pngrutil.c source code [engine/third_party/libpng/pngrutil.c]

1
2	/ pngrutil.c - utilities to read a PNG file*
3	*
4	* Last changed in libpng 1.6.20 [December 3, 2014]
5	* Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson
6	* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7	* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8	*
9	* This code is released under the libpng license.
10	* For conditions of distribution and use, see the disclaimer
11	* and license in png.h
12	*
13	* This file contains routines that are only called from within
14	* libpng itself during the course of reading an image.
15	*/
16
17	#include "pngpriv.h"
18
19	#ifdef PNG_READ_SUPPORTED
20
21	png_uint_32 PNGAPI
22	png_get_uint_31(png_const_structrp png_ptr, png_const_bytep buf)
23	{
24	png_uint_32 uval = png_get_uint_32(buf);
25
26	if (uval > PNG_UINT_31_MAX)
27	png_error(png_ptr, "PNG unsigned integer out of range");
28
29	return (uval);
30	}
31
32	#if defined(PNG_READ_gAMA_SUPPORTED) \|\| defined(PNG_READ_cHRM_SUPPORTED)
33	/ The following is a variation on the above for use with the fixed*
34	* point values used for gAMA and cHRM. Instead of png_error it
35	* issues a warning and returns (-1) - an invalid value because both
36	* gAMA and cHRM use unsigned integers for fixed point values.
37	*/
38	#define PNG_FIXED_ERROR (-1)
39
40	static png_fixed_point / PRIVATE /
41	png_get_fixed_point(png_structrp png_ptr, png_const_bytep buf)
42	{
43	png_uint_32 uval = png_get_uint_32(buf);
44
45	if (uval <= PNG_UINT_31_MAX)
46	return (png_fixed_point)uval; / known to be in range /
47
48	/ The caller can turn off the warning by passing NULL. /
49	if (png_ptr != NULL)
50	png_warning(png_ptr, "PNG fixed point integer out of range");
51
52	return PNG_FIXED_ERROR;
53	}
54	#endif
55
56	#ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED
57	/ NOTE: the read macros will obscure these definitions, so that if*
58	* PNG_USE_READ_MACROS is set the library will not use them internally,
59	* but the APIs will still be available externally.
60	*
61	* The parentheses around "PNGAPI function_name" in the following three
62	* functions are necessary because they allow the macros to co-exist with
63	* these (unused but exported) functions.
64	*/
65
66	/ Grab an unsigned 32-bit integer from a buffer in big-endian format. /
67	png_uint_32 (PNGAPI
68	png_get_uint_32)(png_const_bytep buf)
69	{
70	png_uint_32 uval =
71	((png_uint_32)(*(buf )) << `24`) +
72	((png_uint_32)(*(buf + `1`)) << `16`) +
73	((png_uint_32)(*(buf + `2`)) << `8`) +
74	((png_uint_32)(*(buf + `3`)) ) ;
75
76	return uval;
77	}
78
79	/ Grab a signed 32-bit integer from a buffer in big-endian format. The*
80	* data is stored in the PNG file in two's complement format and there
81	* is no guarantee that a 'png_int_32' is exactly 32 bits, therefore
82	* the following code does a two's complement to native conversion.
83	*/
84	png_int_32 (PNGAPI
85	png_get_int_32)(png_const_bytep buf)
86	{
87	png_uint_32 uval = png_get_uint_32(buf);
88	if ((uval & `0x80000000`) == `0`) / non-negative /
89	return uval;
90
91	uval = (uval ^ `0xffffffff`) + `1`; / 2's complement: -x = ~x+1 /
92	if ((uval & `0x80000000`) == `0`) / no overflow /
93	return -(png_int_32)uval;
94	/ The following has to be safe; this function only gets called on PNG data*
95	* and if we get here that data is invalid. 0 is the most safe value and
96	* if not then an attacker would surely just generate a PNG with 0 instead.
97	*/
98	return `0`;
99	}
100
101	/ Grab an unsigned 16-bit integer from a buffer in big-endian format. /
102	png_uint_16 (PNGAPI
103	png_get_uint_16)(png_const_bytep buf)
104	{
105	/ ANSI-C requires an int value to accomodate at least 16 bits so this*
106	* works and allows the compiler not to worry about possible narrowing
107	* on 32-bit systems. (Pre-ANSI systems did not make integers smaller
108	* than 16 bits either.)
109	*/
110	unsigned int val =
111	((unsigned int)(*buf) << `8`) +
112	((unsigned int)(*(buf + `1`)));
113
114	return (png_uint_16)val;
115	}
116
117	#endif /* READ_INT_FUNCTIONS */
118
119	/ Read and check the PNG file signature /
120	void / PRIVATE /
121	png_read_sig(png_structrp png_ptr, png_inforp info_ptr)
122	{
123	png_size_t num_checked, num_to_check;
124
125	/ Exit if the user application does not expect a signature. /
126	if (png_ptr->sig_bytes >= `8`)
127	return;
128
129	num_checked = png_ptr->sig_bytes;
130	num_to_check = `8` - num_checked;
131
132	#ifdef PNG_IO_STATE_SUPPORTED
133	png_ptr->io_state = PNG_IO_READING \| PNG_IO_SIGNATURE;
134	#endif
135
136	/ The signature must be serialized in a single I/O call. /
137	png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);
138	png_ptr->sig_bytes = `8`;
139
140	if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check) != `0`)
141	{
142	if (num_checked < `4` &&
143	png_sig_cmp(info_ptr->signature, num_checked, num_to_check - `4`))
144	png_error(png_ptr, "Not a PNG file");
145	else
146	png_error(png_ptr, "PNG file corrupted by ASCII conversion");
147	}
148	if (num_checked < `3`)
149	png_ptr->mode \|= PNG_HAVE_PNG_SIGNATURE;
150	}
151
152	/ Read the chunk header (length + type name).*
153	* Put the type name into png_ptr->chunk_name, and return the length.
154	*/
155	png_uint_32 / PRIVATE /
156	png_read_chunk_header(png_structrp png_ptr)
157	{
158	png_byte buf[`8`];
159	png_uint_32 length;
160
161	#ifdef PNG_IO_STATE_SUPPORTED
162	png_ptr->io_state = PNG_IO_READING \| PNG_IO_CHUNK_HDR;
163	#endif
164
165	/ Read the length and the chunk name.*
166	* This must be performed in a single I/O call.
167	*/
168	png_read_data(png_ptr, buf, `8`);
169	length = png_get_uint_31(png_ptr, buf);
170
171	/ Put the chunk name into png_ptr->chunk_name. /
172	png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(buf+`4`);
173
174	png_debug2(`0`, "Reading %lx chunk, length = %lu",
175	(unsigned long)png_ptr->chunk_name, (unsigned long)length);
176
177	/ Reset the crc and run it over the chunk name. /
178	png_reset_crc(png_ptr);
179	png_calculate_crc(png_ptr, buf + `4`, `4`);
180
181	/ Check to see if chunk name is valid. /
182	png_check_chunk_name(png_ptr, png_ptr->chunk_name);
183
184	#ifdef PNG_IO_STATE_SUPPORTED
185	png_ptr->io_state = PNG_IO_READING \| PNG_IO_CHUNK_DATA;
186	#endif
187
188	return length;
189	}
190
191	/ Read data, and (optionally) run it through the CRC. /
192	void / PRIVATE /
193	png_crc_read(png_structrp png_ptr, png_bytep buf, png_uint_32 length)
194	{
195	if (png_ptr == NULL)
196	return;
197
198	png_read_data(png_ptr, buf, length);
199	png_calculate_crc(png_ptr, buf, length);
200	}
201
202	/ Optionally skip data and then check the CRC. Depending on whether we*
203	* are reading an ancillary or critical chunk, and how the program has set
204	* things up, we may calculate the CRC on the data and print a message.
205	* Returns '1' if there was a CRC error, '0' otherwise.
206	*/
207	int / PRIVATE /
208	png_crc_finish(png_structrp png_ptr, png_uint_32 skip)
209	{
210	/ The size of the local buffer for inflate is a good guess as to a*
211	* reasonable size to use for buffering reads from the application.
212	*/
213	while (skip > `0`)
214	{
215	png_uint_32 len;
216	png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
217
218	len = (sizeof tmpbuf);
219	if (len > skip)
220	len = skip;
221	skip -= len;
222
223	png_crc_read(png_ptr, tmpbuf, len);
224	}
225
226	if (png_crc_error(png_ptr) != `0`)
227	{
228	if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != `0` ?
229	(png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == `0` :
230	(png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE) != `0`)
231	{
232	png_chunk_warning(png_ptr, "CRC error");
233	}
234
235	else
236	png_chunk_error(png_ptr, "CRC error");
237
238	return (`1`);
239	}
240
241	return (`0`);
242	}
243
244	/ Compare the CRC stored in the PNG file with that calculated by libpng from*
245	* the data it has read thus far.
246	*/
247	int / PRIVATE /
248	png_crc_error(png_structrp png_ptr)
249	{
250	png_byte crc_bytes[`4`];
251	png_uint_32 crc;
252	int need_crc = `1`;
253
254	if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != `0`)
255	{
256	if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
257	(PNG_FLAG_CRC_ANCILLARY_USE \| PNG_FLAG_CRC_ANCILLARY_NOWARN))
258	need_crc = `0`;
259	}
260
261	else / critical /
262	{
263	if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != `0`)
264	need_crc = `0`;
265	}
266
267	#ifdef PNG_IO_STATE_SUPPORTED
268	png_ptr->io_state = PNG_IO_READING \| PNG_IO_CHUNK_CRC;
269	#endif
270
271	/ The chunk CRC must be serialized in a single I/O call. /
272	png_read_data(png_ptr, crc_bytes, `4`);
273
274	if (need_crc != `0`)
275	{
276	crc = png_get_uint_32(crc_bytes);
277	return ((int)(crc != png_ptr->crc));
278	}
279
280	else
281	return (`0`);
282	}
283
284	#if defined(PNG_READ_iCCP_SUPPORTED) \|\| defined(PNG_READ_iTXt_SUPPORTED) \|\|\
285	defined(PNG_READ_pCAL_SUPPORTED) \|\| defined(PNG_READ_sCAL_SUPPORTED) \|\|\
286	defined(PNG_READ_sPLT_SUPPORTED) \|\| defined(PNG_READ_tEXt_SUPPORTED) \|\|\
287	defined(PNG_READ_zTXt_SUPPORTED) \|\| defined(PNG_SEQUENTIAL_READ_SUPPORTED)
288	/ Manage the read buffer; this simply reallocates the buffer if it is not small*
289	* enough (or if it is not allocated). The routine returns a pointer to the
290	* buffer; if an error occurs and 'warn' is set the routine returns NULL, else
291	* it will call png_error (via png_malloc) on failure. (warn == 2 means
292	* 'silent').
293	*/
294	static png_bytep
295	png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn)
296	{
297	png_bytep buffer = png_ptr->read_buffer;
298
299	if (buffer != NULL && new_size > png_ptr->read_buffer_size)
300	{
301	png_ptr->read_buffer = NULL;
302	png_ptr->read_buffer = NULL;
303	png_ptr->read_buffer_size = `0`;
304	png_free(png_ptr, buffer);
305	buffer = NULL;
306	}
307
308	if (buffer == NULL)
309	{
310	buffer = png_voidcast(png_bytep, png_malloc_base(png_ptr, new_size));
311
312	if (buffer != NULL)
313	{
314	png_ptr->read_buffer = buffer;
315	png_ptr->read_buffer_size = new_size;
316	}
317
318	else if (warn < `2`) / else silent /
319	{
320	if (warn != `0`)
321	png_chunk_warning(png_ptr, "insufficient memory to read chunk");
322
323	else
324	png_chunk_error(png_ptr, "insufficient memory to read chunk");
325	}
326	}
327
328	return buffer;
329	}
330	#endif /* READ_iCCP\|iTXt\|pCAL\|sCAL\|sPLT\|tEXt\|zTXt\|SEQUENTIAL_READ */
331
332	/ png_inflate_claim: claim the zstream for some nefarious purpose that involves*
333	* decompression. Returns Z_OK on success, else a zlib error code. It checks
334	* the owner but, in final release builds, just issues a warning if some other
335	* chunk apparently owns the stream. Prior to release it does a png_error.
336	*/
337	static int
338	png_inflate_claim(png_structrp png_ptr, png_uint_32 owner)
339	{
340	if (png_ptr->zowner != `0`)
341	{
342	char msg[`64`];
343
344	PNG_STRING_FROM_CHUNK(msg, png_ptr->zowner);
345	/ So the message that results is "<chunk> using zstream"; this is an*
346	* internal error, but is very useful for debugging. i18n requirements
347	* are minimal.
348	*/
349	(void)png_safecat(msg, (sizeof msg), `4`, " using zstream");
350	#if PNG_RELEASE_BUILD
351	png_chunk_warning(png_ptr, msg);
352	png_ptr->zowner = `0`;
353	#else
354	png_chunk_error(png_ptr, msg);
355	#endif
356	}
357
358	/ Implementation note: unlike 'png_deflate_claim' this internal function*
359	* does not take the size of the data as an argument. Some efficiency could
360	* be gained by using this when it is known if the zlib stream itself does
361	* not record the number; however, this is an illusion: the original writer
362	* of the PNG may have selected a lower window size, and we really must
363	* follow that because, for systems with with limited capabilities, we
364	* would otherwise reject the application's attempts to use a smaller window
365	* size (zlib doesn't have an interface to say "this or lower"!).
366	*
367	* inflateReset2 was added to zlib 1.2.4; before this the window could not be
368	* reset, therefore it is necessary to always allocate the maximum window
369	* size with earlier zlibs just in case later compressed chunks need it.
370	*/
371	{
372	int ret; / zlib return code /
373	#if PNG_ZLIB_VERNUM >= 0x1240
374
375	# if defined(PNG_SET_OPTION_SUPPORTED) && defined(PNG_MAXIMUM_INFLATE_WINDOW)
376	int window_bits;
377
378	if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & `3`) ==
379	PNG_OPTION_ON)
380	{
381	window_bits = `15`;
382	png_ptr->zstream_start = `0`; / fixed window size /
383	}
384
385	else
386	{
387	window_bits = `0`;
388	png_ptr->zstream_start = `1`;
389	}
390	# else
391	# define window_bits 0
392	# endif
393	#endif
394
395	/ Set this for safety, just in case the previous owner left pointers to*
396	* memory allocations.
397	*/
398	png_ptr->zstream.next_in = NULL;
399	png_ptr->zstream.avail_in = `0`;
400	png_ptr->zstream.next_out = NULL;
401	png_ptr->zstream.avail_out = `0`;
402
403	if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != `0`)
404	{
405	#if PNG_ZLIB_VERNUM < 0x1240
406	ret = inflateReset(&png_ptr->zstream);
407	#else
408	ret = inflateReset2(&png_ptr->zstream, window_bits);
409	#endif
410	}
411
412	else
413	{
414	#if PNG_ZLIB_VERNUM < 0x1240
415	ret = inflateInit(&png_ptr->zstream);
416	#else
417	ret = inflateInit2(&png_ptr->zstream, window_bits);
418	#endif
419
420	if (ret == Z_OK)
421	png_ptr->flags \|= PNG_FLAG_ZSTREAM_INITIALIZED;
422	}
423
424	if (ret == Z_OK)
425	png_ptr->zowner = owner;
426
427	else
428	png_zstream_error(png_ptr, ret);
429
430	return ret;
431	}
432
433	#ifdef window_bits
434	# undef window_bits
435	#endif
436	}
437
438	#if PNG_ZLIB_VERNUM >= 0x1240
439	/ Handle the start of the inflate stream if we called inflateInit2(strm,0);*
440	* in this case some zlib versions skip validation of the CINFO field and, in
441	* certain circumstances, libpng may end up displaying an invalid image, in
442	* contrast to implementations that call zlib in the normal way (e.g. libpng
443	* 1.5).
444	*/
445	int / PRIVATE /
446	png_zlib_inflate(png_structrp png_ptr, int flush)
447	{
448	if (png_ptr->zstream_start && png_ptr->zstream.avail_in > `0`)
449	{
450	if ((*png_ptr->zstream.next_in >> `4`) > `7`)
451	{
452	png_ptr->zstream.msg = "invalid window size (libpng)";
453	return Z_DATA_ERROR;
454	}
455
456	png_ptr->zstream_start = `0`;
457	}
458
459	return inflate(&png_ptr->zstream, flush);
460	}
461	#endif /* Zlib >= 1.2.4 */
462
463	#ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED
464	/ png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to*
465	* allow the caller to do multiple calls if required. If the 'finish' flag is
466	* set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must
467	* be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and
468	* Z_OK or Z_STREAM_END will be returned on success.
469	*
470	* The input and output sizes are updated to the actual amounts of data consumed
471	* or written, not the amount available (as in a z_stream). The data pointers
472	* are not changed, so the next input is (data+input_size) and the next
473	* available output is (output+output_size).
474	*/
475	static int
476	png_inflate(png_structrp png_ptr, png_uint_32 owner, int finish,
477	/ INPUT: / png_const_bytep input, png_uint_32p input_size_ptr,
478	/ OUTPUT: / png_bytep output, png_alloc_size_t *output_size_ptr)
479	{
480	if (png_ptr->zowner == owner) / Else not claimed /
481	{
482	int ret;
483	png_alloc_size_t avail_out = *output_size_ptr;
484	png_uint_32 avail_in = *input_size_ptr;
485
486	/ zlib can't necessarily handle more than 65535 bytes at once (i.e. it*
487	* can't even necessarily handle 65536 bytes) because the type uInt is
488	* "16 bits or more". Consequently it is necessary to chunk the input to
489	* zlib. This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the
490	* maximum value that can be stored in a uInt.) It is possible to set
491	* ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have
492	* a performance advantage, because it reduces the amount of data accessed
493	* at each step and that may give the OS more time to page it in.
494	*/
495	png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
496	/ avail_in and avail_out are set below from 'size' /
497	png_ptr->zstream.avail_in = `0`;
498	png_ptr->zstream.avail_out = `0`;
499
500	/ Read directly into the output if it is available (this is set to*
501	* a local buffer below if output is NULL).
502	*/
503	if (output != NULL)
504	png_ptr->zstream.next_out = output;
505
506	do
507	{
508	uInt avail;
509	Byte local_buffer[PNG_INFLATE_BUF_SIZE];
510
511	/ zlib INPUT BUFFER /
512	/ The setting of 'avail_in' used to be outside the loop; by setting it*
513	* inside it is possible to chunk the input to zlib and simply rely on
514	* zlib to advance the 'next_in' pointer. This allows arbitrary
515	* amounts of data to be passed through zlib at the unavoidable cost of
516	* requiring a window save (memcpy of up to 32768 output bytes)
517	* every ZLIB_IO_MAX input bytes.
518	*/
519	avail_in += png_ptr->zstream.avail_in; / not consumed last time /
520
521	avail = ZLIB_IO_MAX;
522
523	if (avail_in < avail)
524	avail = (uInt)avail_in; / safe: < than ZLIB_IO_MAX /
525
526	avail_in -= avail;
527	png_ptr->zstream.avail_in = avail;
528
529	/ zlib OUTPUT BUFFER /
530	avail_out += png_ptr->zstream.avail_out; / not written last time /
531
532	avail = ZLIB_IO_MAX; / maximum zlib can process /
533
534	if (output == NULL)
535	{
536	/ Reset the output buffer each time round if output is NULL and*
537	* make available the full buffer, up to 'remaining_space'
538	*/
539	png_ptr->zstream.next_out = local_buffer;
540	if ((sizeof local_buffer) < avail)
541	avail = (sizeof local_buffer);
542	}
543
544	if (avail_out < avail)
545	avail = (uInt)avail_out; / safe: < ZLIB_IO_MAX /
546
547	png_ptr->zstream.avail_out = avail;
548	avail_out -= avail;
549
550	/ zlib inflate call /
551	/ In fact 'avail_out' may be 0 at this point, that happens at the end*
552	* of the read when the final LZ end code was not passed at the end of
553	* the previous chunk of input data. Tell zlib if we have reached the
554	* end of the output buffer.
555	*/
556	ret = PNG_INFLATE(png_ptr, avail_out > `0` ? Z_NO_FLUSH :
557	(finish ? Z_FINISH : Z_SYNC_FLUSH));
558	} while (ret == Z_OK);
559
560	/ For safety kill the local buffer pointer now /
561	if (output == NULL)
562	png_ptr->zstream.next_out = NULL;
563
564	/ Claw back the 'size' and 'remaining_space' byte counts. /
565	avail_in += png_ptr->zstream.avail_in;
566	avail_out += png_ptr->zstream.avail_out;
567
568	/ Update the input and output sizes; the updated values are the amount*
569	* consumed or written, effectively the inverse of what zlib uses.
