• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 
2 /* png.c - location for general purpose libpng functions
3  *
4  * Copyright (c) 2018-2022 Cosmin Truta
5  * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
6  * Copyright (c) 1996-1997 Andreas Dilger
7  * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8  *
9  * This code is released under the libpng license.
10  * For conditions of distribution and use, see the disclaimer
11  * and license in png.h
12  */
13 
14 #include "pngpriv.h"
15 
16 /* Generate a compiler error if there is an old png.h in the search path. */
17 typedef png_libpng_version_1_6_39 Your_png_h_is_not_version_1_6_39;
18 
19 #ifdef __GNUC__
20 /* The version tests may need to be added to, but the problem warning has
21  * consistently been fixed in GCC versions which obtain wide-spread release.
22  * The problem is that many versions of GCC rearrange comparison expressions in
23  * the optimizer in such a way that the results of the comparison will change
24  * if signed integer overflow occurs.  Such comparisons are not permitted in
25  * ANSI C90, however GCC isn't clever enough to work out that that do not occur
26  * below in png_ascii_from_fp and png_muldiv, so it produces a warning with
27  * -Wextra.  Unfortunately this is highly dependent on the optimizer and the
28  * machine architecture so the warning comes and goes unpredictably and is
29  * impossible to "fix", even were that a good idea.
30  */
31 #if __GNUC__ == 7 && __GNUC_MINOR__ == 1
32 #define GCC_STRICT_OVERFLOW 1
33 #endif /* GNU 7.1.x */
34 #endif /* GNU */
35 #ifndef GCC_STRICT_OVERFLOW
36 #define GCC_STRICT_OVERFLOW 0
37 #endif
38 
39 /* Tells libpng that we have already handled the first "num_bytes" bytes
40  * of the PNG file signature.  If the PNG data is embedded into another
41  * stream we can set num_bytes = 8 so that libpng will not attempt to read
42  * or write any of the magic bytes before it starts on the IHDR.
43  */
44 
45 #ifdef PNG_READ_SUPPORTED
46 void PNGAPI
png_set_sig_bytes(png_structrp png_ptr,int num_bytes)47 png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
48 {
49    unsigned int nb = (unsigned int)num_bytes;
50 
51    png_debug(1, "in png_set_sig_bytes");
52 
53    if (png_ptr == NULL)
54       return;
55 
56    if (num_bytes < 0)
57       nb = 0;
58 
59    if (nb > 8)
60       png_error(png_ptr, "Too many bytes for PNG signature");
61 
62    png_ptr->sig_bytes = (png_byte)nb;
63 }
64 
65 /* Checks whether the supplied bytes match the PNG signature.  We allow
66  * checking less than the full 8-byte signature so that those apps that
67  * already read the first few bytes of a file to determine the file type
68  * can simply check the remaining bytes for extra assurance.  Returns
69  * an integer less than, equal to, or greater than zero if sig is found,
70  * respectively, to be less than, to match, or be greater than the correct
71  * PNG signature (this is the same behavior as strcmp, memcmp, etc).
72  */
73 int PNGAPI
png_sig_cmp(png_const_bytep sig,size_t start,size_t num_to_check)74 png_sig_cmp(png_const_bytep sig, size_t start, size_t num_to_check)
75 {
76    png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
77 
78    if (num_to_check > 8)
79       num_to_check = 8;
80 
81    else if (num_to_check < 1)
82       return (-1);
83 
84    if (start > 7)
85       return (-1);
86 
87    if (start + num_to_check > 8)
88       num_to_check = 8 - start;
89 
90    return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));
91 }
92 
93 #endif /* READ */
94 
95 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
96 /* Function to allocate memory for zlib */
97 PNG_FUNCTION(voidpf /* PRIVATE */,
98 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
99 {
100    png_alloc_size_t num_bytes = size;
101 
102    if (png_ptr == NULL)
103       return NULL;
104 
105    if (items >= (~(png_alloc_size_t)0)/size)
106    {
107       png_warning (png_voidcast(png_structrp, png_ptr),
108           "Potential overflow in png_zalloc()");
109       return NULL;
110    }
111 
112    num_bytes *= items;
113    return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
114 }
115 
116 /* Function to free memory for zlib */
117 void /* PRIVATE */
png_zfree(voidpf png_ptr,voidpf ptr)118 png_zfree(voidpf png_ptr, voidpf ptr)
119 {
120    png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
121 }
122 
123 /* Reset the CRC variable to 32 bits of 1's.  Care must be taken
124  * in case CRC is > 32 bits to leave the top bits 0.
125  */
126 void /* PRIVATE */
png_reset_crc(png_structrp png_ptr)127 png_reset_crc(png_structrp png_ptr)
128 {
129    /* The cast is safe because the crc is a 32-bit value. */
130    png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
131 }
132 
133 /* Calculate the CRC over a section of data.  We can only pass as
134  * much data to this routine as the largest single buffer size.  We
135  * also check that this data will actually be used before going to the
136  * trouble of calculating it.
137  */
138 void /* PRIVATE */
png_calculate_crc(png_structrp png_ptr,png_const_bytep ptr,size_t length)139 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, size_t length)
140 {
141    int need_crc = 1;
142 
143    if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
144    {
145       if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
146           (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
147          need_crc = 0;
148    }
149 
150    else /* critical */
151    {
152       if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
153          need_crc = 0;
154    }
155 
156    /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
157     * systems it is a 64-bit value.  crc32, however, returns 32 bits so the
158     * following cast is safe.  'uInt' may be no more than 16 bits, so it is
159     * necessary to perform a loop here.
160     */
161    if (need_crc != 0 && length > 0)
162    {
163       uLong crc = png_ptr->crc; /* Should never issue a warning */
164 
165       do
166       {
167          uInt safe_length = (uInt)length;
168 #ifndef __COVERITY__
169          if (safe_length == 0)
170             safe_length = (uInt)-1; /* evil, but safe */
171 #endif
172 
173          crc = crc32(crc, ptr, safe_length);
174 
175          /* The following should never issue compiler warnings; if they do the
176           * target system has characteristics that will probably violate other
177           * assumptions within the libpng code.
178           */
179          ptr += safe_length;
180          length -= safe_length;
181       }
182       while (length > 0);
183 
184       /* And the following is always safe because the crc is only 32 bits. */
185       png_ptr->crc = (png_uint_32)crc;
186    }
187 }
188 
189 /* Check a user supplied version number, called from both read and write
190  * functions that create a png_struct.
191  */
192 int
png_user_version_check(png_structrp png_ptr,png_const_charp user_png_ver)193 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
194 {
195    /* Libpng versions 1.0.0 and later are binary compatible if the version
196     * string matches through the second '.'; we must recompile any
197     * applications that use any older library version.
198     */
199 
200    if (user_png_ver != NULL)
201    {
202       int i = -1;
203       int found_dots = 0;
204 
205       do
206       {
207          i++;
208          if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
209             png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
210          if (user_png_ver[i] == '.')
211             found_dots++;
212       } while (found_dots < 2 && user_png_ver[i] != 0 &&
213             PNG_LIBPNG_VER_STRING[i] != 0);
214    }
215 
216    else
217       png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
218 
219    if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
220    {
221 #ifdef PNG_WARNINGS_SUPPORTED
222       size_t pos = 0;
223       char m[128];
224 
225       pos = png_safecat(m, (sizeof m), pos,
226           "Application built with libpng-");
227       pos = png_safecat(m, (sizeof m), pos, user_png_ver);
228       pos = png_safecat(m, (sizeof m), pos, " but running with ");
229       pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
230       PNG_UNUSED(pos)
231 
232       png_warning(png_ptr, m);
233 #endif
234 
235 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
236       png_ptr->flags = 0;
237 #endif
238 
239       return 0;
240    }
241 
242    /* Success return. */
243    return 1;
244 }
245 
246 /* Generic function to create a png_struct for either read or write - this
247  * contains the common initialization.
248  */
249 PNG_FUNCTION(png_structp /* PRIVATE */,
250 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
251     png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
252     png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
253 {
254    png_struct create_struct;
255 #  ifdef PNG_SETJMP_SUPPORTED
256       jmp_buf create_jmp_buf;
257 #  endif
258 
259    /* This temporary stack-allocated structure is used to provide a place to
260     * build enough context to allow the user provided memory allocator (if any)
261     * to be called.
262     */
263    memset(&create_struct, 0, (sizeof create_struct));
264 
265    /* Added at libpng-1.2.6 */
266 #  ifdef PNG_USER_LIMITS_SUPPORTED
267       create_struct.user_width_max = PNG_USER_WIDTH_MAX;
268       create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
269 
270 #     ifdef PNG_USER_CHUNK_CACHE_MAX
271       /* Added at libpng-1.2.43 and 1.4.0 */
272       create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
273 #     endif
274 
275 #     ifdef PNG_USER_CHUNK_MALLOC_MAX
276       /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
277        * in png_struct regardless.
278        */
279       create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
280 #     endif
281 #  endif
282 
283    /* The following two API calls simply set fields in png_struct, so it is safe
284     * to do them now even though error handling is not yet set up.
285     */
286 #  ifdef PNG_USER_MEM_SUPPORTED
287       png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
288 #  else
289       PNG_UNUSED(mem_ptr)
290       PNG_UNUSED(malloc_fn)
291       PNG_UNUSED(free_fn)
292 #  endif
293 
294    /* (*error_fn) can return control to the caller after the error_ptr is set,
295     * this will result in a memory leak unless the error_fn does something
296     * extremely sophisticated.  The design lacks merit but is implicit in the
297     * API.
298     */
299    png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
300 
301 #  ifdef PNG_SETJMP_SUPPORTED
302       if (!setjmp(create_jmp_buf))
303 #  endif
304       {
305 #  ifdef PNG_SETJMP_SUPPORTED
306          /* Temporarily fake out the longjmp information until we have
307           * successfully completed this function.  This only works if we have
308           * setjmp() support compiled in, but it is safe - this stuff should
309           * never happen.
310           */
311          create_struct.jmp_buf_ptr = &create_jmp_buf;
312          create_struct.jmp_buf_size = 0; /*stack allocation*/
313          create_struct.longjmp_fn = longjmp;
314 #  endif
315          /* Call the general version checker (shared with read and write code):
316           */
317          if (png_user_version_check(&create_struct, user_png_ver) != 0)
318          {
319             png_structrp png_ptr = png_voidcast(png_structrp,
320                 png_malloc_warn(&create_struct, (sizeof *png_ptr)));
321 
322             if (png_ptr != NULL)
323             {
324                /* png_ptr->zstream holds a back-pointer to the png_struct, so
325                 * this can only be done now:
326                 */
327                create_struct.zstream.zalloc = png_zalloc;
328                create_struct.zstream.zfree = png_zfree;
329                create_struct.zstream.opaque = png_ptr;
330 
331 #              ifdef PNG_SETJMP_SUPPORTED
332                /* Eliminate the local error handling: */
333                create_struct.jmp_buf_ptr = NULL;
334                create_struct.jmp_buf_size = 0;
335                create_struct.longjmp_fn = 0;
336 #              endif
337 
338                *png_ptr = create_struct;
339 
340                /* This is the successful return point */
341                return png_ptr;
342             }
343          }
344       }
345 
346    /* A longjmp because of a bug in the application storage allocator or a
347     * simple failure to allocate the png_struct.
348     */
349    return NULL;
350 }
351 
352 /* Allocate the memory for an info_struct for the application. */
353 PNG_FUNCTION(png_infop,PNGAPI
354 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
355 {
356    png_inforp info_ptr;
357 
358    png_debug(1, "in png_create_info_struct");
359 
360    if (png_ptr == NULL)
361       return NULL;
362 
363    /* Use the internal API that does not (or at least should not) error out, so
364     * that this call always returns ok.  The application typically sets up the
365     * error handling *after* creating the info_struct because this is the way it
366     * has always been done in 'example.c'.
367     */
368    info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
369        (sizeof *info_ptr)));
370 
371    if (info_ptr != NULL)
372       memset(info_ptr, 0, (sizeof *info_ptr));
373 
374    return info_ptr;
375 }
376 
377 /* This function frees the memory associated with a single info struct.
378  * Normally, one would use either png_destroy_read_struct() or
379  * png_destroy_write_struct() to free an info struct, but this may be
380  * useful for some applications.  From libpng 1.6.0 this function is also used
381  * internally to implement the png_info release part of the 'struct' destroy
382  * APIs.  This ensures that all possible approaches free the same data (all of
383  * it).
384  */
385 void PNGAPI
png_destroy_info_struct(png_const_structrp png_ptr,png_infopp info_ptr_ptr)386 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
387 {
388    png_inforp info_ptr = NULL;
389 
390    png_debug(1, "in png_destroy_info_struct");
391 
392    if (png_ptr == NULL)
393       return;
394 
395    if (info_ptr_ptr != NULL)
396       info_ptr = *info_ptr_ptr;
397 
398    if (info_ptr != NULL)
399    {
400       /* Do this first in case of an error below; if the app implements its own
401        * memory management this can lead to png_free calling png_error, which
402        * will abort this routine and return control to the app error handler.
403        * An infinite loop may result if it then tries to free the same info
404        * ptr.
405        */
406       *info_ptr_ptr = NULL;
407 
408       png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
409       memset(info_ptr, 0, (sizeof *info_ptr));
410       png_free(png_ptr, info_ptr);
411    }
412 }
413 
414 /* Initialize the info structure.  This is now an internal function (0.89)
415  * and applications using it are urged to use png_create_info_struct()
416  * instead.  Use deprecated in 1.6.0, internal use removed (used internally it
417  * is just a memset).
418  *
419  * NOTE: it is almost inconceivable that this API is used because it bypasses
420  * the user-memory mechanism and the user error handling/warning mechanisms in
421  * those cases where it does anything other than a memset.
422  */
423 PNG_FUNCTION(void,PNGAPI
424 png_info_init_3,(png_infopp ptr_ptr, size_t png_info_struct_size),
425     PNG_DEPRECATED)
426 {
427    png_inforp info_ptr = *ptr_ptr;
428 
429    png_debug(1, "in png_info_init_3");
430 
431    if (info_ptr == NULL)
432       return;
433 
434    if ((sizeof (png_info)) > png_info_struct_size)
435    {
436       *ptr_ptr = NULL;
437       /* The following line is why this API should not be used: */
438       free(info_ptr);
439       info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
440           (sizeof *info_ptr)));
441       if (info_ptr == NULL)
442          return;
443       *ptr_ptr = info_ptr;
444    }
445 
446    /* Set everything to 0 */
447    memset(info_ptr, 0, (sizeof *info_ptr));
448 }
449 
450 /* The following API is not called internally */
451 void PNGAPI
png_data_freer(png_const_structrp png_ptr,png_inforp info_ptr,int freer,png_uint_32 mask)452 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
453     int freer, png_uint_32 mask)
454 {
455    png_debug(1, "in png_data_freer");
456 
457    if (png_ptr == NULL || info_ptr == NULL)
458       return;
459 
460    if (freer == PNG_DESTROY_WILL_FREE_DATA)
461       info_ptr->free_me |= mask;
462 
463    else if (freer == PNG_USER_WILL_FREE_DATA)
464       info_ptr->free_me &= ~mask;
465 
466    else
467       png_error(png_ptr, "Unknown freer parameter in png_data_freer");
468 }
469 
470 void PNGAPI
png_free_data(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 mask,int num)471 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
472     int num)
473 {
474    png_debug(1, "in png_free_data");
475 
476    if (png_ptr == NULL || info_ptr == NULL)
477       return;
478 
479 #ifdef PNG_TEXT_SUPPORTED
480    /* Free text item num or (if num == -1) all text items */
481    if (info_ptr->text != NULL &&
482        ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
483    {
484       if (num != -1)
485       {
486          png_free(png_ptr, info_ptr->text[num].key);
487          info_ptr->text[num].key = NULL;
488       }
489 
490       else
491       {
492          int i;
493 
494          for (i = 0; i < info_ptr->num_text; i++)
495             png_free(png_ptr, info_ptr->text[i].key);
496 
497          png_free(png_ptr, info_ptr->text);
498          info_ptr->text = NULL;
499          info_ptr->num_text = 0;
500          info_ptr->max_text = 0;
501       }
502    }
503 #endif
504 
505 #ifdef PNG_tRNS_SUPPORTED
506    /* Free any tRNS entry */
507    if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
508    {
509       info_ptr->valid &= ~PNG_INFO_tRNS;
510       png_free(png_ptr, info_ptr->trans_alpha);
511       info_ptr->trans_alpha = NULL;
512       info_ptr->num_trans = 0;
513    }
514 #endif
515 
516 #ifdef PNG_sCAL_SUPPORTED
517    /* Free any sCAL entry */
518    if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
519    {
520       png_free(png_ptr, info_ptr->scal_s_width);
521       png_free(png_ptr, info_ptr->scal_s_height);
522       info_ptr->scal_s_width = NULL;
523       info_ptr->scal_s_height = NULL;
524       info_ptr->valid &= ~PNG_INFO_sCAL;
525    }
526 #endif
527 
528 #ifdef PNG_pCAL_SUPPORTED
529    /* Free any pCAL entry */
530    if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
531    {
532       png_free(png_ptr, info_ptr->pcal_purpose);
533       png_free(png_ptr, info_ptr->pcal_units);
534       info_ptr->pcal_purpose = NULL;
535       info_ptr->pcal_units = NULL;
536 
537       if (info_ptr->pcal_params != NULL)
538          {
539             int i;
540 
541             for (i = 0; i < info_ptr->pcal_nparams; i++)
542                png_free(png_ptr, info_ptr->pcal_params[i]);
543 
544             png_free(png_ptr, info_ptr->pcal_params);
545             info_ptr->pcal_params = NULL;
546          }
547       info_ptr->valid &= ~PNG_INFO_pCAL;
548    }
549 #endif
550 
551 #ifdef PNG_iCCP_SUPPORTED
552    /* Free any profile entry */
553    if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
554    {
555       png_free(png_ptr, info_ptr->iccp_name);
556       png_free(png_ptr, info_ptr->iccp_profile);
557       info_ptr->iccp_name = NULL;
558       info_ptr->iccp_profile = NULL;
559       info_ptr->valid &= ~PNG_INFO_iCCP;
560    }
561 #endif
562 
563 #ifdef PNG_sPLT_SUPPORTED
564    /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
565    if (info_ptr->splt_palettes != NULL &&
566        ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
567    {
568       if (num != -1)
569       {
570          png_free(png_ptr, info_ptr->splt_palettes[num].name);
571          png_free(png_ptr, info_ptr->splt_palettes[num].entries);
572          info_ptr->splt_palettes[num].name = NULL;
573          info_ptr->splt_palettes[num].entries = NULL;
574       }
575 
576       else
577       {
578          int i;
579 
580          for (i = 0; i < info_ptr->splt_palettes_num; i++)
581          {
582             png_free(png_ptr, info_ptr->splt_palettes[i].name);
583             png_free(png_ptr, info_ptr->splt_palettes[i].entries);
584          }
585 
586          png_free(png_ptr, info_ptr->splt_palettes);
587          info_ptr->splt_palettes = NULL;
588          info_ptr->splt_palettes_num = 0;
589          info_ptr->valid &= ~PNG_INFO_sPLT;
590       }
591    }
592 #endif
593 
594 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
595    if (info_ptr->unknown_chunks != NULL &&
596        ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
597    {
598       if (num != -1)
599       {
600           png_free(png_ptr, info_ptr->unknown_chunks[num].data);
601           info_ptr->unknown_chunks[num].data = NULL;
602       }
603 
604       else
605       {
606          int i;
607 
608          for (i = 0; i < info_ptr->unknown_chunks_num; i++)
609             png_free(png_ptr, info_ptr->unknown_chunks[i].data);
610 
611          png_free(png_ptr, info_ptr->unknown_chunks);
612          info_ptr->unknown_chunks = NULL;
613          info_ptr->unknown_chunks_num = 0;
614       }
615    }
616 #endif
617 
618 #ifdef PNG_eXIf_SUPPORTED
619    /* Free any eXIf entry */
620    if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != 0)
621    {
622 # ifdef PNG_READ_eXIf_SUPPORTED
623       if (info_ptr->eXIf_buf)
624       {
625          png_free(png_ptr, info_ptr->eXIf_buf);
626          info_ptr->eXIf_buf = NULL;
627       }
628 # endif
629       if (info_ptr->exif)
630       {
631          png_free(png_ptr, info_ptr->exif);
632          info_ptr->exif = NULL;
633       }
634       info_ptr->valid &= ~PNG_INFO_eXIf;
635    }
636 #endif
637 
638 #ifdef PNG_hIST_SUPPORTED
639    /* Free any hIST entry */
640    if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
641    {
642       png_free(png_ptr, info_ptr->hist);
643       info_ptr->hist = NULL;
644       info_ptr->valid &= ~PNG_INFO_hIST;
645    }
646 #endif
647 
648    /* Free any PLTE entry that was internally allocated */
649    if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
650    {
651       png_free(png_ptr, info_ptr->palette);
652       info_ptr->palette = NULL;
653       info_ptr->valid &= ~PNG_INFO_PLTE;
654       info_ptr->num_palette = 0;
655    }
656 
657 #ifdef PNG_INFO_IMAGE_SUPPORTED
658    /* Free any image bits attached to the info structure */
659    if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
660    {
661       if (info_ptr->row_pointers != NULL)
662       {
663          png_uint_32 row;
664          for (row = 0; row < info_ptr->height; row++)
665             png_free(png_ptr, info_ptr->row_pointers[row]);
666 
667          png_free(png_ptr, info_ptr->row_pointers);
668          info_ptr->row_pointers = NULL;
669       }
670       info_ptr->valid &= ~PNG_INFO_IDAT;
671    }
672 #endif
673 
674    if (num != -1)
675       mask &= ~PNG_FREE_MUL;
676 
677    info_ptr->free_me &= ~mask;
678 }
679 #endif /* READ || WRITE */
680 
681 /* This function returns a pointer to the io_ptr associated with the user
682  * functions.  The application should free any memory associated with this
683  * pointer before png_write_destroy() or png_read_destroy() are called.
