountered in a color-mapped image with no PLTE.
937	*/
938	png_crc_finish(png_ptr, length);
939	png_chunk_benign_error(png_ptr, "out of place");
940	return;
941	}
942
943	png_ptr->mode \|= PNG_HAVE_PLTE;
944
945	if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == `0`)
946	{
947	png_crc_finish(png_ptr, length);
948	png_chunk_benign_error(png_ptr, "ignored in grayscale PNG");
949	return;
950	}
951
952	#ifndef PNG_READ_OPT_PLTE_SUPPORTED
953	if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
954	{
955	png_crc_finish(png_ptr, length);
956	return;
957	}
958	#endif
959
960	if (length > `3`*PNG_MAX_PALETTE_LENGTH \|\| length % `3`)
961	{
962	png_crc_finish(png_ptr, length);
963
964	if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
965	png_chunk_benign_error(png_ptr, "invalid");
966
967	else
968	png_chunk_error(png_ptr, "invalid");
969
970	return;
971	}
972
973	/ The cast is safe because 'length' is less than 3PNG_MAX_PALETTE_LENGTH /*
974	num = (int)length / `3`;
975
976	/ If the palette has 256 or fewer entries but is too large for the bit*
977	* depth, we don't issue an error, to preserve the behavior of previous
978	* libpng versions. We silently truncate the unused extra palette entries
979	* here.
980	*/
981	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
982	max_palette_length = (`1` << png_ptr->bit_depth);
983	else
984	max_palette_length = PNG_MAX_PALETTE_LENGTH;
985
986	if (num > max_palette_length)
987	num = max_palette_length;
988
989	#ifdef PNG_POINTER_INDEXING_SUPPORTED
990	for (i = `0`, pal_ptr = palette; i < num; i++, pal_ptr++)
991	{
992	png_byte buf[`3`];
993
994	png_crc_read(png_ptr, buf, `3`);
995	pal_ptr->red = buf[`0`];
996	pal_ptr->green = buf[`1`];
997	pal_ptr->blue = buf[`2`];
998	}
999	#else
1000	for (i = `0`; i < num; i++)
1001	{
1002	png_byte buf[`3`];
1003
1004	png_crc_read(png_ptr, buf, `3`);
1005	/ Don't depend upon png_color being any order /
1006	palette[i].red = buf[`0`];
1007	palette[i].green = buf[`1`];
1008	palette[i].blue = buf[`2`];
1009	}
1010	#endif
1011
1012	/ If we actually need the PLTE chunk (ie for a paletted image), we do*
1013	* whatever the normal CRC configuration tells us. However, if we
1014	* have an RGB image, the PLTE can be considered ancillary, so
1015	* we will act as though it is.
1016	*/
1017	#ifndef PNG_READ_OPT_PLTE_SUPPORTED
1018	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1019	#endif
1020	{
1021	png_crc_finish(png_ptr, (png_uint_32) (length - (unsigned int)num * `3`));
1022	}
1023
1024	#ifndef PNG_READ_OPT_PLTE_SUPPORTED
1025	else if (png_crc_error(png_ptr) != `0`) / Only if we have a CRC error /
1026	{
1027	/ If we don't want to use the data from an ancillary chunk,*
1028	* we have two options: an error abort, or a warning and we
1029	* ignore the data in this chunk (which should be OK, since
1030	* it's considered ancillary for a RGB or RGBA image).
1031	*
1032	* IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the
1033	* chunk type to determine whether to check the ancillary or the critical
1034	* flags.
1035	*/
1036	if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE) == `0`)
1037	{
1038	if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) != `0`)
1039	return;
1040
1041	else
1042	png_chunk_error(png_ptr, "CRC error");
1043	}
1044
1045	/ Otherwise, we (optionally) emit a warning and use the chunk. /
1046	else if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == `0`)
1047	png_chunk_warning(png_ptr, "CRC error");
1048	}
1049	#endif
1050
1051	/ TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its*
1052	* own copy of the palette. This has the side effect that when png_start_row
1053	* is called (this happens after any call to png_read_update_info) the
1054	* info_ptr palette gets changed. This is extremely unexpected and
1055	* confusing.
1056	*
1057	* Fix this by not sharing the palette in this way.
1058	*/
1059	png_set_PLTE(png_ptr, info_ptr, palette, num);
1060
1061	/ The three chunks, bKGD, hIST and tRNS must appear after PLTE and before*
1062	* IDAT. Prior to 1.6.0 this was not checked; instead the code merely
1063	* checked the apparent validity of a tRNS chunk inserted before PLTE on a
1064	* palette PNG. 1.6.0 attempts to rigorously follow the standard and
1065	* therefore does a benign error if the erroneous condition is detected and
1066	* cancels the tRNS if the benign error returns. The alternative is to
1067	* amend the standard since it would be rather hypocritical of the standards
1068	* maintainers to ignore it.
1069	*/
1070	#ifdef PNG_READ_tRNS_SUPPORTED
1071	if (png_ptr->num_trans > `0` \|\|
1072	(info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != `0`))
1073	{
1074	/ Cancel this because otherwise it would be used if the transforms*
1075	* require it. Don't cancel the 'valid' flag because this would prevent
1076	* detection of duplicate chunks.
1077	*/
1078	png_ptr->num_trans = `0`;
1079
1080	if (info_ptr != NULL)
1081	info_ptr->num_trans = `0`;
1082
1083	png_chunk_benign_error(png_ptr, "tRNS must be after");
1084	}
1085	#endif
1086
1087	#ifdef PNG_READ_hIST_SUPPORTED
1088	if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != `0`)
1089	png_chunk_benign_error(png_ptr, "hIST must be after");
1090	#endif
1091
1092	#ifdef PNG_READ_bKGD_SUPPORTED
1093	if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != `0`)
1094	png_chunk_benign_error(png_ptr, "bKGD must be after");
1095	#endif
1096	}
1097
1098	void / PRIVATE /
1099	png_handle_IEND(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1100	{
1101	png_debug(`1`, "in png_handle_IEND");
1102
1103	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0` \|\|
1104	(png_ptr->mode & PNG_HAVE_IDAT) == `0`)
1105	png_chunk_error(png_ptr, "out of place");
1106
1107	png_ptr->mode \|= (PNG_AFTER_IDAT \| PNG_HAVE_IEND);
1108
1109	png_crc_finish(png_ptr, length);
1110
1111	if (length != `0`)
1112	png_chunk_benign_error(png_ptr, "invalid");
1113
1114	PNG_UNUSED(info_ptr)
1115	}
1116
1117	#ifdef PNG_READ_gAMA_SUPPORTED
1118	void / PRIVATE /
1119	png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1120	{
1121	png_fixed_point igamma;
1122	png_byte buf[`4`];
1123
1124	png_debug(`1`, "in png_handle_gAMA");
1125
1126	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1127	png_chunk_error(png_ptr, "missing IHDR");
1128
1129	else if ((png_ptr->mode & (PNG_HAVE_IDAT\|PNG_HAVE_PLTE)) != `0`)
1130	{
1131	png_crc_finish(png_ptr, length);
1132	png_chunk_benign_error(png_ptr, "out of place");
1133	return;
1134	}
1135
1136	if (length != `4`)
1137	{
1138	png_crc_finish(png_ptr, length);
1139	png_chunk_benign_error(png_ptr, "invalid");
1140	return;
1141	}
1142
1143	png_crc_read(png_ptr, buf, `4`);
1144
1145	if (png_crc_finish(png_ptr, `0`) != `0`)
1146	return;
1147
1148	igamma = png_get_fixed_point(NULL, buf);
1149
1150	png_colorspace_set_gamma(png_ptr, &png_ptr->colorspace, igamma);
1151	png_colorspace_sync(png_ptr, info_ptr);
1152	}
1153	#endif
1154
1155	#ifdef PNG_READ_sBIT_SUPPORTED
1156	void / PRIVATE /
1157	png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1158	{
1159	unsigned int truelen, i;
1160	png_byte sample_depth;
1161	png_byte buf[`4`];
1162
1163	png_debug(`1`, "in png_handle_sBIT");
1164
1165	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1166	png_chunk_error(png_ptr, "missing IHDR");
1167
1168	else if ((png_ptr->mode & (PNG_HAVE_IDAT\|PNG_HAVE_PLTE)) != `0`)
1169	{
1170	png_crc_finish(png_ptr, length);
1171	png_chunk_benign_error(png_ptr, "out of place");
1172	return;
1173	}
1174
1175	if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT) != `0`)
1176	{
1177	png_crc_finish(png_ptr, length);
1178	png_chunk_benign_error(png_ptr, "duplicate");
1179	return;
1180	}
1181
1182	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1183	{
1184	truelen = `3`;
1185	sample_depth = `8`;
1186	}
1187
1188	else
1189	{
1190	truelen = png_ptr->channels;
1191	sample_depth = png_ptr->bit_depth;
1192	}
1193
1194	if (length != truelen \|\| length > `4`)
1195	{
1196	png_chunk_benign_error(png_ptr, "invalid");
1197	png_crc_finish(png_ptr, length);
1198	return;
1199	}
1200
1201	buf[`0`] = buf[`1`] = buf[`2`] = buf[`3`] = sample_depth;
1202	png_crc_read(png_ptr, buf, truelen);
1203
1204	if (png_crc_finish(png_ptr, `0`) != `0`)
1205	return;
1206
1207	for (i=`0`; i<truelen; ++i)
1208	{
1209	if (buf[i] == `0` \|\| buf[i] > sample_depth)
1210	{
1211	png_chunk_benign_error(png_ptr, "invalid");
1212	return;
1213	}
1214	}
1215
1216	if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != `0`)
1217	{
1218	png_ptr->sig_bit.red = buf[`0`];
1219	png_ptr->sig_bit.green = buf[`1`];
1220	png_ptr->sig_bit.blue = buf[`2`];
1221	png_ptr->sig_bit.alpha = buf[`3`];
1222	}
1223
1224	else
1225	{
1226	png_ptr->sig_bit.gray = buf[`0`];
1227	png_ptr->sig_bit.red = buf[`0`];
1228	png_ptr->sig_bit.green = buf[`0`];
1229	png_ptr->sig_bit.blue = buf[`0`];
1230	png_ptr->sig_bit.alpha = buf[`1`];
1231	}
1232
1233	png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit));
1234	}
1235	#endif
1236
1237	#ifdef PNG_READ_cHRM_SUPPORTED
1238	void / PRIVATE /
1239	png_handle_cHRM(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1240	{
1241	png_byte buf[`32`];
1242	png_xy xy;
1243
1244	png_debug(`1`, "in png_handle_cHRM");
1245
1246	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1247	png_chunk_error(png_ptr, "missing IHDR");
1248
1249	else if ((png_ptr->mode & (PNG_HAVE_IDAT\|PNG_HAVE_PLTE)) != `0`)
1250	{
1251	png_crc_finish(png_ptr, length);
1252	png_chunk_benign_error(png_ptr, "out of place");
1253	return;
1254	}
1255
1256	if (length != `32`)
1257	{
1258	png_crc_finish(png_ptr, length);
1259	png_chunk_benign_error(png_ptr, "invalid");
1260	return;
1261	}
1262
1263	png_crc_read(png_ptr, buf, `32`);
1264
1265	if (png_crc_finish(png_ptr, `0`) != `0`)
1266	return;
1267
1268	xy.whitex = png_get_fixed_point(NULL, buf);
1269	xy.whitey = png_get_fixed_point(NULL, buf + `4`);
1270	xy.redx = png_get_fixed_point(NULL, buf + `8`);
1271	xy.redy = png_get_fixed_point(NULL, buf + `12`);
1272	xy.greenx = png_get_fixed_point(NULL, buf + `16`);
1273	xy.greeny = png_get_fixed_point(NULL, buf + `20`);
1274	xy.bluex = png_get_fixed_point(NULL, buf + `24`);
1275	xy.bluey = png_get_fixed_point(NULL, buf + `28`);
1276
1277	if (xy.whitex == PNG_FIXED_ERROR \|\|
1278	xy.whitey == PNG_FIXED_ERROR \|\|
1279	xy.redx == PNG_FIXED_ERROR \|\|
1280	xy.redy == PNG_FIXED_ERROR \|\|
1281	xy.greenx == PNG_FIXED_ERROR \|\|
1282	xy.greeny == PNG_FIXED_ERROR \|\|
1283	xy.bluex == PNG_FIXED_ERROR \|\|
1284	xy.bluey == PNG_FIXED_ERROR)
1285	{
1286	png_chunk_benign_error(png_ptr, "invalid values");
1287	return;
1288	}
1289
1290	/ If a colorspace error has already been output skip this chunk /
1291	if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != `0`)
1292	return;
1293
1294	if ((png_ptr->colorspace.flags & PNG_COLORSPACE_FROM_cHRM) != `0`)
1295	{
1296	png_ptr->colorspace.flags \|= PNG_COLORSPACE_INVALID;
1297	png_colorspace_sync(png_ptr, info_ptr);
1298	png_chunk_benign_error(png_ptr, "duplicate");
1299	return;
1300	}
1301
1302	png_ptr->colorspace.flags \|= PNG_COLORSPACE_FROM_cHRM;
1303	(void)png_colorspace_set_chromaticities(png_ptr, &png_ptr->colorspace, &xy,
1304	`1`/prefer cHRM values/);
1305	png_colorspace_sync(png_ptr, info_ptr);
1306	}
1307	#endif
1308
1309	#ifdef PNG_READ_sRGB_SUPPORTED
1310	void / PRIVATE /
1311	png_handle_sRGB(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1312	{
1313	png_byte intent;
1314
1315	png_debug(`1`, "in png_handle_sRGB");
1316
1317	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1318	png_chunk_error(png_ptr, "missing IHDR");
1319
1320	else if ((png_ptr->mode & (PNG_HAVE_IDAT\|PNG_HAVE_PLTE)) != `0`)
1321	{
1322	png_crc_finish(png_ptr, length);
1323	png_chunk_benign_error(png_ptr, "out of place");
1324	return;
1325	}
1326
1327	if (length != `1`)
1328	{
1329	png_crc_finish(png_ptr, length);
1330	png_chunk_benign_error(png_ptr, "invalid");
1331	return;
1332	}
1333
1334	png_crc_read(png_ptr, &intent, `1`);
1335
1336	if (png_crc_finish(png_ptr, `0`) != `0`)
1337	return;
1338
1339	/ If a colorspace error has already been output skip this chunk /
1340	if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != `0`)
1341	return;
1342
1343	/ Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect*
1344	* this.
1345	*/
1346	if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) != `0`)
1347	{
1348	png_ptr->colorspace.flags \|= PNG_COLORSPACE_INVALID;
1349	png_colorspace_sync(png_ptr, info_ptr);
1350	png_chunk_benign_error(png_ptr, "too many profiles");
1351	return;
1352	}
1353
1354	(void)png_colorspace_set_sRGB(png_ptr, &png_ptr->colorspace, intent);
1355	png_colorspace_sync(png_ptr, info_ptr);
1356	}
1357	#endif /* READ_sRGB */
1358
1359	#ifdef PNG_READ_iCCP_SUPPORTED
1360	void / PRIVATE /
1361	png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1362	/ Note: this does not properly handle profiles that are > 64K under DOS /
1363	{
1364	png_const_charp errmsg = NULL; / error message output, or no error /
1365	int finished = `0`; / crc checked /
1366
1367	png_debug(`1`, "in png_handle_iCCP");
1368
1369	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1370	png_chunk_error(png_ptr, "missing IHDR");
1371
1372	else if ((png_ptr->mode & (PNG_HAVE_IDAT\|PNG_HAVE_PLTE)) != `0`)
1373	{
1374	png_crc_finish(png_ptr, length);
1375	png_chunk_benign_error(png_ptr, "out of place");
1376	return;
1377	}
1378
1379	/* Consistent with all the above colorspace handling an obviously invalid
1380	* chunk is just ignored, so does not invalidate the color space. An
1381	* alternative is to set the 'invalid' flags at the start of this routine
1382	* and only clear them in they were not set before and all the tests pass.
1383	*/
1384
1385	/ The keyword must be at least one character and there is a*
1386	* terminator (0) byte and the compression method byte, and the
1387	* 'zlib' datastream is at least 11 bytes.
1388	*/
1389	if (length < `14`)
1390	{
1391	png_crc_finish(png_ptr, length);
1392	png_chunk_benign_error(png_ptr, "too short");
1393	return;
1394	}
1395
1396	/ If a colorspace error has already been output skip this chunk /
1397	if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != `0`)
1398	{
1399	png_crc_finish(png_ptr, length);
1400	return;
1401	}
1402
1403	/ Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect*
1404	* this.
