• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 
2 /* pngwutil.c - utilities to write a PNG file
3  *
4  * Copyright (c) 2018 Cosmin Truta
5  * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
6  * Copyright (c) 1996-1997 Andreas Dilger
7  * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8  *
9  * This code is released under the libpng license.
10  * For conditions of distribution and use, see the disclaimer
11  * and license in png.h
12  */
13 
14 #include "pngpriv.h"
15 
16 #ifdef PNG_WRITE_SUPPORTED
17 
18 #ifdef PNG_WRITE_INT_FUNCTIONS_SUPPORTED
19 /* Place a 32-bit number into a buffer in PNG byte order.  We work
20  * with unsigned numbers for convenience, although one supported
21  * ancillary chunk uses signed (two's complement) numbers.
22  */
23 void PNGAPI
png_save_uint_32(png_bytep buf,png_uint_32 i)24 png_save_uint_32(png_bytep buf, png_uint_32 i)
25 {
26    buf[0] = (png_byte)((i >> 24) & 0xffU);
27    buf[1] = (png_byte)((i >> 16) & 0xffU);
28    buf[2] = (png_byte)((i >>  8) & 0xffU);
29    buf[3] = (png_byte)( i        & 0xffU);
30 }
31 
32 /* Place a 16-bit number into a buffer in PNG byte order.
33  * The parameter is declared unsigned int, not png_uint_16,
34  * just to avoid potential problems on pre-ANSI C compilers.
35  */
36 void PNGAPI
png_save_uint_16(png_bytep buf,unsigned int i)37 png_save_uint_16(png_bytep buf, unsigned int i)
38 {
39    buf[0] = (png_byte)((i >> 8) & 0xffU);
40    buf[1] = (png_byte)( i       & 0xffU);
41 }
42 #endif
43 
44 /* Simple function to write the signature.  If we have already written
45  * the magic bytes of the signature, or more likely, the PNG stream is
46  * being embedded into another stream and doesn't need its own signature,
47  * we should call png_set_sig_bytes() to tell libpng how many of the
48  * bytes have already been written.
49  */
50 void PNGAPI
png_write_sig(png_structrp png_ptr)51 png_write_sig(png_structrp png_ptr)
52 {
53    png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
54 
55 #ifdef PNG_IO_STATE_SUPPORTED
56    /* Inform the I/O callback that the signature is being written */
57    png_ptr->io_state = PNG_IO_WRITING | PNG_IO_SIGNATURE;
58 #endif
59 
60    /* Write the rest of the 8 byte signature */
61    png_write_data(png_ptr, &png_signature[png_ptr->sig_bytes],
62        (size_t)(8 - png_ptr->sig_bytes));
63 
64    if (png_ptr->sig_bytes < 3)
65       png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
66 }
67 
68 /* Write the start of a PNG chunk.  The type is the chunk type.
69  * The total_length is the sum of the lengths of all the data you will be
70  * passing in png_write_chunk_data().
71  */
72 static void
png_write_chunk_header(png_structrp png_ptr,png_uint_32 chunk_name,png_uint_32 length)73 png_write_chunk_header(png_structrp png_ptr, png_uint_32 chunk_name,
74     png_uint_32 length)
75 {
76    png_byte buf[8];
77 
78 #if defined(PNG_DEBUG) && (PNG_DEBUG > 0)
79    PNG_CSTRING_FROM_CHUNK(buf, chunk_name);
80    png_debug2(0, "Writing %s chunk, length = %lu", buf, (unsigned long)length);
81 #endif
82 
83    if (png_ptr == NULL)
84       return;
85 
86 #ifdef PNG_IO_STATE_SUPPORTED
87    /* Inform the I/O callback that the chunk header is being written.
88     * PNG_IO_CHUNK_HDR requires a single I/O call.
89     */
90    png_ptr->io_state = PNG_IO_WRITING | PNG_IO_CHUNK_HDR;
91 #endif
92 
93    /* Write the length and the chunk name */
94    png_save_uint_32(buf, length);
95    png_save_uint_32(buf + 4, chunk_name);
96    png_write_data(png_ptr, buf, 8);
97 
98    /* Put the chunk name into png_ptr->chunk_name */
99    png_ptr->chunk_name = chunk_name;
100 
101    /* Reset the crc and run it over the chunk name */
102    png_reset_crc(png_ptr);
103 
104    png_calculate_crc(png_ptr, buf + 4, 4);
105 
106 #ifdef PNG_IO_STATE_SUPPORTED
107    /* Inform the I/O callback that chunk data will (possibly) be written.
108     * PNG_IO_CHUNK_DATA does NOT require a specific number of I/O calls.
109     */
110    png_ptr->io_state = PNG_IO_WRITING | PNG_IO_CHUNK_DATA;
111 #endif
112 }
113 
114 void PNGAPI
png_write_chunk_start(png_structrp png_ptr,png_const_bytep chunk_string,png_uint_32 length)115 png_write_chunk_start(png_structrp png_ptr, png_const_bytep chunk_string,
116     png_uint_32 length)
117 {
118    png_write_chunk_header(png_ptr, PNG_CHUNK_FROM_STRING(chunk_string), length);
119 }
120 
121 /* Write the data of a PNG chunk started with png_write_chunk_header().
122  * Note that multiple calls to this function are allowed, and that the
123  * sum of the lengths from these calls *must* add up to the total_length
124  * given to png_write_chunk_header().
125  */
126 void PNGAPI
png_write_chunk_data(png_structrp png_ptr,png_const_bytep data,size_t length)127 png_write_chunk_data(png_structrp png_ptr, png_const_bytep data, size_t length)
128 {
129    /* Write the data, and run the CRC over it */
130    if (png_ptr == NULL)
131       return;
132 
133    if (data != NULL && length > 0)
134    {
135       png_write_data(png_ptr, data, length);
136 
137       /* Update the CRC after writing the data,
138        * in case the user I/O routine alters it.
139        */
140       png_calculate_crc(png_ptr, data, length);
141    }
142 }
143 
144 /* Finish a chunk started with png_write_chunk_header(). */
145 void PNGAPI
png_write_chunk_end(png_structrp png_ptr)146 png_write_chunk_end(png_structrp png_ptr)
147 {
148    png_byte buf[4];
149 
150    if (png_ptr == NULL) return;
151 
152 #ifdef PNG_IO_STATE_SUPPORTED
153    /* Inform the I/O callback that the chunk CRC is being written.
154     * PNG_IO_CHUNK_CRC requires a single I/O function call.
155     */
156    png_ptr->io_state = PNG_IO_WRITING | PNG_IO_CHUNK_CRC;
157 #endif
158 
159    /* Write the crc in a single operation */
160    png_save_uint_32(buf, png_ptr->crc);
161 
162    png_write_data(png_ptr, buf, 4);
163 }
164 
165 /* Write a PNG chunk all at once.  The type is an array of ASCII characters
166  * representing the chunk name.  The array must be at least 4 bytes in
167  * length, and does not need to be null terminated.  To be safe, pass the
168  * pre-defined chunk names here, and if you need a new one, define it
169  * where the others are defined.  The length is the length of the data.
170  * All the data must be present.  If that is not possible, use the
171  * png_write_chunk_start(), png_write_chunk_data(), and png_write_chunk_end()
172  * functions instead.
173  */
174 static void
png_write_complete_chunk(png_structrp png_ptr,png_uint_32 chunk_name,png_const_bytep data,size_t length)175 png_write_complete_chunk(png_structrp png_ptr, png_uint_32 chunk_name,
176     png_const_bytep data, size_t length)
177 {
178    if (png_ptr == NULL)
179       return;
180 
181    /* On 64-bit architectures 'length' may not fit in a png_uint_32. */
182    if (length > PNG_UINT_31_MAX)
183       png_error(png_ptr, "length exceeds PNG maximum");
184 
185    png_write_chunk_header(png_ptr, chunk_name, (png_uint_32)length);
186    png_write_chunk_data(png_ptr, data, length);
187    png_write_chunk_end(png_ptr);
188 }
189 
190 /* This is the API that calls the internal function above. */
191 void PNGAPI
png_write_chunk(png_structrp png_ptr,png_const_bytep chunk_string,png_const_bytep data,size_t length)192 png_write_chunk(png_structrp png_ptr, png_const_bytep chunk_string,
193     png_const_bytep data, size_t length)
194 {
195    png_write_complete_chunk(png_ptr, PNG_CHUNK_FROM_STRING(chunk_string), data,
196        length);
197 }
198 
199 /* This is used below to find the size of an image to pass to png_deflate_claim,
200  * so it only needs to be accurate if the size is less than 16384 bytes (the
201  * point at which a lower LZ window size can be used.)
202  */
203 static png_alloc_size_t
png_image_size(png_structrp png_ptr)204 png_image_size(png_structrp png_ptr)
205 {
206    /* Only return sizes up to the maximum of a png_uint_32; do this by limiting
207     * the width and height used to 15 bits.
208     */
209    png_uint_32 h = png_ptr->height;
210 
211    if (png_ptr->rowbytes < 32768 && h < 32768)
212    {
213       if (png_ptr->interlaced != 0)
214       {
215          /* Interlacing makes the image larger because of the replication of
216           * both the filter byte and the padding to a byte boundary.
217           */
218          png_uint_32 w = png_ptr->width;
219          unsigned int pd = png_ptr->pixel_depth;
220          png_alloc_size_t cb_base;
221          int pass;
222 
223          for (cb_base=0, pass=0; pass<=6; ++pass)
224          {
225             png_uint_32 pw = PNG_PASS_COLS(w, pass);
226 
227             if (pw > 0)
228                cb_base += (PNG_ROWBYTES(pd, pw)+1) * PNG_PASS_ROWS(h, pass);
229          }
230 
231          return cb_base;
232       }
233 
234       else
235          return (png_ptr->rowbytes+1) * h;
236    }
237 
238    else
239       return 0xffffffffU;
240 }
241 
242 #ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED
243    /* This is the code to hack the first two bytes of the deflate stream (the
244     * deflate header) to correct the windowBits value to match the actual data
245     * size.  Note that the second argument is the *uncompressed* size but the
246     * first argument is the *compressed* data (and it must be deflate
247     * compressed.)
248     */
249 static void
optimize_cmf(png_bytep data,png_alloc_size_t data_size)250 optimize_cmf(png_bytep data, png_alloc_size_t data_size)
251 {
252    /* Optimize the CMF field in the zlib stream.  The resultant zlib stream is
253     * still compliant to the stream specification.
254     */
255    if (data_size <= 16384) /* else windowBits must be 15 */
256    {
257       unsigned int z_cmf = data[0];  /* zlib compression method and flags */
258 
259       if ((z_cmf & 0x0f) == 8 && (z_cmf & 0xf0) <= 0x70)
260       {
261          unsigned int z_cinfo;
262          unsigned int half_z_window_size;
263 
264          z_cinfo = z_cmf >> 4;
265          half_z_window_size = 1U << (z_cinfo + 7);
266 
267          if (data_size <= half_z_window_size) /* else no change */
268          {
269             unsigned int tmp;
270 
271             do
272             {
273                half_z_window_size >>= 1;
274                --z_cinfo;
275             }
276             while (z_cinfo > 0 && data_size <= half_z_window_size);
277 
278             z_cmf = (z_cmf & 0x0f) | (z_cinfo << 4);
279 
280             data[0] = (png_byte)z_cmf;
281             tmp = data[1] & 0xe0;
282             tmp += 0x1f - ((z_cmf << 8) + tmp) % 0x1f;
283             data[1] = (png_byte)tmp;
284          }
285       }
286    }
287 }
288 #endif /* WRITE_OPTIMIZE_CMF */
289 
290 /* Initialize the compressor for the appropriate type of compression. */
291 static int
png_deflate_claim(png_structrp png_ptr,png_uint_32 owner,png_alloc_size_t data_size)292 png_deflate_claim(png_structrp png_ptr, png_uint_32 owner,
293     png_alloc_size_t data_size)
294 {
295    if (png_ptr->zowner != 0)
296    {
297 #if defined(PNG_WARNINGS_SUPPORTED) || defined(PNG_ERROR_TEXT_SUPPORTED)
298       char msg[64];
299 
300       PNG_STRING_FROM_CHUNK(msg, owner);
301       msg[4] = ':';
302       msg[5] = ' ';
303       PNG_STRING_FROM_CHUNK(msg+6, png_ptr->zowner);
304       /* So the message that results is "<chunk> using zstream"; this is an
305        * internal error, but is very useful for debugging.  i18n requirements
306        * are minimal.
