• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 
2 /* pngwutil.c - utilities to write a PNG file
3  *
4  * Last changed in libpng 1.6.2 [April 25, 2013]
5  * Copyright (c) 1998-2013 Glenn Randers-Pehrson
6  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8  *
9  * This code is released under the libpng license.
10  * For conditions of distribution and use, see the disclaimer
11  * and license in png.h
12  */
13 
14 #include "pngpriv.h"
15 
16 #ifdef PNG_WRITE_SUPPORTED
17 
18 #ifdef PNG_WRITE_INT_FUNCTIONS_SUPPORTED
19 /* Place a 32-bit number into a buffer in PNG byte order.  We work
20  * with unsigned numbers for convenience, although one supported
21  * ancillary chunk uses signed (two's complement) numbers.
22  */
23 void PNGAPI
png_save_uint_32(png_bytep buf,png_uint_32 i)24 png_save_uint_32(png_bytep buf, png_uint_32 i)
25 {
26    buf[0] = (png_byte)((i >> 24) & 0xff);
27    buf[1] = (png_byte)((i >> 16) & 0xff);
28    buf[2] = (png_byte)((i >> 8) & 0xff);
29    buf[3] = (png_byte)(i & 0xff);
30 }
31 
32 /* Place a 16-bit number into a buffer in PNG byte order.
33  * The parameter is declared unsigned int, not png_uint_16,
34  * just to avoid potential problems on pre-ANSI C compilers.
35  */
36 void PNGAPI
png_save_uint_16(png_bytep buf,unsigned int i)37 png_save_uint_16(png_bytep buf, unsigned int i)
38 {
39    buf[0] = (png_byte)((i >> 8) & 0xff);
40    buf[1] = (png_byte)(i & 0xff);
41 }
42 #endif
43 
44 /* Simple function to write the signature.  If we have already written
45  * the magic bytes of the signature, or more likely, the PNG stream is
46  * being embedded into another stream and doesn't need its own signature,
47  * we should call png_set_sig_bytes() to tell libpng how many of the
48  * bytes have already been written.
49  */
50 void PNGAPI
png_write_sig(png_structrp png_ptr)51 png_write_sig(png_structrp png_ptr)
52 {
53    png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
54 
55 #ifdef PNG_IO_STATE_SUPPORTED
56    /* Inform the I/O callback that the signature is being written */
57    png_ptr->io_state = PNG_IO_WRITING | PNG_IO_SIGNATURE;
58 #endif
59 
60    /* Write the rest of the 8 byte signature */
61    png_write_data(png_ptr, &png_signature[png_ptr->sig_bytes],
62       (png_size_t)(8 - png_ptr->sig_bytes));
63 
64    if (png_ptr->sig_bytes < 3)
65       png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
66 }
67 
68 /* Write the start of a PNG chunk.  The type is the chunk type.
69  * The total_length is the sum of the lengths of all the data you will be
70  * passing in png_write_chunk_data().
71  */
72 static void
png_write_chunk_header(png_structrp png_ptr,png_uint_32 chunk_name,png_uint_32 length)73 png_write_chunk_header(png_structrp png_ptr, png_uint_32 chunk_name,
74     png_uint_32 length)
75 {
76    png_byte buf[8];
77 
78 #if defined(PNG_DEBUG) && (PNG_DEBUG > 0)
79    PNG_CSTRING_FROM_CHUNK(buf, chunk_name);
80    png_debug2(0, "Writing %s chunk, length = %lu", buf, (unsigned long)length);
81 #endif
82 
83    if (png_ptr == NULL)
84       return;
85 
86 #ifdef PNG_IO_STATE_SUPPORTED
87    /* Inform the I/O callback that the chunk header is being written.
88     * PNG_IO_CHUNK_HDR requires a single I/O call.
89     */
90    png_ptr->io_state = PNG_IO_WRITING | PNG_IO_CHUNK_HDR;
91 #endif
92 
93    /* Write the length and the chunk name */
94    png_save_uint_32(buf, length);
95    png_save_uint_32(buf + 4, chunk_name);
96    png_write_data(png_ptr, buf, 8);
97 
98    /* Put the chunk name into png_ptr->chunk_name */
99    png_ptr->chunk_name = chunk_name;
100 
101    /* Reset the crc and run it over the chunk name */
102    png_reset_crc(png_ptr);
103 
104    png_calculate_crc(png_ptr, buf + 4, 4);
105 
106 #ifdef PNG_IO_STATE_SUPPORTED
107    /* Inform the I/O callback that chunk data will (possibly) be written.
108     * PNG_IO_CHUNK_DATA does NOT require a specific number of I/O calls.
109     */
110    png_ptr->io_state = PNG_IO_WRITING | PNG_IO_CHUNK_DATA;
111 #endif
112 }
113 
114 void PNGAPI
png_write_chunk_start(png_structrp png_ptr,png_const_bytep chunk_string,png_uint_32 length)115 png_write_chunk_start(png_structrp png_ptr, png_const_bytep chunk_string,
116     png_uint_32 length)
117 {
118    png_write_chunk_header(png_ptr, PNG_CHUNK_FROM_STRING(chunk_string), length);
119 }
120 
121 /* Write the data of a PNG chunk started with png_write_chunk_header().
122  * Note that multiple calls to this function are allowed, and that the
123  * sum of the lengths from these calls *must* add up to the total_length
124  * given to png_write_chunk_header().
125  */
126 void PNGAPI
png_write_chunk_data(png_structrp png_ptr,png_const_bytep data,png_size_t length)127 png_write_chunk_data(png_structrp png_ptr, png_const_bytep data,
128     png_size_t length)
129 {
130    /* Write the data, and run the CRC over it */
131    if (png_ptr == NULL)
132       return;
133 
134    if (data != NULL && length > 0)
135    {
136       png_write_data(png_ptr, data, length);
137 
138       /* Update the CRC after writing the data,
139        * in case that the user I/O routine alters it.
140        */
141       png_calculate_crc(png_ptr, data, length);
142    }
143 }
144 
145 /* Finish a chunk started with png_write_chunk_header(). */
146 void PNGAPI
png_write_chunk_end(png_structrp png_ptr)147 png_write_chunk_end(png_structrp png_ptr)
148 {
149    png_byte buf[4];
150 
151    if (png_ptr == NULL) return;
152 
153 #ifdef PNG_IO_STATE_SUPPORTED
154    /* Inform the I/O callback that the chunk CRC is being written.
155     * PNG_IO_CHUNK_CRC requires a single I/O function call.
156     */
157    png_ptr->io_state = PNG_IO_WRITING | PNG_IO_CHUNK_CRC;
158 #endif
159 
160    /* Write the crc in a single operation */
161    png_save_uint_32(buf, png_ptr->crc);
162 
163    png_write_data(png_ptr, buf, (png_size_t)4);
164 }
165 
166 /* Write a PNG chunk all at once.  The type is an array of ASCII characters
167  * representing the chunk name.  The array must be at least 4 bytes in
168  * length, and does not need to be null terminated.  To be safe, pass the
169  * pre-defined chunk names here, and if you need a new one, define it
170  * where the others are defined.  The length is the length of the data.
171  * All the data must be present.  If that is not possible, use the
172  * png_write_chunk_start(), png_write_chunk_data(), and png_write_chunk_end()
173  * functions instead.
174  */
175 static void
png_write_complete_chunk(png_structrp png_ptr,png_uint_32 chunk_name,png_const_bytep data,png_size_t length)176 png_write_complete_chunk(png_structrp png_ptr, png_uint_32 chunk_name,
177    png_const_bytep data, png_size_t length)
178 {
179    if (png_ptr == NULL)
180       return;
181 
182    /* On 64 bit architectures 'length' may not fit in a png_uint_32. */
183    if (length > PNG_UINT_31_MAX)
184       png_error(png_ptr, "length exceeds PNG maxima");
185 
186    png_write_chunk_header(png_ptr, chunk_name, (png_uint_32)length);
187    png_write_chunk_data(png_ptr, data, length);
188    png_write_chunk_end(png_ptr);
189 }
190 
191 /* This is the API that calls the internal function above. */
192 void PNGAPI
png_write_chunk(png_structrp png_ptr,png_const_bytep chunk_string,png_const_bytep data,png_size_t length)193 png_write_chunk(png_structrp png_ptr, png_const_bytep chunk_string,
194    png_const_bytep data, png_size_t length)
195 {
196    png_write_complete_chunk(png_ptr, PNG_CHUNK_FROM_STRING(chunk_string), data,
197       length);
198 }
199 
200 /* This is used below to find the size of an image to pass to png_deflate_claim,
201  * so it only needs to be accurate if the size is less than 16384 bytes (the
202  * point at which a lower LZ window size can be used.)
203  */
204 static png_alloc_size_t
png_image_size(png_structrp png_ptr)205 png_image_size(png_structrp png_ptr)
206 {
207    /* Only return sizes up to the maximum of a png_uint_32, do this by limiting
208     * the width and height used to 15 bits.
209     */
210    png_uint_32 h = png_ptr->height;
211 
212    if (png_ptr->rowbytes < 32768 && h < 32768)
213    {
214       if (png_ptr->interlaced)
215       {
216          /* Interlacing makes the image larger because of the replication of
217           * both the filter byte and the padding to a byte boundary.
218           */
219          png_uint_32 w = png_ptr->width;
220          unsigned int pd = png_ptr->pixel_depth;
221          png_alloc_size_t cb_base;
222          int pass;
223 
224          for (cb_base=0, pass=0; pass<=6; ++pass)
225          {
226             png_uint_32 pw = PNG_PASS_COLS(w, pass);
227 
228             if (pw > 0)
229                cb_base += (PNG_ROWBYTES(pd, pw)+1) * PNG_PASS_ROWS(h, pass);
230          }
231 
232          return cb_base;
233       }
234 
235       else
236          return (png_ptr->rowbytes+1) * h;
237    }
238 
239    else
240       return 0xffffffffU;
241 }
242 
243 #ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED
244    /* This is the code to hack the first two bytes of the deflate stream (the
245     * deflate header) to correct the windowBits value to match the actual data
246     * size.  Note that the second argument is the *uncompressed* size but the
247     * first argument is the *compressed* data (and it must be deflate
248     * compressed.)
249     */
250 static void
optimize_cmf(png_bytep data,png_alloc_size_t data_size)251 optimize_cmf(png_bytep data, png_alloc_size_t data_size)
252 {
253    /* Optimize the CMF field in the zlib stream.  The resultant zlib stream is
254     * still compliant to the stream specification.
255     */
256    if (data_size <= 16384) /* else windowBits must be 15 */
257    {
258       unsigned int z_cmf = data[0];  /* zlib compression method and flags */
259 
260       if ((z_cmf & 0x0f) == 8 && (z_cmf & 0xf0) <= 0x70)
261       {
262          unsigned int z_cinfo;
263          unsigned int half_z_window_size;
264 
265          z_cinfo = z_cmf >> 4;
266          half_z_window_size = 1U << (z_cinfo + 7);
267 
268          if (data_size <= half_z_window_size) /* else no change */
269          {
270             unsigned int tmp;
271 
272             do
273             {
274                half_z_window_size >>= 1;
275                --z_cinfo;
276             }
277             while (z_cinfo > 0 && data_size <= half_z_window_size);
278 
279             z_cmf = (z_cmf & 0x0f) | (z_cinfo << 4);
280 
281             data[0] = (png_byte)z_cmf;
282             tmp = data[1] & 0xe0;
283             tmp += 0x1f - ((z_cmf << 8) + tmp) % 0x1f;
284             data[1] = (png_byte)tmp;
285          }
286       }
287    }
288 }
289 #else
290 #  define optimize_cmf(dp,dl) ((void)0)
291 #endif /* PNG_WRITE_OPTIMIZE_CMF_SUPPORTED */
292 
293 /* Initialize the compressor for the appropriate type of compression. */
294 static int
png_deflate_claim(png_structrp png_ptr,png_uint_32 owner,png_alloc_size_t data_size)295 png_deflate_claim(png_structrp png_ptr, png_uint_32 owner,
296    png_alloc_size_t data_size)
297 {
298    if (png_ptr->zowner != 0)
299    {
300       char msg[64];
301 
302       PNG_STRING_FROM_CHUNK(msg, owner);
303       msg[4] = ':';
304       msg[5] = ' ';
305       PNG_STRING_FROM_CHUNK(msg+6, png_ptr->zowner);
306       /* So the message that results is "<chunk> using zstream"; this is an
307        * internal error, but is very useful for debugging.  i18n requirements
308        * are minimal.
309        */
310       (void)png_safecat(msg, (sizeof msg), 10, " using zstream");
311 #     if PNG_LIBPNG_BUILD_BASE_TYPE >= PNG_LIBPNG_BUILD_RC
312          png_warning(png_ptr, msg);
313 
314          /* Attempt sane error recovery */
315          if (png_ptr->zowner == png_IDAT) /* don't steal from IDAT */
316          {
317             png_ptr->zstream.msg = PNGZ_MSG_CAST("in use by IDAT");
318             return Z_STREAM_ERROR;
319          }
320 
321          png_ptr->zowner = 0;
322 #     else
323          png_error(png_ptr, msg);
324 #     endif
325    }
326 
327    {
328       int level = png_ptr->zlib_level;
329       int method = png_ptr->zlib_method;
330       int windowBits = png_ptr->zlib_window_bits;
331       int memLevel = png_ptr->zlib_mem_level;
332       int strategy; /* set below */
333       int ret; /* zlib return code */
334 
335       if (owner == png_IDAT)
336       {
337          if (png_ptr->flags & PNG_FLAG_ZLIB_CUSTOM_STRATEGY)
338             strategy = png_ptr->zlib_strategy;
339 
340          else if (png_ptr->do_filter != PNG_FILTER_NONE)
341             strategy = PNG_Z_DEFAULT_STRATEGY;
342 
343          else
344             strategy = PNG_Z_DEFAULT_NOFILTER_STRATEGY;
345       }
346 
347       else
348       {
349 #        ifdef PNG_WRITE_CUSTOMIZE_ZTXT_COMPRESSION_SUPPORTED
350             level = png_ptr->zlib_text_level;
351             method = png_ptr->zlib_text_method;
352             windowBits = png_ptr->zlib_text_window_bits;
353             memLevel = png_ptr->zlib_text_mem_level;
354             strategy = png_ptr->zlib_text_strategy;
355 #        else
356             /* If customization is not supported the values all come from the
357              * IDAT values except for the strategy, which is fixed to the
358              * default.  (This is the pre-1.6.0 behavior too, although it was
359              * implemented in a very different way.)