684  */
685 png_voidp PNGAPI
png_get_io_ptr(png_const_structrp png_ptr)686 png_get_io_ptr(png_const_structrp png_ptr)
687 {
688    if (png_ptr == NULL)
689       return (NULL);
690 
691    return (png_ptr->io_ptr);
692 }
693 
694 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
695 #  ifdef PNG_STDIO_SUPPORTED
696 /* Initialize the default input/output functions for the PNG file.  If you
697  * use your own read or write routines, you can call either png_set_read_fn()
698  * or png_set_write_fn() instead of png_init_io().  If you have defined
699  * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
700  * function of your own because "FILE *" isn't necessarily available.
701  */
702 void PNGAPI
png_init_io(png_structrp png_ptr,png_FILE_p fp)703 png_init_io(png_structrp png_ptr, png_FILE_p fp)
704 {
705    png_debug(1, "in png_init_io");
706 
707    if (png_ptr == NULL)
708       return;
709 
710    png_ptr->io_ptr = (png_voidp)fp;
711 }
712 #  endif
713 
714 #  ifdef PNG_SAVE_INT_32_SUPPORTED
715 /* PNG signed integers are saved in 32-bit 2's complement format.  ANSI C-90
716  * defines a cast of a signed integer to an unsigned integer either to preserve
717  * the value, if it is positive, or to calculate:
718  *
719  *     (UNSIGNED_MAX+1) + integer
720  *
721  * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
722  * negative integral value is added the result will be an unsigned value
723  * corresponding to the 2's complement representation.
724  */
725 void PNGAPI
png_save_int_32(png_bytep buf,png_int_32 i)726 png_save_int_32(png_bytep buf, png_int_32 i)
727 {
728    png_save_uint_32(buf, (png_uint_32)i);
729 }
730 #  endif
731 
732 #  ifdef PNG_TIME_RFC1123_SUPPORTED
733 /* Convert the supplied time into an RFC 1123 string suitable for use in
734  * a "Creation Time" or other text-based time string.
735  */
736 int PNGAPI
png_convert_to_rfc1123_buffer(char out[29],png_const_timep ptime)737 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
738 {
739    static const char short_months[12][4] =
740         {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
741          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
742 
743    if (out == NULL)
744       return 0;
745 
746    if (ptime->year > 9999 /* RFC1123 limitation */ ||
747        ptime->month == 0    ||  ptime->month > 12  ||
748        ptime->day   == 0    ||  ptime->day   > 31  ||
749        ptime->hour  > 23    ||  ptime->minute > 59 ||
750        ptime->second > 60)
751       return 0;
752 
753    {
754       size_t pos = 0;
755       char number_buf[5]; /* enough for a four-digit year */
756 
757 #     define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
758 #     define APPEND_NUMBER(format, value)\
759          APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
760 #     define APPEND(ch) if (pos < 28) out[pos++] = (ch)
761 
762       APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
763       APPEND(' ');
764       APPEND_STRING(short_months[(ptime->month - 1)]);
765       APPEND(' ');
766       APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
767       APPEND(' ');
768       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
769       APPEND(':');
770       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
771       APPEND(':');
772       APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
773       APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
774       PNG_UNUSED (pos)
775 
776 #     undef APPEND
777 #     undef APPEND_NUMBER
778 #     undef APPEND_STRING
779    }
780 
781    return 1;
782 }
783 
784 #    if PNG_LIBPNG_VER < 10700
785 /* To do: remove the following from libpng-1.7 */
786 /* Original API that uses a private buffer in png_struct.
787  * Deprecated because it causes png_struct to carry a spurious temporary
788  * buffer (png_struct::time_buffer), better to have the caller pass this in.
789  */
790 png_const_charp PNGAPI
png_convert_to_rfc1123(png_structrp png_ptr,png_const_timep ptime)791 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
792 {
793    if (png_ptr != NULL)
794    {
795       /* The only failure above if png_ptr != NULL is from an invalid ptime */
796       if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
797          png_warning(png_ptr, "Ignoring invalid time value");
798 
799       else
800          return png_ptr->time_buffer;
801    }
802 
803    return NULL;
804 }
805 #    endif /* LIBPNG_VER < 10700 */
806 #  endif /* TIME_RFC1123 */
807 
808 #endif /* READ || WRITE */
809 
810 png_const_charp PNGAPI
png_get_copyright(png_const_structrp png_ptr)811 png_get_copyright(png_const_structrp png_ptr)
812 {
813    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
814 #ifdef PNG_STRING_COPYRIGHT
815    return PNG_STRING_COPYRIGHT
816 #else
817    return PNG_STRING_NEWLINE \
818       "libpng version 1.6.39" PNG_STRING_NEWLINE \
819       "Copyright (c) 2018-2022 Cosmin Truta" PNG_STRING_NEWLINE \
820       "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
821       PNG_STRING_NEWLINE \
822       "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
823       "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
824       PNG_STRING_NEWLINE;
825 #endif
826 }
827 
828 /* The following return the library version as a short string in the
829  * format 1.0.0 through 99.99.99zz.  To get the version of *.h files
830  * used with your application, print out PNG_LIBPNG_VER_STRING, which
831  * is defined in png.h.
832  * Note: now there is no difference between png_get_libpng_ver() and
833  * png_get_header_ver().  Due to the version_nn_nn_nn typedef guard,
834  * it is guaranteed that png.c uses the correct version of png.h.
835  */
836 png_const_charp PNGAPI
837 png_get_libpng_ver(png_const_structrp png_ptr)
838 {
839    /* Version of *.c files used when building libpng */
840    return png_get_header_ver(png_ptr);
841 }
842 
843 png_const_charp PNGAPI
844 png_get_header_ver(png_const_structrp png_ptr)
845 {
846    /* Version of *.h files used when building libpng */
847    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
848    return PNG_LIBPNG_VER_STRING;
849 }
850 
851 png_const_charp PNGAPI
852 png_get_header_version(png_const_structrp png_ptr)
853 {
854    /* Returns longer string containing both version and date */
855    PNG_UNUSED(png_ptr)  /* Silence compiler warning about unused png_ptr */
856 #ifdef __STDC__
857    return PNG_HEADER_VERSION_STRING
858 #  ifndef PNG_READ_SUPPORTED
859       " (NO READ SUPPORT)"
860 #  endif
861       PNG_STRING_NEWLINE;
862 #else
863    return PNG_HEADER_VERSION_STRING;
864 #endif
865 }
866 
867 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
868 /* NOTE: this routine is not used internally! */
869 /* Build a grayscale palette.  Palette is assumed to be 1 << bit_depth
870  * large of png_color.  This lets grayscale images be treated as
871  * paletted.  Most useful for gamma correction and simplification
872  * of code.  This API is not used internally.
873  */
874 void PNGAPI
875 png_build_grayscale_palette(int bit_depth, png_colorp palette)
876 {
877    int num_palette;
878    int color_inc;
879    int i;
880    int v;
881 
882    png_debug(1, "in png_do_build_grayscale_palette");
883 
884    if (palette == NULL)
885       return;
886 
887    switch (bit_depth)
888    {
889       case 1:
890          num_palette = 2;
891          color_inc = 0xff;
892          break;
893 
894       case 2:
895          num_palette = 4;
896          color_inc = 0x55;
897          break;
898 
899       case 4:
900          num_palette = 16;
901          color_inc = 0x11;
902          break;
903 
904       case 8:
905          num_palette = 256;
906          color_inc = 1;
907          break;
908 
909       default:
910          num_palette = 0;
911          color_inc = 0;
912          break;
913    }
914 
915    for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
916    {
917       palette[i].red = (png_byte)(v & 0xff);
918       palette[i].green = (png_byte)(v & 0xff);
919       palette[i].blue = (png_byte)(v & 0xff);
920    }
921 }
922 #endif
923 
924 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
925 int PNGAPI
926 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
927 {
928    /* Check chunk_name and return "keep" value if it's on the list, else 0 */
929    png_const_bytep p, p_end;
930 
931    if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
932       return PNG_HANDLE_CHUNK_AS_DEFAULT;
933 
934    p_end = png_ptr->chunk_list;
935    p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
936 
937    /* The code is the fifth byte after each four byte string.  Historically this
938     * code was always searched from the end of the list, this is no longer
939     * necessary because the 'set' routine handles duplicate entries correctly.
940     */
941    do /* num_chunk_list > 0, so at least one */
942    {
943       p -= 5;
944 
945       if (memcmp(chunk_name, p, 4) == 0)
946          return p[4];
947    }
948    while (p > p_end);
949 
950    /* This means that known chunks should be processed and unknown chunks should
951     * be handled according to the value of png_ptr->unknown_default; this can be
952     * confusing because, as a result, there are two levels of defaulting for
953     * unknown chunks.
954     */
955    return PNG_HANDLE_CHUNK_AS_DEFAULT;
956 }
957 
958 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
959    defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
960 int /* PRIVATE */
961 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
962 {
963    png_byte chunk_string[5];
964 
965    PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
966    return png_handle_as_unknown(png_ptr, chunk_string);
967 }
968 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
969 #endif /* SET_UNKNOWN_CHUNKS */
970 
971 #ifdef PNG_READ_SUPPORTED
972 /* This function, added to libpng-1.0.6g, is untested. */
973 int PNGAPI
974 png_reset_zstream(png_structrp png_ptr)
975 {
976    if (png_ptr == NULL)
977       return Z_STREAM_ERROR;
978 
979    /* WARNING: this resets the window bits to the maximum! */
980    return (inflateReset(&png_ptr->zstream));
981 }
982 #endif /* READ */
983 
984 /* This function was added to libpng-1.0.7 */
985 png_uint_32 PNGAPI
986 png_access_version_number(void)
987 {
988    /* Version of *.c files used when building libpng */
989    return((png_uint_32)PNG_LIBPNG_VER);
990 }
991 
992 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
993 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
994  * If it doesn't 'ret' is used to set it to something appropriate, even in cases
995  * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
996  */
997 void /* PRIVATE */
998 png_zstream_error(png_structrp png_ptr, int ret)
999 {
1000    /* Translate 'ret' into an appropriate error string, priority is given to the
1001     * one in zstream if set.  This always returns a string, even in cases like
1002     * Z_OK or Z_STREAM_END where the error code is a success code.
1003     */
1004    if (png_ptr->zstream.msg == NULL) switch (ret)
1005    {
1006       default:
1007       case Z_OK:
1008          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
1009          break;
1010 
1011       case Z_STREAM_END:
1012          /* Normal exit */
1013          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
1014          break;
1015 
1016       case Z_NEED_DICT:
1017          /* This means the deflate stream did not have a dictionary; this
1018           * indicates a bogus PNG.
1019           */
1020          png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
1021          break;
1022 
1023       case Z_ERRNO:
1024          /* gz APIs only: should not happen */
1025          png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
1026          break;
1027 
1028       case Z_STREAM_ERROR:
1029          /* internal libpng error */
1030          png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1031          break;
1032 
1033       case Z_DATA_ERROR:
1034          png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1035          break;
1036 
1037       case Z_MEM_ERROR:
1038          png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1039          break;
1040 
1041       case Z_BUF_ERROR:
1042          /* End of input or output; not a problem if the caller is doing
1043           * incremental read or write.
1044           */
1045          png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1046          break;
1047 
1048       case Z_VERSION_ERROR:
1049          png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1050          break;
1051 
1052       case PNG_UNEXPECTED_ZLIB_RETURN:
1053          /* Compile errors here mean that zlib now uses the value co-opted in
1054           * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1055           * and change pngpriv.h.  Note that this message is "... return",
1056           * whereas the default/Z_OK one is "... return code".
1057           */
1058          png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1059          break;
1060    }
1061 }
1062 
1063 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1064  * at libpng 1.5.5!
1065  */
1066 
1067 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1068 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1069 static int
1070 png_colorspace_check_gamma(png_const_structrp png_ptr,
1071     png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1072    /* This is called to check a new gamma value against an existing one.  The
1073     * routine returns false if the new gamma value should not be written.
1074     *
1075     * 'from' says where the new gamma value comes from:
1076     *
1077     *    0: the new gamma value is the libpng estimate for an ICC profile
1078     *    1: the new gamma value comes from a gAMA chunk
1079     *    2: the new gamma value comes from an sRGB chunk
1080     */
1081 {
1082    png_fixed_point gtest;
1083 
1084    if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1085        (png_muldiv(&gtest, colorspace->gamma, PNG_FP_1, gAMA) == 0  ||
1086       png_gamma_significant(gtest) != 0))
1087    {
1088       /* Either this is an sRGB image, in which case the calculated gamma
1089        * approximation should match, or this is an image with a profile and the
1090        * value libpng calculates for the gamma of the profile does not match the
1091        * value recorded in the file.  The former, sRGB, case is an error, the
1092        * latter is just a warning.
1093        */
1094       if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1095       {
1096          png_chunk_report(png_ptr, "gamma value does not match sRGB",
1097              PNG_CHUNK_ERROR);
1098          /* Do not overwrite an sRGB value */
1099          return from == 2;
1100       }
1101 
1102       else /* sRGB tag not involved */
1103       {
1104          png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1105              PNG_CHUNK_WARNING);
1106          return from == 1;
1107       }
1108    }
1109 
1110    return 1;
1111 }
1112 
1113 void /* PRIVATE */
1114 png_colorspace_set_gamma(png_const_structrp png_ptr,
1115     png_colorspacerp colorspace, png_fixed_point gAMA)
1116 {
1117    /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1118     * occur.  Since the fixed point representation is asymmetrical it is
1119     * possible for 1/gamma to overflow the limit of 21474 and this means the
1120     * gamma value must be at least 5/100000 and hence at most 20000.0.  For
1121     * safety the limits here are a little narrower.  The values are 0.00016 to
1122     * 6250.0, which are truly ridiculous gamma values (and will produce
1123     * displays that are all black or all white.)
1124     *
1125     * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1126     * handling code, which only required the value to be >0.
1127     */
1128    png_const_charp errmsg;
1129 
1130    if (gAMA < 16 || gAMA > 625000000)
1131       errmsg = "gamma value out of range";
1132 
1133 #  ifdef PNG_READ_gAMA_SUPPORTED
1134    /* Allow the application to set the gamma value more than once */
1135    else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1136       (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1137       errmsg = "duplicate";
1138 #  endif
1139 
1140    /* Do nothing if the colorspace is already invalid */
1141    else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1142       return;
1143 
1144    else
1145    {
1146       if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1147           1/*from gAMA*/) != 0)
1148       {
1149          /* Store this gamma value. */
1150          colorspace->gamma = gAMA;
1151          colorspace->flags |=
1152             (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1153       }
1154 
1155       /* At present if the check_gamma test fails the gamma of the colorspace is
1156        * not updated however the colorspace is not invalidated.  This
1157        * corresponds to the case where the existing gamma comes from an sRGB
1158        * chunk or profile.  An error message has already been output.
1159        */
1160       return;
1161    }
1162 
1163    /* Error exit - errmsg has been set. */
1164    colorspace->flags |= PNG_COLORSPACE_INVALID;
1165    png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1166 }
1167 
1168 void /* PRIVATE */
1169 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1170 {
1171    if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1172    {
1173       /* Everything is invalid */
1174       info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1175          PNG_INFO_iCCP);
1176 
1177 #     ifdef PNG_COLORSPACE_SUPPORTED
1178       /* Clean up the iCCP profile now if it won't be used. */
1179       png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1180 #     else
1181       PNG_UNUSED(png_ptr)
1182 #     endif
1183    }
1184 
1185    else
1186    {
1187 #     ifdef PNG_COLORSPACE_SUPPORTED
1188       /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1189        * it; this allows a PNG to contain a profile which matches sRGB and
1190        * yet still have that profile retrievable by the application.