1405	*/
1406	if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == `0`)
1407	{
1408	uInt read_length, keyword_length;
1409	char keyword[`81`];
1410
1411	/ Find the keyword; the keyword plus separator and compression method*
1412	* bytes can be at most 81 characters long.
1413	*/
1414	read_length = `81`; / maximum /
1415	if (read_length > length)
1416	read_length = (uInt)length;
1417
1418	png_crc_read(png_ptr, (png_bytep)keyword, read_length);
1419	length -= read_length;
1420
1421	/ The minimum 'zlib' stream is assumed to be just the 2 byte header,*
1422	* 5 bytes minimum 'deflate' stream, and the 4 byte checksum.
1423	*/
1424	if (length < `11`)
1425	{
1426	png_crc_finish(png_ptr, length);
1427	png_chunk_benign_error(png_ptr, "too short");
1428	return;
1429	}
1430
1431	keyword_length = `0`;
1432	while (keyword_length < `80` && keyword_length < read_length &&
1433	keyword[keyword_length] != `0`)
1434	++keyword_length;
1435
1436	/ TODO: make the keyword checking common /
1437	if (keyword_length >= `1` && keyword_length <= `79`)
1438	{
1439	/ We only understand '0' compression - deflate - so if we get a*
1440	* different value we can't safely decode the chunk.
1441	*/
1442	if (keyword_length+`1` < read_length &&
1443	keyword[keyword_length+`1`] == PNG_COMPRESSION_TYPE_BASE)
1444	{
1445	read_length -= keyword_length+`2`;
1446
1447	if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK)
1448	{
1449	Byte profile_header[`132`]={`0`};
1450	Byte local_buffer[PNG_INFLATE_BUF_SIZE];
1451	png_alloc_size_t size = (sizeof profile_header);
1452
1453	png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+`2`);
1454	png_ptr->zstream.avail_in = read_length;
1455	(void)png_inflate_read(png_ptr, local_buffer,
1456	(sizeof local_buffer), &length, profile_header, &size,
1457	`0`/finish: don't, because the output is too small/);
1458
1459	if (size == `0`)
1460	{
1461	/ We have the ICC profile header; do the basic header checks.*
1462	*/
1463	png_uint_32 profile_length = png_get_uint_32(profile_header);
1464
1465	if (png_icc_check_length(png_ptr, &png_ptr->colorspace,
1466	keyword, profile_length) != `0`)
1467	{
1468	/ The length is apparently ok, so we can check the 132*
1469	* byte header.
1470	*/
1471	if (png_icc_check_header(png_ptr, &png_ptr->colorspace,
1472	keyword, profile_length, profile_header,
1473	png_ptr->color_type) != `0`)
1474	{
1475	/ Now read the tag table; a variable size buffer is*
1476	* needed at this point, allocate one for the whole
1477	* profile. The header check has already validated
1478	* that none of this stuff will overflow.
1479	*/
1480	png_uint_32 tag_count =
1481	png_get_uint_32(profile_header + `128`);
1482	png_bytep profile = png_read_buffer(png_ptr,
1483	profile_length, `2`/silent/);
1484
1485	if (profile != NULL)
1486	{
1487	memcpy(profile, profile_header,
1488	(sizeof profile_header));
1489
1490	size = `12` * tag_count;
1491
1492	(void)png_inflate_read(png_ptr, local_buffer,
1493	(sizeof local_buffer), &length,
1494	profile + (sizeof profile_header), &size, `0`);
1495
1496	/ Still expect a buffer error because we expect*
1497	* there to be some tag data!
1498	*/
1499	if (size == `0`)
1500	{
1501	if (png_icc_check_tag_table(png_ptr,
1502	&png_ptr->colorspace, keyword, profile_length,
1503	profile) != `0`)
1504	{
1505	/ The profile has been validated for basic*
1506	* security issues, so read the whole thing in.
1507	*/
1508	size = profile_length - (sizeof profile_header)
1509	- `12` * tag_count;
1510
1511	(void)png_inflate_read(png_ptr, local_buffer,
1512	(sizeof local_buffer), &length,
1513	profile + (sizeof profile_header) +
1514	`12` * tag_count, &size, `1`/finish/);
1515
1516	if (length > `0` && !(png_ptr->flags &
1517	PNG_FLAG_BENIGN_ERRORS_WARN))
1518	errmsg = "extra compressed data";
1519
1520	/ But otherwise allow extra data: /
1521	else if (size == `0`)
1522	{
1523	if (length > `0`)
1524	{
1525	/ This can be handled completely, so*
1526	* keep going.
1527	*/
1528	png_chunk_warning(png_ptr,
1529	"extra compressed data");
1530	}
1531
1532	png_crc_finish(png_ptr, length);
1533	finished = `1`;
1534
1535	# if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
1536	/ Check for a match against sRGB /
1537	png_icc_set_sRGB(png_ptr,
1538	&png_ptr->colorspace, profile,
1539	png_ptr->zstream.adler);
1540	# endif
1541
1542	/ Steal the profile for info_ptr. /
1543	if (info_ptr != NULL)
1544	{
1545	png_free_data(png_ptr, info_ptr,
1546	PNG_FREE_ICCP, `0`);
1547
1548	info_ptr->iccp_name = png_voidcast(char*,
1549	png_malloc_base(png_ptr,
1550	keyword_length+`1`));
1551	if (info_ptr->iccp_name != NULL)
1552	{
1553	memcpy(info_ptr->iccp_name, keyword,
1554	keyword_length+`1`);
1555	info_ptr->iccp_proflen =
1556	profile_length;
1557	info_ptr->iccp_profile = profile;
1558	png_ptr->read_buffer = NULL; /steal/
1559	info_ptr->free_me \|= PNG_FREE_ICCP;
1560	info_ptr->valid \|= PNG_INFO_iCCP;
1561	}
1562
1563	else
1564	{
1565	png_ptr->colorspace.flags \|=
1566	PNG_COLORSPACE_INVALID;
1567	errmsg = "out of memory";
1568	}
1569	}
1570
1571	/ else the profile remains in the read*
1572	* buffer which gets reused for subsequent
1573	* chunks.
1574	*/
1575
1576	if (info_ptr != NULL)
1577	png_colorspace_sync(png_ptr, info_ptr);
1578
1579	if (errmsg == NULL)
1580	{
1581	png_ptr->zowner = `0`;
1582	return;
1583	}
1584	}
1585	if (errmsg == NULL)
1586	errmsg = png_ptr->zstream.msg;
1587	}
1588	/ else png_icc_check_tag_table output an error /
1589	}
1590	else / profile truncated /
1591	errmsg = png_ptr->zstream.msg;
1592	}
1593
1594	else
1595	errmsg = "out of memory";
1596	}
1597
1598	/ else png_icc_check_header output an error /
1599	}
1600
1601	/ else png_icc_check_length output an error /
1602	}
1603
1604	else / profile truncated /
1605	errmsg = png_ptr->zstream.msg;
1606
1607	/ Release the stream /
1608	png_ptr->zowner = `0`;
1609	}
1610
1611	else / png_inflate_claim failed /
1612	errmsg = png_ptr->zstream.msg;
1613	}
1614
1615	else
1616	errmsg = "bad compression method"; / or missing /
1617	}
1618
1619	else
1620	errmsg = "bad keyword";
1621	}
1622
1623	else
1624	errmsg = "too many profiles";
1625
1626	/ Failure: the reason is in 'errmsg' /
1627	if (finished == `0`)
1628	png_crc_finish(png_ptr, length);
1629
1630	png_ptr->colorspace.flags \|= PNG_COLORSPACE_INVALID;
1631	png_colorspace_sync(png_ptr, info_ptr);
1632	if (errmsg != NULL) / else already output /
1633	png_chunk_benign_error(png_ptr, errmsg);
1634	}
1635	#endif /* READ_iCCP */
1636
1637	#ifdef PNG_READ_sPLT_SUPPORTED
1638	void / PRIVATE /
1639	png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1640	/ Note: this does not properly handle chunks that are > 64K under DOS /
1641	{
1642	png_bytep entry_start, buffer;
1643	png_sPLT_t new_palette;
1644	png_sPLT_entryp pp;
1645	png_uint_32 data_length;
1646	int entry_size, i;
1647	png_uint_32 skip = `0`;
1648	png_uint_32 dl;
1649	size_t max_dl;
1650
1651	png_debug(`1`, "in png_handle_sPLT");
1652
1653	#ifdef PNG_USER_LIMITS_SUPPORTED
1654	if (png_ptr->user_chunk_cache_max != `0`)
1655	{
1656	if (png_ptr->user_chunk_cache_max == `1`)
1657	{
1658	png_crc_finish(png_ptr, length);
1659	return;
1660	}
1661
1662	if (--png_ptr->user_chunk_cache_max == `1`)
1663	{
1664	png_warning(png_ptr, "No space in chunk cache for sPLT");
1665	png_crc_finish(png_ptr, length);
1666	return;
1667	}
1668	}
1669	#endif
1670
1671	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1672	png_chunk_error(png_ptr, "missing IHDR");
1673
1674	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
1675	{
1676	png_crc_finish(png_ptr, length);
1677	png_chunk_benign_error(png_ptr, "out of place");
1678	return;
1679	}
1680
1681	#ifdef PNG_MAX_MALLOC_64K
1682	if (length > `65535U`)
1683	{
1684	png_crc_finish(png_ptr, length);
1685	png_chunk_benign_error(png_ptr, "too large to fit in memory");
1686	return;
1687	}
1688	#endif
1689
1690	buffer = png_read_buffer(png_ptr, length+`1`, `2`/silent/);
1691	if (buffer == NULL)
1692	{
1693	png_crc_finish(png_ptr, length);
1694	png_chunk_benign_error(png_ptr, "out of memory");
1695	return;
1696	}
1697
1698
1699	/ WARNING: this may break if size_t is less than 32 bits; it is assumed*
1700	* that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
1701	* potential breakage point if the types in pngconf.h aren't exactly right.
1702	*/
1703	png_crc_read(png_ptr, buffer, length);
1704
1705	if (png_crc_finish(png_ptr, skip) != `0`)
1706	return;
1707
1708	buffer[length] = `0`;
1709
1710	for (entry_start = buffer; *entry_start; entry_start++)
1711	/ Empty loop to find end of name / ;
1712
1713	++entry_start;
1714
1715	/ A sample depth should follow the separator, and we should be on it /
1716	if (length < `2U` \|\| entry_start > buffer + (length - `2U`))
1717	{
1718	png_warning(png_ptr, "malformed sPLT chunk");
1719	return;
1720	}
1721
1722	new_palette.depth = *entry_start++;
1723	entry_size = (new_palette.depth == `8` ? `6` : `10`);
1724	/ This must fit in a png_uint_32 because it is derived from the original*
1725	* chunk data length.
1726	*/
1727	data_length = length - (png_uint_32)(entry_start - buffer);
1728
1729	/ Integrity-check the data length /
1730	if ((data_length % (unsigned int)entry_size) != `0`)
1731	{
1732	png_warning(png_ptr, "sPLT chunk has bad length");
1733	return;
1734	}
1735
1736	dl = (png_uint_32)(data_length / (unsigned int)entry_size);
1737	max_dl = PNG_SIZE_MAX / (sizeof (png_sPLT_entry));
1738
1739	if (dl > max_dl)
1740	{
1741	png_warning(png_ptr, "sPLT chunk too long");
1742	return;
1743	}
1744
1745	new_palette.nentries = (png_int_32)(data_length / (unsigned int)entry_size);
1746
1747	new_palette.entries = (png_sPLT_entryp)png_malloc_warn(png_ptr,
1748	(png_alloc_size_t) new_palette.nentries * (sizeof (png_sPLT_entry)));
1749
1750	if (new_palette.entries == NULL)
1751	{
1752	png_warning(png_ptr, "sPLT chunk requires too much memory");
1753	return;
1754	}
1755
1756	#ifdef PNG_POINTER_INDEXING_SUPPORTED
1757	for (i = `0`; i < new_palette.nentries; i++)
1758	{
1759	pp = new_palette.entries + i;
1760
1761	if (new_palette.depth == `8`)
1762	{
1763	pp->red = *entry_start++;
1764	pp->green = *entry_start++;
1765	pp->blue = *entry_start++;
1766	pp->alpha = *entry_start++;
1767	}
1768
1769	else
1770	{
1771	pp->red = png_get_uint_16(entry_start); entry_start += `2`;
1772	pp->green = png_get_uint_16(entry_start); entry_start += `2`;
1773	pp->blue = png_get_uint_16(entry_start); entry_start += `2`;
1774	pp->alpha = png_get_uint_16(entry_start); entry_start += `2`;
1775	}
1776
1777	pp->frequency = png_get_uint_16(entry_start); entry_start += `2`;
1778	}
1779	#else
1780	pp = new_palette.entries;
1781
1782	for (i = `0`; i < new_palette.nentries; i++)
1783	{
1784
1785	if (new_palette.depth == `8`)
1786	{
1787	pp[i].red = *entry_start++;
1788	pp[i].green = *entry_start++;
1789	pp[i].blue = *entry_start++;
1790	pp[i].alpha = *entry_start++;
1791	}
1792
1793	else
1794	{
1795	pp[i].red = png_get_uint_16(entry_start); entry_start += `2`;
1796	pp[i].green = png_get_uint_16(entry_start); entry_start += `2`;
1797	pp[i].blue = png_get_uint_16(entry_start); entry_start += `2`;
1798	pp[i].alpha = png_get_uint_16(entry_start); entry_start += `2`;
1799	}
1800
1801	pp[i].frequency = png_get_uint_16(entry_start); entry_start += `2`;
1802	}
1803	#endif
1804
1805	/ Discard all chunk data except the name and stash that /
1806	new_palette.name = (png_charp)buffer;
1807
1808	png_set_sPLT(png_ptr, info_ptr, &new_palette, `1`);
1809
1810	png_free(png_ptr, new_palette.entries);
1811	}
1812	#endif /* READ_sPLT */
1813
1814	#ifdef PNG_READ_tRNS_SUPPORTED
1815	void / PRIVATE /
1816	png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1817	{
1818	png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
1819
1820	png_debug(`1`, "in png_handle_tRNS");
1821
1822	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1823	png_chunk_error(png_ptr, "missing IHDR");
1824
1825	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
1826	{
1827	png_crc_finish(png_ptr, length);
1828	png_chunk_benign_error(png_ptr, "out of place");
1829	return;
1830	}
1831
1832	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != `0`)
1833	{
1834	png_crc_finish(png_ptr, length);
1835	png_chunk_benign_error(png_ptr, "duplicate");
1836	return;
1837	}
1838
1839	if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
1840	{
1841	png_byte buf[`2`];
1842
1843	if (length != `2`)
1844	{
1845	png_crc_finish(png_ptr, length);
1846	png_chunk_benign_error(png_ptr, "invalid");
1847	return;
1848	}
1849
1850	png_crc_read(png_ptr, buf, `2`);
1851	png_ptr->num_trans = `1`;
1852	png_ptr->trans_color.gray = png_get_uint_16(buf);
1853	}
1854
1855	else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
1856	{
1857	png_byte buf[`6`];
1858
1859	if (length != `6`)
1860	{
1861	png_crc_finish(png_ptr, length);
1862	png_chunk_benign_error(png_ptr, "invalid");
1863	return;
1864	}
1865
1866	png_crc_read(png_ptr, buf, length);
1867	png_ptr->num_trans = `1`;
1868	png_ptr->trans_color.red = png_get_uint_16(buf);
1869	png_ptr->trans_color.green = png_get_uint_16(buf + `2`);
1870	png_ptr->trans_color.blue = png_get_uint_16(buf + `4`);
1871	}
1872
1873	else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1874	{
1875	if ((png_ptr->mode & PNG_HAVE_PLTE) == `0`)
1876	{
1877	/ TODO: is this actually an error in the ISO spec? /
1878	png_crc_finish(png_ptr, length);
1879	png_chunk_benign_error(png_ptr, "out of place");
1880	return;
1881	}
1882
1883	if (length > (unsigned int) png_ptr->num_palette \|\|
1884	length > (unsigned int) PNG_MAX_PALETTE_LENGTH \|\|
1885	length == `0`)
1886	{
1887	png_crc_finish(png_ptr, length);
1888	png_chunk_benign_error(png_ptr, "invalid");
1889	return;
1890	}
1891
1892	png_crc_read(png_ptr, readbuf, length);
1893	png_ptr->num_trans = (png_uint_16)length;
1894	}
1895
1896	else
1897	{
1898	png_crc_finish(png_ptr, length);
1899	png_chunk_benign_error(png_ptr, "invalid with alpha channel");
1900	return;
1901	}
1902
1903	if (png_crc_finish(png_ptr, `0`) != `0`)
1904	{
1905	png_ptr->num_trans = `0`;
1906	return;
1907	}
1908
1909	/ TODO: this is a horrible side effect in the palette case because the*
1910	* png_struct ends up with a pointer to the tRNS buffer owned by the
1911	* png_info. Fix this.