570	*/
571	if (avail_out > `0`)
572	*output_size_ptr -= avail_out;
573
574	if (avail_in > `0`)
575	*input_size_ptr -= avail_in;
576
577	/ Ensure png_ptr->zstream.msg is set (even in the success case!) /
578	png_zstream_error(png_ptr, ret);
579	return ret;
580	}
581
582	else
583	{
584	/ This is a bad internal error. The recovery assigns to the zstream msg*
585	* pointer, which is not owned by the caller, but this is safe; it's only
586	* used on errors!
587	*/
588	png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
589	return Z_STREAM_ERROR;
590	}
591	}
592
593	/*
594	* Decompress trailing data in a chunk. The assumption is that read_buffer
595	* points at an allocated area holding the contents of a chunk with a
596	* trailing compressed part. What we get back is an allocated area
597	* holding the original prefix part and an uncompressed version of the
598	* trailing part (the malloc area passed in is freed).
599	*/
600	static int
601	png_decompress_chunk(png_structrp png_ptr,
602	png_uint_32 chunklength, png_uint_32 prefix_size,
603	png_alloc_size_t newlength /* must be initialized to the maximum! /,
604	int terminate /add a '\0' to the end of the uncompressed data/)
605	{
606	/ TODO: implement different limits for different types of chunk.*
607	*
608	* The caller supplies *newlength set to the maximum length of the
609	* uncompressed data, but this routine allocates space for the prefix and
610	* maybe a '\0' terminator too. We have to assume that 'prefix_size' is
611	* limited only by the maximum chunk size.
612	*/
613	png_alloc_size_t limit = PNG_SIZE_MAX;
614
615	# ifdef PNG_SET_USER_LIMITS_SUPPORTED
616	if (png_ptr->user_chunk_malloc_max > `0` &&
617	png_ptr->user_chunk_malloc_max < limit)
618	limit = png_ptr->user_chunk_malloc_max;
619	# elif PNG_USER_CHUNK_MALLOC_MAX > 0
620	if (PNG_USER_CHUNK_MALLOC_MAX < limit)
621	limit = PNG_USER_CHUNK_MALLOC_MAX;
622	# endif
623
624	if (limit >= prefix_size + (terminate != `0`))
625	{
626	int ret;
627
628	limit -= prefix_size + (terminate != `0`);
629
630	if (limit < *newlength)
631	*newlength = limit;
632
633	/ Now try to claim the stream. /
634	ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);
635
636	if (ret == Z_OK)
637	{
638	png_uint_32 lzsize = chunklength - prefix_size;
639
640	ret = png_inflate(png_ptr, png_ptr->chunk_name, `1`/finish/,
641	/ input: / png_ptr->read_buffer + prefix_size, &lzsize,
642	/ output: / NULL, newlength);
643
644	if (ret == Z_STREAM_END)
645	{
646	/ Use 'inflateReset' here, not 'inflateReset2' because this*
647	* preserves the previously decided window size (otherwise it would
648	* be necessary to store the previous window size.) In practice
649	* this doesn't matter anyway, because png_inflate will call inflate
650	* with Z_FINISH in almost all cases, so the window will not be
651	* maintained.
652	*/
653	if (inflateReset(&png_ptr->zstream) == Z_OK)
654	{
655	/ Because of the limit checks above we know that the new,*
656	* expanded, size will fit in a size_t (let alone an
657	* png_alloc_size_t). Use png_malloc_base here to avoid an
658	* extra OOM message.
659	*/
660	png_alloc_size_t new_size = *newlength;
661	png_alloc_size_t buffer_size = prefix_size + new_size +
662	(terminate != `0`);
663	png_bytep text = png_voidcast(png_bytep, png_malloc_base(png_ptr,
664	buffer_size));
665
666	if (text != NULL)
667	{
668	ret = png_inflate(png_ptr, png_ptr->chunk_name, `1`/finish/,
669	png_ptr->read_buffer + prefix_size, &lzsize,
670	text + prefix_size, newlength);
671
672	if (ret == Z_STREAM_END)
673	{
674	if (new_size == *newlength)
675	{
676	if (terminate != `0`)
677	text[prefix_size + *newlength] = `0`;
678
679	if (prefix_size > `0`)
680	memcpy(text, png_ptr->read_buffer, prefix_size);
681
682	{
683	png_bytep old_ptr = png_ptr->read_buffer;
684
685	png_ptr->read_buffer = text;
686	png_ptr->read_buffer_size = buffer_size;
687	text = old_ptr; / freed below /
688	}
689	}
690
691	else
692	{
693	/ The size changed on the second read, there can be no*
694	* guarantee that anything is correct at this point.
695	* The 'msg' pointer has been set to "unexpected end of
696	* LZ stream", which is fine, but return an error code
697	* that the caller won't accept.
698	*/
699	ret = PNG_UNEXPECTED_ZLIB_RETURN;
700	}
701	}
702
703	else if (ret == Z_OK)
704	ret = PNG_UNEXPECTED_ZLIB_RETURN; / for safety /
705
706	/ Free the text pointer (this is the old read_buffer on*
707	* success)
708	*/
709	png_free(png_ptr, text);
710
711	/ This really is very benign, but it's still an error because*
712	* the extra space may otherwise be used as a Trojan Horse.
713	*/
714	if (ret == Z_STREAM_END &&
715	chunklength - prefix_size != lzsize)
716	png_chunk_benign_error(png_ptr, "extra compressed data");
717	}
718
719	else
720	{
721	/ Out of memory allocating the buffer /
722	ret = Z_MEM_ERROR;
723	png_zstream_error(png_ptr, Z_MEM_ERROR);
724	}
725	}
726
727	else
728	{
729	/ inflateReset failed, store the error message /
730	png_zstream_error(png_ptr, ret);
731
732	if (ret == Z_STREAM_END)
733	ret = PNG_UNEXPECTED_ZLIB_RETURN;
734	}
735	}
736
737	else if (ret == Z_OK)
738	ret = PNG_UNEXPECTED_ZLIB_RETURN;
739
740	/ Release the claimed stream /
741	png_ptr->zowner = `0`;
742	}
743
744	else / the claim failed / if (ret == Z_STREAM_END) / impossible! /
745	ret = PNG_UNEXPECTED_ZLIB_RETURN;
746
747	return ret;
748	}
749
750	else
751	{
752	/ Application/configuration limits exceeded /
753	png_zstream_error(png_ptr, Z_MEM_ERROR);
754	return Z_MEM_ERROR;
755	}
756	}
757	#endif /* READ_COMPRESSED_TEXT */
758
759	#ifdef PNG_READ_iCCP_SUPPORTED
760	/ Perform a partial read and decompress, producing 'avail_out' bytes and*
761	* reading from the current chunk as required.
762	*/
763	static int
764	png_inflate_read(png_structrp png_ptr, png_bytep read_buffer, uInt read_size,
765	png_uint_32p chunk_bytes, png_bytep next_out, png_alloc_size_t *out_size,
766	int finish)
767	{
768	if (png_ptr->zowner == png_ptr->chunk_name)
769	{
770	int ret;
771
772	/ next_in and avail_in must have been initialized by the caller. /
773	png_ptr->zstream.next_out = next_out;
774	png_ptr->zstream.avail_out = `0`; / set in the loop /
775
776	do
777	{
778	if (png_ptr->zstream.avail_in == `0`)
779	{
780	if (read_size > *chunk_bytes)
781	read_size = (uInt)*chunk_bytes;
782	*chunk_bytes -= read_size;
783
784	if (read_size > `0`)
785	png_crc_read(png_ptr, read_buffer, read_size);
786
787	png_ptr->zstream.next_in = read_buffer;
788	png_ptr->zstream.avail_in = read_size;
789	}
790
791	if (png_ptr->zstream.avail_out == `0`)
792	{
793	uInt avail = ZLIB_IO_MAX;
794	if (avail > *out_size)
795	avail = (uInt)*out_size;
796	*out_size -= avail;
797
798	png_ptr->zstream.avail_out = avail;
799	}
800
801	/ Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all*
802	* the available output is produced; this allows reading of truncated
803	* streams.
804	*/
805	ret = PNG_INFLATE(png_ptr,
806	*chunk_bytes > `0` ? Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));
807	}
808	while (ret == Z_OK && (*out_size > `0` \|\| png_ptr->zstream.avail_out > `0`));
809
810	*out_size += png_ptr->zstream.avail_out;
811	png_ptr->zstream.avail_out = `0`; / Should not be required, but is safe /
812
813	/ Ensure the error message pointer is always set: /
814	png_zstream_error(png_ptr, ret);
815	return ret;
816	}
817
818	else
819	{
820	png_ptr->zstream.msg = PNGZ_MSG_CAST("zstream unclaimed");
821	return Z_STREAM_ERROR;
822	}
823	}
824	#endif
825
826	/ Read and check the IDHR chunk /
827
828	void / PRIVATE /
829	png_handle_IHDR(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
830	{
831	png_byte buf[`13`];
832	png_uint_32 width, height;
833	int bit_depth, color_type, compression_type, filter_type;
834	int interlace_type;
835
836	png_debug(`1`, "in png_handle_IHDR");
837
838	if ((png_ptr->mode & PNG_HAVE_IHDR) != `0`)
839	png_chunk_error(png_ptr, "out of place");
840
841	/ Check the length /
842	if (length != `13`)
843	png_chunk_error(png_ptr, "invalid");
844
845	png_ptr->mode \|= PNG_HAVE_IHDR;
846
847	png_crc_read(png_ptr, buf, `13`);
848	png_crc_finish(png_ptr, `0`);
849
850	width = png_get_uint_31(png_ptr, buf);
851	height = png_get_uint_31(png_ptr, buf + `4`);
852	bit_depth = buf[`8`];
853	color_type = buf[`9`];
854	compression_type = buf[`10`];
855	filter_type = buf[`11`];
856	interlace_type = buf[`12`];
857
858	/ Set internal variables /
859	png_ptr->width = width;
860	png_ptr->height = height;
861	png_ptr->bit_depth = (png_byte)bit_depth;
862	png_ptr->interlaced = (png_byte)interlace_type;
863	png_ptr->color_type = (png_byte)color_type;
864	#ifdef PNG_MNG_FEATURES_SUPPORTED
865	png_ptr->filter_type = (png_byte)filter_type;
866	#endif
867	png_ptr->compression_type = (png_byte)compression_type;
868
869	/ Find number of channels /
870	switch (png_ptr->color_type)
871	{
872	default: / invalid, png_set_IHDR calls png_error /
873	case PNG_COLOR_TYPE_GRAY:
874	case PNG_COLOR_TYPE_PALETTE:
875	png_ptr->channels = `1`;
876	break;
877
878	case PNG_COLOR_TYPE_RGB:
879	png_ptr->channels = `3`;
880	break;
881
882	case PNG_COLOR_TYPE_GRAY_ALPHA:
883	png_ptr->channels = `2`;
884	break;
885
886	case PNG_COLOR_TYPE_RGB_ALPHA:
887	png_ptr->channels = `4`;
888	break;
889	}
890
891	/ Set up other useful info /
892	png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * png_ptr->channels);
893	png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);
894	png_debug1(`3`, "bit_depth = %d", png_ptr->bit_depth);
895	png_debug1(`3`, "channels = %d", png_ptr->channels);
896	png_debug1(`3`, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);
897	png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,
898	color_type, interlace_type, compression_type, filter_type);
899	}
900
901	/ Read and check the palette /
902	void / PRIVATE /
903	png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
904	{
905	png_color palette[PNG_MAX_PALETTE_LENGTH];
906	int max_palette_length, num, i;
907	#ifdef PNG_POINTER_INDEXING_SUPPORTED
908	png_colorp pal_ptr;
909	#endif
910
911	png_debug(`1`, "in png_handle_PLTE");
912
913	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
914	png_chunk_error(png_ptr, "missing IHDR");
915
916	/ Moved to before the 'after IDAT' check below because otherwise duplicate*
917	* PLTE chunks are potentially ignored (the spec says there shall not be more
918	* than one PLTE, the error is not treated as benign, so this check trumps
919	* the requirement that PLTE appears before IDAT.)
920	*/
921	else if ((png_ptr->mode & PNG_HAVE_PLTE) != `0`)
922	png_chunk_error(png_ptr, "duplicate");
923
924	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
925	{
926	/ This is benign because the non-benign error happened before, when an*
927	* IDAT was encountered in a color-mapped image with no PLTE.
928	*/
929	png_crc_finish(png_ptr, length);
930	png_chunk_benign_error(png_ptr, "out of place");
931	return;
932	}
933
934	png_ptr->mode \|= PNG_HAVE_PLTE;
935
936	if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == `0`)
937	{
938	png_crc_finish(png_ptr, length);
939	png_chunk_benign_error(png_ptr, "ignored in grayscale PNG");
940	return;
941	}
942
943	#ifndef PNG_READ_OPT_PLTE_SUPPORTED
944	if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
945	{
946	png_crc_finish(png_ptr, length);
947	return;
948	}
949	#endif
950
951	if (length > `3`*PNG_MAX_PALETTE_LENGTH \|\| length % `3`)
952	{
953	png_crc_finish(png_ptr, length);
954
955	if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE)
956	png_chunk_benign_error(png_ptr, "invalid");
957
958	else
959	png_chunk_error(png_ptr, "invalid");
960
961	return;
962	}
963
964	/ The cast is safe because 'length' is less than 3PNG_MAX_PALETTE_LENGTH /*
965	num = (int)length / `3`;
966
967	/ If the palette has 256 or fewer entries but is too large for the bit*
968	* depth, we don't issue an error, to preserve the behavior of previous
969	* libpng versions. We silently truncate the unused extra palette entries
970	* here.
971	*/
972	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
973	max_palette_length = (`1` << png_ptr->bit_depth);
974	else
975	max_palette_length = PNG_MAX_PALETTE_LENGTH;
976
977	if (num > max_palette_length)
978	num = max_palette_length;
979
980	#ifdef PNG_POINTER_INDEXING_SUPPORTED
981	for (i = `0`, pal_ptr = palette; i < num; i++, pal_ptr++)
982	{
983	png_byte buf[`3`];
984
985	png_crc_read(png_ptr, buf, `3`);
986	pal_ptr->red = buf[`0`];
987	pal_ptr->green = buf[`1`];
988	pal_ptr->blue = buf[`2`];
989	}
990	#else
991	for (i = `0`; i < num; i++)
992	{
993	png_byte buf[`3`];
994
995	png_crc_read(png_ptr, buf, `3`);
996	/ Don't depend upon png_color being any order /
997	palette[i].red = buf[`0`];
998	palette[i].green = buf[`1`];
999	palette[i].blue = buf[`2`];
1000	}
1001	#endif
1002
1003	/ If we actually need the PLTE chunk (ie for a paletted image), we do*
1004	* whatever the normal CRC configuration tells us. However, if we
1005	* have an RGB image, the PLTE can be considered ancillary, so
1006	* we will act as though it is.
1007	*/
1008	#ifndef PNG_READ_OPT_PLTE_SUPPORTED
1009	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1010	#endif
1011	{
1012	png_crc_finish(png_ptr, (int) length - num * `3`);
1013	}
1014
1015	#ifndef PNG_READ_OPT_PLTE_SUPPORTED
1016	else if (png_crc_error(png_ptr) != `0`) / Only if we have a CRC error /
1017	{
1018	/ If we don't want to use the data from an ancillary chunk,*
1019	* we have two options: an error abort, or a warning and we
1020	* ignore the data in this chunk (which should be OK, since
1021	* it's considered ancillary for a RGB or RGBA image).
1022	*
1023	* IMPLEMENTATION NOTE: this is only here because png_crc_finish uses the
1024	* chunk type to determine whether to check the ancillary or the critical
1025	* flags.
1026	*/
1027	if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_USE) == `0`)
1028	{
1029	if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) != `0`)
1030	return;
1031
1032	else
1033	png_chunk_error(png_ptr, "CRC error");
1034	}
1035
1036	/ Otherwise, we (optionally) emit a warning and use the chunk. /
1037	else if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == `0`)
1038	png_chunk_warning(png_ptr, "CRC error");
1039	}
1040	#endif
1041
1042	/ TODO: png_set_PLTE has the side effect of setting png_ptr->palette to its*
1043	* own copy of the palette. This has the side effect that when png_start_row
1044	* is called (this happens after any call to png_read_update_info) the
1045	* info_ptr palette gets changed. This is extremely unexpected and
1046	* confusing.
1047	*
1048	* Fix this by not sharing the palette in this way.
1049	*/
1050	png_set_PLTE(png_ptr, info_ptr, palette, num);
1051
1052	/ The three chunks, bKGD, hIST and tRNS must appear after PLTE and before*
1053	* IDAT. Prior to 1.6.0 this was not checked; instead the code merely
1054	* checked the apparent validity of a tRNS chunk inserted before PLTE on a
1055	* palette PNG. 1.6.0 attempts to rigorously follow the standard and
1056	* therefore does a benign error if the erroneous condition is detected and
1057	* cancels the tRNS if the benign error returns. The alternative is to
1058	* amend the standard since it would be rather hypocritical of the standards
1059	* maintainers to ignore it.
1060	*/
1061	#ifdef PNG_READ_tRNS_SUPPORTED
1062	if (png_ptr->num_trans > `0` \|\|
1063	(info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != `0`))
1064	{
1065	/ Cancel this because otherwise it would be used if the transforms*
1066	* require it. Don't cancel the 'valid' flag because this would prevent
1067	* detection of duplicate chunks.