307        */
308       (void)png_safecat(msg, (sizeof msg), 10, " using zstream");
309 #endif
310 #if PNG_RELEASE_BUILD
311          png_warning(png_ptr, msg);
312 
313          /* Attempt sane error recovery */
314          if (png_ptr->zowner == png_IDAT) /* don't steal from IDAT */
315          {
316             png_ptr->zstream.msg = PNGZ_MSG_CAST("in use by IDAT");
317             return Z_STREAM_ERROR;
318          }
319 
320          png_ptr->zowner = 0;
321 #else
322          png_error(png_ptr, msg);
323 #endif
324    }
325 
326    {
327       int level = png_ptr->zlib_level;
328       int method = png_ptr->zlib_method;
329       int windowBits = png_ptr->zlib_window_bits;
330       int memLevel = png_ptr->zlib_mem_level;
331       int strategy; /* set below */
332       int ret; /* zlib return code */
333 
334       if (owner == png_IDAT)
335       {
336          if ((png_ptr->flags & PNG_FLAG_ZLIB_CUSTOM_STRATEGY) != 0)
337             strategy = png_ptr->zlib_strategy;
338 
339          else if (png_ptr->do_filter != PNG_FILTER_NONE)
340             strategy = PNG_Z_DEFAULT_STRATEGY;
341 
342          else
343             strategy = PNG_Z_DEFAULT_NOFILTER_STRATEGY;
344       }
345 
346       else
347       {
348 #ifdef PNG_WRITE_CUSTOMIZE_ZTXT_COMPRESSION_SUPPORTED
349             level = png_ptr->zlib_text_level;
350             method = png_ptr->zlib_text_method;
351             windowBits = png_ptr->zlib_text_window_bits;
352             memLevel = png_ptr->zlib_text_mem_level;
353             strategy = png_ptr->zlib_text_strategy;
354 #else
355             /* If customization is not supported the values all come from the
356              * IDAT values except for the strategy, which is fixed to the
357              * default.  (This is the pre-1.6.0 behavior too, although it was
358              * implemented in a very different way.)
359              */
360             strategy = Z_DEFAULT_STRATEGY;
361 #endif
362       }
363 
364       /* Adjust 'windowBits' down if larger than 'data_size'; to stop this
365        * happening just pass 32768 as the data_size parameter.  Notice that zlib
366        * requires an extra 262 bytes in the window in addition to the data to be
367        * able to see the whole of the data, so if data_size+262 takes us to the
368        * next windowBits size we need to fix up the value later.  (Because even
369        * though deflate needs the extra window, inflate does not!)
370        */
371       if (data_size <= 16384)
372       {
373          /* IMPLEMENTATION NOTE: this 'half_window_size' stuff is only here to
374           * work round a Microsoft Visual C misbehavior which, contrary to C-90,
375           * widens the result of the following shift to 64-bits if (and,
376           * apparently, only if) it is used in a test.
377           */
378          unsigned int half_window_size = 1U << (windowBits-1);
379 
380          while (data_size + 262 <= half_window_size)
381          {
382             half_window_size >>= 1;
383             --windowBits;
384          }
385       }
386 
387       /* Check against the previous initialized values, if any. */
388       if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != 0 &&
389          (png_ptr->zlib_set_level != level ||
390          png_ptr->zlib_set_method != method ||
391          png_ptr->zlib_set_window_bits != windowBits ||
392          png_ptr->zlib_set_mem_level != memLevel ||
393          png_ptr->zlib_set_strategy != strategy))
394       {
395          if (deflateEnd(&png_ptr->zstream) != Z_OK)
396             png_warning(png_ptr, "deflateEnd failed (ignored)");
397 
398          png_ptr->flags &= ~PNG_FLAG_ZSTREAM_INITIALIZED;
399       }
400 
401       /* For safety clear out the input and output pointers (currently zlib
402        * doesn't use them on Init, but it might in the future).
403        */
404       png_ptr->zstream.next_in = NULL;
405       png_ptr->zstream.avail_in = 0;
406       png_ptr->zstream.next_out = NULL;
407       png_ptr->zstream.avail_out = 0;
408 
409       /* Now initialize if required, setting the new parameters, otherwise just
410        * do a simple reset to the previous parameters.
411        */
412       if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != 0)
413          ret = deflateReset(&png_ptr->zstream);
414 
415       else
416       {
417          ret = deflateInit2(&png_ptr->zstream, level, method, windowBits,
418              memLevel, strategy);
419 
420          if (ret == Z_OK)
421             png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
422       }
423 
424       /* The return code is from either deflateReset or deflateInit2; they have
425        * pretty much the same set of error codes.
426        */
427       if (ret == Z_OK)
428          png_ptr->zowner = owner;
429 
430       else
431          png_zstream_error(png_ptr, ret);
432 
433       return ret;
434    }
435 }
436 
437 /* Clean up (or trim) a linked list of compression buffers. */
438 void /* PRIVATE */
png_free_buffer_list(png_structrp png_ptr,png_compression_bufferp * listp)439 png_free_buffer_list(png_structrp png_ptr, png_compression_bufferp *listp)
440 {
441    png_compression_bufferp list = *listp;
442 
443    if (list != NULL)
444    {
445       *listp = NULL;
446 
447       do
448       {
449          png_compression_bufferp next = list->next;
450 
451          png_free(png_ptr, list);
452          list = next;
453       }
454       while (list != NULL);
455    }
456 }
457 
458 #ifdef PNG_WRITE_COMPRESSED_TEXT_SUPPORTED
459 /* This pair of functions encapsulates the operation of (a) compressing a
460  * text string, and (b) issuing it later as a series of chunk data writes.
461  * The compression_state structure is shared context for these functions
462  * set up by the caller to allow access to the relevant local variables.
463  *
464  * compression_buffer (new in 1.6.0) is just a linked list of zbuffer_size
465  * temporary buffers.  From 1.6.0 it is retained in png_struct so that it will
466  * be correctly freed in the event of a write error (previous implementations
467  * just leaked memory.)
468  */
469 typedef struct
470 {
471    png_const_bytep      input;        /* The uncompressed input data */
472    png_alloc_size_t     input_len;    /* Its length */
473    png_uint_32          output_len;   /* Final compressed length */
474    png_byte             output[1024]; /* First block of output */
475 } compression_state;
476 
477 static void
png_text_compress_init(compression_state * comp,png_const_bytep input,png_alloc_size_t input_len)478 png_text_compress_init(compression_state *comp, png_const_bytep input,
479     png_alloc_size_t input_len)
480 {
481    comp->input = input;
482    comp->input_len = input_len;
483    comp->output_len = 0;
484 }
485 
486 /* Compress the data in the compression state input */
487 static int
png_text_compress(png_structrp png_ptr,png_uint_32 chunk_name,compression_state * comp,png_uint_32 prefix_len)488 png_text_compress(png_structrp png_ptr, png_uint_32 chunk_name,
489     compression_state *comp, png_uint_32 prefix_len)
490 {
491    int ret;
492 
493    /* To find the length of the output it is necessary to first compress the
494     * input. The result is buffered rather than using the two-pass algorithm
495     * that is used on the inflate side; deflate is assumed to be slower and a
496     * PNG writer is assumed to have more memory available than a PNG reader.
497     *
498     * IMPLEMENTATION NOTE: the zlib API deflateBound() can be used to find an
499     * upper limit on the output size, but it is always bigger than the input
500     * size so it is likely to be more efficient to use this linked-list
501     * approach.
502     */
503    ret = png_deflate_claim(png_ptr, chunk_name, comp->input_len);
504 
505    if (ret != Z_OK)
506       return ret;
507 
508    /* Set up the compression buffers, we need a loop here to avoid overflowing a
509     * uInt.  Use ZLIB_IO_MAX to limit the input.  The output is always limited
510     * by the output buffer size, so there is no need to check that.  Since this
511     * is ANSI-C we know that an 'int', hence a uInt, is always at least 16 bits
512     * in size.
513     */
514    {
515       png_compression_bufferp *end = &png_ptr->zbuffer_list;
516       png_alloc_size_t input_len = comp->input_len; /* may be zero! */
517       png_uint_32 output_len;
518 
519       /* zlib updates these for us: */
520       png_ptr->zstream.next_in = PNGZ_INPUT_CAST(comp->input);
521       png_ptr->zstream.avail_in = 0; /* Set below */
522       png_ptr->zstream.next_out = comp->output;
523       png_ptr->zstream.avail_out = (sizeof comp->output);
524 
525       output_len = png_ptr->zstream.avail_out;
526 
527       do
528       {
529          uInt avail_in = ZLIB_IO_MAX;
530 
531          if (avail_in > input_len)
532             avail_in = (uInt)input_len;
533 
534          input_len -= avail_in;
535 
536          png_ptr->zstream.avail_in = avail_in;
537 
538          if (png_ptr->zstream.avail_out == 0)
539          {
540             png_compression_buffer *next;
541 
542             /* Chunk data is limited to 2^31 bytes in length, so the prefix
543              * length must be counted here.
544              */
545             if (output_len + prefix_len > PNG_UINT_31_MAX)
546             {
547                ret = Z_MEM_ERROR;
548                break;
549             }
550 
551             /* Need a new (malloc'ed) buffer, but there may be one present
552              * already.
553              */
554             next = *end;
555             if (next == NULL)
556             {
557                next = png_voidcast(png_compression_bufferp, png_malloc_base
558                   (png_ptr, PNG_COMPRESSION_BUFFER_SIZE(png_ptr)));
559 
560                if (next == NULL)
561                {
562                   ret = Z_MEM_ERROR;
563                   break;
564                }
565 
566                /* Link in this buffer (so that it will be freed later) */
567                next->next = NULL;
568                *end = next;
569             }
570 
571             png_ptr->zstream.next_out = next->output;
572             png_ptr->zstream.avail_out = png_ptr->zbuffer_size;
573             output_len += png_ptr->zstream.avail_out;
574 
575             /* Move 'end' to the next buffer pointer. */
576             end = &next->next;
577          }
578 
579          /* Compress the data */
580          ret = deflate(&png_ptr->zstream,
581              input_len > 0 ? Z_NO_FLUSH : Z_FINISH);
582 
583          /* Claw back input data that was not consumed (because avail_in is
584           * reset above every time round the loop).
585           */
586          input_len += png_ptr->zstream.avail_in;
587          png_ptr->zstream.avail_in = 0; /* safety */
588       }
589       while (ret == Z_OK);
590 
591       /* There may be some space left in the last output buffer. This needs to
592        * be subtracted from output_len.
593        */
594       output_len -= png_ptr->zstream.avail_out;
595       png_ptr->zstream.avail_out = 0; /* safety */
596       comp->output_len = output_len;
597 
598       /* Now double check the output length, put in a custom message if it is
599        * too long.  Otherwise ensure the z_stream::msg pointer is set to
600        * something.
601        */
602       if (output_len + prefix_len >= PNG_UINT_31_MAX)
603       {
604          png_ptr->zstream.msg = PNGZ_MSG_CAST("compressed data too long");
605          ret = Z_MEM_ERROR;
606       }
607 
608       else
609          png_zstream_error(png_ptr, ret);
610 
611       /* Reset zlib for another zTXt/iTXt or image data */
612       png_ptr->zowner = 0;
613 
614       /* The only success case is Z_STREAM_END, input_len must be 0; if not this
615        * is an internal error.
616        */
617       if (ret == Z_STREAM_END && input_len == 0)
618       {
619 #ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED
620          /* Fix up the deflate header, if required */
621          optimize_cmf(comp->output, comp->input_len);
622 #endif
623          /* But Z_OK is returned, not Z_STREAM_END; this allows the claim
624           * function above to return Z_STREAM_END on an error (though it never
625           * does in the current versions of zlib.)
626           */
627          return Z_OK;
628       }
629 
630       else
631          return ret;
632    }
633 }
634 
635 /* Ship the compressed text out via chunk writes */
636 static void
png_write_compressed_data_out(png_structrp png_ptr,compression_state * comp)637 png_write_compressed_data_out(png_structrp png_ptr, compression_state *comp)
638 {
639    png_uint_32 output_len = comp->output_len;
640    png_const_bytep output = comp->output;
641    png_uint_32 avail = (sizeof comp->output);
642    png_compression_buffer *next = png_ptr->zbuffer_list;
643 
644    for (;;)
645    {
646       if (avail > output_len)
647          avail = output_len;
648 
649       png_write_chunk_data(png_ptr, output, avail);
650 
651       output_len -= avail;
652 
653       if (output_len == 0 || next == NULL)
654          break;
655 
656       avail = png_ptr->zbuffer_size;
657       output = next->output;
658       next = next->next;
659    }
660 
661    /* This is an internal error; 'next' must have been NULL! */
662    if (output_len > 0)
663       png_error(png_ptr, "error writing ancillary chunked compressed data");
664 }
665 #endif /* WRITE_COMPRESSED_TEXT */
666 
667 /* Write the IHDR chunk, and update the png_struct with the necessary
668  * information.  Note that the rest of this code depends upon this
669  * information being correct.