1191        */
1192       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1193          info_ptr->valid |= PNG_INFO_sRGB;
1194 
1195       else
1196          info_ptr->valid &= ~PNG_INFO_sRGB;
1197 
1198       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1199          info_ptr->valid |= PNG_INFO_cHRM;
1200 
1201       else
1202          info_ptr->valid &= ~PNG_INFO_cHRM;
1203 #     endif
1204 
1205       if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1206          info_ptr->valid |= PNG_INFO_gAMA;
1207 
1208       else
1209          info_ptr->valid &= ~PNG_INFO_gAMA;
1210    }
1211 }
1212 
1213 #ifdef PNG_READ_SUPPORTED
1214 void /* PRIVATE */
1215 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1216 {
1217    if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1218       return;
1219 
1220    info_ptr->colorspace = png_ptr->colorspace;
1221    png_colorspace_sync_info(png_ptr, info_ptr);
1222 }
1223 #endif
1224 #endif /* GAMMA */
1225 
1226 #ifdef PNG_COLORSPACE_SUPPORTED
1227 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1228  * cHRM, as opposed to using chromaticities.  These internal APIs return
1229  * non-zero on a parameter error.  The X, Y and Z values are required to be
1230  * positive and less than 1.0.
1231  */
1232 static int
1233 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1234 {
1235    png_int_32 d, dwhite, whiteX, whiteY;
1236 
1237    d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1238    if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
1239       return 1;
1240    if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
1241       return 1;
1242    dwhite = d;
1243    whiteX = XYZ->red_X;
1244    whiteY = XYZ->red_Y;
1245 
1246    d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1247    if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
1248       return 1;
1249    if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
1250       return 1;
1251    dwhite += d;
1252    whiteX += XYZ->green_X;
1253    whiteY += XYZ->green_Y;
1254 
1255    d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1256    if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
1257       return 1;
1258    if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
1259       return 1;
1260    dwhite += d;
1261    whiteX += XYZ->blue_X;
1262    whiteY += XYZ->blue_Y;
1263 
1264    /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
1265     * thus:
1266     */
1267    if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1268       return 1;
1269    if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1270       return 1;
1271 
1272    return 0;
1273 }
1274 
1275 static int
1276 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1277 {
1278    png_fixed_point red_inverse, green_inverse, blue_scale;
1279    png_fixed_point left, right, denominator;
1280 
1281    /* Check xy and, implicitly, z.  Note that wide gamut color spaces typically
1282     * have end points with 0 tristimulus values (these are impossible end
1283     * points, but they are used to cover the possible colors).  We check
1284     * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1285     */
1286    if (xy->redx   < 0 || xy->redx > PNG_FP_1) return 1;
1287    if (xy->redy   < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
1288    if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
1289    if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
1290    if (xy->bluex  < 0 || xy->bluex > PNG_FP_1) return 1;
1291    if (xy->bluey  < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
1292    if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
1293    if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
1294 
1295    /* The reverse calculation is more difficult because the original tristimulus
1296     * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1297     * derived values were recorded in the cHRM chunk;
1298     * (red,green,blue,white)x(x,y).  This loses one degree of freedom and
1299     * therefore an arbitrary ninth value has to be introduced to undo the
1300     * original transformations.
1301     *
1302     * Think of the original end-points as points in (X,Y,Z) space.  The
1303     * chromaticity values (c) have the property:
1304     *
1305     *           C
1306     *   c = ---------
1307     *       X + Y + Z
1308     *
1309     * For each c (x,y,z) from the corresponding original C (X,Y,Z).  Thus the
1310     * three chromaticity values (x,y,z) for each end-point obey the
1311     * relationship:
1312     *
1313     *   x + y + z = 1
1314     *
1315     * This describes the plane in (X,Y,Z) space that intersects each axis at the
1316     * value 1.0; call this the chromaticity plane.  Thus the chromaticity
1317     * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1318     * and chromaticity is the intersection of the vector from the origin to the
1319     * (X,Y,Z) value with the chromaticity plane.
1320     *
1321     * To fully invert the chromaticity calculation we would need the three
1322     * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1323     * were not recorded.  Instead we calculated the reference white (X,Y,Z) and
1324     * recorded the chromaticity of this.  The reference white (X,Y,Z) would have
1325     * given all three of the scale factors since:
1326     *
1327     *    color-C = color-c * color-scale
1328     *    white-C = red-C + green-C + blue-C
1329     *            = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1330     *
1331     * But cHRM records only white-x and white-y, so we have lost the white scale
1332     * factor:
1333     *
1334     *    white-C = white-c*white-scale
1335     *
1336     * To handle this the inverse transformation makes an arbitrary assumption
1337     * about white-scale:
1338     *
1339     *    Assume: white-Y = 1.0
1340     *    Hence:  white-scale = 1/white-y
1341     *    Or:     red-Y + green-Y + blue-Y = 1.0
1342     *
1343     * Notice the last statement of the assumption gives an equation in three of
1344     * the nine values we want to calculate.  8 more equations come from the
1345     * above routine as summarised at the top above (the chromaticity
1346     * calculation):
1347     *
1348     *    Given: color-x = color-X / (color-X + color-Y + color-Z)
1349     *    Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1350     *
1351     * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1352     * solved by Cramer's rule.  Cramer's rule requires calculating 10 9x9 matrix
1353     * determinants, however this is not as bad as it seems because only 28 of
1354     * the total of 90 terms in the various matrices are non-zero.  Nevertheless
1355     * Cramer's rule is notoriously numerically unstable because the determinant
1356     * calculation involves the difference of large, but similar, numbers.  It is
1357     * difficult to be sure that the calculation is stable for real world values
1358     * and it is certain that it becomes unstable where the end points are close
1359     * together.
1360     *
1361     * So this code uses the perhaps slightly less optimal but more
1362     * understandable and totally obvious approach of calculating color-scale.
1363     *
1364     * This algorithm depends on the precision in white-scale and that is
1365     * (1/white-y), so we can immediately see that as white-y approaches 0 the
1366     * accuracy inherent in the cHRM chunk drops off substantially.
1367     *
1368     * libpng arithmetic: a simple inversion of the above equations
1369     * ------------------------------------------------------------
1370     *
1371     *    white_scale = 1/white-y
1372     *    white-X = white-x * white-scale
1373     *    white-Y = 1.0
1374     *    white-Z = (1 - white-x - white-y) * white_scale
1375     *
1376     *    white-C = red-C + green-C + blue-C
1377     *            = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1378     *
1379     * This gives us three equations in (red-scale,green-scale,blue-scale) where
1380     * all the coefficients are now known:
1381     *
1382     *    red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1383     *       = white-x/white-y
1384     *    red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1385     *    red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1386     *       = (1 - white-x - white-y)/white-y
1387     *
1388     * In the last equation color-z is (1 - color-x - color-y) so we can add all
1389     * three equations together to get an alternative third:
1390     *
1391     *    red-scale + green-scale + blue-scale = 1/white-y = white-scale
1392     *
1393     * So now we have a Cramer's rule solution where the determinants are just
1394     * 3x3 - far more tractible.  Unfortunately 3x3 determinants still involve
1395     * multiplication of three coefficients so we can't guarantee to avoid
1396     * overflow in the libpng fixed point representation.  Using Cramer's rule in
1397     * floating point is probably a good choice here, but it's not an option for
1398     * fixed point.  Instead proceed to simplify the first two equations by
1399     * eliminating what is likely to be the largest value, blue-scale:
1400     *
1401     *    blue-scale = white-scale - red-scale - green-scale
1402     *
1403     * Hence:
1404     *
1405     *    (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1406     *                (white-x - blue-x)*white-scale
1407     *
1408     *    (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1409     *                1 - blue-y*white-scale
1410     *
1411     * And now we can trivially solve for (red-scale,green-scale):
1412     *
1413     *    green-scale =
1414     *                (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1415     *                -----------------------------------------------------------
1416     *                                  green-x - blue-x
1417     *
1418     *    red-scale =
1419     *                1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1420     *                ---------------------------------------------------------
1421     *                                  red-y - blue-y
1422     *
1423     * Hence:
1424     *
1425     *    red-scale =
1426     *          ( (green-x - blue-x) * (white-y - blue-y) -
1427     *            (green-y - blue-y) * (white-x - blue-x) ) / white-y
1428     * -------------------------------------------------------------------------
1429     *  (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1430     *
1431     *    green-scale =
1432     *          ( (red-y - blue-y) * (white-x - blue-x) -
1433     *            (red-x - blue-x) * (white-y - blue-y) ) / white-y
1434     * -------------------------------------------------------------------------
1435     *  (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1436     *
1437     * Accuracy:
1438     * The input values have 5 decimal digits of accuracy.  The values are all in
1439     * the range 0 < value < 1, so simple products are in the same range but may
1440     * need up to 10 decimal digits to preserve the original precision and avoid
1441     * underflow.  Because we are using a 32-bit signed representation we cannot
1442     * match this; the best is a little over 9 decimal digits, less than 10.
1443     *
1444     * The approach used here is to preserve the maximum precision within the
1445     * signed representation.  Because the red-scale calculation above uses the
1446     * difference between two products of values that must be in the range -1..+1
1447     * it is sufficient to divide the product by 7; ceil(100,000/32767*2).  The
1448     * factor is irrelevant in the calculation because it is applied to both
1449     * numerator and denominator.
1450     *
1451     * Note that the values of the differences of the products of the
1452     * chromaticities in the above equations tend to be small, for example for
1453     * the sRGB chromaticities they are:
1454     *
1455     * red numerator:    -0.04751
1456     * green numerator:  -0.08788
1457     * denominator:      -0.2241 (without white-y multiplication)
1458     *
1459     *  The resultant Y coefficients from the chromaticities of some widely used
1460     *  color space definitions are (to 15 decimal places):
1461     *
1462     *  sRGB
1463     *    0.212639005871510 0.715168678767756 0.072192315360734
1464     *  Kodak ProPhoto
1465     *    0.288071128229293 0.711843217810102 0.000085653960605
1466     *  Adobe RGB
1467     *    0.297344975250536 0.627363566255466 0.075291458493998
1468     *  Adobe Wide Gamut RGB
1469     *    0.258728243040113 0.724682314948566 0.016589442011321
1470     */
1471    /* By the argument, above overflow should be impossible here. The return
1472     * value of 2 indicates an internal error to the caller.
1473     */
1474    if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)
1475       return 2;
1476    if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)
1477       return 2;
1478    denominator = left - right;
1479 
1480    /* Now find the red numerator. */
1481    if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1482       return 2;
1483    if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1484       return 2;
1485 
1486    /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1487     * chunk values.  This calculation actually returns the reciprocal of the
1488     * scale value because this allows us to delay the multiplication of white-y
1489     * into the denominator, which tends to produce a small number.
1490     */
1491    if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||
1492        red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1493       return 1;
1494 
1495    /* Similarly for green_inverse: */
1496    if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1497       return 2;
1498    if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1499       return 2;
1500    if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||
1501        green_inverse <= xy->whitey)
1502       return 1;
1503 
1504    /* And the blue scale, the checks above guarantee this can't overflow but it
1505     * can still produce 0 for extreme cHRM values.
1506     */
1507    blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1508        png_reciprocal(green_inverse);
1509    if (blue_scale <= 0)
1510       return 1;
1511 
1512 
1513    /* And fill in the png_XYZ: */
1514    if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1515       return 1;
1516    if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1517       return 1;
1518    if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1519        red_inverse) == 0)
1520       return 1;
1521 
1522    if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1523       return 1;
1524    if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1525       return 1;
1526    if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1527        green_inverse) == 0)
1528       return 1;
1529 
1530    if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1531       return 1;
1532    if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1533       return 1;
1534    if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1535        PNG_FP_1) == 0)
1536       return 1;
1537 
1538    return 0; /*success*/
1539 }
1540 
1541 static int
1542 png_XYZ_normalize(png_XYZ *XYZ)
1543 {
1544    png_int_32 Y;
1545 
1546    if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||
1547       XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||
1548       XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)
1549       return 1;
1550 
1551    /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1552     * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1553     * relying on addition of two positive values producing a negative one is not
1554     * safe.
1555     */
1556    Y = XYZ->red_Y;
1557    if (0x7fffffff - Y < XYZ->green_X)
1558       return 1;
1559    Y += XYZ->green_Y;
1560    if (0x7fffffff - Y < XYZ->blue_X)
1561       return 1;
1562    Y += XYZ->blue_Y;
1563 
1564    if (Y != PNG_FP_1)
1565    {
1566       if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1567          return 1;
1568       if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1569          return 1;
1570       if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1571          return 1;
1572 
1573       if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1574          return 1;
1575       if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1576          return 1;
1577       if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1578          return 1;
1579 
1580       if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1581          return 1;
1582       if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1583          return 1;
1584       if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1585          return 1;
1586    }
1587 
1588    return 0;
1589 }
1590 
1591 static int
1592 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1593 {
1594    /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1595    if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1596        PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1597        PNG_OUT_OF_RANGE(xy1->redx,   xy2->redx,  delta) ||
1598        PNG_OUT_OF_RANGE(xy1->redy,   xy2->redy,  delta) ||
1599        PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1600        PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1601        PNG_OUT_OF_RANGE(xy1->bluex,  xy2->bluex, delta) ||
1602        PNG_OUT_OF_RANGE(xy1->bluey,  xy2->bluey, delta))
1603       return 0;
1604    return 1;
1605 }
1606 
1607 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1608  * chunk chromaticities.  Earlier checks used to simply look for the overflow
1609  * condition (where the determinant of the matrix to solve for XYZ ends up zero
1610  * because the chromaticity values are not all distinct.)  Despite this it is
1611  * theoretically possible to produce chromaticities that are apparently valid
1612  * but that rapidly degrade to invalid, potentially crashing, sets because of
1613  * arithmetic inaccuracies when calculations are performed on them.  The new
1614  * check is to round-trip xy -> XYZ -> xy and then check that the result is
1615  * within a small percentage of the original.
1616  */
1617 static int
1618 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1619 {
1620    int result;
1621    png_xy xy_test;
1622 
1623    /* As a side-effect this routine also returns the XYZ endpoints. */
1624    result = png_XYZ_from_xy(XYZ, xy);
1625    if (result != 0)
1626       return result;
1627 
1628    result = png_xy_from_XYZ(&xy_test, XYZ);
1629    if (result != 0)
1630       return result;
1631 
1632    if (png_colorspace_endpoints_match(xy, &xy_test,
1633        5/*actually, the math is pretty accurate*/) != 0)
1634       return 0;
1635 
1636    /* Too much slip */
1637    return 1;
1638 }
1639 
1640 /* This is the check going the other way.  The XYZ is modified to normalize it
1641  * (another side-effect) and the xy chromaticities are returned.
1642  */
1643 static int
1644 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1645 {
1646    int result;
1647    png_XYZ XYZtemp;
1648 
1649    result = png_XYZ_normalize(XYZ);
1650    if (result != 0)
1651       return result;
1652 
1653    result = png_xy_from_XYZ(xy, XYZ);
1654    if (result != 0)
1655       return result;
1656 
1657    XYZtemp = *XYZ;
1658    return png_colorspace_check_xy(&XYZtemp, xy);
1659 }
1660 
1661 /* Used to check for an endpoint match against sRGB */
1662 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1663 {
1664    /* color      x       y */
1665    /* red   */ 64000, 33000,
1666    /* green */ 30000, 60000,
1667    /* blue  */ 15000,  6000,
1668    /* white */ 31270, 32900
1669 };
1670 
1671 static int
1672 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1673     png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1674     int preferred)
1675 {
1676    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1677       return 0;
1678 
1679    /* The consistency check is performed on the chromaticities; this factors out
1680     * variations because of the normalization (or not) of the end point Y
1681     * values.
1682     */
1683    if (preferred < 2 &&
1684        (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1685    {
1686       /* The end points must be reasonably close to any we already have.  The
1687        * following allows an error of up to +/-.001
1688        */
1689       if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1690           100) == 0)
1691       {
1692          colorspace->flags |= PNG_COLORSPACE_INVALID;
1693          png_benign_error(png_ptr, "inconsistent chromaticities");
1694          return 0; /* failed */
1695       }
1696 
1697       /* Only overwrite with preferred values */
1698       if (preferred == 0)
1699          return 1; /* ok, but no change */
1700    }
1701 
1702    colorspace->end_points_xy = *xy;
1703    colorspace->end_points_XYZ = *XYZ;
1704    colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1705 
1706    /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1707     * on this test.
1708     */
1709    if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1710       colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1711 
1712    else
1713       colorspace->flags &= PNG_COLORSPACE_CANCEL(
1714          PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1715 
1716    return 2; /* ok and changed */
1717 }
1718 
1719 int /* PRIVATE */
1720 png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1721     png_colorspacerp colorspace, const png_xy *xy, int preferred)
1722 {
1723    /* We must check the end points to ensure they are reasonable - in the past
1724     * color management systems have crashed as a result of getting bogus
1725     * colorant values, while this isn't the fault of libpng it is the
1726     * responsibility of libpng because PNG carries the bomb and libpng is in a
1727     * position to protect against it.
1728     */
1729    png_XYZ XYZ;
1730 
1731    switch (png_colorspace_check_xy(&XYZ, xy))
1732    {
1733       case 0: /* success */
1734          return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1735              preferred);
1736 
1737       case 1:
1738          /* We can't invert the chromaticities so we can't produce value XYZ
1739           * values.  Likely as not a color management system will fail too.
1740           */
1741          colorspace->flags |= PNG_COLORSPACE_INVALID;
1742          png_benign_error(png_ptr, "invalid chromaticities");
1743          break;
1744 
1745       default:
1746          /* libpng is broken; this should be a warning but if it happens we
1747           * want error reports so for the moment it is an error.