1912	*/
1913	png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
1914	&(png_ptr->trans_color));
1915	}
1916	#endif
1917
1918	#ifdef PNG_READ_bKGD_SUPPORTED
1919	void / PRIVATE /
1920	png_handle_bKGD(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1921	{
1922	unsigned int truelen;
1923	png_byte buf[`6`];
1924	png_color_16 background;
1925
1926	png_debug(`1`, "in png_handle_bKGD");
1927
1928	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1929	png_chunk_error(png_ptr, "missing IHDR");
1930
1931	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0` \|\|
1932	(png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
1933	(png_ptr->mode & PNG_HAVE_PLTE) == `0`))
1934	{
1935	png_crc_finish(png_ptr, length);
1936	png_chunk_benign_error(png_ptr, "out of place");
1937	return;
1938	}
1939
1940	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != `0`)
1941	{
1942	png_crc_finish(png_ptr, length);
1943	png_chunk_benign_error(png_ptr, "duplicate");
1944	return;
1945	}
1946
1947	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1948	truelen = `1`;
1949
1950	else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != `0`)
1951	truelen = `6`;
1952
1953	else
1954	truelen = `2`;
1955
1956	if (length != truelen)
1957	{
1958	png_crc_finish(png_ptr, length);
1959	png_chunk_benign_error(png_ptr, "invalid");
1960	return;
1961	}
1962
1963	png_crc_read(png_ptr, buf, truelen);
1964
1965	if (png_crc_finish(png_ptr, `0`) != `0`)
1966	return;
1967
1968	/ We convert the index value into RGB components so that we can allow*
1969	* arbitrary RGB values for background when we have transparency, and
1970	* so it is easy to determine the RGB values of the background color
1971	* from the info_ptr struct.
1972	*/
1973	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1974	{
1975	background.index = buf[`0`];
1976
1977	if (info_ptr != NULL && info_ptr->num_palette != `0`)
1978	{
1979	if (buf[`0`] >= info_ptr->num_palette)
1980	{
1981	png_chunk_benign_error(png_ptr, "invalid index");
1982	return;
1983	}
1984
1985	background.red = (png_uint_16)png_ptr->palette[buf[`0`]].red;
1986	background.green = (png_uint_16)png_ptr->palette[buf[`0`]].green;
1987	background.blue = (png_uint_16)png_ptr->palette[buf[`0`]].blue;
1988	}
1989
1990	else
1991	background.red = background.green = background.blue = `0`;
1992
1993	background.gray = `0`;
1994	}
1995
1996	else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == `0`) / GRAY /
1997	{
1998	if (png_ptr->bit_depth <= `8`)
1999	{
2000	if (buf[`0`] != `0` \|\| buf[`1`] >= (unsigned int)(`1` << png_ptr->bit_depth))
2001	{
2002	png_chunk_benign_error(png_ptr, "invalid gray level");
2003	return;
2004	}
2005	}
2006
2007	background.index = `0`;
2008	background.red =
2009	background.green =
2010	background.blue =
2011	background.gray = png_get_uint_16(buf);
2012	}
2013
2014	else
2015	{
2016	if (png_ptr->bit_depth <= `8`)
2017	{
2018	if (buf[`0`] != `0` \|\| buf[`2`] != `0` \|\| buf[`4`] != `0`)
2019	{
2020	png_chunk_benign_error(png_ptr, "invalid color");
2021	return;
2022	}
2023	}
2024
2025	background.index = `0`;
2026	background.red = png_get_uint_16(buf);
2027	background.green = png_get_uint_16(buf + `2`);
2028	background.blue = png_get_uint_16(buf + `4`);
2029	background.gray = `0`;
2030	}
2031
2032	png_set_bKGD(png_ptr, info_ptr, &background);
2033	}
2034	#endif
2035
2036	#ifdef PNG_READ_eXIf_SUPPORTED
2037	void / PRIVATE /
2038	png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2039	{
2040	unsigned int i;
2041
2042	png_debug(`1`, "in png_handle_eXIf");
2043
2044	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2045	png_chunk_error(png_ptr, "missing IHDR");
2046
2047	if (length < `2`)
2048	{
2049	png_crc_finish(png_ptr, length);
2050	png_chunk_benign_error(png_ptr, "too short");
2051	return;
2052	}
2053
2054	else if (info_ptr == NULL \|\| (info_ptr->valid & PNG_INFO_eXIf) != `0`)
2055	{
2056	png_crc_finish(png_ptr, length);
2057	png_chunk_benign_error(png_ptr, "duplicate");
2058	return;
2059	}
2060
2061	info_ptr->free_me \|= PNG_FREE_EXIF;
2062
2063	info_ptr->eXIf_buf = png_voidcast(png_bytep,
2064	png_malloc_warn(png_ptr, length));
2065
2066	if (info_ptr->eXIf_buf == NULL)
2067	{
2068	png_crc_finish(png_ptr, length);
2069	png_chunk_benign_error(png_ptr, "out of memory");
2070	return;
2071	}
2072
2073	for (i = `0`; i < length; i++)
2074	{
2075	png_byte buf[`1`];
2076	png_crc_read(png_ptr, buf, `1`);
2077	info_ptr->eXIf_buf[i] = buf[`0`];
2078	if (i == `1` && buf[`0`] != `'M'` && buf[`0`] != `'I'`
2079	&& info_ptr->eXIf_buf[`0`] != buf[`0`])
2080	{
2081	png_crc_finish(png_ptr, length-i-`1`);
2082	png_chunk_benign_error(png_ptr, "incorrect byte-order specifier");
2083	png_free(png_ptr, info_ptr->eXIf_buf);
2084	info_ptr->eXIf_buf = NULL;
2085	return;
2086	}
2087	}
2088
2089	if (png_crc_finish(png_ptr, `0`) == `0`)
2090	png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
2091
2092	png_free(png_ptr, info_ptr->eXIf_buf);
2093	info_ptr->eXIf_buf = NULL;
2094	}
2095	#endif
2096
2097	#ifdef PNG_READ_hIST_SUPPORTED
2098	void / PRIVATE /
2099	png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2100	{
2101	unsigned int num, i;
2102	png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
2103
2104	png_debug(`1`, "in png_handle_hIST");
2105
2106	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2107	png_chunk_error(png_ptr, "missing IHDR");
2108
2109	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0` \|\|
2110	(png_ptr->mode & PNG_HAVE_PLTE) == `0`)
2111	{
2112	png_crc_finish(png_ptr, length);
2113	png_chunk_benign_error(png_ptr, "out of place");
2114	return;
2115	}
2116
2117	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != `0`)
2118	{
2119	png_crc_finish(png_ptr, length);
2120	png_chunk_benign_error(png_ptr, "duplicate");
2121	return;
2122	}
2123
2124	num = length / `2` ;
2125
2126	if (num != (unsigned int) png_ptr->num_palette \|\|
2127	num > (unsigned int) PNG_MAX_PALETTE_LENGTH)
2128	{
2129	png_crc_finish(png_ptr, length);
2130	png_chunk_benign_error(png_ptr, "invalid");
2131	return;
2132	}
2133
2134	for (i = `0`; i < num; i++)
2135	{
2136	png_byte buf[`2`];
2137
2138	png_crc_read(png_ptr, buf, `2`);
2139	readbuf[i] = png_get_uint_16(buf);
2140	}
2141
2142	if (png_crc_finish(png_ptr, `0`) != `0`)
2143	return;
2144
2145	png_set_hIST(png_ptr, info_ptr, readbuf);
2146	}
2147	#endif
2148
2149	#ifdef PNG_READ_pHYs_SUPPORTED
2150	void / PRIVATE /
2151	png_handle_pHYs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2152	{
2153	png_byte buf[`9`];
2154	png_uint_32 res_x, res_y;
2155	int unit_type;
2156
2157	png_debug(`1`, "in png_handle_pHYs");
2158
2159	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2160	png_chunk_error(png_ptr, "missing IHDR");
2161
2162	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2163	{
2164	png_crc_finish(png_ptr, length);
2165	png_chunk_benign_error(png_ptr, "out of place");
2166	return;
2167	}
2168
2169	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs) != `0`)
2170	{
2171	png_crc_finish(png_ptr, length);
2172	png_chunk_benign_error(png_ptr, "duplicate");
2173	return;
2174	}
2175
2176	if (length != `9`)
2177	{
2178	png_crc_finish(png_ptr, length);
2179	png_chunk_benign_error(png_ptr, "invalid");
2180	return;
2181	}
2182
2183	png_crc_read(png_ptr, buf, `9`);
2184
2185	if (png_crc_finish(png_ptr, `0`) != `0`)
2186	return;
2187
2188	res_x = png_get_uint_32(buf);
2189	res_y = png_get_uint_32(buf + `4`);
2190	unit_type = buf[`8`];
2191	png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type);
2192	}
2193	#endif
2194
2195	#ifdef PNG_READ_oFFs_SUPPORTED
2196	void / PRIVATE /
2197	png_handle_oFFs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2198	{
2199	png_byte buf[`9`];
2200	png_int_32 offset_x, offset_y;
2201	int unit_type;
2202
2203	png_debug(`1`, "in png_handle_oFFs");
2204
2205	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2206	png_chunk_error(png_ptr, "missing IHDR");
2207
2208	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2209	{
2210	png_crc_finish(png_ptr, length);
2211	png_chunk_benign_error(png_ptr, "out of place");
2212	return;
2213	}
2214
2215	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs) != `0`)
2216	{
2217	png_crc_finish(png_ptr, length);
2218	png_chunk_benign_error(png_ptr, "duplicate");
2219	return;
2220	}
2221
2222	if (length != `9`)
2223	{
2224	png_crc_finish(png_ptr, length);
2225	png_chunk_benign_error(png_ptr, "invalid");
2226	return;
2227	}
2228
2229	png_crc_read(png_ptr, buf, `9`);
2230
2231	if (png_crc_finish(png_ptr, `0`) != `0`)
2232	return;
2233
2234	offset_x = png_get_int_32(buf);
2235	offset_y = png_get_int_32(buf + `4`);
2236	unit_type = buf[`8`];
2237	png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type);
2238	}
2239	#endif
2240
2241	#ifdef PNG_READ_pCAL_SUPPORTED
2242	/ Read the pCAL chunk (described in the PNG Extensions document) /
2243	void / PRIVATE /
2244	png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2245	{
2246	png_int_32 X0, X1;
2247	png_byte type, nparams;
2248	png_bytep buffer, buf, units, endptr;
2249	png_charpp params;
2250	int i;
2251
2252	png_debug(`1`, "in png_handle_pCAL");
2253
2254	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2255	png_chunk_error(png_ptr, "missing IHDR");
2256
2257	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2258	{
2259	png_crc_finish(png_ptr, length);
2260	png_chunk_benign_error(png_ptr, "out of place");
2261	return;
2262	}
2263
2264	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL) != `0`)
2265	{
2266	png_crc_finish(png_ptr, length);
2267	png_chunk_benign_error(png_ptr, "duplicate");
2268	return;
2269	}
2270
2271	png_debug1(`2`, "Allocating and reading pCAL chunk data (%u bytes)",
2272	length + `1`);
2273
2274	buffer = png_read_buffer(png_ptr, length+`1`, `2`/silent/);
2275
2276	if (buffer == NULL)
2277	{
2278	png_crc_finish(png_ptr, length);
2279	png_chunk_benign_error(png_ptr, "out of memory");
2280	return;
2281	}
2282
2283	png_crc_read(png_ptr, buffer, length);
2284
2285	if (png_crc_finish(png_ptr, `0`) != `0`)
2286	return;
2287
2288	buffer[length] = `0`; / Null terminate the last string /
2289
2290	png_debug(`3`, "Finding end of pCAL purpose string");
2291	for (buf = buffer; *buf; buf++)
2292	/ Empty loop / ;
2293
2294	endptr = buffer + length;
2295
2296	/ We need to have at least 12 bytes after the purpose string*
2297	* in order to get the parameter information.
2298	*/
2299	if (endptr - buf <= `12`)
2300	{
2301	png_chunk_benign_error(png_ptr, "invalid");
2302	return;
2303	}
2304
2305	png_debug(`3`, "Reading pCAL X0, X1, type, nparams, and units");
2306	X0 = png_get_int_32((png_bytep)buf+`1`);
2307	X1 = png_get_int_32((png_bytep)buf+`5`);
2308	type = buf[`9`];
2309	nparams = buf[`10`];
2310	units = buf + `11`;
2311
2312	png_debug(`3`, "Checking pCAL equation type and number of parameters");
2313	/ Check that we have the right number of parameters for known*
2314	* equation types.
2315	*/
2316	if ((type == PNG_EQUATION_LINEAR && nparams != `2`) \|\|
2317	(type == PNG_EQUATION_BASE_E && nparams != `3`) \|\|
2318	(type == PNG_EQUATION_ARBITRARY && nparams != `3`) \|\|
2319	(type == PNG_EQUATION_HYPERBOLIC && nparams != `4`))
2320	{
2321	png_chunk_benign_error(png_ptr, "invalid parameter count");
2322	return;
2323	}
2324
2325	else if (type >= PNG_EQUATION_LAST)
2326	{
2327	png_chunk_benign_error(png_ptr, "unrecognized equation type");
2328	}
2329
2330	for (buf = units; *buf; buf++)
2331	/ Empty loop to move past the units string. / ;
2332
2333	png_debug(`3`, "Allocating pCAL parameters array");
2334
2335	params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
2336	nparams * (sizeof (png_charp))));
2337
2338	if (params == NULL)
2339	{
2340	png_chunk_benign_error(png_ptr, "out of memory");
2341	return;
2342	}
2343
2344	/ Get pointers to the start of each parameter string. /
2345	for (i = `0`; i < nparams; i++)
2346	{
2347	buf++; / Skip the null string terminator from previous parameter. /
2348
2349	png_debug1(`3`, "Reading pCAL parameter %d", i);
2350
2351	for (params[i] = (png_charp)buf; buf <= endptr && *buf != `0`; buf++)
2352	/ Empty loop to move past each parameter string / ;
2353
2354	/ Make sure we haven't run out of data yet /
2355	if (buf > endptr)
2356	{
2357	png_free(png_ptr, params);
2358	png_chunk_benign_error(png_ptr, "invalid data");
2359	return;
2360	}
2361	}
2362
2363	png_set_pCAL(png_ptr, info_ptr, (png_charp)buffer, X0, X1, type, nparams,
2364	(png_charp)units, params);
2365
2366	png_free(png_ptr, params);
2367	}
2368	#endif
2369
2370	#ifdef PNG_READ_sCAL_SUPPORTED
2371	/ Read the sCAL chunk /
2372	void / PRIVATE /
2373	png_handle_sCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2374	{
2375	png_bytep buffer;
2376	size_t i;
2377	int state;
2378
2379	png_debug(`1`, "in png_handle_sCAL");
2380
2381	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2382	png_chunk_error(png_ptr, "missing IHDR");
2383
2384	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2385	{
2386	png_crc_finish(png_ptr, length);
2387	png_chunk_benign_error(png_ptr, "out of place");
2388	return;
2389	}
2390
2391	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL) != `0`)
2392	{
2393	png_crc_finish(png_ptr, length);
2394	png_chunk_benign_error(png_ptr, "duplicate");
2395	return;
2396	}
2397
2398	/ Need unit type, width, \0, height: minimum 4 bytes /
2399	else if (length < `4`)
2400	{
2401	png_crc_finish(png_ptr, length);
2402	png_chunk_benign_error(png_ptr, "invalid");
2403	return;
2404	}
2405
2406	png_debug1(`2`, "Allocating and reading sCAL chunk data (%u bytes)",
2407	length + `1`);
2408
2409	buffer = png_read_buffer(png_ptr, length+`1`, `2`/silent/);
2410
2411	if (buffer == NULL)
2412	{
2413	png_chunk_benign_error(png_ptr, "out of memory");
2414	png_crc_finish(png_ptr, length);
2415	return;
2416	}
2417
2418	png_crc_read(png_ptr, buffer, length);
2419	buffer[length] = `0`; / Null terminate the last string /
2420
2421	if (png_crc_finish(png_ptr, `0`) != `0`)
2422	return;
2423
2424	/ Validate the unit. /
2425	if (buffer[`0`] != `1` && buffer[`0`] != `2`)
2426	{
2427	png_chunk_benign_error(png_ptr, "invalid unit");
2428	return;
2429	}
2430
2431	/ Validate the ASCII numbers, need two ASCII numbers separated by*
2432	* a '\0' and they need to fit exactly in the chunk data.