670  */
671 void /* PRIVATE */
png_write_IHDR(png_structrp png_ptr,png_uint_32 width,png_uint_32 height,int bit_depth,int color_type,int compression_type,int filter_type,int interlace_type)672 png_write_IHDR(png_structrp png_ptr, png_uint_32 width, png_uint_32 height,
673     int bit_depth, int color_type, int compression_type, int filter_type,
674     int interlace_type)
675 {
676    png_byte buf[13]; /* Buffer to store the IHDR info */
677    int is_invalid_depth;
678 
679    png_debug(1, "in png_write_IHDR");
680 
681    /* Check that we have valid input data from the application info */
682    switch (color_type)
683    {
684       case PNG_COLOR_TYPE_GRAY:
685          switch (bit_depth)
686          {
687             case 1:
688             case 2:
689             case 4:
690             case 8:
691 #ifdef PNG_WRITE_16BIT_SUPPORTED
692             case 16:
693 #endif
694                png_ptr->channels = 1; break;
695 
696             default:
697                png_error(png_ptr,
698                    "Invalid bit depth for grayscale image");
699          }
700          break;
701 
702       case PNG_COLOR_TYPE_RGB:
703          is_invalid_depth = (bit_depth != 8);
704 #ifdef PNG_WRITE_16BIT_SUPPORTED
705          is_invalid_depth = (is_invalid_depth && bit_depth != 16);
706 #endif
707          if (is_invalid_depth)
708             png_error(png_ptr, "Invalid bit depth for RGB image");
709 
710          png_ptr->channels = 3;
711          break;
712 
713       case PNG_COLOR_TYPE_PALETTE:
714          switch (bit_depth)
715          {
716             case 1:
717             case 2:
718             case 4:
719             case 8:
720                png_ptr->channels = 1;
721                break;
722 
723             default:
724                png_error(png_ptr, "Invalid bit depth for paletted image");
725          }
726          break;
727 
728       case PNG_COLOR_TYPE_GRAY_ALPHA:
729          is_invalid_depth = (bit_depth != 8);
730 #ifdef PNG_WRITE_16BIT_SUPPORTED
731          is_invalid_depth = (is_invalid_depth && bit_depth != 16);
732 #endif
733          if (is_invalid_depth)
734             png_error(png_ptr, "Invalid bit depth for grayscale+alpha image");
735 
736          png_ptr->channels = 2;
737          break;
738 
739       case PNG_COLOR_TYPE_RGB_ALPHA:
740          is_invalid_depth = (bit_depth != 8);
741 #ifdef PNG_WRITE_16BIT_SUPPORTED
742          is_invalid_depth = (is_invalid_depth && bit_depth != 16);
743 #endif
744          if (is_invalid_depth)
745             png_error(png_ptr, "Invalid bit depth for RGBA image");
746 
747          png_ptr->channels = 4;
748          break;
749 
750       default:
751          png_error(png_ptr, "Invalid image color type specified");
752    }
753 
754    if (compression_type != PNG_COMPRESSION_TYPE_BASE)
755    {
756       png_warning(png_ptr, "Invalid compression type specified");
757       compression_type = PNG_COMPRESSION_TYPE_BASE;
758    }
759 
760    /* Write filter_method 64 (intrapixel differencing) only if
761     * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
762     * 2. Libpng did not write a PNG signature (this filter_method is only
763     *    used in PNG datastreams that are embedded in MNG datastreams) and
764     * 3. The application called png_permit_mng_features with a mask that
765     *    included PNG_FLAG_MNG_FILTER_64 and
766     * 4. The filter_method is 64 and
767     * 5. The color_type is RGB or RGBA
768     */
769    if (
770 #ifdef PNG_MNG_FEATURES_SUPPORTED
771        !((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
772        ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
773        (color_type == PNG_COLOR_TYPE_RGB ||
774         color_type == PNG_COLOR_TYPE_RGB_ALPHA) &&
775        (filter_type == PNG_INTRAPIXEL_DIFFERENCING)) &&
776 #endif
777        filter_type != PNG_FILTER_TYPE_BASE)
778    {
779       png_warning(png_ptr, "Invalid filter type specified");
780       filter_type = PNG_FILTER_TYPE_BASE;
781    }
782 
783 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
784    if (interlace_type != PNG_INTERLACE_NONE &&
785        interlace_type != PNG_INTERLACE_ADAM7)
786    {
787       png_warning(png_ptr, "Invalid interlace type specified");
788       interlace_type = PNG_INTERLACE_ADAM7;
789    }
790 #else
791    interlace_type=PNG_INTERLACE_NONE;
792 #endif
793 
794    /* Save the relevant information */
795    png_ptr->bit_depth = (png_byte)bit_depth;
796    png_ptr->color_type = (png_byte)color_type;
797    png_ptr->interlaced = (png_byte)interlace_type;
798 #ifdef PNG_MNG_FEATURES_SUPPORTED
799    png_ptr->filter_type = (png_byte)filter_type;
800 #endif
801    png_ptr->compression_type = (png_byte)compression_type;
802    png_ptr->width = width;
803    png_ptr->height = height;
804 
805    png_ptr->pixel_depth = (png_byte)(bit_depth * png_ptr->channels);
806    png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, width);
807    /* Set the usr info, so any transformations can modify it */
808    png_ptr->usr_width = png_ptr->width;
809    png_ptr->usr_bit_depth = png_ptr->bit_depth;
810    png_ptr->usr_channels = png_ptr->channels;
811 
812    /* Pack the header information into the buffer */
813    png_save_uint_32(buf, width);
814    png_save_uint_32(buf + 4, height);
815    buf[8] = (png_byte)bit_depth;
816    buf[9] = (png_byte)color_type;
817    buf[10] = (png_byte)compression_type;
818    buf[11] = (png_byte)filter_type;
819    buf[12] = (png_byte)interlace_type;
820 
821    /* Write the chunk */
822    png_write_complete_chunk(png_ptr, png_IHDR, buf, 13);
823 
824    if ((png_ptr->do_filter) == PNG_NO_FILTERS)
825    {
826       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE ||
827           png_ptr->bit_depth < 8)
828          png_ptr->do_filter = PNG_FILTER_NONE;
829 
830       else
831          png_ptr->do_filter = PNG_ALL_FILTERS;
832    }
833 
834    png_ptr->mode = PNG_HAVE_IHDR; /* not READY_FOR_ZTXT */
835 }
836 
837 /* Write the palette.  We are careful not to trust png_color to be in the
838  * correct order for PNG, so people can redefine it to any convenient
839  * structure.
840  */
841 void /* PRIVATE */
png_write_PLTE(png_structrp png_ptr,png_const_colorp palette,png_uint_32 num_pal)842 png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
843     png_uint_32 num_pal)
844 {
845    png_uint_32 max_palette_length, i;
846    png_const_colorp pal_ptr;
847    png_byte buf[3];
848 
849    png_debug(1, "in png_write_PLTE");
850 
851    max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
852       (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
853 
854    if ((
855 #ifdef PNG_MNG_FEATURES_SUPPORTED
856        (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
857 #endif
858        num_pal == 0) || num_pal > max_palette_length)
859    {
860       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
861       {
862          png_error(png_ptr, "Invalid number of colors in palette");
863       }
864 
865       else
866       {
867          png_warning(png_ptr, "Invalid number of colors in palette");
868          return;
869       }
870    }
871 
872    if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0)
873    {
874       png_warning(png_ptr,
875           "Ignoring request to write a PLTE chunk in grayscale PNG");
876 
877       return;
878    }
879 
880    png_ptr->num_palette = (png_uint_16)num_pal;
881    png_debug1(3, "num_palette = %d", png_ptr->num_palette);
882 
883    png_write_chunk_header(png_ptr, png_PLTE, (png_uint_32)(num_pal * 3));
884 #ifdef PNG_POINTER_INDEXING_SUPPORTED
885 
886    for (i = 0, pal_ptr = palette; i < num_pal; i++, pal_ptr++)
887    {
888       buf[0] = pal_ptr->red;
889       buf[1] = pal_ptr->green;
890       buf[2] = pal_ptr->blue;
891       png_write_chunk_data(png_ptr, buf, 3);
892    }
893 
894 #else
895    /* This is a little slower but some buggy compilers need to do this
896     * instead
897     */
898    pal_ptr=palette;
899 
900    for (i = 0; i < num_pal; i++)
901    {
902       buf[0] = pal_ptr[i].red;
903       buf[1] = pal_ptr[i].green;
904       buf[2] = pal_ptr[i].blue;
905       png_write_chunk_data(png_ptr, buf, 3);
906    }
907 
908 #endif
909    png_write_chunk_end(png_ptr);
910    png_ptr->mode |= PNG_HAVE_PLTE;
911 }
912 
913 /* This is similar to png_text_compress, above, except that it does not require
914  * all of the data at once and, instead of buffering the compressed result,
915  * writes it as IDAT chunks.  Unlike png_text_compress it *can* png_error out
916  * because it calls the write interface.  As a result it does its own error
917  * reporting and does not return an error code.  In the event of error it will
918  * just call png_error.  The input data length may exceed 32-bits.  The 'flush'
919  * parameter is exactly the same as that to deflate, with the following
920  * meanings:
921  *
922  * Z_NO_FLUSH: normal incremental output of compressed data
923  * Z_SYNC_FLUSH: do a SYNC_FLUSH, used by png_write_flush
924  * Z_FINISH: this is the end of the input, do a Z_FINISH and clean up
925  *
926  * The routine manages the acquire and release of the png_ptr->zstream by
927  * checking and (at the end) clearing png_ptr->zowner; it does some sanity
928  * checks on the 'mode' flags while doing this.
929  */
930 void /* PRIVATE */
png_compress_IDAT(png_structrp png_ptr,png_const_bytep input,png_alloc_size_t input_len,int flush)931 png_compress_IDAT(png_structrp png_ptr, png_const_bytep input,
932     png_alloc_size_t input_len, int flush)
933 {
934    if (png_ptr->zowner != png_IDAT)
935    {
936       /* First time.   Ensure we have a temporary buffer for compression and
937        * trim the buffer list if it has more than one entry to free memory.
938        * If 'WRITE_COMPRESSED_TEXT' is not set the list will never have been
939        * created at this point, but the check here is quick and safe.
940        */
941       if (png_ptr->zbuffer_list == NULL)
942       {
943          png_ptr->zbuffer_list = png_voidcast(png_compression_bufferp,
944              png_malloc(png_ptr, PNG_COMPRESSION_BUFFER_SIZE(png_ptr)));
945          png_ptr->zbuffer_list->next = NULL;
946       }
947 
948       else
949          png_free_buffer_list(png_ptr, &png_ptr->zbuffer_list->next);
950 
951       /* It is a terminal error if we can't claim the zstream. */
952       if (png_deflate_claim(png_ptr, png_IDAT, png_image_size(png_ptr)) != Z_OK)
953          png_error(png_ptr, png_ptr->zstream.msg);
954 
955       /* The output state is maintained in png_ptr->zstream, so it must be
956        * initialized here after the claim.
957        */
958       png_ptr->zstream.next_out = png_ptr->zbuffer_list->output;
959       png_ptr->zstream.avail_out = png_ptr->zbuffer_size;
960    }
961 
962    /* Now loop reading and writing until all the input is consumed or an error
963     * terminates the operation.  The _out values are maintained across calls to
964     * this function, but the input must be reset each time.
965     */
966    png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
967    png_ptr->zstream.avail_in = 0; /* set below */
968    for (;;)
969    {
970       int ret;
971 
972       /* INPUT: from the row data */
973       uInt avail = ZLIB_IO_MAX;
974 
975       if (avail > input_len)
976          avail = (uInt)input_len; /* safe because of the check */
977 
978       png_ptr->zstream.avail_in = avail;
979       input_len -= avail;
980 
981       ret = deflate(&png_ptr->zstream, input_len > 0 ? Z_NO_FLUSH : flush);
982 
983       /* Include as-yet unconsumed input */
984       input_len += png_ptr->zstream.avail_in;
985       png_ptr->zstream.avail_in = 0;
986 
987       /* OUTPUT: write complete IDAT chunks when avail_out drops to zero. Note
988        * that these two zstream fields are preserved across the calls, therefore
989        * there is no need to set these up on entry to the loop.
990        */
991       if (png_ptr->zstream.avail_out == 0)
992       {
993          png_bytep data = png_ptr->zbuffer_list->output;
994          uInt size = png_ptr->zbuffer_size;
995 
996          /* Write an IDAT containing the data then reset the buffer.  The
997           * first IDAT may need deflate header optimization.
998           */
999 #ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED
1000             if ((png_ptr->mode & PNG_HAVE_IDAT) == 0 &&
1001                 png_ptr->compression_type == PNG_COMPRESSION_TYPE_BASE)
1002                optimize_cmf(data, png_image_size(png_ptr));
1003 #endif
1004 
1005          if (size > 0)
1006             png_write_complete_chunk(png_ptr, png_IDAT, data, size);
1007          png_ptr->mode |= PNG_HAVE_IDAT;
1008 
1009          png_ptr->zstream.next_out = data;
1010          png_ptr->zstream.avail_out = size;
1011 
1012          /* For SYNC_FLUSH or FINISH it is essential to keep calling zlib with
1013           * the same flush parameter until it has finished output, for NO_FLUSH
1014           * it doesn't matter.
1015           */
1016          if (ret == Z_OK && flush != Z_NO_FLUSH)
1017             continue;
1018       }
1019 
1020       /* The order of these checks doesn't matter much; it just affects which
1021        * possible error might be detected if multiple things go wrong at once.
1022        */
1023       if (ret == Z_OK) /* most likely return code! */
1024       {
1025          /* If all the input has been consumed then just return.  If Z_FINISH
1026           * was used as the flush parameter something has gone wrong if we get
1027           * here.
1028           */
1029          if (input_len == 0)
1030          {
1031             if (flush == Z_FINISH)
1032                png_error(png_ptr, "Z_OK on Z_FINISH with output space");
1033 
1034             return;
1035          }
1036       }
1037 
1038       else if (ret == Z_STREAM_END && flush == Z_FINISH)
1039       {
1040          /* This is the end of the IDAT data; any pending output must be
1041           * flushed.  For small PNG files we may still be at the beginning.
