• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 
2 /* pngset.c - storage of image information into info struct
3  *
4  * Copyright (c) 2018-2022 Cosmin Truta
5  * Copyright (c) 1998-2018 Glenn Randers-Pehrson
6  * Copyright (c) 1996-1997 Andreas Dilger
7  * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8  *
9  * This code is released under the libpng license.
10  * For conditions of distribution and use, see the disclaimer
11  * and license in png.h
12  *
13  * The functions here are used during reads to store data from the file
14  * into the info struct, and during writes to store application data
15  * into the info struct for writing into the file.  This abstracts the
16  * info struct and allows us to change the structure in the future.
17  */
18 
19 #include "pngpriv.h"
20 
21 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
22 
23 #ifdef PNG_bKGD_SUPPORTED
24 void PNGAPI
png_set_bKGD(png_const_structrp png_ptr,png_inforp info_ptr,png_const_color_16p background)25 png_set_bKGD(png_const_structrp png_ptr, png_inforp info_ptr,
26     png_const_color_16p background)
27 {
28    png_debug1(1, "in %s storage function", "bKGD");
29 
30    if (png_ptr == NULL || info_ptr == NULL || background == NULL)
31       return;
32 
33    info_ptr->background = *background;
34    info_ptr->valid |= PNG_INFO_bKGD;
35 }
36 #endif
37 
38 #ifdef PNG_cHRM_SUPPORTED
39 void PNGFAPI
png_set_cHRM_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point white_x,png_fixed_point white_y,png_fixed_point red_x,png_fixed_point red_y,png_fixed_point green_x,png_fixed_point green_y,png_fixed_point blue_x,png_fixed_point blue_y)40 png_set_cHRM_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
41     png_fixed_point white_x, png_fixed_point white_y, png_fixed_point red_x,
42     png_fixed_point red_y, png_fixed_point green_x, png_fixed_point green_y,
43     png_fixed_point blue_x, png_fixed_point blue_y)
44 {
45    png_xy xy;
46 
47    png_debug1(1, "in %s storage function", "cHRM fixed");
48 
49    if (png_ptr == NULL || info_ptr == NULL)
50       return;
51 
52    xy.redx = red_x;
53    xy.redy = red_y;
54    xy.greenx = green_x;
55    xy.greeny = green_y;
56    xy.bluex = blue_x;
57    xy.bluey = blue_y;
58    xy.whitex = white_x;
59    xy.whitey = white_y;
60 
61    if (png_colorspace_set_chromaticities(png_ptr, &info_ptr->colorspace, &xy,
62        2/* override with app values*/) != 0)
63       info_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
64 
65    png_colorspace_sync_info(png_ptr, info_ptr);
66 }
67 
68 void PNGFAPI
png_set_cHRM_XYZ_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point int_red_X,png_fixed_point int_red_Y,png_fixed_point int_red_Z,png_fixed_point int_green_X,png_fixed_point int_green_Y,png_fixed_point int_green_Z,png_fixed_point int_blue_X,png_fixed_point int_blue_Y,png_fixed_point int_blue_Z)69 png_set_cHRM_XYZ_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
70     png_fixed_point int_red_X, png_fixed_point int_red_Y,
71     png_fixed_point int_red_Z, png_fixed_point int_green_X,
72     png_fixed_point int_green_Y, png_fixed_point int_green_Z,
73     png_fixed_point int_blue_X, png_fixed_point int_blue_Y,
74     png_fixed_point int_blue_Z)
75 {
76    png_XYZ XYZ;
77 
78    png_debug1(1, "in %s storage function", "cHRM XYZ fixed");
79 
80    if (png_ptr == NULL || info_ptr == NULL)
81       return;
82 
83    XYZ.red_X = int_red_X;
84    XYZ.red_Y = int_red_Y;
85    XYZ.red_Z = int_red_Z;
86    XYZ.green_X = int_green_X;
87    XYZ.green_Y = int_green_Y;
88    XYZ.green_Z = int_green_Z;
89    XYZ.blue_X = int_blue_X;
90    XYZ.blue_Y = int_blue_Y;
91    XYZ.blue_Z = int_blue_Z;
92 
93    if (png_colorspace_set_endpoints(png_ptr, &info_ptr->colorspace,
94        &XYZ, 2) != 0)
95       info_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
96 
97    png_colorspace_sync_info(png_ptr, info_ptr);
98 }
99 
100 #  ifdef PNG_FLOATING_POINT_SUPPORTED
101 void PNGAPI
png_set_cHRM(png_const_structrp png_ptr,png_inforp info_ptr,double white_x,double white_y,double red_x,double red_y,double green_x,double green_y,double blue_x,double blue_y)102 png_set_cHRM(png_const_structrp png_ptr, png_inforp info_ptr,
103     double white_x, double white_y, double red_x, double red_y,
104     double green_x, double green_y, double blue_x, double blue_y)
105 {
106    png_set_cHRM_fixed(png_ptr, info_ptr,
107        png_fixed(png_ptr, white_x, "cHRM White X"),
108        png_fixed(png_ptr, white_y, "cHRM White Y"),
109        png_fixed(png_ptr, red_x, "cHRM Red X"),
110        png_fixed(png_ptr, red_y, "cHRM Red Y"),
111        png_fixed(png_ptr, green_x, "cHRM Green X"),
112        png_fixed(png_ptr, green_y, "cHRM Green Y"),
113        png_fixed(png_ptr, blue_x, "cHRM Blue X"),
114        png_fixed(png_ptr, blue_y, "cHRM Blue Y"));
115 }
116 
117 void PNGAPI
png_set_cHRM_XYZ(png_const_structrp png_ptr,png_inforp info_ptr,double red_X,double red_Y,double red_Z,double green_X,double green_Y,double green_Z,double blue_X,double blue_Y,double blue_Z)118 png_set_cHRM_XYZ(png_const_structrp png_ptr, png_inforp info_ptr, double red_X,
119     double red_Y, double red_Z, double green_X, double green_Y, double green_Z,
120     double blue_X, double blue_Y, double blue_Z)
121 {
122    png_set_cHRM_XYZ_fixed(png_ptr, info_ptr,
123        png_fixed(png_ptr, red_X, "cHRM Red X"),
124        png_fixed(png_ptr, red_Y, "cHRM Red Y"),
125        png_fixed(png_ptr, red_Z, "cHRM Red Z"),
126        png_fixed(png_ptr, green_X, "cHRM Green X"),
127        png_fixed(png_ptr, green_Y, "cHRM Green Y"),
128        png_fixed(png_ptr, green_Z, "cHRM Green Z"),
129        png_fixed(png_ptr, blue_X, "cHRM Blue X"),
130        png_fixed(png_ptr, blue_Y, "cHRM Blue Y"),
131        png_fixed(png_ptr, blue_Z, "cHRM Blue Z"));
132 }
133 #  endif /* FLOATING_POINT */
134 
135 #endif /* cHRM */
136 
137 #ifdef PNG_eXIf_SUPPORTED
138 void PNGAPI
png_set_eXIf(png_const_structrp png_ptr,png_inforp info_ptr,png_bytep eXIf_buf)139 png_set_eXIf(png_const_structrp png_ptr, png_inforp info_ptr,
140     png_bytep eXIf_buf)
141 {
142   png_warning(png_ptr, "png_set_eXIf does not work; use png_set_eXIf_1");
143   PNG_UNUSED(info_ptr)
144   PNG_UNUSED(eXIf_buf)
145 }
146 
147 void PNGAPI
png_set_eXIf_1(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 num_exif,png_bytep eXIf_buf)148 png_set_eXIf_1(png_const_structrp png_ptr, png_inforp info_ptr,
149     png_uint_32 num_exif, png_bytep eXIf_buf)
150 {
151    int i;
152 
153    png_debug1(1, "in %s storage function", "eXIf");
154 
155    if (png_ptr == NULL || info_ptr == NULL)
156       return;
157 
158    if (info_ptr->exif)
159    {
160       png_free(png_ptr, info_ptr->exif);
161       info_ptr->exif = NULL;
162    }
163 
164    info_ptr->num_exif = num_exif;
165 
166    info_ptr->exif = png_voidcast(png_bytep, png_malloc_warn(png_ptr,
167        info_ptr->num_exif));
168 
169    if (info_ptr->exif == NULL)
170    {
171       png_warning(png_ptr, "Insufficient memory for eXIf chunk data");
172       return;
173    }
174 
175    info_ptr->free_me |= PNG_FREE_EXIF;
176 
177    for (i = 0; i < (int) info_ptr->num_exif; i++)
178       info_ptr->exif[i] = eXIf_buf[i];
179 
180    info_ptr->valid |= PNG_INFO_eXIf;
181 }
182 #endif /* eXIf */
183 
184 #ifdef PNG_gAMA_SUPPORTED
185 void PNGFAPI
png_set_gAMA_fixed(png_const_structrp png_ptr,png_inforp info_ptr,png_fixed_point file_gamma)186 png_set_gAMA_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
187     png_fixed_point file_gamma)
188 {
189    png_debug1(1, "in %s storage function", "gAMA");
190 
191    if (png_ptr == NULL || info_ptr == NULL)
192       return;
193 
194    png_colorspace_set_gamma(png_ptr, &info_ptr->colorspace, file_gamma);
195    png_colorspace_sync_info(png_ptr, info_ptr);
196 }
197 
198 #  ifdef PNG_FLOATING_POINT_SUPPORTED
199 void PNGAPI
png_set_gAMA(png_const_structrp png_ptr,png_inforp info_ptr,double file_gamma)200 png_set_gAMA(png_const_structrp png_ptr, png_inforp info_ptr, double file_gamma)
201 {
202    png_set_gAMA_fixed(png_ptr, info_ptr, png_fixed(png_ptr, file_gamma,