1068	*/
1069	png_ptr->num_trans = `0`;
1070
1071	if (info_ptr != NULL)
1072	info_ptr->num_trans = `0`;
1073
1074	png_chunk_benign_error(png_ptr, "tRNS must be after");
1075	}
1076	#endif
1077
1078	#ifdef PNG_READ_hIST_SUPPORTED
1079	if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != `0`)
1080	png_chunk_benign_error(png_ptr, "hIST must be after");
1081	#endif
1082
1083	#ifdef PNG_READ_bKGD_SUPPORTED
1084	if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != `0`)
1085	png_chunk_benign_error(png_ptr, "bKGD must be after");
1086	#endif
1087	}
1088
1089	void / PRIVATE /
1090	png_handle_IEND(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1091	{
1092	png_debug(`1`, "in png_handle_IEND");
1093
1094	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0` \|\|
1095	(png_ptr->mode & PNG_HAVE_IDAT) == `0`)
1096	png_chunk_error(png_ptr, "out of place");
1097
1098	png_ptr->mode \|= (PNG_AFTER_IDAT \| PNG_HAVE_IEND);
1099
1100	png_crc_finish(png_ptr, length);
1101
1102	if (length != `0`)
1103	png_chunk_benign_error(png_ptr, "invalid");
1104
1105	PNG_UNUSED(info_ptr)
1106	}
1107
1108	#ifdef PNG_READ_gAMA_SUPPORTED
1109	void / PRIVATE /
1110	png_handle_gAMA(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1111	{
1112	png_fixed_point igamma;
1113	png_byte buf[`4`];
1114
1115	png_debug(`1`, "in png_handle_gAMA");
1116
1117	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1118	png_chunk_error(png_ptr, "missing IHDR");
1119
1120	else if ((png_ptr->mode & (PNG_HAVE_IDAT\|PNG_HAVE_PLTE)) != `0`)
1121	{
1122	png_crc_finish(png_ptr, length);
1123	png_chunk_benign_error(png_ptr, "out of place");
1124	return;
1125	}
1126
1127	if (length != `4`)
1128	{
1129	png_crc_finish(png_ptr, length);
1130	png_chunk_benign_error(png_ptr, "invalid");
1131	return;
1132	}
1133
1134	png_crc_read(png_ptr, buf, `4`);
1135
1136	if (png_crc_finish(png_ptr, `0`) != `0`)
1137	return;
1138
1139	igamma = png_get_fixed_point(NULL, buf);
1140
1141	png_colorspace_set_gamma(png_ptr, &png_ptr->colorspace, igamma);
1142	png_colorspace_sync(png_ptr, info_ptr);
1143	}
1144	#endif
1145
1146	#ifdef PNG_READ_sBIT_SUPPORTED
1147	void / PRIVATE /
1148	png_handle_sBIT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1149	{
1150	unsigned int truelen, i;
1151	png_byte sample_depth;
1152	png_byte buf[`4`];
1153
1154	png_debug(`1`, "in png_handle_sBIT");
1155
1156	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1157	png_chunk_error(png_ptr, "missing IHDR");
1158
1159	else if ((png_ptr->mode & (PNG_HAVE_IDAT\|PNG_HAVE_PLTE)) != `0`)
1160	{
1161	png_crc_finish(png_ptr, length);
1162	png_chunk_benign_error(png_ptr, "out of place");
1163	return;
1164	}
1165
1166	if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT) != `0`)
1167	{
1168	png_crc_finish(png_ptr, length);
1169	png_chunk_benign_error(png_ptr, "duplicate");
1170	return;
1171	}
1172
1173	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1174	{
1175	truelen = `3`;
1176	sample_depth = `8`;
1177	}
1178
1179	else
1180	{
1181	truelen = png_ptr->channels;
1182	sample_depth = png_ptr->bit_depth;
1183	}
1184
1185	if (length != truelen \|\| length > `4`)
1186	{
1187	png_chunk_benign_error(png_ptr, "invalid");
1188	png_crc_finish(png_ptr, length);
1189	return;
1190	}
1191
1192	buf[`0`] = buf[`1`] = buf[`2`] = buf[`3`] = sample_depth;
1193	png_crc_read(png_ptr, buf, truelen);
1194
1195	if (png_crc_finish(png_ptr, `0`) != `0`)
1196	return;
1197
1198	for (i=`0`; i<truelen; ++i)
1199	{
1200	if (buf[i] == `0` \|\| buf[i] > sample_depth)
1201	{
1202	png_chunk_benign_error(png_ptr, "invalid");
1203	return;
1204	}
1205	}
1206
1207	if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != `0`)
1208	{
1209	png_ptr->sig_bit.red = buf[`0`];
1210	png_ptr->sig_bit.green = buf[`1`];
1211	png_ptr->sig_bit.blue = buf[`2`];
1212	png_ptr->sig_bit.alpha = buf[`3`];
1213	}
1214
1215	else
1216	{
1217	png_ptr->sig_bit.gray = buf[`0`];
1218	png_ptr->sig_bit.red = buf[`0`];
1219	png_ptr->sig_bit.green = buf[`0`];
1220	png_ptr->sig_bit.blue = buf[`0`];
1221	png_ptr->sig_bit.alpha = buf[`1`];
1222	}
1223
1224	png_set_sBIT(png_ptr, info_ptr, &(png_ptr->sig_bit));
1225	}
1226	#endif
1227
1228	#ifdef PNG_READ_cHRM_SUPPORTED
1229	void / PRIVATE /
1230	png_handle_cHRM(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1231	{
1232	png_byte buf[`32`];
1233	png_xy xy;
1234
1235	png_debug(`1`, "in png_handle_cHRM");
1236
1237	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1238	png_chunk_error(png_ptr, "missing IHDR");
1239
1240	else if ((png_ptr->mode & (PNG_HAVE_IDAT\|PNG_HAVE_PLTE)) != `0`)
1241	{
1242	png_crc_finish(png_ptr, length);
1243	png_chunk_benign_error(png_ptr, "out of place");
1244	return;
1245	}
1246
1247	if (length != `32`)
1248	{
1249	png_crc_finish(png_ptr, length);
1250	png_chunk_benign_error(png_ptr, "invalid");
1251	return;
1252	}
1253
1254	png_crc_read(png_ptr, buf, `32`);
1255
1256	if (png_crc_finish(png_ptr, `0`) != `0`)
1257	return;
1258
1259	xy.whitex = png_get_fixed_point(NULL, buf);
1260	xy.whitey = png_get_fixed_point(NULL, buf + `4`);
1261	xy.redx = png_get_fixed_point(NULL, buf + `8`);
1262	xy.redy = png_get_fixed_point(NULL, buf + `12`);
1263	xy.greenx = png_get_fixed_point(NULL, buf + `16`);
1264	xy.greeny = png_get_fixed_point(NULL, buf + `20`);
1265	xy.bluex = png_get_fixed_point(NULL, buf + `24`);
1266	xy.bluey = png_get_fixed_point(NULL, buf + `28`);
1267
1268	if (xy.whitex == PNG_FIXED_ERROR \|\|
1269	xy.whitey == PNG_FIXED_ERROR \|\|
1270	xy.redx == PNG_FIXED_ERROR \|\|
1271	xy.redy == PNG_FIXED_ERROR \|\|
1272	xy.greenx == PNG_FIXED_ERROR \|\|
1273	xy.greeny == PNG_FIXED_ERROR \|\|
1274	xy.bluex == PNG_FIXED_ERROR \|\|
1275	xy.bluey == PNG_FIXED_ERROR)
1276	{
1277	png_chunk_benign_error(png_ptr, "invalid values");
1278	return;
1279	}
1280
1281	/ If a colorspace error has already been output skip this chunk /
1282	if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != `0`)
1283	return;
1284
1285	if ((png_ptr->colorspace.flags & PNG_COLORSPACE_FROM_cHRM) != `0`)
1286	{
1287	png_ptr->colorspace.flags \|= PNG_COLORSPACE_INVALID;
1288	png_colorspace_sync(png_ptr, info_ptr);
1289	png_chunk_benign_error(png_ptr, "duplicate");
1290	return;
1291	}
1292
1293	png_ptr->colorspace.flags \|= PNG_COLORSPACE_FROM_cHRM;
1294	(void)png_colorspace_set_chromaticities(png_ptr, &png_ptr->colorspace, &xy,
1295	`1`/prefer cHRM values/);
1296	png_colorspace_sync(png_ptr, info_ptr);
1297	}
1298	#endif
1299
1300	#ifdef PNG_READ_sRGB_SUPPORTED
1301	void / PRIVATE /
1302	png_handle_sRGB(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1303	{
1304	png_byte intent;
1305
1306	png_debug(`1`, "in png_handle_sRGB");
1307
1308	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1309	png_chunk_error(png_ptr, "missing IHDR");
1310
1311	else if ((png_ptr->mode & (PNG_HAVE_IDAT\|PNG_HAVE_PLTE)) != `0`)
1312	{
1313	png_crc_finish(png_ptr, length);
1314	png_chunk_benign_error(png_ptr, "out of place");
1315	return;
1316	}
1317
1318	if (length != `1`)
1319	{
1320	png_crc_finish(png_ptr, length);
1321	png_chunk_benign_error(png_ptr, "invalid");
1322	return;
1323	}
1324
1325	png_crc_read(png_ptr, &intent, `1`);
1326
1327	if (png_crc_finish(png_ptr, `0`) != `0`)
1328	return;
1329
1330	/ If a colorspace error has already been output skip this chunk /
1331	if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != `0`)
1332	return;
1333
1334	/ Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect*
1335	* this.
1336	*/
1337	if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) != `0`)
1338	{
1339	png_ptr->colorspace.flags \|= PNG_COLORSPACE_INVALID;
1340	png_colorspace_sync(png_ptr, info_ptr);
1341	png_chunk_benign_error(png_ptr, "too many profiles");
1342	return;
1343	}
1344
1345	(void)png_colorspace_set_sRGB(png_ptr, &png_ptr->colorspace, intent);
1346	png_colorspace_sync(png_ptr, info_ptr);
1347	}
1348	#endif /* READ_sRGB */
1349
1350	#ifdef PNG_READ_iCCP_SUPPORTED
1351	void / PRIVATE /
1352	png_handle_iCCP(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1353	/ Note: this does not properly handle profiles that are > 64K under DOS /
1354	{
1355	png_const_charp errmsg = NULL; / error message output, or no error /
1356	int finished = `0`; / crc checked /
1357
1358	png_debug(`1`, "in png_handle_iCCP");
1359
1360	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1361	png_chunk_error(png_ptr, "missing IHDR");
1362
1363	else if ((png_ptr->mode & (PNG_HAVE_IDAT\|PNG_HAVE_PLTE)) != `0`)
1364	{
1365	png_crc_finish(png_ptr, length);
1366	png_chunk_benign_error(png_ptr, "out of place");
1367	return;
1368	}
1369
1370	/* Consistent with all the above colorspace handling an obviously invalid
1371	* chunk is just ignored, so does not invalidate the color space. An
1372	* alternative is to set the 'invalid' flags at the start of this routine
1373	* and only clear them in they were not set before and all the tests pass.
1374	* The minimum 'deflate' stream is assumed to be just the 2 byte header and
1375	* 4 byte checksum. The keyword must be at least one character and there is
1376	* a terminator (0) byte and the compression method.
1377	*/
1378	if (length < `9`)
1379	{
1380	png_crc_finish(png_ptr, length);
1381	png_chunk_benign_error(png_ptr, "too short");
1382	return;
1383	}
1384
1385	/ If a colorspace error has already been output skip this chunk /
1386	if ((png_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != `0`)
1387	{
1388	png_crc_finish(png_ptr, length);
1389	return;
1390	}
1391
1392	/ Only one sRGB or iCCP chunk is allowed, use the HAVE_INTENT flag to detect*
1393	* this.
1394	*/
1395	if ((png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_INTENT) == `0`)
1396	{
1397	uInt read_length, keyword_length;
1398	char keyword[`81`];
1399
1400	/ Find the keyword; the keyword plus separator and compression method*
1401	* bytes can be at most 81 characters long.
1402	*/
1403	read_length = `81`; / maximum /
1404	if (read_length > length)
1405	read_length = (uInt)length;
1406
1407	png_crc_read(png_ptr, (png_bytep)keyword, read_length);
1408	length -= read_length;
1409
1410	keyword_length = `0`;
1411	while (keyword_length < `80` && keyword_length < read_length &&
1412	keyword[keyword_length] != `0`)
1413	++keyword_length;
1414
1415	/ TODO: make the keyword checking common /
1416	if (keyword_length >= `1` && keyword_length <= `79`)
1417	{
1418	/ We only understand '0' compression - deflate - so if we get a*
1419	* different value we can't safely decode the chunk.
1420	*/
1421	if (keyword_length+`1` < read_length &&
1422	keyword[keyword_length+`1`] == PNG_COMPRESSION_TYPE_BASE)
1423	{
1424	read_length -= keyword_length+`2`;
1425
1426	if (png_inflate_claim(png_ptr, png_iCCP) == Z_OK)
1427	{
1428	Byte profile_header[`132`];
1429	Byte local_buffer[PNG_INFLATE_BUF_SIZE];
1430	png_alloc_size_t size = (sizeof profile_header);
1431
1432	png_ptr->zstream.next_in = (Bytef*)keyword + (keyword_length+`2`);
1433	png_ptr->zstream.avail_in = read_length;
1434	(void)png_inflate_read(png_ptr, local_buffer,
1435	(sizeof local_buffer), &length, profile_header, &size,
1436	`0`/finish: don't, because the output is too small/);
1437
1438	if (size == `0`)
1439	{
1440	/ We have the ICC profile header; do the basic header checks.*
1441	*/
1442	const png_uint_32 profile_length =
1443	png_get_uint_32(profile_header);
1444
1445	if (png_icc_check_length(png_ptr, &png_ptr->colorspace,
1446	keyword, profile_length) != `0`)
1447	{
1448	/ The length is apparently ok, so we can check the 132*
1449	* byte header.
1450	*/
1451	if (png_icc_check_header(png_ptr, &png_ptr->colorspace,
1452	keyword, profile_length, profile_header,
1453	png_ptr->color_type) != `0`)
1454	{
1455	/ Now read the tag table; a variable size buffer is*
1456	* needed at this point, allocate one for the whole
1457	* profile. The header check has already validated
1458	* that none of these stuff will overflow.
1459	*/
1460	const png_uint_32 tag_count = png_get_uint_32(
1461	profile_header+`128`);
1462	png_bytep profile = png_read_buffer(png_ptr,
1463	profile_length, `2`/silent/);
1464
1465	if (profile != NULL)
1466	{
1467	memcpy(profile, profile_header,
1468	(sizeof profile_header));
1469
1470	size = `12` * tag_count;
1471
1472	(void)png_inflate_read(png_ptr, local_buffer,
1473	(sizeof local_buffer), &length,
1474	profile + (sizeof profile_header), &size, `0`);
1475
1476	/ Still expect a buffer error because we expect*
1477	* there to be some tag data!
1478	*/
1479	if (size == `0`)
1480	{
1481	if (png_icc_check_tag_table(png_ptr,
1482	&png_ptr->colorspace, keyword, profile_length,
1483	profile) != `0`)
1484	{
1485	/ The profile has been validated for basic*
1486	* security issues, so read the whole thing in.
1487	*/
1488	size = profile_length - (sizeof profile_header)
1489	- `12` * tag_count;
1490
1491	(void)png_inflate_read(png_ptr, local_buffer,
1492	(sizeof local_buffer), &length,
1493	profile + (sizeof profile_header) +
1494	`12` * tag_count, &size, `1`/finish/);
1495
1496	if (length > `0` && !(png_ptr->flags &
1497	PNG_FLAG_BENIGN_ERRORS_WARN))
1498	errmsg = "extra compressed data";
1499
1500	/ But otherwise allow extra data: /
1501	else if (size == `0`)
1502	{
1503	if (length > `0`)
1504	{
1505	/ This can be handled completely, so*
1506	* keep going.
1507	*/
1508	png_chunk_warning(png_ptr,
1509	"extra compressed data");
1510	}
1511
1512	png_crc_finish(png_ptr, length);
1513	finished = `1`;
1514
1515	# ifdef PNG_sRGB_SUPPORTED
1516	/ Check for a match against sRGB /
1517	png_icc_set_sRGB(png_ptr,
1518	&png_ptr->colorspace, profile,
1519	png_ptr->zstream.adler);
1520	# endif
1521
1522	/ Steal the profile for info_ptr. /
1523	if (info_ptr != NULL)
1524	{
1525	png_free_data(png_ptr, info_ptr,
1526	PNG_FREE_ICCP, `0`);
1527
1528	info_ptr->iccp_name = png_voidcast(char*,
1529	png_malloc_base(png_ptr,
1530	keyword_length+`1`));
1531	if (info_ptr->iccp_name != NULL)
1532	{
1533	memcpy(info_ptr->iccp_name, keyword,
1534	keyword_length+`1`);
1535	info_ptr->iccp_proflen =
1536	profile_length;
1537	info_ptr->iccp_profile = profile;
1538	png_ptr->read_buffer = NULL; /steal/
1539	info_ptr->free_me \|= PNG_FREE_ICCP;
1540	info_ptr->valid \|= PNG_INFO_iCCP;
1541	}
1542
1543	else
1544	{
1545	png_ptr->colorspace.flags \|=
1546	PNG_COLORSPACE_INVALID;
1547	errmsg = "out of memory";
1548	}
1549	}
1550
1551	/ else the profile remains in the read*
1552	* buffer which gets reused for subsequent
1553	* chunks.
1554	*/
1555
1556	if (info_ptr != NULL)
1557	png_colorspace_sync(png_ptr, info_ptr);
1558
1559	if (errmsg == NULL)
1560	{
1561	png_ptr->zowner = `0`;
1562	return;
1563	}
1564	}
1565
1566	else if (size > `0`)
1567	errmsg = "truncated";
1568
1569	#ifndef __COVERITY__
1570	else
1571	errmsg = png_ptr->zstream.msg;
1572	#endif
1573	}
1574
1575	/ else png_icc_check_tag_table output an error /
1576	}
1577
1578	else / profile truncated /
1579	errmsg = png_ptr->zstream.msg;
1580	}
1581
1582	else
1583	errmsg = "out of memory";
1584	}
1585
1586	/ else png_icc_check_header output an error /
1587	}
1588
1589	/ else png_icc_check_length output an error /
1590	}
1591
1592	else / profile truncated /
1593	errmsg = png_ptr->zstream.msg;
1594
1595	/ Release the stream /
1596	png_ptr->zowner = `0`;
1597	}
1598
1599	else / png_inflate_claim failed /
1600	errmsg = png_ptr->zstream.msg;
1601	}
1602
1603	else
1604	errmsg = "bad compression method"; / or missing /
1605	}
1606
1607	else
1608	errmsg = "bad keyword";
1609	}
1610
1611	else
1612	errmsg = "too many profiles";
1613
1614	/ Failure: the reason is in 'errmsg' /
1615	if (finished == `0`)
1616	png_crc_finish(png_ptr, length);
1617
1618	png_ptr->colorspace.flags \|= PNG_COLORSPACE_INVALID;
1619	png_colorspace_sync(png_ptr, info_ptr);
1620	if (errmsg != NULL) / else already output /
1621	png_chunk_benign_error(png_ptr, errmsg);
1622	}
1623	#endif /* READ_iCCP */
1624
1625	#ifdef PNG_READ_sPLT_SUPPORTED
1626	void / PRIVATE /
1627	png_handle_sPLT(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1628	/ Note: this does not properly handle chunks that are > 64K under DOS /
1629	{
1630	png_bytep entry_start, buffer;
1631	png_sPLT_t new_palette;
1632	png_sPLT_entryp pp;
1633	png_uint_32 data_length;
1634	int entry_size, i;
1635	png_uint_32 skip = `0`;
1636	png_uint_32 dl;
1637	png_size_t max_dl;
1638
1639	png_debug(`1`, "in png_handle_sPLT");
1640
1641	#ifdef PNG_USER_LIMITS_SUPPORTED
1642	if (png_ptr->user_chunk_cache_max != `0`)
1643	{
1644	if (png_ptr->user_chunk_cache_max == `1`)
1645	{
1646	png_crc_finish(png_ptr, length);
1647	return;
1648	}
1649
1650	if (--png_ptr->user_chunk_cache_max == `1`)
1651	{
1652	png_warning(png_ptr, "No space in chunk cache for sPLT");
1653	png_crc_finish(png_ptr, length);
1654	return;
1655	}
1656	}
1657	#endif
1658
1659	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1660	png_chunk_error(png_ptr, "missing IHDR");
1661
1662	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
1663	{
1664	png_crc_finish(png_ptr, length);
1665	png_chunk_benign_error(png_ptr, "out of place");
1666	return;
1667	}
1668
1669	#ifdef PNG_MAX_MALLOC_64K
1670	if (length > `65535U`)
1671	{
1672	png_crc_finish(png_ptr, length);
1673	png_chunk_benign_error(png_ptr, "too large to fit in memory");
1674	return;
1675	}
1676	#endif
1677
1678	buffer = png_read_buffer(png_ptr, length+`1`, `2`/silent/);
1679	if (buffer == NULL)
1680	{
1681	png_crc_finish(png_ptr, length);
1682	png_chunk_benign_error(png_ptr, "out of memory");
1683	return;
1684	}
1685
1686
1687	/ WARNING: this may break if size_t is less than 32 bits; it is assumed*
1688	* that the PNG_MAX_MALLOC_64K test is enabled in this case, but this is a
1689	* potential breakage point if the types in pngconf.h aren't exactly right.
1690	*/
1691	png_crc_read(png_ptr, buffer, length);
1692
1693	if (png_crc_finish(png_ptr, skip) != `0`)
1694	return;
1695
1696	buffer[length] = `0`;
1697
1698	for (entry_start = buffer; *entry_start; entry_start++)
1699	/ Empty loop to find end of name / ;
1700
1701	++entry_start;
1702
1703	/ A sample depth should follow the separator, and we should be on it /
1704	if (length < `2U` \|\| entry_start > buffer + (length - `2U`))
1705	{
1706	png_warning(png_ptr, "malformed sPLT chunk");
1707	return;
1708	}
1709
1710	new_palette.depth = *entry_start++;
1711	entry_size = (new_palette.depth == `8` ? `6` : `10`);
1712	/ This must fit in a png_uint_32 because it is derived from the original*
1713	* chunk data length.