1748           */
1749          colorspace->flags |= PNG_COLORSPACE_INVALID;
1750          png_error(png_ptr, "internal error checking chromaticities");
1751    }
1752 
1753    return 0; /* failed */
1754 }
1755 
1756 int /* PRIVATE */
1757 png_colorspace_set_endpoints(png_const_structrp png_ptr,
1758     png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1759 {
1760    png_XYZ XYZ = *XYZ_in;
1761    png_xy xy;
1762 
1763    switch (png_colorspace_check_XYZ(&xy, &XYZ))
1764    {
1765       case 0:
1766          return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1767              preferred);
1768 
1769       case 1:
1770          /* End points are invalid. */
1771          colorspace->flags |= PNG_COLORSPACE_INVALID;
1772          png_benign_error(png_ptr, "invalid end points");
1773          break;
1774 
1775       default:
1776          colorspace->flags |= PNG_COLORSPACE_INVALID;
1777          png_error(png_ptr, "internal error checking chromaticities");
1778    }
1779 
1780    return 0; /* failed */
1781 }
1782 
1783 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1784 /* Error message generation */
1785 static char
1786 png_icc_tag_char(png_uint_32 byte)
1787 {
1788    byte &= 0xff;
1789    if (byte >= 32 && byte <= 126)
1790       return (char)byte;
1791    else
1792       return '?';
1793 }
1794 
1795 static void
1796 png_icc_tag_name(char *name, png_uint_32 tag)
1797 {
1798    name[0] = '\'';
1799    name[1] = png_icc_tag_char(tag >> 24);
1800    name[2] = png_icc_tag_char(tag >> 16);
1801    name[3] = png_icc_tag_char(tag >>  8);
1802    name[4] = png_icc_tag_char(tag      );
1803    name[5] = '\'';
1804 }
1805 
1806 static int
1807 is_ICC_signature_char(png_alloc_size_t it)
1808 {
1809    return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1810       (it >= 97 && it <= 122);
1811 }
1812 
1813 static int
1814 is_ICC_signature(png_alloc_size_t it)
1815 {
1816    return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1817       is_ICC_signature_char((it >> 16) & 0xff) &&
1818       is_ICC_signature_char((it >> 8) & 0xff) &&
1819       is_ICC_signature_char(it & 0xff);
1820 }
1821 
1822 static int
1823 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1824     png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1825 {
1826    size_t pos;
1827    char message[196]; /* see below for calculation */
1828 
1829    if (colorspace != NULL)
1830       colorspace->flags |= PNG_COLORSPACE_INVALID;
1831 
1832    pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1833    pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1834    pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1835    if (is_ICC_signature(value) != 0)
1836    {
1837       /* So 'value' is at most 4 bytes and the following cast is safe */
1838       png_icc_tag_name(message+pos, (png_uint_32)value);
1839       pos += 6; /* total +8; less than the else clause */
1840       message[pos++] = ':';
1841       message[pos++] = ' ';
1842    }
1843 #  ifdef PNG_WARNINGS_SUPPORTED
1844    else
1845       {
1846          char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114 */
1847 
1848          pos = png_safecat(message, (sizeof message), pos,
1849              png_format_number(number, number+(sizeof number),
1850              PNG_NUMBER_FORMAT_x, value));
1851          pos = png_safecat(message, (sizeof message), pos, "h: "); /* +2 = 116 */
1852       }
1853 #  endif
1854    /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1855    pos = png_safecat(message, (sizeof message), pos, reason);
1856    PNG_UNUSED(pos)
1857 
1858    /* This is recoverable, but make it unconditionally an app_error on write to
1859     * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1860     * on read, with a warning, but on write unless the app turns off
1861     * application errors the PNG won't be written.)
1862     */
1863    png_chunk_report(png_ptr, message,
1864        (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1865 
1866    return 0;
1867 }
1868 #endif /* sRGB || iCCP */
1869 
1870 #ifdef PNG_sRGB_SUPPORTED
1871 int /* PRIVATE */
1872 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1873     int intent)
1874 {
1875    /* sRGB sets known gamma, end points and (from the chunk) intent. */
1876    /* IMPORTANT: these are not necessarily the values found in an ICC profile
1877     * because ICC profiles store values adapted to a D50 environment; it is
1878     * expected that the ICC profile mediaWhitePointTag will be D50; see the
1879     * checks and code elsewhere to understand this better.
1880     *
1881     * These XYZ values, which are accurate to 5dp, produce rgb to gray
1882     * coefficients of (6968,23435,2366), which are reduced (because they add up
1883     * to 32769 not 32768) to (6968,23434,2366).  These are the values that
1884     * libpng has traditionally used (and are the best values given the 15bit
1885     * algorithm used by the rgb to gray code.)
1886     */
1887    static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1888    {
1889       /* color      X      Y      Z */
1890       /* red   */ 41239, 21264,  1933,
1891       /* green */ 35758, 71517, 11919,
1892       /* blue  */ 18048,  7219, 95053
1893    };
1894 
1895    /* Do nothing if the colorspace is already invalidated. */
1896    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1897       return 0;
1898 
1899    /* Check the intent, then check for existing settings.  It is valid for the
1900     * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1901     * be consistent with the correct values.  If, however, this function is
1902     * called below because an iCCP chunk matches sRGB then it is quite
1903     * conceivable that an older app recorded incorrect gAMA and cHRM because of
1904     * an incorrect calculation based on the values in the profile - this does
1905     * *not* invalidate the profile (though it still produces an error, which can
1906     * be ignored.)
1907     */
1908    if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1909       return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1910           (png_alloc_size_t)intent, "invalid sRGB rendering intent");
1911 
1912    if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1913        colorspace->rendering_intent != intent)
1914       return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1915          (png_alloc_size_t)intent, "inconsistent rendering intents");
1916 
1917    if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1918    {
1919       png_benign_error(png_ptr, "duplicate sRGB information ignored");
1920       return 0;
1921    }
1922 
1923    /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1924     * warn but overwrite the value with the correct one.
1925     */
1926    if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1927        !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1928        100))
1929       png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1930          PNG_CHUNK_ERROR);
1931 
1932    /* This check is just done for the error reporting - the routine always
1933     * returns true when the 'from' argument corresponds to sRGB (2).
1934     */
1935    (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1936        2/*from sRGB*/);
1937 
1938    /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1939    colorspace->rendering_intent = (png_uint_16)intent;
1940    colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1941 
1942    /* endpoints */
1943    colorspace->end_points_xy = sRGB_xy;
1944    colorspace->end_points_XYZ = sRGB_XYZ;
1945    colorspace->flags |=
1946       (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1947 
1948    /* gamma */
1949    colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1950    colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1951 
1952    /* Finally record that we have an sRGB profile */
1953    colorspace->flags |=
1954       (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1955 
1956    return 1; /* set */
1957 }
1958 #endif /* sRGB */
1959 
1960 #ifdef PNG_iCCP_SUPPORTED
1961 /* Encoded value of D50 as an ICC XYZNumber.  From the ICC 2010 spec the value
1962  * is XYZ(0.9642,1.0,0.8249), which scales to:
1963  *
1964  *    (63189.8112, 65536, 54060.6464)
1965  */
1966 static const png_byte D50_nCIEXYZ[12] =
1967    { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1968 
1969 static int /* bool */
1970 icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1971     png_const_charp name, png_uint_32 profile_length)
1972 {
1973    if (profile_length < 132)
1974       return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1975           "too short");
1976    return 1;
1977 }
1978 
1979 #ifdef PNG_READ_iCCP_SUPPORTED
1980 int /* PRIVATE */
1981 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1982     png_const_charp name, png_uint_32 profile_length)
1983 {
1984    if (!icc_check_length(png_ptr, colorspace, name, profile_length))
1985       return 0;
1986 
1987    /* This needs to be here because the 'normal' check is in
1988     * png_decompress_chunk, yet this happens after the attempt to
1989     * png_malloc_base the required data.  We only need this on read; on write
1990     * the caller supplies the profile buffer so libpng doesn't allocate it.  See
1991     * the call to icc_check_length below (the write case).
1992     */
1993 #  ifdef PNG_SET_USER_LIMITS_SUPPORTED
1994       else if (png_ptr->user_chunk_malloc_max > 0 &&
1995                png_ptr->user_chunk_malloc_max < profile_length)
1996          return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1997              "exceeds application limits");
1998 #  elif PNG_USER_CHUNK_MALLOC_MAX > 0
1999       else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
2000          return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2001              "exceeds libpng limits");
2002 #  else /* !SET_USER_LIMITS */
2003       /* This will get compiled out on all 32-bit and better systems. */
2004       else if (PNG_SIZE_MAX < profile_length)
2005          return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2006              "exceeds system limits");
2007 #  endif /* !SET_USER_LIMITS */
2008 
2009    return 1;
2010 }
2011 #endif /* READ_iCCP */
2012 
2013 int /* PRIVATE */
2014 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
2015     png_const_charp name, png_uint_32 profile_length,
2016     png_const_bytep profile/* first 132 bytes only */, int color_type)
2017 {
2018    png_uint_32 temp;
2019 
2020    /* Length check; this cannot be ignored in this code because profile_length
2021     * is used later to check the tag table, so even if the profile seems over
2022     * long profile_length from the caller must be correct.  The caller can fix
2023     * this up on read or write by just passing in the profile header length.
2024     */
2025    temp = png_get_uint_32(profile);
2026    if (temp != profile_length)
2027       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2028           "length does not match profile");
2029 
2030    temp = (png_uint_32) (*(profile+8));
2031    if (temp > 3 && (profile_length & 3))
2032       return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2033           "invalid length");
2034 
2035    temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
2036    if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
2037       profile_length < 132+12*temp) /* truncated tag table */
2038       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2039           "tag count too large");
2040 
2041    /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2042     * 16 bits.
2043     */
2044    temp = png_get_uint_32(profile+64);
2045    if (temp >= 0xffff) /* The ICC limit */
2046       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2047           "invalid rendering intent");
2048 
2049    /* This is just a warning because the profile may be valid in future
2050     * versions.
2051     */
2052    if (temp >= PNG_sRGB_INTENT_LAST)
2053       (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2054           "intent outside defined range");
2055 
2056    /* At this point the tag table can't be checked because it hasn't necessarily
2057     * been loaded; however, various header fields can be checked.  These checks
2058     * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2059     * restricts the profiles that can be passed in an iCCP chunk (they must be
2060     * appropriate to processing PNG data!)
2061     */
2062 
2063    /* Data checks (could be skipped).  These checks must be independent of the
2064     * version number; however, the version number doesn't accommodate changes in
2065     * the header fields (just the known tags and the interpretation of the
2066     * data.)
2067     */
2068    temp = png_get_uint_32(profile+36); /* signature 'ascp' */
2069    if (temp != 0x61637370)
2070       return png_icc_profile_error(png_ptr, colorspace, name, temp,
2071           "invalid signature");
2072 
2073    /* Currently the PCS illuminant/adopted white point (the computational
2074     * white point) are required to be D50,
2075     * however the profile contains a record of the illuminant so perhaps ICC
2076     * expects to be able to change this in the future (despite the rationale in
2077     * the introduction for using a fixed PCS adopted white.)  Consequently the
2078     * following is just a warning.
2079     */
2080    if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2081       (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2082           "PCS illuminant is not D50");
2083 
2084    /* The PNG spec requires this:
2085     * "If the iCCP chunk is present, the image samples conform to the colour
2086     * space represented by the embedded ICC profile as defined by the
2087     * International Color Consortium [ICC]. The colour space of the ICC profile
2088     * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2089     * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2090     * and 4)."
2091     *
2092     * This checking code ensures the embedded profile (on either read or write)
2093     * conforms to the specification requirements.  Notice that an ICC 'gray'
2094     * color-space profile contains the information to transform the monochrome
2095     * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2096     * should be used in preference to the standard libpng K channel replication
2097     * into R, G and B channels.
2098     *
2099     * Previously it was suggested that an RGB profile on grayscale data could be
2100     * handled.  However it it is clear that using an RGB profile in this context
2101     * must be an error - there is no specification of what it means.  Thus it is
2102     * almost certainly more correct to ignore the profile.
2103     */
2104    temp = png_get_uint_32(profile+16); /* data colour space field */
2105    switch (temp)
2106    {
2107       case 0x52474220: /* 'RGB ' */
2108          if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2109             return png_icc_profile_error(png_ptr, colorspace, name, temp,
2110                 "RGB color space not permitted on grayscale PNG");
2111          break;
2112 
2113       case 0x47524159: /* 'GRAY' */
2114          if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2115             return png_icc_profile_error(png_ptr, colorspace, name, temp,
2116                 "Gray color space not permitted on RGB PNG");
2117          break;
2118 
2119       default:
2120          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2121              "invalid ICC profile color space");
2122    }
2123 
2124    /* It is up to the application to check that the profile class matches the
2125     * application requirements; the spec provides no guidance, but it's pretty
2126     * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2127     * ('prtr') or 'spac' (for generic color spaces).  Issue a warning in these
2128     * cases.  Issue an error for device link or abstract profiles - these don't
2129     * contain the records necessary to transform the color-space to anything
2130     * other than the target device (and not even that for an abstract profile).
2131     * Profiles of these classes may not be embedded in images.
2132     */
2133    temp = png_get_uint_32(profile+12); /* profile/device class */
2134    switch (temp)
2135    {
2136       case 0x73636e72: /* 'scnr' */
2137       case 0x6d6e7472: /* 'mntr' */
2138       case 0x70727472: /* 'prtr' */
2139       case 0x73706163: /* 'spac' */
2140          /* All supported */
2141          break;
2142 
2143       case 0x61627374: /* 'abst' */
2144          /* May not be embedded in an image */
2145          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2146              "invalid embedded Abstract ICC profile");
2147 
2148       case 0x6c696e6b: /* 'link' */
2149          /* DeviceLink profiles cannot be interpreted in a non-device specific
2150           * fashion, if an app uses the AToB0Tag in the profile the results are
2151           * undefined unless the result is sent to the intended device,
2152           * therefore a DeviceLink profile should not be found embedded in a
2153           * PNG.
2154           */
2155          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2156              "unexpected DeviceLink ICC profile class");
2157 
2158       case 0x6e6d636c: /* 'nmcl' */
2159          /* A NamedColor profile is also device specific, however it doesn't
2160           * contain an AToB0 tag that is open to misinterpretation.  Almost
2161           * certainly it will fail the tests below.
2162           */
2163          (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2164              "unexpected NamedColor ICC profile class");
2165          break;
2166 
2167       default:
2168          /* To allow for future enhancements to the profile accept unrecognized
2169           * profile classes with a warning, these then hit the test below on the
2170           * tag content to ensure they are backward compatible with one of the
2171           * understood profiles.
2172           */
2173          (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2174              "unrecognized ICC profile class");
2175          break;
2176    }
2177 
2178    /* For any profile other than a device link one the PCS must be encoded
2179     * either in XYZ or Lab.
2180     */
2181    temp = png_get_uint_32(profile+20);
2182    switch (temp)
2183    {
2184       case 0x58595a20: /* 'XYZ ' */
2185       case 0x4c616220: /* 'Lab ' */
2186          break;
2187 
2188       default:
2189          return png_icc_profile_error(png_ptr, colorspace, name, temp,
2190              "unexpected ICC PCS encoding");
2191    }
2192 
2193    return 1;
2194 }
2195 
2196 int /* PRIVATE */
2197 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2198     png_const_charp name, png_uint_32 profile_length,
2199     png_const_bytep profile /* header plus whole tag table */)
2200 {
2201    png_uint_32 tag_count = png_get_uint_32(profile+128);
2202    png_uint_32 itag;
2203    png_const_bytep tag = profile+132; /* The first tag */
2204 
2205    /* First scan all the tags in the table and add bits to the icc_info value
2206     * (temporarily in 'tags').
2207     */
2208    for (itag=0; itag < tag_count; ++itag, tag += 12)
2209    {
2210       png_uint_32 tag_id = png_get_uint_32(tag+0);
2211       png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2212       png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2213 
2214       /* The ICC specification does not exclude zero length tags, therefore the
2215        * start might actually be anywhere if there is no data, but this would be
2216        * a clear abuse of the intent of the standard so the start is checked for
2217        * being in range.  All defined tag types have an 8 byte header - a 4 byte
2218        * type signature then 0.
2219        */
2220 
2221       /* This is a hard error; potentially it can cause read outside the
2222        * profile.
2223        */
2224       if (tag_start > profile_length || tag_length > profile_length - tag_start)
2225          return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2226              "ICC profile tag outside profile");
2227 
2228       if ((tag_start & 3) != 0)
2229       {
2230          /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is
2231           * only a warning here because libpng does not care about the
2232           * alignment.
2233           */
2234          (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2235              "ICC profile tag start not a multiple of 4");
2236       }
2237    }
2238 
2239    return 1; /* success, maybe with warnings */
2240 }
2241 
2242 #ifdef PNG_sRGB_SUPPORTED
2243 #if PNG_sRGB_PROFILE_CHECKS >= 0
2244 /* Information about the known ICC sRGB profiles */
2245 static const struct
2246 {
2247    png_uint_32 adler, crc, length;
2248    png_uint_32 md5[4];
2249    png_byte    have_md5;
2250    png_byte    is_broken;
2251    png_uint_16 intent;
2252 
2253 #  define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2254 #  define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2255       { adler, crc, length, md5, broke, intent },
2256 
2257 } png_sRGB_checks[] =
2258 {
2259    /* This data comes from contrib/tools/checksum-icc run on downloads of
2260     * all four ICC sRGB profiles from www.color.org.
2261     */
2262    /* adler32, crc32, MD5[4], intent, date, length, file-name */
2263    PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2264        PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2265        "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2266 
2267    /* ICC sRGB v2 perceptual no black-compensation: */
2268    PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2269        PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2270        "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2271 
2272    PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2273        PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2274        "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2275 
2276    /* ICC sRGB v4 perceptual */
2277    PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2278        PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2279        "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2280 
2281    /* The following profiles have no known MD5 checksum. If there is a match
2282     * on the (empty) MD5 the other fields are used to attempt a match and
2283     * a warning is produced.  The first two of these profiles have a 'cprt' tag
2284     * which suggests that they were also made by Hewlett Packard.
2285     */
2286    PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2287        PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2288        "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2289 
2290    /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2291     * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2292     * so the white point is recorded as the un-adapted value.)  The profiles
2293     * below only differ in one byte - the intent - and are basically the same as
2294     * the previous profile except for the mediaWhitePointTag error and a missing
2295     * chromaticAdaptationTag.
2296     */
2297    PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2298        PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2299        "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2300 
2301    PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2302        PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2303        "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2304 };
2305 
2306 static int
2307 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2308     png_const_bytep profile, uLong adler)
2309 {
2310    /* The quick check is to verify just the MD5 signature and trust the
2311     * rest of the data.  Because the profile has already been verified for
2312     * correctness this is safe.  png_colorspace_set_sRGB will check the 'intent'
2313     * field too, so if the profile has been edited with an intent not defined
2314     * by sRGB (but maybe defined by a later ICC specification) the read of
2315     * the profile will fail at that point.
2316     */
2317 
2318    png_uint_32 length = 0;
2319    png_uint_32 intent = 0x10000; /* invalid */
2320 #if PNG_sRGB_PROFILE_CHECKS > 1
2321    uLong crc = 0; /* the value for 0 length data */
2322 #endif
2323    unsigned int i;
2324 
2325 #ifdef PNG_SET_OPTION_SUPPORTED
2326    /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2327    if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2328                PNG_OPTION_ON)
2329       return 0;
2330 #endif
2331 
2332    for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2333    {
2334       if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2335          png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2336          png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2337          png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2338       {
2339          /* This may be one of the old HP profiles without an MD5, in that
2340           * case we can only use the length and Adler32 (note that these
2341           * are not used by default if there is an MD5!)