203        "png_set_gAMA"));
204 }
205 #  endif
206 #endif
207 
208 #ifdef PNG_hIST_SUPPORTED
209 void PNGAPI
png_set_hIST(png_const_structrp png_ptr,png_inforp info_ptr,png_const_uint_16p hist)210 png_set_hIST(png_const_structrp png_ptr, png_inforp info_ptr,
211     png_const_uint_16p hist)
212 {
213    int i;
214 
215    png_debug1(1, "in %s storage function", "hIST");
216 
217    if (png_ptr == NULL || info_ptr == NULL)
218       return;
219 
220    if (info_ptr->num_palette == 0 || info_ptr->num_palette
221        > PNG_MAX_PALETTE_LENGTH)
222    {
223       png_warning(png_ptr,
224           "Invalid palette size, hIST allocation skipped");
225 
226       return;
227    }
228 
229    png_free_data(png_ptr, info_ptr, PNG_FREE_HIST, 0);
230 
231    /* Changed from info->num_palette to PNG_MAX_PALETTE_LENGTH in
232     * version 1.2.1
233     */
234    info_ptr->hist = png_voidcast(png_uint_16p, png_malloc_warn(png_ptr,
235        PNG_MAX_PALETTE_LENGTH * (sizeof (png_uint_16))));
236 
237    if (info_ptr->hist == NULL)
238    {
239       png_warning(png_ptr, "Insufficient memory for hIST chunk data");
240 
241       return;
242    }
243 
244    info_ptr->free_me |= PNG_FREE_HIST;
245 
246    for (i = 0; i < info_ptr->num_palette; i++)
247       info_ptr->hist[i] = hist[i];
248 
249    info_ptr->valid |= PNG_INFO_hIST;
250 }
251 #endif
252 
253 void PNGAPI
png_set_IHDR(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 width,png_uint_32 height,int bit_depth,int color_type,int interlace_type,int compression_type,int filter_type)254 png_set_IHDR(png_const_structrp png_ptr, png_inforp info_ptr,
255     png_uint_32 width, png_uint_32 height, int bit_depth,
256     int color_type, int interlace_type, int compression_type,
257     int filter_type)
258 {
259    png_debug1(1, "in %s storage function", "IHDR");
260 
261    if (png_ptr == NULL || info_ptr == NULL)
262       return;
263 
264    info_ptr->width = width;
265    info_ptr->height = height;
266    info_ptr->bit_depth = (png_byte)bit_depth;
267    info_ptr->color_type = (png_byte)color_type;
268    info_ptr->compression_type = (png_byte)compression_type;
269    info_ptr->filter_type = (png_byte)filter_type;
270    info_ptr->interlace_type = (png_byte)interlace_type;
271 
272    png_check_IHDR (png_ptr, info_ptr->width, info_ptr->height,
273        info_ptr->bit_depth, info_ptr->color_type, info_ptr->interlace_type,
274        info_ptr->compression_type, info_ptr->filter_type);
275 
276    if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
277       info_ptr->channels = 1;
278 
279    else if ((info_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
280       info_ptr->channels = 3;
281 
282    else
283       info_ptr->channels = 1;
284 
285    if ((info_ptr->color_type & PNG_COLOR_MASK_ALPHA) != 0)
286       info_ptr->channels++;
287 
288    info_ptr->pixel_depth = (png_byte)(info_ptr->channels * info_ptr->bit_depth);
289 
290    info_ptr->rowbytes = PNG_ROWBYTES(info_ptr->pixel_depth, width);
291 }
292 
293 #ifdef PNG_oFFs_SUPPORTED
294 void PNGAPI
png_set_oFFs(png_const_structrp png_ptr,png_inforp info_ptr,png_int_32 offset_x,png_int_32 offset_y,int unit_type)295 png_set_oFFs(png_const_structrp png_ptr, png_inforp info_ptr,
296     png_int_32 offset_x, png_int_32 offset_y, int unit_type)
297 {
298    png_debug1(1, "in %s storage function", "oFFs");
299 
300    if (png_ptr == NULL || info_ptr == NULL)
301       return;
302 
303    info_ptr->x_offset = offset_x;
304    info_ptr->y_offset = offset_y;
305    info_ptr->offset_unit_type = (png_byte)unit_type;
306    info_ptr->valid |= PNG_INFO_oFFs;
307 }
308 #endif
309 
310 #ifdef PNG_pCAL_SUPPORTED
311 void PNGAPI
png_set_pCAL(png_const_structrp png_ptr,png_inforp info_ptr,png_const_charp purpose,png_int_32 X0,png_int_32 X1,int type,int nparams,png_const_charp units,png_charpp params)312 png_set_pCAL(png_const_structrp png_ptr, png_inforp info_ptr,
313     png_const_charp purpose, png_int_32 X0, png_int_32 X1, int type,
314     int nparams, png_const_charp units, png_charpp params)
315 {
316    size_t length;
317    int i;
318 
319    png_debug1(1, "in %s storage function", "pCAL");
320 
321    if (png_ptr == NULL || info_ptr == NULL || purpose == NULL || units == NULL
322        || (nparams > 0 && params == NULL))
323       return;
324 
325    length = strlen(purpose) + 1;
326    png_debug1(3, "allocating purpose for info (%lu bytes)",
327        (unsigned long)length);
328 
329    /* TODO: validate format of calibration name and unit name */
330 
331    /* Check that the type matches the specification. */
332    if (type < 0 || type > 3)
333    {
334       png_chunk_report(png_ptr, "Invalid pCAL equation type",
335             PNG_CHUNK_WRITE_ERROR);
336       return;
337    }
338 
339    if (nparams < 0 || nparams > 255)
340    {
341       png_chunk_report(png_ptr, "Invalid pCAL parameter count",
342             PNG_CHUNK_WRITE_ERROR);
343       return;
344    }
345 
346    /* Validate params[nparams] */
347    for (i=0; i<nparams; ++i)
348    {
349       if (params[i] == NULL ||
350           !png_check_fp_string(params[i], strlen(params[i])))
351       {
352          png_chunk_report(png_ptr, "Invalid format for pCAL parameter",
353                PNG_CHUNK_WRITE_ERROR);
354          return;
355       }
356    }
357 
358    info_ptr->pcal_purpose = png_voidcast(png_charp,
359        png_malloc_warn(png_ptr, length));
360 
361    if (info_ptr->pcal_purpose == NULL)
362    {
363       png_chunk_report(png_ptr, "Insufficient memory for pCAL purpose",
364             PNG_CHUNK_WRITE_ERROR);
365       return;
366    }
367 
368    memcpy(info_ptr->pcal_purpose, purpose, length);
369 
370    png_debug(3, "storing X0, X1, type, and nparams in info");
371    info_ptr->pcal_X0 = X0;
372    info_ptr->pcal_X1 = X1;
373    info_ptr->pcal_type = (png_byte)type;
374    info_ptr->pcal_nparams = (png_byte)nparams;
375 
376    length = strlen(units) + 1;
377    png_debug1(3, "allocating units for info (%lu bytes)",
378        (unsigned long)length);
379 
380    info_ptr->pcal_units = png_voidcast(png_charp,
381        png_malloc_warn(png_ptr, length));
382 
383    if (info_ptr->pcal_units == NULL)
384    {
385       png_warning(png_ptr, "Insufficient memory for pCAL units");
386 
387       return;
388    }
389 
390    memcpy(info_ptr->pcal_units, units, length);
391 
392    info_ptr->pcal_params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
393        (size_t)(((unsigned int)nparams + 1) * (sizeof (png_charp)))));
394 
395    if (info_ptr->pcal_params == NULL)
396    {
397       png_warning(png_ptr, "Insufficient memory for pCAL params");
398 
399       return;
400    }
401 
402    memset(info_ptr->pcal_params, 0, ((unsigned int)nparams + 1) *
403        (sizeof (png_charp)));
404 
405    for (i = 0; i < nparams; i++)
406    {
407       length = strlen(params[i]) + 1;
408       png_debug2(3, "allocating parameter %d for info (%lu bytes)", i,
409           (unsigned long)length);
410 
411       info_ptr->pcal_params[i] = (png_charp)png_malloc_warn(png_ptr, length);
412 
413       if (info_ptr->pcal_params[i] == NULL)
414       {
415          png_warning(png_ptr, "Insufficient memory for pCAL parameter");
416 
417          return;
418       }
419 
420       memcpy(info_ptr->pcal_params[i], params[i], length);
421    }
422 
423    info_ptr->valid |= PNG_INFO_pCAL;
424    info_ptr->free_me |= PNG_FREE_PCAL;
425 }
426 #endif
427 
428 #ifdef PNG_sCAL_SUPPORTED
429 void PNGAPI
png_set_sCAL_s(png_const_structrp png_ptr,png_inforp info_ptr,int unit,png_const_charp swidth,png_const_charp sheight)430 png_set_sCAL_s(png_const_structrp png_ptr, png_inforp info_ptr,
431     int unit, png_const_charp swidth, png_const_charp sheight)
432 {
433    size_t lengthw = 0, lengthh = 0;
434 
435    png_debug1(1, "in %s storage function", "sCAL");
436 
437    if (png_ptr == NULL || info_ptr == NULL)
438       return;
439 
440    /* Double check the unit (should never get here with an invalid
441     * unit unless this is an API call.)