1714	*/
1715	data_length = length - (png_uint_32)(entry_start - buffer);
1716
1717	/ Integrity-check the data length /
1718	if ((data_length % entry_size) != `0`)
1719	{
1720	png_warning(png_ptr, "sPLT chunk has bad length");
1721	return;
1722	}
1723
1724	dl = (png_int_32)(data_length / entry_size);
1725	max_dl = PNG_SIZE_MAX / (sizeof (png_sPLT_entry));
1726
1727	if (dl > max_dl)
1728	{
1729	png_warning(png_ptr, "sPLT chunk too long");
1730	return;
1731	}
1732
1733	new_palette.nentries = (png_int_32)(data_length / entry_size);
1734
1735	new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
1736	png_ptr, new_palette.nentries * (sizeof (png_sPLT_entry)));
1737
1738	if (new_palette.entries == NULL)
1739	{
1740	png_warning(png_ptr, "sPLT chunk requires too much memory");
1741	return;
1742	}
1743
1744	#ifdef PNG_POINTER_INDEXING_SUPPORTED
1745	for (i = `0`; i < new_palette.nentries; i++)
1746	{
1747	pp = new_palette.entries + i;
1748
1749	if (new_palette.depth == `8`)
1750	{
1751	pp->red = *entry_start++;
1752	pp->green = *entry_start++;
1753	pp->blue = *entry_start++;
1754	pp->alpha = *entry_start++;
1755	}
1756
1757	else
1758	{
1759	pp->red = png_get_uint_16(entry_start); entry_start += `2`;
1760	pp->green = png_get_uint_16(entry_start); entry_start += `2`;
1761	pp->blue = png_get_uint_16(entry_start); entry_start += `2`;
1762	pp->alpha = png_get_uint_16(entry_start); entry_start += `2`;
1763	}
1764
1765	pp->frequency = png_get_uint_16(entry_start); entry_start += `2`;
1766	}
1767	#else
1768	pp = new_palette.entries;
1769
1770	for (i = `0`; i < new_palette.nentries; i++)
1771	{
1772
1773	if (new_palette.depth == `8`)
1774	{
1775	pp[i].red = *entry_start++;
1776	pp[i].green = *entry_start++;
1777	pp[i].blue = *entry_start++;
1778	pp[i].alpha = *entry_start++;
1779	}
1780
1781	else
1782	{
1783	pp[i].red = png_get_uint_16(entry_start); entry_start += `2`;
1784	pp[i].green = png_get_uint_16(entry_start); entry_start += `2`;
1785	pp[i].blue = png_get_uint_16(entry_start); entry_start += `2`;
1786	pp[i].alpha = png_get_uint_16(entry_start); entry_start += `2`;
1787	}
1788
1789	pp[i].frequency = png_get_uint_16(entry_start); entry_start += `2`;
1790	}
1791	#endif
1792
1793	/ Discard all chunk data except the name and stash that /
1794	new_palette.name = (png_charp)buffer;
1795
1796	png_set_sPLT(png_ptr, info_ptr, &new_palette, `1`);
1797
1798	png_free(png_ptr, new_palette.entries);
1799	}
1800	#endif /* READ_sPLT */
1801
1802	#ifdef PNG_READ_tRNS_SUPPORTED
1803	void / PRIVATE /
1804	png_handle_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1805	{
1806	png_byte readbuf[PNG_MAX_PALETTE_LENGTH];
1807
1808	png_debug(`1`, "in png_handle_tRNS");
1809
1810	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1811	png_chunk_error(png_ptr, "missing IHDR");
1812
1813	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
1814	{
1815	png_crc_finish(png_ptr, length);
1816	png_chunk_benign_error(png_ptr, "out of place");
1817	return;
1818	}
1819
1820	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tRNS) != `0`)
1821	{
1822	png_crc_finish(png_ptr, length);
1823	png_chunk_benign_error(png_ptr, "duplicate");
1824	return;
1825	}
1826
1827	if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
1828	{
1829	png_byte buf[`2`];
1830
1831	if (length != `2`)
1832	{
1833	png_crc_finish(png_ptr, length);
1834	png_chunk_benign_error(png_ptr, "invalid");
1835	return;
1836	}
1837
1838	png_crc_read(png_ptr, buf, `2`);
1839	png_ptr->num_trans = `1`;
1840	png_ptr->trans_color.gray = png_get_uint_16(buf);
1841	}
1842
1843	else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
1844	{
1845	png_byte buf[`6`];
1846
1847	if (length != `6`)
1848	{
1849	png_crc_finish(png_ptr, length);
1850	png_chunk_benign_error(png_ptr, "invalid");
1851	return;
1852	}
1853
1854	png_crc_read(png_ptr, buf, length);
1855	png_ptr->num_trans = `1`;
1856	png_ptr->trans_color.red = png_get_uint_16(buf);
1857	png_ptr->trans_color.green = png_get_uint_16(buf + `2`);
1858	png_ptr->trans_color.blue = png_get_uint_16(buf + `4`);
1859	}
1860
1861	else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1862	{
1863	if ((png_ptr->mode & PNG_HAVE_PLTE) == `0`)
1864	{
1865	/ TODO: is this actually an error in the ISO spec? /
1866	png_crc_finish(png_ptr, length);
1867	png_chunk_benign_error(png_ptr, "out of place");
1868	return;
1869	}
1870
1871	if (length > (unsigned int) png_ptr->num_palette \|\|
1872	length > (unsigned int) PNG_MAX_PALETTE_LENGTH \|\|
1873	length == `0`)
1874	{
1875	png_crc_finish(png_ptr, length);
1876	png_chunk_benign_error(png_ptr, "invalid");
1877	return;
1878	}
1879
1880	png_crc_read(png_ptr, readbuf, length);
1881	png_ptr->num_trans = (png_uint_16)length;
1882	}
1883
1884	else
1885	{
1886	png_crc_finish(png_ptr, length);
1887	png_chunk_benign_error(png_ptr, "invalid with alpha channel");
1888	return;
1889	}
1890
1891	if (png_crc_finish(png_ptr, `0`) != `0`)
1892	{
1893	png_ptr->num_trans = `0`;
1894	return;
1895	}
1896
1897	/ TODO: this is a horrible side effect in the palette case because the*
1898	* png_struct ends up with a pointer to the tRNS buffer owned by the
1899	* png_info. Fix this.
1900	*/
1901	png_set_tRNS(png_ptr, info_ptr, readbuf, png_ptr->num_trans,
1902	&(png_ptr->trans_color));
1903	}
1904	#endif
1905
1906	#ifdef PNG_READ_bKGD_SUPPORTED
1907	void / PRIVATE /
1908	png_handle_bKGD(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
1909	{
1910	unsigned int truelen;
1911	png_byte buf[`6`];
1912	png_color_16 background;
1913
1914	png_debug(`1`, "in png_handle_bKGD");
1915
1916	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
1917	png_chunk_error(png_ptr, "missing IHDR");
1918
1919	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0` \|\|
1920	(png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
1921	(png_ptr->mode & PNG_HAVE_PLTE) == `0`))
1922	{
1923	png_crc_finish(png_ptr, length);
1924	png_chunk_benign_error(png_ptr, "out of place");
1925	return;
1926	}
1927
1928	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_bKGD) != `0`)
1929	{
1930	png_crc_finish(png_ptr, length);
1931	png_chunk_benign_error(png_ptr, "duplicate");
1932	return;
1933	}
1934
1935	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1936	truelen = `1`;
1937
1938	else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != `0`)
1939	truelen = `6`;
1940
1941	else
1942	truelen = `2`;
1943
1944	if (length != truelen)
1945	{
1946	png_crc_finish(png_ptr, length);
1947	png_chunk_benign_error(png_ptr, "invalid");
1948	return;
1949	}
1950
1951	png_crc_read(png_ptr, buf, truelen);
1952
1953	if (png_crc_finish(png_ptr, `0`) != `0`)
1954	return;
1955
1956	/ We convert the index value into RGB components so that we can allow*
1957	* arbitrary RGB values for background when we have transparency, and
1958	* so it is easy to determine the RGB values of the background color
1959	* from the info_ptr struct.
1960	*/
1961	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
1962	{
1963	background.index = buf[`0`];
1964
1965	if (info_ptr != NULL && info_ptr->num_palette != `0`)
1966	{
1967	if (buf[`0`] >= info_ptr->num_palette)
1968	{
1969	png_chunk_benign_error(png_ptr, "invalid index");
1970	return;
1971	}
1972
1973	background.red = (png_uint_16)png_ptr->palette[buf[`0`]].red;
1974	background.green = (png_uint_16)png_ptr->palette[buf[`0`]].green;
1975	background.blue = (png_uint_16)png_ptr->palette[buf[`0`]].blue;
1976	}
1977
1978	else
1979	background.red = background.green = background.blue = `0`;
1980
1981	background.gray = `0`;
1982	}
1983
1984	else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == `0`) / GRAY /
1985	{
1986	background.index = `0`;
1987	background.red =
1988	background.green =
1989	background.blue =
1990	background.gray = png_get_uint_16(buf);
1991	}
1992
1993	else
1994	{
1995	background.index = `0`;
1996	background.red = png_get_uint_16(buf);
1997	background.green = png_get_uint_16(buf + `2`);
1998	background.blue = png_get_uint_16(buf + `4`);
1999	background.gray = `0`;
2000	}
2001
2002	png_set_bKGD(png_ptr, info_ptr, &background);
2003	}
2004	#endif
2005
2006	#ifdef PNG_READ_hIST_SUPPORTED
2007	void / PRIVATE /
2008	png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2009	{
2010	unsigned int num, i;
2011	png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
2012
2013	png_debug(`1`, "in png_handle_hIST");
2014
2015	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2016	png_chunk_error(png_ptr, "missing IHDR");
2017
2018	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0` \|\|
2019	(png_ptr->mode & PNG_HAVE_PLTE) == `0`)
2020	{
2021	png_crc_finish(png_ptr, length);
2022	png_chunk_benign_error(png_ptr, "out of place");
2023	return;
2024	}
2025
2026	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_hIST) != `0`)
2027	{
2028	png_crc_finish(png_ptr, length);
2029	png_chunk_benign_error(png_ptr, "duplicate");
2030	return;
2031	}
2032
2033	num = length / `2` ;
2034
2035	if (num != (unsigned int) png_ptr->num_palette \|\|
2036	num > (unsigned int) PNG_MAX_PALETTE_LENGTH)
2037	{
2038	png_crc_finish(png_ptr, length);
2039	png_chunk_benign_error(png_ptr, "invalid");
2040	return;
2041	}
2042
2043	for (i = `0`; i < num; i++)
2044	{
2045	png_byte buf[`2`];
2046
2047	png_crc_read(png_ptr, buf, `2`);
2048	readbuf[i] = png_get_uint_16(buf);
2049	}
2050
2051	if (png_crc_finish(png_ptr, `0`) != `0`)
2052	return;
2053
2054	png_set_hIST(png_ptr, info_ptr, readbuf);
2055	}
2056	#endif
2057
2058	#ifdef PNG_READ_pHYs_SUPPORTED
2059	void / PRIVATE /
2060	png_handle_pHYs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2061	{
2062	png_byte buf[`9`];
2063	png_uint_32 res_x, res_y;
2064	int unit_type;
2065
2066	png_debug(`1`, "in png_handle_pHYs");
2067
2068	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2069	png_chunk_error(png_ptr, "missing IHDR");
2070
2071	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2072	{
2073	png_crc_finish(png_ptr, length);
2074	png_chunk_benign_error(png_ptr, "out of place");
2075	return;
2076	}
2077
2078	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pHYs) != `0`)
2079	{
2080	png_crc_finish(png_ptr, length);
2081	png_chunk_benign_error(png_ptr, "duplicate");
2082	return;
2083	}
2084
2085	if (length != `9`)
2086	{
2087	png_crc_finish(png_ptr, length);
2088	png_chunk_benign_error(png_ptr, "invalid");
2089	return;
2090	}
2091
2092	png_crc_read(png_ptr, buf, `9`);
2093
2094	if (png_crc_finish(png_ptr, `0`) != `0`)
2095	return;
2096
2097	res_x = png_get_uint_32(buf);
2098	res_y = png_get_uint_32(buf + `4`);
2099	unit_type = buf[`8`];
2100	png_set_pHYs(png_ptr, info_ptr, res_x, res_y, unit_type);
2101	}
2102	#endif
2103
2104	#ifdef PNG_READ_oFFs_SUPPORTED
2105	void / PRIVATE /
2106	png_handle_oFFs(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2107	{
2108	png_byte buf[`9`];
2109	png_int_32 offset_x, offset_y;
2110	int unit_type;
2111
2112	png_debug(`1`, "in png_handle_oFFs");
2113
2114	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2115	png_chunk_error(png_ptr, "missing IHDR");
2116
2117	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2118	{
2119	png_crc_finish(png_ptr, length);
2120	png_chunk_benign_error(png_ptr, "out of place");
2121	return;
2122	}
2123
2124	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_oFFs) != `0`)
2125	{
2126	png_crc_finish(png_ptr, length);
2127	png_chunk_benign_error(png_ptr, "duplicate");
2128	return;
2129	}
2130
2131	if (length != `9`)
2132	{
2133	png_crc_finish(png_ptr, length);
2134	png_chunk_benign_error(png_ptr, "invalid");
2135	return;
2136	}
2137
2138	png_crc_read(png_ptr, buf, `9`);
2139
2140	if (png_crc_finish(png_ptr, `0`) != `0`)
2141	return;
2142
2143	offset_x = png_get_int_32(buf);
2144	offset_y = png_get_int_32(buf + `4`);
2145	unit_type = buf[`8`];
2146	png_set_oFFs(png_ptr, info_ptr, offset_x, offset_y, unit_type);
2147	}
2148	#endif
2149
2150	#ifdef PNG_READ_pCAL_SUPPORTED
2151	/ Read the pCAL chunk (described in the PNG Extensions document) /
2152	void / PRIVATE /
2153	png_handle_pCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2154	{
2155	png_int_32 X0, X1;
2156	png_byte type, nparams;
2157	png_bytep buffer, buf, units, endptr;
2158	png_charpp params;
2159	int i;
2160
2161	png_debug(`1`, "in png_handle_pCAL");
2162
2163	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2164	png_chunk_error(png_ptr, "missing IHDR");
2165
2166	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2167	{
2168	png_crc_finish(png_ptr, length);
2169	png_chunk_benign_error(png_ptr, "out of place");
2170	return;
2171	}
2172
2173	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_pCAL) != `0`)
2174	{
2175	png_crc_finish(png_ptr, length);
2176	png_chunk_benign_error(png_ptr, "duplicate");
2177	return;
2178	}
2179
2180	png_debug1(`2`, "Allocating and reading pCAL chunk data (%u bytes)",
2181	length + `1`);
2182
2183	buffer = png_read_buffer(png_ptr, length+`1`, `2`/silent/);
2184
2185	if (buffer == NULL)
2186	{
2187	png_crc_finish(png_ptr, length);
2188	png_chunk_benign_error(png_ptr, "out of memory");
2189	return;
2190	}
2191
2192	png_crc_read(png_ptr, buffer, length);
2193
2194	if (png_crc_finish(png_ptr, `0`) != `0`)
2195	return;
2196
2197	buffer[length] = `0`; / Null terminate the last string /
2198
2199	png_debug(`3`, "Finding end of pCAL purpose string");
2200	for (buf = buffer; *buf; buf++)
2201	/ Empty loop / ;
2202
2203	endptr = buffer + length;
2204
2205	/ We need to have at least 12 bytes after the purpose string*
2206	* in order to get the parameter information.
2207	*/
2208	if (endptr - buf <= `12`)
2209	{
2210	png_chunk_benign_error(png_ptr, "invalid");
2211	return;
2212	}
2213
2214	png_debug(`3`, "Reading pCAL X0, X1, type, nparams, and units");
2215	X0 = png_get_int_32((png_bytep)buf+`1`);
2216	X1 = png_get_int_32((png_bytep)buf+`5`);
2217	type = buf[`9`];
2218	nparams = buf[`10`];
2219	units = buf + `11`;
2220
2221	png_debug(`3`, "Checking pCAL equation type and number of parameters");
2222	/ Check that we have the right number of parameters for known*
2223	* equation types.
2224	*/
2225	if ((type == PNG_EQUATION_LINEAR && nparams != `2`) \|\|
2226	(type == PNG_EQUATION_BASE_E && nparams != `3`) \|\|
2227	(type == PNG_EQUATION_ARBITRARY && nparams != `3`) \|\|
2228	(type == PNG_EQUATION_HYPERBOLIC && nparams != `4`))
2229	{
2230	png_chunk_benign_error(png_ptr, "invalid parameter count");
2231	return;
2232	}
2233
2234	else if (type >= PNG_EQUATION_LAST)
2235	{
2236	png_chunk_benign_error(png_ptr, "unrecognized equation type");
2237	}
2238
2239	for (buf = units; *buf; buf++)
2240	/ Empty loop to move past the units string. / ;
2241
2242	png_debug(`3`, "Allocating pCAL parameters array");
2243
2244	params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
2245	nparams * (sizeof (png_charp))));
2246
2247	if (params == NULL)
2248	{
2249	png_chunk_benign_error(png_ptr, "out of memory");
2250	return;
2251	}
2252
2253	/ Get pointers to the start of each parameter string. /
2254	for (i = `0`; i < nparams; i++)
2255	{
2256	buf++; / Skip the null string terminator from previous parameter. /
2257
2258	png_debug1(`3`, "Reading pCAL parameter %d", i);
2259
2260	for (params[i] = (png_charp)buf; buf <= endptr && *buf != `0`; buf++)
2261	/ Empty loop to move past each parameter string / ;
2262
2263	/ Make sure we haven't run out of data yet /
2264	if (buf > endptr)
2265	{
2266	png_free(png_ptr, params);
2267	png_chunk_benign_error(png_ptr, "invalid data");
2268	return;
2269	}
2270	}
2271
2272	png_set_pCAL(png_ptr, info_ptr, (png_charp)buffer, X0, X1, type, nparams,
2273	(png_charp)units, params);
2274
2275	png_free(png_ptr, params);
2276	}
2277	#endif
2278
2279	#ifdef PNG_READ_sCAL_SUPPORTED
2280	/ Read the sCAL chunk /
2281	void / PRIVATE /
2282	png_handle_sCAL(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2283	{
2284	png_bytep buffer;
2285	png_size_t i;
2286	int state;
2287
2288	png_debug(`1`, "in png_handle_sCAL");
2289
2290	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2291	png_chunk_error(png_ptr, "missing IHDR");
2292
2293	else if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2294	{
2295	png_crc_finish(png_ptr, length);
2296	png_chunk_benign_error(png_ptr, "out of place");
2297	return;
2298	}
2299
2300	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sCAL) != `0`)
2301	{
2302	png_crc_finish(png_ptr, length);
2303	png_chunk_benign_error(png_ptr, "duplicate");
2304	return;
2305	}
2306
2307	/ Need unit type, width, \0, height: minimum 4 bytes /
2308	else if (length < `4`)
2309	{
2310	png_crc_finish(png_ptr, length);
2311	png_chunk_benign_error(png_ptr, "invalid");
2312	return;
2313	}
2314
2315	png_debug1(`2`, "Allocating and reading sCAL chunk data (%u bytes)",
2316	length + `1`);
2317
2318	buffer = png_read_buffer(png_ptr, length+`1`, `2`/silent/);
2319
2320	if (buffer == NULL)
2321	{
2322	png_chunk_benign_error(png_ptr, "out of memory");
2323	png_crc_finish(png_ptr, length);
2324	return;
2325	}
2326
2327	png_crc_read(png_ptr, buffer, length);
2328	buffer[length] = `0`; / Null terminate the last string /
2329
2330	if (png_crc_finish(png_ptr, `0`) != `0`)
2331	return;
2332
2333	/ Validate the unit. /
2334	if (buffer[`0`] != `1` && buffer[`0`] != `2`)
2335	{
2336	png_chunk_benign_error(png_ptr, "invalid unit");
2337	return;
2338	}
2339
2340	/ Validate the ASCII numbers, need two ASCII numbers separated by*
2341	* a '\0' and they need to fit exactly in the chunk data.