1042           */
1043          png_bytep data = png_ptr->zbuffer_list->output;
1044          uInt size = png_ptr->zbuffer_size - png_ptr->zstream.avail_out;
1045 
1046 #ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED
1047          if ((png_ptr->mode & PNG_HAVE_IDAT) == 0 &&
1048              png_ptr->compression_type == PNG_COMPRESSION_TYPE_BASE)
1049             optimize_cmf(data, png_image_size(png_ptr));
1050 #endif
1051 
1052          if (size > 0)
1053             png_write_complete_chunk(png_ptr, png_IDAT, data, size);
1054          png_ptr->zstream.avail_out = 0;
1055          png_ptr->zstream.next_out = NULL;
1056          png_ptr->mode |= PNG_HAVE_IDAT | PNG_AFTER_IDAT;
1057 
1058          png_ptr->zowner = 0; /* Release the stream */
1059          return;
1060       }
1061 
1062       else
1063       {
1064          /* This is an error condition. */
1065          png_zstream_error(png_ptr, ret);
1066          png_error(png_ptr, png_ptr->zstream.msg);
1067       }
1068    }
1069 }
1070 
1071 /* Write an IEND chunk */
1072 void /* PRIVATE */
png_write_IEND(png_structrp png_ptr)1073 png_write_IEND(png_structrp png_ptr)
1074 {
1075    png_debug(1, "in png_write_IEND");
1076 
1077    png_write_complete_chunk(png_ptr, png_IEND, NULL, 0);
1078    png_ptr->mode |= PNG_HAVE_IEND;
1079 }
1080 
1081 #ifdef PNG_WRITE_gAMA_SUPPORTED
1082 /* Write a gAMA chunk */
1083 void /* PRIVATE */
png_write_gAMA_fixed(png_structrp png_ptr,png_fixed_point file_gamma)1084 png_write_gAMA_fixed(png_structrp png_ptr, png_fixed_point file_gamma)
1085 {
1086    png_byte buf[4];
1087 
1088    png_debug(1, "in png_write_gAMA");
1089 
1090    /* file_gamma is saved in 1/100,000ths */
1091    png_save_uint_32(buf, (png_uint_32)file_gamma);
1092    png_write_complete_chunk(png_ptr, png_gAMA, buf, 4);
1093 }
1094 #endif
1095 
1096 #ifdef PNG_WRITE_sRGB_SUPPORTED
1097 /* Write a sRGB chunk */
1098 void /* PRIVATE */
png_write_sRGB(png_structrp png_ptr,int srgb_intent)1099 png_write_sRGB(png_structrp png_ptr, int srgb_intent)
1100 {
1101    png_byte buf[1];
1102 
1103    png_debug(1, "in png_write_sRGB");
1104 
1105    if (srgb_intent >= PNG_sRGB_INTENT_LAST)
1106       png_warning(png_ptr,
1107           "Invalid sRGB rendering intent specified");
1108 
1109    buf[0]=(png_byte)srgb_intent;
1110    png_write_complete_chunk(png_ptr, png_sRGB, buf, 1);
1111 }
1112 #endif
1113 
1114 #ifdef PNG_WRITE_iCCP_SUPPORTED
1115 /* Write an iCCP chunk */
1116 void /* PRIVATE */
png_write_iCCP(png_structrp png_ptr,png_const_charp name,png_const_bytep profile)1117 png_write_iCCP(png_structrp png_ptr, png_const_charp name,
1118     png_const_bytep profile)
1119 {
1120    png_uint_32 name_len;
1121    png_uint_32 profile_len;
1122    png_byte new_name[81]; /* 1 byte for the compression byte */
1123    compression_state comp;
1124    png_uint_32 temp;
1125 
1126    png_debug(1, "in png_write_iCCP");
1127 
1128    /* These are all internal problems: the profile should have been checked
1129     * before when it was stored.
1130     */
1131    if (profile == NULL)
1132       png_error(png_ptr, "No profile for iCCP chunk"); /* internal error */
1133 
1134    profile_len = png_get_uint_32(profile);
1135 
1136    if (profile_len < 132)
1137       png_error(png_ptr, "ICC profile too short");
1138 
1139    temp = (png_uint_32) (*(profile+8));
1140    if (temp > 3 && (profile_len & 0x03))
1141       png_error(png_ptr, "ICC profile length invalid (not a multiple of 4)");
1142 
1143    {
1144       png_uint_32 embedded_profile_len = png_get_uint_32(profile);
1145 
1146       if (profile_len != embedded_profile_len)
1147          png_error(png_ptr, "Profile length does not match profile");
1148    }
1149 
1150    name_len = png_check_keyword(png_ptr, name, new_name);
1151 
1152    if (name_len == 0)
1153       png_error(png_ptr, "iCCP: invalid keyword");
1154 
1155    new_name[++name_len] = PNG_COMPRESSION_TYPE_BASE;
1156 
1157    /* Make sure we include the NULL after the name and the compression type */
1158    ++name_len;
1159 
1160    png_text_compress_init(&comp, profile, profile_len);
1161 
1162    /* Allow for keyword terminator and compression byte */
1163    if (png_text_compress(png_ptr, png_iCCP, &comp, name_len) != Z_OK)
1164       png_error(png_ptr, png_ptr->zstream.msg);
1165 
1166    png_write_chunk_header(png_ptr, png_iCCP, name_len + comp.output_len);
1167 
1168    png_write_chunk_data(png_ptr, new_name, name_len);
1169 
1170    png_write_compressed_data_out(png_ptr, &comp);
1171 
1172    png_write_chunk_end(png_ptr);
1173 }
1174 #endif
1175 
1176 #ifdef PNG_WRITE_sPLT_SUPPORTED
1177 /* Write a sPLT chunk */
1178 void /* PRIVATE */
png_write_sPLT(png_structrp png_ptr,png_const_sPLT_tp spalette)1179 png_write_sPLT(png_structrp png_ptr, png_const_sPLT_tp spalette)
1180 {
1181    png_uint_32 name_len;
1182    png_byte new_name[80];
1183    png_byte entrybuf[10];
1184    size_t entry_size = (spalette->depth == 8 ? 6 : 10);
1185    size_t palette_size = entry_size * (size_t)spalette->nentries;
1186    png_sPLT_entryp ep;
1187 #ifndef PNG_POINTER_INDEXING_SUPPORTED
1188    int i;
1189 #endif
1190 
1191    png_debug(1, "in png_write_sPLT");
1192 
1193    name_len = png_check_keyword(png_ptr, spalette->name, new_name);
1194 
1195    if (name_len == 0)
1196       png_error(png_ptr, "sPLT: invalid keyword");
1197 
1198    /* Make sure we include the NULL after the name */
1199    png_write_chunk_header(png_ptr, png_sPLT,
1200        (png_uint_32)(name_len + 2 + palette_size));
1201 
1202    png_write_chunk_data(png_ptr, (png_bytep)new_name, (size_t)(name_len + 1));
1203 
1204    png_write_chunk_data(png_ptr, &spalette->depth, 1);
1205 
1206    /* Loop through each palette entry, writing appropriately */
1207 #ifdef PNG_POINTER_INDEXING_SUPPORTED
1208    for (ep = spalette->entries; ep<spalette->entries + spalette->nentries; ep++)
1209    {
1210       if (spalette->depth == 8)
1211       {
1212          entrybuf[0] = (png_byte)ep->red;
1213          entrybuf[1] = (png_byte)ep->green;
1214          entrybuf[2] = (png_byte)ep->blue;
1215          entrybuf[3] = (png_byte)ep->alpha;
1216          png_save_uint_16(entrybuf + 4, ep->frequency);
1217       }
1218 
1219       else
1220       {
1221          png_save_uint_16(entrybuf + 0, ep->red);
1222          png_save_uint_16(entrybuf + 2, ep->green);
1223          png_save_uint_16(entrybuf + 4, ep->blue);
1224          png_save_uint_16(entrybuf + 6, ep->alpha);
1225          png_save_uint_16(entrybuf + 8, ep->frequency);
1226       }
1227 
1228       png_write_chunk_data(png_ptr, entrybuf, entry_size);
1229    }
1230 #else
1231    ep=spalette->entries;
1232    for (i = 0; i>spalette->nentries; i++)
1233    {
1234       if (spalette->depth == 8)
1235       {
1236          entrybuf[0] = (png_byte)ep[i].red;
1237          entrybuf[1] = (png_byte)ep[i].green;
1238          entrybuf[2] = (png_byte)ep[i].blue;
1239          entrybuf[3] = (png_byte)ep[i].alpha;
1240          png_save_uint_16(entrybuf + 4, ep[i].frequency);
1241       }
1242 
1243       else
1244       {
1245          png_save_uint_16(entrybuf + 0, ep[i].red);
1246          png_save_uint_16(entrybuf + 2, ep[i].green);
1247          png_save_uint_16(entrybuf + 4, ep[i].blue);
1248          png_save_uint_16(entrybuf + 6, ep[i].alpha);
1249          png_save_uint_16(entrybuf + 8, ep[i].frequency);
1250       }
1251 
1252       png_write_chunk_data(png_ptr, entrybuf, entry_size);
1253    }
1254 #endif
1255 
1256    png_write_chunk_end(png_ptr);
1257 }
1258 #endif
1259 
1260 #ifdef PNG_WRITE_sBIT_SUPPORTED
1261 /* Write the sBIT chunk */
1262 void /* PRIVATE */
png_write_sBIT(png_structrp png_ptr,png_const_color_8p sbit,int color_type)1263 png_write_sBIT(png_structrp png_ptr, png_const_color_8p sbit, int color_type)
1264 {
1265    png_byte buf[4];
1266    size_t size;
1267 
1268    png_debug(1, "in png_write_sBIT");
1269 
1270    /* Make sure we don't depend upon the order of PNG_COLOR_8 */
1271    if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
1272    {
1273       png_byte maxbits;
1274 
1275       maxbits = (png_byte)(color_type==PNG_COLOR_TYPE_PALETTE ? 8 :
1276           png_ptr->usr_bit_depth);
1277 
1278       if (sbit->red == 0 || sbit->red > maxbits ||
1279           sbit->green == 0 || sbit->green > maxbits ||
1280           sbit->blue == 0 || sbit->blue > maxbits)
1281       {
1282          png_warning(png_ptr, "Invalid sBIT depth specified");
1283          return;
1284       }
1285 
1286       buf[0] = sbit->red;
1287       buf[1] = sbit->green;
1288       buf[2] = sbit->blue;
1289       size = 3;
1290    }
1291 
1292    else
1293    {
1294       if (sbit->gray == 0 || sbit->gray > png_ptr->usr_bit_depth)
1295       {
1296          png_warning(png_ptr, "Invalid sBIT depth specified");
1297          return;
1298       }
1299 
1300       buf[0] = sbit->gray;
1301       size = 1;
1302    }
1303 
1304    if ((color_type & PNG_COLOR_MASK_ALPHA) != 0)
1305    {
1306       if (sbit->alpha == 0 || sbit->alpha > png_ptr->usr_bit_depth)
1307       {
1308          png_warning(png_ptr, "Invalid sBIT depth specified");
1309          return;
1310       }
1311 
1312       buf[size++] = sbit->alpha;
1313    }
1314 
1315    png_write_complete_chunk(png_ptr, png_sBIT, buf, size);
1316 }
1317 #endif
1318 
1319 #ifdef PNG_WRITE_cHRM_SUPPORTED
1320 /* Write the cHRM chunk */
1321 void /* PRIVATE */
png_write_cHRM_fixed(png_structrp png_ptr,const png_xy * xy)1322 png_write_cHRM_fixed(png_structrp png_ptr, const png_xy *xy)
1323 {
1324    png_byte buf[32];
1325 
1326    png_debug(1, "in png_write_cHRM");
1327 
1328    /* Each value is saved in 1/100,000ths */
1329    png_save_int_32(buf,      xy->whitex);
1330    png_save_int_32(buf +  4, xy->whitey);
1331 
1332    png_save_int_32(buf +  8, xy->redx);
1333    png_save_int_32(buf + 12, xy->redy);
1334 
1335    png_save_int_32(buf + 16, xy->greenx);
1336    png_save_int_32(buf + 20, xy->greeny);
1337 
1338    png_save_int_32(buf + 24, xy->bluex);
1339    png_save_int_32(buf + 28, xy->bluey);
1340 
1341    png_write_complete_chunk(png_ptr, png_cHRM, buf, 32);
1342 }
1343 #endif
1344 
1345 #ifdef PNG_WRITE_tRNS_SUPPORTED
1346 /* Write the tRNS chunk */
1347 void /* PRIVATE */
png_write_tRNS(png_structrp png_ptr,png_const_bytep trans_alpha,png_const_color_16p tran,int num_trans,int color_type)1348 png_write_tRNS(png_structrp png_ptr, png_const_bytep trans_alpha,
1349     png_const_color_16p tran, int num_trans, int color_type)
1350 {
1351    png_byte buf[6];
1352 