360              */
361             strategy = Z_DEFAULT_STRATEGY;
362 #        endif
363       }
364 
365       /* Adjust 'windowBits' down if larger than 'data_size'; to stop this
366        * happening just pass 32768 as the data_size parameter.  Notice that zlib
367        * requires an extra 262 bytes in the window in addition to the data to be
368        * able to see the whole of the data, so if data_size+262 takes us to the
369        * next windowBits size we need to fix up the value later.  (Because even
370        * though deflate needs the extra window, inflate does not!)
371        */
372       if (data_size <= 16384)
373       {
374          /* IMPLEMENTATION NOTE: this 'half_window_size' stuff is only here to
375           * work round a Microsoft Visual C misbehavior which, contrary to C-90,
376           * widens the result of the following shift to 64-bits if (and,
377           * apparently, only if) it is used in a test.
378           */
379          unsigned int half_window_size = 1U << (windowBits-1);
380 
381          while (data_size + 262 <= half_window_size)
382          {
383             half_window_size >>= 1;
384             --windowBits;
385          }
386       }
387 
388       /* Check against the previous initialized values, if any. */
389       if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) &&
390          (png_ptr->zlib_set_level != level ||
391          png_ptr->zlib_set_method != method ||
392          png_ptr->zlib_set_window_bits != windowBits ||
393          png_ptr->zlib_set_mem_level != memLevel ||
394          png_ptr->zlib_set_strategy != strategy))
395       {
396          if (deflateEnd(&png_ptr->zstream) != Z_OK)
397             png_warning(png_ptr, "deflateEnd failed (ignored)");
398 
399          png_ptr->flags &= ~PNG_FLAG_ZSTREAM_INITIALIZED;
400       }
401 
402       /* For safety clear out the input and output pointers (currently zlib
403        * doesn't use them on Init, but it might in the future).
404        */
405       png_ptr->zstream.next_in = NULL;
406       png_ptr->zstream.avail_in = 0;
407       png_ptr->zstream.next_out = NULL;
408       png_ptr->zstream.avail_out = 0;
409 
410       /* Now initialize if required, setting the new parameters, otherwise just
411        * to a simple reset to the previous parameters.
412        */
413       if (png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED)
414          ret = deflateReset(&png_ptr->zstream);
415 
416       else
417       {
418          ret = deflateInit2(&png_ptr->zstream, level, method, windowBits,
419             memLevel, strategy);
420 
421          if (ret == Z_OK)
422             png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
423       }
424 
425       /* The return code is from either deflateReset or deflateInit2; they have
426        * pretty much the same set of error codes.
427        */
428       if (ret == Z_OK)
429          png_ptr->zowner = owner;
430 
431       else
432          png_zstream_error(png_ptr, ret);
433 
434       return ret;
435    }
436 }
437 
438 /* Clean up (or trim) a linked list of compression buffers. */
439 void /* PRIVATE */
png_free_buffer_list(png_structrp png_ptr,png_compression_bufferp * listp)440 png_free_buffer_list(png_structrp png_ptr, png_compression_bufferp *listp)
441 {
442    png_compression_bufferp list = *listp;
443 
444    if (list != NULL)
445    {
446       *listp = NULL;
447 
448       do
449       {
450          png_compression_bufferp next = list->next;
451 
452          png_free(png_ptr, list);
453          list = next;
454       }
455       while (list != NULL);
456    }
457 }
458 
459 #ifdef PNG_WRITE_COMPRESSED_TEXT_SUPPORTED
460 /* This pair of functions encapsulates the operation of (a) compressing a
461  * text string, and (b) issuing it later as a series of chunk data writes.
462  * The compression_state structure is shared context for these functions
463  * set up by the caller to allow access to the relevant local variables.
464  *
465  * compression_buffer (new in 1.6.0) is just a linked list of zbuffer_size
466  * temporary buffers.  From 1.6.0 it is retained in png_struct so that it will
467  * be correctly freed in the event of a write error (previous implementations
468  * just leaked memory.)
469  */
470 typedef struct
471 {
472    png_const_bytep      input;        /* The uncompressed input data */
473    png_alloc_size_t     input_len;    /* Its length */
474    png_uint_32          output_len;   /* Final compressed length */
475    png_byte             output[1024]; /* First block of output */
476 } compression_state;
477 
478 static void
png_text_compress_init(compression_state * comp,png_const_bytep input,png_alloc_size_t input_len)479 png_text_compress_init(compression_state *comp, png_const_bytep input,
480    png_alloc_size_t input_len)
481 {
482    comp->input = input;
483    comp->input_len = input_len;
484    comp->output_len = 0;
485 }
486 
487 /* Compress the data in the compression state input */
488 static int
png_text_compress(png_structrp png_ptr,png_uint_32 chunk_name,compression_state * comp,png_uint_32 prefix_len)489 png_text_compress(png_structrp png_ptr, png_uint_32 chunk_name,
490    compression_state *comp, png_uint_32 prefix_len)
491 {
492    int ret;
493 
494    /* To find the length of the output it is necessary to first compress the
495     * input, the result is buffered rather than using the two-pass algorithm
496     * that is used on the inflate side; deflate is assumed to be slower and a
497     * PNG writer is assumed to have more memory available than a PNG reader.
498     *
499     * IMPLEMENTATION NOTE: the zlib API deflateBound() can be used to find an
500     * upper limit on the output size, but it is always bigger than the input
501     * size so it is likely to be more efficient to use this linked-list
502     * approach.
503     */
504    ret = png_deflate_claim(png_ptr, chunk_name, comp->input_len);
505 
506    if (ret != Z_OK)
507       return ret;
508 
509    /* Set up the compression buffers, we need a loop here to avoid overflowing a
510     * uInt.  Use ZLIB_IO_MAX to limit the input.  The output is always limited
511     * by the output buffer size, so there is no need to check that.  Since this
512     * is ANSI-C we know that an 'int', hence a uInt, is always at least 16 bits
513     * in size.
514     */
515    {
516       png_compression_bufferp *end = &png_ptr->zbuffer_list;
517       png_alloc_size_t input_len = comp->input_len; /* may be zero! */
518       png_uint_32 output_len;
519 
520       /* zlib updates these for us: */
521       png_ptr->zstream.next_in = PNGZ_INPUT_CAST(comp->input);
522       png_ptr->zstream.avail_in = 0; /* Set below */
523       png_ptr->zstream.next_out = comp->output;
524       png_ptr->zstream.avail_out = (sizeof comp->output);
525 
526       output_len = png_ptr->zstream.avail_out;
527 
528       do
529       {
530          uInt avail_in = ZLIB_IO_MAX;
531 
532          if (avail_in > input_len)
533             avail_in = (uInt)input_len;
534 
535          input_len -= avail_in;
536 
537          png_ptr->zstream.avail_in = avail_in;
538 
539          if (png_ptr->zstream.avail_out == 0)
540          {
541             png_compression_buffer *next;
542 
543             /* Chunk data is limited to 2^31 bytes in length, so the prefix
544              * length must be counted here.
545              */
546             if (output_len + prefix_len > PNG_UINT_31_MAX)
547             {
548                ret = Z_MEM_ERROR;
549                break;
550             }
551 
552             /* Need a new (malloc'ed) buffer, but there may be one present
553              * already.
554              */
555             next = *end;
556             if (next == NULL)
557             {
558                next = png_voidcast(png_compression_bufferp, png_malloc_base
559                   (png_ptr, PNG_COMPRESSION_BUFFER_SIZE(png_ptr)));
560 
561                if (next == NULL)
562                {
563                   ret = Z_MEM_ERROR;
564                   break;
565                }
566 
567                /* Link in this buffer (so that it will be freed later) */
568                next->next = NULL;
569                *end = next;
570             }
571 
572             png_ptr->zstream.next_out = next->output;
573             png_ptr->zstream.avail_out = png_ptr->zbuffer_size;
574             output_len += png_ptr->zstream.avail_out;
575 
576             /* Move 'end' to the next buffer pointer. */
577             end = &next->next;
578          }
579 
580          /* Compress the data */
581          ret = deflate(&png_ptr->zstream,
582             input_len > 0 ? Z_NO_FLUSH : Z_FINISH);
583 
584          /* Claw back input data that was not consumed (because avail_in is
585           * reset above every time round the loop).
586           */
587          input_len += png_ptr->zstream.avail_in;
588          png_ptr->zstream.avail_in = 0; /* safety */
589       }
590       while (ret == Z_OK);
591 
592       /* There may be some space left in the last output buffer, this needs to
593        * be subtracted from output_len.
594        */
595       output_len -= png_ptr->zstream.avail_out;
596       png_ptr->zstream.avail_out = 0; /* safety */
597       comp->output_len = output_len;
598 
599       /* Now double check the output length, put in a custom message if it is
600        * too long.  Otherwise ensure the z_stream::msg pointer is set to
601        * something.
602        */
603       if (output_len + prefix_len >= PNG_UINT_31_MAX)
604       {
605          png_ptr->zstream.msg = PNGZ_MSG_CAST("compressed data too long");
606          ret = Z_MEM_ERROR;
607       }
608 
609       else
610          png_zstream_error(png_ptr, ret);
611 
612       /* Reset zlib for another zTXt/iTXt or image data */
613       png_ptr->zowner = 0;
614 
615       /* The only success case is Z_STREAM_END, input_len must be 0, if not this
616        * is an internal error.
617        */
618       if (ret == Z_STREAM_END && input_len == 0)
619       {
620          /* Fix up the deflate header, if required */
621          optimize_cmf(comp->output, comp->input_len);
622 
623          /* But Z_OK is returned, not Z_STREAM_END; this allows the claim
624           * function above to return Z_STREAM_END on an error (though it never
625           * does in the current versions of zlib.)
626           */
627          return Z_OK;
628       }
629 
630       else
631          return ret;
632    }
633 }
634 
635 /* Ship the compressed text out via chunk writes */
636 static void
png_write_compressed_data_out(png_structrp png_ptr,compression_state * comp)637 png_write_compressed_data_out(png_structrp png_ptr, compression_state *comp)
638 {
639    png_uint_32 output_len = comp->output_len;
640    png_const_bytep output = comp->output;
641    png_uint_32 avail = (sizeof comp->output);
642    png_compression_buffer *next = png_ptr->zbuffer_list;
643 
644    for (;;)
645    {
646       if (avail > output_len)
647          avail = output_len;
648 
649       png_write_chunk_data(png_ptr, output, avail);
650 
651       output_len -= avail;
652 
653       if (output_len == 0 || next == NULL)
654          break;
655 
656       avail = png_ptr->zbuffer_size;
657       output = next->output;
658       next = next->next;
659    }
660 
661    /* This is an internal error; 'next' must have been NULL! */
662    if (output_len > 0)
663       png_error(png_ptr, "error writing ancillary chunked compressed data");
664 }
665 #endif /* PNG_WRITE_COMPRESSED_TEXT_SUPPORTED */
666 
667 #if defined(PNG_WRITE_TEXT_SUPPORTED) || defined(PNG_WRITE_pCAL_SUPPORTED) || \
668     defined(PNG_WRITE_iCCP_SUPPORTED) || defined(PNG_WRITE_sPLT_SUPPORTED)
669 /* Check that the tEXt or zTXt keyword is valid per PNG 1.0 specification,
670  * and if invalid, correct the keyword rather than discarding the entire
671  * chunk.  The PNG 1.0 specification requires keywords 1-79 characters in
672  * length, forbids leading or trailing whitespace, multiple internal spaces,
673  * and the non-break space (0x80) from ISO 8859-1.  Returns keyword length.
674  *
675  * The 'new_key' buffer must be 80 characters in size (for the keyword plus a
676  * trailing '\0').  If this routine returns 0 then there was no keyword, or a
677  * valid one could not be generated, and the caller must png_error.
678  */
679 static png_uint_32
png_check_keyword(png_structrp png_ptr,png_const_charp key,png_bytep new_key)680 png_check_keyword(png_structrp png_ptr, png_const_charp key, png_bytep new_key)
681 {
682    png_const_charp orig_key = key;
683    png_uint_32 key_len = 0;
684    int bad_character = 0;
685    int space = 1;
686 
687    png_debug(1, "in png_check_keyword");
688 
689    if (key == NULL)
690    {
691       *new_key = 0;
692       return 0;
693    }
694 
695    while (*key && key_len < 79)
696    {
697       png_byte ch = (png_byte)(0xff & *key++);
698 
699       if ((ch > 32 && ch <= 126) || (ch >= 161 /*&& ch <= 255*/))
700          *new_key++ = ch, ++key_len, space = 0;
701 
702       else if (!space)
703       {
704          /* A space or an invalid character when one wasn't seen immediately
705           * before; output just a space.
706           */
707          *new_key++ = 32, ++key_len, space = 1;
708 
709          /* If the character was not a space then it is invalid. */
710          if (ch != 32)
711             bad_character = ch;
712       }
713 
714       else if (!bad_character)
715          bad_character = ch; /* just skip it, record the first error */
716    }
717 
718    if (key_len > 0 && space) /* trailing space */
719    {
720       --key_len, --new_key;
721       if (!bad_character)
722          bad_character = 32;
723    }
724 
725    /* Terminate the keyword */
726    *new_key = 0;
727 
728    if (key_len == 0)
729       return 0;
730 
731    /* Try to only output one warning per keyword: */
732    if (*key) /* keyword too long */
733       png_warning(png_ptr, "keyword truncated");
734 
735    else if (bad_character)
736    {
737       PNG_WARNING_PARAMETERS(p)
738 
739       png_warning_parameter(p, 1, orig_key);
740       png_warning_parameter_signed(p, 2, PNG_NUMBER_FORMAT_02x, bad_character);
741 
742       png_formatted_warning(png_ptr, p, "keyword \"@1\": bad character '0x@2'");
743    }
744 
745    return key_len;
746 }
747 #endif
748 
749 /* Write the IHDR chunk, and update the png_struct with the necessary
750  * information.  Note that the rest of this code depends upon this
751  * information being correct.