442     */
443    if (unit != 1 && unit != 2)
444       png_error(png_ptr, "Invalid sCAL unit");
445 
446    if (swidth == NULL || (lengthw = strlen(swidth)) == 0 ||
447        swidth[0] == 45 /* '-' */ || !png_check_fp_string(swidth, lengthw))
448       png_error(png_ptr, "Invalid sCAL width");
449 
450    if (sheight == NULL || (lengthh = strlen(sheight)) == 0 ||
451        sheight[0] == 45 /* '-' */ || !png_check_fp_string(sheight, lengthh))
452       png_error(png_ptr, "Invalid sCAL height");
453 
454    info_ptr->scal_unit = (png_byte)unit;
455 
456    ++lengthw;
457 
458    png_debug1(3, "allocating unit for info (%u bytes)", (unsigned int)lengthw);
459 
460    info_ptr->scal_s_width = png_voidcast(png_charp,
461        png_malloc_warn(png_ptr, lengthw));
462 
463    if (info_ptr->scal_s_width == NULL)
464    {
465       png_warning(png_ptr, "Memory allocation failed while processing sCAL");
466 
467       return;
468    }
469 
470    memcpy(info_ptr->scal_s_width, swidth, lengthw);
471 
472    ++lengthh;
473 
474    png_debug1(3, "allocating unit for info (%u bytes)", (unsigned int)lengthh);
475 
476    info_ptr->scal_s_height = png_voidcast(png_charp,
477        png_malloc_warn(png_ptr, lengthh));
478 
479    if (info_ptr->scal_s_height == NULL)
480    {
481       png_free (png_ptr, info_ptr->scal_s_width);
482       info_ptr->scal_s_width = NULL;
483 
484       png_warning(png_ptr, "Memory allocation failed while processing sCAL");
485 
486       return;
487    }
488 
489    memcpy(info_ptr->scal_s_height, sheight, lengthh);
490 
491    info_ptr->valid |= PNG_INFO_sCAL;
492    info_ptr->free_me |= PNG_FREE_SCAL;
493 }
494 
495 #  ifdef PNG_FLOATING_POINT_SUPPORTED
496 void PNGAPI
png_set_sCAL(png_const_structrp png_ptr,png_inforp info_ptr,int unit,double width,double height)497 png_set_sCAL(png_const_structrp png_ptr, png_inforp info_ptr, int unit,
498     double width, double height)
499 {
500    png_debug1(1, "in %s storage function", "sCAL");
501 
502    /* Check the arguments. */
503    if (width <= 0)
504       png_warning(png_ptr, "Invalid sCAL width ignored");
505 
506    else if (height <= 0)
507       png_warning(png_ptr, "Invalid sCAL height ignored");
508 
509    else
510    {
511       /* Convert 'width' and 'height' to ASCII. */
512       char swidth[PNG_sCAL_MAX_DIGITS+1];
513       char sheight[PNG_sCAL_MAX_DIGITS+1];
514 
515       png_ascii_from_fp(png_ptr, swidth, (sizeof swidth), width,
516           PNG_sCAL_PRECISION);
517       png_ascii_from_fp(png_ptr, sheight, (sizeof sheight), height,
518           PNG_sCAL_PRECISION);
519 
520       png_set_sCAL_s(png_ptr, info_ptr, unit, swidth, sheight);
521    }
522 }
523 #  endif
524 
525 #  ifdef PNG_FIXED_POINT_SUPPORTED
526 void PNGAPI
png_set_sCAL_fixed(png_const_structrp png_ptr,png_inforp info_ptr,int unit,png_fixed_point width,png_fixed_point height)527 png_set_sCAL_fixed(png_const_structrp png_ptr, png_inforp info_ptr, int unit,
528     png_fixed_point width, png_fixed_point height)
529 {
530    png_debug1(1, "in %s storage function", "sCAL");
531 
532    /* Check the arguments. */
533    if (width <= 0)
534       png_warning(png_ptr, "Invalid sCAL width ignored");
535 
536    else if (height <= 0)
537       png_warning(png_ptr, "Invalid sCAL height ignored");
538 
539    else
540    {
541       /* Convert 'width' and 'height' to ASCII. */
542       char swidth[PNG_sCAL_MAX_DIGITS+1];
543       char sheight[PNG_sCAL_MAX_DIGITS+1];
544 
545       png_ascii_from_fixed(png_ptr, swidth, (sizeof swidth), width);
546       png_ascii_from_fixed(png_ptr, sheight, (sizeof sheight), height);
547 
548       png_set_sCAL_s(png_ptr, info_ptr, unit, swidth, sheight);
549    }
550 }
551 #  endif
552 #endif
553 
554 #ifdef PNG_pHYs_SUPPORTED
555 void PNGAPI
png_set_pHYs(png_const_structrp png_ptr,png_inforp info_ptr,png_uint_32 res_x,png_uint_32 res_y,int unit_type)556 png_set_pHYs(png_const_structrp png_ptr, png_inforp info_ptr,
557     png_uint_32 res_x, png_uint_32 res_y, int unit_type)
558 {
559    png_debug1(1, "in %s storage function", "pHYs");
560 
561    if (png_ptr == NULL || info_ptr == NULL)
562       return;
563 
564    info_ptr->x_pixels_per_unit = res_x;
565    info_ptr->y_pixels_per_unit = res_y;
566    info_ptr->phys_unit_type = (png_byte)unit_type;
567    info_ptr->valid |= PNG_INFO_pHYs;
568 }
569 #endif
570 
571 void PNGAPI
png_set_PLTE(png_structrp png_ptr,png_inforp info_ptr,png_const_colorp palette,int num_palette)572 png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
573     png_const_colorp palette, int num_palette)
574 {
575 
576    png_uint_32 max_palette_length;
577 
578    png_debug1(1, "in %s storage function", "PLTE");
579 
580    if (png_ptr == NULL || info_ptr == NULL)
581       return;
582 
583    max_palette_length = (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
584       (1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
585 
586    if (num_palette < 0 || num_palette > (int) max_palette_length)
587    {
588       if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
589          png_error(png_ptr, "Invalid palette length");
590 
591       else
592       {
593          png_warning(png_ptr, "Invalid palette length");
594 
595          return;
596       }
597    }
598 
599    if ((num_palette > 0 && palette == NULL) ||
600       (num_palette == 0
601 #        ifdef PNG_MNG_FEATURES_SUPPORTED
602             && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0
603 #        endif
604       ))
605    {
606       png_error(png_ptr, "Invalid palette");
607    }
608 
609    /* It may not actually be necessary to set png_ptr->palette here;
610     * we do it for backward compatibility with the way the png_handle_tRNS
611     * function used to do the allocation.
612     *
613     * 1.6.0: the above statement appears to be incorrect; something has to set
614     * the palette inside png_struct on read.
615     */
616    png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
617 
618    /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
619     * of num_palette entries, in case of an invalid PNG file or incorrect
620     * call to png_set_PLTE() with too-large sample values.