1353    png_debug(1, "in png_write_tRNS");
1354 
1355    if (color_type == PNG_COLOR_TYPE_PALETTE)
1356    {
1357       if (num_trans <= 0 || num_trans > (int)png_ptr->num_palette)
1358       {
1359          png_app_warning(png_ptr,
1360              "Invalid number of transparent colors specified");
1361          return;
1362       }
1363 
1364       /* Write the chunk out as it is */
1365       png_write_complete_chunk(png_ptr, png_tRNS, trans_alpha,
1366           (size_t)num_trans);
1367    }
1368 
1369    else if (color_type == PNG_COLOR_TYPE_GRAY)
1370    {
1371       /* One 16-bit value */
1372       if (tran->gray >= (1 << png_ptr->bit_depth))
1373       {
1374          png_app_warning(png_ptr,
1375              "Ignoring attempt to write tRNS chunk out-of-range for bit_depth");
1376 
1377          return;
1378       }
1379 
1380       png_save_uint_16(buf, tran->gray);
1381       png_write_complete_chunk(png_ptr, png_tRNS, buf, 2);
1382    }
1383 
1384    else if (color_type == PNG_COLOR_TYPE_RGB)
1385    {
1386       /* Three 16-bit values */
1387       png_save_uint_16(buf, tran->red);
1388       png_save_uint_16(buf + 2, tran->green);
1389       png_save_uint_16(buf + 4, tran->blue);
1390 #ifdef PNG_WRITE_16BIT_SUPPORTED
1391       if (png_ptr->bit_depth == 8 && (buf[0] | buf[2] | buf[4]) != 0)
1392 #else
1393       if ((buf[0] | buf[2] | buf[4]) != 0)
1394 #endif
1395       {
1396          png_app_warning(png_ptr,
1397              "Ignoring attempt to write 16-bit tRNS chunk when bit_depth is 8");
1398          return;
1399       }
1400 
1401       png_write_complete_chunk(png_ptr, png_tRNS, buf, 6);
1402    }
1403 
1404    else
1405    {
1406       png_app_warning(png_ptr, "Can't write tRNS with an alpha channel");
1407    }
1408 }
1409 #endif
1410 
1411 #ifdef PNG_WRITE_bKGD_SUPPORTED
1412 /* Write the background chunk */
1413 void /* PRIVATE */
png_write_bKGD(png_structrp png_ptr,png_const_color_16p back,int color_type)1414 png_write_bKGD(png_structrp png_ptr, png_const_color_16p back, int color_type)
1415 {
1416    png_byte buf[6];
1417 
1418    png_debug(1, "in png_write_bKGD");
1419 
1420    if (color_type == PNG_COLOR_TYPE_PALETTE)
1421    {
1422       if (
1423 #ifdef PNG_MNG_FEATURES_SUPPORTED
1424           (png_ptr->num_palette != 0 ||
1425           (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0) &&
1426 #endif
1427          back->index >= png_ptr->num_palette)
1428       {
1429          png_warning(png_ptr, "Invalid background palette index");
1430          return;
1431       }
1432 
1433       buf[0] = back->index;
1434       png_write_complete_chunk(png_ptr, png_bKGD, buf, 1);
1435    }
1436 
1437    else if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
1438    {
1439       png_save_uint_16(buf, back->red);
1440       png_save_uint_16(buf + 2, back->green);
1441       png_save_uint_16(buf + 4, back->blue);
1442 #ifdef PNG_WRITE_16BIT_SUPPORTED
1443       if (png_ptr->bit_depth == 8 && (buf[0] | buf[2] | buf[4]) != 0)
1444 #else
1445       if ((buf[0] | buf[2] | buf[4]) != 0)
1446 #endif
1447       {
1448          png_warning(png_ptr,
1449              "Ignoring attempt to write 16-bit bKGD chunk "
1450              "when bit_depth is 8");
1451 
1452          return;
1453       }
1454 
1455       png_write_complete_chunk(png_ptr, png_bKGD, buf, 6);
1456    }
1457 
1458    else
1459    {
1460       if (back->gray >= (1 << png_ptr->bit_depth))
1461       {
1462          png_warning(png_ptr,
1463              "Ignoring attempt to write bKGD chunk out-of-range for bit_depth");
1464 
1465          return;
1466       }
1467 
1468       png_save_uint_16(buf, back->gray);
1469       png_write_complete_chunk(png_ptr, png_bKGD, buf, 2);
1470    }
1471 }
1472 #endif
1473 
1474 #ifdef PNG_WRITE_eXIf_SUPPORTED
1475 /* Write the Exif data */
1476 void /* PRIVATE */
png_write_eXIf(png_structrp png_ptr,png_bytep exif,int num_exif)1477 png_write_eXIf(png_structrp png_ptr, png_bytep exif, int num_exif)
1478 {
1479    int i;
1480    png_byte buf[1];
1481 
1482    png_debug(1, "in png_write_eXIf");
1483 
1484    png_write_chunk_header(png_ptr, png_eXIf, (png_uint_32)(num_exif));
1485 
1486    for (i = 0; i < num_exif; i++)
1487    {
1488       buf[0] = exif[i];
1489       png_write_chunk_data(png_ptr, buf, 1);
1490    }
1491 
1492    png_write_chunk_end(png_ptr);
1493 }
1494 #endif
1495 
1496 #ifdef PNG_WRITE_hIST_SUPPORTED
1497 /* Write the histogram */
1498 void /* PRIVATE */
png_write_hIST(png_structrp png_ptr,png_const_uint_16p hist,int num_hist)1499 png_write_hIST(png_structrp png_ptr, png_const_uint_16p hist, int num_hist)
1500 {
1501    int i;
1502    png_byte buf[3];
1503 
1504    png_debug(1, "in png_write_hIST");
1505 
1506    if (num_hist > (int)png_ptr->num_palette)
1507    {
1508       png_debug2(3, "num_hist = %d, num_palette = %d", num_hist,
1509           png_ptr->num_palette);
1510 
1511       png_warning(png_ptr, "Invalid number of histogram entries specified");
1512       return;
1513    }
1514 
1515    png_write_chunk_header(png_ptr, png_hIST, (png_uint_32)(num_hist * 2));
1516 
1517    for (i = 0; i < num_hist; i++)
1518    {
1519       png_save_uint_16(buf, hist[i]);
1520       png_write_chunk_data(png_ptr, buf, 2);
1521    }
1522 
1523    png_write_chunk_end(png_ptr);
1524 }
1525 #endif
1526 
1527 #ifdef PNG_WRITE_tEXt_SUPPORTED
1528 /* Write a tEXt chunk */
1529 void /* PRIVATE */
png_write_tEXt(png_structrp png_ptr,png_const_charp key,png_const_charp text,size_t text_len)1530 png_write_tEXt(png_structrp png_ptr, png_const_charp key, png_const_charp text,
1531     size_t text_len)
1532 {
1533    png_uint_32 key_len;
1534    png_byte new_key[80];
1535 
1536    png_debug(1, "in png_write_tEXt");
1537 
1538    key_len = png_check_keyword(png_ptr, key, new_key);
1539 
1540    if (key_len == 0)
1541       png_error(png_ptr, "tEXt: invalid keyword");
1542 
1543    if (text == NULL || *text == '\0')
1544       text_len = 0;
1545 
1546    else
1547       text_len = strlen(text);
1548 
1549    if (text_len > PNG_UINT_31_MAX - (key_len+1))
1550       png_error(png_ptr, "tEXt: text too long");
1551 
1552    /* Make sure we include the 0 after the key */
1553    png_write_chunk_header(png_ptr, png_tEXt,
1554        (png_uint_32)/*checked above*/(key_len + text_len + 1));
1555    /*
1556     * We leave it to the application to meet PNG-1.0 requirements on the
1557     * contents of the text.  PNG-1.0 through PNG-1.2 discourage the use of
1558     * any non-Latin-1 characters except for NEWLINE.  ISO PNG will forbid them.
1559     * The NUL character is forbidden by PNG-1.0 through PNG-1.2 and ISO PNG.
1560     */
1561    png_write_chunk_data(png_ptr, new_key, key_len + 1);
1562 
1563    if (text_len != 0)
1564       png_write_chunk_data(png_ptr, (png_const_bytep)text, text_len);
1565 
1566    png_write_chunk_end(png_ptr);
1567 }
1568 #endif
1569 
1570 #ifdef PNG_WRITE_zTXt_SUPPORTED
1571 /* Write a compressed text chunk */
1572 void /* PRIVATE */
png_write_zTXt(png_structrp png_ptr,png_const_charp key,png_const_charp text,int compression)1573 png_write_zTXt(png_structrp png_ptr, png_const_charp key, png_const_charp text,
1574     int compression)
1575 {
1576    png_uint_32 key_len;
1577    png_byte new_key[81];
1578    compression_state comp;
1579 
1580    png_debug(1, "in png_write_zTXt");
1581 
1582    if (compression == PNG_TEXT_COMPRESSION_NONE)
1583    {
1584       png_write_tEXt(png_ptr, key, text, 0);
1585       return;
1586    }
1587 
1588    if (compression != PNG_TEXT_COMPRESSION_zTXt)
1589       png_error(png_ptr, "zTXt: invalid compression type");
1590 
1591    key_len = png_check_keyword(png_ptr, key, new_key);
1592 
1593    if (key_len == 0)
1594       png_error(png_ptr, "zTXt: invalid keyword");
1595 
1596    /* Add the compression method and 1 for the keyword separator. */
1597    new_key[++key_len] = PNG_COMPRESSION_TYPE_BASE;
1598    ++key_len;
1599 
1600    /* Compute the compressed data; do it now for the length */
1601    png_text_compress_init(&comp, (png_const_bytep)text,
1602        text == NULL ? 0 : strlen(text));
1603 
1604    if (png_text_compress(png_ptr, png_zTXt, &comp, key_len) != Z_OK)
1605       png_error(png_ptr, png_ptr->zstream.msg);
1606 
1607    /* Write start of chunk */
1608    png_write_chunk_header(png_ptr, png_zTXt, key_len + comp.output_len);
1609 
1610    /* Write key */
1611    png_write_chunk_data(png_ptr, new_key, key_len);
1612 
1613    /* Write the compressed data */
1614    png_write_compressed_data_out(png_ptr, &comp);
1615 
1616    /* Close the chunk */
1617    png_write_chunk_end(png_ptr);
1618 }
1619 #endif
1620 
1621 #ifdef PNG_WRITE_iTXt_SUPPORTED
1622 /* Write an iTXt chunk */
1623 void /* PRIVATE */
png_write_iTXt(png_structrp png_ptr,int compression,png_const_charp key,png_const_charp lang,png_const_charp lang_key,png_const_charp text)1624 png_write_iTXt(png_structrp png_ptr, int compression, png_const_charp key,
1625     png_const_charp lang, png_const_charp lang_key, png_const_charp text)
1626 {
1627    png_uint_32 key_len, prefix_len;
1628    size_t lang_len, lang_key_len;
1629    png_byte new_key[82];
1630    compression_state comp;
1631 
1632    png_debug(1, "in png_write_iTXt");
1633 
1634    key_len = png_check_keyword(png_ptr, key, new_key);
1635 
1636    if (key_len == 0)
1637       png_error(png_ptr, "iTXt: invalid keyword");
1638 
1639    /* Set the compression flag */
1640    switch (compression)
1641    {
1642       case PNG_ITXT_COMPRESSION_NONE:
1643       case PNG_TEXT_COMPRESSION_NONE:
1644          compression = new_key[++key_len] = 0; /* no compression */
1645          break;
1646 
1647       case PNG_TEXT_COMPRESSION_zTXt:
1648       case PNG_ITXT_COMPRESSION_zTXt:
1649          compression = new_key[++key_len] = 1; /* compressed */
1650          break;
1651 
1652       default:
1653          png_error(png_ptr, "iTXt: invalid compression");
1654    }
1655 
1656    new_key[++key_len] = PNG_COMPRESSION_TYPE_BASE;
1657    ++key_len; /* for the keywod separator */
1658 
1659    /* We leave it to the application to meet PNG-1.0 requirements on the
1660     * contents of the text.  PNG-1.0 through PNG-1.2 discourage the use of
1661     * any non-Latin-1 characters except for NEWLINE.  ISO PNG, however,
1662     * specifies that the text is UTF-8 and this really doesn't require any
1663     * checking.
1664     *
1665     * The NUL character is forbidden by PNG-1.0 through PNG-1.2 and ISO PNG.
1666     *
1667     * TODO: validate the language tag correctly (see the spec.)