2342	*/
2343	i = `1`;
2344	state = `0`;
2345
2346	if (png_check_fp_number((png_const_charp)buffer, length, &state, &i) == `0` \|\|
2347	i >= length \|\| buffer[i++] != `0`)
2348	png_chunk_benign_error(png_ptr, "bad width format");
2349
2350	else if (PNG_FP_IS_POSITIVE(state) == `0`)
2351	png_chunk_benign_error(png_ptr, "non-positive width");
2352
2353	else
2354	{
2355	png_size_t heighti = i;
2356
2357	state = `0`;
2358	if (png_check_fp_number((png_const_charp)buffer, length,
2359	&state, &i) == `0` \|\| i != length)
2360	png_chunk_benign_error(png_ptr, "bad height format");
2361
2362	else if (PNG_FP_IS_POSITIVE(state) == `0`)
2363	png_chunk_benign_error(png_ptr, "non-positive height");
2364
2365	else
2366	/ This is the (only) success case. /
2367	png_set_sCAL_s(png_ptr, info_ptr, buffer[`0`],
2368	(png_charp)buffer+`1`, (png_charp)buffer+heighti);
2369	}
2370	}
2371	#endif
2372
2373	#ifdef PNG_READ_tIME_SUPPORTED
2374	void / PRIVATE /
2375	png_handle_tIME(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2376	{
2377	png_byte buf[`7`];
2378	png_time mod_time;
2379
2380	png_debug(`1`, "in png_handle_tIME");
2381
2382	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2383	png_chunk_error(png_ptr, "missing IHDR");
2384
2385	else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_tIME) != `0`)
2386	{
2387	png_crc_finish(png_ptr, length);
2388	png_chunk_benign_error(png_ptr, "duplicate");
2389	return;
2390	}
2391
2392	if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2393	png_ptr->mode \|= PNG_AFTER_IDAT;
2394
2395	if (length != `7`)
2396	{
2397	png_crc_finish(png_ptr, length);
2398	png_chunk_benign_error(png_ptr, "invalid");
2399	return;
2400	}
2401
2402	png_crc_read(png_ptr, buf, `7`);
2403
2404	if (png_crc_finish(png_ptr, `0`) != `0`)
2405	return;
2406
2407	mod_time.second = buf[`6`];
2408	mod_time.minute = buf[`5`];
2409	mod_time.hour = buf[`4`];
2410	mod_time.day = buf[`3`];
2411	mod_time.month = buf[`2`];
2412	mod_time.year = png_get_uint_16(buf);
2413
2414	png_set_tIME(png_ptr, info_ptr, &mod_time);
2415	}
2416	#endif
2417
2418	#ifdef PNG_READ_tEXt_SUPPORTED
2419	/ Note: this does not properly handle chunks that are > 64K under DOS /
2420	void / PRIVATE /
2421	png_handle_tEXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2422	{
2423	png_text text_info;
2424	png_bytep buffer;
2425	png_charp key;
2426	png_charp text;
2427	png_uint_32 skip = `0`;
2428
2429	png_debug(`1`, "in png_handle_tEXt");
2430
2431	#ifdef PNG_USER_LIMITS_SUPPORTED
2432	if (png_ptr->user_chunk_cache_max != `0`)
2433	{
2434	if (png_ptr->user_chunk_cache_max == `1`)
2435	{
2436	png_crc_finish(png_ptr, length);
2437	return;
2438	}
2439
2440	if (--png_ptr->user_chunk_cache_max == `1`)
2441	{
2442	png_crc_finish(png_ptr, length);
2443	png_chunk_benign_error(png_ptr, "no space in chunk cache");
2444	return;
2445	}
2446	}
2447	#endif
2448
2449	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2450	png_chunk_error(png_ptr, "missing IHDR");
2451
2452	if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2453	png_ptr->mode \|= PNG_AFTER_IDAT;
2454
2455	#ifdef PNG_MAX_MALLOC_64K
2456	if (length > `65535U`)
2457	{
2458	png_crc_finish(png_ptr, length);
2459	png_chunk_benign_error(png_ptr, "too large to fit in memory");
2460	return;
2461	}
2462	#endif
2463
2464	buffer = png_read_buffer(png_ptr, length+`1`, `1`/warn/);
2465
2466	if (buffer == NULL)
2467	{
2468	png_chunk_benign_error(png_ptr, "out of memory");
2469	return;
2470	}
2471
2472	png_crc_read(png_ptr, buffer, length);
2473
2474	if (png_crc_finish(png_ptr, skip) != `0`)
2475	return;
2476
2477	key = (png_charp)buffer;
2478	key[length] = `0`;
2479
2480	for (text = key; *text; text++)
2481	/ Empty loop to find end of key / ;
2482
2483	if (text != key + length)
2484	text++;
2485
2486	text_info.compression = PNG_TEXT_COMPRESSION_NONE;
2487	text_info.key = key;
2488	text_info.lang = NULL;
2489	text_info.lang_key = NULL;
2490	text_info.itxt_length = `0`;
2491	text_info.text = text;
2492	text_info.text_length = strlen(text);
2493
2494	if (png_set_text_2(png_ptr, info_ptr, &text_info, `1`) != `0`)
2495	png_warning(png_ptr, "Insufficient memory to process text chunk");
2496	}
2497	#endif
2498
2499	#ifdef PNG_READ_zTXt_SUPPORTED
2500	/ Note: this does not correctly handle chunks that are > 64K under DOS /
2501	void / PRIVATE /
2502	png_handle_zTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2503	{
2504	png_const_charp errmsg = NULL;
2505	png_bytep buffer;
2506	png_uint_32 keyword_length;
2507
2508	png_debug(`1`, "in png_handle_zTXt");
2509
2510	#ifdef PNG_USER_LIMITS_SUPPORTED
2511	if (png_ptr->user_chunk_cache_max != `0`)
2512	{
2513	if (png_ptr->user_chunk_cache_max == `1`)
2514	{
2515	png_crc_finish(png_ptr, length);
2516	return;
2517	}
2518
2519	if (--png_ptr->user_chunk_cache_max == `1`)
2520	{
2521	png_crc_finish(png_ptr, length);
2522	png_chunk_benign_error(png_ptr, "no space in chunk cache");
2523	return;
2524	}
2525	}
2526	#endif
2527
2528	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2529	png_chunk_error(png_ptr, "missing IHDR");
2530
2531	if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2532	png_ptr->mode \|= PNG_AFTER_IDAT;
2533
2534	buffer = png_read_buffer(png_ptr, length, `2`/silent/);
2535
2536	if (buffer == NULL)
2537	{
2538	png_crc_finish(png_ptr, length);
2539	png_chunk_benign_error(png_ptr, "out of memory");
2540	return;
2541	}
2542
2543	png_crc_read(png_ptr, buffer, length);
2544
2545	if (png_crc_finish(png_ptr, `0`) != `0`)
2546	return;
2547
2548	/ TODO: also check that the keyword contents match the spec! /
2549	for (keyword_length = `0`;
2550	keyword_length < length && buffer[keyword_length] != `0`;
2551	++keyword_length)
2552	/ Empty loop to find end of name / ;
2553
2554	if (keyword_length > `79` \|\| keyword_length < `1`)
2555	errmsg = "bad keyword";
2556
2557	/ zTXt must have some LZ data after the keyword, although it may expand to*
2558	* zero bytes; we need a '\0' at the end of the keyword, the compression type
2559	* then the LZ data:
2560	*/
2561	else if (keyword_length + `3` > length)
2562	errmsg = "truncated";
2563
2564	else if (buffer[keyword_length+`1`] != PNG_COMPRESSION_TYPE_BASE)
2565	errmsg = "unknown compression type";
2566
2567	else
2568	{
2569	png_alloc_size_t uncompressed_length = PNG_SIZE_MAX;
2570
2571	/ TODO: at present png_decompress_chunk imposes a single application*
2572	* level memory limit, this should be split to different values for iCCP
2573	* and text chunks.
2574	*/
2575	if (png_decompress_chunk(png_ptr, length, keyword_length+`2`,
2576	&uncompressed_length, `1`/terminate/) == Z_STREAM_END)
2577	{
2578	png_text text;
2579
2580	/ It worked; png_ptr->read_buffer now looks like a tEXt chunk except*
2581	* for the extra compression type byte and the fact that it isn't
2582	* necessarily '\0' terminated.
2583	*/
2584	buffer = png_ptr->read_buffer;
2585	buffer[uncompressed_length+(keyword_length+`2`)] = `0`;
2586
2587	text.compression = PNG_TEXT_COMPRESSION_zTXt;
2588	text.key = (png_charp)buffer;
2589	text.text = (png_charp)(buffer + keyword_length+`2`);
2590	text.text_length = uncompressed_length;
2591	text.itxt_length = `0`;
2592	text.lang = NULL;
2593	text.lang_key = NULL;
2594
2595	if (png_set_text_2(png_ptr, info_ptr, &text, `1`) != `0`)
2596	errmsg = "insufficient memory";
2597	}
2598
2599	else
2600	errmsg = png_ptr->zstream.msg;
2601	}
2602
2603	if (errmsg != NULL)
2604	png_chunk_benign_error(png_ptr, errmsg);
2605	}
2606	#endif
2607
2608	#ifdef PNG_READ_iTXt_SUPPORTED
2609	/ Note: this does not correctly handle chunks that are > 64K under DOS /
2610	void / PRIVATE /
2611	png_handle_iTXt(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
2612	{
2613	png_const_charp errmsg = NULL;
2614	png_bytep buffer;
2615	png_uint_32 prefix_length;
2616
2617	png_debug(`1`, "in png_handle_iTXt");
2618
2619	#ifdef PNG_USER_LIMITS_SUPPORTED
2620	if (png_ptr->user_chunk_cache_max != `0`)
2621	{
2622	if (png_ptr->user_chunk_cache_max == `1`)
2623	{
2624	png_crc_finish(png_ptr, length);
2625	return;
2626	}
2627
2628	if (--png_ptr->user_chunk_cache_max == `1`)
2629	{
2630	png_crc_finish(png_ptr, length);
2631	png_chunk_benign_error(png_ptr, "no space in chunk cache");
2632	return;
2633	}
2634	}
2635	#endif
2636
2637	if ((png_ptr->mode & PNG_HAVE_IHDR) == `0`)
2638	png_chunk_error(png_ptr, "missing IHDR");
2639
2640	if ((png_ptr->mode & PNG_HAVE_IDAT) != `0`)
2641	png_ptr->mode \|= PNG_AFTER_IDAT;
2642
2643	buffer = png_read_buffer(png_ptr, length+`1`, `1`/warn/);
2644
2645	if (buffer == NULL)
2646	{
2647	png_crc_finish(png_ptr, length);
2648	png_chunk_benign_error(png_ptr, "out of memory");
2649	return;
2650	}
2651
2652	png_crc_read(png_ptr, buffer, length);
2653
2654	if (png_crc_finish(png_ptr, `0`) != `0`)
2655	return;
2656
2657	/ First the keyword. /
2658	for (prefix_length=`0`;
2659	prefix_length < length && buffer[prefix_length] != `0`;
2660	++prefix_length)
2661	/ Empty loop / ;
2662
2663	/ Perform a basic check on the keyword length here. /
2664	if (prefix_length > `79` \|\| prefix_length < `1`)
2665	errmsg = "bad keyword";
2666
2667	/ Expect keyword, compression flag, compression type, language, translated*
2668	* keyword (both may be empty but are 0 terminated) then the text, which may
2669	* be empty.
2670	*/
2671	else if (prefix_length + `5` > length)
2672	errmsg = "truncated";
2673
2674	else if (buffer[prefix_length+`1`] == `0` \|\|
2675	(buffer[prefix_length+`1`] == `1` &&
2676	buffer[prefix_length+`2`] == PNG_COMPRESSION_TYPE_BASE))
2677	{
2678	int compressed = buffer[prefix_length+`1`] != `0`;
2679	png_uint_32 language_offset, translated_keyword_offset;
2680	png_alloc_size_t uncompressed_length = `0`;
2681
2682	/ Now the language tag /
2683	prefix_length += `3`;
2684	language_offset = prefix_length;
2685
2686	for (; prefix_length < length && buffer[prefix_length] != `0`;
2687	++prefix_length)
2688	/ Empty loop / ;
2689
2690	/ WARNING: the length may be invalid here, this is checked below. /
2691	translated_keyword_offset = ++prefix_length;
2692
2693	for (; prefix_length < length && buffer[prefix_length] != `0`;
2694	++prefix_length)
2695	/ Empty loop / ;
2696
2697	/ prefix_length should now be at the trailing '\0' of the translated*
2698	* keyword, but it may already be over the end. None of this arithmetic
2699	* can overflow because chunks are at most 2^31 bytes long, but on 16-bit
2700	* systems the available allocation may overflow.
2701	*/
2702	++prefix_length;
2703
2704	if (compressed == `0` && prefix_length <= length)
2705	uncompressed_length = length - prefix_length;
2706
2707	else if (compressed != `0` && prefix_length < length)
2708	{
2709	uncompressed_length = PNG_SIZE_MAX;
2710
2711	/ TODO: at present png_decompress_chunk imposes a single application*
2712	* level memory limit, this should be split to different values for
2713	* iCCP and text chunks.
2714	*/
2715	if (png_decompress_chunk(png_ptr, length, prefix_length,
2716	&uncompressed_length, `1`/terminate/) == Z_STREAM_END)
2717	buffer = png_ptr->read_buffer;
2718
2719	else
2720	errmsg = png_ptr->zstream.msg;
2721	}
2722
2723	else
2724	errmsg = "truncated";
2725
2726	if (errmsg == NULL)
2727	{
2728	png_text text;
2729
2730	buffer[uncompressed_length+prefix_length] = `0`;
2731
2732	if (compressed == `0`)
2733	text.compression = PNG_ITXT_COMPRESSION_NONE;
2734
2735	else
2736	text.compression = PNG_ITXT_COMPRESSION_zTXt;
2737
2738	text.key = (png_charp)buffer;
2739	text.lang = (png_charp)buffer + language_offset;
2740	text.lang_key = (png_charp)buffer + translated_keyword_offset;
2741	text.text = (png_charp)buffer + prefix_length;
2742	text.text_length = `0`;
2743	text.itxt_length = uncompressed_length;
2744
2745	if (png_set_text_2(png_ptr, info_ptr, &text, `1`) != `0`)
2746	errmsg = "insufficient memory";
2747	}
2748	}
2749
2750	else
2751	errmsg = "bad compression info";
2752
2753	if (errmsg != NULL)
2754	png_chunk_benign_error(png_ptr, errmsg);
2755	}
2756	#endif
2757
2758	#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2759	/ Utility function for png_handle_unknown; set up png_ptr::unknown_chunk /
2760	static int
2761	png_cache_unknown_chunk(png_structrp png_ptr, png_uint_32 length)
2762	{
2763	png_alloc_size_t limit = PNG_SIZE_MAX;
2764
2765	if (png_ptr->unknown_chunk.data != NULL)
2766	{
2767	png_free(png_ptr, png_ptr->unknown_chunk.data);
2768	png_ptr->unknown_chunk.data = NULL;
2769	}
2770
2771	# ifdef PNG_SET_USER_LIMITS_SUPPORTED
2772	if (png_ptr->user_chunk_malloc_max > `0` &&
2773	png_ptr->user_chunk_malloc_max < limit)
2774	limit = png_ptr->user_chunk_malloc_max;
2775
2776	# elif PNG_USER_CHUNK_MALLOC_MAX > 0
2777	if (PNG_USER_CHUNK_MALLOC_MAX < limit)
2778	limit = PNG_USER_CHUNK_MALLOC_MAX;
2779	# endif
2780
2781	if (length <= limit)
2782	{
2783	PNG_CSTRING_FROM_CHUNK(png_ptr->unknown_chunk.name, png_ptr->chunk_name);
2784	/ The following is safe because of the PNG_SIZE_MAX init above /
2785	png_ptr->unknown_chunk.size = (png_size_t)length/SAFE/;
2786	/ 'mode' is a flag array, only the bottom four bits matter here /
2787	png_ptr->unknown_chunk.location = (png_byte)png_ptr->mode/SAFE/;
2788
2789	if (length == `0`)
2790	png_ptr->unknown_chunk.data = NULL;
2791
2792	else
2793	{
2794	/ Do a 'warn' here - it is handled below. /
2795	png_ptr->unknown_chunk.data = png_voidcast(png_bytep,
2796	png_malloc_warn(png_ptr, length));
2797	}
2798	}
2799
2800	if (png_ptr->unknown_chunk.data == NULL && length > `0`)
2801	{
2802	/ This is benign because we clean up correctly /
2803	png_crc_finish(png_ptr, length);
2804	png_chunk_benign_error(png_ptr, "unknown chunk exceeds memory limits");
2805	return `0`;
2806	}
2807
2808	else
2809	{
2810	if (length > `0`)
2811	png_crc_read(png_ptr, png_ptr->unknown_chunk.data, length);
2812	png_crc_finish(png_ptr, `0`);
2813	return `1`;
2814	}
2815	}
2816	#endif /* READ_UNKNOWN_CHUNKS */
2817
2818	/ Handle an unknown, or known but disabled, chunk /
2819	void / PRIVATE /
2820	png_handle_unknown(png_structrp png_ptr, png_inforp info_ptr,
2821	png_uint_32 length, int keep)
2822	{
2823	int handled = `0`; / the chunk was handled /
2824
2825	png_debug(`1`, "in png_handle_unknown");
2826
2827	#ifdef PNG_READ_UNKNOWN_CHUNKS_SUPPORTED
2828	/ NOTE: this code is based on the code in libpng-1.4.12 except for fixing*
2829	* the bug which meant that setting a non-default behavior for a specific
2830	* chunk would be ignored (the default was always used unless a user
2831	* callback was installed).
2832	*
2833	* 'keep' is the value from the png_chunk_unknown_handling, the setting for
2834	* this specific chunk_name, if PNG_HANDLE_AS_UNKNOWN_SUPPORTED, if not it
2835	* will always be PNG_HANDLE_CHUNK_AS_DEFAULT and it needs to be set here.
2836	* This is just an optimization to avoid multiple calls to the lookup
2837	* function.
2838	*/
2839	# ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
2840	# ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2841	keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name);
2842	# endif
2843	# endif
2844
2845	/ One of the following methods will read the chunk or skip it (at least one*
2846	* of these is always defined because this is the only way to switch on
2847	* PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
2848	*/
2849	# ifdef PNG_READ_USER_CHUNKS_SUPPORTED
2850	/ The user callback takes precedence over the chunk keep value, but the*
2851	* keep value is still required to validate a save of a critical chunk.
2852	*/
2853	if (png_ptr->read_user_chunk_fn != NULL)
2854	{
2855	if (png_cache_unknown_chunk(png_ptr, length) != `0`)
2856	{
2857	/ Callback to user unknown chunk handler /
2858	int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr,
2859	&png_ptr->unknown_chunk);
2860
2861	/ ret is:*
2862	* negative: An error occurred; png_chunk_error will be called.
2863	* zero: The chunk was not handled, the chunk will be discarded
2864	* unless png_set_keep_unknown_chunks has been used to set
2865	* a 'keep' behavior for this particular chunk, in which
2866	* case that will be used. A critical chunk will cause an
2867	* error at this point unless it is to be saved.
2868	* positive: The chunk was handled, libpng will ignore/discard it.
2869	*/
2870	if (ret < `0`)
2871	png_chunk_error(png_ptr, "error in user chunk");
2872
2873	else if (ret == `0`)
2874	{
2875	/ If the keep value is 'default' or 'never' override it, but*
2876	* still error out on critical chunks unless the keep value is
2877	* 'always' While this is weird it is the behavior in 1.4.12.
2878	* A possible improvement would be to obey the value set for the
2879	* chunk, but this would be an API change that would probably
2880	* damage some applications.
2881	*
2882	* The png_app_warning below catches the case that matters, where
2883	* the application has not set specific save or ignore for this
2884	* chunk or global save or ignore.
2885	*/
2886	if (keep < PNG_HANDLE_CHUNK_IF_SAFE)
2887	{
2888	# ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
2889	if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE)
2890	{
2891	png_chunk_warning(png_ptr, "Saving unknown chunk:");
2892	png_app_warning(png_ptr,
2893	"forcing save of an unhandled chunk;"
2894	" please call png_set_keep_unknown_chunks");
2895	/ with keep = PNG_HANDLE_CHUNK_IF_SAFE /
2896	}
2897	# endif
2898	keep = PNG_HANDLE_CHUNK_IF_SAFE;
2899	}
2900	}
2901
2902	else / chunk was handled /
2903	{
2904	handled = `1`;
2905	/ Critical chunks can be safely discarded at this point. /
2906	keep = PNG_HANDLE_CHUNK_NEVER;
2907	}
2908	}
2909
2910	else
2911	keep = PNG_HANDLE_CHUNK_NEVER; / insufficient memory /
2912	}
2913
2914	else
2915	/ Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk /
2916	# endif /* READ_USER_CHUNKS */
2917
2918	# ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
2919	{
2920	/ keep is currently just the per-chunk setting, if there was no*
2921	* setting change it to the global default now (not that this may
2922	* still be AS_DEFAULT) then obtain the cache of the chunk if required,
2923	* if not simply skip the chunk.
2924	*/
2925	if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT)
2926	keep = png_ptr->unknown_default;
2927
2928	if (keep == PNG_HANDLE_CHUNK_ALWAYS \|\|
2929	(keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2930	PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2931	{
2932	if (png_cache_unknown_chunk(png_ptr, length) == `0`)
2933	keep = PNG_HANDLE_CHUNK_NEVER;
2934	}
2935
2936	else
2937	png_crc_finish(png_ptr, length);
2938	}
2939	# else
2940	# ifndef PNG_READ_USER_CHUNKS_SUPPORTED
2941	# error no method to support READ_UNKNOWN_CHUNKS
2942	# endif
2943
2944	{
2945	/ If here there is no read callback pointer set and no support is*
2946	* compiled in to just save the unknown chunks, so simply skip this
2947	* chunk. If 'keep' is something other than AS_DEFAULT or NEVER then
2948	* the app has erroneously asked for unknown chunk saving when there
2949	* is no support.