2342           */
2343 #        if PNG_sRGB_PROFILE_CHECKS == 0
2344             if (png_sRGB_checks[i].have_md5 != 0)
2345                return 1+png_sRGB_checks[i].is_broken;
2346 #        endif
2347 
2348          /* Profile is unsigned or more checks have been configured in. */
2349          if (length == 0)
2350          {
2351             length = png_get_uint_32(profile);
2352             intent = png_get_uint_32(profile+64);
2353          }
2354 
2355          /* Length *and* intent must match */
2356          if (length == (png_uint_32) png_sRGB_checks[i].length &&
2357             intent == (png_uint_32) png_sRGB_checks[i].intent)
2358          {
2359             /* Now calculate the adler32 if not done already. */
2360             if (adler == 0)
2361             {
2362                adler = adler32(0, NULL, 0);
2363                adler = adler32(adler, profile, length);
2364             }
2365 
2366             if (adler == png_sRGB_checks[i].adler)
2367             {
2368                /* These basic checks suggest that the data has not been
2369                 * modified, but if the check level is more than 1 perform
2370                 * our own crc32 checksum on the data.
2371                 */
2372 #              if PNG_sRGB_PROFILE_CHECKS > 1
2373                   if (crc == 0)
2374                   {
2375                      crc = crc32(0, NULL, 0);
2376                      crc = crc32(crc, profile, length);
2377                   }
2378 
2379                   /* So this check must pass for the 'return' below to happen.
2380                    */
2381                   if (crc == png_sRGB_checks[i].crc)
2382 #              endif
2383                {
2384                   if (png_sRGB_checks[i].is_broken != 0)
2385                   {
2386                      /* These profiles are known to have bad data that may cause
2387                       * problems if they are used, therefore attempt to
2388                       * discourage their use, skip the 'have_md5' warning below,
2389                       * which is made irrelevant by this error.
2390                       */
2391                      png_chunk_report(png_ptr, "known incorrect sRGB profile",
2392                          PNG_CHUNK_ERROR);
2393                   }
2394 
2395                   /* Warn that this being done; this isn't even an error since
2396                    * the profile is perfectly valid, but it would be nice if
2397                    * people used the up-to-date ones.
2398                    */
2399                   else if (png_sRGB_checks[i].have_md5 == 0)
2400                   {
2401                      png_chunk_report(png_ptr,
2402                          "out-of-date sRGB profile with no signature",
2403                          PNG_CHUNK_WARNING);
2404                   }
2405 
2406                   return 1+png_sRGB_checks[i].is_broken;
2407                }
2408             }
2409 
2410 # if PNG_sRGB_PROFILE_CHECKS > 0
2411          /* The signature matched, but the profile had been changed in some
2412           * way.  This probably indicates a data error or uninformed hacking.
2413           * Fall through to "no match".
2414           */
2415          png_chunk_report(png_ptr,
2416              "Not recognizing known sRGB profile that has been edited",
2417              PNG_CHUNK_WARNING);
2418          break;
2419 # endif
2420          }
2421       }
2422    }
2423 
2424    return 0; /* no match */
2425 }
2426 
2427 void /* PRIVATE */
2428 png_icc_set_sRGB(png_const_structrp png_ptr,
2429     png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2430 {
2431    /* Is this profile one of the known ICC sRGB profiles?  If it is, just set
2432     * the sRGB information.
2433     */
2434    if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2435       (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2436          (int)/*already checked*/png_get_uint_32(profile+64));
2437 }
2438 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2439 #endif /* sRGB */
2440 
2441 int /* PRIVATE */
2442 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2443     png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2444     int color_type)
2445 {
2446    if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2447       return 0;
2448 
2449    if (icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2450        png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2451            color_type) != 0 &&
2452        png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2453            profile) != 0)
2454    {
2455 #     if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2456          /* If no sRGB support, don't try storing sRGB information */
2457          png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2458 #     endif
2459       return 1;
2460    }
2461 
2462    /* Failure case */
2463    return 0;
2464 }
2465 #endif /* iCCP */
2466 
2467 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2468 void /* PRIVATE */
2469 png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2470 {
2471    /* Set the rgb_to_gray coefficients from the colorspace. */
2472    if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2473       (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2474    {
2475       /* png_set_background has not been called, get the coefficients from the Y
2476        * values of the colorspace colorants.
2477        */
2478       png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2479       png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2480       png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2481       png_fixed_point total = r+g+b;
2482 
2483       if (total > 0 &&
2484          r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2485          g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2486          b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2487          r+g+b <= 32769)
2488       {
2489          /* We allow 0 coefficients here.  r+g+b may be 32769 if two or
2490           * all of the coefficients were rounded up.  Handle this by
2491           * reducing the *largest* coefficient by 1; this matches the
2492           * approach used for the default coefficients in pngrtran.c
2493           */
2494          int add = 0;
2495 
2496          if (r+g+b > 32768)
2497             add = -1;
2498          else if (r+g+b < 32768)
2499             add = 1;
2500 
2501          if (add != 0)
2502          {
2503             if (g >= r && g >= b)
2504                g += add;
2505             else if (r >= g && r >= b)
2506                r += add;
2507             else
2508                b += add;
2509          }
2510 
2511          /* Check for an internal error. */
2512          if (r+g+b != 32768)
2513             png_error(png_ptr,
2514                 "internal error handling cHRM coefficients");
2515 
2516          else
2517          {
2518             png_ptr->rgb_to_gray_red_coeff   = (png_uint_16)r;
2519             png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2520          }
2521       }
2522 
2523       /* This is a png_error at present even though it could be ignored -
2524        * it should never happen, but it is important that if it does, the
2525        * bug is fixed.
2526        */
2527       else
2528          png_error(png_ptr, "internal error handling cHRM->XYZ");
2529    }
2530 }
2531 #endif /* READ_RGB_TO_GRAY */
2532 
2533 #endif /* COLORSPACE */
2534 
2535 #ifdef __GNUC__
2536 /* This exists solely to work round a warning from GNU C. */
2537 static int /* PRIVATE */
2538 png_gt(size_t a, size_t b)
2539 {
2540    return a > b;
2541 }
2542 #else
2543 #   define png_gt(a,b) ((a) > (b))
2544 #endif
2545 
2546 void /* PRIVATE */
2547 png_check_IHDR(png_const_structrp png_ptr,
2548     png_uint_32 width, png_uint_32 height, int bit_depth,
2549     int color_type, int interlace_type, int compression_type,
2550     int filter_type)
2551 {
2552    int error = 0;
2553 
2554    /* Check for width and height valid values */
2555    if (width == 0)
2556    {
2557       png_warning(png_ptr, "Image width is zero in IHDR");
2558       error = 1;
2559    }
2560 
2561    if (width > PNG_UINT_31_MAX)
2562    {
2563       png_warning(png_ptr, "Invalid image width in IHDR");
2564       error = 1;
2565    }
2566 
2567    if (png_gt(((width + 7) & (~7U)),
2568        ((PNG_SIZE_MAX
2569            - 48        /* big_row_buf hack */
2570            - 1)        /* filter byte */
2571            / 8)        /* 8-byte RGBA pixels */
2572            - 1))       /* extra max_pixel_depth pad */
2573    {
2574       /* The size of the row must be within the limits of this architecture.
2575        * Because the read code can perform arbitrary transformations the
2576        * maximum size is checked here.  Because the code in png_read_start_row
2577        * adds extra space "for safety's sake" in several places a conservative
2578        * limit is used here.
2579        *
2580        * NOTE: it would be far better to check the size that is actually used,
2581        * but the effect in the real world is minor and the changes are more
2582        * extensive, therefore much more dangerous and much more difficult to
2583        * write in a way that avoids compiler warnings.
2584        */
2585       png_warning(png_ptr, "Image width is too large for this architecture");
2586       error = 1;
2587    }
2588 
2589 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2590    if (width > png_ptr->user_width_max)
2591 #else
2592    if (width > PNG_USER_WIDTH_MAX)
2593 #endif
2594    {
2595       png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2596       error = 1;
2597    }
2598 
2599    if (height == 0)
2600    {
2601       png_warning(png_ptr, "Image height is zero in IHDR");
2602       error = 1;
2603    }
2604 
2605    if (height > PNG_UINT_31_MAX)
2606    {
2607       png_warning(png_ptr, "Invalid image height in IHDR");
2608       error = 1;
2609    }
2610 
2611 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2612    if (height > png_ptr->user_height_max)
2613 #else
2614    if (height > PNG_USER_HEIGHT_MAX)
2615 #endif
2616    {
2617       png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2618       error = 1;
2619    }
2620 
2621    /* Check other values */
2622    if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2623        bit_depth != 8 && bit_depth != 16)
2624    {
2625       png_warning(png_ptr, "Invalid bit depth in IHDR");
2626       error = 1;
2627    }
2628 
2629    if (color_type < 0 || color_type == 1 ||
2630        color_type == 5 || color_type > 6)
2631    {
2632       png_warning(png_ptr, "Invalid color type in IHDR");
2633       error = 1;
2634    }
2635 
2636    if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2637        ((color_type == PNG_COLOR_TYPE_RGB ||
2638          color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2639          color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2640    {
2641       png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2642       error = 1;
2643    }
2644 
2645    if (interlace_type >= PNG_INTERLACE_LAST)
2646    {
2647       png_warning(png_ptr, "Unknown interlace method in IHDR");
2648       error = 1;
2649    }
2650 
2651    if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2652    {
2653       png_warning(png_ptr, "Unknown compression method in IHDR");
2654       error = 1;
2655    }
2656 
2657 #ifdef PNG_MNG_FEATURES_SUPPORTED
2658    /* Accept filter_method 64 (intrapixel differencing) only if
2659     * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2660     * 2. Libpng did not read a PNG signature (this filter_method is only
2661     *    used in PNG datastreams that are embedded in MNG datastreams) and
2662     * 3. The application called png_permit_mng_features with a mask that
2663     *    included PNG_FLAG_MNG_FILTER_64 and
2664     * 4. The filter_method is 64 and
2665     * 5. The color_type is RGB or RGBA
2666     */
2667    if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2668        png_ptr->mng_features_permitted != 0)
2669       png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2670 
2671    if (filter_type != PNG_FILTER_TYPE_BASE)
2672    {
2673       if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2674           (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2675           ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2676           (color_type == PNG_COLOR_TYPE_RGB ||
2677           color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2678       {
2679          png_warning(png_ptr, "Unknown filter method in IHDR");
2680          error = 1;
2681       }
2682 
2683       if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2684       {
2685          png_warning(png_ptr, "Invalid filter method in IHDR");
2686          error = 1;
2687       }
2688    }
2689 
2690 #else
2691    if (filter_type != PNG_FILTER_TYPE_BASE)
2692    {
2693       png_warning(png_ptr, "Unknown filter method in IHDR");
2694       error = 1;
2695    }
2696 #endif
2697 
2698    if (error == 1)
2699       png_error(png_ptr, "Invalid IHDR data");
2700 }
2701 
2702 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2703 /* ASCII to fp functions */
2704 /* Check an ASCII formatted floating point value, see the more detailed
2705  * comments in pngpriv.h
2706  */
2707 /* The following is used internally to preserve the sticky flags */
2708 #define png_fp_add(state, flags) ((state) |= (flags))
2709 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2710 
2711 int /* PRIVATE */
2712 png_check_fp_number(png_const_charp string, size_t size, int *statep,
2713     size_t *whereami)
2714 {
2715    int state = *statep;
2716    size_t i = *whereami;
2717 
2718    while (i < size)
2719    {
2720       int type;
2721       /* First find the type of the next character */
2722       switch (string[i])
2723       {
2724       case 43:  type = PNG_FP_SAW_SIGN;                   break;
2725       case 45:  type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2726       case 46:  type = PNG_FP_SAW_DOT;                    break;
2727       case 48:  type = PNG_FP_SAW_DIGIT;                  break;
2728       case 49: case 50: case 51: case 52:
2729       case 53: case 54: case 55: case 56:
2730       case 57:  type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2731       case 69:
2732       case 101: type = PNG_FP_SAW_E;                      break;
2733       default:  goto PNG_FP_End;
2734       }
2735 
2736       /* Now deal with this type according to the current
2737        * state, the type is arranged to not overlap the
2738        * bits of the PNG_FP_STATE.
2739        */
2740       switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2741       {
2742       case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2743          if ((state & PNG_FP_SAW_ANY) != 0)
2744             goto PNG_FP_End; /* not a part of the number */
2745 
2746          png_fp_add(state, type);
2747          break;
2748 
2749       case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2750          /* Ok as trailer, ok as lead of fraction. */
2751          if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2752             goto PNG_FP_End;
2753 
2754          else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2755             png_fp_add(state, type);
2756 
2757          else
2758             png_fp_set(state, PNG_FP_FRACTION | type);
2759 
2760          break;
2761 
2762       case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2763          if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2764             png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2765 
2766          png_fp_add(state, type | PNG_FP_WAS_VALID);
2767 
2768          break;
2769 
2770       case PNG_FP_INTEGER + PNG_FP_SAW_E:
2771          if ((state & PNG_FP_SAW_DIGIT) == 0)
2772             goto PNG_FP_End;
2773 
2774          png_fp_set(state, PNG_FP_EXPONENT);
2775 
2776          break;
2777 
2778    /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2779          goto PNG_FP_End; ** no sign in fraction */
2780 
2781    /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2782          goto PNG_FP_End; ** Because SAW_DOT is always set */
2783 
2784       case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2785          png_fp_add(state, type | PNG_FP_WAS_VALID);
2786          break;
2787 
2788       case PNG_FP_FRACTION + PNG_FP_SAW_E:
2789          /* This is correct because the trailing '.' on an
2790           * integer is handled above - so we can only get here
2791           * with the sequence ".E" (with no preceding digits).
2792           */
2793          if ((state & PNG_FP_SAW_DIGIT) == 0)
2794             goto PNG_FP_End;
2795 
2796          png_fp_set(state, PNG_FP_EXPONENT);
2797 
2798          break;
2799 
2800       case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2801          if ((state & PNG_FP_SAW_ANY) != 0)
2802             goto PNG_FP_End; /* not a part of the number */
2803 
2804          png_fp_add(state, PNG_FP_SAW_SIGN);
2805 
2806          break;
2807 
2808    /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2809          goto PNG_FP_End; */
2810 
2811       case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2812          png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2813 
2814          break;
2815 
2816    /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2817          goto PNG_FP_End; */
2818 
2819       default: goto PNG_FP_End; /* I.e. break 2 */
2820       }
2821 
2822       /* The character seems ok, continue. */
2823       ++i;
2824    }
2825 
2826 PNG_FP_End:
2827    /* Here at the end, update the state and return the correct
2828     * return code.
2829     */
2830    *statep = state;
2831    *whereami = i;
2832 
2833    return (state & PNG_FP_SAW_DIGIT) != 0;
2834 }
2835 
2836 
2837 /* The same but for a complete string. */
2838 int
2839 png_check_fp_string(png_const_charp string, size_t size)
2840 {
2841    int        state=0;
2842    size_t char_index=0;
2843 
2844    if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2845       (char_index == size || string[char_index] == 0))
2846       return state /* must be non-zero - see above */;
2847 
2848    return 0; /* i.e. fail */
2849 }
2850 #endif /* pCAL || sCAL */
2851 
2852 #ifdef PNG_sCAL_SUPPORTED
2853 #  ifdef PNG_FLOATING_POINT_SUPPORTED
2854 /* Utility used below - a simple accurate power of ten from an integral
2855  * exponent.
2856  */
2857 static double
2858 png_pow10(int power)
2859 {
2860    int recip = 0;
2861    double d = 1;
2862 
2863    /* Handle negative exponent with a reciprocal at the end because
2864     * 10 is exact whereas .1 is inexact in base 2
2865     */
2866    if (power < 0)
2867    {
2868       if (power < DBL_MIN_10_EXP) return 0;
2869       recip = 1; power = -power;
2870    }
2871 
2872    if (power > 0)
2873    {
2874       /* Decompose power bitwise. */
2875       double mult = 10;
2876       do
2877       {
2878          if (power & 1) d *= mult;
2879          mult *= mult;
2880          power >>= 1;
2881       }
2882       while (power > 0);
2883 
2884       if (recip != 0) d = 1/d;
2885    }
2886    /* else power is 0 and d is 1 */
2887 
2888    return d;
2889 }
2890 
2891 /* Function to format a floating point value in ASCII with a given
2892  * precision.
2893  */
2894 #if GCC_STRICT_OVERFLOW
2895 #pragma GCC diagnostic push
2896 /* The problem arises below with exp_b10, which can never overflow because it
2897  * comes, originally, from frexp and is therefore limited to a range which is
2898  * typically +/-710 (log2(DBL_MAX)/log2(DBL_MIN)).
2899  */
2900 #pragma GCC diagnostic warning "-Wstrict-overflow=2"
2901 #endif /* GCC_STRICT_OVERFLOW */
2902 void /* PRIVATE */
2903 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, size_t size,
2904     double fp, unsigned int precision)
2905 {
2906    /* We use standard functions from math.h, but not printf because
2907     * that would require stdio.  The caller must supply a buffer of
2908     * sufficient size or we will png_error.  The tests on size and
2909     * the space in ascii[] consumed are indicated below.
2910     */
2911    if (precision < 1)
2912       precision = DBL_DIG;
2913 
2914    /* Enforce the limit of the implementation precision too. */
2915    if (precision > DBL_DIG+1)
2916       precision = DBL_DIG+1;
2917 
2918    /* Basic sanity checks */
2919    if (size >= precision+5) /* See the requirements below. */
2920    {
2921       if (fp < 0)
2922       {
2923          fp = -fp;
2924          *ascii++ = 45; /* '-'  PLUS 1 TOTAL 1 */
2925          --size;
2926       }
2927 
2928       if (fp >= DBL_MIN && fp <= DBL_MAX)
2929       {
2930          int exp_b10;   /* A base 10 exponent */
2931          double base;   /* 10^exp_b10 */
2932 
2933          /* First extract a base 10 exponent of the number,
2934           * the calculation below rounds down when converting
2935           * from base 2 to base 10 (multiply by log10(2) -
2936           * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2937           * be increased.  Note that the arithmetic shift
2938           * performs a floor() unlike C arithmetic - using a
2939           * C multiply would break the following for negative
2940           * exponents.