1668     */
1669    if (lang == NULL) lang = ""; /* empty language is valid */
1670    lang_len = strlen(lang)+1;
1671    if (lang_key == NULL) lang_key = ""; /* may be empty */
1672    lang_key_len = strlen(lang_key)+1;
1673    if (text == NULL) text = ""; /* may be empty */
1674 
1675    prefix_len = key_len;
1676    if (lang_len > PNG_UINT_31_MAX-prefix_len)
1677       prefix_len = PNG_UINT_31_MAX;
1678    else
1679       prefix_len = (png_uint_32)(prefix_len + lang_len);
1680 
1681    if (lang_key_len > PNG_UINT_31_MAX-prefix_len)
1682       prefix_len = PNG_UINT_31_MAX;
1683    else
1684       prefix_len = (png_uint_32)(prefix_len + lang_key_len);
1685 
1686    png_text_compress_init(&comp, (png_const_bytep)text, strlen(text));
1687 
1688    if (compression != 0)
1689    {
1690       if (png_text_compress(png_ptr, png_iTXt, &comp, prefix_len) != Z_OK)
1691          png_error(png_ptr, png_ptr->zstream.msg);
1692    }
1693 
1694    else
1695    {
1696       if (comp.input_len > PNG_UINT_31_MAX-prefix_len)
1697          png_error(png_ptr, "iTXt: uncompressed text too long");
1698 
1699       /* So the string will fit in a chunk: */
1700       comp.output_len = (png_uint_32)/*SAFE*/comp.input_len;
1701    }
1702 
1703    png_write_chunk_header(png_ptr, png_iTXt, comp.output_len + prefix_len);
1704 
1705    png_write_chunk_data(png_ptr, new_key, key_len);
1706 
1707    png_write_chunk_data(png_ptr, (png_const_bytep)lang, lang_len);
1708 
1709    png_write_chunk_data(png_ptr, (png_const_bytep)lang_key, lang_key_len);
1710 
1711    if (compression != 0)
1712       png_write_compressed_data_out(png_ptr, &comp);
1713 
1714    else
1715       png_write_chunk_data(png_ptr, (png_const_bytep)text, comp.output_len);
1716 
1717    png_write_chunk_end(png_ptr);
1718 }
1719 #endif
1720 
1721 #ifdef PNG_WRITE_oFFs_SUPPORTED
1722 /* Write the oFFs chunk */
1723 void /* PRIVATE */
png_write_oFFs(png_structrp png_ptr,png_int_32 x_offset,png_int_32 y_offset,int unit_type)1724 png_write_oFFs(png_structrp png_ptr, png_int_32 x_offset, png_int_32 y_offset,
1725     int unit_type)
1726 {
1727    png_byte buf[9];
1728 
1729    png_debug(1, "in png_write_oFFs");
1730 
1731    if (unit_type >= PNG_OFFSET_LAST)
1732       png_warning(png_ptr, "Unrecognized unit type for oFFs chunk");
1733 
1734    png_save_int_32(buf, x_offset);
1735    png_save_int_32(buf + 4, y_offset);
1736    buf[8] = (png_byte)unit_type;
1737 
1738    png_write_complete_chunk(png_ptr, png_oFFs, buf, 9);
1739 }
1740 #endif
1741 #ifdef PNG_WRITE_pCAL_SUPPORTED
1742 /* Write the pCAL chunk (described in the PNG extensions document) */
1743 void /* PRIVATE */
png_write_pCAL(png_structrp png_ptr,png_charp purpose,png_int_32 X0,png_int_32 X1,int type,int nparams,png_const_charp units,png_charpp params)1744 png_write_pCAL(png_structrp png_ptr, png_charp purpose, png_int_32 X0,
1745     png_int_32 X1, int type, int nparams, png_const_charp units,
1746     png_charpp params)
1747 {
1748    png_uint_32 purpose_len;
1749    size_t units_len, total_len;
1750    png_size_tp params_len;
1751    png_byte buf[10];
1752    png_byte new_purpose[80];
1753    int i;
1754 
1755    png_debug1(1, "in png_write_pCAL (%d parameters)", nparams);
1756 
1757    if (type >= PNG_EQUATION_LAST)
1758       png_error(png_ptr, "Unrecognized equation type for pCAL chunk");
1759 
1760    purpose_len = png_check_keyword(png_ptr, purpose, new_purpose);
1761 
1762    if (purpose_len == 0)
1763       png_error(png_ptr, "pCAL: invalid keyword");
1764 
1765    ++purpose_len; /* terminator */
1766 
1767    png_debug1(3, "pCAL purpose length = %d", (int)purpose_len);
1768    units_len = strlen(units) + (nparams == 0 ? 0 : 1);
1769    png_debug1(3, "pCAL units length = %d", (int)units_len);
1770    total_len = purpose_len + units_len + 10;
1771 
1772    params_len = (png_size_tp)png_malloc(png_ptr,
1773        (png_alloc_size_t)((png_alloc_size_t)nparams * (sizeof (size_t))));
1774 
1775    /* Find the length of each parameter, making sure we don't count the
1776     * null terminator for the last parameter.
1777     */
1778    for (i = 0; i < nparams; i++)
1779    {
1780       params_len[i] = strlen(params[i]) + (i == nparams - 1 ? 0 : 1);
1781       png_debug2(3, "pCAL parameter %d length = %lu", i,
1782           (unsigned long)params_len[i]);
1783       total_len += params_len[i];
1784    }
1785 
1786    png_debug1(3, "pCAL total length = %d", (int)total_len);
1787    png_write_chunk_header(png_ptr, png_pCAL, (png_uint_32)total_len);
1788    png_write_chunk_data(png_ptr, new_purpose, purpose_len);
1789    png_save_int_32(buf, X0);
1790    png_save_int_32(buf + 4, X1);
1791    buf[8] = (png_byte)type;
1792    buf[9] = (png_byte)nparams;
1793    png_write_chunk_data(png_ptr, buf, 10);
1794    png_write_chunk_data(png_ptr, (png_const_bytep)units, (size_t)units_len);
1795 
1796    for (i = 0; i < nparams; i++)
1797    {
1798       png_write_chunk_data(png_ptr, (png_const_bytep)params[i], params_len[i]);
1799    }
1800 
1801    png_free(png_ptr, params_len);
1802    png_write_chunk_end(png_ptr);
1803 }
1804 #endif
1805 
1806 #ifdef PNG_WRITE_sCAL_SUPPORTED
1807 /* Write the sCAL chunk */
1808 void /* PRIVATE */
png_write_sCAL_s(png_structrp png_ptr,int unit,png_const_charp width,png_const_charp height)1809 png_write_sCAL_s(png_structrp png_ptr, int unit, png_const_charp width,
1810     png_const_charp height)
1811 {
1812    png_byte buf[64];
1813    size_t wlen, hlen, total_len;
1814 
1815    png_debug(1, "in png_write_sCAL_s");
1816 
1817    wlen = strlen(width);
1818    hlen = strlen(height);
1819    total_len = wlen + hlen + 2;
1820 
1821    if (total_len > 64)
1822    {
1823       png_warning(png_ptr, "Can't write sCAL (buffer too small)");
1824       return;
1825    }
1826 
1827    buf[0] = (png_byte)unit;
1828    memcpy(buf + 1, width, wlen + 1);      /* Append the '\0' here */
1829    memcpy(buf + wlen + 2, height, hlen);  /* Do NOT append the '\0' here */
1830 
1831    png_debug1(3, "sCAL total length = %u", (unsigned int)total_len);
1832    png_write_complete_chunk(png_ptr, png_sCAL, buf, total_len);
1833 }
1834 #endif
1835 
1836 #ifdef PNG_WRITE_pHYs_SUPPORTED
1837 /* Write the pHYs chunk */
1838 void /* PRIVATE */
png_write_pHYs(png_structrp png_ptr,png_uint_32 x_pixels_per_unit,png_uint_32 y_pixels_per_unit,int unit_type)1839 png_write_pHYs(png_structrp png_ptr, png_uint_32 x_pixels_per_unit,
1840     png_uint_32 y_pixels_per_unit,
1841     int unit_type)
1842 {
1843    png_byte buf[9];
1844 
1845    png_debug(1, "in png_write_pHYs");
1846 
1847    if (unit_type >= PNG_RESOLUTION_LAST)
1848       png_warning(png_ptr, "Unrecognized unit type for pHYs chunk");
1849 
1850    png_save_uint_32(buf, x_pixels_per_unit);
1851    png_save_uint_32(buf + 4, y_pixels_per_unit);
1852    buf[8] = (png_byte)unit_type;
1853 
1854    png_write_complete_chunk(png_ptr, png_pHYs, buf, 9);
1855 }
1856 #endif
1857 
1858 #ifdef PNG_WRITE_tIME_SUPPORTED
1859 /* Write the tIME chunk.  Use either png_convert_from_struct_tm()
1860  * or png_convert_from_time_t(), or fill in the structure yourself.
1861  */
1862 void /* PRIVATE */
png_write_tIME(png_structrp png_ptr,png_const_timep mod_time)1863 png_write_tIME(png_structrp png_ptr, png_const_timep mod_time)
1864 {
1865    png_byte buf[7];
1866 
1867    png_debug(1, "in png_write_tIME");
1868 
1869    if (mod_time->month  > 12 || mod_time->month  < 1 ||
1870        mod_time->day    > 31 || mod_time->day    < 1 ||
1871        mod_time->hour   > 23 || mod_time->second > 60)
1872    {
1873       png_warning(png_ptr, "Invalid time specified for tIME chunk");
1874       return;
1875    }
1876 
1877    png_save_uint_16(buf, mod_time->year);
1878    buf[2] = mod_time->month;
1879    buf[3] = mod_time->day;
1880    buf[4] = mod_time->hour;
1881    buf[5] = mod_time->minute;
1882    buf[6] = mod_time->second;
1883 
1884    png_write_complete_chunk(png_ptr, png_tIME, buf, 7);
1885 }
1886 #endif
1887 
1888 /* Initializes the row writing capability of libpng */
1889 void /* PRIVATE */
png_write_start_row(png_structrp png_ptr)1890 png_write_start_row(png_structrp png_ptr)
1891 {
1892 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
1893    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
1894 
1895    /* Start of interlace block */
1896    static const png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
1897 
1898    /* Offset to next interlace block */
1899    static const png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
1900 
1901    /* Start of interlace block in the y direction */
1902    static const png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
1903 
1904    /* Offset to next interlace block in the y direction */
1905    static const png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
1906 #endif
1907 
1908    png_alloc_size_t buf_size;
1909    int usr_pixel_depth;
1910 
1911 #ifdef PNG_WRITE_FILTER_SUPPORTED
1912    png_byte filters;
1913 #endif
1914 
1915    png_debug(1, "in png_write_start_row");
1916 
1917    usr_pixel_depth = png_ptr->usr_channels * png_ptr->usr_bit_depth;
1918    buf_size = PNG_ROWBYTES(usr_pixel_depth, png_ptr->width) + 1;
1919 
1920    /* 1.5.6: added to allow checking in the row write code. */
1921    png_ptr->transformed_pixel_depth = png_ptr->pixel_depth;
1922    png_ptr->maximum_pixel_depth = (png_byte)usr_pixel_depth;
1923 
1924    /* Set up row buffer */
1925    png_ptr->row_buf = png_voidcast(png_bytep, png_malloc(png_ptr, buf_size));
1926 
1927    png_ptr->row_buf[0] = PNG_FILTER_VALUE_NONE;
1928 
1929 #ifdef PNG_WRITE_FILTER_SUPPORTED
1930    filters = png_ptr->do_filter;
1931 
1932    if (png_ptr->height == 1)
1933       filters &= 0xff & ~(PNG_FILTER_UP|PNG_FILTER_AVG|PNG_FILTER_PAETH);
1934 
1935    if (png_ptr->width == 1)
1936       filters &= 0xff & ~(PNG_FILTER_SUB|PNG_FILTER_AVG|PNG_FILTER_PAETH);
1937 
1938    if (filters == 0)
1939       filters = PNG_FILTER_NONE;
1940 
1941    png_ptr->do_filter = filters;
1942 
1943    if (((filters & (PNG_FILTER_SUB | PNG_FILTER_UP | PNG_FILTER_AVG |
1944        PNG_FILTER_PAETH)) != 0) && png_ptr->try_row == NULL)
1945    {
1946       int num_filters = 0;
1947 
1948       png_ptr->try_row = png_voidcast(png_bytep, png_malloc(png_ptr, buf_size));
1949 
1950       if (filters & PNG_FILTER_SUB)
1951          num_filters++;
1952 
1953       if (filters & PNG_FILTER_UP)
1954          num_filters++;
1955 
1956       if (filters & PNG_FILTER_AVG)
1957          num_filters++;
1958 
1959       if (filters & PNG_FILTER_PAETH)
1960          num_filters++;
1961 
1962       if (num_filters > 1)
1963          png_ptr->tst_row = png_voidcast(png_bytep, png_malloc(png_ptr,
1964              buf_size));
1965    }
1966 
1967    /* We only need to keep the previous row if we are using one of the following
1968     * filters.
