1 
2 /* pngpread.c - read a png file in push mode
3  *
4  * Last changed in libpng 1.5.11 [June 14, 2012]
5  * Copyright (c) 1998-2012 Glenn Randers-Pehrson
6  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8  *
9  * This code is released under the libpng license.
10  * For conditions of distribution and use, see the disclaimer
11  * and license in png.h
12  */
13 
14 #include "pngpriv.h"
15 
16 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED
17 
/* Push model modes: the values stored in png_ptr->process_mode.
 * png_process_some_data dispatches on the first four; every other value
 * reaches its default case, which sets buffer_size to 0 and so drops the
 * pending input.
 */
#define PNG_READ_SIG_MODE   0 /* dispatched to png_push_read_sig */
#define PNG_READ_CHUNK_MODE 1 /* dispatched to png_push_read_chunk */
#define PNG_READ_IDAT_MODE  2 /* dispatched to png_push_read_IDAT */
#define PNG_SKIP_MODE       3 /* dispatched to png_push_crc_finish */
#define PNG_READ_tEXt_MODE  4 /* no case in png_process_some_data */
#define PNG_READ_zTXt_MODE  5 /* no case in png_process_some_data */
#define PNG_READ_DONE_MODE  6 /* set by png_push_read_chunk after IEND */
#define PNG_READ_iTXt_MODE  7 /* no case in png_process_some_data */
#define PNG_ERROR_MODE      8 /* no case in png_process_some_data */
28 
/* Push-mode entry point: offer the next 'buffer_size' bytes of the PNG stream
 * to the reader.
 *
 * png_push_restore_buffer records the caller's pointer (it does not copy the
 * data) and adds its length to whatever is already held in the save buffer.
 * The state machine is then stepped until png_ptr->buffer_size drops to zero.
 * The call is a no-op when either handle is NULL.
 */
void PNGAPI
png_process_data(png_structp png_ptr, png_infop info_ptr,
    png_bytep buffer, png_size_t buffer_size)
{
   if (png_ptr != NULL && info_ptr != NULL)
   {
      png_push_restore_buffer(png_ptr, buffer, buffer_size);

      /* Termination depends on every step either consuming input or
       * zeroing buffer_size (png_push_save_buffer does the latter).
       */
      while (png_ptr->buffer_size != 0)
         png_process_some_data(png_ptr, info_ptr);
   }
}
43 
/* Stop consuming input part way through png_process_data.
 *
 * With 'save' non-zero the unread input is copied into the save buffer, so
 * the caller does not have to supply it again, and 0 is returned.
 *
 * With 'save' zero the pending byte count is cleared and the function returns
 * how many of those bytes were not already held in the save buffer; 0 is
 * returned when everything pending was saved data.  A NULL png_ptr yields 0.
 */
png_size_t PNGAPI
png_process_data_pause(png_structp png_ptr, int save)
{
   png_size_t pending;

   if (png_ptr == NULL)
      return 0;

   if (save)
   {
      png_push_save_buffer(png_ptr);
      return 0;
   }

   /* buffer_size counts saved bytes as well as the caller's bytes. */
   pending = png_ptr->buffer_size;
   png_ptr->buffer_size = 0;

   if (pending > png_ptr->save_buffer_size)
      return pending - png_ptr->save_buffer_size;

   return 0;
}
70 
/* Report, and take over, an outstanding skip.
 *
 * When the reader is in PNG_SKIP_MODE with a non-zero skip_length, that
 * length is returned, skip_length is cleared and the reader is put back into
 * PNG_READ_CHUNK_MODE.  In every other case (including a NULL png_ptr) the
 * result is 0 and nothing is changed.
 *
 * NOTE(review): the returned bytes are never passed to png_calculate_crc
 * here, and the chunk's trailing CRC is not consumed by this function -
 * presumably the caller is expected to account for both; confirm against the
 * library documentation.
 */
png_uint_32 PNGAPI
png_process_data_skip(png_structp png_ptr)
{
   png_uint_32 to_skip;

   if (png_ptr == NULL || png_ptr->process_mode != PNG_SKIP_MODE ||
       !(png_ptr->skip_length > 0))
      return 0;

   /* png_process_data only returns once buffer_size is 0, so pending input
    * here means this was called from inside png_process_data.
    */
   if (png_ptr->buffer_size != 0)
      png_error(png_ptr,
         "png_process_data_skip called inside png_process_data");

   /* Saved data and SKIP mode are not expected together; this can also fire
    * (rarely) for a call made inside png_process_data.
    */
   if (png_ptr->save_buffer_size != 0)
      png_error(png_ptr, "png_process_data_skip called with saved data");

   to_skip = png_ptr->skip_length;
   png_ptr->skip_length = 0;
   png_ptr->process_mode = PNG_READ_CHUNK_MODE;

   return to_skip;
}
101 
/* Run one step of the push reader.  What happens to the incoming data is
 * decided by png_ptr->process_mode, i.e. by what the reader was doing when it
 * last ran out of input.
 *
 * Modes without a handler (done, error and the text modes) discard whatever
 * input is pending by zeroing buffer_size, which also ends the loop in
 * png_process_data.  Only png_ptr is checked for NULL here; info_ptr is
 * passed on unchecked.
 */
void /* PRIVATE */
png_process_some_data(png_structp png_ptr, png_infop info_ptr)
{
   if (png_ptr == NULL)
      return;