621     */
622    png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
623        PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
624 
625    if (num_palette > 0)
626       memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
627           (sizeof (png_color)));
628    info_ptr->palette = png_ptr->palette;
629    info_ptr->num_palette = png_ptr->num_palette = (png_uint_16)num_palette;
630 
631    info_ptr->free_me |= PNG_FREE_PLTE;
632 
633    info_ptr->valid |= PNG_INFO_PLTE;
634 }
635 
636 #ifdef PNG_sBIT_SUPPORTED
637 void PNGAPI
png_set_sBIT(png_const_structrp png_ptr,png_inforp info_ptr,png_const_color_8p sig_bit)638 png_set_sBIT(png_const_structrp png_ptr, png_inforp info_ptr,
639     png_const_color_8p sig_bit)
640 {
641    png_debug1(1, "in %s storage function", "sBIT");
642 
643    if (png_ptr == NULL || info_ptr == NULL || sig_bit == NULL)
644       return;
645 
646    info_ptr->sig_bit = *sig_bit;
647    info_ptr->valid |= PNG_INFO_sBIT;
648 }
649 #endif
650 
651 #ifdef PNG_sRGB_SUPPORTED
652 void PNGAPI
png_set_sRGB(png_const_structrp png_ptr,png_inforp info_ptr,int srgb_intent)653 png_set_sRGB(png_const_structrp png_ptr, png_inforp info_ptr, int srgb_intent)
654 {
655    png_debug1(1, "in %s storage function", "sRGB");
656 
657    if (png_ptr == NULL || info_ptr == NULL)
658       return;
659 
660    (void)png_colorspace_set_sRGB(png_ptr, &info_ptr->colorspace, srgb_intent);
661    png_colorspace_sync_info(png_ptr, info_ptr);
662 }
663 
664 void PNGAPI
png_set_sRGB_gAMA_and_cHRM(png_const_structrp png_ptr,png_inforp info_ptr,int srgb_intent)665 png_set_sRGB_gAMA_and_cHRM(png_const_structrp png_ptr, png_inforp info_ptr,
666     int srgb_intent)
667 {
668    png_debug1(1, "in %s storage function", "sRGB_gAMA_and_cHRM");
669 
670    if (png_ptr == NULL || info_ptr == NULL)
671       return;
672 
673    if (png_colorspace_set_sRGB(png_ptr, &info_ptr->colorspace,
674        srgb_intent) != 0)
675    {
676       /* This causes the gAMA and cHRM to be written too */
677       info_ptr->colorspace.flags |=
678          PNG_COLORSPACE_FROM_gAMA|PNG_COLORSPACE_FROM_cHRM;
679    }
680 
681    png_colorspace_sync_info(png_ptr, info_ptr);
682 }
683 #endif /* sRGB */
684 
685 
686 #ifdef PNG_iCCP_SUPPORTED
687 void PNGAPI
png_set_iCCP(png_const_structrp png_ptr,png_inforp info_ptr,png_const_charp name,int compression_type,png_const_bytep profile,png_uint_32 proflen)688 png_set_iCCP(png_const_structrp png_ptr, png_inforp info_ptr,
689     png_const_charp name, int compression_type,
690     png_const_bytep profile, png_uint_32 proflen)
691 {
692    png_charp new_iccp_name;
693    png_bytep new_iccp_profile;
694    size_t length;
695 
696    png_debug1(1, "in %s storage function", "iCCP");
697 
698    if (png_ptr == NULL || info_ptr == NULL || name == NULL || profile == NULL)
699       return;
700 
701    if (compression_type != PNG_COMPRESSION_TYPE_BASE)
702       png_app_error(png_ptr, "Invalid iCCP compression method");
703 
704    /* Set the colorspace first because this validates the profile; do not
705     * override previously set app cHRM or gAMA here (because likely as not the
706     * application knows better than libpng what the correct values are.)  Pass
707     * the info_ptr color_type field to png_colorspace_set_ICC because in the
708     * write case it has not yet been stored in png_ptr.
709     */
710    {
711       int result = png_colorspace_set_ICC(png_ptr, &info_ptr->colorspace, name,
712           proflen, profile, info_ptr->color_type);
713 
714       png_colorspace_sync_info(png_ptr, info_ptr);
715 
716       /* Don't do any of the copying if the profile was bad, or inconsistent. */
717       if (result == 0)
718          return;
719 
720       /* But do write the gAMA and cHRM chunks from the profile. */
721       info_ptr->colorspace.flags |=
722          PNG_COLORSPACE_FROM_gAMA|PNG_COLORSPACE_FROM_cHRM;
723    }
724 
725    length = strlen(name)+1;
726    new_iccp_name = png_voidcast(png_charp, png_malloc_warn(png_ptr, length));
727 
728    if (new_iccp_name == NULL)
729    {
730       png_benign_error(png_ptr, "Insufficient memory to process iCCP chunk");
731 
732       return;
733    }
734 
735    memcpy(new_iccp_name, name, length);
736    new_iccp_profile = png_voidcast(png_bytep,
737        png_malloc_warn(png_ptr, proflen));
738 
739    if (new_iccp_profile == NULL)
740    {
741       png_free(png_ptr, new_iccp_name);
742       png_benign_error(png_ptr,
743           "Insufficient memory to process iCCP profile");
744 
745       return;
746    }
747 
748    memcpy(new_iccp_profile, profile, proflen);
749 
750    png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, 0);
751 
752    info_ptr->iccp_proflen = proflen;
753    info_ptr->iccp_name = new_iccp_name;
754    info_ptr->iccp_profile = new_iccp_profile;
755    info_ptr->free_me |= PNG_FREE_ICCP;
756    info_ptr->valid |= PNG_INFO_iCCP;
757 }
758 #endif
759 
760 #ifdef PNG_TEXT_SUPPORTED
761 void PNGAPI
png_set_text(png_const_structrp png_ptr,png_inforp info_ptr,png_const_textp text_ptr,int num_text)762 png_set_text(png_const_structrp png_ptr, png_inforp info_ptr,
763     png_const_textp text_ptr, int num_text)
764 {
765    int ret;
766    ret = png_set_text_2(png_ptr, info_ptr, text_ptr, num_text);
767 
768    if (ret != 0)
769       png_error(png_ptr, "Insufficient memory to store text");
770 }
771 
772 int /* PRIVATE */
png_set_text_2(png_const_structrp png_ptr,png_inforp info_ptr,png_const_textp text_ptr,int num_text)773 png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
774     png_const_textp text_ptr, int num_text)
775 {
776    int i;
777 
778    png_debug1(1, "in %lx storage function", png_ptr == NULL ? 0xabadca11U :
779       (unsigned long)png_ptr->chunk_name);
780 
781    if (png_ptr == NULL || info_ptr == NULL || num_text <= 0 || text_ptr == NULL)
782       return(0);
783 
784    /* Make sure we have enough space in the "text" array in info_struct
785     * to hold all of the incoming text_ptr objects.  This compare can't overflow
786     * because max_text >= num_text (anyway, subtract of two positive integers
787     * can't overflow in any case.)
788     */
789    if (num_text > info_ptr->max_text - info_ptr->num_text)
790    {
791       int old_num_text = info_ptr->num_text;
792       int max_text;
793       png_textp new_text = NULL;
794 
795       /* Calculate an appropriate max_text, checking for overflow. */
796       max_text = old_num_text;
797       if (num_text <= INT_MAX - max_text)
798       {
799          max_text += num_text;
800 
801          /* Round up to a multiple of 8 */
802          if (max_text < INT_MAX-8)
803             max_text = (max_text + 8) & ~0x7;
804 
805          else
806             max_text = INT_MAX;
807 
808          /* Now allocate a new array and copy the old members in; this does all
809           * the overflow checks.