1969     */
1970    if ((filters & (PNG_FILTER_AVG | PNG_FILTER_UP | PNG_FILTER_PAETH)) != 0)
1971       png_ptr->prev_row = png_voidcast(png_bytep,
1972           png_calloc(png_ptr, buf_size));
1973 #endif /* WRITE_FILTER */
1974 
1975 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
1976    /* If interlaced, we need to set up width and height of pass */
1977    if (png_ptr->interlaced != 0)
1978    {
1979       if ((png_ptr->transformations & PNG_INTERLACE) == 0)
1980       {
1981          png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
1982              png_pass_ystart[0]) / png_pass_yinc[0];
1983 
1984          png_ptr->usr_width = (png_ptr->width + png_pass_inc[0] - 1 -
1985              png_pass_start[0]) / png_pass_inc[0];
1986       }
1987 
1988       else
1989       {
1990          png_ptr->num_rows = png_ptr->height;
1991          png_ptr->usr_width = png_ptr->width;
1992       }
1993    }
1994 
1995    else
1996 #endif
1997    {
1998       png_ptr->num_rows = png_ptr->height;
1999       png_ptr->usr_width = png_ptr->width;
2000    }
2001 }
2002 
2003 /* Internal use only.  Called when finished processing a row of data. */
2004 void /* PRIVATE */
png_write_finish_row(png_structrp png_ptr)2005 png_write_finish_row(png_structrp png_ptr)
2006 {
2007 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
2008    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
2009 
2010    /* Start of interlace block */
2011    static const png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
2012 
2013    /* Offset to next interlace block */
2014    static const png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
2015 
2016    /* Start of interlace block in the y direction */
2017    static const png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
2018 
2019    /* Offset to next interlace block in the y direction */
2020    static const png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
2021 #endif
2022 
2023    png_debug(1, "in png_write_finish_row");
2024 
2025    /* Next row */
2026    png_ptr->row_number++;
2027 
2028    /* See if we are done */
2029    if (png_ptr->row_number < png_ptr->num_rows)
2030       return;
2031 
2032 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
2033    /* If interlaced, go to next pass */
2034    if (png_ptr->interlaced != 0)
2035    {
2036       png_ptr->row_number = 0;
2037       if ((png_ptr->transformations & PNG_INTERLACE) != 0)
2038       {
2039          png_ptr->pass++;
2040       }
2041 
2042       else
2043       {
2044          /* Loop until we find a non-zero width or height pass */
2045          do
2046          {
2047             png_ptr->pass++;
2048 
2049             if (png_ptr->pass >= 7)
2050                break;
2051 
2052             png_ptr->usr_width = (png_ptr->width +
2053                 png_pass_inc[png_ptr->pass] - 1 -
2054                 png_pass_start[png_ptr->pass]) /
2055                 png_pass_inc[png_ptr->pass];
2056 
2057             png_ptr->num_rows = (png_ptr->height +
2058                 png_pass_yinc[png_ptr->pass] - 1 -
2059                 png_pass_ystart[png_ptr->pass]) /
2060                 png_pass_yinc[png_ptr->pass];
2061 
2062             if ((png_ptr->transformations & PNG_INTERLACE) != 0)
2063                break;
2064 
2065          } while (png_ptr->usr_width == 0 || png_ptr->num_rows == 0);
2066 
2067       }
2068 
2069       /* Reset the row above the image for the next pass */
2070       if (png_ptr->pass < 7)
2071       {
2072          if (png_ptr->prev_row != NULL)
2073             memset(png_ptr->prev_row, 0,
2074                 PNG_ROWBYTES(png_ptr->usr_channels *
2075                 png_ptr->usr_bit_depth, png_ptr->width) + 1);
2076 
2077          return;
2078       }
2079    }
2080 #endif
2081 
2082    /* If we get here, we've just written the last row, so we need
2083       to flush the compressor */
2084    png_compress_IDAT(png_ptr, NULL, 0, Z_FINISH);
2085 }
2086 
2087 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
2088 /* Pick out the correct pixels for the interlace pass.
2089  * The basic idea here is to go through the row with a source
2090  * pointer and a destination pointer (sp and dp), and copy the
2091  * correct pixels for the pass.  As the row gets compacted,
2092  * sp will always be >= dp, so we should never overwrite anything.
2093  * See the default: case for the easiest code to understand.
2094  */
2095 void /* PRIVATE */
png_do_write_interlace(png_row_infop row_info,png_bytep row,int pass)2096 png_do_write_interlace(png_row_infop row_info, png_bytep row, int pass)
2097 {
2098    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
2099 
2100    /* Start of interlace block */
2101    static const png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
2102 
2103    /* Offset to next interlace block */
2104    static const png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
2105 
2106    png_debug(1, "in png_do_write_interlace");
2107 
2108    /* We don't have to do anything on the last pass (6) */
2109    if (pass < 6)
2110    {
2111       /* Each pixel depth is handled separately */
2112       switch (row_info->pixel_depth)
2113       {
2114          case 1:
2115          {
2116             png_bytep sp;
2117             png_bytep dp;
2118             unsigned int shift;
2119             int d;
2120             int value;
2121             png_uint_32 i;
2122             png_uint_32 row_width = row_info->width;
2123 
2124             dp = row;
2125             d = 0;
2126             shift = 7;
2127 
2128             for (i = png_pass_start[pass]; i < row_width;
2129                i += png_pass_inc[pass])
2130             {
2131                sp = row + (size_t)(i >> 3);
2132                value = (int)(*sp >> (7 - (int)(i & 0x07))) & 0x01;
2133                d |= (value << shift);
2134 
2135                if (shift == 0)
2136                {
2137                   shift = 7;
2138                   *dp++ = (png_byte)d;
2139                   d = 0;
2140                }
2141 
2142                else
2143                   shift--;
2144 
2145             }
2146             if (shift != 7)
2147                *dp = (png_byte)d;
2148 
2149             break;
2150          }
2151 
2152          case 2:
2153          {
2154             png_bytep sp;
2155             png_bytep dp;
2156             unsigned int shift;
2157             int d;
2158             int value;
2159             png_uint_32 i;
2160             png_uint_32 row_width = row_info->width;
2161 
2162             dp = row;
2163             shift = 6;
2164             d = 0;
2165 
2166             for (i = png_pass_start[pass]; i < row_width;
2167                i += png_pass_inc[pass])
2168             {
2169                sp = row + (size_t)(i >> 2);
2170                value = (*sp >> ((3 - (int)(i & 0x03)) << 1)) & 0x03;
2171                d |= (value << shift);
2172 
2173                if (shift == 0)
2174                {
2175                   shift = 6;
2176                   *dp++ = (png_byte)d;
2177                   d = 0;
2178                }
2179 
2180                else
2181                   shift -= 2;
2182             }
2183             if (shift != 6)
2184                *dp = (png_byte)d;
2185 
2186             break;
2187          }
2188 
2189          case 4:
2190          {
2191             png_bytep sp;
2192             png_bytep dp;
2193             unsigned int shift;
2194             int d;
2195             int value;
2196             png_uint_32 i;
2197             png_uint_32 row_width = row_info->width;
2198 
2199             dp = row;
2200             shift = 4;
2201             d = 0;
2202             for (i = png_pass_start[pass]; i < row_width;
2203                 i += png_pass_inc[pass])
2204             {
2205                sp = row + (size_t)(i >> 1);
2206                value = (*sp >> ((1 - (int)(i & 0x01)) << 2)) & 0x0f;
2207                d |= (value << shift);
2208 
2209                if (shift == 0)
2210                {
2211                   shift = 4;
2212                   *dp++ = (png_byte)d;
2213                   d = 0;
2214                }
2215 
2216                else
2217                   shift -= 4;
2218             }
2219             if (shift != 4)
2220                *dp = (png_byte)d;
2221 
2222             break;
2223          }
2224 
2225          default:
2226          {
2227             png_bytep sp;
2228             png_bytep dp;
2229             png_uint_32 i;
2230             png_uint_32 row_width = row_info->width;
2231             size_t pixel_bytes;
2232 
2233             /* Start at the beginning */
2234             dp = row;
2235 
2236             /* Find out how many bytes each pixel takes up */
2237             pixel_bytes = (row_info->pixel_depth >> 3);
2238 
2239             /* Loop through the row, only looking at the pixels that matter */
2240             for (i = png_pass_start[pass]; i < row_width;
2241                i += png_pass_inc[pass])
2242             {
2243                /* Find out where the original pixel is */
2244                sp = row + (size_t)i * pixel_bytes;
2245 
2246                /* Move the pixel */
2247                if (dp != sp)
2248                   memcpy(dp, sp, pixel_bytes);
2249 
2250                /* Next pixel */
2251                dp += pixel_bytes;
2252             }
2253             break;
2254          }
2255       }
2256       /* Set new row width */
2257       row_info->width = (row_info->width +
2258           png_pass_inc[pass] - 1 -
2259           png_pass_start[pass]) /
2260           png_pass_inc[pass];
2261 
2262       row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth,
2263           row_info->width);
2264    }
2265 }
2266 #endif
2267 
2268 
2269 /* This filters the row, chooses which filter to use, if it has not already
2270  * been specified by the application, and then writes the row out with the
2271  * chosen filter.
2272  */
2273 static void /* PRIVATE */
2274 png_write_filtered_row(png_structrp png_ptr, png_bytep filtered_row,
2275     size_t row_bytes);
2276 
2277 #ifdef PNG_WRITE_FILTER_SUPPORTED
2278 static size_t /* PRIVATE */
png_setup_sub_row(png_structrp png_ptr,png_uint_32 bpp,size_t row_bytes,size_t lmins)2279 png_setup_sub_row(png_structrp png_ptr, png_uint_32 bpp,
2280     size_t row_bytes, size_t lmins)
2281 {
2282    png_bytep rp, dp, lp;
2283    size_t i;
2284    size_t sum = 0;
2285    unsigned int v;
2286 
2287    png_ptr->try_row[0] = PNG_FILTER_VALUE_SUB;
2288 
2289    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1; i < bpp;
2290         i++, rp++, dp++)
2291    {
2292       v = *dp = *rp;
2293 #ifdef PNG_USE_ABS
2294       sum += 128 - abs((int)v - 128);
2295 #else
2296       sum += (v < 128) ? v : 256 - v;
2297 #endif
2298    }
2299 
2300    for (lp = png_ptr->row_buf + 1; i < row_bytes;
2301       i++, rp++, lp++, dp++)
2302    {
2303       v = *dp = (png_byte)(((int)*rp - (int)*lp) & 0xff);
2304 #ifdef PNG_USE_ABS
2305       sum += 128 - abs((int)v - 128);
2306 #else
2307       sum += (v < 128) ? v : 256 - v;
2308 #endif
2309 
2310       if (sum > lmins)  /* We are already worse, don't continue. */
2311         break;
2312    }
2313 
2314    return (sum);
2315 }
2316 
2317 static void /* PRIVATE */
png_setup_sub_row_only(png_structrp png_ptr,png_uint_32 bpp,size_t row_bytes)2318 png_setup_sub_row_only(png_structrp png_ptr, png_uint_32 bpp,
2319     size_t row_bytes)
2320 {
2321    png_bytep rp, dp, lp;
2322    size_t i;
2323 
2324    png_ptr->try_row[0] = PNG_FILTER_VALUE_SUB;
2325 
2326    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1; i < bpp;
2327         i++, rp++, dp++)
2328    {
2329       *dp = *rp;
2330    }
2331 
2332    for (lp = png_ptr->row_buf + 1; i < row_bytes;
2333       i++, rp++, lp++, dp++)
2334    {
2335       *dp = (png_byte)(((int)*rp - (int)*lp) & 0xff);
2336    }
2337 }
2338 
2339 static size_t /* PRIVATE */
png_setup_up_row(png_structrp png_ptr,size_t row_bytes,size_t lmins)2340 png_setup_up_row(png_structrp png_ptr, size_t row_bytes, size_t lmins)
2341 {
2342    png_bytep rp, dp, pp;
2343    size_t i;
2344    size_t sum = 0;
2345    unsigned int v;
2346 
2347    png_ptr->try_row[0] = PNG_FILTER_VALUE_UP;
2348 
2349    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1,
2350        pp = png_ptr->prev_row + 1; i < row_bytes;
2351        i++, rp++, pp++, dp++)
2352    {
2353       v = *dp = (png_byte)(((int)*rp - (int)*pp) & 0xff);
2354 #ifdef PNG_USE_ABS
2355       sum += 128 - abs((int)v - 128);
2356 #else
2357       sum += (v < 128) ? v : 256 - v;
2358 #endif
2359 
2360       if (sum > lmins)  /* We are already worse, don't continue. */
2361         break;
2362    }
2363 
2364    return (sum);
2365 }
2366 static void /* PRIVATE */
png_setup_up_row_only(png_structrp png_ptr,size_t row_bytes)2367 png_setup_up_row_only(png_structrp png_ptr, size_t row_bytes)