2433	*/
2434	i = `1`;
2435	state = `0`;
2436
2437	if (png_check_fp_number((png_const_charp)buffer, length, &state, &i) == `0` \|\|
2438	i >= length \|\| buffer[i++] != `0`)
2439	png_chunk_benign_error(png_ptr, "bad width format");
2440
2441	else if (PNG_FP_IS_POSITIVE(state) == `0`)
2442	png_chunk_benign_error(png_ptr, "non-positive width");
2443
2444	else
2445	{
2446	size_t heighti = i;
2447
2448	state = `0`;
2449	if (png_check_fp_number((png_const_charp)buffer, length,
2450	&state, &i) == `0` \|\| i != length)
2451	png_chunk_benign_error(png_ptr, "bad height format");
2452
2453	else if (PNG_FP_IS_POSITIVE(state) == `0`)
2454	png_chunk_benign_error(png_ptr, "non-positive height");
2455
2456	else
2457	/ This is the (only) success case. /
2458	png_set_sCAL_s(png_ptr, info_ptr, buffer[`0`],
2459	(png_charp)buffer+`1`, (png_charp)buffer+heighti);
2460	}
2461	}
2462	#endif
2463
2464	#ifdef PNG_READ_tIME_SUPPORTED
2465	void / PRIVATE /
2466	png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2467	{
2468	png_byte buf[`7`];
2469	png_time mod_time;
2470
2471	png_debug(`1`, "in png_handle_tIME");
2472
2473	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2474	png_chunk_error(png_ptr, "missing IHDR");
2475
2476	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME) != `0`)
2477	{
2478	png_crc_finish(png_ptr, length);
2479	png_chunk_benign_error(png_ptr, "duplicate");
2480	return;
2481	}
2482
2483	if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2484	png_ptr->mode \|= PNG_AFTER_IDAT;
2485
2486	if (length != `7`)
2487	{
2488	png_crc_finish(png_ptr, length);
2489	png_chunk_benign_error(png_ptr, "invalid");
2490	return;
2491	}
2492
2493	png_crc_read(png_ptr, buf, `7`);
2494
2495	if (png_crc_finish(png_ptr, `0`) != `0`)
2496	return;
2497
2498	mod_time.second = buf[`6`];
2499	mod_time.minute = buf[`5`];
2500	mod_time.hour = buf[`4`];
2501	mod_time.day = buf[`3`];
2502	mod_time.month = buf[`2`];
2503	mod_time.year = png_get_uint_16(buf);
2504
2505	png_set_tIME(png_ptr, info_ptr, &mod_time);
2506	}
2507	#endif
2508
2509	#ifdef PNG_READ_tEXt_SUPPORTED
2510	/ Note: this does not properly handle chunks that are > 64K under DOS /
2511	void / PRIVATE /
2512	png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2513	{
2514	png_text text_info;
2515	png_bytep buffer;
2516	png_charp key;
2517	png_charp text;
2518	png_uint_32 skip = `0`;
2519
2520	png_debug(`1`, "in png_handle_tEXt");
2521
2522	#ifdef PNG_USER_LIMITS_SUPPORTED
2523	if (png_ptr->user_chunk_cache_max != `0`)
2524	{
2525	if (png_ptr->user_chunk_cache_max == `1`)
2526	{
2527	png_crc_finish(png_ptr, length);
2528	return;
2529	}
2530
2531	if (--png_ptr->user_chunk_cache_max == `1`)
2532	{
2533	png_crc_finish(png_ptr, length);
2534	png_chunk_benign_error(png_ptr, "no space in chunk cache");
2535	return;
2536	}
2537	}
2538	#endif
2539
2540	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2541	png_chunk_error(png_ptr, "missing IHDR");
2542
2543	if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2544	png_ptr->mode \|= PNG_AFTER_IDAT;
2545
2546	#ifdef PNG_MAX_MALLOC_64K
2547	if (length > `65535U`)
2548	{
2549	png_crc_finish(png_ptr, length);
2550	png_chunk_benign_error(png_ptr, "too large to fit in memory");
2551	return;
2552	}
2553	#endif
2554
2555	buffer = png_read_buffer(png_ptr, length+`1`, `1`/warn/);
2556
2557	if (buffer == NULL)
2558	{
2559	png_chunk_benign_error(png_ptr, "out of memory");
2560	return;
2561	}
2562
2563	png_crc_read(png_ptr, buffer, length);
2564
2565	if (png_crc_finish(png_ptr, skip) != `0`)
2566	return;
2567
2568	key = (png_charp)buffer;
2569	key[length] = `0`;
2570
2571	for (text = key; *text; text++)
2572	/ Empty loop to find end of key / ;
2573
2574	if (text != key + length)
2575	text++;
2576
2577	text_info.compression = PNG_TEXT_COMPRESSION_NONE;
2578	text_info.key = key;
2579	text_info.lang = NULL;
2580	text_info.lang_key = NULL;
2581	text_info.itxt_length = `0`;
2582	text_info.text = text;
2583	text_info.text_length = strlen(text);
2584
2585	if (png_set_text_2(png_ptr, info_ptr, &text_info, `1`) != `0`)
2586	png_warning(png_ptr, "Insufficient memory to process text chunk");
2587	}
2588	#endif
2589
2590	#ifdef PNG_READ_zTXt_SUPPORTED
2591	/ Note: this does not correctly handle chunks that are > 64K under DOS /
2592	void / PRIVATE /
2593	png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2594	{
2595	png_const_charp errmsg = NULL;
2596	png_bytep buffer;
2597	png_uint_32 keyword_length;
2598
2599	png_debug(`1`, "in png_handle_zTXt");
2600
2601	#ifdef PNG_USER_LIMITS_SUPPORTED
2602	if (png_ptr->user_chunk_cache_max != `0`)
2603	{
2604	if (png_ptr->user_chunk_cache_max == `1`)
2605	{
2606	png_crc_finish(png_ptr, length);
2607	return;
2608	}
2609
2610	if (--png_ptr->user_chunk_cache_max == `1`)
2611	{
2612	png_crc_finish(png_ptr, length);
2613	png_chunk_benign_error(png_ptr, "no space in chunk cache");
2614	return;
2615	}
2616	}
2617	#endif
2618
2619	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2620	png_chunk_error(png_ptr, "missing IHDR");
2621
2622	if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2623	png_ptr->mode \|= PNG_AFTER_IDAT;
2624
2625	/ Note, "length" is sufficient here; we won't be adding*
2626	* a null terminator later.
2627	*/
2628	buffer = png_read_buffer(png_ptr, length, `2`/silent/);
2629
2630	if (buffer == NULL)
2631	{
2632	png_crc_finish(png_ptr, length);
2633	png_chunk_benign_error(png_ptr, "out of memory");
2634	return;
2635	}
2636
2637	png_crc_read(png_ptr, buffer, length);
2638
2639	if (png_crc_finish(png_ptr, `0`) != `0`)
2640	return;
2641
2642	/ TODO: also check that the keyword contents match the spec! /
2643	for (keyword_length = `0`;
2644	keyword_length < length && buffer[keyword_length] != `0`;
2645	++keyword_length)
2646	/ Empty loop to find end of name / ;
2647
2648	if (keyword_length > `79` \|\| keyword_length < `1`)
2649	errmsg = "bad keyword";
2650
2651	/ zTXt must have some LZ data after the keyword, although it may expand to*
2652	* zero bytes; we need a '\0' at the end of the keyword, the compression type
2653	* then the LZ data:
2654	*/
2655	else if (keyword_length + `3` > length)
2656	errmsg = "truncated";
2657
2658	else if (buffer[keyword_length+`1`] != PNG_COMPRESSION_TYPE_BASE)
2659	errmsg = "unknown compression type";
2660
2661	else
2662	{
2663	png_alloc_size_t uncompressed_length = PNG_SIZE_MAX;
2664
2665	/ TODO: at present png_decompress_chunk imposes a single application*
2666	* level memory limit, this should be split to different values for iCCP
2667	* and text chunks.
2668	*/
2669	if (png_decompress_chunk(png_ptr, length, keyword_length+`2`,
2670	&uncompressed_length, `1`/terminate/) == Z_STREAM_END)
2671	{
2672	png_text text;
2673
2674	if (png_ptr->read_buffer == NULL)
2675	errmsg="Read failure in png_handle_zTXt";
2676	else
2677	{
2678	/ It worked; png_ptr->read_buffer now looks like a tEXt chunk*
2679	* except for the extra compression type byte and the fact that
2680	* it isn't necessarily '\0' terminated.
2681	*/
2682	buffer = png_ptr->read_buffer;
2683	buffer[uncompressed_length+(keyword_length+`2`)] = `0`;
2684
2685	text.compression = PNG_TEXT_COMPRESSION_zTXt;
2686	text.key = (png_charp)buffer;
2687	text.text = (png_charp)(buffer + keyword_length+`2`);
2688	text.text_length = uncompressed_length;
2689	text.itxt_length = `0`;
2690	text.lang = NULL;
2691	text.lang_key = NULL;
2692
2693	if (png_set_text_2(png_ptr, info_ptr, &text, `1`) != `0`)
2694	errmsg = "insufficient memory";
2695	}
2696	}
2697
2698	else
2699	errmsg = png_ptr->zstream.msg;
2700	}
2701
2702	if (errmsg != NULL)
2703	png_chunk_benign_error(png_ptr, errmsg);
2704	}
2705	#endif
2706
2707	#ifdef PNG_READ_iTXt_SUPPORTED
2708	/ Note: this does not correctly handle chunks that are > 64K under DOS /
2709	void / PRIVATE /
2710	png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2711	{
2712	png_const_charp errmsg = NULL;
2713	png_bytep buffer;
2714	png_uint_32 prefix_length;
2715
2716	png_debug(`1`, "in png_handle_iTXt");
2717
2718	#ifdef PNG_USER_LIMITS_SUPPORTED
2719	if (png_ptr->user_chunk_cache_max != `0`)
2720	{
2721	if (png_ptr->user_chunk_cache_max == `1`)
2722	{
2723	png_crc_finish(png_ptr, length);
2724	return;
2725	}
2726
2727	if (--png_ptr->user_chunk_cache_max == `1`)
2728	{
2729	png_crc_finish(png_ptr, length);
2730	png_chunk_benign_error(png_ptr, "no space in chunk cache");
2731	return;
2732	}
2733	}
2734	#endif
2735
2736	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2737	png_chunk_error(png_ptr, "missing IHDR");
2738
2739	if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2740	png_ptr->mode \|= PNG_AFTER_IDAT;
2741
2742	buffer = png_read_buffer(png_ptr, length+`1`, `1`/warn/);
2743
2744	if (buffer == NULL)
2745	{
2746	png_crc_finish(png_ptr, length);
2747	png_chunk_benign_error(png_ptr, "out of memory");
2748	return;
2749	}
2750
2751	png_crc_read(png_ptr, buffer, length);
2752
2753	if (png_crc_finish(png_ptr, `0`) != `0`)
2754	return;
2755
2756	/ First the keyword. /
2757	for (prefix_length=`0`;
2758	prefix_length < length && buffer[prefix_length] != `0`;
2759	++prefix_length)
2760	/ Empty loop / ;
2761
2762	/ Perform a basic check on the keyword length here. /
2763	if (prefix_length > `79` \|\| prefix_length < `1`)
2764	errmsg = "bad keyword";
2765
2766	/ Expect keyword, compression flag, compression type, language, translated*
2767	* keyword (both may be empty but are 0 terminated) then the text, which may
2768	* be empty.
2769	*/
2770	else if (prefix_length + `5` > length)
2771	errmsg = "truncated";
2772
2773	else if (buffer[prefix_length+`1`] == `0` \|\|
2774	(buffer[prefix_length+`1`] == `1` &&
2775	buffer[prefix_length+`2`] == PNG_COMPRESSION_TYPE_BASE))
2776	{
2777	int compressed = buffer[prefix_length+`1`] != `0`;
2778	png_uint_32 language_offset, translated_keyword_offset;
2779	png_alloc_size_t uncompressed_length = `0`;
2780
2781	/ Now the language tag /
2782	prefix_length += `3`;
2783	language_offset = prefix_length;
2784
2785	for (; prefix_length < length && buffer[prefix_length] != `0`;
2786	++prefix_length)
2787	/ Empty loop / ;
2788
2789	/ WARNING: the length may be invalid here, this is checked below. /
2790	translated_keyword_offset = ++prefix_length;
2791
2792	for (; prefix_length < length && buffer[prefix_length] != `0`;
2793	++prefix_length)
2794	/ Empty loop / ;
2795
2796	/ prefix_length should now be at the trailing '\0' of the translated*
2797	* keyword, but it may already be over the end. None of this arithmetic
2798	* can overflow because chunks are at most 2^31 bytes long, but on 16-bit
2799	* systems the available allocation may overflow.
2800	*/
2801	++prefix_length;
2802
2803	if (compressed == `0` && prefix_length <= length)
2804	uncompressed_length = length - prefix_length;
2805
2806	else if (compressed != `0` && prefix_length < length)
2807	{
2808	uncompressed_length = PNG_SIZE_MAX;
2809
2810	/ TODO: at present png_decompress_chunk imposes a single application*
2811	* level memory limit, this should be split to different values for
2812	* iCCP and text chunks.
2813	*/
2814	if (png_decompress_chunk(png_ptr, length, prefix_length,
2815	&uncompressed_length, `1`/terminate/) == Z_STREAM_END)
2816	buffer = png_ptr->read_buffer;
2817
2818	else
2819	errmsg = png_ptr->zstream.msg;
2820	}
2821
2822	else
2823	errmsg = "truncated";
2824
2825	if (errmsg == NULL)
2826	{
2827	png_text text;
2828
2829	buffer[uncompressed_length+prefix_length] = `0`;
2830
2831	if (compressed == `0`)
2832	text.compression = PNG_ITXT_COMPRESSION_NONE;
2833
2834	else
2835	text.compression = PNG_ITXT_COMPRESSION_zTXt;
2836
2837	text.key = (png_charp)buffer;
2838	text.lang = (png_charp)buffer + language_offset;
2839	text.lang_key = (png_charp)buffer + translated_keyword_offset;
2840	text.text = (png_charp)buffer + prefix_length;
2841	text.text_length = `0`;
2842	text.itxt_length = uncompressed_length;
2843
2844	if (png_set_text_2(png_ptr, info_ptr, &text, `1`) != `0`)
2845	errmsg = "insufficient memory";
2846	}
2847	}
2848
2849	else
2850	errmsg = "bad compression info";
2851
2852	if (errmsg != NULL)
2853	png_chunk_benign_error(png_ptr, errmsg);
2854	}
2855	#endif
2856
2857	#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2858	/ Utility function for png_handle_unknown; set up png_ptr::unknown_chunk /
2859	static int
2860	png_cache_unknown_chunk(png_structrp png_ptr, png_uint_32 length)
2861	{
2862	png_alloc_size_t limit = PNG_SIZE_MAX;
2863
2864	if (png_ptr->unknown_chunk.data != NULL)
2865	{
2866	png_free(png_ptr, png_ptr->unknown_chunk.data);
2867	png_ptr->unknown_chunk.data = NULL;
2868	}
2869
2870	# ifdef PNG_SET_USER_LIMITS_SUPPORTED
2871	if (png_ptr->user_chunk_malloc_max > `0` &&
2872	png_ptr->user_chunk_malloc_max < limit)
2873	limit = png_ptr->user_chunk_malloc_max;
2874
2875	# elif PNG_USER_CHUNK_MALLOC_MAX > 0
2876	if (PNG_USER_CHUNK_MALLOC_MAX < limit)
2877	limit = PNG_USER_CHUNK_MALLOC_MAX;
2878	# endif
2879
2880	if (length <= limit)
2881	{
2882	PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name);
2883	/ The following is safe because of the PNG_SIZE_MAX init above /
2884	png_ptr->unknown_chunk.size = (size_t)length/SAFE/;
2885	/ 'mode' is a flag array, only the bottom four bits matter here /
2886	png_ptr->unknown_chunk.location = (png_byte)png_ptr->mode/SAFE/;
2887
2888	if (length == `0`)
2889	png_ptr->unknown_chunk.data = NULL;
2890
2891	else
2892	{
2893	/ Do a 'warn' here - it is handled below. /
2894	png_ptr->unknown_chunk.data = png_voidcast(png_bytep,
2895	png_malloc_warn(png_ptr, length));
2896	}
2897	}
2898
2899	if (png_ptr->unknown_chunk.data == NULL && length > `0`)
2900	{
2901	/ This is benign because we clean up correctly /
2902	png_crc_finish(png_ptr, length);
2903	png_chunk_benign_error(png_ptr, "unknown chunk exceeds memory limits");
2904	return `0`;
2905	}
2906
2907	else
2908	{
2909	if (length > `0`)
2910	png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length);
2911	png_crc_finish(png_ptr, `0`);
2912	return `1`;
2913	}
2914	}
2915	#endif /* READ_UNKNOWN_CHUNKS */
2916
2917	/ Handle an unknown, or known but disabled, chunk /
2918	void / PRIVATE /
2919	png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr,
2920	png_uint_32 length, int keep)
2921	{
2922	int handled = `0`; / the chunk was handled /
2923
2924	png_debug(`1`, "in png_handle_unknown");
2925
2926	#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2927	/ NOTE: this code is based on the code in libpng-1.4.12 except for fixing*
2928	* the bug which meant that setting a non-default behavior for a specific
2929	* chunk would be ignored (the default was always used unless a user
2930	* callback was installed).