810           */
811          new_text = png_voidcast(png_textp,png_realloc_array(png_ptr,
812              info_ptr->text, old_num_text, max_text-old_num_text,
813              sizeof *new_text));
814       }
815 
816       if (new_text == NULL)
817       {
818          png_chunk_report(png_ptr, "too many text chunks",
819              PNG_CHUNK_WRITE_ERROR);
820 
821          return 1;
822       }
823 
824       png_free(png_ptr, info_ptr->text);
825 
826       info_ptr->text = new_text;
827       info_ptr->free_me |= PNG_FREE_TEXT;
828       info_ptr->max_text = max_text;
829       /* num_text is adjusted below as the entries are copied in */
830 
831       png_debug1(3, "allocated %d entries for info_ptr->text", max_text);
832    }
833 
834    for (i = 0; i < num_text; i++)
835    {
836       size_t text_length, key_len;
837       size_t lang_len, lang_key_len;
838       png_textp textp = &(info_ptr->text[info_ptr->num_text]);
839 
840       if (text_ptr[i].key == NULL)
841           continue;
842 
843       if (text_ptr[i].compression < PNG_TEXT_COMPRESSION_NONE ||
844           text_ptr[i].compression >= PNG_TEXT_COMPRESSION_LAST)
845       {
846          png_chunk_report(png_ptr, "text compression mode is out of range",
847              PNG_CHUNK_WRITE_ERROR);
848          continue;
849       }
850 
851       key_len = strlen(text_ptr[i].key);
852 
853       if (text_ptr[i].compression <= 0)
854       {
855          lang_len = 0;
856          lang_key_len = 0;
857       }
858 
859       else
860 #  ifdef PNG_iTXt_SUPPORTED
861       {
862          /* Set iTXt data */
863 
864          if (text_ptr[i].lang != NULL)
865             lang_len = strlen(text_ptr[i].lang);
866 
867          else
868             lang_len = 0;
869 
870          if (text_ptr[i].lang_key != NULL)
871             lang_key_len = strlen(text_ptr[i].lang_key);
872 
873          else
874             lang_key_len = 0;
875       }
876 #  else /* iTXt */
877       {
878          png_chunk_report(png_ptr, "iTXt chunk not supported",
879              PNG_CHUNK_WRITE_ERROR);
880          continue;
881       }
882 #  endif
883 
884       if (text_ptr[i].text == NULL || text_ptr[i].text[0] == '\0')
885       {
886          text_length = 0;
887 #  ifdef PNG_iTXt_SUPPORTED
888          if (text_ptr[i].compression > 0)
889             textp->compression = PNG_ITXT_COMPRESSION_NONE;
890 
891          else
892 #  endif
893             textp->compression = PNG_TEXT_COMPRESSION_NONE;
894       }
895 
896       else
897       {
898          text_length = strlen(text_ptr[i].text);
899          textp->compression = text_ptr[i].compression;
900       }
901 
902       textp->key = png_voidcast(png_charp,png_malloc_base(png_ptr,
903           key_len + text_length + lang_len + lang_key_len + 4));
904 
905       if (textp->key == NULL)
906       {
907          png_chunk_report(png_ptr, "text chunk: out of memory",
908              PNG_CHUNK_WRITE_ERROR);
909 
910          return 1;
911       }
912 
913       png_debug2(2, "Allocated %lu bytes at %p in png_set_text",
914           (unsigned long)(png_uint_32)
915           (key_len + lang_len + lang_key_len + text_length + 4),
916           textp->key);
917 
918       memcpy(textp->key, text_ptr[i].key, key_len);
919       *(textp->key + key_len) = '\0';
920 
921       if (text_ptr[i].compression > 0)
922       {
923          textp->lang = textp->key + key_len + 1;
924          memcpy(textp->lang, text_ptr[i].lang, lang_len);
925          *(textp->lang + lang_len) = '\0';
926          textp->lang_key = textp->lang + lang_len + 1;
927          memcpy(textp->lang_key, text_ptr[i].lang_key, lang_key_len);
928          *(textp->lang_key + lang_key_len) = '\0';
929          textp->text = textp->lang_key + lang_key_len + 1;
930       }
931 
932       else
933       {
934          textp->lang=NULL;
935          textp->lang_key=NULL;
936          textp->text = textp->key + key_len + 1;
937       }
938 
939       if (text_length != 0)
940          memcpy(textp->text, text_ptr[i].text, text_length);
941 
942       *(textp->text + text_length) = '\0';
943 
944 #  ifdef PNG_iTXt_SUPPORTED
945       if (textp->compression > 0)
946       {
947          textp->text_length = 0;
948          textp->itxt_length = text_length;
949       }
950 
951       else
952 #  endif
953       {
954          textp->text_length = text_length;
955          textp->itxt_length = 0;
956       }
957 
958       info_ptr->num_text++;
959       png_debug1(3, "transferred text chunk %d", info_ptr->num_text);
960    }
961 
962    return(0);
963 }
964 #endif
965 
966 #ifdef PNG_tIME_SUPPORTED
967 void PNGAPI
png_set_tIME(png_const_structrp png_ptr,png_inforp info_ptr,png_const_timep mod_time)968 png_set_tIME(png_const_structrp png_ptr, png_inforp info_ptr,
969     png_const_timep mod_time)
970 {
971    png_debug1(1, "in %s storage function", "tIME");
972 
973    if (png_ptr == NULL || info_ptr == NULL || mod_time == NULL ||
974        (png_ptr->mode & PNG_WROTE_tIME) != 0)
975       return;
976 
977    if (mod_time->month == 0   || mod_time->month > 12  ||
978        mod_time->day   == 0   || mod_time->day   > 31  ||
979        mod_time->hour  > 23   || mod_time->minute > 59 ||
980        mod_time->second > 60)
981    {
982       png_warning(png_ptr, "Ignoring invalid time value");
983 
984       return;
985    }
986 
987    info_ptr->mod_time = *mod_time;
988    info_ptr->valid |= PNG_INFO_tIME;
989 }
990 #endif
991 
992 #ifdef PNG_tRNS_SUPPORTED
993 void PNGAPI
png_set_tRNS(png_structrp png_ptr,png_inforp info_ptr,png_const_bytep trans_alpha,int num_trans,png_const_color_16p trans_color)994 png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr,
995     png_const_bytep trans_alpha, int num_trans, png_const_color_16p trans_color)
996 {
997    png_debug1(1, "in %s storage function", "tRNS");
998 
999    if (png_ptr == NULL || info_ptr == NULL)
1000 
1001       return;
1002 
1003    if (trans_alpha != NULL)
1004    {
1005        /* It may not actually be necessary to set png_ptr->trans_alpha here;
1006         * we do it for backward compatibility with the way the png_handle_tRNS
1007         * function used to do the allocation.
1008         *
1009         * 1.6.0: The above statement is incorrect; png_handle_tRNS effectively
1010         * relies on png_set_tRNS storing the information in png_struct
1011         * (otherwise it won't be there for the code in pngrtran.c).
1012         */
1013 
1014        png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
1015 
1016        if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
1017        {
1018          /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */
1019           info_ptr->trans_alpha = png_voidcast(png_bytep,
1020               png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
1021           memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
1022 
1023           info_ptr->valid |= PNG_INFO_tRNS;
1024           info_ptr->free_me |= PNG_FREE_TRNS;
1025        }
1026        png_ptr->trans_alpha = info_ptr->trans_alpha;
1027    }
1028 
1029    if (trans_color != NULL)
1030    {
1031 #ifdef PNG_WARNINGS_SUPPORTED
1032       if (info_ptr->bit_depth < 16)
1033       {
1034          int sample_max = (1 << info_ptr->bit_depth) - 1;
1035 
1036          if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY &&
1037              trans_color->gray > sample_max) ||
1038              (info_ptr->color_type == PNG_COLOR_TYPE_RGB &&
1039              (trans_color->red > sample_max ||
1040              trans_color->green > sample_max ||
1041              trans_color->blue > sample_max)))
1042             png_warning(png_ptr,
1043                 "tRNS chunk has out-of-range samples for bit_depth");
1044       }
1045 #endif
1046 
1047       info_ptr->trans_color = *trans_color;
1048 
1049       if (num_trans == 0)
1050          num_trans = 1;
1051    }
1052 
1053    info_ptr->num_trans = (png_uint_16)num_trans;
1054 
1055    if (num_trans != 0)
1056    {
1057       info_ptr->valid |= PNG_INFO_tRNS;
1058       info_ptr->free_me |= PNG_FREE_TRNS;
1059    }
1060 }
1061 #endif
1062 
1063 #ifdef PNG_sPLT_SUPPORTED
1064 void PNGAPI
png_set_sPLT(png_const_structrp png_ptr,png_inforp info_ptr,png_const_sPLT_tp entries,int nentries)1065 png_set_sPLT(png_const_structrp png_ptr,
1066     png_inforp info_ptr, png_const_sPLT_tp entries, int nentries)
1067 /*
1068  *  entries        - array of png_sPLT_t structures
1069  *                   to be added to the list of palettes
1070  *                   in the info structure.
1071  *
1072  *  nentries       - number of palette structures to be
1073  *                   added.
1074  */
1075 {
1076    png_sPLT_tp np;
1077 
1078    if (png_ptr == NULL || info_ptr == NULL || nentries <= 0 || entries == NULL)
1079       return;
1080 
1081    /* Use the internal realloc function, which checks for all the possible
1082     * overflows.  Notice that the parameters are (int) and (size_t)
1083     */
1084    np = png_voidcast(png_sPLT_tp,png_realloc_array(png_ptr,
1085        info_ptr->splt_palettes, info_ptr->splt_palettes_num, nentries,
1086        sizeof *np));
1087 
1088    if (np == NULL)
1089    {
1090       /* Out of memory or too many chunks */
1091       png_chunk_report(png_ptr, "too many sPLT chunks", PNG_CHUNK_WRITE_ERROR);
1092 
1093       return;
1094    }
1095 
1096    png_free(png_ptr, info_ptr->splt_palettes);
1097    info_ptr->splt_palettes = np;
1098    info_ptr->free_me |= PNG_FREE_SPLT;
1099 
1100    np += info_ptr->splt_palettes_num;
1101 
1102    do
1103    {
1104       size_t length;
1105 
1106       /* Skip invalid input entries */
1107       if (entries->name == NULL || entries->entries == NULL)
1108       {
1109          /* png_handle_sPLT doesn't do this, so this is an app error */
1110          png_app_error(png_ptr, "png_set_sPLT: invalid sPLT");
1111          /* Just skip the invalid entry */
1112          continue;
1113       }
1114 
1115       np->depth = entries->depth;
1116 
1117       /* In the event of out-of-memory just return - there's no point keeping
1118        * on trying to add sPLT chunks.
1119        */
1120       length = strlen(entries->name) + 1;
1121       np->name = png_voidcast(png_charp, png_malloc_base(png_ptr, length));
1122 
1123       if (np->name == NULL)
1124          break;
1125 
1126       memcpy(np->name, entries->name, length);
1127 
1128       /* IMPORTANT: we have memory now that won't get freed if something else
1129        * goes wrong; this code must free it.  png_malloc_array produces no
1130        * warnings; use a png_chunk_report (below) if there is an error.