752  */
753 void /* PRIVATE */
png_write_IHDR(png_structrp png_ptr,png_uint_32 width,png_uint_32 height,int bit_depth,int color_type,int compression_type,int filter_type,int interlace_type)754 png_write_IHDR(png_structrp png_ptr, png_uint_32 width, png_uint_32 height,
755     int bit_depth, int color_type, int compression_type, int filter_type,
756     int interlace_type)
757 {
758    png_byte buf[13]; /* Buffer to store the IHDR info */
759 
760    png_debug(1, "in png_write_IHDR");
761 
762    /* Check that we have valid input data from the application info */
763    switch (color_type)
764    {
765       case PNG_COLOR_TYPE_GRAY:
766          switch (bit_depth)
767          {
768             case 1:
769             case 2:
770             case 4:
771             case 8:
772 #ifdef PNG_WRITE_16BIT_SUPPORTED
773             case 16:
774 #endif
775                png_ptr->channels = 1; break;
776 
777             default:
778                png_error(png_ptr,
779                    "Invalid bit depth for grayscale image");
780          }
781          break;
782 
783       case PNG_COLOR_TYPE_RGB:
784 #ifdef PNG_WRITE_16BIT_SUPPORTED
785          if (bit_depth != 8 && bit_depth != 16)
786 #else
787          if (bit_depth != 8)
788 #endif
789             png_error(png_ptr, "Invalid bit depth for RGB image");
790 
791          png_ptr->channels = 3;
792          break;
793 
794       case PNG_COLOR_TYPE_PALETTE:
795          switch (bit_depth)
796          {
797             case 1:
798             case 2:
799             case 4:
800             case 8:
801                png_ptr->channels = 1;
802                break;
803 
804             default:
805                png_error(png_ptr, "Invalid bit depth for paletted image");
806          }
807          break;
808 
809       case PNG_COLOR_TYPE_GRAY_ALPHA:
810          if (bit_depth != 8 && bit_depth != 16)
811             png_error(png_ptr, "Invalid bit depth for grayscale+alpha image");
812 
813          png_ptr->channels = 2;
814          break;
815 
816       case PNG_COLOR_TYPE_RGB_ALPHA:
817 #ifdef PNG_WRITE_16BIT_SUPPORTED
818          if (bit_depth != 8 && bit_depth != 16)
819 #else
820          if (bit_depth != 8)
821 #endif
822             png_error(png_ptr, "Invalid bit depth for RGBA image");
823 
824          png_ptr->channels = 4;
825          break;
826 
827       default:
828          png_error(png_ptr, "Invalid image color type specified");
829    }
830 
831    if (compression_type != PNG_COMPRESSION_TYPE_BASE)
832    {
833       png_warning(png_ptr, "Invalid compression type specified");
834       compression_type = PNG_COMPRESSION_TYPE_BASE;
835    }
836 
837    /* Write filter_method 64 (intrapixel differencing) only if
838     * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
839     * 2. Libpng did not write a PNG signature (this filter_method is only
840     *    used in PNG datastreams that are embedded in MNG datastreams) and
841     * 3. The application called png_permit_mng_features with a mask that
842     *    included PNG_FLAG_MNG_FILTER_64 and
843     * 4. The filter_method is 64 and
844     * 5. The color_type is RGB or RGBA
845     */
846    if (
847 #ifdef PNG_MNG_FEATURES_SUPPORTED
848        !((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) &&
849        ((png_ptr->mode&PNG_HAVE_PNG_SIGNATURE) == 0) &&
850        (color_type == PNG_COLOR_TYPE_RGB ||
851         color_type == PNG_COLOR_TYPE_RGB_ALPHA) &&
852        (filter_type == PNG_INTRAPIXEL_DIFFERENCING)) &&
853 #endif
854        filter_type != PNG_FILTER_TYPE_BASE)
855    {
856       png_warning(png_ptr, "Invalid filter type specified");
857       filter_type = PNG_FILTER_TYPE_BASE;
858    }
859 
860 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
861    if (interlace_type != PNG_INTERLACE_NONE &&
862        interlace_type != PNG_INTERLACE_ADAM7)
863    {
864       png_warning(png_ptr, "Invalid interlace type specified");
865       interlace_type = PNG_INTERLACE_ADAM7;
866    }
867 #else
868    interlace_type=PNG_INTERLACE_NONE;
869 #endif
870 
871    /* Save the relevent information */
872    png_ptr->bit_depth = (png_byte)bit_depth;
873    png_ptr->color_type = (png_byte)color_type;
874    png_ptr->interlaced = (png_byte)interlace_type;
875 #ifdef PNG_MNG_FEATURES_SUPPORTED
876    png_ptr->filter_type = (png_byte)filter_type;
877 #endif
878    png_ptr->compression_type = (png_byte)compression_type;
879    png_ptr->width = width;
880    png_ptr->height = height;
881 
882    png_ptr->pixel_depth = (png_byte)(bit_depth * png_ptr->channels);
883    png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, width);
884    /* Set the usr info, so any transformations can modify it */
885    png_ptr->usr_width = png_ptr->width;
886    png_ptr->usr_bit_depth = png_ptr->bit_depth;
887    png_ptr->usr_channels = png_ptr->channels;
888 
889    /* Pack the header information into the buffer */
890    png_save_uint_32(buf, width);
891    png_save_uint_32(buf + 4, height);
892    buf[8] = (png_byte)bit_depth;
893    buf[9] = (png_byte)color_type;
894    buf[10] = (png_byte)compression_type;
895    buf[11] = (png_byte)filter_type;
896    buf[12] = (png_byte)interlace_type;
897 
898    /* Write the chunk */
899    png_write_complete_chunk(png_ptr, png_IHDR, buf, (png_size_t)13);
900 
901    if (!(png_ptr->do_filter))
902    {
903       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE ||
904           png_ptr->bit_depth < 8)
905          png_ptr->do_filter = PNG_FILTER_NONE;
906 
907       else
908          png_ptr->do_filter = PNG_ALL_FILTERS;
909    }
910 
911    png_ptr->mode = PNG_HAVE_IHDR; /* not READY_FOR_ZTXT */
912 }
913 
914 /* Write the palette.  We are careful not to trust png_color to be in the
915  * correct order for PNG, so people can redefine it to any convenient
916  * structure.
917  */
918 void /* PRIVATE */
png_write_PLTE(png_structrp png_ptr,png_const_colorp palette,png_uint_32 num_pal)919 png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
920     png_uint_32 num_pal)
921 {
922    png_uint_32 i;
923    png_const_colorp pal_ptr;
924    png_byte buf[3];
925 
926    png_debug(1, "in png_write_PLTE");
927 
928    if ((
929 #ifdef PNG_MNG_FEATURES_SUPPORTED
930        !(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) &&
931 #endif
932        num_pal == 0) || num_pal > 256)
933    {
934       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
935       {
936          png_error(png_ptr, "Invalid number of colors in palette");
937       }
938 
939       else
940       {
941          png_warning(png_ptr, "Invalid number of colors in palette");
942          return;
943       }
944    }
945 
946    if (!(png_ptr->color_type&PNG_COLOR_MASK_COLOR))
947    {
948       png_warning(png_ptr,
949           "Ignoring request to write a PLTE chunk in grayscale PNG");
950 
951       return;
952    }
953 
954    png_ptr->num_palette = (png_uint_16)num_pal;
955    png_debug1(3, "num_palette = %d", png_ptr->num_palette);
956 
957    png_write_chunk_header(png_ptr, png_PLTE, (png_uint_32)(num_pal * 3));
958 #ifdef PNG_POINTER_INDEXING_SUPPORTED
959 
960    for (i = 0, pal_ptr = palette; i < num_pal; i++, pal_ptr++)
961    {
962       buf[0] = pal_ptr->red;
963       buf[1] = pal_ptr->green;
964       buf[2] = pal_ptr->blue;
965       png_write_chunk_data(png_ptr, buf, (png_size_t)3);
966    }
967 
968 #else
969    /* This is a little slower but some buggy compilers need to do this
970     * instead
971     */
972    pal_ptr=palette;
973 
974    for (i = 0; i < num_pal; i++)
975    {
976       buf[0] = pal_ptr[i].red;
977       buf[1] = pal_ptr[i].green;
978       buf[2] = pal_ptr[i].blue;
979       png_write_chunk_data(png_ptr, buf, (png_size_t)3);
980    }
981 
982 #endif
983    png_write_chunk_end(png_ptr);
984    png_ptr->mode |= PNG_HAVE_PLTE;
985 }
986 
987 /* This is similar to png_text_compress, above, except that it does not require
988  * all of the data at once and, instead of buffering the compressed result,
989  * writes it as IDAT chunks.  Unlike png_text_compress it *can* png_error out
990  * because it calls the write interface.  As a result it does its own error
991  * reporting and does not return an error code.  In the event of error it will
992  * just call png_error.  The input data length may exceed 32-bits.  The 'flush'
993  * parameter is exactly the same as that to deflate, with the following
994  * meanings:
995  *
996  * Z_NO_FLUSH: normal incremental output of compressed data
997  * Z_SYNC_FLUSH: do a SYNC_FLUSH, used by png_write_flush
998  * Z_FINISH: this is the end of the input, do a Z_FINISH and clean up
999  *
1000  * The routine manages the acquire and release of the png_ptr->zstream by
1001  * checking and (at the end) clearing png_ptr->zowner, it does some sanity
1002  * checks on the 'mode' flags while doing this.
1003  */
1004 void /* PRIVATE */
png_compress_IDAT(png_structrp png_ptr,png_const_bytep input,png_alloc_size_t input_len,int flush)1005 png_compress_IDAT(png_structrp png_ptr, png_const_bytep input,
1006    png_alloc_size_t input_len, int flush)
1007 {
1008    if (png_ptr->zowner != png_IDAT)
1009    {
1010       /* First time.   Ensure we have a temporary buffer for compression and
1011        * trim the buffer list if it has more than one entry to free memory.
1012        * If 'WRITE_COMPRESSED_TEXT' is not set the list will never have been
1013        * created at this point, but the check here is quick and safe.
1014        */
1015       if (png_ptr->zbuffer_list == NULL)
1016       {
1017          png_ptr->zbuffer_list = png_voidcast(png_compression_bufferp,
1018             png_malloc(png_ptr, PNG_COMPRESSION_BUFFER_SIZE(png_ptr)));
1019          png_ptr->zbuffer_list->next = NULL;
1020       }
1021 
1022       else
1023          png_free_buffer_list(png_ptr, &png_ptr->zbuffer_list->next);
1024 
1025       /* It is a terminal error if we can't claim the zstream. */
1026       if (png_deflate_claim(png_ptr, png_IDAT, png_image_size(png_ptr)) != Z_OK)
1027          png_error(png_ptr, png_ptr->zstream.msg);
1028 
1029       /* The output state is maintained in png_ptr->zstream, so it must be
1030        * initialized here after the claim.
1031        */
1032       png_ptr->zstream.next_out = png_ptr->zbuffer_list->output;
1033       png_ptr->zstream.avail_out = png_ptr->zbuffer_size;
1034    }
1035 
1036    /* Now loop reading and writing until all the input is consumed or an error
1037     * terminates the operation.  The _out values are maintained across calls to
1038     * this function, but the input must be reset each time.
1039     */
1040    png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
1041    png_ptr->zstream.avail_in = 0; /* set below */
1042    for (;;)
1043    {
1044       int ret;
1045 
1046       /* INPUT: from the row data */
1047       uInt avail = ZLIB_IO_MAX;
1048 
1049       if (avail > input_len)
1050          avail = (uInt)input_len; /* safe because of the check */
1051 
1052       png_ptr->zstream.avail_in = avail;
1053       input_len -= avail;
1054 
1055       ret = deflate(&png_ptr->zstream, input_len > 0 ? Z_NO_FLUSH : flush);
1056 
1057       /* Include as-yet unconsumed input */
1058       input_len += png_ptr->zstream.avail_in;
1059       png_ptr->zstream.avail_in = 0;
1060 
1061       /* OUTPUT: write complete IDAT chunks when avail_out drops to zero, note
1062        * that these two zstream fields are preserved across the calls, therefore
1063        * there is no need to set these up on entry to the loop.
1064        */
1065       if (png_ptr->zstream.avail_out == 0)
1066       {
1067          png_bytep data = png_ptr->zbuffer_list->output;
1068          uInt size = png_ptr->zbuffer_size;
1069 
1070          /* Write an IDAT containing the data then reset the buffer.  The
1071           * first IDAT may need deflate header optimization.
1072           */
1073 #        ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED
1074             if (!(png_ptr->mode & PNG_HAVE_IDAT) &&
1075                png_ptr->compression_type == PNG_COMPRESSION_TYPE_BASE)
1076                optimize_cmf(data, png_image_size(png_ptr));
1077 #        endif
1078 
1079          png_write_complete_chunk(png_ptr, png_IDAT, data, size);
1080          png_ptr->mode |= PNG_HAVE_IDAT;
1081 
1082          png_ptr->zstream.next_out = data;
1083          png_ptr->zstream.avail_out = size;
1084 
1085          /* For SYNC_FLUSH or FINISH it is essential to keep calling zlib with
1086           * the same flush parameter until it has finished output, for NO_FLUSH
1087           * it doesn't matter.
1088           */
1089          if (ret == Z_OK && flush != Z_NO_FLUSH)
1090             continue;
1091       }
1092 
1093       /* The order of these checks doesn't matter much; it just effect which
1094        * possible error might be detected if multiple things go wrong at once.
1095        */
1096       if (ret == Z_OK) /* most likely return code! */
1097       {
1098          /* If all the input has been consumed then just return.  If Z_FINISH
1099           * was used as the flush parameter something has gone wrong if we get
1100           * here.
1101           */
1102          if (input_len == 0)
1103          {
1104             if (flush == Z_FINISH)
1105                png_error(png_ptr, "Z_OK on Z_FINISH with output space");
1106 
1107             return;
1108          }
1109       }
1110 
1111       else if (ret == Z_STREAM_END && flush == Z_FINISH)
1112       {
1113          /* This is the end of the IDAT data; any pending output must be
1114           * flushed.  For small PNG files we may still be at the beginning.