2941           */
2942          (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2943 
2944          exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2945 
2946          /* Avoid underflow here. */
2947          base = png_pow10(exp_b10); /* May underflow */
2948 
2949          while (base < DBL_MIN || base < fp)
2950          {
2951             /* And this may overflow. */
2952             double test = png_pow10(exp_b10+1);
2953 
2954             if (test <= DBL_MAX)
2955             {
2956                ++exp_b10; base = test;
2957             }
2958 
2959             else
2960                break;
2961          }
2962 
2963          /* Normalize fp and correct exp_b10, after this fp is in the
2964           * range [.1,1) and exp_b10 is both the exponent and the digit
2965           * *before* which the decimal point should be inserted
2966           * (starting with 0 for the first digit).  Note that this
2967           * works even if 10^exp_b10 is out of range because of the
2968           * test on DBL_MAX above.
2969           */
2970          fp /= base;
2971          while (fp >= 1)
2972          {
2973             fp /= 10; ++exp_b10;
2974          }
2975 
2976          /* Because of the code above fp may, at this point, be
2977           * less than .1, this is ok because the code below can
2978           * handle the leading zeros this generates, so no attempt
2979           * is made to correct that here.
2980           */
2981 
2982          {
2983             unsigned int czero, clead, cdigits;
2984             char exponent[10];
2985 
2986             /* Allow up to two leading zeros - this will not lengthen
2987              * the number compared to using E-n.
2988              */
2989             if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
2990             {
2991                czero = 0U-exp_b10; /* PLUS 2 digits: TOTAL 3 */
2992                exp_b10 = 0;      /* Dot added below before first output. */
2993             }
2994             else
2995                czero = 0;    /* No zeros to add */
2996 
2997             /* Generate the digit list, stripping trailing zeros and
2998              * inserting a '.' before a digit if the exponent is 0.
2999              */
3000             clead = czero; /* Count of leading zeros */
3001             cdigits = 0;   /* Count of digits in list. */
3002 
3003             do
3004             {
3005                double d;
3006 
3007                fp *= 10;
3008                /* Use modf here, not floor and subtract, so that
3009                 * the separation is done in one step.  At the end
3010                 * of the loop don't break the number into parts so
3011                 * that the final digit is rounded.
3012                 */
3013                if (cdigits+czero+1 < precision+clead)
3014                   fp = modf(fp, &d);
3015 
3016                else
3017                {
3018                   d = floor(fp + .5);
3019 
3020                   if (d > 9)
3021                   {
3022                      /* Rounding up to 10, handle that here. */
3023                      if (czero > 0)
3024                      {
3025                         --czero; d = 1;
3026                         if (cdigits == 0) --clead;
3027                      }
3028                      else
3029                      {
3030                         while (cdigits > 0 && d > 9)
3031                         {
3032                            int ch = *--ascii;
3033 
3034                            if (exp_b10 != (-1))
3035                               ++exp_b10;
3036 
3037                            else if (ch == 46)
3038                            {
3039                               ch = *--ascii; ++size;
3040                               /* Advance exp_b10 to '1', so that the
3041                                * decimal point happens after the
3042                                * previous digit.
3043                                */
3044                               exp_b10 = 1;
3045                            }
3046 
3047                            --cdigits;
3048                            d = ch - 47;  /* I.e. 1+(ch-48) */
3049                         }
3050 
3051                         /* Did we reach the beginning? If so adjust the
3052                          * exponent but take into account the leading
3053                          * decimal point.
3054                          */
3055                         if (d > 9)  /* cdigits == 0 */
3056                         {
3057                            if (exp_b10 == (-1))
3058                            {
3059                               /* Leading decimal point (plus zeros?), if
3060                                * we lose the decimal point here it must
3061                                * be reentered below.
3062                                */
3063                               int ch = *--ascii;
3064 
3065                               if (ch == 46)
3066                               {
3067                                  ++size; exp_b10 = 1;
3068                               }
3069 
3070                               /* Else lost a leading zero, so 'exp_b10' is
3071                                * still ok at (-1)
3072                                */
3073                            }
3074                            else
3075                               ++exp_b10;
3076 
3077                            /* In all cases we output a '1' */
3078                            d = 1;
3079                         }
3080                      }
3081                   }
3082                   fp = 0; /* Guarantees termination below. */
3083                }
3084 
3085                if (d == 0)
3086                {
3087                   ++czero;
3088                   if (cdigits == 0) ++clead;
3089                }
3090                else
3091                {
3092                   /* Included embedded zeros in the digit count. */
3093                   cdigits += czero - clead;
3094                   clead = 0;
3095 
3096                   while (czero > 0)
3097                   {
3098                      /* exp_b10 == (-1) means we just output the decimal
3099                       * place - after the DP don't adjust 'exp_b10' any
3100                       * more!
3101                       */
3102                      if (exp_b10 != (-1))
3103                      {
3104                         if (exp_b10 == 0)
3105                         {
3106                            *ascii++ = 46; --size;
3107                         }
3108                         /* PLUS 1: TOTAL 4 */
3109                         --exp_b10;
3110                      }
3111                      *ascii++ = 48; --czero;
3112                   }
3113 
3114                   if (exp_b10 != (-1))
3115                   {
3116                      if (exp_b10 == 0)
3117                      {
3118                         *ascii++ = 46; --size; /* counted above */
3119                      }
3120 
3121                      --exp_b10;
3122                   }
3123                   *ascii++ = (char)(48 + (int)d); ++cdigits;
3124                }
3125             }
3126             while (cdigits+czero < precision+clead && fp > DBL_MIN);
3127 
3128             /* The total output count (max) is now 4+precision */
3129 
3130             /* Check for an exponent, if we don't need one we are
3131              * done and just need to terminate the string.  At this
3132              * point, exp_b10==(-1) is effectively a flag: it got
3133              * to '-1' because of the decrement, after outputting
3134              * the decimal point above. (The exponent required is
3135              * *not* -1.)
3136              */
3137             if (exp_b10 >= (-1) && exp_b10 <= 2)
3138             {
3139                /* The following only happens if we didn't output the
3140                 * leading zeros above for negative exponent, so this
3141                 * doesn't add to the digit requirement.  Note that the
3142                 * two zeros here can only be output if the two leading
3143                 * zeros were *not* output, so this doesn't increase
3144                 * the output count.
3145                 */
3146                while (exp_b10-- > 0) *ascii++ = 48;
3147 
3148                *ascii = 0;
3149 
3150                /* Total buffer requirement (including the '\0') is
3151                 * 5+precision - see check at the start.
3152                 */
3153                return;
3154             }
3155 
3156             /* Here if an exponent is required, adjust size for
3157              * the digits we output but did not count.  The total
3158              * digit output here so far is at most 1+precision - no
3159              * decimal point and no leading or trailing zeros have
3160              * been output.
3161              */
3162             size -= cdigits;
3163 
3164             *ascii++ = 69; --size;    /* 'E': PLUS 1 TOTAL 2+precision */
3165 
3166             /* The following use of an unsigned temporary avoids ambiguities in
3167              * the signed arithmetic on exp_b10 and permits GCC at least to do
3168              * better optimization.
3169              */
3170             {
3171                unsigned int uexp_b10;
3172 
3173                if (exp_b10 < 0)
3174                {
3175                   *ascii++ = 45; --size; /* '-': PLUS 1 TOTAL 3+precision */
3176                   uexp_b10 = 0U-exp_b10;
3177                }
3178 
3179                else
3180                   uexp_b10 = 0U+exp_b10;
3181 
3182                cdigits = 0;
3183 
3184                while (uexp_b10 > 0)
3185                {
3186                   exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3187                   uexp_b10 /= 10;
3188                }
3189             }
3190 
3191             /* Need another size check here for the exponent digits, so
3192              * this need not be considered above.
3193              */
3194             if (size > cdigits)
3195             {
3196                while (cdigits > 0) *ascii++ = exponent[--cdigits];
3197 
3198                *ascii = 0;
3199 
3200                return;
3201             }
3202          }
3203       }
3204       else if (!(fp >= DBL_MIN))
3205       {
3206          *ascii++ = 48; /* '0' */
3207          *ascii = 0;
3208          return;
3209       }
3210       else
3211       {
3212          *ascii++ = 105; /* 'i' */
3213          *ascii++ = 110; /* 'n' */
3214          *ascii++ = 102; /* 'f' */
3215          *ascii = 0;
3216          return;
3217       }
3218    }
3219 
3220    /* Here on buffer too small. */
3221    png_error(png_ptr, "ASCII conversion buffer too small");
3222 }
3223 #if GCC_STRICT_OVERFLOW
3224 #pragma GCC diagnostic pop
3225 #endif /* GCC_STRICT_OVERFLOW */
3226 
3227 #  endif /* FLOATING_POINT */
3228 
3229 #  ifdef PNG_FIXED_POINT_SUPPORTED
3230 /* Function to format a fixed point value in ASCII.
3231  */
3232 void /* PRIVATE */
3233 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3234     size_t size, png_fixed_point fp)
3235 {
3236    /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3237     * trailing \0, 13 characters:
3238     */
3239    if (size > 12)
3240    {
3241       png_uint_32 num;
3242 
3243       /* Avoid overflow here on the minimum integer. */
3244       if (fp < 0)
3245       {
3246          *ascii++ = 45; num = (png_uint_32)(-fp);
3247       }
3248       else
3249          num = (png_uint_32)fp;
3250 
3251       if (num <= 0x80000000) /* else overflowed */
3252       {
3253          unsigned int ndigits = 0, first = 16 /* flag value */;
3254          char digits[10];
3255 
3256          while (num)
3257          {
3258             /* Split the low digit off num: */
3259             unsigned int tmp = num/10;
3260             num -= tmp*10;
3261             digits[ndigits++] = (char)(48 + num);
3262             /* Record the first non-zero digit, note that this is a number
3263              * starting at 1, it's not actually the array index.
3264              */
3265             if (first == 16 && num > 0)
3266                first = ndigits;
3267             num = tmp;
3268          }
3269 
3270          if (ndigits > 0)
3271          {
3272             while (ndigits > 5) *ascii++ = digits[--ndigits];
3273             /* The remaining digits are fractional digits, ndigits is '5' or
3274              * smaller at this point.  It is certainly not zero.  Check for a
3275              * non-zero fractional digit:
3276              */
3277             if (first <= 5)
3278             {
3279                unsigned int i;
3280                *ascii++ = 46; /* decimal point */
3281                /* ndigits may be <5 for small numbers, output leading zeros
3282                 * then ndigits digits to first:
3283                 */
3284                i = 5;
3285                while (ndigits < i)
3286                {
3287                   *ascii++ = 48; --i;
3288                }
3289                while (ndigits >= first) *ascii++ = digits[--ndigits];
3290                /* Don't output the trailing zeros! */
3291             }
3292          }
3293          else
3294             *ascii++ = 48;
3295 
3296          /* And null terminate the string: */
3297          *ascii = 0;
3298          return;
3299       }
3300    }
3301 
3302    /* Here on buffer too small. */
3303    png_error(png_ptr, "ASCII conversion buffer too small");
3304 }
3305 #   endif /* FIXED_POINT */
3306 #endif /* SCAL */
3307 
3308 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3309    !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3310    (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3311    defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3312    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3313    (defined(PNG_sCAL_SUPPORTED) && \
3314    defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3315 png_fixed_point
3316 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3317 {
3318    double r = floor(100000 * fp + .5);
3319 
3320    if (r > 2147483647. || r < -2147483648.)
3321       png_fixed_error(png_ptr, text);
3322 
3323 #  ifndef PNG_ERROR_TEXT_SUPPORTED
3324    PNG_UNUSED(text)
3325 #  endif
3326 
3327    return (png_fixed_point)r;
3328 }
3329 #endif
3330 
3331 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3332     defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3333 /* muldiv functions */
3334 /* This API takes signed arguments and rounds the result to the nearest
3335  * integer (or, for a fixed point number - the standard argument - to
3336  * the nearest .00001).  Overflow and divide by zero are signalled in
3337  * the result, a boolean - true on success, false on overflow.
3338  */
3339 #if GCC_STRICT_OVERFLOW /* from above */
3340 /* It is not obvious which comparison below gets optimized in such a way that
3341  * signed overflow would change the result; looking through the code does not
3342  * reveal any tests which have the form GCC complains about, so presumably the
3343  * optimizer is moving an add or subtract into the 'if' somewhere.
3344  */
3345 #pragma GCC diagnostic push
3346 #pragma GCC diagnostic warning "-Wstrict-overflow=2"
3347 #endif /* GCC_STRICT_OVERFLOW */
3348 int
3349 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3350     png_int_32 divisor)
3351 {
3352    /* Return a * times / divisor, rounded. */
3353    if (divisor != 0)
3354    {
3355       if (a == 0 || times == 0)
3356       {
3357          *res = 0;
3358          return 1;
3359       }
3360       else
3361       {
3362 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3363          double r = a;
3364          r *= times;
3365          r /= divisor;
3366          r = floor(r+.5);
3367 
3368          /* A png_fixed_point is a 32-bit integer. */
3369          if (r <= 2147483647. && r >= -2147483648.)
3370          {
3371             *res = (png_fixed_point)r;
3372             return 1;
3373          }
3374 #else
3375          int negative = 0;
3376          png_uint_32 A, T, D;
3377          png_uint_32 s16, s32, s00;
3378 
3379          if (a < 0)
3380             negative = 1, A = -a;
3381          else
3382             A = a;
3383 
3384          if (times < 0)
3385             negative = !negative, T = -times;
3386          else
3387             T = times;
3388 
3389          if (divisor < 0)
3390             negative = !negative, D = -divisor;
3391          else
3392             D = divisor;
3393 
3394          /* Following can't overflow because the arguments only
3395           * have 31 bits each, however the result may be 32 bits.
3396           */
3397          s16 = (A >> 16) * (T & 0xffff) +
3398                            (A & 0xffff) * (T >> 16);
3399          /* Can't overflow because the a*times bit is only 30
3400           * bits at most.
3401           */
3402          s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3403          s00 = (A & 0xffff) * (T & 0xffff);
3404 
3405          s16 = (s16 & 0xffff) << 16;
3406          s00 += s16;
3407 
3408          if (s00 < s16)
3409             ++s32; /* carry */
3410 
3411          if (s32 < D) /* else overflow */
3412          {
3413             /* s32.s00 is now the 64-bit product, do a standard
3414              * division, we know that s32 < D, so the maximum
3415              * required shift is 31.
3416              */
3417             int bitshift = 32;
3418             png_fixed_point result = 0; /* NOTE: signed */
3419 
3420             while (--bitshift >= 0)
3421             {
3422                png_uint_32 d32, d00;
3423 
3424                if (bitshift > 0)
3425                   d32 = D >> (32-bitshift), d00 = D << bitshift;
3426 
3427                else
3428                   d32 = 0, d00 = D;
3429 
3430                if (s32 > d32)
3431                {
3432                   if (s00 < d00) --s32; /* carry */
3433                   s32 -= d32, s00 -= d00, result += 1<<bitshift;
3434                }
3435 
3436                else
3437                   if (s32 == d32 && s00 >= d00)
3438                      s32 = 0, s00 -= d00, result += 1<<bitshift;
3439             }
3440 
3441             /* Handle the rounding. */
3442             if (s00 >= (D >> 1))
3443                ++result;
3444 
3445             if (negative != 0)
3446                result = -result;
3447 
3448             /* Check for overflow. */
3449             if ((negative != 0 && result <= 0) ||
3450                 (negative == 0 && result >= 0))
3451             {
3452                *res = result;
3453                return 1;
3454             }
3455          }
3456 #endif
3457       }
3458    }
3459 
3460    return 0;
3461 }
3462 #if GCC_STRICT_OVERFLOW
3463 #pragma GCC diagnostic pop
3464 #endif /* GCC_STRICT_OVERFLOW */
3465 #endif /* READ_GAMMA || INCH_CONVERSIONS */
3466 
3467 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3468 /* The following is for when the caller doesn't much care about the
3469  * result.
3470  */
3471 png_fixed_point
3472 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3473     png_int_32 divisor)
3474 {
3475    png_fixed_point result;
3476 
3477    if (png_muldiv(&result, a, times, divisor) != 0)
3478       return result;
3479 
3480    png_warning(png_ptr, "fixed point overflow ignored");
3481    return 0;
3482 }
3483 #endif
3484 
3485 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3486 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3487 png_fixed_point
3488 png_reciprocal(png_fixed_point a)
3489 {
3490 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3491    double r = floor(1E10/a+.5);
3492 
3493    if (r <= 2147483647. && r >= -2147483648.)
3494       return (png_fixed_point)r;
3495 #else
3496    png_fixed_point res;
3497 
3498    if (png_muldiv(&res, 100000, 100000, a) != 0)
3499       return res;
3500 #endif
3501 
3502    return 0; /* error/overflow */
3503 }
3504 
3505 /* This is the shared test on whether a gamma value is 'significant' - whether
3506  * it is worth doing gamma correction.
3507  */
3508 int /* PRIVATE */
3509 png_gamma_significant(png_fixed_point gamma_val)
3510 {
3511    return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3512        gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3513 }
3514 #endif
3515 
3516 #ifdef PNG_READ_GAMMA_SUPPORTED
3517 #ifdef PNG_16BIT_SUPPORTED
3518 /* A local convenience routine. */
3519 static png_fixed_point
3520 png_product2(png_fixed_point a, png_fixed_point b)
3521 {
3522    /* The required result is 1/a * 1/b; the following preserves accuracy. */
3523 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3524    double r = a * 1E-5;
3525    r *= b;
3526    r = floor(r+.5);
3527 
3528    if (r <= 2147483647. && r >= -2147483648.)
3529       return (png_fixed_point)r;
3530 #else
3531    png_fixed_point res;
3532 
3533    if (png_muldiv(&res, a, b, 100000) != 0)
3534       return res;
3535 #endif
3536 
3537    return 0; /* overflow */
3538 }
3539 #endif /* 16BIT */
3540 
3541 /* The inverse of the above. */
3542 png_fixed_point
3543 png_reciprocal2(png_fixed_point a, png_fixed_point b)
3544 {
3545    /* The required result is 1/a * 1/b; the following preserves accuracy. */
3546 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3547    if (a != 0 && b != 0)
3548    {
3549       double r = 1E15/a;
3550       r /= b;
3551       r = floor(r+.5);
3552 
3553       if (r <= 2147483647. && r >= -2147483648.)
3554          return (png_fixed_point)r;
3555    }
3556 #else
3557    /* This may overflow because the range of png_fixed_point isn't symmetric,
3558     * but this API is only used for the product of file and screen gamma so it
3559     * doesn't matter that the smallest number it can produce is 1/21474, not
3560     * 1/100000
3561     */
3562    png_fixed_point res = png_product2(a, b);
3563 
3564    if (res != 0)
3565       return png_reciprocal(res);
3566 #endif
3567 
3568    return 0; /* overflow */
3569 }
3570 #endif /* READ_GAMMA */
3571 
3572 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3573 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3574 /* Fixed point gamma.