1131        */
1132       np->entries = png_voidcast(png_sPLT_entryp, png_malloc_array(png_ptr,
1133           entries->nentries, sizeof (png_sPLT_entry)));
1134 
1135       if (np->entries == NULL)
1136       {
1137          png_free(png_ptr, np->name);
1138          np->name = NULL;
1139          break;
1140       }
1141 
1142       np->nentries = entries->nentries;
1143       /* This multiply can't overflow because png_malloc_array has already
1144        * checked it when doing the allocation.
1145        */
1146       memcpy(np->entries, entries->entries,
1147           (unsigned int)entries->nentries * sizeof (png_sPLT_entry));
1148 
1149       /* Note that 'continue' skips the advance of the out pointer and out
1150        * count, so an invalid entry is not added.
1151        */
1152       info_ptr->valid |= PNG_INFO_sPLT;
1153       ++(info_ptr->splt_palettes_num);
1154       ++np;
1155       ++entries;
1156    }
1157    while (--nentries);
1158 
1159    if (nentries > 0)
1160       png_chunk_report(png_ptr, "sPLT out of memory", PNG_CHUNK_WRITE_ERROR);
1161 }
1162 #endif /* sPLT */
1163 
1164 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
1165 static png_byte
check_location(png_const_structrp png_ptr,int location)1166 check_location(png_const_structrp png_ptr, int location)
1167 {
1168    location &= (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT);
1169 
1170    /* New in 1.6.0; copy the location and check it.  This is an API
1171     * change; previously the app had to use the
1172     * png_set_unknown_chunk_location API below for each chunk.
1173     */
1174    if (location == 0 && (png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1175    {
1176       /* Write struct, so unknown chunks come from the app */
1177       png_app_warning(png_ptr,
1178           "png_set_unknown_chunks now expects a valid location");
1179       /* Use the old behavior */
1180       location = (png_byte)(png_ptr->mode &
1181           (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT));
1182    }
1183 
1184    /* This need not be an internal error - if the app calls
1185     * png_set_unknown_chunks on a read pointer it must get the location right.
1186     */
1187    if (location == 0)
1188       png_error(png_ptr, "invalid location in png_set_unknown_chunks");
1189 
1190    /* Now reduce the location to the top-most set bit by removing each least
1191     * significant bit in turn.
1192     */
1193    while (location != (location & -location))
1194       location &= ~(location & -location);
1195 
1196    /* The cast is safe because 'location' is a bit mask and only the low four
1197     * bits are significant.
1198     */
1199    return (png_byte)location;
1200 }
1201 
1202 void PNGAPI
png_set_unknown_chunks(png_const_structrp png_ptr,png_inforp info_ptr,png_const_unknown_chunkp unknowns,int num_unknowns)1203 png_set_unknown_chunks(png_const_structrp png_ptr,
1204     png_inforp info_ptr, png_const_unknown_chunkp unknowns, int num_unknowns)
1205 {
1206    png_unknown_chunkp np;
1207 
1208    if (png_ptr == NULL || info_ptr == NULL || num_unknowns <= 0 ||
1209        unknowns == NULL)
1210       return;
1211 
1212    /* Check for the failure cases where support has been disabled at compile
1213     * time.  This code is hardly ever compiled - it's here because
1214     * STORE_UNKNOWN_CHUNKS is set by both read and write code (compiling in this
1215     * code) but may be meaningless if the read or write handling of unknown
1216     * chunks is not compiled in.
1217     */
1218 #  if !defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) && \
1219       defined(PNG_READ_SUPPORTED)
1220       if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
1221       {
1222          png_app_error(png_ptr, "no unknown chunk support on read");
1223 
1224          return;
1225       }
1226 #  endif
1227 #  if !defined(PNG_WRITE_UNKNOWN_CHUNKS_SUPPORTED) && \
1228       defined(PNG_WRITE_SUPPORTED)
1229       if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1230       {
1231          png_app_error(png_ptr, "no unknown chunk support on write");
1232 
1233          return;
1234       }
1235 #  endif
1236 
1237    /* Prior to 1.6.0 this code used png_malloc_warn; however, this meant that
1238     * unknown critical chunks could be lost with just a warning resulting in
1239     * undefined behavior.  Now png_chunk_report is used to provide behavior
1240     * appropriate to read or write.
1241     */
1242    np = png_voidcast(png_unknown_chunkp, png_realloc_array(png_ptr,
1243        info_ptr->unknown_chunks, info_ptr->unknown_chunks_num, num_unknowns,
1244        sizeof *np));
1245 
1246    if (np == NULL)
1247    {
1248       png_chunk_report(png_ptr, "too many unknown chunks",
1249           PNG_CHUNK_WRITE_ERROR);
1250 
1251       return;
1252    }
1253 
1254    png_free(png_ptr, info_ptr->unknown_chunks);
1255    info_ptr->unknown_chunks = np; /* safe because it is initialized */
1256    info_ptr->free_me |= PNG_FREE_UNKN;
1257 
1258    np += info_ptr->unknown_chunks_num;
1259 
1260    /* Increment unknown_chunks_num each time round the loop to protect the
1261     * just-allocated chunk data.
1262     */
1263    for (; num_unknowns > 0; --num_unknowns, ++unknowns)
1264    {
1265       memcpy(np->name, unknowns->name, (sizeof np->name));
1266       np->name[(sizeof np->name)-1] = '\0';
1267       np->location = check_location(png_ptr, unknowns->location);
1268 
1269       if (unknowns->size == 0)
1270       {
1271          np->data = NULL;
1272          np->size = 0;
1273       }
1274 
1275       else
1276       {
1277          np->data = png_voidcast(png_bytep,
1278              png_malloc_base(png_ptr, unknowns->size));
1279 
1280          if (np->data == NULL)
1281          {
1282             png_chunk_report(png_ptr, "unknown chunk: out of memory",
1283                 PNG_CHUNK_WRITE_ERROR);
1284             /* But just skip storing the unknown chunk */
1285             continue;
1286          }
1287 
1288          memcpy(np->data, unknowns->data, unknowns->size);
1289          np->size = unknowns->size;
1290       }
1291 
1292       /* These increments are skipped on out-of-memory for the data - the
1293        * unknown chunk entry gets overwritten if the png_chunk_report returns.
1294        * This is correct in the read case (the chunk is just dropped.)
1295        */
1296       ++np;
1297       ++(info_ptr->unknown_chunks_num);
1298    }
1299 }
1300 
1301 void PNGAPI
png_set_unknown_chunk_location(png_const_structrp png_ptr,png_inforp info_ptr,int chunk,int location)1302 png_set_unknown_chunk_location(png_const_structrp png_ptr, png_inforp info_ptr,
1303     int chunk, int location)
1304 {
1305    /* This API is pretty pointless in 1.6.0 because the location can be set
1306     * before the call to png_set_unknown_chunks.
1307     *
1308     * TODO: add a png_app_warning in 1.7
1309     */
1310    if (png_ptr != NULL && info_ptr != NULL && chunk >= 0 &&
1311       chunk < info_ptr->unknown_chunks_num)
1312    {
1313       if ((location & (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT)) == 0)
1314       {
1315          png_app_error(png_ptr, "invalid unknown chunk location");
1316          /* Fake out the pre 1.6.0 behavior: */
1317          if (((unsigned int)location & PNG_HAVE_IDAT) != 0) /* undocumented! */
1318             location = PNG_AFTER_IDAT;
1319 
1320          else
1321             location = PNG_HAVE_IHDR; /* also undocumented */
1322       }
1323 
1324       info_ptr->unknown_chunks[chunk].location =
1325          check_location(png_ptr, location);
1326    }
1327 }
1328 #endif /* STORE_UNKNOWN_CHUNKS */
1329 
1330 #ifdef PNG_MNG_FEATURES_SUPPORTED
1331 png_uint_32 PNGAPI
png_permit_mng_features(png_structrp png_ptr,png_uint_32 mng_features)1332 png_permit_mng_features(png_structrp png_ptr, png_uint_32 mng_features)
1333 {
1334    png_debug(1, "in png_permit_mng_features");
1335 
1336    if (png_ptr == NULL)
1337       return 0;
1338 
1339    png_ptr->mng_features_permitted = mng_features & PNG_ALL_MNG_FEATURES;
1340 
1341    return png_ptr->mng_features_permitted;
1342 }
1343 #endif
1344 
1345 #ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
1346 static unsigned int
add_one_chunk(png_bytep list,unsigned int count,png_const_bytep add,int keep)1347 add_one_chunk(png_bytep list, unsigned int count, png_const_bytep add, int keep)
1348 {
1349    unsigned int i;
1350 
1351    /* Utility function: update the 'keep' state of a chunk if it is already in
1352     * the list, otherwise add it to the list.