1115           */
1116          png_bytep data = png_ptr->zbuffer_list->output;
1117          uInt size = png_ptr->zbuffer_size - png_ptr->zstream.avail_out;
1118 
1119 #        ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED
1120             if (!(png_ptr->mode & PNG_HAVE_IDAT) &&
1121                png_ptr->compression_type == PNG_COMPRESSION_TYPE_BASE)
1122                optimize_cmf(data, png_image_size(png_ptr));
1123 #        endif
1124 
1125          png_write_complete_chunk(png_ptr, png_IDAT, data, size);
1126          png_ptr->zstream.avail_out = 0;
1127          png_ptr->zstream.next_out = NULL;
1128          png_ptr->mode |= PNG_HAVE_IDAT | PNG_AFTER_IDAT;
1129 
1130          png_ptr->zowner = 0; /* Release the stream */
1131          return;
1132       }
1133 
1134       else
1135       {
1136          /* This is an error condition. */
1137          png_zstream_error(png_ptr, ret);
1138          png_error(png_ptr, png_ptr->zstream.msg);
1139       }
1140    }
1141 }
1142 
1143 /* Write an IEND chunk */
1144 void /* PRIVATE */
png_write_IEND(png_structrp png_ptr)1145 png_write_IEND(png_structrp png_ptr)
1146 {
1147    png_debug(1, "in png_write_IEND");
1148 
1149    png_write_complete_chunk(png_ptr, png_IEND, NULL, (png_size_t)0);
1150    png_ptr->mode |= PNG_HAVE_IEND;
1151 }
1152 
1153 #ifdef PNG_WRITE_gAMA_SUPPORTED
1154 /* Write a gAMA chunk */
1155 void /* PRIVATE */
png_write_gAMA_fixed(png_structrp png_ptr,png_fixed_point file_gamma)1156 png_write_gAMA_fixed(png_structrp png_ptr, png_fixed_point file_gamma)
1157 {
1158    png_byte buf[4];
1159 
1160    png_debug(1, "in png_write_gAMA");
1161 
1162    /* file_gamma is saved in 1/100,000ths */
1163    png_save_uint_32(buf, (png_uint_32)file_gamma);
1164    png_write_complete_chunk(png_ptr, png_gAMA, buf, (png_size_t)4);
1165 }
1166 #endif
1167 
1168 #ifdef PNG_WRITE_sRGB_SUPPORTED
1169 /* Write a sRGB chunk */
1170 void /* PRIVATE */
png_write_sRGB(png_structrp png_ptr,int srgb_intent)1171 png_write_sRGB(png_structrp png_ptr, int srgb_intent)
1172 {
1173    png_byte buf[1];
1174 
1175    png_debug(1, "in png_write_sRGB");
1176 
1177    if (srgb_intent >= PNG_sRGB_INTENT_LAST)
1178       png_warning(png_ptr,
1179           "Invalid sRGB rendering intent specified");
1180 
1181    buf[0]=(png_byte)srgb_intent;
1182    png_write_complete_chunk(png_ptr, png_sRGB, buf, (png_size_t)1);
1183 }
1184 #endif
1185 
1186 #ifdef PNG_WRITE_iCCP_SUPPORTED
1187 /* Write an iCCP chunk */
1188 void /* PRIVATE */
png_write_iCCP(png_structrp png_ptr,png_const_charp name,png_const_bytep profile)1189 png_write_iCCP(png_structrp png_ptr, png_const_charp name,
1190     png_const_bytep profile)
1191 {
1192    png_uint_32 name_len;
1193    png_uint_32 profile_len;
1194    png_byte new_name[81]; /* 1 byte for the compression byte */
1195    compression_state comp;
1196 
1197    png_debug(1, "in png_write_iCCP");
1198 
1199    /* These are all internal problems: the profile should have been checked
1200     * before when it was stored.
1201     */
1202    if (profile == NULL)
1203       png_error(png_ptr, "No profile for iCCP chunk"); /* internal error */
1204 
1205    profile_len = png_get_uint_32(profile);
1206 
1207    if (profile_len < 132)
1208       png_error(png_ptr, "ICC profile too short");
1209 
1210    if (profile_len & 0x03)
1211       png_error(png_ptr, "ICC profile length invalid (not a multiple of 4)");
1212 
1213    {
1214       png_uint_32 embedded_profile_len = png_get_uint_32(profile);
1215 
1216       if (profile_len != embedded_profile_len)
1217          png_error(png_ptr, "Profile length does not match profile");
1218    }
1219 
1220    name_len = png_check_keyword(png_ptr, name, new_name);
1221 
1222    if (name_len == 0)
1223       png_error(png_ptr, "iCCP: invalid keyword");
1224 
1225    new_name[++name_len] = PNG_COMPRESSION_TYPE_BASE;
1226 
1227    /* Make sure we include the NULL after the name and the compression type */
1228    ++name_len;
1229 
1230    png_text_compress_init(&comp, profile, profile_len);
1231 
1232    /* Allow for keyword terminator and compression byte */
1233    if (png_text_compress(png_ptr, png_iCCP, &comp, name_len) != Z_OK)
1234       png_error(png_ptr, png_ptr->zstream.msg);
1235 
1236    png_write_chunk_header(png_ptr, png_iCCP, name_len + comp.output_len);
1237 
1238    png_write_chunk_data(png_ptr, new_name, name_len);
1239 
1240    png_write_compressed_data_out(png_ptr, &comp);
1241 
1242    png_write_chunk_end(png_ptr);
1243 }
1244 #endif
1245 
1246 #ifdef PNG_WRITE_sPLT_SUPPORTED
1247 /* Write a sPLT chunk */
1248 void /* PRIVATE */
png_write_sPLT(png_structrp png_ptr,png_const_sPLT_tp spalette)1249 png_write_sPLT(png_structrp png_ptr, png_const_sPLT_tp spalette)
1250 {
1251    png_uint_32 name_len;
1252    png_byte new_name[80];
1253    png_byte entrybuf[10];
1254    png_size_t entry_size = (spalette->depth == 8 ? 6 : 10);
1255    png_size_t palette_size = entry_size * spalette->nentries;
1256    png_sPLT_entryp ep;
1257 #ifndef PNG_POINTER_INDEXING_SUPPORTED
1258    int i;
1259 #endif
1260 
1261    png_debug(1, "in png_write_sPLT");
1262 
1263    name_len = png_check_keyword(png_ptr, spalette->name, new_name);
1264 
1265    if (name_len == 0)
1266       png_error(png_ptr, "sPLT: invalid keyword");
1267 
1268    /* Make sure we include the NULL after the name */
1269    png_write_chunk_header(png_ptr, png_sPLT,
1270        (png_uint_32)(name_len + 2 + palette_size));
1271 
1272    png_write_chunk_data(png_ptr, (png_bytep)new_name,
1273        (png_size_t)(name_len + 1));
1274 
1275    png_write_chunk_data(png_ptr, &spalette->depth, (png_size_t)1);
1276 
1277    /* Loop through each palette entry, writing appropriately */
1278 #ifdef PNG_POINTER_INDEXING_SUPPORTED
1279    for (ep = spalette->entries; ep<spalette->entries + spalette->nentries; ep++)
1280    {
1281       if (spalette->depth == 8)
1282       {
1283          entrybuf[0] = (png_byte)ep->red;
1284          entrybuf[1] = (png_byte)ep->green;
1285          entrybuf[2] = (png_byte)ep->blue;
1286          entrybuf[3] = (png_byte)ep->alpha;
1287          png_save_uint_16(entrybuf + 4, ep->frequency);
1288       }
1289 
1290       else
1291       {
1292          png_save_uint_16(entrybuf + 0, ep->red);
1293          png_save_uint_16(entrybuf + 2, ep->green);
1294          png_save_uint_16(entrybuf + 4, ep->blue);
1295          png_save_uint_16(entrybuf + 6, ep->alpha);
1296          png_save_uint_16(entrybuf + 8, ep->frequency);
1297       }
1298 
1299       png_write_chunk_data(png_ptr, entrybuf, entry_size);
1300    }
1301 #else
1302    ep=spalette->entries;
1303    for (i = 0; i>spalette->nentries; i++)
1304    {
1305       if (spalette->depth == 8)
1306       {
1307          entrybuf[0] = (png_byte)ep[i].red;
1308          entrybuf[1] = (png_byte)ep[i].green;
1309          entrybuf[2] = (png_byte)ep[i].blue;
1310          entrybuf[3] = (png_byte)ep[i].alpha;
1311          png_save_uint_16(entrybuf + 4, ep[i].frequency);
1312       }
1313 
1314       else
1315       {
1316          png_save_uint_16(entrybuf + 0, ep[i].red);
1317          png_save_uint_16(entrybuf + 2, ep[i].green);
1318          png_save_uint_16(entrybuf + 4, ep[i].blue);
1319          png_save_uint_16(entrybuf + 6, ep[i].alpha);
1320          png_save_uint_16(entrybuf + 8, ep[i].frequency);
1321       }
1322 
1323       png_write_chunk_data(png_ptr, entrybuf, entry_size);
1324    }
1325 #endif
1326 
1327    png_write_chunk_end(png_ptr);
1328 }
1329 #endif
1330 
1331 #ifdef PNG_WRITE_sBIT_SUPPORTED
1332 /* Write the sBIT chunk */
1333 void /* PRIVATE */
png_write_sBIT(png_structrp png_ptr,png_const_color_8p sbit,int color_type)1334 png_write_sBIT(png_structrp png_ptr, png_const_color_8p sbit, int color_type)
1335 {
1336    png_byte buf[4];
1337    png_size_t size;
1338 
1339    png_debug(1, "in png_write_sBIT");
1340 
1341    /* Make sure we don't depend upon the order of PNG_COLOR_8 */
1342    if (color_type & PNG_COLOR_MASK_COLOR)
1343    {
1344       png_byte maxbits;
1345 
1346       maxbits = (png_byte)(color_type==PNG_COLOR_TYPE_PALETTE ? 8 :
1347           png_ptr->usr_bit_depth);
1348 
1349       if (sbit->red == 0 || sbit->red > maxbits ||
1350           sbit->green == 0 || sbit->green > maxbits ||
1351           sbit->blue == 0 || sbit->blue > maxbits)
1352       {
1353          png_warning(png_ptr, "Invalid sBIT depth specified");
1354          return;
1355       }
1356 
1357       buf[0] = sbit->red;
1358       buf[1] = sbit->green;
1359       buf[2] = sbit->blue;
1360       size = 3;
1361    }
1362 
1363    else
1364    {
1365       if (sbit->gray == 0 || sbit->gray > png_ptr->usr_bit_depth)
1366       {
1367          png_warning(png_ptr, "Invalid sBIT depth specified");
1368          return;
1369       }
1370 
1371       buf[0] = sbit->gray;
1372       size = 1;
1373    }
1374 
1375    if (color_type & PNG_COLOR_MASK_ALPHA)
1376    {
1377       if (sbit->alpha == 0 || sbit->alpha > png_ptr->usr_bit_depth)
1378       {
1379          png_warning(png_ptr, "Invalid sBIT depth specified");
1380          return;
1381       }
1382 
1383       buf[size++] = sbit->alpha;
1384    }
1385 
1386    png_write_complete_chunk(png_ptr, png_sBIT, buf, size);
1387 }
1388 #endif
1389 
1390 #ifdef PNG_WRITE_cHRM_SUPPORTED
1391 /* Write the cHRM chunk */
1392 void /* PRIVATE */
png_write_cHRM_fixed(png_structrp png_ptr,const png_xy * xy)1393 png_write_cHRM_fixed(png_structrp png_ptr, const png_xy *xy)
1394 {
1395    png_byte buf[32];
1396 
1397    png_debug(1, "in png_write_cHRM");
1398 
1399    /* Each value is saved in 1/100,000ths */
1400    png_save_int_32(buf,      xy->whitex);
1401    png_save_int_32(buf +  4, xy->whitey);
1402 
1403    png_save_int_32(buf +  8, xy->redx);
1404    png_save_int_32(buf + 12, xy->redy);
1405 
1406    png_save_int_32(buf + 16, xy->greenx);
1407    png_save_int_32(buf + 20, xy->greeny);
1408 
1409    png_save_int_32(buf + 24, xy->bluex);
1410    png_save_int_32(buf + 28, xy->bluey);
1411 
1412    png_write_complete_chunk(png_ptr, png_cHRM, buf, 32);
1413 }
1414 #endif
1415 
1416 #ifdef PNG_WRITE_tRNS_SUPPORTED
1417 /* Write the tRNS chunk */
1418 void /* PRIVATE */
png_write_tRNS(png_structrp png_ptr,png_const_bytep trans_alpha,png_const_color_16p tran,int num_trans,int color_type)1419 png_write_tRNS(png_structrp png_ptr, png_const_bytep trans_alpha,
1420     png_const_color_16p tran, int num_trans, int color_type)
1421 {
1422    png_byte buf[6];
1423 
1424    png_debug(1, "in png_write_tRNS");
1425 
1426    if (color_type == PNG_COLOR_TYPE_PALETTE)
1427    {
1428       if (num_trans <= 0 || num_trans > (int)png_ptr->num_palette)
1429       {
1430          png_app_warning(png_ptr,
1431              "Invalid number of transparent colors specified");
1432          return;
1433       }
1434 
1435       /* Write the chunk out as it is */
1436       png_write_complete_chunk(png_ptr, png_tRNS, trans_alpha,
1437          (png_size_t)num_trans);
1438    }
1439 
1440    else if (color_type == PNG_COLOR_TYPE_GRAY)
1441    {
1442       /* One 16 bit value */
1443       if (tran->gray >= (1 << png_ptr->bit_depth))
1444       {
1445          png_app_warning(png_ptr,
1446              "Ignoring attempt to write tRNS chunk out-of-range for bit_depth");
1447 
1448          return;
1449       }
1450 
1451       png_save_uint_16(buf, tran->gray);
1452       png_write_complete_chunk(png_ptr, png_tRNS, buf, (png_size_t)2);
1453    }
1454 
1455    else if (color_type == PNG_COLOR_TYPE_RGB)
1456    {
1457       /* Three 16 bit values */
1458       png_save_uint_16(buf, tran->red);
1459       png_save_uint_16(buf + 2, tran->green);
1460       png_save_uint_16(buf + 4, tran->blue);
1461 #ifdef PNG_WRITE_16BIT_SUPPORTED
1462       if (png_ptr->bit_depth == 8 && (buf[0] | buf[2] | buf[4]))
1463 #else
1464       if (buf[0] | buf[2] | buf[4])
1465 #endif
1466       {
1467          png_app_warning(png_ptr,
1468            "Ignoring attempt to write 16-bit tRNS chunk when bit_depth is 8");
1469          return;
1470       }
1471 
1472       png_write_complete_chunk(png_ptr, png_tRNS, buf, (png_size_t)6);
1473    }
1474 
1475    else
1476    {
1477       png_app_warning(png_ptr, "Can't write tRNS with an alpha channel");
1478    }
1479 }
1480 #endif
1481 