3575  *
3576  * The code to calculate the tables used below can be found in the shell script
3577  * contrib/tools/intgamma.sh
3578  *
3579  * To calculate gamma this code implements fast log() and exp() calls using only
3580  * fixed point arithmetic.  This code has sufficient precision for either 8-bit
3581  * or 16-bit sample values.
3582  *
3583  * The tables used here were calculated using simple 'bc' programs, but C double
3584  * precision floating point arithmetic would work fine.
3585  *
3586  * 8-bit log table
3587  *   This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3588  *   255, so it's the base 2 logarithm of a normalized 8-bit floating point
3589  *   mantissa.  The numbers are 32-bit fractions.
3590  */
3591 static const png_uint_32
3592 png_8bit_l2[128] =
3593 {
3594    4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3595    3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3596    3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3597    3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3598    3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3599    2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3600    2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3601    2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3602    2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3603    2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3604    1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3605    1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3606    1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3607    1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3608    1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3609    971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3610    803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3611    639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3612    479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3613    324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3614    172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3615    24347096U, 0U
3616 
3617 #if 0
3618    /* The following are the values for 16-bit tables - these work fine for the
3619     * 8-bit conversions but produce very slightly larger errors in the 16-bit
3620     * log (about 1.2 as opposed to 0.7 absolute error in the final value).  To
3621     * use these all the shifts below must be adjusted appropriately.
3622     */
3623    65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3624    57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3625    50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3626    43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3627    37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3628    31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3629    25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3630    20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3631    15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3632    10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3633    6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3634    1119, 744, 372
3635 #endif
3636 };
3637 
3638 static png_int_32
3639 png_log8bit(unsigned int x)
3640 {
3641    unsigned int lg2 = 0;
3642    /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3643     * because the log is actually negate that means adding 1.  The final
3644     * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3645     * input), return -1 for the overflow (log 0) case, - so the result is
3646     * always at most 19 bits.
3647     */
3648    if ((x &= 0xff) == 0)
3649       return -1;
3650 
3651    if ((x & 0xf0) == 0)
3652       lg2  = 4, x <<= 4;
3653 
3654    if ((x & 0xc0) == 0)
3655       lg2 += 2, x <<= 2;
3656 
3657    if ((x & 0x80) == 0)
3658       lg2 += 1, x <<= 1;
3659 
3660    /* result is at most 19 bits, so this cast is safe: */
3661    return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3662 }
3663 
3664 /* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3665  * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3666  * get an approximation then multiply the approximation by a correction factor
3667  * determined by the remaining up to 8 bits.  This requires an additional step
3668  * in the 16-bit case.
3669  *
3670  * We want log2(value/65535), we have log2(v'/255), where:
3671  *
3672  *    value = v' * 256 + v''
3673  *          = v' * f
3674  *
3675  * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3676  * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3677  * than 258.  The final factor also needs to correct for the fact that our 8-bit
3678  * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3679  *
3680  * This gives a final formula using a calculated value 'x' which is value/v' and
3681  * scaling by 65536 to match the above table:
3682  *
3683  *   log2(x/257) * 65536
3684  *
3685  * Since these numbers are so close to '1' we can use simple linear
3686  * interpolation between the two end values 256/257 (result -368.61) and 258/257
3687  * (result 367.179).  The values used below are scaled by a further 64 to give
3688  * 16-bit precision in the interpolation:
3689  *
3690  * Start (256): -23591
3691  * Zero  (257):      0
3692  * End   (258):  23499
3693  */
3694 #ifdef PNG_16BIT_SUPPORTED
3695 static png_int_32
3696 png_log16bit(png_uint_32 x)
3697 {
3698    unsigned int lg2 = 0;
3699 
3700    /* As above, but now the input has 16 bits. */
3701    if ((x &= 0xffff) == 0)
3702       return -1;
3703 
3704    if ((x & 0xff00) == 0)
3705       lg2  = 8, x <<= 8;
3706 
3707    if ((x & 0xf000) == 0)
3708       lg2 += 4, x <<= 4;
3709 
3710    if ((x & 0xc000) == 0)
3711       lg2 += 2, x <<= 2;
3712 
3713    if ((x & 0x8000) == 0)
3714       lg2 += 1, x <<= 1;
3715 
3716    /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3717     * value.
3718     */
3719    lg2 <<= 28;
3720    lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3721 
3722    /* Now we need to interpolate the factor, this requires a division by the top
3723     * 8 bits.  Do this with maximum precision.
3724     */
3725    x = ((x << 16) + (x >> 9)) / (x >> 8);
3726 
3727    /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3728     * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3729     * 16 bits to interpolate to get the low bits of the result.  Round the
3730     * answer.  Note that the end point values are scaled by 64 to retain overall
3731     * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3732     * the overall scaling by 6-12.  Round at every step.
3733     */
3734    x -= 1U << 24;
3735 
3736    if (x <= 65536U) /* <= '257' */
3737       lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3738 
3739    else
3740       lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3741 
3742    /* Safe, because the result can't have more than 20 bits: */
3743    return (png_int_32)((lg2 + 2048) >> 12);
3744 }
3745 #endif /* 16BIT */
3746 
3747 /* The 'exp()' case must invert the above, taking a 20-bit fixed point
3748  * logarithmic value and returning a 16 or 8-bit number as appropriate.  In
3749  * each case only the low 16 bits are relevant - the fraction - since the
3750  * integer bits (the top 4) simply determine a shift.
3751  *
3752  * The worst case is the 16-bit distinction between 65535 and 65534. This
3753  * requires perhaps spurious accuracy in the decoding of the logarithm to
3754  * distinguish log2(65535/65534.5) - 10^-5 or 17 bits.  There is little chance
3755  * of getting this accuracy in practice.
3756  *
3757  * To deal with this the following exp() function works out the exponent of the
3758  * fractional part of the logarithm by using an accurate 32-bit value from the
3759  * top four fractional bits then multiplying in the remaining bits.
3760  */
3761 static const png_uint_32
3762 png_32bit_exp[16] =
3763 {
3764    /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3765    4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3766    3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3767    2553802834U, 2445529972U, 2341847524U, 2242560872U
3768 };
3769 
3770 /* Adjustment table; provided to explain the numbers in the code below. */
3771 #if 0
3772 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3773    11 44937.64284865548751208448
3774    10 45180.98734845585101160448
3775     9 45303.31936980687359311872
3776     8 45364.65110595323018870784
3777     7 45395.35850361789624614912
3778     6 45410.72259715102037508096
3779     5 45418.40724413220722311168
3780     4 45422.25021786898173001728
3781     3 45424.17186732298419044352
3782     2 45425.13273269940811464704
3783     1 45425.61317555035558641664
3784     0 45425.85339951654943850496
3785 #endif
3786 
3787 static png_uint_32
3788 png_exp(png_fixed_point x)
3789 {
3790    if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3791    {
3792       /* Obtain a 4-bit approximation */
3793       png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f];
3794 
3795       /* Incorporate the low 12 bits - these decrease the returned value by
3796        * multiplying by a number less than 1 if the bit is set.  The multiplier
3797        * is determined by the above table and the shift. Notice that the values
3798        * converge on 45426 and this is used to allow linear interpolation of the
3799        * low bits.
3800        */
3801       if (x & 0x800)
3802          e -= (((e >> 16) * 44938U) +  16U) >> 5;
3803 
3804       if (x & 0x400)
3805          e -= (((e >> 16) * 45181U) +  32U) >> 6;
3806 
3807       if (x & 0x200)
3808          e -= (((e >> 16) * 45303U) +  64U) >> 7;
3809 
3810       if (x & 0x100)
3811          e -= (((e >> 16) * 45365U) + 128U) >> 8;
3812 
3813       if (x & 0x080)
3814          e -= (((e >> 16) * 45395U) + 256U) >> 9;
3815 
3816       if (x & 0x040)
3817          e -= (((e >> 16) * 45410U) + 512U) >> 10;
3818 
3819       /* And handle the low 6 bits in a single block. */
3820       e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3821 
3822       /* Handle the upper bits of x. */
3823       e >>= x >> 16;
3824       return e;
3825    }
3826 
3827    /* Check for overflow */
3828    if (x <= 0)
3829       return png_32bit_exp[0];
3830 
3831    /* Else underflow */
3832    return 0;
3833 }
3834 
3835 static png_byte
3836 png_exp8bit(png_fixed_point lg2)
3837 {
3838    /* Get a 32-bit value: */
3839    png_uint_32 x = png_exp(lg2);
3840 
3841    /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3842     * second, rounding, step can't overflow because of the first, subtraction,
3843     * step.
3844     */
3845    x -= x >> 8;
3846    return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff);
3847 }
3848 
3849 #ifdef PNG_16BIT_SUPPORTED
3850 static png_uint_16
3851 png_exp16bit(png_fixed_point lg2)
3852 {
3853    /* Get a 32-bit value: */
3854    png_uint_32 x = png_exp(lg2);
3855 
3856    /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3857    x -= x >> 16;
3858    return (png_uint_16)((x + 32767U) >> 16);
3859 }
3860 #endif /* 16BIT */
3861 #endif /* FLOATING_ARITHMETIC */
3862 
3863 png_byte
3864 png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3865 {
3866    if (value > 0 && value < 255)
3867    {
3868 #     ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3869          /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3870           * convert this to a floating point value.  This includes values that
3871           * would overflow if 'value' were to be converted to 'int'.
3872           *
3873           * Apparently GCC, however, does an intermediate conversion to (int)
3874           * on some (ARM) but not all (x86) platforms, possibly because of
3875           * hardware FP limitations.  (E.g. if the hardware conversion always
3876           * assumes the integer register contains a signed value.)  This results
3877           * in ANSI-C undefined behavior for large values.
3878           *
3879           * Other implementations on the same machine might actually be ANSI-C90
3880           * conformant and therefore compile spurious extra code for the large
3881           * values.
3882           *
3883           * We can be reasonably sure that an unsigned to float conversion
3884           * won't be faster than an int to float one.  Therefore this code
3885           * assumes responsibility for the undefined behavior, which it knows
3886           * can't happen because of the check above.
3887           *
3888           * Note the argument to this routine is an (unsigned int) because, on
3889           * 16-bit platforms, it is assigned a value which might be out of
3890           * range for an (int); that would result in undefined behavior in the
3891           * caller if the *argument* ('value') were to be declared (int).
3892           */
3893          double r = floor(255*pow((int)/*SAFE*/value/255.,gamma_val*.00001)+.5);
3894          return (png_byte)r;
3895 #     else
3896          png_int_32 lg2 = png_log8bit(value);
3897          png_fixed_point res;
3898 
3899          if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3900             return png_exp8bit(res);
3901 
3902          /* Overflow. */
3903          value = 0;
3904 #     endif
3905    }
3906 
3907    return (png_byte)(value & 0xff);
3908 }
3909 
3910 #ifdef PNG_16BIT_SUPPORTED
3911 png_uint_16
3912 png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3913 {
3914    if (value > 0 && value < 65535)
3915    {
3916 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3917       /* The same (unsigned int)->(double) constraints apply here as above,
3918        * however in this case the (unsigned int) to (int) conversion can
3919        * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3920        * that this is not possible.
3921        */
3922       double r = floor(65535*pow((png_int_32)value/65535.,
3923           gamma_val*.00001)+.5);
3924       return (png_uint_16)r;
3925 # else
3926       png_int_32 lg2 = png_log16bit(value);
3927       png_fixed_point res;
3928 
3929       if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != 0)
3930          return png_exp16bit(res);
3931 
3932       /* Overflow. */
3933       value = 0;
3934 # endif
3935    }
3936 
3937    return (png_uint_16)value;
3938 }
3939 #endif /* 16BIT */
3940 
3941 /* This does the right thing based on the bit_depth field of the
3942  * png_struct, interpreting values as 8-bit or 16-bit.  While the result
3943  * is nominally a 16-bit value if bit depth is 8 then the result is
3944  * 8-bit (as are the arguments.)
3945  */
3946 png_uint_16 /* PRIVATE */
3947 png_gamma_correct(png_structrp png_ptr, unsigned int value,
3948     png_fixed_point gamma_val)
3949 {
3950    if (png_ptr->bit_depth == 8)
3951       return png_gamma_8bit_correct(value, gamma_val);
3952 
3953 #ifdef PNG_16BIT_SUPPORTED
3954    else
3955       return png_gamma_16bit_correct(value, gamma_val);
3956 #else
3957       /* should not reach this */
3958       return 0;
3959 #endif /* 16BIT */
3960 }
3961 
3962 #ifdef PNG_16BIT_SUPPORTED
3963 /* Internal function to build a single 16-bit table - the table consists of
3964  * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3965  * to shift the input values right (or 16-number_of_signifiant_bits).
3966  *
3967  * The caller is responsible for ensuring that the table gets cleaned up on
3968  * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3969  * should be somewhere that will be cleaned.
3970  */
3971 static void
3972 png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
3973     unsigned int shift, png_fixed_point gamma_val)
3974 {
3975    /* Various values derived from 'shift': */
3976    unsigned int num = 1U << (8U - shift);
3977 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3978    /* CSE the division and work round wacky GCC warnings (see the comments
3979     * in png_gamma_8bit_correct for where these come from.)
3980     */
3981    double fmax = 1.0 / (((png_int_32)1 << (16U - shift)) - 1);
3982 #endif
3983    unsigned int max = (1U << (16U - shift)) - 1U;
3984    unsigned int max_by_2 = 1U << (15U - shift);
3985    unsigned int i;
3986 
3987    png_uint_16pp table = *ptable =
3988        (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
3989 
3990    for (i = 0; i < num; i++)
3991    {
3992       png_uint_16p sub_table = table[i] =
3993           (png_uint_16p)png_malloc(png_ptr, 256 * (sizeof (png_uint_16)));
3994 
3995       /* The 'threshold' test is repeated here because it can arise for one of
3996        * the 16-bit tables even if the others don't hit it.
3997        */
3998       if (png_gamma_significant(gamma_val) != 0)
3999       {
4000          /* The old code would overflow at the end and this would cause the
4001           * 'pow' function to return a result >1, resulting in an
4002           * arithmetic error.  This code follows the spec exactly; ig is
4003           * the recovered input sample, it always has 8-16 bits.
4004           *
4005           * We want input * 65535/max, rounded, the arithmetic fits in 32
4006           * bits (unsigned) so long as max <= 32767.
4007           */
4008          unsigned int j;
4009          for (j = 0; j < 256; j++)
4010          {
4011             png_uint_32 ig = (j << (8-shift)) + i;
4012 #           ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
4013                /* Inline the 'max' scaling operation: */
4014                /* See png_gamma_8bit_correct for why the cast to (int) is
4015                 * required here.
4016                 */
4017                double d = floor(65535.*pow(ig*fmax, gamma_val*.00001)+.5);
4018                sub_table[j] = (png_uint_16)d;
4019 #           else
4020                if (shift != 0)
4021                   ig = (ig * 65535U + max_by_2)/max;
4022 
4023                sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
4024 #           endif
4025          }
4026       }
4027       else
4028       {
4029          /* We must still build a table, but do it the fast way. */
4030          unsigned int j;
4031 
4032          for (j = 0; j < 256; j++)
4033          {
4034             png_uint_32 ig = (j << (8-shift)) + i;
4035 
4036             if (shift != 0)
4037                ig = (ig * 65535U + max_by_2)/max;
4038 
4039             sub_table[j] = (png_uint_16)ig;
4040          }
4041       }
4042    }
4043 }
4044 
4045 /* NOTE: this function expects the *inverse* of the overall gamma transformation
4046  * required.
4047  */
4048 static void
4049 png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
4050     unsigned int shift, png_fixed_point gamma_val)
4051 {
4052    unsigned int num = 1U << (8U - shift);
4053    unsigned int max = (1U << (16U - shift))-1U;
4054    unsigned int i;
4055    png_uint_32 last;
4056 
4057    png_uint_16pp table = *ptable =
4058        (png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4059 
4060    /* 'num' is the number of tables and also the number of low bits of low
4061     * bits of the input 16-bit value used to select a table.  Each table is
4062     * itself indexed by the high 8 bits of the value.
4063     */
4064    for (i = 0; i < num; i++)
4065       table[i] = (png_uint_16p)png_malloc(png_ptr,
4066           256 * (sizeof (png_uint_16)));
4067 
4068    /* 'gamma_val' is set to the reciprocal of the value calculated above, so
4069     * pow(out,g) is an *input* value.  'last' is the last input value set.
4070     *
4071     * In the loop 'i' is used to find output values.  Since the output is
4072     * 8-bit there are only 256 possible values.  The tables are set up to
4073     * select the closest possible output value for each input by finding
4074     * the input value at the boundary between each pair of output values
4075     * and filling the table up to that boundary with the lower output
4076     * value.
4077     *
4078     * The boundary values are 0.5,1.5..253.5,254.5.  Since these are 9-bit
4079     * values the code below uses a 16-bit value in i; the values start at
4080     * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4081     * entries are filled with 255).  Start i at 128 and fill all 'last'
4082     * table entries <= 'max'
4083     */
4084    last = 0;
4085    for (i = 0; i < 255; ++i) /* 8-bit output value */
4086    {
4087       /* Find the corresponding maximum input value */
4088       png_uint_16 out = (png_uint_16)(i * 257U); /* 16-bit output value */
4089 
4090       /* Find the boundary value in 16 bits: */
4091       png_uint_32 bound = png_gamma_16bit_correct(out+128U, gamma_val);
4092 
4093       /* Adjust (round) to (16-shift) bits: */
4094       bound = (bound * max + 32768U)/65535U + 1U;
4095 
4096       while (last < bound)
4097       {
4098          table[last & (0xffU >> shift)][last >> (8U - shift)] = out;
4099          last++;
4100       }
4101    }
4102 
4103    /* And fill in the final entries. */
4104    while (last < (num << 8))
4105    {
4106       table[last & (0xff >> shift)][last >> (8U - shift)] = 65535U;
4107       last++;
4108    }
4109 }
4110 #endif /* 16BIT */
4111 
4112 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4113  * typically much faster).  Note that libpng currently does no sBIT processing
4114  * (apparently contrary to the spec) so a 256-entry table is always generated.
4115  */
4116 static void
4117 png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4118     png_fixed_point gamma_val)
4119 {
4120    unsigned int i;
4121    png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, 256);
4122 
4123    if (png_gamma_significant(gamma_val) != 0)
4124       for (i=0; i<256; i++)
4125          table[i] = png_gamma_8bit_correct(i, gamma_val);
4126 
4127    else
4128       for (i=0; i<256; ++i)
4129          table[i] = (png_byte)(i & 0xff);
4130 }
4131 
4132 /* Used from png_read_destroy and below to release the memory used by the gamma
4133  * tables.