2950	*/
2951	if (keep > PNG_HANDLE_CHUNK_NEVER)
2952	png_app_error(png_ptr, "no unknown chunk support available");
2953
2954	png_crc_finish(png_ptr, length);
2955	}
2956	# endif
2957
2958	# ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
2959	/ Now store the chunk in the chunk list if appropriate, and if the limits*
2960	* permit it.
2961	*/
2962	if (keep == PNG_HANDLE_CHUNK_ALWAYS \|\|
2963	(keep == PNG_HANDLE_CHUNK_IF_SAFE &&
2964	PNG_CHUNK_ANCILLARY(png_ptr->chunk_name)))
2965	{
2966	# ifdef PNG_USER_LIMITS_SUPPORTED
2967	switch (png_ptr->user_chunk_cache_max)
2968	{
2969	case `2`:
2970	png_ptr->user_chunk_cache_max = `1`;
2971	png_chunk_benign_error(png_ptr, "no space in chunk cache");
2972	/ FALL THROUGH /
2973	case `1`:
2974	/ NOTE: prior to 1.6.0 this case resulted in an unknown critical*
2975	* chunk being skipped, now there will be a hard error below.
2976	*/
2977	break;
2978
2979	default: / not at limit /
2980	--(png_ptr->user_chunk_cache_max);
2981	/ FALL THROUGH /
2982	case `0`: / no limit /
2983	# endif /* USER_LIMITS */
2984	/ Here when the limit isn't reached or when limits are compiled*
2985	* out; store the chunk.
2986	*/
2987	png_set_unknown_chunks(png_ptr, info_ptr,
2988	&png_ptr->unknown_chunk, `1`);
2989	handled = `1`;
2990	# ifdef PNG_USER_LIMITS_SUPPORTED
2991	break;
2992	}
2993	# endif
2994	}
2995	# else /* no store support: the chunk must be handled by the user callback */
2996	PNG_UNUSED(info_ptr)
2997	# endif
2998
2999	/ Regardless of the error handling below the cached data (if any) can be*
3000	* freed now. Notice that the data is not freed if there is a png_error, but
3001	* it will be freed by destroy_read_struct.
3002	*/
3003	if (png_ptr->unknown_chunk.data != NULL)
3004	png_free(png_ptr, png_ptr->unknown_chunk.data);
3005	png_ptr->unknown_chunk.data = NULL;
3006
3007	#else /* !PNG_READ_UNKNOWN_CHUNKS_SUPPORTED */
3008	/ There is no support to read an unknown chunk, so just skip it. /
3009	png_crc_finish(png_ptr, length);
3010	PNG_UNUSED(info_ptr)
3011	PNG_UNUSED(keep)
3012	#endif /* !READ_UNKNOWN_CHUNKS */
3013
3014	/ Check for unhandled critical chunks /
3015	if (handled == `0` && PNG_CHUNK_CRITICAL(png_ptr->chunk_name))
3016	png_chunk_error(png_ptr, "unhandled critical chunk");
3017	}
3018
3019	/ This function is called to verify that a chunk name is valid.*
3020	* This function can't have the "critical chunk check" incorporated
3021	* into it, since in the future we will need to be able to call user
3022	* functions to handle unknown critical chunks after we check that
3023	* the chunk name itself is valid.
3024	*/
3025
3026	/ Bit hacking: the test for an invalid byte in the 4 byte chunk name is:*
3027	*
3028	* ((c) < 65 \|\| (c) > 122 \|\| ((c) > 90 && (c) < 97))
3029	*/
3030
3031	void / PRIVATE /
3032	png_check_chunk_name(png_structrp png_ptr, png_uint_32 chunk_name)
3033	{
3034	int i;
3035
3036	png_debug(`1`, "in png_check_chunk_name");
3037
3038	for (i=`1`; i<=`4`; ++i)
3039	{
3040	int c = chunk_name & `0xff`;
3041
3042	if (c < `65` \|\| c > `122` \|\| (c > `90` && c < `97`))
3043	png_chunk_error(png_ptr, "invalid chunk type");
3044
3045	chunk_name >>= `8`;
3046	}
3047	}
3048
3049	/ Combines the row recently read in with the existing pixels in the row. This*
3050	* routine takes care of alpha and transparency if requested. This routine also
3051	* handles the two methods of progressive display of interlaced images,
3052	* depending on the 'display' value; if 'display' is true then the whole row
3053	* (dp) is filled from the start by replicating the available pixels. If
3054	* 'display' is false only those pixels present in the pass are filled in.
3055	*/
3056	void / PRIVATE /
3057	png_combine_row(png_const_structrp png_ptr, png_bytep dp, int display)
3058	{
3059	unsigned int pixel_depth = png_ptr->transformed_pixel_depth;
3060	png_const_bytep sp = png_ptr->row_buf + `1`;
3061	png_alloc_size_t row_width = png_ptr->width;
3062	unsigned int pass = png_ptr->pass;
3063	png_bytep end_ptr = `0`;
3064	png_byte end_byte = `0`;
3065	unsigned int end_mask;
3066
3067	png_debug(`1`, "in png_combine_row");
3068
3069	/ Added in 1.5.6: it should not be possible to enter this routine until at*
3070	* least one row has been read from the PNG data and transformed.
3071	*/
3072	if (pixel_depth == `0`)
3073	png_error(png_ptr, "internal row logic error");
3074
3075	/ Added in 1.5.4: the pixel depth should match the information returned by*
3076	* any call to png_read_update_info at this point. Do not continue if we got
3077	* this wrong.
3078	*/
3079	if (png_ptr->info_rowbytes != `0` && png_ptr->info_rowbytes !=
3080	PNG_ROWBYTES(pixel_depth, row_width))
3081	png_error(png_ptr, "internal row size calculation error");
3082
3083	/ Don't expect this to ever happen: /
3084	if (row_width == `0`)
3085	png_error(png_ptr, "internal row width error");
3086
3087	/ Preserve the last byte in cases where only part of it will be overwritten,*
3088	* the multiply below may overflow, we don't care because ANSI-C guarantees
3089	* we get the low bits.
3090	*/
3091	end_mask = (pixel_depth * row_width) & `7`;
3092	if (end_mask != `0`)
3093	{
3094	/ end_ptr == NULL is a flag to say do nothing /
3095	end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - `1`;
3096	end_byte = *end_ptr;
3097	# ifdef PNG_READ_PACKSWAP_SUPPORTED
3098	if ((png_ptr->transformations & PNG_PACKSWAP) != `0`)
3099	/ little-endian byte /
3100	end_mask = `0xff` << end_mask;
3101
3102	else / big-endian byte /
3103	# endif
3104	end_mask = `0xff` >> end_mask;
3105	/ end_mask is now the bits to keep from the destination row /
3106	}
3107
3108	/ For non-interlaced images this reduces to a memcpy(). A memcpy()*
3109	* will also happen if interlacing isn't supported or if the application
3110	* does not call png_set_interlace_handling(). In the latter cases the
3111	* caller just gets a sequence of the unexpanded rows from each interlace
3112	* pass.
3113	*/
3114	#ifdef PNG_READ_INTERLACING_SUPPORTED
3115	if (png_ptr->interlaced != `0` &&
3116	(png_ptr->transformations & PNG_INTERLACE) != `0` &&
3117	pass < `6` && (display == `0` \|\|
3118	/ The following copies everything for 'display' on passes 0, 2 and 4. /
3119	(display == `1` && (pass & `1`) != `0`)))
3120	{
3121	/ Narrow images may have no bits in a pass; the caller should handle*
3122	* this, but this test is cheap:
3123	*/
3124	if (row_width <= PNG_PASS_START_COL(pass))
3125	return;
3126
3127	if (pixel_depth < `8`)
3128	{
3129	/ For pixel depths up to 4 bpp the 8-pixel mask can be expanded to fit*
3130	* into 32 bits, then a single loop over the bytes using the four byte
3131	* values in the 32-bit mask can be used. For the 'display' option the
3132	* expanded mask may also not require any masking within a byte. To
3133	* make this work the PACKSWAP option must be taken into account - it
3134	* simply requires the pixels to be reversed in each byte.
3135	*
3136	* The 'regular' case requires a mask for each of the first 6 passes,
3137	* the 'display' case does a copy for the even passes in the range
3138	* 0..6. This has already been handled in the test above.
3139	*
3140	* The masks are arranged as four bytes with the first byte to use in
3141	* the lowest bits (little-endian) regardless of the order (PACKSWAP or
3142	* not) of the pixels in each byte.
3143	*
3144	* NOTE: the whole of this logic depends on the caller of this function
3145	* only calling it on rows appropriate to the pass. This function only
3146	* understands the 'x' logic; the 'y' logic is handled by the caller.
3147	*
3148	* The following defines allow generation of compile time constant bit
3149	* masks for each pixel depth and each possibility of swapped or not
3150	* swapped bytes. Pass 'p' is in the range 0..6; 'x', a pixel index,
3151	* is in the range 0..7; and the result is 1 if the pixel is to be
3152	* copied in the pass, 0 if not. 'S' is for the sparkle method, 'B'
3153	* for the block method.
3154	*
3155	* With some compilers a compile time expression of the general form:
3156	*
3157	* (shift >= 32) ? (a >> (shift-32)) : (b >> shift)
3158	*
3159	* Produces warnings with values of 'shift' in the range 33 to 63
3160	* because the right hand side of the ?: expression is evaluated by
3161	* the compiler even though it isn't used. Microsoft Visual C (various
3162	* versions) and the Intel C compiler are known to do this. To avoid
3163	* this the following macros are used in 1.5.6. This is a temporary
3164	* solution to avoid destabilizing the code during the release process.
3165	*/
3166	# if PNG_USE_COMPILE_TIME_MASKS
3167	# define PNG_LSR(x,s) ((x)>>((s) & 0x1f))
3168	# define PNG_LSL(x,s) ((x)<<((s) & 0x1f))
3169	# else
3170	# define PNG_LSR(x,s) ((x)>>(s))
3171	# define PNG_LSL(x,s) ((x)<<(s))
3172	# endif
3173	# define S_COPY(p,x) (((p)<4 ? PNG_LSR(0x80088822,(3-(p))*8+(7-(x))) :\
3174	PNG_LSR(0xaa55ff00,(7-(p))*8+(7-(x)))) & 1)
3175	# define B_COPY(p,x) (((p)<4 ? PNG_LSR(0xff0fff33,(3-(p))*8+(7-(x))) :\
3176	PNG_LSR(0xff55ff00,(7-(p))*8+(7-(x)))) & 1)
3177
3178	/ Return a mask for pass 'p' pixel 'x' at depth 'd'. The mask is*
3179	* little endian - the first pixel is at bit 0 - however the extra
3180	* parameter 's' can be set to cause the mask position to be swapped
3181	* within each byte, to match the PNG format. This is done by XOR of
3182	* the shift with 7, 6 or 4 for bit depths 1, 2 and 4.
3183	*/
3184	# define PIXEL_MASK(p,x,d,s) \
3185	(PNG_LSL(((PNG_LSL(1U,(d)))-1),(((x)*(d))^((s)?8-(d):0))))
3186
3187	/ Hence generate the appropriate 'block' or 'sparkle' pixel copy mask.*
3188	*/
3189	# define S_MASKx(p,x,d,s) (S_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3190	# define B_MASKx(p,x,d,s) (B_COPY(p,x)?PIXEL_MASK(p,x,d,s):0)
3191
3192	/ Combine 8 of these to get the full mask. For the 1-bpp and 2-bpp*
3193	* cases the result needs replicating, for the 4-bpp case the above
3194	* generates a full 32 bits.
3195	*/
3196	# define MASK_EXPAND(m,d) ((m)*((d)==1?0x01010101:((d)==2?0x00010001:1)))
3197
3198	# define S_MASK(p,d,s) MASK_EXPAND(S_MASKx(p,0,d,s) + S_MASKx(p,1,d,s) +\
3199	S_MASKx(p,2,d,s) + S_MASKx(p,3,d,s) + S_MASKx(p,4,d,s) +\
3200	S_MASKx(p,5,d,s) + S_MASKx(p,6,d,s) + S_MASKx(p,7,d,s), d)
3201
3202	# define B_MASK(p,d,s) MASK_EXPAND(B_MASKx(p,0,d,s) + B_MASKx(p,1,d,s) +\
3203	B_MASKx(p,2,d,s) + B_MASKx(p,3,d,s) + B_MASKx(p,4,d,s) +\
3204	B_MASKx(p,5,d,s) + B_MASKx(p,6,d,s) + B_MASKx(p,7,d,s), d)
3205
3206	#if PNG_USE_COMPILE_TIME_MASKS
3207	/ Utility macros to construct all the masks for a depth/swap*
3208	* combination. The 's' parameter says whether the format is PNG
3209	* (big endian bytes) or not. Only the three odd-numbered passes are
3210	* required for the display/block algorithm.
3211	*/
3212	# define S_MASKS(d,s) { S_MASK(0,d,s), S_MASK(1,d,s), S_MASK(2,d,s),\
3213	S_MASK(3,d,s), S_MASK(4,d,s), S_MASK(5,d,s) }
3214
3215	# define B_MASKS(d,s) { B_MASK(1,d,s), B_MASK(3,d,s), B_MASK(5,d,s) }
3216
3217	# define DEPTH_INDEX(d) ((d)==1?0:((d)==2?1:2))
3218
3219	/ Hence the pre-compiled masks indexed by PACKSWAP (or not), depth and*
3220	* then pass:
3221	*/
3222	static PNG_CONST png_uint_32 row_mask[`2`/PACKSWAP/][`3`/depth/][`6`] =
3223	{
3224	/ Little-endian byte masks for PACKSWAP /
3225	{ S_MASKS(`1`,`0`), S_MASKS(`2`,`0`), S_MASKS(`4`,`0`) },
3226	/ Normal (big-endian byte) masks - PNG format /
3227	{ S_MASKS(`1`,`1`), S_MASKS(`2`,`1`), S_MASKS(`4`,`1`) }
3228	};
3229
3230	/ display_mask has only three entries for the odd passes, so index by*
3231	* pass>>1.
3232	*/
3233	static PNG_CONST png_uint_32 display_mask[`2`][`3`][`3`] =
3234	{
3235	/ Little-endian byte masks for PACKSWAP /
3236	{ B_MASKS(`1`,`0`), B_MASKS(`2`,`0`), B_MASKS(`4`,`0`) },
3237	/ Normal (big-endian byte) masks - PNG format /
3238	{ B_MASKS(`1`,`1`), B_MASKS(`2`,`1`), B_MASKS(`4`,`1`) }
3239	};
3240
3241	# define MASK(pass,depth,display,png)\
3242	((display)?display_mask[png][DEPTH_INDEX(depth)][pass>>1]:\
3243	row_mask[png][DEPTH_INDEX(depth)][pass])
3244
3245	#else /* !PNG_USE_COMPILE_TIME_MASKS */
3246	/ This is the runtime alternative: it seems unlikely that this will*
3247	* ever be either smaller or faster than the compile time approach.
3248	*/
3249	# define MASK(pass,depth,display,png)\
3250	((display)?B_MASK(pass,depth,png):S_MASK(pass,depth,png))
3251	#endif /* !USE_COMPILE_TIME_MASKS */
3252
3253	/ Use the appropriate mask to copy the required bits. In some cases*
3254	* the byte mask will be 0 or 0xff; optimize these cases. row_width is
3255	* the number of pixels, but the code copies bytes, so it is necessary
3256	* to special case the end.
3257	*/
3258	png_uint_32 pixels_per_byte = `8` / pixel_depth;
3259	png_uint_32 mask;
3260
3261	# ifdef PNG_READ_PACKSWAP_SUPPORTED
3262	if ((png_ptr->transformations & PNG_PACKSWAP) != `0`)
3263	mask = MASK(pass, pixel_depth, display, `0`);
3264
3265	else
3266	# endif
3267	mask = MASK(pass, pixel_depth, display, `1`);
3268
3269	for (;;)
3270	{
3271	png_uint_32 m;
3272
3273	/ It doesn't matter in the following if png_uint_32 has more than*
3274	* 32 bits because the high bits always match those in m<<24; it is,
3275	* however, essential to use OR here, not +, because of this.
3276	*/
3277	m = mask;
3278	mask = (m >> `8`) \| (m << `24`); / rotate right to good compilers /
3279	m &= `0xff`;
3280
3281	if (m != `0`) / something to copy /
3282	{
3283	if (m != `0xff`)
3284	dp = (png_byte)((dp & ~m) \| (*sp & m));
3285	else
3286	dp = sp;
3287	}
3288
3289	/ NOTE: this may overwrite the last byte with garbage if the image*
3290	* is not an exact number of bytes wide; libpng has always done
3291	* this.
3292	*/
3293	if (row_width <= pixels_per_byte)
3294	break; / May need to restore part of the last byte /
3295
3296	row_width -= pixels_per_byte;
3297	++dp;
3298	++sp;
3299	}
3300	}
3301
3302	else / pixel_depth >= 8 /
3303	{
3304	unsigned int bytes_to_copy, bytes_to_jump;
3305
3306	/ Validate the depth - it must be a multiple of 8 /
3307	if (pixel_depth & `7`)
3308	png_error(png_ptr, "invalid user transform pixel depth");
3309
3310	pixel_depth >>= `3`; / now in bytes /
3311	row_width *= pixel_depth;
3312
3313	/ Regardless of pass number the Adam 7 interlace always results in a*
3314	* fixed number of pixels to copy then to skip. There may be a
3315	* different number of pixels to skip at the start though.
3316	*/
3317	{
3318	unsigned int offset = PNG_PASS_START_COL(pass) * pixel_depth;
3319
3320	row_width -= offset;
3321	dp += offset;
3322	sp += offset;
3323	}
3324
3325	/ Work out the bytes to copy. /
3326	if (display != `0`)
3327	{
3328	/ When doing the 'block' algorithm the pixel in the pass gets*
3329	* replicated to adjacent pixels. This is why the even (0,2,4,6)
3330	* passes are skipped above - the entire expanded row is copied.
3331	*/
3332	bytes_to_copy = (`1`<<((`6`-pass)>>`1`)) * pixel_depth;
3333
3334	/ But don't allow this number to exceed the actual row width. /
3335	if (bytes_to_copy > row_width)
3336	bytes_to_copy = (unsigned int)/SAFE/row_width;
3337	}
3338
3339	else / normal row; Adam7 only ever gives us one pixel to copy. /
3340	bytes_to_copy = pixel_depth;
3341
3342	/ In Adam7 there is a constant offset between where the pixels go. /
3343	bytes_to_jump = PNG_PASS_COL_OFFSET(pass) * pixel_depth;
3344
3345	/ And simply copy these bytes. Some optimization is possible here,*
3346	* depending on the value of 'bytes_to_copy'. Special case the low
3347	* byte counts, which we know to be frequent.
3348	*
3349	* Notice that these cases all 'return' rather than 'break' - this
3350	* avoids an unnecessary test on whether to restore the last byte
3351	* below.
3352	*/
3353	switch (bytes_to_copy)
3354	{
3355	case `1`:
3356	for (;;)
3357	{
3358	dp = sp;
3359
3360	if (row_width <= bytes_to_jump)
3361	return;
3362
3363	dp += bytes_to_jump;
3364	sp += bytes_to_jump;
3365	row_width -= bytes_to_jump;
3366	}
3367
3368	case `2`:
3369	/ There is a possibility of a partial copy at the end here; this*
3370	* slows the code down somewhat.
3371	*/
3372	do
3373	{
3374	dp[`0`] = sp[`0`], dp[`1`] = sp[`1`];
3375
3376	if (row_width <= bytes_to_jump)
3377	return;
3378
3379	sp += bytes_to_jump;
3380	dp += bytes_to_jump;
3381	row_width -= bytes_to_jump;
3382	}
3383	while (row_width > `1`);
3384
3385	/ And there can only be one byte left at this point: /
3386	dp = sp;
3387	return;
3388
3389	case `3`:
3390	/ This can only be the RGB case, so each copy is exactly one*
3391	* pixel and it is not necessary to check for a partial copy.
3392	*/
3393	for (;;)
3394	{
3395	dp[`0`] = sp[`0`], dp[`1`] = sp[`1`], dp[`2`] = sp[`2`];
3396
3397	if (row_width <= bytes_to_jump)
3398	return;
3399
3400	sp += bytes_to_jump;
3401	dp += bytes_to_jump;
3402	row_width -= bytes_to_jump;
3403	}
3404
3405	default:
3406	#if PNG_ALIGN_TYPE != PNG_ALIGN_NONE
3407	/ Check for double byte alignment and, if possible, use a*
3408	* 16-bit copy. Don't attempt this for narrow images - ones that
3409	* are less than an interlace panel wide. Don't attempt it for
3410	* wide bytes_to_copy either - use the memcpy there.