1482 #ifdef PNG_WRITE_bKGD_SUPPORTED
1483 /* Write the background chunk */
1484 void /* PRIVATE */
png_write_bKGD(png_structrp png_ptr,png_const_color_16p back,int color_type)1485 png_write_bKGD(png_structrp png_ptr, png_const_color_16p back, int color_type)
1486 {
1487    png_byte buf[6];
1488 
1489    png_debug(1, "in png_write_bKGD");
1490 
1491    if (color_type == PNG_COLOR_TYPE_PALETTE)
1492    {
1493       if (
1494 #ifdef PNG_MNG_FEATURES_SUPPORTED
1495           (png_ptr->num_palette ||
1496           (!(png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE))) &&
1497 #endif
1498          back->index >= png_ptr->num_palette)
1499       {
1500          png_warning(png_ptr, "Invalid background palette index");
1501          return;
1502       }
1503 
1504       buf[0] = back->index;
1505       png_write_complete_chunk(png_ptr, png_bKGD, buf, (png_size_t)1);
1506    }
1507 
1508    else if (color_type & PNG_COLOR_MASK_COLOR)
1509    {
1510       png_save_uint_16(buf, back->red);
1511       png_save_uint_16(buf + 2, back->green);
1512       png_save_uint_16(buf + 4, back->blue);
1513 #ifdef PNG_WRITE_16BIT_SUPPORTED
1514       if (png_ptr->bit_depth == 8 && (buf[0] | buf[2] | buf[4]))
1515 #else
1516       if (buf[0] | buf[2] | buf[4])
1517 #endif
1518       {
1519          png_warning(png_ptr,
1520              "Ignoring attempt to write 16-bit bKGD chunk when bit_depth is 8");
1521 
1522          return;
1523       }
1524 
1525       png_write_complete_chunk(png_ptr, png_bKGD, buf, (png_size_t)6);
1526    }
1527 
1528    else
1529    {
1530       if (back->gray >= (1 << png_ptr->bit_depth))
1531       {
1532          png_warning(png_ptr,
1533              "Ignoring attempt to write bKGD chunk out-of-range for bit_depth");
1534 
1535          return;
1536       }
1537 
1538       png_save_uint_16(buf, back->gray);
1539       png_write_complete_chunk(png_ptr, png_bKGD, buf, (png_size_t)2);
1540    }
1541 }
1542 #endif
1543 
1544 #ifdef PNG_WRITE_hIST_SUPPORTED
1545 /* Write the histogram */
1546 void /* PRIVATE */
png_write_hIST(png_structrp png_ptr,png_const_uint_16p hist,int num_hist)1547 png_write_hIST(png_structrp png_ptr, png_const_uint_16p hist, int num_hist)
1548 {
1549    int i;
1550    png_byte buf[3];
1551 
1552    png_debug(1, "in png_write_hIST");
1553 
1554    if (num_hist > (int)png_ptr->num_palette)
1555    {
1556       png_debug2(3, "num_hist = %d, num_palette = %d", num_hist,
1557           png_ptr->num_palette);
1558 
1559       png_warning(png_ptr, "Invalid number of histogram entries specified");
1560       return;
1561    }
1562 
1563    png_write_chunk_header(png_ptr, png_hIST, (png_uint_32)(num_hist * 2));
1564 
1565    for (i = 0; i < num_hist; i++)
1566    {
1567       png_save_uint_16(buf, hist[i]);
1568       png_write_chunk_data(png_ptr, buf, (png_size_t)2);
1569    }
1570 
1571    png_write_chunk_end(png_ptr);
1572 }
1573 #endif
1574 
1575 #ifdef PNG_WRITE_tEXt_SUPPORTED
1576 /* Write a tEXt chunk */
1577 void /* PRIVATE */
png_write_tEXt(png_structrp png_ptr,png_const_charp key,png_const_charp text,png_size_t text_len)1578 png_write_tEXt(png_structrp png_ptr, png_const_charp key, png_const_charp text,
1579     png_size_t text_len)
1580 {
1581    png_uint_32 key_len;
1582    png_byte new_key[80];
1583 
1584    png_debug(1, "in png_write_tEXt");
1585 
1586    key_len = png_check_keyword(png_ptr, key, new_key);
1587 
1588    if (key_len == 0)
1589       png_error(png_ptr, "tEXt: invalid keyword");
1590 
1591    if (text == NULL || *text == '\0')
1592       text_len = 0;
1593 
1594    else
1595       text_len = strlen(text);
1596 
1597    if (text_len > PNG_UINT_31_MAX - (key_len+1))
1598       png_error(png_ptr, "tEXt: text too long");
1599 
1600    /* Make sure we include the 0 after the key */
1601    png_write_chunk_header(png_ptr, png_tEXt,
1602        (png_uint_32)/*checked above*/(key_len + text_len + 1));
1603    /*
1604     * We leave it to the application to meet PNG-1.0 requirements on the
1605     * contents of the text.  PNG-1.0 through PNG-1.2 discourage the use of
1606     * any non-Latin-1 characters except for NEWLINE.  ISO PNG will forbid them.
1607     * The NUL character is forbidden by PNG-1.0 through PNG-1.2 and ISO PNG.
1608     */
1609    png_write_chunk_data(png_ptr, new_key, key_len + 1);
1610 
1611    if (text_len)
1612       png_write_chunk_data(png_ptr, (png_const_bytep)text, text_len);
1613 
1614    png_write_chunk_end(png_ptr);
1615 }
1616 #endif
1617 
1618 #ifdef PNG_WRITE_zTXt_SUPPORTED
1619 /* Write a compressed text chunk */
1620 void /* PRIVATE */
png_write_zTXt(png_structrp png_ptr,png_const_charp key,png_const_charp text,png_size_t text_len,int compression)1621 png_write_zTXt(png_structrp png_ptr, png_const_charp key, png_const_charp text,
1622     png_size_t text_len, int compression)
1623 {
1624    png_uint_32 key_len;
1625    png_byte new_key[81];
1626    compression_state comp;
1627 
1628    png_debug(1, "in png_write_zTXt");
1629    PNG_UNUSED(text_len) /* Always use strlen */
1630 
1631    if (compression == PNG_TEXT_COMPRESSION_NONE)
1632    {
1633       png_write_tEXt(png_ptr, key, text, 0);
1634       return;
1635    }
1636 
1637    if (compression != PNG_TEXT_COMPRESSION_zTXt)
1638       png_error(png_ptr, "zTXt: invalid compression type");
1639 
1640    key_len = png_check_keyword(png_ptr, key, new_key);
1641 
1642    if (key_len == 0)
1643       png_error(png_ptr, "zTXt: invalid keyword");
1644 
1645    /* Add the compression method and 1 for the keyword separator. */
1646    new_key[++key_len] = PNG_COMPRESSION_TYPE_BASE;
1647    ++key_len;
1648 
1649    /* Compute the compressed data; do it now for the length */
1650    png_text_compress_init(&comp, (png_const_bytep)text,
1651       text == NULL ? 0 : strlen(text));
1652 
1653    if (png_text_compress(png_ptr, png_zTXt, &comp, key_len) != Z_OK)
1654       png_error(png_ptr, png_ptr->zstream.msg);
1655 
1656    /* Write start of chunk */
1657    png_write_chunk_header(png_ptr, png_zTXt, key_len + comp.output_len);
1658 
1659    /* Write key */
1660    png_write_chunk_data(png_ptr, new_key, key_len);
1661 
1662    /* Write the compressed data */
1663    png_write_compressed_data_out(png_ptr, &comp);
1664 
1665    /* Close the chunk */
1666    png_write_chunk_end(png_ptr);
1667 }
1668 #endif
1669 
1670 #ifdef PNG_WRITE_iTXt_SUPPORTED
1671 /* Write an iTXt chunk */
1672 void /* PRIVATE */
png_write_iTXt(png_structrp png_ptr,int compression,png_const_charp key,png_const_charp lang,png_const_charp lang_key,png_const_charp text)1673 png_write_iTXt(png_structrp png_ptr, int compression, png_const_charp key,
1674     png_const_charp lang, png_const_charp lang_key, png_const_charp text)
1675 {
1676    png_uint_32 key_len, prefix_len;
1677    png_size_t lang_len, lang_key_len;
1678    png_byte new_key[82];
1679    compression_state comp;
1680 
1681    png_debug(1, "in png_write_iTXt");
1682 
1683    key_len = png_check_keyword(png_ptr, key, new_key);
1684 
1685    if (key_len == 0)
1686       png_error(png_ptr, "iTXt: invalid keyword");
1687 
1688    /* Set the compression flag */
1689    switch (compression)
1690    {
1691       case PNG_ITXT_COMPRESSION_NONE:
1692       case PNG_TEXT_COMPRESSION_NONE:
1693          compression = new_key[++key_len] = 0; /* no compression */
1694          break;
1695 
1696       case PNG_TEXT_COMPRESSION_zTXt:
1697       case PNG_ITXT_COMPRESSION_zTXt:
1698          compression = new_key[++key_len] = 1; /* compressed */
1699          break;
1700 
1701       default:
1702          png_error(png_ptr, "iTXt: invalid compression");
1703    }
1704 
1705    new_key[++key_len] = PNG_COMPRESSION_TYPE_BASE;
1706    ++key_len; /* for the keywod separator */
1707 
1708    /* We leave it to the application to meet PNG-1.0 requirements on the
1709     * contents of the text.  PNG-1.0 through PNG-1.2 discourage the use of
1710     * any non-Latin-1 characters except for NEWLINE.  ISO PNG, however,
1711     * specifies that the text is UTF-8 and this really doesn't require any
1712     * checking.
1713     *
1714     * The NUL character is forbidden by PNG-1.0 through PNG-1.2 and ISO PNG.
1715     *
1716     * TODO: validate the language tag correctly (see the spec.)
1717     */
1718    if (lang == NULL) lang = ""; /* empty language is valid */
1719    lang_len = strlen(lang)+1;
1720    if (lang_key == NULL) lang_key = ""; /* may be empty */
1721    lang_key_len = strlen(lang_key)+1;
1722    if (text == NULL) text = ""; /* may be empty */
1723 
1724    prefix_len = key_len;
1725    if (lang_len > PNG_UINT_31_MAX-prefix_len)
1726       prefix_len = PNG_UINT_31_MAX;
1727    else
1728       prefix_len = (png_uint_32)(prefix_len + lang_len);
1729 
1730    if (lang_key_len > PNG_UINT_31_MAX-prefix_len)
1731       prefix_len = PNG_UINT_31_MAX;
1732    else
1733       prefix_len = (png_uint_32)(prefix_len + lang_key_len);
1734 
1735    png_text_compress_init(&comp, (png_const_bytep)text, strlen(text));
1736 
1737    if (compression)
1738    {
1739       if (png_text_compress(png_ptr, png_iTXt, &comp, prefix_len) != Z_OK)
1740          png_error(png_ptr, png_ptr->zstream.msg);
1741    }
1742 
1743    else
1744    {
1745       if (comp.input_len > PNG_UINT_31_MAX-prefix_len)
1746          png_error(png_ptr, "iTXt: uncompressed text too long");
1747 
1748       /* So the string will fit in a chunk: */
1749       comp.output_len = (png_uint_32)/*SAFE*/comp.input_len;
1750    }
1751 
1752    png_write_chunk_header(png_ptr, png_iTXt, comp.output_len + prefix_len);
1753 
1754    png_write_chunk_data(png_ptr, new_key, key_len);
1755 
1756    png_write_chunk_data(png_ptr, (png_const_bytep)lang, lang_len);
1757 
1758    png_write_chunk_data(png_ptr, (png_const_bytep)lang_key, lang_key_len);
1759 
1760    if (compression)
1761       png_write_compressed_data_out(png_ptr, &comp);
1762 
1763    else
1764       png_write_chunk_data(png_ptr, (png_const_bytep)text, comp.input_len);
1765 
1766    png_write_chunk_end(png_ptr);
1767 }
1768 #endif
1769 
1770 #ifdef PNG_WRITE_oFFs_SUPPORTED
1771 /* Write the oFFs chunk */
1772 void /* PRIVATE */
png_write_oFFs(png_structrp png_ptr,png_int_32 x_offset,png_int_32 y_offset,int unit_type)1773 png_write_oFFs(png_structrp png_ptr, png_int_32 x_offset, png_int_32 y_offset,
1774     int unit_type)
1775 {
1776    png_byte buf[9];
1777 
1778    png_debug(1, "in png_write_oFFs");
1779 
1780    if (unit_type >= PNG_OFFSET_LAST)
1781       png_warning(png_ptr, "Unrecognized unit type for oFFs chunk");
1782 
1783    png_save_int_32(buf, x_offset);
1784    png_save_int_32(buf + 4, y_offset);
1785    buf[8] = (png_byte)unit_type;
1786 
1787    png_write_complete_chunk(png_ptr, png_oFFs, buf, (png_size_t)9);
1788 }
1789 #endif
1790 #ifdef PNG_WRITE_pCAL_SUPPORTED
1791 /* Write the pCAL chunk (described in the PNG extensions document) */
1792 void /* PRIVATE */
png_write_pCAL(png_structrp png_ptr,png_charp purpose,png_int_32 X0,png_int_32 X1,int type,int nparams,png_const_charp units,png_charpp params)1793 png_write_pCAL(png_structrp png_ptr, png_charp purpose, png_int_32 X0,
1794     png_int_32 X1, int type, int nparams, png_const_charp units,
1795     png_charpp params)
1796 {
1797    png_uint_32 purpose_len;
1798    png_size_t units_len, total_len;
1799    png_size_tp params_len;
1800    png_byte buf[10];
1801    png_byte new_purpose[80];
1802    int i;
1803 
1804    png_debug1(1, "in png_write_pCAL (%d parameters)", nparams);
1805 
1806    if (type >= PNG_EQUATION_LAST)
1807       png_error(png_ptr, "Unrecognized equation type for pCAL chunk");
1808 
1809    purpose_len = png_check_keyword(png_ptr, purpose, new_purpose);
1810 
1811    if (purpose_len == 0)
1812       png_error(png_ptr, "pCAL: invalid keyword");
1813 
1814    ++purpose_len; /* terminator */
1815 
1816    png_debug1(3, "pCAL purpose length = %d", (int)purpose_len);
1817    units_len = strlen(units) + (nparams == 0 ? 0 : 1);
1818    png_debug1(3, "pCAL units length = %d", (int)units_len);
1819    total_len = purpose_len + units_len + 10;
1820 
1821    params_len = (png_size_tp)png_malloc(png_ptr,
1822        (png_alloc_size_t)(nparams * (sizeof (png_size_t))));
1823 
1824    /* Find the length of each parameter, making sure we don't count the
1825     * null terminator for the last parameter.