2931	*
2932	* 'keep' is the value from the png_chunk_unknown_handling, the setting for
2933	* this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
2934	* will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
2935	* This is just an optimization to avoid multiple calls to the lookup
2936	* function.
2937	*/
2938	# ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2939	# ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2940	keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name);
2941	# endif
2942	# endif
2943
2944	/ One of the following methods will read the chunk or skip it (at least one*
2945	* of these is always defined because this is the only way to switch on
2946	* PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
2947	*/
2948	# ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2949	/ The user callback takes precedence over the chunk keep value, but the*
2950	* keep value is still required to validate a save of a critical chunk.
2951	*/
2952	if (png_ptr->read_user_chunk_fn != NULL)
2953	{
2954	if (png_cache_unknown_chunk(png_ptr, length) != `0`)
2955	{
2956	/ Callback to user unknown chunk handler /
2957	int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr,
2958	&png_ptr->unknown_chunk);
2959
2960	/ ret is:*
2961	* negative: An error occurred; png_chunk_error will be called.
2962	* zero: The chunk was not handled, the chunk will be discarded
2963	* unless png_set_keep_unknown_chunks has been used to set
2964	* a 'keep' behavior for this particular chunk, in which
2965	* case that will be used. A critical chunk will cause an
2966	* error at this point unless it is to be saved.
2967	* positive: The chunk was handled, libpng will ignore/discard it.
2968	*/
2969	if (ret < `0`)
2970	png_chunk_error(png_ptr, "error in user chunk");
2971
2972	else if (ret == `0`)
2973	{
2974	/ If the keep value is 'default' or 'never' override it, but*
2975	* still error out on critical chunks unless the keep value is
2976	* 'always' While this is weird it is the behavior in 1.4.12.
2977	* A possible improvement would be to obey the value set for the
2978	* chunk, but this would be an API change that would probably
2979	* damage some applications.
2980	*
2981	* The png_app_warning below catches the case that matters, where
2982	* the application has not set specific save or ignore for this
2983	* chunk or global save or ignore.
2984	*/
2985	if (keep < PNG_HANDLE_CHUNK_IF_SAFE)
2986	{
2987	# ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2988	if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE)
2989	{
2990	png_chunk_warning(png_ptr, "Saving unknown chunk:");
2991	png_app_warning(png_ptr,
2992	"forcing save of an unhandled chunk;"
2993	" please call png_set_keep_unknown_chunks");
2994	/ with keep = PNG_HANDLE_CHUNK_IF_SAFE /
2995	}
2996	# endif
2997	keep = PNG_HANDLE_CHUNK_IF_SAFE;
2998	}
2999	}
3000
3001	else / chunk was handled /
3002	{
3003	handled = `1`;
3004	/ Critical chunks can be safely discarded at this point. /
3005	keep = PNG_HANDLE_CHUNK_NEVER;
3006	}
3007	}
3008
3009	else
3010	keep = PNG_HANDLE_CHUNK_NEVER; / insufficient memory /
3011	}
3012
3013	else
3014	/ Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk /
3015	# endif /* READ_USER_CHUNKS */
3016
3017	# ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
3018	{
3019	/ keep is currently just the per-chunk setting, if there was no*
3020	* setting change it to the global default now (not that this may
3021	* still be AS_DEFAULT) then obtain the cache of the chunk if required,
3022	* if not simply skip the chunk.
3023	*/
3024	if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT)
3025	keep = png_ptr->unknown_default;
3026
3027	if (keep == PNG_HANDLE_CHUNK_ALWAYS \|\|
3028	(keep == PNG_HANDLE_CHUNK_IF_SAFE &&
3029	PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
3030	{
3031	if (png_cache_unknown_chunk(png_ptr, length) == `0`)
3032	keep = PNG_HANDLE_CHUNK_NEVER;
3033	}
3034
3035	else
3036	png_crc_finish(png_ptr, length);
3037	}
3038	# else
3039	# ifndef PNG_READ_USER_CHUNKS_SUPPORTED
3040	# error no method to support READ_UNKNOWN_CHUNKS
3041	# endif
3042
3043	{
3044	/ If here there is no read callback pointer set and no support is*
3045	* compiled in to just save the unknown chunks, so simply skip this
3046	* chunk. If 'keep' is something other than AS_DEFAULT or NEVER then
3047	* the app has erroneously asked for unknown chunk saving when there
3048	* is no support.
3049	*/
3050	if (keep > PNG_HANDLE_CHUNK_NEVER)
3051	png_app_error(png_ptr, "no unknown chunk support available");
3052
3053	png_crc_finish(png_ptr, length);
3054	}
3055	# endif
3056
3057	# ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
3058	/ Now store the chunk in the chunk list if appropriate, and if the limits*
3059	* permit it.
3060	*/
3061	if (keep == PNG_HANDLE_CHUNK_ALWAYS \|\|
3062	(keep == PNG_HANDLE_CHUNK_IF_SAFE &&
3063	PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
3064	{
3065	# ifdef PNG_USER_LIMITS_SUPPORTED
3066	switch (png_ptr->user_chunk_cache_max)
3067	{
3068	case `2`:
3069	png_ptr->user_chunk_cache_max = `1`;
3070	png_chunk_benign_error(png_ptr, "no space in chunk cache");
3071	/ FALLTHROUGH /
3072	case `1`:
3073	/ NOTE: prior to 1.6.0 this case resulted in an unknown critical*
3074	* chunk being skipped, now there will be a hard error below.
3075	*/
3076	break;
3077
3078	default: / not at limit /
3079	--(png_ptr->user_chunk_cache_max);
3080	/ FALLTHROUGH /
3081	case `0`: / no limit /
3082	# endif /* USER_LIMITS */
3083	/ Here when the limit isn't reached or when limits are compiled*
3084	* out; store the chunk.
3085	*/
3086	png_set_unknown_chunks(png_ptr, info_ptr,
3087	&png_ptr->unknown_chunk, `1`);
3088	handled = `1`;
3089	# ifdef PNG_USER_LIMITS_SUPPORTED
3090	break;
3091	}
3092	# endif
3093	}
3094	# else /* no store support: the chunk must be handled by the user callback */
3095	PNG_UNUSED(info_ptr)
3096	# endif
3097
3098	/ Regardless of the error handling below the cached data (if any) can be*
3099	* freed now. Notice that the data is not freed if there is a png_error, but
3100	* it will be freed by destroy_read_struct.
3101	*/
3102	if (png_ptr->unknown_chunk.data != NULL)
3103	png_free(png_ptr, png_ptr->unknown_chunk.data);
3104	png_ptr->unknown_chunk.data = NULL;
3105
3106	#else /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
3107	/ There is no support to read an unknown chunk, so just skip it. /
3108	png_crc_finish(png_ptr, length);
3109	PNG_UNUSED(info_ptr)
3110	PNG_UNUSED(keep)
3111	#endif /* !READ_UNKNOWN_CHUNKS */
3112
3113	/ Check for unhandled critical chunks /
3114	if (handled == `0` && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
3115	png_chunk_error(png_ptr, "unhandled critical chunk");
3116	}
3117
3118	/ This function is called to verify that a chunk name is valid.*
3119	* This function can't have the "critical chunk check" incorporated
3120	* into it, since in the future we will need to be able to call user
3121	* functions to handle unknown critical chunks after we check that
3122	* the chunk name itself is valid.
3123	*/
3124
3125	/ Bit hacking: the test for an invalid byte in the 4 byte chunk name is:*
3126	*
3127	* ((c) < 65 \|\| (c) > 122 \|\| ((c) > 90 && (c) < 97))
3128	*/
3129
3130	void / PRIVATE /
3131	png_check_chunk_name(png_const_structrp png_ptr, png_uint_32 chunk_name)
3132	{
3133	int i;
3134	png_uint_32 cn=chunk_name;
3135
3136	png_debug(`1`, "in png_check_chunk_name");
3137
3138	for (i=`1`; i<=`4`; ++i)
3139	{
3140	int c = cn & `0xff`;
3141
3142	if (c < `65` \|\| c > `122` \|\| (c > `90` && c < `97`))
3143	png_chunk_error(png_ptr, "invalid chunk type");
3144
3145	cn >>= `8`;
3146	}
3147	}
3148
3149	void / PRIVATE /
3150	png_check_chunk_length(png_const_structrp png_ptr, png_uint_32 length)
3151	{
3152	png_alloc_size_t limit = PNG_UINT_31_MAX;
3153
3154	# ifdef PNG_SET_USER_LIMITS_SUPPORTED
3155	if (png_ptr->user_chunk_malloc_max > `0` &&
3156	png_ptr->user_chunk_malloc_max < limit)
3157	limit = png_ptr->user_chunk_malloc_max;
3158	# elif PNG_USER_CHUNK_MALLOC_MAX > 0
3159	if (PNG_USER_CHUNK_MALLOC_MAX < limit)
3160	limit = PNG_USER_CHUNK_MALLOC_MAX;
3161	# endif
3162	if (png_ptr->chunk_name == png_IDAT)
3163	{
3164	png_alloc_size_t idat_limit = PNG_UINT_31_MAX;
3165	size_t row_factor =
3166	(size_t)png_ptr->width
3167	* (size_t)png_ptr->channels
3168	* (png_ptr->bit_depth > `8`? `2`: `1`)
3169	+ `1`
3170	+ (png_ptr->interlaced? `6`: `0`);
3171	if (png_ptr->height > PNG_UINT_32_MAX/row_factor)
3172	idat_limit = PNG_UINT_31_MAX;
3173	else
3174	idat_limit = png_ptr->height * row_factor;
3175	row_factor = row_factor > `32566`? `32566` : row_factor;
3176	idat_limit += `6` + `5`(idat_limit/row_factor+`1`); /* zlib+deflate overhead /
3177	idat_limit=idat_limit < PNG_UINT_31_MAX? idat_limit : PNG_UINT_31_MAX;
3178	limit = limit < idat_limit? idat_limit : limit;
3179	}
3180
3181	if (length > limit)
3182	{
3183	png_debug2(`0`," length = %lu, limit = %lu",
3184	(unsigned long)length,(unsigned long)limit);
3185	png_chunk_error(png_ptr, "chunk data is too large");
3186	}
3187	}
3188
3189	/ Combines the row recently read in with the existing pixels in the row. This*
3190	* routine takes care of alpha and transparency if requested. This routine also
3191	* handles the two methods of progressive display of interlaced images,
3192	* depending on the 'display' value; if 'display' is true then the whole row
3193	* (dp) is filled from the start by replicating the available pixels. If
3194	* 'display' is false only those pixels present in the pass are filled in.
3195	*/
3196	void / PRIVATE /
3197	png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
3198	{
3199	unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
3200	png_const_bytep sp = png_ptr->row_buf + `1`;
3201	png_alloc_size_t row_width = png_ptr->width;
3202	unsigned int pass = png_ptr->pass;
3203	png_bytep end_ptr = `0`;
3204	png_byte end_byte = `0`;
3205	unsigned int end_mask;
3206
3207	png_debug(`1`, "in png_combine_row");
3208
3209	/ Added in 1.5.6: it should not be possible to enter this routine until at*
3210	* least one row has been read from the PNG data and transformed.
3211	*/
3212	if (pixel_depth == `0`)
3213	png_error(png_ptr, "internal row logic error");
3214
3215	/ Added in 1.5.4: the pixel depth should match the information returned by*
3216	* any call to png_read_update_info at this point. Do not continue if we got
3217	* this wrong.
3218	*/
3219	if (png_ptr->info_rowbytes != `0` && png_ptr->info_rowbytes !=
3220	PNG_ROWBYTES(pixel_depth, row_width))
3221	png_error(png_ptr, "internal row size calculation error");
3222
3223	/ Don't expect this to ever happen: /
3224	if (row_width == `0`)
3225	png_error(png_ptr, "internal row width error");
3226
3227	/ Preserve the last byte in cases where only part of it will be overwritten,*
3228	* the multiply below may overflow, we don't care because ANSI-C guarantees
3229	* we get the low bits.
3230	*/
3231	end_mask = (pixel_depth * row_width) & `7`;
3232	if (end_mask != `0`)
3233	{
3234	/ end_ptr == NULL is a flag to say do nothing /
3235	end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - `1`;
3236	end_byte = *end_ptr;
3237	# ifdef PNG_READ_PACKSWAP_SUPPORTED
3238	if ((png_ptr->transformations & PNG_PACKSWAP) != `0`)
3239	/ little-endian byte /
3240	end_mask = (unsigned int)(`0xff` << end_mask);
3241
3242	else / big-endian byte /
3243	# endif
3244	end_mask = `0xff` >> end_mask;
3245	/ end_mask is now the bits to keep from the destination row /
3246	}
3247
3248	/ For non-interlaced images this reduces to a memcpy(). A memcpy()*
3249	* will also happen if interlacing isn't supported or if the application
3250	* does not call png_set_interlace_handling(). In the latter cases the
3251	* caller just gets a sequence of the unexpanded rows from each interlace
3252	* pass.
3253	*/
3254	#ifdef PNG_READ_INTERLACING_SUPPORTED
3255	if (png_ptr->interlaced != `0` &&
3256	(png_ptr->transformations & PNG_INTERLACE) != `0` &&
3257	pass < `6` && (display == `0` \|\|
3258	/ The following copies everything for 'display' on passes 0, 2 and 4. /
3259	(display == `1` && (pass & `1`) != `0`)))
3260	{
3261	/ Narrow images may have no bits in a pass; the caller should handle*
3262	* this, but this test is cheap:
3263	*/
3264	if (row_width <= PNG_PASS_START_COL(pass))
3265	return;
3266
3267	if (pixel_depth < `8`)
3268	{
3269	/ For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit*
3270	* into 32 bits, then a single loop over the bytes using the four byte
3271	* values in the 32-bit mask can be used. For the 'display' option the
3272	* expanded mask may also not require any masking within a byte. To
3273	* make this work the PACKSWAP option must be taken into account - it
3274	* simply requires the pixels to be reversed in each byte.
3275	*
3276	* The 'regular' case requires a mask for each of the first 6 passes,
3277	* the 'display' case does a copy for the even passes in the range
3278	* 0..6. This has already been handled in the test above.
3279	*
3280	* The masks are arranged as four bytes with the first byte to use in
3281	* the lowest bits (little-endian) regardless of the order (PACKSWAP or
3282	* not) of the pixels in each byte.
3283	*
3284	* NOTE: the whole of this logic depends on the caller of this function
3285	* only calling it on rows appropriate to the pass. This function only
3286	* understands the 'x' logic; the 'y' logic is handled by the caller.
3287	*
3288	* The following defines allow generation of compile time constant bit
3289	* masks for each pixel depth and each possibility of swapped or not
3290	* swapped bytes. Pass 'p' is in the range 0..6; 'x', a pixel index,
3291	* is in the range 0..7; and the result is 1 if the pixel is to be
3292	* copied in the pass, 0 if not. 'S' is for the sparkle method, 'B'
3293	* for the block method.