3411	*/
3412	if (bytes_to_copy < `16` /else use memcpy/ &&
3413	png_isaligned(dp, png_uint_16) &&
3414	png_isaligned(sp, png_uint_16) &&
3415	bytes_to_copy % (sizeof (png_uint_16)) == `0` &&
3416	bytes_to_jump % (sizeof (png_uint_16)) == `0`)
3417	{
3418	/ Everything is aligned for png_uint_16 copies, but try for*
3419	* png_uint_32 first.
3420	*/
3421	if (png_isaligned(dp, png_uint_32) != `0` &&
3422	png_isaligned(sp, png_uint_32) != `0` &&
3423	bytes_to_copy % (sizeof (png_uint_32)) == `0` &&
3424	bytes_to_jump % (sizeof (png_uint_32)) == `0`)
3425	{
3426	png_uint_32p dp32 = png_aligncast(png_uint_32p,dp);
3427	png_const_uint_32p sp32 = png_aligncastconst(
3428	png_const_uint_32p, sp);
3429	size_t skip = (bytes_to_jump-bytes_to_copy) /
3430	(sizeof (png_uint_32));
3431
3432	do
3433	{
3434	size_t c = bytes_to_copy;
3435	do
3436	{
3437	dp32++ = sp32++;
3438	c -= (sizeof (png_uint_32));
3439	}
3440	while (c > `0`);
3441
3442	if (row_width <= bytes_to_jump)
3443	return;
3444
3445	dp32 += skip;
3446	sp32 += skip;
3447	row_width -= bytes_to_jump;
3448	}
3449	while (bytes_to_copy <= row_width);
3450
3451	/ Get to here when the row_width truncates the final copy.*
3452	* There will be 1-3 bytes left to copy, so don't try the
3453	* 16-bit loop below.
3454	*/
3455	dp = (png_bytep)dp32;
3456	sp = (png_const_bytep)sp32;
3457	do
3458	dp++ = sp++;
3459	while (--row_width > `0`);
3460	return;
3461	}
3462
3463	/ Else do it in 16-bit quantities, but only if the size is*
3464	* not too large.
3465	*/
3466	else
3467	{
3468	png_uint_16p dp16 = png_aligncast(png_uint_16p, dp);
3469	png_const_uint_16p sp16 = png_aligncastconst(
3470	png_const_uint_16p, sp);
3471	size_t skip = (bytes_to_jump-bytes_to_copy) /
3472	(sizeof (png_uint_16));
3473
3474	do
3475	{
3476	size_t c = bytes_to_copy;
3477	do
3478	{
3479	dp16++ = sp16++;
3480	c -= (sizeof (png_uint_16));
3481	}
3482	while (c > `0`);
3483
3484	if (row_width <= bytes_to_jump)
3485	return;
3486
3487	dp16 += skip;
3488	sp16 += skip;
3489	row_width -= bytes_to_jump;
3490	}
3491	while (bytes_to_copy <= row_width);
3492
3493	/ End of row - 1 byte left, bytes_to_copy > row_width: /
3494	dp = (png_bytep)dp16;
3495	sp = (png_const_bytep)sp16;
3496	do
3497	dp++ = sp++;
3498	while (--row_width > `0`);
3499	return;
3500	}
3501	}
3502	#endif /* ALIGN_TYPE code */
3503
3504	/ The true default - use a memcpy: /
3505	for (;;)
3506	{
3507	memcpy(dp, sp, bytes_to_copy);
3508
3509	if (row_width <= bytes_to_jump)
3510	return;
3511
3512	sp += bytes_to_jump;
3513	dp += bytes_to_jump;
3514	row_width -= bytes_to_jump;
3515	if (bytes_to_copy > row_width)
3516	bytes_to_copy = (unsigned int)/SAFE/row_width;
3517	}
3518	}
3519
3520	/ NOT REACHED/
3521	} / pixel_depth >= 8 /
3522
3523	/ Here if pixel_depth < 8 to check 'end_ptr' below. /
3524	}
3525	else
3526	#endif /* READ_INTERLACING */
3527
3528	/ If here then the switch above wasn't used so just memcpy the whole row*
3529	* from the temporary row buffer (notice that this overwrites the end of the
3530	* destination row if it is a partial byte.)
3531	*/
3532	memcpy(dp, sp, PNG_ROWBYTES(pixel_depth, row_width));
3533
3534	/ Restore the overwritten bits from the last byte if necessary. /
3535	if (end_ptr != NULL)
3536	end_ptr = (png_byte)((end_byte & end_mask) \| (end_ptr & ~end_mask));
3537	}
3538
3539	#ifdef PNG_READ_INTERLACING_SUPPORTED
3540	void / PRIVATE /
3541	png_do_read_interlace(png_row_infop row_info, png_bytep row, int pass,
3542	png_uint_32 transformations / Because these may affect the byte layout /)
3543	{
3544	/ Arrays to facilitate easy interlacing - use pass (0 - 6) as index /
3545	/ Offset to next interlace block /
3546	static PNG_CONST int png_pass_inc[`7`] = {`8`, `8`, `4`, `4`, `2`, `2`, `1`};
3547
3548	png_debug(`1`, "in png_do_read_interlace");
3549	if (row != NULL && row_info != NULL)
3550	{
3551	png_uint_32 final_width;
3552
3553	final_width = row_info->width * png_pass_inc[pass];
3554
3555	switch (row_info->pixel_depth)
3556	{
3557	case `1`:
3558	{
3559	png_bytep sp = row + (png_size_t)((row_info->width - `1`) >> `3`);
3560	png_bytep dp = row + (png_size_t)((final_width - `1`) >> `3`);
3561	int sshift, dshift;
3562	int s_start, s_end, s_inc;
3563	int jstop = png_pass_inc[pass];
3564	png_byte v;
3565	png_uint_32 i;
3566	int j;
3567
3568	#ifdef PNG_READ_PACKSWAP_SUPPORTED
3569	if ((transformations & PNG_PACKSWAP) != `0`)
3570	{
3571	sshift = (int)((row_info->width + `7`) & `0x07`);
3572	dshift = (int)((final_width + `7`) & `0x07`);
3573	s_start = `7`;
3574	s_end = `0`;
3575	s_inc = -`1`;
3576	}
3577
3578	else
3579	#endif
3580	{
3581	sshift = `7` - (int)((row_info->width + `7`) & `0x07`);
3582	dshift = `7` - (int)((final_width + `7`) & `0x07`);
3583	s_start = `0`;
3584	s_end = `7`;
3585	s_inc = `1`;
3586	}
3587
3588	for (i = `0`; i < row_info->width; i++)
3589	{
3590	v = (png_byte)((*sp >> sshift) & `0x01`);
3591	for (j = `0`; j < jstop; j++)
3592	{
3593	unsigned int tmp = *dp & (`0x7f7f` >> (`7` - dshift));
3594	tmp \|= v << dshift;
3595	*dp = (png_byte)(tmp & `0xff`);
3596
3597	if (dshift == s_end)
3598	{
3599	dshift = s_start;
3600	dp--;
3601	}
3602
3603	else
3604	dshift += s_inc;
3605	}
3606
3607	if (sshift == s_end)
3608	{
3609	sshift = s_start;
3610	sp--;
3611	}
3612
3613	else
3614	sshift += s_inc;
3615	}
3616	break;
3617	}
3618
3619	case `2`:
3620	{
3621	png_bytep sp = row + (png_uint_32)((row_info->width - `1`) >> `2`);
3622	png_bytep dp = row + (png_uint_32)((final_width - `1`) >> `2`);
3623	int sshift, dshift;
3624	int s_start, s_end, s_inc;
3625	int jstop = png_pass_inc[pass];
3626	png_uint_32 i;
3627
3628	#ifdef PNG_READ_PACKSWAP_SUPPORTED
3629	if ((transformations & PNG_PACKSWAP) != `0`)
3630	{
3631	sshift = (int)(((row_info->width + `3`) & `0x03`) << `1`);
3632	dshift = (int)(((final_width + `3`) & `0x03`) << `1`);
3633	s_start = `6`;
3634	s_end = `0`;
3635	s_inc = -`2`;
3636	}
3637
3638	else
3639	#endif
3640	{
3641	sshift = (int)((`3` - ((row_info->width + `3`) & `0x03`)) << `1`);
3642	dshift = (int)((`3` - ((final_width + `3`) & `0x03`)) << `1`);
3643	s_start = `0`;
3644	s_end = `6`;
3645	s_inc = `2`;
3646	}
3647
3648	for (i = `0`; i < row_info->width; i++)
3649	{
3650	png_byte v;
3651	int j;
3652
3653	v = (png_byte)((*sp >> sshift) & `0x03`);
3654	for (j = `0`; j < jstop; j++)
3655	{
3656	unsigned int tmp = *dp & (`0x3f3f` >> (`6` - dshift));
3657	tmp \|= v << dshift;
3658	*dp = (png_byte)(tmp & `0xff`);
3659
3660	if (dshift == s_end)
3661	{
3662	dshift = s_start;
3663	dp--;
3664	}
3665
3666	else
3667	dshift += s_inc;
3668	}
3669
3670	if (sshift == s_end)
3671	{
3672	sshift = s_start;
3673	sp--;
3674	}
3675
3676	else
3677	sshift += s_inc;
3678	}
3679	break;
3680	}
3681
3682	case `4`:
3683	{
3684	png_bytep sp = row + (png_size_t)((row_info->width - `1`) >> `1`);
3685	png_bytep dp = row + (png_size_t)((final_width - `1`) >> `1`);
3686	int sshift, dshift;
3687	int s_start, s_end, s_inc;
3688	png_uint_32 i;
3689	int jstop = png_pass_inc[pass];
3690
3691	#ifdef PNG_READ_PACKSWAP_SUPPORTED
3692	if ((transformations & PNG_PACKSWAP) != `0`)
3693	{
3694	sshift = (int)(((row_info->width + `1`) & `0x01`) << `2`);
3695	dshift = (int)(((final_width + `1`) & `0x01`) << `2`);
3696	s_start = `4`;
3697	s_end = `0`;
3698	s_inc = -`4`;
3699	}
3700
3701	else
3702	#endif
3703	{
3704	sshift = (int)((`1` - ((row_info->width + `1`) & `0x01`)) << `2`);
3705	dshift = (int)((`1` - ((final_width + `1`) & `0x01`)) << `2`);
3706	s_start = `0`;
3707	s_end = `4`;
3708	s_inc = `4`;
3709	}
3710
3711	for (i = `0`; i < row_info->width; i++)
3712	{
3713	png_byte v = (png_byte)((*sp >> sshift) & `0x0f`);
3714	int j;
3715
3716	for (j = `0`; j < jstop; j++)
3717	{
3718	unsigned int tmp = *dp & (`0xf0f` >> (`4` - dshift));
3719	tmp \|= v << dshift;
3720	*dp = (png_byte)(tmp & `0xff`);
3721
3722	if (dshift == s_end)
3723	{
3724	dshift = s_start;
3725	dp--;
3726	}
3727
3728	else
3729	dshift += s_inc;
3730	}
3731
3732	if (sshift == s_end)
3733	{
3734	sshift = s_start;
3735	sp--;
3736	}
3737
3738	else
3739	sshift += s_inc;
3740	}
3741	break;
3742	}
3743
3744	default:
3745	{
3746	png_size_t pixel_bytes = (row_info->pixel_depth >> `3`);
3747
3748	png_bytep sp = row + (png_size_t)(row_info->width - `1`)
3749	* pixel_bytes;
3750
3751	png_bytep dp = row + (png_size_t)(final_width - `1`) * pixel_bytes;
3752
3753	int jstop = png_pass_inc[pass];
3754	png_uint_32 i;
3755
3756	for (i = `0`; i < row_info->width; i++)
3757	{
3758	png_byte v[`8`]; / SAFE; pixel_depth does not exceed 64 /
3759	int j;
3760
3761	memcpy(v, sp, pixel_bytes);
3762
3763	for (j = `0`; j < jstop; j++)
3764	{
3765	memcpy(dp, v, pixel_bytes);
3766	dp -= pixel_bytes;
3767	}
3768
3769	sp -= pixel_bytes;
3770	}
3771	break;
3772	}
3773	}
3774
3775	row_info->width = final_width;
3776	row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth, final_width);
3777	}
3778	#ifndef PNG_READ_PACKSWAP_SUPPORTED
3779	PNG_UNUSED(transformations) / Silence compiler warning /
3780	#endif
3781	}
3782	#endif /* READ_INTERLACING */
3783
3784	static void
3785	png_read_filter_row_sub(png_row_infop row_info, png_bytep row,
3786	png_const_bytep prev_row)
3787	{
3788	png_size_t i;
3789	png_size_t istop = row_info->rowbytes;
3790	unsigned int bpp = (row_info->pixel_depth + `7`) >> `3`;
3791	png_bytep rp = row + bpp;
3792
3793	PNG_UNUSED(prev_row)
3794
3795	for (i = bpp; i < istop; i++)
3796	{
3797	rp = (png_byte)(((int)(rp) + (int)(*(rp-bpp))) & `0xff`);
3798	rp++;
3799	}
3800	}
3801
3802	static void
3803	png_read_filter_row_up(png_row_infop row_info, png_bytep row,
3804	png_const_bytep prev_row)
3805	{
3806	png_size_t i;
3807	png_size_t istop = row_info->rowbytes;
3808	png_bytep rp = row;
3809	png_const_bytep pp = prev_row;
3810
3811	for (i = `0`; i < istop; i++)
3812	{
3813	rp = (png_byte)(((int)(rp) + (int)(*pp++)) & `0xff`);
3814	rp++;
3815	}
3816	}
3817
3818	static void
3819	png_read_filter_row_avg(png_row_infop row_info, png_bytep row,
3820	png_const_bytep prev_row)
3821	{
3822	png_size_t i;
3823	png_bytep rp = row;
3824	png_const_bytep pp = prev_row;
3825	unsigned int bpp = (row_info->pixel_depth + `7`) >> `3`;
3826	png_size_t istop = row_info->rowbytes - bpp;
3827
3828	for (i = `0`; i < bpp; i++)
3829	{
3830	rp = (png_byte)(((int)(rp) +
3831	((int)(*pp++) / `2` )) & `0xff`);
3832
3833	rp++;
3834	}
3835
3836	for (i = `0`; i < istop; i++)
3837	{
3838	rp = (png_byte)(((int)(rp) +
3839	(int)(pp++ + (rp-bpp)) / `2` ) & `0xff`);
3840
3841	rp++;
3842	}
3843	}
3844
3845	static void
3846	png_read_filter_row_paeth_1byte_pixel(png_row_infop row_info, png_bytep row,
3847	png_const_bytep prev_row)
3848	{
3849	png_bytep rp_end = row + row_info->rowbytes;
3850	int a, c;
3851
3852	/ First pixel/byte /
3853	c = *prev_row++;
3854	a = *row + c;
3855	*row++ = (png_byte)a;
3856
3857	/ Remainder /
3858	while (row < rp_end)
3859	{
3860	int b, pa, pb, pc, p;
3861
3862	a &= `0xff`; / From previous iteration or start /
3863	b = *prev_row++;
3864
3865	p = b - c;
3866	pc = a - c;
3867
3868	#ifdef PNG_USE_ABS
3869	pa = abs(p);
3870	pb = abs(pc);
3871	pc = abs(p + pc);
3872	#else
3873	pa = p < `0` ? -p : p;
3874	pb = pc < `0` ? -pc : pc;
3875	pc = (p + pc) < `0` ? -(p + pc) : p + pc;
3876	#endif
3877
3878	/ Find the best predictor, the least of pa, pb, pc favoring the earlier*
3879	* ones in the case of a tie.
3880	*/
3881	if (pb < pa) pa = pb, a = b;
3882	if (pc < pa) a = c;
3883
3884	/ Calculate the current pixel in a, and move the previous row pixel to c*
3885	* for the next time round the loop
3886	*/
3887	c = b;
3888	a += *row;
3889	*row++ = (png_byte)a;
3890	}
3891	}
3892
3893	static void
3894	png_read_filter_row_paeth_multibyte_pixel(png_row_infop row_info, png_bytep row,
3895	png_const_bytep prev_row)
3896	{
3897	int bpp = (row_info->pixel_depth + `7`) >> `3`;
3898	png_bytep rp_end = row + bpp;
3899
3900	/ Process the first pixel in the row completely (this is the same as 'up'*
3901	* because there is only one candidate predictor for the first row).
3902	*/
3903	while (row < rp_end)
3904	{
3905	int a = row + prev_row++;
3906	*row++ = (png_byte)a;
3907	}
3908
3909	/ Remainder /
3910	rp_end += row_info->rowbytes - bpp;
3911
3912	while (row < rp_end)
3913	{
3914	int a, b, c, pa, pb, pc, p;
3915
3916	c = *(prev_row - bpp);
3917	a = *(row - bpp);
3918	b = *prev_row++;
3919
3920	p = b - c;
3921	pc = a - c;
3922
3923	#ifdef PNG_USE_ABS
3924	pa = abs(p);
3925	pb = abs(pc);
3926	pc = abs(p + pc);
3927	#else
3928	pa = p < `0` ? -p : p;
3929	pb = pc < `0` ? -pc : pc;
3930	pc = (p + pc) < `0` ? -(p + pc) : p + pc;
3931	#endif
3932
3933	if (pb < pa) pa = pb, a = b;
3934	if (pc < pa) a = c;
3935
3936	a += *row;
3937	*row++ = (png_byte)a;
3938	}
3939	}
3940
3941	static void
3942	png_init_filter_functions(png_structrp pp)
3943	/ This function is called once for every PNG image (except for PNG images*
3944	* that only use PNG_FILTER_VALUE_NONE for all rows) to set the
3945	* implementations required to reverse the filtering of PNG rows. Reversing
3946	* the filter is the first transformation performed on the row data. It is
3947	* performed in place, therefore an implementation can be selected based on
3948	* the image pixel format. If the implementation depends on image width then
3949	* take care to ensure that it works correctly if the image is interlaced -
3950	* interlacing causes the actual row width to vary.
3951	*/
3952	{
3953	unsigned int bpp = (pp->pixel_depth + `7`) >> `3`;
3954
3955	pp->read_filter[PNG_FILTER_VALUE_SUB-`1`] = png_read_filter_row_sub;
3956	pp->read_filter[PNG_FILTER_VALUE_UP-`1`] = png_read_filter_row_up;
3957	pp->read_filter[PNG_FILTER_VALUE_AVG-`1`] = png_read_filter_row_avg;
3958	if (bpp == `1`)
3959	pp->read_filter[PNG_FILTER_VALUE_PAETH-`1`] =
3960	png_read_filter_row_paeth_1byte_pixel;
3961	else
3962	pp->read_filter[PNG_FILTER_VALUE_PAETH-`1`] =
3963	png_read_filter_row_paeth_multibyte_pixel;
3964
3965	#ifdef PNG_FILTER_OPTIMIZATIONS
3966	/ To use this define PNG_FILTER_OPTIMIZATIONS as the name of a function to*
3967	* call to install hardware optimizations for the above functions; simply
3968	* replace whatever elements of the pp->read_filter[] array with a hardware
3969	* specific (or, for that matter, generic) optimization.
3970	*
3971	* To see an example of this examine what configure.ac does when
3972	* --enable-arm-neon is specified on the command line.
3973	*/
3974	PNG_FILTER_OPTIMIZATIONS(pp, bpp);
3975	#endif
3976	}
3977
3978	void / PRIVATE /
3979	png_read_filter_row(png_structrp pp, png_row_infop row_info, png_bytep row,
3980	png_const_bytep prev_row, int filter)
3981	{
3982	/ OPTIMIZATION: DO NOT MODIFY THIS FUNCTION, instead #define*
3983	* PNG_FILTER_OPTIMIZATIONS to a function that overrides the generic
3984	* implementations. See png_init_filter_functions above.
3985	*/
3986	if (filter > PNG_FILTER_VALUE_NONE && filter < PNG_FILTER_VALUE_LAST)
3987	{
3988	if (pp->read_filter[`0`] == NULL)
3989	png_init_filter_functions(pp);
3990
3991	pp->read_filter[filter-`1`](row_info, row, prev_row);
3992	}
3993	}
3994
3995	#ifdef PNG_SEQUENTIAL_READ_SUPPORTED
3996	void / PRIVATE /
3997	png_read_IDAT_data(png_structrp png_ptr, png_bytep output,
3998	png_alloc_size_t avail_out)
3999	{
4000	/ Loop reading IDATs and decompressing the result into output[avail_out] /
4001	png_ptr->zstream.next_out = output;
4002	png_ptr->zstream.avail_out = `0`; / safety: set below /
4003
4004	if (output == NULL)
4005	avail_out = `0`;
4006
4007	do
4008	{
4009	int ret;
4010	png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];
4011
4012	if (png_ptr->zstream.avail_in == `0`)
4013	{
4014	uInt avail_in;
4015	png_bytep buffer;
4016
4017	while (png_ptr->idat_size == `0`)
4018	{
4019	png_crc_finish(png_ptr, `0`);
4020
4021	png_ptr->idat_size = png_read_chunk_header(png_ptr);
4022	/ This is an error even in the 'check' case because the code just*
4023	* consumed a non-IDAT header.