1826     */
1827    for (i = 0; i < nparams; i++)
1828    {
1829       params_len[i] = strlen(params[i]) + (i == nparams - 1 ? 0 : 1);
1830       png_debug2(3, "pCAL parameter %d length = %lu", i,
1831           (unsigned long)params_len[i]);
1832       total_len += params_len[i];
1833    }
1834 
1835    png_debug1(3, "pCAL total length = %d", (int)total_len);
1836    png_write_chunk_header(png_ptr, png_pCAL, (png_uint_32)total_len);
1837    png_write_chunk_data(png_ptr, new_purpose, purpose_len);
1838    png_save_int_32(buf, X0);
1839    png_save_int_32(buf + 4, X1);
1840    buf[8] = (png_byte)type;
1841    buf[9] = (png_byte)nparams;
1842    png_write_chunk_data(png_ptr, buf, (png_size_t)10);
1843    png_write_chunk_data(png_ptr, (png_const_bytep)units, (png_size_t)units_len);
1844 
1845    for (i = 0; i < nparams; i++)
1846    {
1847       png_write_chunk_data(png_ptr, (png_const_bytep)params[i], params_len[i]);
1848    }
1849 
1850    png_free(png_ptr, params_len);
1851    png_write_chunk_end(png_ptr);
1852 }
1853 #endif
1854 
1855 #ifdef PNG_WRITE_sCAL_SUPPORTED
1856 /* Write the sCAL chunk */
1857 void /* PRIVATE */
png_write_sCAL_s(png_structrp png_ptr,int unit,png_const_charp width,png_const_charp height)1858 png_write_sCAL_s(png_structrp png_ptr, int unit, png_const_charp width,
1859     png_const_charp height)
1860 {
1861    png_byte buf[64];
1862    png_size_t wlen, hlen, total_len;
1863 
1864    png_debug(1, "in png_write_sCAL_s");
1865 
1866    wlen = strlen(width);
1867    hlen = strlen(height);
1868    total_len = wlen + hlen + 2;
1869 
1870    if (total_len > 64)
1871    {
1872       png_warning(png_ptr, "Can't write sCAL (buffer too small)");
1873       return;
1874    }
1875 
1876    buf[0] = (png_byte)unit;
1877    memcpy(buf + 1, width, wlen + 1);      /* Append the '\0' here */
1878    memcpy(buf + wlen + 2, height, hlen);  /* Do NOT append the '\0' here */
1879 
1880    png_debug1(3, "sCAL total length = %u", (unsigned int)total_len);
1881    png_write_complete_chunk(png_ptr, png_sCAL, buf, total_len);
1882 }
1883 #endif
1884 
1885 #ifdef PNG_WRITE_pHYs_SUPPORTED
1886 /* Write the pHYs chunk */
1887 void /* PRIVATE */
png_write_pHYs(png_structrp png_ptr,png_uint_32 x_pixels_per_unit,png_uint_32 y_pixels_per_unit,int unit_type)1888 png_write_pHYs(png_structrp png_ptr, png_uint_32 x_pixels_per_unit,
1889     png_uint_32 y_pixels_per_unit,
1890     int unit_type)
1891 {
1892    png_byte buf[9];
1893 
1894    png_debug(1, "in png_write_pHYs");
1895 
1896    if (unit_type >= PNG_RESOLUTION_LAST)
1897       png_warning(png_ptr, "Unrecognized unit type for pHYs chunk");
1898 
1899    png_save_uint_32(buf, x_pixels_per_unit);
1900    png_save_uint_32(buf + 4, y_pixels_per_unit);
1901    buf[8] = (png_byte)unit_type;
1902 
1903    png_write_complete_chunk(png_ptr, png_pHYs, buf, (png_size_t)9);
1904 }
1905 #endif
1906 
1907 #ifdef PNG_WRITE_tIME_SUPPORTED
1908 /* Write the tIME chunk.  Use either png_convert_from_struct_tm()
1909  * or png_convert_from_time_t(), or fill in the structure yourself.
1910  */
1911 void /* PRIVATE */
png_write_tIME(png_structrp png_ptr,png_const_timep mod_time)1912 png_write_tIME(png_structrp png_ptr, png_const_timep mod_time)
1913 {
1914    png_byte buf[7];
1915 
1916    png_debug(1, "in png_write_tIME");
1917 
1918    if (mod_time->month  > 12 || mod_time->month  < 1 ||
1919        mod_time->day    > 31 || mod_time->day    < 1 ||
1920        mod_time->hour   > 23 || mod_time->second > 60)
1921    {
1922       png_warning(png_ptr, "Invalid time specified for tIME chunk");
1923       return;
1924    }
1925 
1926    png_save_uint_16(buf, mod_time->year);
1927    buf[2] = mod_time->month;
1928    buf[3] = mod_time->day;
1929    buf[4] = mod_time->hour;
1930    buf[5] = mod_time->minute;
1931    buf[6] = mod_time->second;
1932 
1933    png_write_complete_chunk(png_ptr, png_tIME, buf, (png_size_t)7);
1934 }
1935 #endif
1936 
1937 /* Initializes the row writing capability of libpng */
1938 void /* PRIVATE */
png_write_start_row(png_structrp png_ptr)1939 png_write_start_row(png_structrp png_ptr)
1940 {
1941 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
1942    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
1943 
1944    /* Start of interlace block */
1945    static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
1946 
1947    /* Offset to next interlace block */
1948    static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
1949 
1950    /* Start of interlace block in the y direction */
1951    static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
1952 
1953    /* Offset to next interlace block in the y direction */
1954    static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
1955 #endif
1956 
1957    png_alloc_size_t buf_size;
1958    int usr_pixel_depth;
1959 
1960    png_debug(1, "in png_write_start_row");
1961 
1962    usr_pixel_depth = png_ptr->usr_channels * png_ptr->usr_bit_depth;
1963    buf_size = PNG_ROWBYTES(usr_pixel_depth, png_ptr->width) + 1;
1964 
1965    /* 1.5.6: added to allow checking in the row write code. */
1966    png_ptr->transformed_pixel_depth = png_ptr->pixel_depth;
1967    png_ptr->maximum_pixel_depth = (png_byte)usr_pixel_depth;
1968 
1969    /* Set up row buffer */
1970    png_ptr->row_buf = (png_bytep)png_malloc(png_ptr, buf_size);
1971 
1972    png_ptr->row_buf[0] = PNG_FILTER_VALUE_NONE;
1973 
1974 #ifdef PNG_WRITE_FILTER_SUPPORTED
1975    /* Set up filtering buffer, if using this filter */
1976    if (png_ptr->do_filter & PNG_FILTER_SUB)
1977    {
1978       png_ptr->sub_row = (png_bytep)png_malloc(png_ptr, png_ptr->rowbytes + 1);
1979 
1980       png_ptr->sub_row[0] = PNG_FILTER_VALUE_SUB;
1981    }
1982 
1983    /* We only need to keep the previous row if we are using one of these. */
1984    if (png_ptr->do_filter & (PNG_FILTER_AVG | PNG_FILTER_UP | PNG_FILTER_PAETH))
1985    {
1986       /* Set up previous row buffer */
1987       png_ptr->prev_row = (png_bytep)png_calloc(png_ptr, buf_size);
1988 
1989       if (png_ptr->do_filter & PNG_FILTER_UP)
1990       {
1991          png_ptr->up_row = (png_bytep)png_malloc(png_ptr,
1992             png_ptr->rowbytes + 1);
1993 
1994          png_ptr->up_row[0] = PNG_FILTER_VALUE_UP;
1995       }
1996 
1997       if (png_ptr->do_filter & PNG_FILTER_AVG)
1998       {
1999          png_ptr->avg_row = (png_bytep)png_malloc(png_ptr,
2000              png_ptr->rowbytes + 1);
2001 
2002          png_ptr->avg_row[0] = PNG_FILTER_VALUE_AVG;
2003       }
2004 
2005       if (png_ptr->do_filter & PNG_FILTER_PAETH)
2006       {
2007          png_ptr->paeth_row = (png_bytep)png_malloc(png_ptr,
2008              png_ptr->rowbytes + 1);
2009 
2010          png_ptr->paeth_row[0] = PNG_FILTER_VALUE_PAETH;
2011       }
2012    }
2013 #endif /* PNG_WRITE_FILTER_SUPPORTED */
2014 
2015 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
2016    /* If interlaced, we need to set up width and height of pass */
2017    if (png_ptr->interlaced)
2018    {
2019       if (!(png_ptr->transformations & PNG_INTERLACE))
2020       {
2021          png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
2022              png_pass_ystart[0]) / png_pass_yinc[0];
2023 
2024          png_ptr->usr_width = (png_ptr->width + png_pass_inc[0] - 1 -
2025              png_pass_start[0]) / png_pass_inc[0];
2026       }
2027 
2028       else
2029       {
2030          png_ptr->num_rows = png_ptr->height;
2031          png_ptr->usr_width = png_ptr->width;
2032       }
2033    }
2034 
2035    else
2036 #endif
2037    {
2038       png_ptr->num_rows = png_ptr->height;
2039       png_ptr->usr_width = png_ptr->width;
2040    }
2041 }
2042 
2043 /* Internal use only.  Called when finished processing a row of data. */
2044 void /* PRIVATE */
png_write_finish_row(png_structrp png_ptr)2045 png_write_finish_row(png_structrp png_ptr)
2046 {
2047 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
2048    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
2049 
2050    /* Start of interlace block */
2051    static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
2052 
2053    /* Offset to next interlace block */
2054    static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
2055 
2056    /* Start of interlace block in the y direction */
2057    static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
2058 
2059    /* Offset to next interlace block in the y direction */
2060    static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
2061 #endif
2062 
2063    png_debug(1, "in png_write_finish_row");
2064 
2065    /* Next row */
2066    png_ptr->row_number++;
2067 
2068    /* See if we are done */
2069    if (png_ptr->row_number < png_ptr->num_rows)
2070       return;
2071 
2072 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
2073    /* If interlaced, go to next pass */
2074    if (png_ptr->interlaced)
2075    {
2076       png_ptr->row_number = 0;
2077       if (png_ptr->transformations & PNG_INTERLACE)
2078       {
2079          png_ptr->pass++;
2080       }
2081 
2082       else
2083       {
2084          /* Loop until we find a non-zero width or height pass */
2085          do
2086          {
2087             png_ptr->pass++;
2088 
2089             if (png_ptr->pass >= 7)
2090                break;
2091 
2092             png_ptr->usr_width = (png_ptr->width +
2093                 png_pass_inc[png_ptr->pass] - 1 -
2094                 png_pass_start[png_ptr->pass]) /
2095                 png_pass_inc[png_ptr->pass];
2096 
2097             png_ptr->num_rows = (png_ptr->height +
2098                 png_pass_yinc[png_ptr->pass] - 1 -
2099                 png_pass_ystart[png_ptr->pass]) /
2100                 png_pass_yinc[png_ptr->pass];
2101 
2102             if (png_ptr->transformations & PNG_INTERLACE)
2103                break;
2104 
2105          } while (png_ptr->usr_width == 0 || png_ptr->num_rows == 0);
2106 
2107       }
2108 
2109       /* Reset the row above the image for the next pass */
2110       if (png_ptr->pass < 7)
2111       {
2112          if (png_ptr->prev_row != NULL)
2113             memset(png_ptr->prev_row, 0,
2114                 (png_size_t)(PNG_ROWBYTES(png_ptr->usr_channels*
2115                 png_ptr->usr_bit_depth, png_ptr->width)) + 1);
2116 
2117          return;
2118       }
2119    }
2120 #endif
2121 
2122    /* If we get here, we've just written the last row, so we need
2123       to flush the compressor */
2124    png_compress_IDAT(png_ptr, NULL, 0, Z_FINISH);
2125 }
2126 
2127 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
2128 /* Pick out the correct pixels for the interlace pass.
2129  * The basic idea here is to go through the row with a source
2130  * pointer and a destination pointer (sp and dp), and copy the
2131  * correct pixels for the pass.  As the row gets compacted,
2132  * sp will always be >= dp, so we should never overwrite anything.
2133  * See the default: case for the easiest code to understand.