2368 {
2369    png_bytep rp, dp, pp;
2370    size_t i;
2371 
2372    png_ptr->try_row[0] = PNG_FILTER_VALUE_UP;
2373 
2374    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1,
2375        pp = png_ptr->prev_row + 1; i < row_bytes;
2376        i++, rp++, pp++, dp++)
2377    {
2378       *dp = (png_byte)(((int)*rp - (int)*pp) & 0xff);
2379    }
2380 }
2381 
2382 static size_t /* PRIVATE */
png_setup_avg_row(png_structrp png_ptr,png_uint_32 bpp,size_t row_bytes,size_t lmins)2383 png_setup_avg_row(png_structrp png_ptr, png_uint_32 bpp,
2384     size_t row_bytes, size_t lmins)
2385 {
2386    png_bytep rp, dp, pp, lp;
2387    png_uint_32 i;
2388    size_t sum = 0;
2389    unsigned int v;
2390 
2391    png_ptr->try_row[0] = PNG_FILTER_VALUE_AVG;
2392 
2393    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1,
2394        pp = png_ptr->prev_row + 1; i < bpp; i++)
2395    {
2396       v = *dp++ = (png_byte)(((int)*rp++ - ((int)*pp++ / 2)) & 0xff);
2397 
2398 #ifdef PNG_USE_ABS
2399       sum += 128 - abs((int)v - 128);
2400 #else
2401       sum += (v < 128) ? v : 256 - v;
2402 #endif
2403    }
2404 
2405    for (lp = png_ptr->row_buf + 1; i < row_bytes; i++)
2406    {
2407       v = *dp++ = (png_byte)(((int)*rp++ - (((int)*pp++ + (int)*lp++) / 2))
2408           & 0xff);
2409 
2410 #ifdef PNG_USE_ABS
2411       sum += 128 - abs((int)v - 128);
2412 #else
2413       sum += (v < 128) ? v : 256 - v;
2414 #endif
2415 
2416       if (sum > lmins)  /* We are already worse, don't continue. */
2417         break;
2418    }
2419 
2420    return (sum);
2421 }
2422 static void /* PRIVATE */
png_setup_avg_row_only(png_structrp png_ptr,png_uint_32 bpp,size_t row_bytes)2423 png_setup_avg_row_only(png_structrp png_ptr, png_uint_32 bpp,
2424     size_t row_bytes)
2425 {
2426    png_bytep rp, dp, pp, lp;
2427    png_uint_32 i;
2428 
2429    png_ptr->try_row[0] = PNG_FILTER_VALUE_AVG;
2430 
2431    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1,
2432        pp = png_ptr->prev_row + 1; i < bpp; i++)
2433    {
2434       *dp++ = (png_byte)(((int)*rp++ - ((int)*pp++ / 2)) & 0xff);
2435    }
2436 
2437    for (lp = png_ptr->row_buf + 1; i < row_bytes; i++)
2438    {
2439       *dp++ = (png_byte)(((int)*rp++ - (((int)*pp++ + (int)*lp++) / 2))
2440           & 0xff);
2441    }
2442 }
2443 
2444 static size_t /* PRIVATE */
png_setup_paeth_row(png_structrp png_ptr,png_uint_32 bpp,size_t row_bytes,size_t lmins)2445 png_setup_paeth_row(png_structrp png_ptr, png_uint_32 bpp,
2446     size_t row_bytes, size_t lmins)
2447 {
2448    png_bytep rp, dp, pp, cp, lp;
2449    size_t i;
2450    size_t sum = 0;
2451    unsigned int v;
2452 
2453    png_ptr->try_row[0] = PNG_FILTER_VALUE_PAETH;
2454 
2455    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1,
2456        pp = png_ptr->prev_row + 1; i < bpp; i++)
2457    {
2458       v = *dp++ = (png_byte)(((int)*rp++ - (int)*pp++) & 0xff);
2459 
2460 #ifdef PNG_USE_ABS
2461       sum += 128 - abs((int)v - 128);
2462 #else
2463       sum += (v < 128) ? v : 256 - v;
2464 #endif
2465    }
2466 
2467    for (lp = png_ptr->row_buf + 1, cp = png_ptr->prev_row + 1; i < row_bytes;
2468         i++)
2469    {
2470       int a, b, c, pa, pb, pc, p;
2471 
2472       b = *pp++;
2473       c = *cp++;
2474       a = *lp++;
2475 
2476       p = b - c;
2477       pc = a - c;
2478 
2479 #ifdef PNG_USE_ABS
2480       pa = abs(p);
2481       pb = abs(pc);
2482       pc = abs(p + pc);
2483 #else
2484       pa = p < 0 ? -p : p;
2485       pb = pc < 0 ? -pc : pc;
2486       pc = (p + pc) < 0 ? -(p + pc) : p + pc;
2487 #endif
2488 
2489       p = (pa <= pb && pa <=pc) ? a : (pb <= pc) ? b : c;
2490 
2491       v = *dp++ = (png_byte)(((int)*rp++ - p) & 0xff);
2492 
2493 #ifdef PNG_USE_ABS
2494       sum += 128 - abs((int)v - 128);
2495 #else
2496       sum += (v < 128) ? v : 256 - v;
2497 #endif
2498 
2499       if (sum > lmins)  /* We are already worse, don't continue. */
2500         break;
2501    }
2502 
2503    return (sum);
2504 }
2505 static void /* PRIVATE */
png_setup_paeth_row_only(png_structrp png_ptr,png_uint_32 bpp,size_t row_bytes)2506 png_setup_paeth_row_only(png_structrp png_ptr, png_uint_32 bpp,
2507     size_t row_bytes)
2508 {
2509    png_bytep rp, dp, pp, cp, lp;
2510    size_t i;
2511 
2512    png_ptr->try_row[0] = PNG_FILTER_VALUE_PAETH;
2513 
2514    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1,
2515        pp = png_ptr->prev_row + 1; i < bpp; i++)
2516    {
2517       *dp++ = (png_byte)(((int)*rp++ - (int)*pp++) & 0xff);
2518    }
2519 
2520    for (lp = png_ptr->row_buf + 1, cp = png_ptr->prev_row + 1; i < row_bytes;
2521         i++)
2522    {
2523       int a, b, c, pa, pb, pc, p;
2524 
2525       b = *pp++;
2526       c = *cp++;
2527       a = *lp++;
2528 
2529       p = b - c;
2530       pc = a - c;
2531 
2532 #ifdef PNG_USE_ABS
2533       pa = abs(p);
2534       pb = abs(pc);
2535       pc = abs(p + pc);
2536 #else
2537       pa = p < 0 ? -p : p;
2538       pb = pc < 0 ? -pc : pc;
2539       pc = (p + pc) < 0 ? -(p + pc) : p + pc;
2540 #endif
2541 
2542       p = (pa <= pb && pa <=pc) ? a : (pb <= pc) ? b : c;
2543 
2544       *dp++ = (png_byte)(((int)*rp++ - p) & 0xff);
2545    }
2546 }
2547 #endif /* WRITE_FILTER */
2548 
2549 void /* PRIVATE */
png_write_find_filter(png_structrp png_ptr,png_row_infop row_info)2550 png_write_find_filter(png_structrp png_ptr, png_row_infop row_info)
2551 {
2552 #ifndef PNG_WRITE_FILTER_SUPPORTED
2553    png_write_filtered_row(png_ptr, png_ptr->row_buf, row_info->rowbytes+1);
2554 #else
2555    unsigned int filter_to_do = png_ptr->do_filter;
2556    png_bytep row_buf;
2557    png_bytep best_row;
2558    png_uint_32 bpp;
2559    size_t mins;
2560    size_t row_bytes = row_info->rowbytes;
2561 
2562    png_debug(1, "in png_write_find_filter");
2563 
2564    /* Find out how many bytes offset each pixel is */
2565    bpp = (row_info->pixel_depth + 7) >> 3;
2566 
2567    row_buf = png_ptr->row_buf;
2568    mins = PNG_SIZE_MAX - 256/* so we can detect potential overflow of the
2569                                running sum */;
2570 
2571    /* The prediction method we use is to find which method provides the
2572     * smallest value when summing the absolute values of the distances
2573     * from zero, using anything >= 128 as negative numbers.  This is known
2574     * as the "minimum sum of absolute differences" heuristic.  Other
2575     * heuristics are the "weighted minimum sum of absolute differences"
2576     * (experimental and can in theory improve compression), and the "zlib
2577     * predictive" method (not implemented yet), which does test compressions
2578     * of lines using different filter methods, and then chooses the
2579     * (series of) filter(s) that give minimum compressed data size (VERY
2580     * computationally expensive).
2581     *
2582     * GRR 980525:  consider also
2583     *
2584     *   (1) minimum sum of absolute differences from running average (i.e.,
2585     *       keep running sum of non-absolute differences & count of bytes)
2586     *       [track dispersion, too?  restart average if dispersion too large?]
2587     *
2588     *  (1b) minimum sum of absolute differences from sliding average, probably
2589     *       with window size <= deflate window (usually 32K)
2590     *
2591     *   (2) minimum sum of squared differences from zero or running average
2592     *       (i.e., ~ root-mean-square approach)
2593     */
2594 
2595 
2596    /* We don't need to test the 'no filter' case if this is the only filter
2597     * that has been chosen, as it doesn't actually do anything to the data.
2598     */
2599    best_row = png_ptr->row_buf;
2600 
2601    if (PNG_SIZE_MAX/128 <= row_bytes)
2602    {
2603       /* Overflow can occur in the calculation, just select the lowest set
2604        * filter.
2605        */
2606       filter_to_do &= 0U-filter_to_do;
2607    }
2608    else if ((filter_to_do & PNG_FILTER_NONE) != 0 &&
2609          filter_to_do != PNG_FILTER_NONE)
2610    {
2611       /* Overflow not possible and multiple filters in the list, including the
2612        * 'none' filter.
2613        */
2614       png_bytep rp;
2615       size_t sum = 0;
2616       size_t i;
2617       unsigned int v;
2618 
2619       {
2620          for (i = 0, rp = row_buf + 1; i < row_bytes; i++, rp++)
2621          {
2622             v = *rp;
2623 #ifdef PNG_USE_ABS
2624             sum += 128 - abs((int)v - 128);
2625 #else
2626             sum += (v < 128) ? v : 256 - v;
2627 #endif
2628          }
2629       }
2630 
2631       mins = sum;
2632    }
2633 
2634    /* Sub filter */
2635    if (filter_to_do == PNG_FILTER_SUB)
2636    /* It's the only filter so no testing is needed */
2637    {
2638       png_setup_sub_row_only(png_ptr, bpp, row_bytes);
2639       best_row = png_ptr->try_row;
2640    }
2641 
2642    else if ((filter_to_do & PNG_FILTER_SUB) != 0)
2643    {
2644       size_t sum;
2645       size_t lmins = mins;
2646 
2647       sum = png_setup_sub_row(png_ptr, bpp, row_bytes, lmins);
2648 
2649       if (sum < mins)
2650       {
2651          mins = sum;
2652          best_row = png_ptr->try_row;
2653          if (png_ptr->tst_row != NULL)
2654          {
2655             png_ptr->try_row = png_ptr->tst_row;
2656             png_ptr->tst_row = best_row;
2657          }
2658       }
2659    }
2660 
2661    /* Up filter */
2662    if (filter_to_do == PNG_FILTER_UP)
2663    {
2664       png_setup_up_row_only(png_ptr, row_bytes);
2665       best_row = png_ptr->try_row;
2666    }
2667 
2668    else if ((filter_to_do & PNG_FILTER_UP) != 0)
2669    {
2670       size_t sum;
2671       size_t lmins = mins;
2672 
2673       sum = png_setup_up_row(png_ptr, row_bytes, lmins);
2674 
2675       if (sum < mins)
2676       {
2677          mins = sum;
2678          best_row = png_ptr->try_row;
2679          if (png_ptr->tst_row != NULL)
2680          {
2681             png_ptr->try_row = png_ptr->tst_row;
2682             png_ptr->tst_row = best_row;
2683          }
2684       }
2685    }
2686 
2687    /* Avg filter */
2688    if (filter_to_do == PNG_FILTER_AVG)
2689    {
2690       png_setup_avg_row_only(png_ptr, bpp, row_bytes);
2691       best_row = png_ptr->try_row;
2692    }
2693 
2694    else if ((filter_to_do & PNG_FILTER_AVG) != 0)
2695    {
2696       size_t sum;
2697       size_t lmins = mins;
2698 
2699       sum= png_setup_avg_row(png_ptr, bpp, row_bytes, lmins);
2700 
2701       if (sum < mins)
2702       {
2703          mins = sum;
2704          best_row = png_ptr->try_row;
2705          if (png_ptr->tst_row != NULL)
2706          {
2707             png_ptr->try_row = png_ptr->tst_row;
2708             png_ptr->tst_row = best_row;
2709          }
2710       }
2711    }
2712 
2713    /* Paeth filter */
2714    if (filter_to_do == PNG_FILTER_PAETH)
2715    {
2716       png_setup_paeth_row_only(png_ptr, bpp, row_bytes);
2717       best_row = png_ptr->try_row;
2718    }
2719 
2720    else if ((filter_to_do & PNG_FILTER_PAETH) != 0)
2721    {
2722       size_t sum;
2723       size_t lmins = mins;
2724 
2725       sum = png_setup_paeth_row(png_ptr, bpp, row_bytes, lmins);
2726 
2727       if (sum < mins)
2728       {
2729          best_row = png_ptr->try_row;
2730          if (png_ptr->tst_row != NULL)
2731          {
2732             png_ptr->try_row = png_ptr->tst_row;
2733             png_ptr->tst_row = best_row;
2734          }
2735       }
2736    }
2737 
2738    /* Do the actual writing of the filtered row data from the chosen filter. */
2739    png_write_filtered_row(png_ptr, best_row, row_info->rowbytes+1);
2740 
2741 #endif /* WRITE_FILTER */
2742 }
2743 
2744 
2745 /* Do the actual writing of a previously filtered row. */
2746 static void
png_write_filtered_row(png_structrp png_ptr,png_bytep filtered_row,size_t full_row_length)2747 png_write_filtered_row(png_structrp png_ptr, png_bytep filtered_row,
2748     size_t full_row_length/*includes filter byte*/)
2749 {
2750    png_debug(1, "in png_write_filtered_row");
2751 
2752    png_debug1(2, "filter = %d", filtered_row[0]);
2753 
2754    png_compress_IDAT(png_ptr, filtered_row, full_row_length, Z_NO_FLUSH);
2755 
2756 #ifdef PNG_WRITE_FILTER_SUPPORTED
2757    /* Swap the current and previous rows */
2758    if (png_ptr->prev_row != NULL)
2759    {
2760       png_bytep tptr;
2761 
2762       tptr = png_ptr->prev_row;
2763       png_ptr->prev_row = png_ptr->row_buf;
2764       png_ptr->row_buf = tptr;
2765    }
2766 #endif /* WRITE_FILTER */
2767 
2768    /* Finish row - updates counters and flushes zlib if last row */
2769    png_write_finish_row(png_ptr);
2770 
2771 #ifdef PNG_WRITE_FLUSH_SUPPORTED
2772    png_ptr->flush_rows++;
2773 
2774    if (png_ptr->flush_dist > 0 &&
2775        png_ptr->flush_rows >= png_ptr->flush_dist)
2776    {
2777       png_write_flush(png_ptr);
2778    }
2779 #endif /* WRITE_FLUSH */
2780 }
2781 #endif /* WRITE */
2782