1353     */
1354    for (i=0; i<count; ++i, list += 5)
1355    {
1356       if (memcmp(list, add, 4) == 0)
1357       {
1358          list[4] = (png_byte)keep;
1359 
1360          return count;
1361       }
1362    }
1363 
1364    if (keep != PNG_HANDLE_CHUNK_AS_DEFAULT)
1365    {
1366       ++count;
1367       memcpy(list, add, 4);
1368       list[4] = (png_byte)keep;
1369    }
1370 
1371    return count;
1372 }
1373 
1374 void PNGAPI
png_set_keep_unknown_chunks(png_structrp png_ptr,int keep,png_const_bytep chunk_list,int num_chunks_in)1375 png_set_keep_unknown_chunks(png_structrp png_ptr, int keep,
1376     png_const_bytep chunk_list, int num_chunks_in)
1377 {
1378    png_bytep new_list;
1379    unsigned int num_chunks, old_num_chunks;
1380 
1381    if (png_ptr == NULL)
1382       return;
1383 
1384    if (keep < 0 || keep >= PNG_HANDLE_CHUNK_LAST)
1385    {
1386       png_app_error(png_ptr, "png_set_keep_unknown_chunks: invalid keep");
1387 
1388       return;
1389    }
1390 
1391    if (num_chunks_in <= 0)
1392    {
1393       png_ptr->unknown_default = keep;
1394 
1395       /* '0' means just set the flags, so stop here */
1396       if (num_chunks_in == 0)
1397         return;
1398    }
1399 
1400    if (num_chunks_in < 0)
1401    {
1402       /* Ignore all unknown chunks and all chunks recognized by
1403        * libpng except for IHDR, PLTE, tRNS, IDAT, and IEND
1404        */
1405       static const png_byte chunks_to_ignore[] = {
1406          98,  75,  71,  68, '\0',  /* bKGD */
1407          99,  72,  82,  77, '\0',  /* cHRM */
1408         101,  88,  73, 102, '\0',  /* eXIf */
1409         103,  65,  77,  65, '\0',  /* gAMA */
1410         104,  73,  83,  84, '\0',  /* hIST */
1411         105,  67,  67,  80, '\0',  /* iCCP */
1412         105,  84,  88, 116, '\0',  /* iTXt */
1413         111,  70,  70, 115, '\0',  /* oFFs */
1414         112,  67,  65,  76, '\0',  /* pCAL */
1415         112,  72,  89, 115, '\0',  /* pHYs */
1416         115,  66,  73,  84, '\0',  /* sBIT */
1417         115,  67,  65,  76, '\0',  /* sCAL */
1418         115,  80,  76,  84, '\0',  /* sPLT */
1419         115,  84,  69,  82, '\0',  /* sTER */
1420         115,  82,  71,  66, '\0',  /* sRGB */
1421         116,  69,  88, 116, '\0',  /* tEXt */
1422         116,  73,  77,  69, '\0',  /* tIME */
1423         122,  84,  88, 116, '\0'   /* zTXt */
1424       };
1425 
1426       chunk_list = chunks_to_ignore;
1427       num_chunks = (unsigned int)/*SAFE*/(sizeof chunks_to_ignore)/5U;
1428    }
1429 
1430    else /* num_chunks_in > 0 */
1431    {
1432       if (chunk_list == NULL)
1433       {
1434          /* Prior to 1.6.0 this was silently ignored, now it is an app_error
1435           * which can be switched off.
1436           */
1437          png_app_error(png_ptr, "png_set_keep_unknown_chunks: no chunk list");
1438 
1439          return;
1440       }
1441 
1442       num_chunks = (unsigned int)num_chunks_in;
1443    }
1444 
1445    old_num_chunks = png_ptr->num_chunk_list;
1446    if (png_ptr->chunk_list == NULL)
1447       old_num_chunks = 0;
1448 
1449    /* Since num_chunks is always restricted to UINT_MAX/5 this can't overflow.
1450     */
1451    if (num_chunks + old_num_chunks > UINT_MAX/5)
1452    {
1453       png_app_error(png_ptr, "png_set_keep_unknown_chunks: too many chunks");
1454 
1455       return;
1456    }
1457 
1458    /* If these chunks are being reset to the default then no more memory is
1459     * required because add_one_chunk above doesn't extend the list if the 'keep'
1460     * parameter is the default.
1461     */
1462    if (keep != 0)
1463    {
1464       new_list = png_voidcast(png_bytep, png_malloc(png_ptr,
1465           5 * (num_chunks + old_num_chunks)));
1466 
1467       if (old_num_chunks > 0)
1468          memcpy(new_list, png_ptr->chunk_list, 5*old_num_chunks);
1469    }
1470 
1471    else if (old_num_chunks > 0)
1472       new_list = png_ptr->chunk_list;
1473 
1474    else
1475       new_list = NULL;
1476 
1477    /* Add the new chunks together with each one's handling code.  If the chunk
1478     * already exists the code is updated, otherwise the chunk is added to the
1479     * end.  (In libpng 1.6.0 order no longer matters because this code enforces
1480     * the earlier convention that the last setting is the one that is used.)
1481     */
1482    if (new_list != NULL)
1483    {
1484       png_const_bytep inlist;
1485       png_bytep outlist;
1486       unsigned int i;
1487 
1488       for (i=0; i<num_chunks; ++i)
1489       {
1490          old_num_chunks = add_one_chunk(new_list, old_num_chunks,
1491              chunk_list+5*i, keep);
1492       }
1493 
1494       /* Now remove any spurious 'default' entries. */
1495       num_chunks = 0;
1496       for (i=0, inlist=outlist=new_list; i<old_num_chunks; ++i, inlist += 5)
1497       {
1498          if (inlist[4])
1499          {
1500             if (outlist != inlist)
1501                memcpy(outlist, inlist, 5);
1502             outlist += 5;
1503             ++num_chunks;
1504          }
1505       }
1506 
1507       /* This means the application has removed all the specialized handling. */
1508       if (num_chunks == 0)
1509       {
1510          if (png_ptr->chunk_list != new_list)
1511             png_free(png_ptr, new_list);
1512 
1513          new_list = NULL;
1514       }
1515    }
1516 
1517    else
1518       num_chunks = 0;
1519 
1520    png_ptr->num_chunk_list = num_chunks;
1521 
1522    if (png_ptr->chunk_list != new_list)
1523    {
1524       if (png_ptr->chunk_list != NULL)
1525          png_free(png_ptr, png_ptr->chunk_list);
1526 
1527       png_ptr->chunk_list = new_list;
1528    }
1529 }
1530 #endif
1531 
1532 #ifdef PNG_READ_USER_CHUNKS_SUPPORTED
1533 void PNGAPI
png_set_read_user_chunk_fn(png_structrp png_ptr,png_voidp user_chunk_ptr,png_user_chunk_ptr read_user_chunk_fn)1534 png_set_read_user_chunk_fn(png_structrp png_ptr, png_voidp user_chunk_ptr,
1535     png_user_chunk_ptr read_user_chunk_fn)
1536 {
1537    png_debug(1, "in png_set_read_user_chunk_fn");
1538 
1539    if (png_ptr == NULL)
1540       return;
1541 
1542    png_ptr->read_user_chunk_fn = read_user_chunk_fn;
1543    png_ptr->user_chunk_ptr = user_chunk_ptr;
1544 }
1545 #endif
1546 
1547 #ifdef PNG_INFO_IMAGE_SUPPORTED
1548 void PNGAPI
png_set_rows(png_const_structrp png_ptr,png_inforp info_ptr,png_bytepp row_pointers)1549 png_set_rows(png_const_structrp png_ptr, png_inforp info_ptr,
1550     png_bytepp row_pointers)
1551 {
1552    png_debug1(1, "in %s storage function", "rows");
1553 
1554    if (png_ptr == NULL || info_ptr == NULL)
1555       return;
1556 
1557    if (info_ptr->row_pointers != NULL &&
1558        (info_ptr->row_pointers != row_pointers))
1559       png_free_data(png_ptr, info_ptr, PNG_FREE_ROWS, 0);
1560 
1561    info_ptr->row_pointers = row_pointers;
1562 
1563    if (row_pointers != NULL)
1564       info_ptr->valid |= PNG_INFO_IDAT;
1565 }
1566 #endif
1567 
1568 void PNGAPI
png_set_compression_buffer_size(png_structrp png_ptr,size_t size)1569 png_set_compression_buffer_size(png_structrp png_ptr, size_t size)
1570 {
1571    if (png_ptr == NULL)
1572       return;
1573 
1574    if (size == 0 || size > PNG_UINT_31_MAX)
1575       png_error(png_ptr, "invalid compression buffer size");
1576 
1577 #  ifdef PNG_SEQUENTIAL_READ_SUPPORTED
1578    if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
1579    {
1580       png_ptr->IDAT_read_size = (png_uint_32)size; /* checked above */
1581       return;
1582    }
1583 #  endif
1584 
1585 #  ifdef PNG_WRITE_SUPPORTED
1586    if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1587    {
1588       if (png_ptr->zowner != 0)
1589       {
1590          png_warning(png_ptr,
1591              "Compression buffer size cannot be changed because it is in use");
1592 
1593          return;
1594       }
1595 
1596 #ifndef __COVERITY__
1597       /* Some compilers complain that this is always false.  However, it
1598        * can be true when integer overflow happens.