2134  */
2135 void /* PRIVATE */
png_do_write_interlace(png_row_infop row_info,png_bytep row,int pass)2136 png_do_write_interlace(png_row_infop row_info, png_bytep row, int pass)
2137 {
2138    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
2139 
2140    /* Start of interlace block */
2141    static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
2142 
2143    /* Offset to next interlace block */
2144    static PNG_CONST png_byte  png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
2145 
2146    png_debug(1, "in png_do_write_interlace");
2147 
2148    /* We don't have to do anything on the last pass (6) */
2149    if (pass < 6)
2150    {
2151       /* Each pixel depth is handled separately */
2152       switch (row_info->pixel_depth)
2153       {
2154          case 1:
2155          {
2156             png_bytep sp;
2157             png_bytep dp;
2158             int shift;
2159             int d;
2160             int value;
2161             png_uint_32 i;
2162             png_uint_32 row_width = row_info->width;
2163 
2164             dp = row;
2165             d = 0;
2166             shift = 7;
2167 
2168             for (i = png_pass_start[pass]; i < row_width;
2169                i += png_pass_inc[pass])
2170             {
2171                sp = row + (png_size_t)(i >> 3);
2172                value = (int)(*sp >> (7 - (int)(i & 0x07))) & 0x01;
2173                d |= (value << shift);
2174 
2175                if (shift == 0)
2176                {
2177                   shift = 7;
2178                   *dp++ = (png_byte)d;
2179                   d = 0;
2180                }
2181 
2182                else
2183                   shift--;
2184 
2185             }
2186             if (shift != 7)
2187                *dp = (png_byte)d;
2188 
2189             break;
2190          }
2191 
2192          case 2:
2193          {
2194             png_bytep sp;
2195             png_bytep dp;
2196             int shift;
2197             int d;
2198             int value;
2199             png_uint_32 i;
2200             png_uint_32 row_width = row_info->width;
2201 
2202             dp = row;
2203             shift = 6;
2204             d = 0;
2205 
2206             for (i = png_pass_start[pass]; i < row_width;
2207                i += png_pass_inc[pass])
2208             {
2209                sp = row + (png_size_t)(i >> 2);
2210                value = (*sp >> ((3 - (int)(i & 0x03)) << 1)) & 0x03;
2211                d |= (value << shift);
2212 
2213                if (shift == 0)
2214                {
2215                   shift = 6;
2216                   *dp++ = (png_byte)d;
2217                   d = 0;
2218                }
2219 
2220                else
2221                   shift -= 2;
2222             }
2223             if (shift != 6)
2224                *dp = (png_byte)d;
2225 
2226             break;
2227          }
2228 
2229          case 4:
2230          {
2231             png_bytep sp;
2232             png_bytep dp;
2233             int shift;
2234             int d;
2235             int value;
2236             png_uint_32 i;
2237             png_uint_32 row_width = row_info->width;
2238 
2239             dp = row;
2240             shift = 4;
2241             d = 0;
2242             for (i = png_pass_start[pass]; i < row_width;
2243                 i += png_pass_inc[pass])
2244             {
2245                sp = row + (png_size_t)(i >> 1);
2246                value = (*sp >> ((1 - (int)(i & 0x01)) << 2)) & 0x0f;
2247                d |= (value << shift);
2248 
2249                if (shift == 0)
2250                {
2251                   shift = 4;
2252                   *dp++ = (png_byte)d;
2253                   d = 0;
2254                }
2255 
2256                else
2257                   shift -= 4;
2258             }
2259             if (shift != 4)
2260                *dp = (png_byte)d;
2261 
2262             break;
2263          }
2264 
2265          default:
2266          {
2267             png_bytep sp;
2268             png_bytep dp;
2269             png_uint_32 i;
2270             png_uint_32 row_width = row_info->width;
2271             png_size_t pixel_bytes;
2272 
2273             /* Start at the beginning */
2274             dp = row;
2275 
2276             /* Find out how many bytes each pixel takes up */
2277             pixel_bytes = (row_info->pixel_depth >> 3);
2278 
2279             /* Loop through the row, only looking at the pixels that matter */
2280             for (i = png_pass_start[pass]; i < row_width;
2281                i += png_pass_inc[pass])
2282             {
2283                /* Find out where the original pixel is */
2284                sp = row + (png_size_t)i * pixel_bytes;
2285 
2286                /* Move the pixel */
2287                if (dp != sp)
2288                   memcpy(dp, sp, pixel_bytes);
2289 
2290                /* Next pixel */
2291                dp += pixel_bytes;
2292             }
2293             break;
2294          }
2295       }
2296       /* Set new row width */
2297       row_info->width = (row_info->width +
2298           png_pass_inc[pass] - 1 -
2299           png_pass_start[pass]) /
2300           png_pass_inc[pass];
2301 
2302       row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth,
2303           row_info->width);
2304    }
2305 }
2306 #endif
2307 
2308 /* This filters the row, chooses which filter to use, if it has not already
2309  * been specified by the application, and then writes the row out with the
2310  * chosen filter.
2311  */
2312 static void
2313 png_write_filtered_row(png_structrp png_ptr, png_bytep filtered_row,
2314    png_size_t row_bytes);
2315 
2316 #define PNG_MAXSUM (((png_uint_32)(-1)) >> 1)
2317 #define PNG_HISHIFT 10
2318 #define PNG_LOMASK ((png_uint_32)0xffffL)
2319 #define PNG_HIMASK ((png_uint_32)(~PNG_LOMASK >> PNG_HISHIFT))
2320 void /* PRIVATE */
png_write_find_filter(png_structrp png_ptr,png_row_infop row_info)2321 png_write_find_filter(png_structrp png_ptr, png_row_infop row_info)
2322 {
2323    png_bytep best_row;
2324 #ifdef PNG_WRITE_FILTER_SUPPORTED
2325    png_bytep prev_row, row_buf;
2326    png_uint_32 mins, bpp;
2327    png_byte filter_to_do = png_ptr->do_filter;
2328    png_size_t row_bytes = row_info->rowbytes;
2329 #ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED
2330    int num_p_filters = png_ptr->num_prev_filters;
2331 #endif
2332 
2333    png_debug(1, "in png_write_find_filter");
2334 
2335 #ifndef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED
2336   if (png_ptr->row_number == 0 && filter_to_do == PNG_ALL_FILTERS)
2337   {
2338      /* These will never be selected so we need not test them. */
2339      filter_to_do &= ~(PNG_FILTER_UP | PNG_FILTER_PAETH);
2340   }
2341 #endif
2342 
2343    /* Find out how many bytes offset each pixel is */
2344    bpp = (row_info->pixel_depth + 7) >> 3;
2345 
2346    prev_row = png_ptr->prev_row;
2347 #endif
2348    best_row = png_ptr->row_buf;
2349 #ifdef PNG_WRITE_FILTER_SUPPORTED
2350    row_buf = best_row;
2351    mins = PNG_MAXSUM;
2352 
2353    /* The prediction method we use is to find which method provides the
2354     * smallest value when summing the absolute values of the distances
2355     * from zero, using anything >= 128 as negative numbers.  This is known
2356     * as the "minimum sum of absolute differences" heuristic.  Other
2357     * heuristics are the "weighted minimum sum of absolute differences"
2358     * (experimental and can in theory improve compression), and the "zlib
2359     * predictive" method (not implemented yet), which does test compressions
2360     * of lines using different filter methods, and then chooses the
2361     * (series of) filter(s) that give minimum compressed data size (VERY
2362     * computationally expensive).
2363     *
2364     * GRR 980525:  consider also
2365     *
2366     *   (1) minimum sum of absolute differences from running average (i.e.,
2367     *       keep running sum of non-absolute differences & count of bytes)
2368     *       [track dispersion, too?  restart average if dispersion too large?]
2369     *
2370     *  (1b) minimum sum of absolute differences from sliding average, probably
2371     *       with window size <= deflate window (usually 32K)
2372     *
2373     *   (2) minimum sum of squared differences from zero or running average
2374     *       (i.e., ~ root-mean-square approach)
2375     */
2376 
2377 
2378    /* We don't need to test the 'no filter' case if this is the only filter
2379     * that has been chosen, as it doesn't actually do anything to the data.
2380     */
2381    if ((filter_to_do & PNG_FILTER_NONE) && filter_to_do != PNG_FILTER_NONE)
2382    {
2383       png_bytep rp;
2384       png_uint_32 sum = 0;
2385       png_size_t i;
2386       int v;
2387 
2388       for (i = 0, rp = row_buf + 1; i < row_bytes; i++, rp++)
2389       {
2390          v = *rp;
2391          sum += (v < 128) ? v : 256 - v;
2392       }
2393 
2394 #ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED
2395       if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED)
2396       {
2397          png_uint_32 sumhi, sumlo;
2398          int j;
2399          sumlo = sum & PNG_LOMASK;
2400          sumhi = (sum >> PNG_HISHIFT) & PNG_HIMASK; /* Gives us some footroom */
2401 
2402          /* Reduce the sum if we match any of the previous rows */
2403          for (j = 0; j < num_p_filters; j++)
2404          {
2405             if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_NONE)
2406             {
2407                sumlo = (sumlo * png_ptr->filter_weights[j]) >>
2408                    PNG_WEIGHT_SHIFT;
2409 
2410                sumhi = (sumhi * png_ptr->filter_weights[j]) >>
2411                    PNG_WEIGHT_SHIFT;
2412             }
2413          }
2414 
2415          /* Factor in the cost of this filter (this is here for completeness,
2416           * but it makes no sense to have a "cost" for the NONE filter, as
2417           * it has the minimum possible computational cost - none).
2418           */
2419          sumlo = (sumlo * png_ptr->filter_costs[PNG_FILTER_VALUE_NONE]) >>
2420              PNG_COST_SHIFT;
2421 
2422          sumhi = (sumhi * png_ptr->filter_costs[PNG_FILTER_VALUE_NONE]) >>
2423              PNG_COST_SHIFT;
2424 
2425          if (sumhi > PNG_HIMASK)
2426             sum = PNG_MAXSUM;
2427 
2428          else
2429             sum = (sumhi << PNG_HISHIFT) + sumlo;
2430       }
2431 #endif
2432       mins = sum;
2433    }
2434 
2435    /* Sub filter */
2436    if (filter_to_do == PNG_FILTER_SUB)
2437    /* It's the only filter so no testing is needed */
2438    {
2439       png_bytep rp, lp, dp;
2440       png_size_t i;
2441 
2442       for (i = 0, rp = row_buf + 1, dp = png_ptr->sub_row + 1; i < bpp;
2443            i++, rp++, dp++)
2444       {
2445          *dp = *rp;
2446       }
2447 
2448       for (lp = row_buf + 1; i < row_bytes;
2449          i++, rp++, lp++, dp++)
2450       {
2451          *dp = (png_byte)(((int)*rp - (int)*lp) & 0xff);
2452       }
2453 
2454       best_row = png_ptr->sub_row;
2455    }
2456 
2457    else if (filter_to_do & PNG_FILTER_SUB)
2458    {
2459       png_bytep rp, dp, lp;
2460       png_uint_32 sum = 0, lmins = mins;
2461       png_size_t i;
2462       int v;
2463 
2464 #ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED
2465       /* We temporarily increase the "minimum sum" by the factor we
2466        * would reduce the sum of this filter, so that we can do the
2467        * early exit comparison without scaling the sum each time.
2468        */
2469       if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED)
2470       {
2471          int j;
2472          png_uint_32 lmhi, lmlo;
2473          lmlo = lmins & PNG_LOMASK;
2474          lmhi = (lmins >> PNG_HISHIFT) & PNG_HIMASK;
2475 
2476          for (j = 0; j < num_p_filters; j++)
2477          {
2478             if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_SUB)
2479             {
2480                lmlo = (lmlo * png_ptr->inv_filter_weights[j]) >>
2481                    PNG_WEIGHT_SHIFT;
2482 
2483                lmhi = (lmhi * png_ptr->inv_filter_weights[j]) >>
2484                    PNG_WEIGHT_SHIFT;
2485             }
2486          }
2487 
2488          lmlo = (lmlo * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_SUB]) >>
2489              PNG_COST_SHIFT;
2490 
2491          lmhi = (lmhi * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_SUB]) >>
2492              PNG_COST_SHIFT;
2493 
2494          if (lmhi > PNG_HIMASK)
2495             lmins = PNG_MAXSUM;
2496 
2497          else
2498             lmins = (lmhi << PNG_HISHIFT) + lmlo;
2499       }
2500 #endif
2501 
2502       for (i = 0, rp = row_buf + 1, dp = png_ptr->sub_row + 1; i < bpp;
2503            i++, rp++, dp++)
2504       {
2505          v = *dp = *rp;
2506 
2507          sum += (v < 128) ? v : 256 - v;
2508       }
2509 
2510       for (lp = row_buf + 1; i < row_bytes;
2511          i++, rp++, lp++, dp++)
2512       {
2513          v = *dp = (png_byte)(((int)*rp - (int)*lp) & 0xff);
2514 
2515          sum += (v < 128) ? v : 256 - v;
2516 
2517          if (sum > lmins)  /* We are already worse, don't continue. */
2518             break;
2519       }
2520 
2521 #ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED
2522       if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED)
2523       {
2524          int j;
2525          png_uint_32 sumhi, sumlo;
2526          sumlo = sum & PNG_LOMASK;
2527          sumhi = (sum >> PNG_HISHIFT) & PNG_HIMASK;
2528 
2529          for (j = 0; j < num_p_filters; j++)
2530          {
2531             if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_SUB)
2532             {
2533                sumlo = (sumlo * png_ptr->inv_filter_weights[j]) >>
2534                    PNG_WEIGHT_SHIFT;
2535 
2536                sumhi = (sumhi * png_ptr->inv_filter_weights[j]) >>
2537                    PNG_WEIGHT_SHIFT;
2538             }
2539          }
2540 
2541          sumlo = (sumlo * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_SUB]) >>
2542              PNG_COST_SHIFT;
2543 
2544          sumhi = (sumhi * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_SUB]) >>
2545              PNG_COST_SHIFT;
2546 
2547          if (sumhi > PNG_HIMASK)
2548             sum = PNG_MAXSUM;
2549 
2550          else
2551             sum = (sumhi << PNG_HISHIFT) + sumlo;
2552       }
2553 #endif
2554 
2555       if (sum < mins)
2556       {
2557          mins = sum;
2558          best_row = png_ptr->sub_row;
2559       }
2560    }
2561 