3294	*
3295	* With some compilers a compile time expression of the general form:
3296	*
3297	* (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
3298	*
3299	* Produces warnings with values of 'shift' in the range 33 to 63
3300	* because the right hand side of the ?: expression is evaluated by
3301	* the compiler even though it isn't used. Microsoft Visual C (various
3302	* versions) and the Intel C compiler are known to do this. To avoid
3303	* this the following macros are used in 1.5.6. This is a temporary
3304	* solution to avoid destabilizing the code during the release process.
3305	*/
3306	# if PNG_USE_COMPILE_TIME_MASKS
3307	# define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
3308	# define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
3309	# else
3310	# define PNG_LSR(x,s) ((x)>>(s))
3311	# define PNG_LSL(x,s) ((x)<<(s))
3312	# endif
3313	# define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
3314	PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
3315	# define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
3316	PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
3317
3318	/ Return a mask for pass 'p' pixel 'x' at depth 'd'. The mask is*
3319	* little endian - the first pixel is at bit 0 - however the extra
3320	* parameter 's' can be set to cause the mask position to be swapped
3321	* within each byte, to match the PNG format. This is done by XOR of
3322	* the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
3323	*/
3324	# define PIXEL_MASK(p,x,d,s) \
3325	(PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
3326
3327	/ Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.*
3328	*/
3329	# define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3330	# define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3331
3332	/ Combine 8 of these to get the full mask. For the 1-bpp and 2-bpp*
3333	* cases the result needs replicating, for the 4-bpp case the above
3334	* generates a full 32 bits.
3335	*/
3336	# define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
3337
3338	# define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
3339	S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
3340	S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
3341
3342	# define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
3343	B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
3344	B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
3345
3346	#if PNG_USE_COMPILE_TIME_MASKS
3347	/ Utility macros to construct all the masks for a depth/swap*
3348	* combination. The 's' parameter says whether the format is PNG
3349	* (big endian bytes) or not. Only the three odd-numbered passes are
3350	* required for the display/block algorithm.
3351	*/
3352	# define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
3353	S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
3354
3355	# define B_MASKS(d,s) { B_MASK(1,d,s), B_MASK(3,d,s), B_MASK(5,d,s) }
3356
3357	# define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
3358
3359	/ Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and*
3360	* then pass:
3361	*/
3362	static const png_uint_32 row_mask[`2`/PACKSWAP/][`3`/depth/][`6`] =
3363	{
3364	/ Little-endian byte masks for PACKSWAP /
3365	{ S_MASKS(`1`,`0`), S_MASKS(`2`,`0`), S_MASKS(`4`,`0`) },
3366	/ Normal (big-endian byte) masks - PNG format /
3367	{ S_MASKS(`1`,`1`), S_MASKS(`2`,`1`), S_MASKS(`4`,`1`) }
3368	};
3369
3370	/ display_mask has only three entries for the odd passes, so index by*
3371	* pass>>1.
3372	*/
3373	static const png_uint_32 display_mask[`2`][`3`][`3`] =
3374	{
3375	/ Little-endian byte masks for PACKSWAP /
3376	{ B_MASKS(`1`,`0`), B_MASKS(`2`,`0`), B_MASKS(`4`,`0`) },
3377	/ Normal (big-endian byte) masks - PNG format /
3378	{ B_MASKS(`1`,`1`), B_MASKS(`2`,`1`), B_MASKS(`4`,`1`) }
3379	};
3380
3381	# define MASK(pass,depth,display,png)\
3382	((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
3383	row_mask[png][DEPTH_INDEX(depth)][pass])
3384
3385	#else /* !PNG_USE_COMPILE_TIME_MASKS */
3386	/ This is the runtime alternative: it seems unlikely that this will*
3387	* ever be either smaller or faster than the compile time approach.
3388	*/
3389	# define MASK(pass,depth,display,png)\
3390	((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
3391	#endif /* !USE_COMPILE_TIME_MASKS */
3392
3393	/ Use the appropriate mask to copy the required bits. In some cases*
3394	* the byte mask will be 0 or 0xff; optimize these cases. row_width is
3395	* the number of pixels, but the code copies bytes, so it is necessary
3396	* to special case the end.
3397	*/
3398	png_uint_32 pixels_per_byte = `8` / pixel_depth;
3399	png_uint_32 mask;
3400
3401	# ifdef PNG_READ_PACKSWAP_SUPPORTED
3402	if ((png_ptr->transformations & PNG_PACKSWAP) != `0`)
3403	mask = MASK(pass, pixel_depth, display, `0`);
3404
3405	else
3406	# endif
3407	mask = MASK(pass, pixel_depth, display, `1`);
3408
3409	for (;;)
3410	{
3411	png_uint_32 m;
3412
3413	/ It doesn't matter in the following if png_uint_32 has more than*
3414	* 32 bits because the high bits always match those in m<<24; it is,
3415	* however, essential to use OR here, not +, because of this.
3416	*/
3417	m = mask;
3418	mask = (m >> `8`) \| (m << `24`); / rotate right to good compilers /
3419	m &= `0xff`;
3420
3421	if (m != `0`) / something to copy /
3422	{
3423	if (m != `0xff`)
3424	dp = (png_byte)((dp & ~m) \| (*sp & m));
3425	else
3426	dp = sp;
3427	}
3428
3429	/ NOTE: this may overwrite the last byte with garbage if the image*
3430	* is not an exact number of bytes wide; libpng has always done
3431	* this.
3432	*/
3433	if (row_width <= pixels_per_byte)
3434	break; / May need to restore part of the last byte /
3435
3436	row_width -= pixels_per_byte;
3437	++dp;
3438	++sp;
3439	}
3440	}
3441
3442	else / pixel_depth >= 8 /
3443	{
3444	unsigned int bytes_to_copy, bytes_to_jump;
3445
3446	/ Validate the depth - it must be a multiple of 8 /
3447	if (pixel_depth & `7`)
3448	png_error(png_ptr, "invalid user transform pixel depth");
3449
3450	pixel_depth >>= `3`; / now in bytes /
3451	row_width *= pixel_depth;
3452
3453	/ Regardless of pass number the Adam 7 interlace always results in a*
3454	* fixed number of pixels to copy then to skip. There may be a
3455	* different number of pixels to skip at the start though.
3456	*/
3457	{
3458	unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth;
3459
3460	row_width -= offset;
3461	dp += offset;
3462	sp += offset;
3463	}
3464
3465	/ Work out the bytes to copy. /
3466	if (display != `0`)
3467	{
3468	/ When doing the 'block' algorithm the pixel in the pass gets*
3469	* replicated to adjacent pixels. This is why the even (0,2,4,6)
3470	* passes are skipped above - the entire expanded row is copied.
3471	*/
3472	bytes_to_copy = (`1`<<((`6`-pass)>>`1`)) * pixel_depth;
3473
3474	/ But don't allow this number to exceed the actual row width. /
3475	if (bytes_to_copy > row_width)
3476	bytes_to_copy = (unsigned int)/SAFE/row_width;
3477	}
3478
3479	else / normal row; Adam7 only ever gives us one pixel to copy. /
3480	bytes_to_copy = pixel_depth;
3481
3482	/ In Adam7 there is a constant offset between where the pixels go. /
3483	bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth;
3484
3485	/ And simply copy these bytes. Some optimization is possible here,*
3486	* depending on the value of 'bytes_to_copy'. Special case the low
3487	* byte counts, which we know to be frequent.
3488	*
3489	* Notice that these cases all 'return' rather than 'break' - this
3490	* avoids an unnecessary test on whether to restore the last byte
3491	* below.
3492	*/
3493	switch (bytes_to_copy)
3494	{
3495	case `1`:
3496	for (;;)
3497	{
3498	dp = sp;
3499
3500	if (row_width <= bytes_to_jump)
3501	return;
3502
3503	dp += bytes_to_jump;
3504	sp += bytes_to_jump;
3505	row_width -= bytes_to_jump;
3506	}
3507
3508	case `2`:
3509	/ There is a possibility of a partial copy at the end here; this*
3510	* slows the code down somewhat.
3511	*/
3512	do
3513	{
3514	dp[`0`] = sp[`0`]; dp[`1`] = sp[`1`];
3515
3516	if (row_width <= bytes_to_jump)
3517	return;
3518
3519	sp += bytes_to_jump;
3520	dp += bytes_to_jump;
3521	row_width -= bytes_to_jump;
3522	}
3523	while (row_width > `1`);
3524
3525	/ And there can only be one byte left at this point: /
3526	dp = sp;
3527	return;
3528
3529	case `3`:
3530	/ This can only be the RGB case, so each copy is exactly one*
3531	* pixel and it is not necessary to check for a partial copy.
3532	*/
3533	for (;;)
3534	{
3535	dp[`0`] = sp[`0`]; dp[`1`] = sp[`1`]; dp[`2`] = sp[`2`];
3536
3537	if (row_width <= bytes_to_jump)
3538	return;
3539
3540	sp += bytes_to_jump;
3541	dp += bytes_to_jump;
3542	row_width -= bytes_to_jump;
3543	}
3544
3545	default:
3546	#if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3547	/ Check for double byte alignment and, if possible, use a*
3548	* 16-bit copy. Don't attempt this for narrow images - ones that
3549	* are less than an interlace panel wide. Don't attempt it for
3550	* wide bytes_to_copy either - use the memcpy there.
3551	*/
3552	if (bytes_to_copy < `16` /else use memcpy/ &&
3553	png_isaligned(dp, png_uint_16) &&
3554	png_isaligned(sp, png_uint_16) &&
3555	bytes_to_copy % (sizeof (png_uint_16)) == `0` &&
3556	bytes_to_jump % (sizeof (png_uint_16)) == `0`)
3557	{
3558	/ Everything is aligned for png_uint_16 copies, but try for*
3559	* png_uint_32 first.
3560	*/
3561	if (png_isaligned(dp, png_uint_32) &&
3562	png_isaligned(sp, png_uint_32) &&
3563	bytes_to_copy % (sizeof (png_uint_32)) == `0` &&
3564	bytes_to_jump % (sizeof (png_uint_32)) == `0`)
3565	{
3566	png_uint_32p dp32 = png_aligncast(png_uint_32p,dp);
3567	png_const_uint_32p sp32 = png_aligncastconst(
3568	png_const_uint_32p, sp);
3569	size_t skip = (bytes_to_jump-bytes_to_copy) /
3570	(sizeof (png_uint_32));
3571
3572	do
3573	{
3574	size_t c = bytes_to_copy;
3575	do
3576	{
3577	dp32++ = sp32++;
3578	c -= (sizeof (png_uint_32));
3579	}
3580	while (c > `0`);
3581
3582	if (row_width <= bytes_to_jump)
3583	return;
3584
3585	dp32 += skip;
3586	sp32 += skip;
3587	row_width -= bytes_to_jump;
3588	}
3589	while (bytes_to_copy <= row_width);
3590
3591	/ Get to here when the row_width truncates the final copy.*
3592	* There will be 1-3 bytes left to copy, so don't try the
3593	* 16-bit loop below.
3594	*/
3595	dp = (png_bytep)dp32;
3596	sp = (png_const_bytep)sp32;
3597	do
3598	dp++ = sp++;
3599	while (--row_width > `0`);
3600	return;
3601	}
3602
3603	/ Else do it in 16-bit quantities, but only if the size is*
3604	* not too large.
3605	*/
3606	else
3607	{
3608	png_uint_16p dp16 = png_aligncast(png_uint_16p, dp);
3609	png_const_uint_16p sp16 = png_aligncastconst(
3610	png_const_uint_16p, sp);
3611	size_t skip = (bytes_to_jump-bytes_to_copy) /
3612	(sizeof (png_uint_16));
3613
3614	do
3615	{
3616	size_t c = bytes_to_copy;
3617	do
3618	{
3619	dp16++ = sp16++;
3620	c -= (sizeof (png_uint_16));
3621	}
3622	while (c > `0`);
3623
3624	if (row_width <= bytes_to_jump)
3625	return;
3626
3627	dp16 += skip;
3628	sp16 += skip;
3629	row_width -= bytes_to_jump;
3630	}
3631	while (bytes_to_copy <= row_width);
3632
3633	/ End of row - 1 byte left, bytes_to_copy > row_width: /
3634	dp = (png_bytep)dp16;
3635	sp = (png_const_bytep)sp16;
3636	do
3637	dp++ = sp++;
3638	while (--row_width > `0`);
3639	return;
3640	}
3641	}
3642	#endif /* ALIGN_TYPE code */
3643
3644	/ The true default - use a memcpy: /
3645	for (;;)
3646	{
3647	memcpy(dp, sp, bytes_to_copy);
3648
3649	if (row_width <= bytes_to_jump)
3650	return;
3651
3652	sp += bytes_to_jump;
3653	dp += bytes_to_jump;
3654	row_width -= bytes_to_jump;
3655	if (bytes_to_copy > row_width)
3656	bytes_to_copy = (unsigned int)/SAFE/row_width;
3657	}
3658	}
3659
3660	/ NOT REACHED/
3661	} / pixel_depth >= 8 /
3662
3663	/ Here if pixel_depth < 8 to check 'end_ptr' below. /
3664	}
3665	else
3666	#endif /* READ_INTERLACING */
3667
3668	/ If here then the switch above wasn't used so just memcpy the whole row*
3669	* from the temporary row buffer (notice that this overwrites the end of the
3670	* destination row if it is a partial byte.)