4134  */
4135 void /* PRIVATE */
4136 png_destroy_gamma_table(png_structrp png_ptr)
4137 {
4138    png_free(png_ptr, png_ptr->gamma_table);
4139    png_ptr->gamma_table = NULL;
4140 
4141 #ifdef PNG_16BIT_SUPPORTED
4142    if (png_ptr->gamma_16_table != NULL)
4143    {
4144       int i;
4145       int istop = (1 << (8 - png_ptr->gamma_shift));
4146       for (i = 0; i < istop; i++)
4147       {
4148          png_free(png_ptr, png_ptr->gamma_16_table[i]);
4149       }
4150    png_free(png_ptr, png_ptr->gamma_16_table);
4151    png_ptr->gamma_16_table = NULL;
4152    }
4153 #endif /* 16BIT */
4154 
4155 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4156    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4157    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4158    png_free(png_ptr, png_ptr->gamma_from_1);
4159    png_ptr->gamma_from_1 = NULL;
4160    png_free(png_ptr, png_ptr->gamma_to_1);
4161    png_ptr->gamma_to_1 = NULL;
4162 
4163 #ifdef PNG_16BIT_SUPPORTED
4164    if (png_ptr->gamma_16_from_1 != NULL)
4165    {
4166       int i;
4167       int istop = (1 << (8 - png_ptr->gamma_shift));
4168       for (i = 0; i < istop; i++)
4169       {
4170          png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4171       }
4172    png_free(png_ptr, png_ptr->gamma_16_from_1);
4173    png_ptr->gamma_16_from_1 = NULL;
4174    }
4175    if (png_ptr->gamma_16_to_1 != NULL)
4176    {
4177       int i;
4178       int istop = (1 << (8 - png_ptr->gamma_shift));
4179       for (i = 0; i < istop; i++)
4180       {
4181          png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4182       }
4183    png_free(png_ptr, png_ptr->gamma_16_to_1);
4184    png_ptr->gamma_16_to_1 = NULL;
4185    }
4186 #endif /* 16BIT */
4187 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4188 }
4189 
4190 /* We build the 8- or 16-bit gamma tables here.  Note that for 16-bit
4191  * tables, we don't make a full table if we are reducing to 8-bit in
4192  * the future.  Note also how the gamma_16 tables are segmented so that
4193  * we don't need to allocate > 64K chunks for a full 16-bit table.
4194  */
4195 void /* PRIVATE */
4196 png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4197 {
4198    png_debug(1, "in png_build_gamma_table");
4199 
4200    /* Remove any existing table; this copes with multiple calls to
4201     * png_read_update_info. The warning is because building the gamma tables
4202     * multiple times is a performance hit - it's harmless but the ability to
4203     * call png_read_update_info() multiple times is new in 1.5.6 so it seems
4204     * sensible to warn if the app introduces such a hit.
4205     */
4206    if (png_ptr->gamma_table != NULL || png_ptr->gamma_16_table != NULL)
4207    {
4208       png_warning(png_ptr, "gamma table being rebuilt");
4209       png_destroy_gamma_table(png_ptr);
4210    }
4211 
4212    if (bit_depth <= 8)
4213    {
4214       png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4215           png_ptr->screen_gamma > 0 ?
4216           png_reciprocal2(png_ptr->colorspace.gamma,
4217           png_ptr->screen_gamma) : PNG_FP_1);
4218 
4219 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4220    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4221    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4222       if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4223       {
4224          png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4225              png_reciprocal(png_ptr->colorspace.gamma));
4226 
4227          png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4228              png_ptr->screen_gamma > 0 ?
4229              png_reciprocal(png_ptr->screen_gamma) :
4230              png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4231       }
4232 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4233    }
4234 #ifdef PNG_16BIT_SUPPORTED
4235    else
4236    {
4237       png_byte shift, sig_bit;
4238 
4239       if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
4240       {
4241          sig_bit = png_ptr->sig_bit.red;
4242 
4243          if (png_ptr->sig_bit.green > sig_bit)
4244             sig_bit = png_ptr->sig_bit.green;
4245 
4246          if (png_ptr->sig_bit.blue > sig_bit)
4247             sig_bit = png_ptr->sig_bit.blue;
4248       }
4249       else
4250          sig_bit = png_ptr->sig_bit.gray;
4251 
4252       /* 16-bit gamma code uses this equation:
4253        *
4254        *   ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4255        *
4256        * Where 'iv' is the input color value and 'ov' is the output value -
4257        * pow(iv, gamma).
4258        *
4259        * Thus the gamma table consists of up to 256 256-entry tables.  The table
4260        * is selected by the (8-gamma_shift) most significant of the low 8 bits
4261        * of the color value then indexed by the upper 8 bits:
4262        *
4263        *   table[low bits][high 8 bits]
4264        *
4265        * So the table 'n' corresponds to all those 'iv' of:
4266        *
4267        *   <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4268        *
4269        */
4270       if (sig_bit > 0 && sig_bit < 16U)
4271          /* shift == insignificant bits */
4272          shift = (png_byte)((16U - sig_bit) & 0xff);
4273 
4274       else
4275          shift = 0; /* keep all 16 bits */
4276 
4277       if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4278       {
4279          /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4280           * the significant bits in the *input* when the output will
4281           * eventually be 8 bits.  By default it is 11.
4282           */
4283          if (shift < (16U - PNG_MAX_GAMMA_8))
4284             shift = (16U - PNG_MAX_GAMMA_8);
4285       }
4286 
4287       if (shift > 8U)
4288          shift = 8U; /* Guarantees at least one table! */
4289 
4290       png_ptr->gamma_shift = shift;
4291 
4292       /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4293        * PNG_COMPOSE).  This effectively smashed the background calculation for
4294        * 16-bit output because the 8-bit table assumes the result will be
4295        * reduced to 8 bits.
4296        */
4297       if ((png_ptr->transformations & (PNG_16_TO_8 | PNG_SCALE_16_TO_8)) != 0)
4298           png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4299           png_ptr->screen_gamma > 0 ? png_product2(png_ptr->colorspace.gamma,
4300           png_ptr->screen_gamma) : PNG_FP_1);
4301 
4302       else
4303           png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4304           png_ptr->screen_gamma > 0 ? png_reciprocal2(png_ptr->colorspace.gamma,
4305           png_ptr->screen_gamma) : PNG_FP_1);
4306 
4307 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4308    defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4309    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4310       if ((png_ptr->transformations & (PNG_COMPOSE | PNG_RGB_TO_GRAY)) != 0)
4311       {
4312          png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4313              png_reciprocal(png_ptr->colorspace.gamma));
4314 
4315          /* Notice that the '16 from 1' table should be full precision, however
4316           * the lookup on this table still uses gamma_shift, so it can't be.
4317           * TODO: fix this.
4318           */
4319          png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4320              png_ptr->screen_gamma > 0 ? png_reciprocal(png_ptr->screen_gamma) :
4321              png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4322       }
4323 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4324    }
4325 #endif /* 16BIT */
4326 }
4327 #endif /* READ_GAMMA */
4328 
4329 /* HARDWARE OR SOFTWARE OPTION SUPPORT */
4330 #ifdef PNG_SET_OPTION_SUPPORTED
4331 int PNGAPI
4332 png_set_option(png_structrp png_ptr, int option, int onoff)
4333 {
4334    if (png_ptr != NULL && option >= 0 && option < PNG_OPTION_NEXT &&
4335       (option & 1) == 0)
4336    {
4337       png_uint_32 mask = 3U << option;
4338       png_uint_32 setting = (2U + (onoff != 0)) << option;
4339       png_uint_32 current = png_ptr->options;
4340 
4341       png_ptr->options = (png_uint_32)((current & ~mask) | setting);
4342 
4343       return (int)(current & mask) >> option;
4344    }
4345 
4346    return PNG_OPTION_INVALID;
4347 }
4348 #endif
4349 
4350 /* sRGB support */
4351 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4352    defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4353 /* sRGB conversion tables; these are machine generated with the code in
4354  * contrib/tools/makesRGB.c.  The actual sRGB transfer curve defined in the
4355  * specification (see the article at https://en.wikipedia.org/wiki/SRGB)
4356  * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4357  * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4358  * The inverse (linear to sRGB) table has accuracies as follows:
4359  *
4360  * For all possible (255*65535+1) input values:
4361  *
4362  *    error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4363  *
4364  * For the input values corresponding to the 65536 16-bit values:
4365  *
4366  *    error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4367  *
4368  * In all cases the inexact readings are only off by one.
4369  */
4370 
4371 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4372 /* The convert-to-sRGB table is only currently required for read. */
4373 const png_uint_16 png_sRGB_table[256] =
4374 {
4375    0,20,40,60,80,99,119,139,
4376    159,179,199,219,241,264,288,313,
4377    340,367,396,427,458,491,526,562,
4378    599,637,677,718,761,805,851,898,
4379    947,997,1048,1101,1156,1212,1270,1330,
4380    1391,1453,1517,1583,1651,1720,1790,1863,
4381    1937,2013,2090,2170,2250,2333,2418,2504,
4382    2592,2681,2773,2866,2961,3058,3157,3258,
4383    3360,3464,3570,3678,3788,3900,4014,4129,
4384    4247,4366,4488,4611,4736,4864,4993,5124,
4385    5257,5392,5530,5669,5810,5953,6099,6246,
4386    6395,6547,6700,6856,7014,7174,7335,7500,
4387    7666,7834,8004,8177,8352,8528,8708,8889,
4388    9072,9258,9445,9635,9828,10022,10219,10417,
4389    10619,10822,11028,11235,11446,11658,11873,12090,
4390    12309,12530,12754,12980,13209,13440,13673,13909,
4391    14146,14387,14629,14874,15122,15371,15623,15878,
4392    16135,16394,16656,16920,17187,17456,17727,18001,
4393    18277,18556,18837,19121,19407,19696,19987,20281,
4394    20577,20876,21177,21481,21787,22096,22407,22721,
4395    23038,23357,23678,24002,24329,24658,24990,25325,
4396    25662,26001,26344,26688,27036,27386,27739,28094,
4397    28452,28813,29176,29542,29911,30282,30656,31033,
4398    31412,31794,32179,32567,32957,33350,33745,34143,
4399    34544,34948,35355,35764,36176,36591,37008,37429,
4400    37852,38278,38706,39138,39572,40009,40449,40891,
4401    41337,41785,42236,42690,43147,43606,44069,44534,
4402    45002,45473,45947,46423,46903,47385,47871,48359,
4403    48850,49344,49841,50341,50844,51349,51858,52369,
4404    52884,53401,53921,54445,54971,55500,56032,56567,
4405    57105,57646,58190,58737,59287,59840,60396,60955,
4406    61517,62082,62650,63221,63795,64372,64952,65535
4407 };
4408 #endif /* SIMPLIFIED_READ */
4409 
4410 /* The base/delta tables are required for both read and write (but currently
4411  * only the simplified versions.)
4412  */
4413 const png_uint_16 png_sRGB_base[512] =
4414 {
4415    128,1782,3383,4644,5675,6564,7357,8074,
4416    8732,9346,9921,10463,10977,11466,11935,12384,
4417    12816,13233,13634,14024,14402,14769,15125,15473,
4418    15812,16142,16466,16781,17090,17393,17690,17981,
4419    18266,18546,18822,19093,19359,19621,19879,20133,
4420    20383,20630,20873,21113,21349,21583,21813,22041,
4421    22265,22487,22707,22923,23138,23350,23559,23767,
4422    23972,24175,24376,24575,24772,24967,25160,25352,
4423    25542,25730,25916,26101,26284,26465,26645,26823,
4424    27000,27176,27350,27523,27695,27865,28034,28201,
4425    28368,28533,28697,28860,29021,29182,29341,29500,
4426    29657,29813,29969,30123,30276,30429,30580,30730,
4427    30880,31028,31176,31323,31469,31614,31758,31902,
4428    32045,32186,32327,32468,32607,32746,32884,33021,
4429    33158,33294,33429,33564,33697,33831,33963,34095,
4430    34226,34357,34486,34616,34744,34873,35000,35127,
4431    35253,35379,35504,35629,35753,35876,35999,36122,
4432    36244,36365,36486,36606,36726,36845,36964,37083,
4433    37201,37318,37435,37551,37668,37783,37898,38013,
4434    38127,38241,38354,38467,38580,38692,38803,38915,
4435    39026,39136,39246,39356,39465,39574,39682,39790,
4436    39898,40005,40112,40219,40325,40431,40537,40642,
4437    40747,40851,40955,41059,41163,41266,41369,41471,
4438    41573,41675,41777,41878,41979,42079,42179,42279,
4439    42379,42478,42577,42676,42775,42873,42971,43068,
4440    43165,43262,43359,43456,43552,43648,43743,43839,
4441    43934,44028,44123,44217,44311,44405,44499,44592,
4442    44685,44778,44870,44962,45054,45146,45238,45329,
4443    45420,45511,45601,45692,45782,45872,45961,46051,
4444    46140,46229,46318,46406,46494,46583,46670,46758,
4445    46846,46933,47020,47107,47193,47280,47366,47452,
4446    47538,47623,47709,47794,47879,47964,48048,48133,
4447    48217,48301,48385,48468,48552,48635,48718,48801,
4448    48884,48966,49048,49131,49213,49294,49376,49458,
4449    49539,49620,49701,49782,49862,49943,50023,50103,
4450    50183,50263,50342,50422,50501,50580,50659,50738,
4451    50816,50895,50973,51051,51129,51207,51285,51362,
4452    51439,51517,51594,51671,51747,51824,51900,51977,
4453    52053,52129,52205,52280,52356,52432,52507,52582,
4454    52657,52732,52807,52881,52956,53030,53104,53178,
4455    53252,53326,53400,53473,53546,53620,53693,53766,
4456    53839,53911,53984,54056,54129,54201,54273,54345,
4457    54417,54489,54560,54632,54703,54774,54845,54916,
4458    54987,55058,55129,55199,55269,55340,55410,55480,
4459    55550,55620,55689,55759,55828,55898,55967,56036,
4460    56105,56174,56243,56311,56380,56448,56517,56585,
4461    56653,56721,56789,56857,56924,56992,57059,57127,
4462    57194,57261,57328,57395,57462,57529,57595,57662,
4463    57728,57795,57861,57927,57993,58059,58125,58191,
4464    58256,58322,58387,58453,58518,58583,58648,58713,
4465    58778,58843,58908,58972,59037,59101,59165,59230,
4466    59294,59358,59422,59486,59549,59613,59677,59740,
4467    59804,59867,59930,59993,60056,60119,60182,60245,
4468    60308,60370,60433,60495,60558,60620,60682,60744,
4469    60806,60868,60930,60992,61054,61115,61177,61238,
4470    61300,61361,61422,61483,61544,61605,61666,61727,
4471    61788,61848,61909,61969,62030,62090,62150,62211,
4472    62271,62331,62391,62450,62510,62570,62630,62689,
4473    62749,62808,62867,62927,62986,63045,63104,63163,
4474    63222,63281,63340,63398,63457,63515,63574,63632,
4475    63691,63749,63807,63865,63923,63981,64039,64097,
4476    64155,64212,64270,64328,64385,64443,64500,64557,
4477    64614,64672,64729,64786,64843,64900,64956,65013,
4478    65070,65126,65183,65239,65296,65352,65409,65465
4479 };
4480 
4481 const png_byte png_sRGB_delta[512] =
4482 {
4483    207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4484    52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4485    35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4486    28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4487    23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4488    21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4489    19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4490    17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4491    16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4492    15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4493    14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4494    13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4495    12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4496    12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4497    11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4498    11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4499    11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4500    10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4501    10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4502    10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4503    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4504    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4505    9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4506    9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4507    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4508    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4509    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4510    8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4511    8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4512    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4513    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4514    7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4515 };
4516 #endif /* SIMPLIFIED READ/WRITE sRGB support */
4517 
4518 /* SIMPLIFIED READ/WRITE SUPPORT */
4519 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4520    defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4521 static int
4522 png_image_free_function(png_voidp argument)
4523 {
4524    png_imagep image = png_voidcast(png_imagep, argument);
4525    png_controlp cp = image->opaque;
4526    png_control c;
4527 
4528    /* Double check that we have a png_ptr - it should be impossible to get here
4529     * without one.
4530     */
4531    if (cp->png_ptr == NULL)
4532       return 0;
4533 
4534    /* First free any data held in the control structure. */
4535 #  ifdef PNG_STDIO_SUPPORTED
4536       if (cp->owned_file != 0)
4537       {
4538          FILE *fp = png_voidcast(FILE*, cp->png_ptr->io_ptr);
4539          cp->owned_file = 0;
4540 
4541          /* Ignore errors here. */
4542          if (fp != NULL)
4543          {
4544             cp->png_ptr->io_ptr = NULL;
4545             (void)fclose(fp);
4546          }
4547       }
4548 #  endif
4549 
4550    /* Copy the control structure so that the original, allocated, version can be
4551     * safely freed.  Notice that a png_error here stops the remainder of the
4552     * cleanup, but this is probably fine because that would indicate bad memory
4553     * problems anyway.
4554     */
4555    c = *cp;
4556    image->opaque = &c;
4557    png_free(c.png_ptr, cp);
4558 
4559    /* Then the structures, calling the correct API. */
4560    if (c.for_write != 0)
4561    {
4562 #     ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4563          png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4564 #     else
4565          png_error(c.png_ptr, "simplified write not supported");
4566 #     endif
4567    }
4568    else
4569    {
4570 #     ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4571          png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4572 #     else
4573          png_error(c.png_ptr, "simplified read not supported");
4574 #     endif
4575    }
4576 
4577    /* Success. */
4578    return 1;
4579 }
4580 
4581 void PNGAPI
4582 png_image_free(png_imagep image)
4583 {
4584    /* Safely call the real function, but only if doing so is safe at this point
4585     * (if not inside an error handling context).  Otherwise assume
4586     * png_safe_execute will call this API after the return.
4587     */
4588    if (image != NULL && image->opaque != NULL &&
4589       image->opaque->error_buf == NULL)
4590    {
4591       png_image_free_function(image);
4592       image->opaque = NULL;
4593    }
4594 }
4595 
4596 int /* PRIVATE */
4597 png_image_error(png_imagep image, png_const_charp error_message)
4598 {
4599    /* Utility to log an error. */
4600    png_safecat(image->message, (sizeof image->message), 0, error_message);
4601    image->warning_or_error |= PNG_IMAGE_ERROR;
4602    png_image_free(image);
4603    return 0;
4604 }
4605 
4606 #endif /* SIMPLIFIED READ/WRITE */
4607 #endif /* READ || WRITE */
4608