2562    /* Up filter */
2563    if (filter_to_do == PNG_FILTER_UP)
2564    {
2565       png_bytep rp, dp, pp;
2566       png_size_t i;
2567 
2568       for (i = 0, rp = row_buf + 1, dp = png_ptr->up_row + 1,
2569           pp = prev_row + 1; i < row_bytes;
2570           i++, rp++, pp++, dp++)
2571       {
2572          *dp = (png_byte)(((int)*rp - (int)*pp) & 0xff);
2573       }
2574 
2575       best_row = png_ptr->up_row;
2576    }
2577 
2578    else if (filter_to_do & PNG_FILTER_UP)
2579    {
2580       png_bytep rp, dp, pp;
2581       png_uint_32 sum = 0, lmins = mins;
2582       png_size_t i;
2583       int v;
2584 
2585 
2586 #ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED
2587       if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED)
2588       {
2589          int j;
2590          png_uint_32 lmhi, lmlo;
2591          lmlo = lmins & PNG_LOMASK;
2592          lmhi = (lmins >> PNG_HISHIFT) & PNG_HIMASK;
2593 
2594          for (j = 0; j < num_p_filters; j++)
2595          {
2596             if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_UP)
2597             {
2598                lmlo = (lmlo * png_ptr->inv_filter_weights[j]) >>
2599                    PNG_WEIGHT_SHIFT;
2600 
2601                lmhi = (lmhi * png_ptr->inv_filter_weights[j]) >>
2602                    PNG_WEIGHT_SHIFT;
2603             }
2604          }
2605 
2606          lmlo = (lmlo * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_UP]) >>
2607              PNG_COST_SHIFT;
2608 
2609          lmhi = (lmhi * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_UP]) >>
2610              PNG_COST_SHIFT;
2611 
2612          if (lmhi > PNG_HIMASK)
2613             lmins = PNG_MAXSUM;
2614 
2615          else
2616             lmins = (lmhi << PNG_HISHIFT) + lmlo;
2617       }
2618 #endif
2619 
2620       for (i = 0, rp = row_buf + 1, dp = png_ptr->up_row + 1,
2621           pp = prev_row + 1; i < row_bytes; i++)
2622       {
2623          v = *dp++ = (png_byte)(((int)*rp++ - (int)*pp++) & 0xff);
2624 
2625          sum += (v < 128) ? v : 256 - v;
2626 
2627          if (sum > lmins)  /* We are already worse, don't continue. */
2628             break;
2629       }
2630 
2631 #ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED
2632       if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED)
2633       {
2634          int j;
2635          png_uint_32 sumhi, sumlo;
2636          sumlo = sum & PNG_LOMASK;
2637          sumhi = (sum >> PNG_HISHIFT) & PNG_HIMASK;
2638 
2639          for (j = 0; j < num_p_filters; j++)
2640          {
2641             if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_UP)
2642             {
2643                sumlo = (sumlo * png_ptr->filter_weights[j]) >>
2644                    PNG_WEIGHT_SHIFT;
2645 
2646                sumhi = (sumhi * png_ptr->filter_weights[j]) >>
2647                    PNG_WEIGHT_SHIFT;
2648             }
2649          }
2650 
2651          sumlo = (sumlo * png_ptr->filter_costs[PNG_FILTER_VALUE_UP]) >>
2652              PNG_COST_SHIFT;
2653 
2654          sumhi = (sumhi * png_ptr->filter_costs[PNG_FILTER_VALUE_UP]) >>
2655              PNG_COST_SHIFT;
2656 
2657          if (sumhi > PNG_HIMASK)
2658             sum = PNG_MAXSUM;
2659 
2660          else
2661             sum = (sumhi << PNG_HISHIFT) + sumlo;
2662       }
2663 #endif
2664 
2665       if (sum < mins)
2666       {
2667          mins = sum;
2668          best_row = png_ptr->up_row;
2669       }
2670    }
2671 
2672    /* Avg filter */
2673    if (filter_to_do == PNG_FILTER_AVG)
2674    {
2675       png_bytep rp, dp, pp, lp;
2676       png_uint_32 i;
2677 
2678       for (i = 0, rp = row_buf + 1, dp = png_ptr->avg_row + 1,
2679            pp = prev_row + 1; i < bpp; i++)
2680       {
2681          *dp++ = (png_byte)(((int)*rp++ - ((int)*pp++ / 2)) & 0xff);
2682       }
2683 
2684       for (lp = row_buf + 1; i < row_bytes; i++)
2685       {
2686          *dp++ = (png_byte)(((int)*rp++ - (((int)*pp++ + (int)*lp++) / 2))
2687                  & 0xff);
2688       }
2689       best_row = png_ptr->avg_row;
2690    }
2691 
2692    else if (filter_to_do & PNG_FILTER_AVG)
2693    {
2694       png_bytep rp, dp, pp, lp;
2695       png_uint_32 sum = 0, lmins = mins;
2696       png_size_t i;
2697       int v;
2698 
2699 #ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED
2700       if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED)
2701       {
2702          int j;
2703          png_uint_32 lmhi, lmlo;
2704          lmlo = lmins & PNG_LOMASK;
2705          lmhi = (lmins >> PNG_HISHIFT) & PNG_HIMASK;
2706 
2707          for (j = 0; j < num_p_filters; j++)
2708          {
2709             if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_AVG)
2710             {
2711                lmlo = (lmlo * png_ptr->inv_filter_weights[j]) >>
2712                    PNG_WEIGHT_SHIFT;
2713 
2714                lmhi = (lmhi * png_ptr->inv_filter_weights[j]) >>
2715                    PNG_WEIGHT_SHIFT;
2716             }
2717          }
2718 
2719          lmlo = (lmlo * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_AVG]) >>
2720              PNG_COST_SHIFT;
2721 
2722          lmhi = (lmhi * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_AVG]) >>
2723              PNG_COST_SHIFT;
2724 
2725          if (lmhi > PNG_HIMASK)
2726             lmins = PNG_MAXSUM;
2727 
2728          else
2729             lmins = (lmhi << PNG_HISHIFT) + lmlo;
2730       }
2731 #endif
2732 
2733       for (i = 0, rp = row_buf + 1, dp = png_ptr->avg_row + 1,
2734            pp = prev_row + 1; i < bpp; i++)
2735       {
2736          v = *dp++ = (png_byte)(((int)*rp++ - ((int)*pp++ / 2)) & 0xff);
2737 
2738          sum += (v < 128) ? v : 256 - v;
2739       }
2740 
2741       for (lp = row_buf + 1; i < row_bytes; i++)
2742       {
2743          v = *dp++ =
2744              (png_byte)(((int)*rp++ - (((int)*pp++ + (int)*lp++) / 2)) & 0xff);
2745 
2746          sum += (v < 128) ? v : 256 - v;
2747 
2748          if (sum > lmins)  /* We are already worse, don't continue. */
2749             break;
2750       }
2751 
2752 #ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED
2753       if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED)
2754       {
2755          int j;
2756          png_uint_32 sumhi, sumlo;
2757          sumlo = sum & PNG_LOMASK;
2758          sumhi = (sum >> PNG_HISHIFT) & PNG_HIMASK;
2759 
2760          for (j = 0; j < num_p_filters; j++)
2761          {
2762             if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_NONE)
2763             {
2764                sumlo = (sumlo * png_ptr->filter_weights[j]) >>
2765                    PNG_WEIGHT_SHIFT;
2766 
2767                sumhi = (sumhi * png_ptr->filter_weights[j]) >>
2768                    PNG_WEIGHT_SHIFT;
2769             }
2770          }
2771 
2772          sumlo = (sumlo * png_ptr->filter_costs[PNG_FILTER_VALUE_AVG]) >>
2773              PNG_COST_SHIFT;
2774 
2775          sumhi = (sumhi * png_ptr->filter_costs[PNG_FILTER_VALUE_AVG]) >>
2776              PNG_COST_SHIFT;
2777 
2778          if (sumhi > PNG_HIMASK)
2779             sum = PNG_MAXSUM;
2780 
2781          else
2782             sum = (sumhi << PNG_HISHIFT) + sumlo;
2783       }
2784 #endif
2785 
2786       if (sum < mins)
2787       {
2788          mins = sum;
2789          best_row = png_ptr->avg_row;
2790       }
2791    }
2792 
2793    /* Paeth filter */
2794    if (filter_to_do == PNG_FILTER_PAETH)
2795    {
2796       png_bytep rp, dp, pp, cp, lp;
2797       png_size_t i;
2798 
2799       for (i = 0, rp = row_buf + 1, dp = png_ptr->paeth_row + 1,
2800           pp = prev_row + 1; i < bpp; i++)
2801       {
2802          *dp++ = (png_byte)(((int)*rp++ - (int)*pp++) & 0xff);
2803       }
2804 
2805       for (lp = row_buf + 1, cp = prev_row + 1; i < row_bytes; i++)
2806       {
2807          int a, b, c, pa, pb, pc, p;
2808 
2809          b = *pp++;
2810          c = *cp++;
2811          a = *lp++;
2812 
2813          p = b - c;
2814          pc = a - c;
2815 
2816 #ifdef PNG_USE_ABS
2817          pa = abs(p);
2818          pb = abs(pc);
2819          pc = abs(p + pc);
2820 #else
2821          pa = p < 0 ? -p : p;
2822          pb = pc < 0 ? -pc : pc;
2823          pc = (p + pc) < 0 ? -(p + pc) : p + pc;
2824 #endif
2825 
2826          p = (pa <= pb && pa <=pc) ? a : (pb <= pc) ? b : c;
2827 
2828          *dp++ = (png_byte)(((int)*rp++ - p) & 0xff);
2829       }
2830       best_row = png_ptr->paeth_row;
2831    }
2832 
2833    else if (filter_to_do & PNG_FILTER_PAETH)
2834    {
2835       png_bytep rp, dp, pp, cp, lp;
2836       png_uint_32 sum = 0, lmins = mins;
2837       png_size_t i;
2838       int v;
2839 
2840 #ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED
2841       if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED)
2842       {
2843          int j;
2844          png_uint_32 lmhi, lmlo;
2845          lmlo = lmins & PNG_LOMASK;
2846          lmhi = (lmins >> PNG_HISHIFT) & PNG_HIMASK;
2847 
2848          for (j = 0; j < num_p_filters; j++)
2849          {
2850             if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_PAETH)
2851             {
2852                lmlo = (lmlo * png_ptr->inv_filter_weights[j]) >>
2853                    PNG_WEIGHT_SHIFT;
2854 
2855                lmhi = (lmhi * png_ptr->inv_filter_weights[j]) >>
2856                    PNG_WEIGHT_SHIFT;
2857             }
2858          }
2859 
2860          lmlo = (lmlo * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_PAETH]) >>
2861              PNG_COST_SHIFT;
2862 
2863          lmhi = (lmhi * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_PAETH]) >>
2864              PNG_COST_SHIFT;
2865 
2866          if (lmhi > PNG_HIMASK)
2867             lmins = PNG_MAXSUM;
2868 
2869          else
2870             lmins = (lmhi << PNG_HISHIFT) + lmlo;
2871       }
2872 #endif
2873 
2874       for (i = 0, rp = row_buf + 1, dp = png_ptr->paeth_row + 1,
2875           pp = prev_row + 1; i < bpp; i++)
2876       {
2877          v = *dp++ = (png_byte)(((int)*rp++ - (int)*pp++) & 0xff);
2878 
2879          sum += (v < 128) ? v : 256 - v;
2880       }
2881 
2882       for (lp = row_buf + 1, cp = prev_row + 1; i < row_bytes; i++)
2883       {
2884          int a, b, c, pa, pb, pc, p;
2885 
2886          b = *pp++;
2887          c = *cp++;
2888          a = *lp++;
2889 
2890 #ifndef PNG_SLOW_PAETH
2891          p = b - c;
2892          pc = a - c;
2893 #ifdef PNG_USE_ABS
2894          pa = abs(p);
2895          pb = abs(pc);
2896          pc = abs(p + pc);
2897 #else
2898          pa = p < 0 ? -p : p;
2899          pb = pc < 0 ? -pc : pc;
2900          pc = (p + pc) < 0 ? -(p + pc) : p + pc;
2901 #endif
2902          p = (pa <= pb && pa <=pc) ? a : (pb <= pc) ? b : c;
2903 #else /* PNG_SLOW_PAETH */
2904          p = a + b - c;
2905          pa = abs(p - a);
2906          pb = abs(p - b);
2907          pc = abs(p - c);
2908 
2909          if (pa <= pb && pa <= pc)
2910             p = a;
2911 
2912          else if (pb <= pc)
2913             p = b;
2914 
2915          else
2916             p = c;
2917 #endif /* PNG_SLOW_PAETH */
2918 
2919          v = *dp++ = (png_byte)(((int)*rp++ - p) & 0xff);
2920 
2921          sum += (v < 128) ? v : 256 - v;
2922 
2923          if (sum > lmins)  /* We are already worse, don't continue. */
2924             break;
2925       }
2926 
2927 #ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED
2928       if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED)
2929       {
2930          int j;
2931          png_uint_32 sumhi, sumlo;
2932          sumlo = sum & PNG_LOMASK;
2933          sumhi = (sum >> PNG_HISHIFT) & PNG_HIMASK;
2934 
2935          for (j = 0; j < num_p_filters; j++)
2936          {
2937             if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_PAETH)
2938             {
2939                sumlo = (sumlo * png_ptr->filter_weights[j]) >>
2940                    PNG_WEIGHT_SHIFT;
2941 
2942                sumhi = (sumhi * png_ptr->filter_weights[j]) >>
2943                    PNG_WEIGHT_SHIFT;
2944             }
2945          }
2946 
2947          sumlo = (sumlo * png_ptr->filter_costs[PNG_FILTER_VALUE_PAETH]) >>
2948              PNG_COST_SHIFT;
2949 
2950          sumhi = (sumhi * png_ptr->filter_costs[PNG_FILTER_VALUE_PAETH]) >>
2951              PNG_COST_SHIFT;
2952 
2953          if (sumhi > PNG_HIMASK)
2954             sum = PNG_MAXSUM;
2955 
2956          else
2957             sum = (sumhi << PNG_HISHIFT) + sumlo;
2958       }
2959 #endif
2960 
2961       if (sum < mins)
2962       {
2963          best_row = png_ptr->paeth_row;
2964       }
2965    }
2966 #endif /* PNG_WRITE_FILTER_SUPPORTED */
2967 
2968    /* Do the actual writing of the filtered row data from the chosen filter. */
2969    png_write_filtered_row(png_ptr, best_row, row_info->rowbytes+1);
2970 
2971 #ifdef PNG_WRITE_FILTER_SUPPORTED
2972 #ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED
2973    /* Save the type of filter we picked this time for future calculations */
2974    if (png_ptr->num_prev_filters > 0)
2975    {
2976       int j;
2977 
2978       for (j = 1; j < num_p_filters; j++)
2979       {
2980          png_ptr->prev_filters[j] = png_ptr->prev_filters[j - 1];
2981       }
2982 
2983       png_ptr->prev_filters[j] = best_row[0];
2984    }
2985 #endif
2986 #endif /* PNG_WRITE_FILTER_SUPPORTED */
2987 }
2988 
2989 
2990 /* Do the actual writing of a previously filtered row. */
2991 static void
png_write_filtered_row(png_structrp png_ptr,png_bytep filtered_row,png_size_t full_row_length)2992 png_write_filtered_row(png_structrp png_ptr, png_bytep filtered_row,
2993    png_size_t full_row_length/*includes filter byte*/)
2994 {
2995    png_debug(1, "in png_write_filtered_row");
2996 
2997    png_debug1(2, "filter = %d", filtered_row[0]);
2998 
2999    png_compress_IDAT(png_ptr, filtered_row, full_row_length, Z_NO_FLUSH);
3000 
3001    /* Swap the current and previous rows */
3002    if (png_ptr->prev_row != NULL)
3003    {
3004       png_bytep tptr;
3005 
3006       tptr = png_ptr->prev_row;
3007       png_ptr->prev_row = png_ptr->row_buf;
3008       png_ptr->row_buf = tptr;
3009    }
3010 
3011    /* Finish row - updates counters and flushes zlib if last row */
3012    png_write_finish_row(png_ptr);
3013 
3014 #ifdef PNG_WRITE_FLUSH_SUPPORTED
3015    png_ptr->flush_rows++;
3016 
3017    if (png_ptr->flush_dist > 0 &&
3018        png_ptr->flush_rows >= png_ptr->flush_dist)
3019    {
3020       png_write_flush(png_ptr);
3021    }
3022 #endif
3023 }
3024 #endif /* PNG_WRITE_SUPPORTED */
3025