3671	*/
3672	memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width));
3673
3674	/ Restore the overwritten bits from the last byte if necessary. /
3675	if (end_ptr != NULL)
3676	end_ptr = (png_byte)((end_byte & end_mask) \| (end_ptr & ~end_mask));
3677	}
3678
3679	#ifdef PNG_READ_INTERLACING_SUPPORTED
3680	void / PRIVATE /
3681	png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
3682	png_uint_32 transformations / Because these may affect the byte layout /)
3683	{
3684	/ Arrays to facilitate easy interlacing - use pass (0 - 6) as index /
3685	/ Offset to next interlace block /
3686	static const unsigned int png_pass_inc[`7`] = {`8`, `8`, `4`, `4`, `2`, `2`, `1`};
3687
3688	png_debug(`1`, "in png_do_read_interlace");
3689	if (row != NULL && row_info != NULL)
3690	{
3691	png_uint_32 final_width;
3692
3693	final_width = row_info->width * png_pass_inc[pass];
3694
3695	switch (row_info->pixel_depth)
3696	{
3697	case `1`:
3698	{
3699	png_bytep sp = row + (size_t)((row_info->width - `1`) >> `3`);
3700	png_bytep dp = row + (size_t)((final_width - `1`) >> `3`);
3701	unsigned int sshift, dshift;
3702	unsigned int s_start, s_end;
3703	int s_inc;
3704	int jstop = (int)png_pass_inc[pass];
3705	png_byte v;
3706	png_uint_32 i;
3707	int j;
3708
3709	#ifdef PNG_READ_PACKSWAP_SUPPORTED
3710	if ((transformations & PNG_PACKSWAP) != `0`)
3711	{
3712	sshift = ((row_info->width + `7`) & `0x07`);
3713	dshift = ((final_width + `7`) & `0x07`);
3714	s_start = `7`;
3715	s_end = `0`;
3716	s_inc = -`1`;
3717	}
3718
3719	else
3720	#endif
3721	{
3722	sshift = `7` - ((row_info->width + `7`) & `0x07`);
3723	dshift = `7` - ((final_width + `7`) & `0x07`);
3724	s_start = `0`;
3725	s_end = `7`;
3726	s_inc = `1`;
3727	}
3728
3729	for (i = `0`; i < row_info->width; i++)
3730	{
3731	v = (png_byte)((*sp >> sshift) & `0x01`);
3732	for (j = `0`; j < jstop; j++)
3733	{
3734	unsigned int tmp = *dp & (`0x7f7f` >> (`7` - dshift));
3735	tmp \|= (unsigned int)(v << dshift);
3736	*dp = (png_byte)(tmp & `0xff`);
3737
3738	if (dshift == s_end)
3739	{
3740	dshift = s_start;
3741	dp--;
3742	}
3743
3744	else
3745	dshift = (unsigned int)((int)dshift + s_inc);
3746	}
3747
3748	if (sshift == s_end)
3749	{
3750	sshift = s_start;
3751	sp--;
3752	}
3753
3754	else
3755	sshift = (unsigned int)((int)sshift + s_inc);
3756	}
3757	break;
3758	}
3759
3760	case `2`:
3761	{
3762	png_bytep sp = row + (png_uint_32)((row_info->width - `1`) >> `2`);
3763	png_bytep dp = row + (png_uint_32)((final_width - `1`) >> `2`);
3764	unsigned int sshift, dshift;
3765	unsigned int s_start, s_end;
3766	int s_inc;
3767	int jstop = (int)png_pass_inc[pass];
3768	png_uint_32 i;
3769
3770	#ifdef PNG_READ_PACKSWAP_SUPPORTED
3771	if ((transformations & PNG_PACKSWAP) != `0`)
3772	{
3773	sshift = (((row_info->width + `3`) & `0x03`) << `1`);
3774	dshift = (((final_width + `3`) & `0x03`) << `1`);
3775	s_start = `6`;
3776	s_end = `0`;
3777	s_inc = -`2`;
3778	}
3779
3780	else
3781	#endif
3782	{
3783	sshift = ((`3` - ((row_info->width + `3`) & `0x03`)) << `1`);
3784	dshift = ((`3` - ((final_width + `3`) & `0x03`)) << `1`);
3785	s_start = `0`;
3786	s_end = `6`;
3787	s_inc = `2`;
3788	}
3789
3790	for (i = `0`; i < row_info->width; i++)
3791	{
3792	png_byte v;
3793	int j;
3794
3795	v = (png_byte)((*sp >> sshift) & `0x03`);
3796	for (j = `0`; j < jstop; j++)
3797	{
3798	unsigned int tmp = *dp & (`0x3f3f` >> (`6` - dshift));
3799	tmp \|= (unsigned int)(v << dshift);
3800	*dp = (png_byte)(tmp & `0xff`);
3801
3802	if (dshift == s_end)
3803	{
3804	dshift = s_start;
3805	dp--;
3806	}
3807
3808	else
3809	dshift = (unsigned int)((int)dshift + s_inc);
3810	}
3811
3812	if (sshift == s_end)
3813	{
3814	sshift = s_start;
3815	sp--;
3816	}
3817
3818	else
3819	sshift = (unsigned int)((int)sshift + s_inc);
3820	}
3821	break;
3822	}
3823
3824	case `4`:
3825	{
3826	png_bytep sp = row + (size_t)((row_info->width - `1`) >> `1`);
3827	png_bytep dp = row + (size_t)((final_width - `1`) >> `1`);
3828	unsigned int sshift, dshift;
3829	unsigned int s_start, s_end;
3830	int s_inc;
3831	png_uint_32 i;
3832	int jstop = (int)png_pass_inc[pass];
3833
3834	#ifdef PNG_READ_PACKSWAP_SUPPORTED
3835	if ((transformations & PNG_PACKSWAP) != `0`)
3836	{
3837	sshift = (((row_info->width + `1`) & `0x01`) << `2`);
3838	dshift = (((final_width + `1`) & `0x01`) << `2`);
3839	s_start = `4`;
3840	s_end = `0`;
3841	s_inc = -`4`;
3842	}
3843
3844	else
3845	#endif
3846	{
3847	sshift = ((`1` - ((row_info->width + `1`) & `0x01`)) << `2`);
3848	dshift = ((`1` - ((final_width + `1`) & `0x01`)) << `2`);
3849	s_start = `0`;
3850	s_end = `4`;
3851	s_inc = `4`;
3852	}
3853
3854	for (i = `0`; i < row_info->width; i++)
3855	{
3856	png_byte v = (png_byte)((*sp >> sshift) & `0x0f`);
3857	int j;
3858
3859	for (j = `0`; j < jstop; j++)
3860	{
3861	unsigned int tmp = *dp & (`0xf0f` >> (`4` - dshift));
3862	tmp \|= (unsigned int)(v << dshift);
3863	*dp = (png_byte)(tmp & `0xff`);
3864
3865	if (dshift == s_end)
3866	{
3867	dshift = s_start;
3868	dp--;
3869	}
3870
3871	else
3872	dshift = (unsigned int)((int)dshift + s_inc);
3873	}
3874
3875	if (sshift == s_end)
3876	{
3877	sshift = s_start;
3878	sp--;
3879	}
3880
3881	else
3882	sshift = (unsigned int)((int)sshift + s_inc);
3883	}
3884	break;
3885	}
3886
3887	default:
3888	{
3889	size_t pixel_bytes = (row_info->pixel_depth >> `3`);
3890
3891	png_bytep sp = row + (size_t)(row_info->width - `1`)
3892	* pixel_bytes;
3893
3894	png_bytep dp = row + (size_t)(final_width - `1`) * pixel_bytes;
3895
3896	int jstop = (int)png_pass_inc[pass];
3897	png_uint_32 i;
3898
3899	for (i = `0`; i < row_info->width; i++)
3900	{
3901	png_byte v[`8`]; / SAFE; pixel_depth does not exceed 64 /
3902	int j;
3903
3904	memcpy(v, sp, pixel_bytes);
3905
3906	for (j = `0`; j < jstop; j++)
3907	{
3908	memcpy(dp, v, pixel_bytes);
3909	dp -= pixel_bytes;
3910	}
3911
3912	sp -= pixel_bytes;
3913	}
3914	break;
3915	}
3916	}
3917
3918	row_info->width = final_width;
3919	row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width);
3920	}
3921	#ifndef PNG_READ_PACKSWAP_SUPPORTED
3922	PNG_UNUSED(transformations) / Silence compiler warning /
3923	#endif
3924	}
3925	#endif /* READ_INTERLACING */
3926
3927	static void
3928	png_read_filter_row_sub(png_row_infop row_info, png_bytep row,
3929	png_const_bytep prev_row)
3930	{
3931	size_t i;
3932	size_t istop = row_info->rowbytes;
3933	unsigned int bpp = (row_info->pixel_depth + `7`) >> `3`;
3934	png_bytep rp = row + bpp;
3935
3936	PNG_UNUSED(prev_row)
3937
3938	for (i = bpp; i < istop; i++)
3939	{
3940	rp = (png_byte)(((int)(rp) + (int)(*(rp-bpp))) & `0xff`);
3941	rp++;
3942	}
3943	}
3944
3945	static void
3946	png_read_filter_row_up(png_row_infop row_info, png_bytep row,
3947	png_const_bytep prev_row)
3948	{
3949	size_t i;
3950	size_t istop = row_info->rowbytes;
3951	png_bytep rp = row;
3952	png_const_bytep pp = prev_row;
3953
3954	for (i = `0`; i < istop; i++)
3955	{
3956	rp = (png_byte)(((int)(rp) + (int)(*pp++)) & `0xff`);
3957	rp++;
3958	}
3959	}
3960
3961	static void
3962	png_read_filter_row_avg(png_row_infop row_info, png_bytep row,
3963	png_const_bytep prev_row)
3964	{
3965	size_t i;
3966	png_bytep rp = row;
3967	png_const_bytep pp = prev_row;
3968	unsigned int bpp = (row_info->pixel_depth + `7`) >> `3`;
3969	size_t istop = row_info->rowbytes - bpp;
3970
3971	for (i = `0`; i < bpp; i++)
3972	{
3973	rp = (png_byte)(((int)(rp) +
3974	((int)(*pp++) / `2` )) & `0xff`);
3975
3976	rp++;
3977	}
3978
3979	for (i = `0`; i < istop; i++)
3980	{
3981	rp = (png_byte)(((int)(rp) +
3982	(int)(pp++ + (rp-bpp)) / `2` ) & `0xff`);
3983
3984	rp++;
3985	}
3986	}
3987
3988	static void
3989	png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row,
3990	png_const_bytep prev_row)
3991	{
3992	png_bytep rp_end = row + row_info->rowbytes;
3993	int a, c;
3994
3995	/ First pixel/byte /
3996	c = *prev_row++;
3997	a = *row + c;
3998	*row++ = (png_byte)a;
3999
4000	/ Remainder /
4001	while (row < rp_end)
4002	{
4003	int b, pa, pb, pc, p;
4004
4005	a &= `0xff`; / From previous iteration or start /
4006	b = *prev_row++;
4007
4008	p = b - c;
4009	pc = a - c;
4010
4011	#ifdef PNG_USE_ABS
4012	pa = abs(p);
4013	pb = abs(pc);
4014	pc = abs(p + pc);
4015	#else
4016	pa = p < `0` ? -p : p;
4017	pb = pc < `0` ? -pc : pc;
4018	pc = (p + pc) < `0` ? -(p + pc) : p + pc;
4019	#endif
4020
4021	/ Find the best predictor, the least of pa, pb, pc favoring the earlier*
4022	* ones in the case of a tie.
4023	*/
4024	if (pb < pa)
4025	{
4026	pa = pb; a = b;
4027	}
4028	if (pc < pa) a = c;
4029
4030	/ Calculate the current pixel in a, and move the previous row pixel to c*
4031	* for the next time round the loop
4032	*/
4033	c = b;
4034	a += *row;
4035	*row++ = (png_byte)a;
4036	}
4037	}
4038
4039	static void
4040	png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
4041	png_const_bytep prev_row)
4042	{
4043	unsigned int bpp = (row_info->pixel_depth + `7`) >> `3`;
4044	png_bytep rp_end = row + bpp;
4045
4046	/ Process the first pixel in the row completely (this is the same as 'up'*
4047	* because there is only one candidate predictor for the first row).
4048	*/
4049	while (row < rp_end)
4050	{
4051	int a = row + prev_row++;
4052	*row++ = (png_byte)a;
4053	}
4054
4055	/ Remainder /
4056	rp_end = rp_end + (row_info->rowbytes - bpp);
4057
4058	while (row < rp_end)
4059	{
4060	int a, b, c, pa, pb, pc, p;
4061
4062	c = *(prev_row - bpp);
4063	a = *(row - bpp);
4064	b = *prev_row++;
4065
4066	p = b - c;
4067	pc = a - c;
4068
4069	#ifdef PNG_USE_ABS
4070	pa = abs(p);
4071	pb = abs(pc);
4072	pc = abs(p + pc);
4073	#else
4074	pa = p < `0` ? -p : p;
4075	pb = pc < `0` ? -pc : pc;
4076	pc = (p + pc) < `0` ? -(p + pc) : p + pc;
4077	#endif
4078
4079	if (pb < pa)
4080	{
4081	pa = pb; a = b;
4082	}
4083	if (pc < pa) a = c;
4084
4085	a += *row;
4086	*row++ = (png_byte)a;
4087	}
4088	}
4089
4090	static void
4091	png_init_filter_functions(png_structrp pp)
4092	/ This function is called once for every PNG image (except for PNG images*
4093	* that only use PNG_FILTER_VALUE_NONE for all rows) to set the
4094	* implementations required to reverse the filtering of PNG rows. Reversing
4095	* the filter is the first transformation performed on the row data. It is
4096	* performed in place, therefore an implementation can be selected based on
4097	* the image pixel format. If the implementation depends on image width then
4098	* take care to ensure that it works correctly if the image is interlaced -
4099	* interlacing causes the actual row width to vary.
4100	*/
4101	{
4102	unsigned int bpp = (pp->pixel_depth + `7`) >> `3`;
4103
4104	pp->read_filter[PNG_FILTER_VALUE_SUB-`1`] = png_read_filter_row_sub;
4105	pp->read_filter[PNG_FILTER_VALUE_UP-`1`] = png_read_filter_row_up;
4106	pp->read_filter[PNG_FILTER_VALUE_AVG-`1`] = png_read_filter_row_avg;
4107	if (bpp == `1`)
4108	pp->read_filter[PNG_FILTER_VALUE_PAETH-`1`] =
4109	png_read_filter_row_paeth_1byte_pixel;
4110	else
4111	pp->read_filter[PNG_FILTER_VALUE_PAETH-`1`] =
4112	png_read_filter_row_paeth_multibyte_pixel;
4113
4114	#ifdef PNG_FILTER_OPTIMIZATIONS
4115	/ To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to*
4116	* call to install hardware optimizations for the above functions; simply
4117	* replace whatever elements of the pp->read_filter[] array with a hardware
4118	* specific (or, for that matter, generic) optimization.
4119	*
4120	* To see an example of this examine what configure.ac does when
4121	* --enable-arm-neon is specified on the command line.
4122	*/
4123	PNG_FILTER_OPTIMIZATIONS(pp, bpp);
4124	#endif
4125	}
4126
4127	void / PRIVATE /
4128	png_read_filter_row(png_structrp pp, png_row_infop row_info, png_bytep row,
4129	png_const_bytep prev_row, int filter)
4130	{
4131	/ OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define*
4132	* PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
4133	* implementations. See png_init_filter_functions above.
4134	*/
4135	if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST)
4136	{
4137	if (pp->read_filter[`0`] == NULL)
4138	png_init_filter_functions(pp);
4139
4140	pp->read_filter[filter-`1`](row_info, row, prev_row);
4141	}
4142	}
4143
4144	#ifdef PNG_SEQUENTIAL_READ_SUPPORTED
4145	void / PRIVATE /
4146	png_read_IDAT_data(png_structrp png_ptr, png_bytep output,
4147	png_alloc_size_t avail_out)
4148	{
4149	/ Loop reading IDATs and decompressing the result into output[avail_out] /
4150	png_ptr->zstream.next_out = output;
4151	png_ptr->zstream.avail_out = `0`; / safety: set below /
4152
4153	if (output == NULL)
4154	avail_out = `0`;
4155
4156	do
4157	{
4158	int ret;
4159	png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
4160
4161	if (png_ptr->zstream.avail_in == `0`)
4162	{
4163	uInt avail_in;
4164	png_bytep buffer;
4165
4166	while (png_ptr->idat_size == `0`)
4167	{
4168	png_crc_finish(png_ptr, `0`);
4169
4170	png_ptr->idat_size = png_read_chunk_header(png_ptr);
4171	/ This is an error even in the 'check' case because the code just*
4172	* consumed a non-IDAT header.
4173	*/
4174	if (png_ptr->chunk_name != png_IDAT)
4175	png_error(png_ptr, "Not enough image data");
4176	}
4177
4178	avail_in = png_ptr->IDAT_read_size;
4179
4180	if (avail_in > png_ptr->idat_size)
4181	avail_in = (uInt)png_ptr->idat_size;
4182
4183	/ A PNG with a gradually increasing IDAT size will defeat this attempt*
4184	* to minimize memory usage by causing lots of re-allocs, but
4185	* realistically doing IDAT_read_size re-allocs is not likely to be a
4186	* big problem.
4187	*/
4188	buffer = png_read_buffer(png_ptr, avail_in, `0`/error/);
4189
4190	png_crc_read(png_ptr, buffer, avail_in);
4191	png_ptr->idat_size -= avail_in;
4192
4193	png_ptr->zstream.next_in = buffer;
4194	png_ptr->zstream.avail_in = avail_in;
4195	}
4196
4197	/ And set up the output side. /
4198	if (output != NULL) / standard read /
4199	{
4200	uInt out = ZLIB_IO_MAX;
4201
4202	if (out > avail_out)
4203	out = (uInt)avail_out;
4204
4205	avail_out -= out;
4206	png_ptr->zstream.avail_out = out;
4207	}
4208
4209	else / after last row, checking for end /
4210	{
4211	png_ptr->zstream.next_out = tmpbuf;
4212	png_ptr->zstream.avail_out = (sizeof tmpbuf);
4213	}
4214
4215	/ Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the*
4216	* process. If the LZ stream is truncated the sequential reader will
4217	* terminally damage the stream, above, by reading the chunk header of the
4218	* following chunk (it then exits with png_error).
4219	*
4220	* TODO: deal more elegantly with truncated IDAT lists.
4221	*/
4222	ret = PNG_INFLATE(png_ptr, Z_NO_FLUSH);
4223
4224	/ Take the unconsumed output back. /
4225	if (output != NULL)
4226	avail_out += png_ptr->zstream.avail_out;
4227
4228	else / avail_out counts the extra bytes /
4229	avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;
4230
4231	png_ptr->zstream.avail_out = `0`;
4232
4233	if (ret == Z_STREAM_END)
4234	{
4235	/ Do this for safety; we won't read any more into this row. /
4236	png_ptr->zstream.next_out = NULL;
4237
4238	png_ptr->mode \|= PNG_AFTER_IDAT;
4239	png_ptr->flags \|= PNG_FLAG_ZSTREAM_ENDED;
4240
4241	if (png_ptr->zstream.avail_in > `0` \|\| png_ptr->idat_size > `0`)
4242	png_chunk_benign_error(png_ptr, "Extra compressed data");
4243	break;
4244	}
4245
4246	if (ret != Z_OK)
4247	{
4248	png_zstream_error(png_ptr, ret);
4249
4250	if (output != NULL)
4251	png_chunk_error(png_ptr, png_ptr->zstream.msg);
4252
4253	else / checking /
4254	{
4255	png_chunk_benign_error(png_ptr, png_ptr->zstream.msg);
4256	return;
4257	}
4258	}
4259	} while (avail_out > `0`);
4260
4261	if (avail_out > `0`)
4262	{
4263	/ The stream ended before the image; this is the same as too few IDATs so*
4264	* should be handled the same way.