1599        */
1600       if (size > ZLIB_IO_MAX)
1601       {
1602          png_warning(png_ptr,
1603              "Compression buffer size limited to system maximum");
1604          size = ZLIB_IO_MAX; /* must fit */
1605       }
1606 #endif
1607 
1608       if (size < 6)
1609       {
1610          /* Deflate will potentially go into an infinite loop on a SYNC_FLUSH
1611           * if this is permitted.
1612           */
1613          png_warning(png_ptr,
1614              "Compression buffer size cannot be reduced below 6");
1615 
1616          return;
1617       }
1618 
1619       if (png_ptr->zbuffer_size != size)
1620       {
1621          png_free_buffer_list(png_ptr, &png_ptr->zbuffer_list);
1622          png_ptr->zbuffer_size = (uInt)size;
1623       }
1624    }
1625 #  endif
1626 }
1627 
1628 void PNGAPI
png_set_invalid(png_const_structrp png_ptr,png_inforp info_ptr,int mask)1629 png_set_invalid(png_const_structrp png_ptr, png_inforp info_ptr, int mask)
1630 {
1631    if (png_ptr != NULL && info_ptr != NULL)
1632       info_ptr->valid &= (unsigned int)(~mask);
1633 }
1634 
1635 
1636 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
1637 /* This function was added to libpng 1.2.6 */
1638 void PNGAPI
png_set_user_limits(png_structrp png_ptr,png_uint_32 user_width_max,png_uint_32 user_height_max)1639 png_set_user_limits(png_structrp png_ptr, png_uint_32 user_width_max,
1640     png_uint_32 user_height_max)
1641 {
1642    /* Images with dimensions larger than these limits will be
1643     * rejected by png_set_IHDR().  To accept any PNG datastream
1644     * regardless of dimensions, set both limits to 0x7fffffff.
1645     */
1646    if (png_ptr == NULL)
1647       return;
1648 
1649    png_ptr->user_width_max = user_width_max;
1650    png_ptr->user_height_max = user_height_max;
1651 }
1652 
1653 /* This function was added to libpng 1.4.0 */
1654 void PNGAPI
png_set_chunk_cache_max(png_structrp png_ptr,png_uint_32 user_chunk_cache_max)1655 png_set_chunk_cache_max(png_structrp png_ptr, png_uint_32 user_chunk_cache_max)
1656 {
1657    if (png_ptr != NULL)
1658       png_ptr->user_chunk_cache_max = user_chunk_cache_max;
1659 }
1660 
1661 /* This function was added to libpng 1.4.1 */
1662 void PNGAPI
png_set_chunk_malloc_max(png_structrp png_ptr,png_alloc_size_t user_chunk_malloc_max)1663 png_set_chunk_malloc_max(png_structrp png_ptr,
1664     png_alloc_size_t user_chunk_malloc_max)
1665 {
1666    if (png_ptr != NULL)
1667       png_ptr->user_chunk_malloc_max = user_chunk_malloc_max;
1668 }
1669 #endif /* ?SET_USER_LIMITS */
1670 
1671 
1672 #ifdef PNG_BENIGN_ERRORS_SUPPORTED
1673 void PNGAPI
png_set_benign_errors(png_structrp png_ptr,int allowed)1674 png_set_benign_errors(png_structrp png_ptr, int allowed)
1675 {
1676    png_debug(1, "in png_set_benign_errors");
1677 
1678    /* If allowed is 1, png_benign_error() is treated as a warning.
1679     *
1680     * If allowed is 0, png_benign_error() is treated as an error (which
1681     * is the default behavior if png_set_benign_errors() is not called).
1682     */
1683 
1684    if (allowed != 0)
1685       png_ptr->flags |= PNG_FLAG_BENIGN_ERRORS_WARN |
1686          PNG_FLAG_APP_WARNINGS_WARN | PNG_FLAG_APP_ERRORS_WARN;
1687 
1688    else
1689       png_ptr->flags &= ~(PNG_FLAG_BENIGN_ERRORS_WARN |
1690          PNG_FLAG_APP_WARNINGS_WARN | PNG_FLAG_APP_ERRORS_WARN);
1691 }
1692 #endif /* BENIGN_ERRORS */
1693 
1694 #ifdef PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED
1695    /* Whether to report invalid palette index; added at libng-1.5.10.
1696     * It is possible for an indexed (color-type==3) PNG file to contain
1697     * pixels with invalid (out-of-range) indexes if the PLTE chunk has
1698     * fewer entries than the image's bit-depth would allow. We recover
1699     * from this gracefully by filling any incomplete palette with zeros
1700     * (opaque black).  By default, when this occurs libpng will issue
1701     * a benign error.  This API can be used to override that behavior.
1702     */
1703 void PNGAPI
png_set_check_for_invalid_index(png_structrp png_ptr,int allowed)1704 png_set_check_for_invalid_index(png_structrp png_ptr, int allowed)
1705 {
1706    png_debug(1, "in png_set_check_for_invalid_index");
1707 
1708    if (allowed > 0)
1709       png_ptr->num_palette_max = 0;
1710 
1711    else
1712       png_ptr->num_palette_max = -1;
1713 }
1714 #endif
1715 
1716 #if defined(PNG_TEXT_SUPPORTED) || defined(PNG_pCAL_SUPPORTED) || \
1717     defined(PNG_iCCP_SUPPORTED) || defined(PNG_sPLT_SUPPORTED)
1718 /* Check that the tEXt or zTXt keyword is valid per PNG 1.0 specification,
1719  * and if invalid, correct the keyword rather than discarding the entire
1720  * chunk.  The PNG 1.0 specification requires keywords 1-79 characters in
1721  * length, forbids leading or trailing whitespace, multiple internal spaces,
1722  * and the non-break space (0x80) from ISO 8859-1.  Returns keyword length.
1723  *
1724  * The 'new_key' buffer must be 80 characters in size (for the keyword plus a
1725  * trailing '\0').  If this routine returns 0 then there was no keyword, or a
1726  * valid one could not be generated, and the caller must png_error.
1727  */
1728 png_uint_32 /* PRIVATE */
png_check_keyword(png_structrp png_ptr,png_const_charp key,png_bytep new_key)1729 png_check_keyword(png_structrp png_ptr, png_const_charp key, png_bytep new_key)
1730 {
1731 #ifdef PNG_WARNINGS_SUPPORTED
1732    png_const_charp orig_key = key;
1733 #endif
1734    png_uint_32 key_len = 0;
1735    int bad_character = 0;
1736    int space = 1;
1737 
1738    png_debug(1, "in png_check_keyword");
1739 
1740    if (key == NULL)
1741    {
1742       *new_key = 0;
1743       return 0;
1744    }
1745 
1746    while (*key && key_len < 79)
1747    {
1748       png_byte ch = (png_byte)*key++;
1749 
1750       if ((ch > 32 && ch <= 126) || (ch >= 161 /*&& ch <= 255*/))
1751       {
1752          *new_key++ = ch; ++key_len; space = 0;
1753       }
1754 
1755       else if (space == 0)
1756       {
1757          /* A space or an invalid character when one wasn't seen immediately
1758           * before; output just a space.
1759           */
1760          *new_key++ = 32; ++key_len; space = 1;
1761 
1762          /* If the character was not a space then it is invalid. */
1763          if (ch != 32)
1764             bad_character = ch;
1765       }
1766 
1767       else if (bad_character == 0)
1768          bad_character = ch; /* just skip it, record the first error */
1769    }
1770 
1771    if (key_len > 0 && space != 0) /* trailing space */
1772    {
1773       --key_len; --new_key;
1774       if (bad_character == 0)
1775          bad_character = 32;
1776    }
1777 
1778    /* Terminate the keyword */
1779    *new_key = 0;
1780 
1781    if (key_len == 0)
1782       return 0;
1783 
1784 #ifdef PNG_WARNINGS_SUPPORTED
1785    /* Try to only output one warning per keyword: */
1786    if (*key != 0) /* keyword too long */
1787       png_warning(png_ptr, "keyword truncated");
1788 
1789    else if (bad_character != 0)
1790    {
1791       PNG_WARNING_PARAMETERS(p)
1792 
1793       png_warning_parameter(p, 1, orig_key);
1794       png_warning_parameter_signed(p, 2, PNG_NUMBER_FORMAT_02x, bad_character);
1795 
1796       png_formatted_warning(png_ptr, p, "keyword \"@1\": bad character '0x@2'");
1797    }
1798 #else /* !WARNINGS */
1799    PNG_UNUSED(png_ptr)
1800 #endif /* !WARNINGS */
1801 
1802    return key_len;
1803 }
1804 #endif /* TEXT || pCAL || iCCP || sPLT */
1805 #endif /* READ || WRITE */
1806