4024	*/
4025	if (png_ptr->chunk_name != png_IDAT)
4026	png_error(png_ptr, "Not enough image data");
4027	}
4028
4029	avail_in = png_ptr->IDAT_read_size;
4030
4031	if (avail_in > png_ptr->idat_size)
4032	avail_in = (uInt)png_ptr->idat_size;
4033
4034	/ A PNG with a gradually increasing IDAT size will defeat this attempt*
4035	* to minimize memory usage by causing lots of re-allocs, but
4036	* realistically doing IDAT_read_size re-allocs is not likely to be a
4037	* big problem.
4038	*/
4039	buffer = png_read_buffer(png_ptr, avail_in, `0`/error/);
4040
4041	png_crc_read(png_ptr, buffer, avail_in);
4042	png_ptr->idat_size -= avail_in;
4043
4044	png_ptr->zstream.next_in = buffer;
4045	png_ptr->zstream.avail_in = avail_in;
4046	}
4047
4048	/ And set up the output side. /
4049	if (output != NULL) / standard read /
4050	{
4051	uInt out = ZLIB_IO_MAX;
4052
4053	if (out > avail_out)
4054	out = (uInt)avail_out;
4055
4056	avail_out -= out;
4057	png_ptr->zstream.avail_out = out;
4058	}
4059
4060	else / after last row, checking for end /
4061	{
4062	png_ptr->zstream.next_out = tmpbuf;
4063	png_ptr->zstream.avail_out = (sizeof tmpbuf);
4064	}
4065
4066	/ Use NO_FLUSH; this gives zlib the maximum opportunity to optimize the*
4067	* process. If the LZ stream is truncated the sequential reader will
4068	* terminally damage the stream, above, by reading the chunk header of the
4069	* following chunk (it then exits with png_error).
4070	*
4071	* TODO: deal more elegantly with truncated IDAT lists.
4072	*/
4073	ret = PNG_INFLATE(png_ptr, Z_NO_FLUSH);
4074
4075	/ Take the unconsumed output back. /
4076	if (output != NULL)
4077	avail_out += png_ptr->zstream.avail_out;
4078
4079	else / avail_out counts the extra bytes /
4080	avail_out += (sizeof tmpbuf) - png_ptr->zstream.avail_out;
4081
4082	png_ptr->zstream.avail_out = `0`;
4083
4084	if (ret == Z_STREAM_END)
4085	{
4086	/ Do this for safety; we won't read any more into this row. /
4087	png_ptr->zstream.next_out = NULL;
4088
4089	png_ptr->mode \|= PNG_AFTER_IDAT;
4090	png_ptr->flags \|= PNG_FLAG_ZSTREAM_ENDED;
4091
4092	if (png_ptr->zstream.avail_in > `0` \|\| png_ptr->idat_size > `0`)
4093	png_chunk_benign_error(png_ptr, "Extra compressed data");
4094	break;
4095	}
4096
4097	if (ret != Z_OK)
4098	{
4099	png_zstream_error(png_ptr, ret);
4100
4101	if (output != NULL)
4102	png_chunk_error(png_ptr, png_ptr->zstream.msg);
4103
4104	else / checking /
4105	{
4106	png_chunk_benign_error(png_ptr, png_ptr->zstream.msg);
4107	return;
4108	}
4109	}
4110	} while (avail_out > `0`);
4111
4112	if (avail_out > `0`)
4113	{
4114	/ The stream ended before the image; this is the same as too few IDATs so*
4115	* should be handled the same way.
4116	*/
4117	if (output != NULL)
4118	png_error(png_ptr, "Not enough image data");
4119
4120	else / the deflate stream contained extra data /
4121	png_chunk_benign_error(png_ptr, "Too much image data");
4122	}
4123	}
4124
4125	void / PRIVATE /
4126	png_read_finish_IDAT(png_structrp png_ptr)
4127	{
4128	/ We don't need any more data and the stream should have ended, however the*
4129	* LZ end code may actually not have been processed. In this case we must
4130	* read it otherwise stray unread IDAT data or, more likely, an IDAT chunk
4131	* may still remain to be consumed.
4132	*/
4133	if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == `0`)
4134	{
4135	/ The NULL causes png_read_IDAT_data to swallow any remaining bytes in*
4136	* the compressed stream, but the stream may be damaged too, so even after
4137	* this call we may need to terminate the zstream ownership.
4138	*/
4139	png_read_IDAT_data(png_ptr, NULL, `0`);
4140	png_ptr->zstream.next_out = NULL; / safety /
4141
4142	/ Now clear everything out for safety; the following may not have been*
4143	* done.
4144	*/
4145	if ((png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == `0`)
4146	{
4147	png_ptr->mode \|= PNG_AFTER_IDAT;
4148	png_ptr->flags \|= PNG_FLAG_ZSTREAM_ENDED;
4149	}
4150	}
4151
4152	/ If the zstream has not been released do it now and terminate the reading*
4153	* of the final IDAT chunk.
4154	*/
4155	if (png_ptr->zowner == png_IDAT)
4156	{
4157	/ Always do this; the pointers otherwise point into the read buffer. /
4158	png_ptr->zstream.next_in = NULL;
4159	png_ptr->zstream.avail_in = `0`;
4160
4161	/ Now we no longer own the zstream. /
4162	png_ptr->zowner = `0`;
4163
4164	/ The slightly weird semantics of the sequential IDAT reading is that we*
4165	* are always in or at the end of an IDAT chunk, so we always need to do a
4166	* crc_finish here. If idat_size is non-zero we also need to read the
4167	* spurious bytes at the end of the chunk now.
4168	*/
4169	(void)png_crc_finish(png_ptr, png_ptr->idat_size);
4170	}
4171	}
4172
4173	void / PRIVATE /
4174	png_read_finish_row(png_structrp png_ptr)
4175	{
4176	/ Arrays to facilitate easy interlacing - use pass (0 - 6) as index /
4177
4178	/ Start of interlace block /
4179	static PNG_CONST png_byte png_pass_start[`7`] = {`0`, `4`, `0`, `2`, `0`, `1`, `0`};
4180
4181	/ Offset to next interlace block /
4182	static PNG_CONST png_byte png_pass_inc[`7`] = {`8`, `8`, `4`, `4`, `2`, `2`, `1`};
4183
4184	/ Start of interlace block in the y direction /
4185	static PNG_CONST png_byte png_pass_ystart[`7`] = {`0`, `0`, `4`, `0`, `2`, `0`, `1`};
4186
4187	/ Offset to next interlace block in the y direction /
4188	static PNG_CONST png_byte png_pass_yinc[`7`] = {`8`, `8`, `8`, `4`, `4`, `2`, `2`};
4189
4190	png_debug(`1`, "in png_read_finish_row");
4191	png_ptr->row_number++;
4192	if (png_ptr->row_number < png_ptr->num_rows)
4193	return;
4194
4195	if (png_ptr->interlaced != `0`)
4196	{
4197	png_ptr->row_number = `0`;
4198
4199	/ TO DO: don't do this if prev_row isn't needed (requires*
4200	* read-ahead of the next row's filter byte.
4201	*/
4202	memset(png_ptr->prev_row, `0`, png_ptr->rowbytes + `1`);
4203
4204	do
4205	{
4206	png_ptr->pass++;
4207
4208	if (png_ptr->pass >= `7`)
4209	break;
4210
4211	png_ptr->iwidth = (png_ptr->width +
4212	png_pass_inc[png_ptr->pass] - `1` -
4213	png_pass_start[png_ptr->pass]) /
4214	png_pass_inc[png_ptr->pass];
4215
4216	if ((png_ptr->transformations & PNG_INTERLACE) == `0`)
4217	{
4218	png_ptr->num_rows = (png_ptr->height +
4219	png_pass_yinc[png_ptr->pass] - `1` -
4220	png_pass_ystart[png_ptr->pass]) /
4221	png_pass_yinc[png_ptr->pass];
4222	}
4223
4224	else / if (png_ptr->transformations & PNG_INTERLACE) /
4225	break; / libpng deinterlacing sees every row /
4226
4227	} while (png_ptr->num_rows == `0` \|\| png_ptr->iwidth == `0`);
4228
4229	if (png_ptr->pass < `7`)
4230	return;
4231	}
4232
4233	/ Here after at the end of the last row of the last pass. /
4234	png_read_finish_IDAT(png_ptr);
4235	}
4236	#endif /* SEQUENTIAL_READ */
4237
4238	void / PRIVATE /
4239	png_read_start_row(png_structrp png_ptr)
4240	{
4241	/ Arrays to facilitate easy interlacing - use pass (0 - 6) as index /
4242
4243	/ Start of interlace block /
4244	static PNG_CONST png_byte png_pass_start[`7`] = {`0`, `4`, `0`, `2`, `0`, `1`, `0`};
4245
4246	/ Offset to next interlace block /
4247	static PNG_CONST png_byte png_pass_inc[`7`] = {`8`, `8`, `4`, `4`, `2`, `2`, `1`};
4248
4249	/ Start of interlace block in the y direction /
4250	static PNG_CONST png_byte png_pass_ystart[`7`] = {`0`, `0`, `4`, `0`, `2`, `0`, `1`};
4251
4252	/ Offset to next interlace block in the y direction /
4253	static PNG_CONST png_byte png_pass_yinc[`7`] = {`8`, `8`, `8`, `4`, `4`, `2`, `2`};
4254
4255	int max_pixel_depth;
4256	png_size_t row_bytes;
4257
4258	png_debug(`1`, "in png_read_start_row");
4259
4260	#ifdef PNG_READ_TRANSFORMS_SUPPORTED
4261	png_init_read_transformations(png_ptr);
4262	#endif
4263	if (png_ptr->interlaced != `0`)
4264	{
4265	if ((png_ptr->transformations & PNG_INTERLACE) == `0`)
4266	png_ptr->num_rows = (png_ptr->height + png_pass_yinc[`0`] - `1` -
4267	png_pass_ystart[`0`]) / png_pass_yinc[`0`];
4268
4269	else
4270	png_ptr->num_rows = png_ptr->height;
4271
4272	png_ptr->iwidth = (png_ptr->width +
4273	png_pass_inc[png_ptr->pass] - `1` -
4274	png_pass_start[png_ptr->pass]) /
4275	png_pass_inc[png_ptr->pass];
4276	}
4277
4278	else
4279	{
4280	png_ptr->num_rows = png_ptr->height;
4281	png_ptr->iwidth = png_ptr->width;
4282	}
4283
4284	max_pixel_depth = png_ptr->pixel_depth;
4285
4286	/ WARNING: * png_read_transform_info (pngrtran.c) performs a simpler set of*
4287	* calculations to calculate the final pixel depth, then
4288	* png_do_read_transforms actually does the transforms. This means that the
4289	* code which effectively calculates this value is actually repeated in three
4290	* separate places. They must all match. Innocent changes to the order of
4291	* transformations can and will break libpng in a way that causes memory
4292	* overwrites.
4293	*
4294	* TODO: fix this.
4295	*/
4296	#ifdef PNG_READ_PACK_SUPPORTED
4297	if ((png_ptr->transformations & PNG_PACK) != `0` && png_ptr->bit_depth < `8`)
4298	max_pixel_depth = `8`;
4299	#endif
4300
4301	#ifdef PNG_READ_EXPAND_SUPPORTED
4302	if ((png_ptr->transformations & PNG_EXPAND) != `0`)
4303	{
4304	if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4305	{
4306	if (png_ptr->num_trans != `0`)
4307	max_pixel_depth = `32`;
4308
4309	else
4310	max_pixel_depth = `24`;
4311	}
4312
4313	else if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4314	{
4315	if (max_pixel_depth < `8`)
4316	max_pixel_depth = `8`;
4317
4318	if (png_ptr->num_trans != `0`)
4319	max_pixel_depth *= `2`;
4320	}
4321
4322	else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB)
4323	{
4324	if (png_ptr->num_trans != `0`)
4325	{
4326	max_pixel_depth *= `4`;
4327	max_pixel_depth /= `3`;
4328	}
4329	}
4330	}
4331	#endif
4332
4333	#ifdef PNG_READ_EXPAND_16_SUPPORTED
4334	if ((png_ptr->transformations & PNG_EXPAND_16) != `0`)
4335	{
4336	# ifdef PNG_READ_EXPAND_SUPPORTED
4337	/ In fact it is an error if it isn't supported, but checking is*
4338	* the safe way.
4339	*/
4340	if ((png_ptr->transformations & PNG_EXPAND) != `0`)
4341	{
4342	if (png_ptr->bit_depth < `16`)
4343	max_pixel_depth *= `2`;
4344	}
4345	else
4346	# endif
4347	png_ptr->transformations &= ~PNG_EXPAND_16;
4348	}
4349	#endif
4350
4351	#ifdef PNG_READ_FILLER_SUPPORTED
4352	if ((png_ptr->transformations & (PNG_FILLER)) != `0`)
4353	{
4354	if (png_ptr->color_type == PNG_COLOR_TYPE_GRAY)
4355	{
4356	if (max_pixel_depth <= `8`)
4357	max_pixel_depth = `16`;
4358
4359	else
4360	max_pixel_depth = `32`;
4361	}
4362
4363	else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB \|\|
4364	png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
4365	{
4366	if (max_pixel_depth <= `32`)
4367	max_pixel_depth = `32`;
4368
4369	else
4370	max_pixel_depth = `64`;
4371	}
4372	}
4373	#endif
4374
4375	#ifdef PNG_READ_GRAY_TO_RGB_SUPPORTED
4376	if ((png_ptr->transformations & PNG_GRAY_TO_RGB) != `0`)
4377	{
4378	if (
4379	#ifdef PNG_READ_EXPAND_SUPPORTED
4380	(png_ptr->num_trans != `0` &&
4381	(png_ptr->transformations & PNG_EXPAND) != `0`) \|\|
4382	#endif
4383	#ifdef PNG_READ_FILLER_SUPPORTED
4384	(png_ptr->transformations & (PNG_FILLER)) != `0` \|\|
4385	#endif
4386	png_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
4387	{
4388	if (max_pixel_depth <= `16`)
4389	max_pixel_depth = `32`;
4390
4391	else
4392	max_pixel_depth = `64`;
4393	}
4394
4395	else
4396	{
4397	if (max_pixel_depth <= `8`)
4398	{
4399	if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4400	max_pixel_depth = `32`;
4401
4402	else
4403	max_pixel_depth = `24`;
4404	}
4405
4406	else if (png_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA)
4407	max_pixel_depth = `64`;
4408
4409	else
4410	max_pixel_depth = `48`;
4411	}
4412	}
4413	#endif
4414
4415	#if defined(PNG_READ_USER_TRANSFORM_SUPPORTED) && \
4416	defined(PNG_USER_TRANSFORM_PTR_SUPPORTED)
4417	if ((png_ptr->transformations & PNG_USER_TRANSFORM) != `0`)
4418	{
4419	int user_pixel_depth = png_ptr->user_transform_depth *
4420	png_ptr->user_transform_channels;
4421
4422	if (user_pixel_depth > max_pixel_depth)
4423	max_pixel_depth = user_pixel_depth;
4424	}
4425	#endif
4426
4427	/ This value is stored in png_struct and double checked in the row read*
4428	* code.
4429	*/
4430	png_ptr->maximum_pixel_depth = (png_byte)max_pixel_depth;
4431	png_ptr->transformed_pixel_depth = `0`; / calculated on demand /
4432
4433	/ Align the width on the next larger 8 pixels. Mainly used*
4434	* for interlacing
4435	*/
4436	row_bytes = ((png_ptr->width + `7`) & ~((png_uint_32)`7`));
4437	/ Calculate the maximum bytes needed, adding a byte and a pixel*
4438	* for safety's sake
4439	*/
4440	row_bytes = PNG_ROWBYTES(max_pixel_depth, row_bytes) +
4441	`1` + ((max_pixel_depth + `7`) >> `3`);
4442
4443	#ifdef PNG_MAX_MALLOC_64K
4444	if (row_bytes > (png_uint_32)`65536L`)
4445	png_error(png_ptr, "This image requires a row greater than 64KB");
4446	#endif
4447
4448	if (row_bytes + `48` > png_ptr->old_big_row_buf_size)
4449	{
4450	png_free(png_ptr, png_ptr->big_row_buf);
4451	png_free(png_ptr, png_ptr->big_prev_row);
4452
4453	if (png_ptr->interlaced != `0`)
4454	png_ptr->big_row_buf = (png_bytep)png_calloc(png_ptr,
4455	row_bytes + `48`);
4456
4457	else
4458	png_ptr->big_row_buf = (png_bytep)png_malloc(png_ptr, row_bytes + `48`);
4459
4460	png_ptr->big_prev_row = (png_bytep)png_malloc(png_ptr, row_bytes + `48`);
4461
4462	#ifdef PNG_ALIGNED_MEMORY_SUPPORTED
4463	/ Use 16-byte aligned memory for row_buf with at least 16 bytes*
4464	* of padding before and after row_buf; treat prev_row similarly.
4465	* NOTE: the alignment is to the start of the pixels, one beyond the start
4466	* of the buffer, because of the filter byte. Prior to libpng 1.5.6 this
4467	* was incorrect; the filter byte was aligned, which had the exact
4468	* opposite effect of that intended.
4469	*/
4470	{
4471	png_bytep temp = png_ptr->big_row_buf + `32`;
4472	int extra = (int)((temp - (png_bytep)`0`) & `0x0f`);
4473	png_ptr->row_buf = temp - extra - `1`/filter byte/;
4474
4475	temp = png_ptr->big_prev_row + `32`;
4476	extra = (int)((temp - (png_bytep)`0`) & `0x0f`);
4477	png_ptr->prev_row = temp - extra - `1`/filter byte/;
4478	}
4479
4480	#else
4481	/ Use 31 bytes of padding before and 17 bytes after row_buf. /
4482	png_ptr->row_buf = png_ptr->big_row_buf + `31`;
4483	png_ptr->prev_row = png_ptr->big_prev_row + `31`;
4484	#endif
4485	png_ptr->old_big_row_buf_size = row_bytes + `48`;
4486	}
4487
4488	#ifdef PNG_MAX_MALLOC_64K
4489	if (png_ptr->rowbytes > `65535`)
4490	png_error(png_ptr, "This image requires a row greater than 64KB");
4491
4492	#endif
4493	if (png_ptr->rowbytes > (PNG_SIZE_MAX - `1`))
4494	png_error(png_ptr, "Row has too many bytes to allocate in memory");
4495
4496	memset(png_ptr->prev_row, `0`, png_ptr->rowbytes + `1`);
4497
4498	png_debug1(`3`, "width = %u,", png_ptr->width);
4499	png_debug1(`3`, "height = %u,", png_ptr->height);
4500	png_debug1(`3`, "iwidth = %u,", png_ptr->iwidth);
4501	png_debug1(`3`, "num_rows = %u,", png_ptr->num_rows);
4502	png_debug1(`3`, "rowbytes = %lu,", (unsigned long)png_ptr->rowbytes);
4503	png_debug1(`3`, "irowbytes = %lu",
4504	(unsigned long)PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + `1`);
4505
4506	/ The sequential reader needs a buffer for IDAT, but the progressive reader*
4507	* does not, so free the read buffer now regardless; the sequential reader
4508	* reallocates it on demand.
4509	*/
4510	if (png_ptr->read_buffer != `0`)
4511	{
4512	png_bytep buffer = png_ptr->read_buffer;
4513
4514	png_ptr->read_buffer_size = `0`;
4515	png_ptr->read_buffer = NULL;
4516	png_free(png_ptr, buffer);
4517	}
4518
4519	/ Finally claim the zstream for the inflate of the IDAT data, use the bits*
4520	* value from the stream (note that this will result in a fatal error if the
4521	* IDAT stream has a bogus deflate header window_bits value, but this should
4522	* not be happening any longer!)
4523	*/
4524	if (png_inflate_claim(png_ptr, png_IDAT) != Z_OK)
4525	png_error(png_ptr, png_ptr->zstream.msg);
4526
4527	png_ptr->flags \|= PNG_FLAG_ROW_INIT;
4528	}
4529	#endif /* READ */
4530

Browse the source code of engine/third_party/libpng/pngrutil.c