4265	*/
4266	if (output != NULL)
4267	png_error(png_ptr, "Not enough image data");
4268
4269	else / the deflate stream contained extra data /
4270	png_chunk_benign_error(png_ptr, "Too much image data");
4271	}
4272	}
4273
4274	void / PRIVATE /
4275	png_read_finish_IDAT(png_structrp png_ptr)
4276	{
4277	/ We don't need any more data and the stream should have ended, however the*
4278	* LZ end code may actually not have been processed. In this case we must
4279	* read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
4280	* may still remain to be consumed.
4281	*/
4282	if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == `0`)
4283	{
4284	/ The NULL causes png_read_IDAT_data to swallow any remaining bytes in*
4285	* the compressed stream, but the stream may be damaged too, so even after
4286	* this call we may need to terminate the zstream ownership.
4287	*/
4288	png_read_IDAT_data(png_ptr, NULL, `0`);
4289	png_ptr->zstream.next_out = NULL; / safety /
4290
4291	/ Now clear everything out for safety; the following may not have been*
4292	* done.
4293	*/
4294	if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == `0`)
4295	{
4296	png_ptr->mode \|= PNG_AFTER_IDAT;
4297	png_ptr->flags \|= PNG_FLAG_ZSTREAM_ENDED;
4298	}
4299	}
4300
4301	/ If the zstream has not been released do it now and terminate the reading*
4302	* of the final IDAT chunk.
4303	*/
4304	if (png_ptr->zowner == png_IDAT)
4305	{
4306	/ Always do this; the pointers otherwise point into the read buffer. /
4307	png_ptr->zstream.next_in = NULL;
4308	png_ptr->zstream.avail_in = `0`;
4309
4310	/ Now we no longer own the zstream. /
4311	png_ptr->zowner = `0`;
4312
4313	/ The slightly weird semantics of the sequential IDAT reading is that we*
4314	* are always in or at the end of an IDAT chunk, so we always need to do a
4315	* crc_finish here. If idat_size is non-zero we also need to read the
4316	* spurious bytes at the end of the chunk now.
4317	*/
4318	(void)png_crc_finish(png_ptr, png_ptr->idat_size);
4319	}
4320	}
4321
4322	void / PRIVATE /
4323	png_read_finish_row(png_structrp png_ptr)
4324	{
4325	/ Arrays to facilitate easy interlacing - use pass (0 - 6) as index /
4326
4327	/ Start of interlace block /
4328	static const png_byte png_pass_start[`7`] = {`0`, `4`, `0`, `2`, `0`, `1`, `0`};
4329
4330	/ Offset to next interlace block /
4331	static const png_byte png_pass_inc[`7`] = {`8`, `8`, `4`, `4`, `2`, `2`, `1`};
4332
4333	/ Start of interlace block in the y direction /
4334	static const png_byte png_pass_ystart[`7`] = {`0`, `0`, `4`, `0`, `2`, `0`, `1`};
4335
4336	/ Offset to next interlace block in the y direction /
4337	static const png_byte png_pass_yinc[`7`] = {`8`, `8`, `8`, `4`, `4`, `2`, `2`};
4338
4339	png_debug(`1`, "in png_read_finish_row");
4340	png_ptr->row_number++;
4341	if (png_ptr->row_number < png_ptr->num_rows)
4342	return;
4343
4344	if (png_ptr->interlaced != `0`)
4345	{
4346	png_ptr->row_number = `0`;
4347
4348	/ TO DO: don't do this if prev_row isn't needed (requires*
4349	* read-ahead of the next row's filter byte.
4350	*/
4351	memset(png_ptr->prev_row, `0`, png_ptr->rowbytes + `1`);
4352
4353	do
4354	{
4355	png_ptr->pass++;
4356
4357	if (png_ptr->pass >= `7`)
4358	break;
4359
4360	png_ptr->iwidth = (png_ptr->width +
4361	png_pass_inc[png_ptr->pass] - `1` -
4362	png_pass_start[png_ptr->pass]) /
4363	png_pass_inc[png_ptr->pass];
4364
4365	if ((png_ptr->transformations & PNG_INTERLACE) == `0`)
4366	{
4367	png_ptr->num_rows = (png_ptr->height +
4368	png_pass_yinc[png_ptr->pass] - `1` -
4369	png_pass_ystart[png_ptr->pass]) /
4370	png_pass_yinc[png_ptr->pass];
4371	}
4372
4373	else / if (png_ptr->transformations & PNG_INTERLACE) /
4374	break; / libpng deinterlacing sees every row /
4375
4376	} while (png_ptr->num_rows == `0` \|\| png_ptr->iwidth == `0`);
4377
4378	if (png_ptr->pass < `7`)
4379	return;
4380	}
4381
4382	/ Here after at the end of the last row of the last pass. /
4383	png_read_finish_IDAT(png_ptr);
4384	}
4385	#endif /* SEQUENTIAL_READ */
4386
4387	void / PRIVATE /
4388	png_read_start_row(png_structrp png_ptr)
4389	{
4390	/ Arrays to facilitate easy interlacing - use pass (0 - 6) as index /
4391
4392	/ Start of interlace block /
4393	static const png_byte png_pass_start[`7`] = {`0`, `4`, `0`, `2`, `0`, `1`, `0`};
4394
4395	/ Offset to next interlace block /
4396	static const png_byte png_pass_inc[`7`] = {`8`, `8`, `4`, `4`, `2`, `2`, `1`};
4397
4398	/ Start of interlace block in the y direction /
4399	static const png_byte png_pass_ystart[`7`] = {`0`, `0`, `4`, `0`, `2`, `0`, `1`};
4400
4401	/ Offset to next interlace block in the y direction /
4402	static const png_byte png_pass_yinc[`7`] = {`8`, `8`, `8`, `4`, `4`, `2`, `2`};
4403
4404	unsigned int max_pixel_depth;
4405	size_t row_bytes;
4406
4407	png_debug(`1`, "in png_read_start_row");
4408
4409	#ifdef PNG_READ_TRANSFORMS_SUPPORTED
4410	png_init_read_transformations(png_ptr);
4411	#endif
4412	if (png_ptr->interlaced != `0`)
4413	{
4414	if ((png_ptr->transformations & PNG_INTERLACE) == `0`)
4415	png_ptr->num_rows = (png_ptr->height + png_pass_yinc[`0`] - `1` -
4416	png_pass_ystart[`0`]) / png_pass_yinc[`0`];
4417
4418	else
4419	png_ptr->num_rows = png_ptr->height;
4420
4421	png_ptr->iwidth = (png_ptr->width +
4422	png_pass_inc[png_ptr->pass] - `1` -
4423	png_pass_start[png_ptr->pass]) /
4424	png_pass_inc[png_ptr->pass];
4425	}
4426
4427	else
4428	{
4429	png_ptr->num_rows = png_ptr->height;
4430	png_ptr->iwidth = png_ptr->width;
4431	}
4432
4433	max_pixel_depth = (unsigned int)png_ptr->pixel_depth;
4434
4435	/ WARNING: * png_read_transform_info (pngrtran.c) performs a simpler set of*
4436	* calculations to calculate the final pixel depth, then
4437	* png_do_read_transforms actually does the transforms. This means that the
4438	* code which effectively calculates this value is actually repeated in three
4439	* separate places. They must all match. Innocent changes to the order of
4440	* transformations can and will break libpng in a way that causes memory
4441	* overwrites.
4442	*
4443	* TODO: fix this.
4444	*/
4445	#ifdef PNG_READ_PACK_SUPPORTED
4446	if ((png_ptr->transformations & PNG_PACK) != `0` && png_ptr->bit_depth < `8`)
4447	max_pixel_depth = `8`;
4448	#endif
4449
4450	#ifdef PNG_READ_EXPAND_SUPPORTED
4451	if ((png_ptr->transformations & PNG_EXPAND) != `0`)
4452	{
4453	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4454	{
4455	if (png_ptr->num_trans != `0`)
4456	max_pixel_depth = `32`;
4457
4458	else
4459	max_pixel_depth = `24`;
4460	}
4461
4462	else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4463	{
4464	if (max_pixel_depth < `8`)
4465	max_pixel_depth = `8`;
4466
4467	if (png_ptr->num_trans != `0`)
4468	max_pixel_depth *= `2`;
4469	}
4470
4471	else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
4472	{
4473	if (png_ptr->num_trans != `0`)
4474	{
4475	max_pixel_depth *= `4`;
4476	max_pixel_depth /= `3`;
4477	}
4478	}
4479	}
4480	#endif
4481
4482	#ifdef PNG_READ_EXPAND_16_SUPPORTED
4483	if ((png_ptr->transformations & PNG_EXPAND_16) != `0`)
4484	{
4485	# ifdef PNG_READ_EXPAND_SUPPORTED
4486	/ In fact it is an error if it isn't supported, but checking is*
4487	* the safe way.
4488	*/
4489	if ((png_ptr->transformations & PNG_EXPAND) != `0`)
4490	{
4491	if (png_ptr->bit_depth < `16`)
4492	max_pixel_depth *= `2`;
4493	}
4494	else
4495	# endif
4496	png_ptr->transformations &= ~PNG_EXPAND_16;
4497	}
4498	#endif
4499
4500	#ifdef PNG_READ_FILLER_SUPPORTED
4501	if ((png_ptr->transformations & (PNG_FILLER)) != `0`)
4502	{
4503	if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4504	{
4505	if (max_pixel_depth <= `8`)
4506	max_pixel_depth = `16`;
4507
4508	else
4509	max_pixel_depth = `32`;
4510	}
4511
4512	else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB \|\|
4513	png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4514	{
4515	if (max_pixel_depth <= `32`)
4516	max_pixel_depth = `32`;
4517
4518	else
4519	max_pixel_depth = `64`;
4520	}
4521	}
4522	#endif
4523
4524	#ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
4525	if ((png_ptr->transformations & PNG_GRAY_TO_RGB) != `0`)
4526	{
4527	if (
4528	#ifdef PNG_READ_EXPAND_SUPPORTED
4529	(png_ptr->num_trans != `0` &&
4530	(png_ptr->transformations & PNG_EXPAND) != `0`) \|\|
4531	#endif
4532	#ifdef PNG_READ_FILLER_SUPPORTED
4533	(png_ptr->transformations & (PNG_FILLER)) != `0` \|\|
4534	#endif
4535	png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
4536	{
4537	if (max_pixel_depth <= `16`)
4538	max_pixel_depth = `32`;
4539
4540	else
4541	max_pixel_depth = `64`;
4542	}
4543
4544	else
4545	{
4546	if (max_pixel_depth <= `8`)
4547	{
4548	if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4549	max_pixel_depth = `32`;
4550
4551	else
4552	max_pixel_depth = `24`;
4553	}
4554
4555	else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4556	max_pixel_depth = `64`;
4557
4558	else
4559	max_pixel_depth = `48`;
4560	}
4561	}
4562	#endif
4563
4564	#if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
4565	defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
4566	if ((png_ptr->transformations & PNG_USER_TRANSFORM) != `0`)
4567	{
4568	unsigned int user_pixel_depth = png_ptr->user_transform_depth *
4569	png_ptr->user_transform_channels;
4570
4571	if (user_pixel_depth > max_pixel_depth)
4572	max_pixel_depth = user_pixel_depth;
4573	}
4574	#endif
4575
4576	/ This value is stored in png_struct and double checked in the row read*
4577	* code.
4578	*/
4579	png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth;
4580	png_ptr->transformed_pixel_depth = `0`; / calculated on demand /
4581
4582	/ Align the width on the next larger 8 pixels. Mainly used*
4583	* for interlacing
4584	*/
4585	row_bytes = ((png_ptr->width + `7`) & ~((png_uint_32)`7`));
4586	/ Calculate the maximum bytes needed, adding a byte and a pixel*
4587	* for safety's sake
4588	*/
4589	row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) +
4590	`1` + ((max_pixel_depth + `7`) >> `3U`);
4591
4592	#ifdef PNG_MAX_MALLOC_64K
4593	if (row_bytes > (png_uint_32)`65536L`)
4594	png_error(png_ptr, "This image requires a row greater than 64KB");
4595	#endif
4596
4597	if (row_bytes + `48` > png_ptr->old_big_row_buf_size)
4598	{
4599	png_free(png_ptr, png_ptr->big_row_buf);
4600	png_free(png_ptr, png_ptr->big_prev_row);
4601
4602	if (png_ptr->interlaced != `0`)
4603	png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr,
4604	row_bytes + `48`);
4605
4606	else
4607	png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + `48`);
4608
4609	png_ptr->big_prev_row = (png_bytep)png_malloc(png_ptr, row_bytes + `48`);
4610
4611	#ifdef PNG_ALIGNED_MEMORY_SUPPORTED
4612	/ Use 16-byte aligned memory for row_buf with at least 16 bytes*
4613	* of padding before and after row_buf; treat prev_row similarly.
4614	* NOTE: the alignment is to the start of the pixels, one beyond the start
4615	* of the buffer, because of the filter byte. Prior to libpng 1.5.6 this
4616	* was incorrect; the filter byte was aligned, which had the exact
4617	* opposite effect of that intended.
4618	*/
4619	{
4620	png_bytep temp = png_ptr->big_row_buf + `32`;
4621	int extra = (int)((temp - (png_bytep)`0`) & `0x0f`);
4622	png_ptr->row_buf = temp - extra - `1`/filter byte/;
4623
4624	temp = png_ptr->big_prev_row + `32`;
4625	extra = (int)((temp - (png_bytep)`0`) & `0x0f`);
4626	png_ptr->prev_row = temp - extra - `1`/filter byte/;
4627	}
4628
4629	#else
4630	/ Use 31 bytes of padding before and 17 bytes after row_buf. /
4631	png_ptr->row_buf = png_ptr->big_row_buf + `31`;
4632	png_ptr->prev_row = png_ptr->big_prev_row + `31`;
4633	#endif
4634	png_ptr->old_big_row_buf_size = row_bytes + `48`;
4635	}
4636
4637	#ifdef PNG_MAX_MALLOC_64K
4638	if (png_ptr->rowbytes > `65535`)
4639	png_error(png_ptr, "This image requires a row greater than 64KB");
4640
4641	#endif
4642	if (png_ptr->rowbytes > (PNG_SIZE_MAX - `1`))
4643	png_error(png_ptr, "Row has too many bytes to allocate in memory");
4644
4645	memset(png_ptr->prev_row, `0`, png_ptr->rowbytes + `1`);
4646
4647	png_debug1(`3`, "width = %u,", png_ptr->width);
4648	png_debug1(`3`, "height = %u,", png_ptr->height);
4649	png_debug1(`3`, "iwidth = %u,", png_ptr->iwidth);
4650	png_debug1(`3`, "num_rows = %u,", png_ptr->num_rows);
4651	png_debug1(`3`, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes);
4652	png_debug1(`3`, "irowbytes = %lu",
4653	(unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + `1`);
4654
4655	/ The sequential reader needs a buffer for IDAT, but the progressive reader*
4656	* does not, so free the read buffer now regardless; the sequential reader
4657	* reallocates it on demand.
4658	*/
4659	if (png_ptr->read_buffer != NULL)
4660	{
4661	png_bytep buffer = png_ptr->read_buffer;
4662
4663	png_ptr->read_buffer_size = `0`;
4664	png_ptr->read_buffer = NULL;
4665	png_free(png_ptr, buffer);
4666	}
4667
4668	/ Finally claim the zstream for the inflate of the IDAT data, use the bits*
4669	* value from the stream (note that this will result in a fatal error if the
4670	* IDAT stream has a bogus deflate header window_bits value, but this should
4671	* not be happening any longer!)
4672	*/
4673	if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK)
4674	png_error(png_ptr, png_ptr->zstream.msg);
4675
4676	png_ptr->flags \|= PNG_FLAG_ROW_INIT;
4677	}
4678	#endif /* READ */
4679

Browse the source code of Aseprite/third_party/libpng/pngrutil.c