   if (png_ptr->process_mode == PNG_READ_SIG_MODE)
      png_push_read_sig(png_ptr, info_ptr);

   else if (png_ptr->process_mode == PNG_READ_CHUNK_MODE)
      png_push_read_chunk(png_ptr, info_ptr);

   else if (png_ptr->process_mode == PNG_READ_IDAT_MODE)
      png_push_read_IDAT(png_ptr);

   else if (png_ptr->process_mode == PNG_SKIP_MODE)
      png_push_crc_finish(png_ptr);

   else
      png_ptr->buffer_size = 0;
}
144 
/* Pull whatever signature bytes are still outstanding from the input and
 * compare them with the PNG signature.  Some of the 8 bytes may already be
 * accounted for in png_ptr->sig_bytes, either because the application checked
 * them or because an earlier call ran out of input.
 *
 * On a mismatch png_error is raised; once all 8 bytes have matched the reader
 * moves to PNG_READ_CHUNK_MODE.  info_ptr is dereferenced without a NULL
 * check, so callers must pass a valid pointer.
 */
void /* PRIVATE */
png_push_read_sig(png_structp png_ptr, png_infop info_ptr)
{
   png_size_t have = png_ptr->sig_bytes;
   png_size_t want = 8 - have;

   /* Never ask for more than is actually available. */
   if (want > png_ptr->buffer_size)
      want = png_ptr->buffer_size;

   png_push_fill_buffer(png_ptr, &(info_ptr->signature[have]), want);
   png_ptr->sig_bytes = (png_byte)(png_ptr->sig_bytes + want);

   if (png_sig_cmp(info_ptr->signature, have, want) == 0)
   {
      if (png_ptr->sig_bytes >= 8)
         png_ptr->process_mode = PNG_READ_CHUNK_MODE;

      return;
   }

   /* NOTE(review): 'want - 4' wraps to a very large png_size_t when fewer
    * than 4 bytes were read; this presumably relies on png_sig_cmp clamping
    * its length argument - confirm in png_sig_cmp.
    */
   if (have < 4 && png_sig_cmp(info_ptr->signature, have, want - 4))
      png_error(png_ptr, "Not a PNG file");

   else
      png_error(png_ptr, "PNG file corrupted by ASCII conversion");
}
184 
/* Return non-zero, after saving the pending input, when the body of the
 * current chunk plus its 4 byte CRC has not yet arrived in full.
 */
static int
png_push_chunk_incomplete(png_structp png_ptr)
{
   if (png_ptr->push_length + 4 > png_ptr->buffer_size)
   {
      png_push_save_buffer(png_ptr);
      return 1;
   }

   return 0;
}

/* Read one chunk header (if not already read) and dispatch on the chunk name.
 *
 * Every chunk except IDAT is handled only once its whole body and CRC are
 * buffered; until then the input is moved to the save buffer and the function
 * returns with PNG_HAVE_CHUNK_HEADER still set, so the next call resumes at
 * the dispatch.  The save buffer therefore holds up to one complete chunk of
 * stream data: the memory used follows the size of the largest non-IDAT chunk
 * the sender actually delivers, and the declared length is whatever
 * png_get_uint_31 accepted.
 *
 * IDAT is not buffered: the reader switches to PNG_READ_IDAT_MODE and the
 * data is streamed by png_push_read_IDAT.
 */
void /* PRIVATE */
png_push_read_chunk(png_structp png_ptr, png_infop info_ptr)
{
   png_uint_32 chunk_name;

   /* The 4 byte length and the 4 byte chunk name are read together, so wait
    * until 8 bytes are available.
    */
   if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
   {
      png_byte length_bytes[4];
      png_byte tag_bytes[4];

      if (png_ptr->buffer_size < 8)
      {
         png_push_save_buffer(png_ptr);
         return;
      }

      png_push_fill_buffer(png_ptr, length_bytes, 4);
      png_ptr->push_length = png_get_uint_31(png_ptr, length_bytes);
      png_reset_crc(png_ptr);
      png_crc_read(png_ptr, tag_bytes, 4);
      png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(tag_bytes);
      png_check_chunk_name(png_ptr, png_ptr->chunk_name);
      png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;
   }

   chunk_name = png_ptr->chunk_name;

   /* This sits ahead of the dispatch chain because, when the unknown chunk
    * handling claims IDAT, the regular IDAT branch below is never reached.
    *
    * TODO: there must be a better way of doing this.
    */
   if (chunk_name == png_IDAT && (png_ptr->mode & PNG_AFTER_IDAT))
      png_ptr->mode |= PNG_HAVE_CHUNK_AFTER_IDAT;

   if (chunk_name == png_IHDR)
   {
      /* The length is validated before waiting for the body. */
      if (png_ptr->push_length != 13)
         png_error(png_ptr, "Invalid IHDR length");

      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_IHDR(png_ptr, info_ptr, png_ptr->push_length);
   }

   else if (chunk_name == png_IEND)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_IEND(png_ptr, info_ptr, png_ptr->push_length);

      png_ptr->process_mode = PNG_READ_DONE_MODE;
      png_push_have_end(png_ptr, info_ptr);
   }

#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
   else if (png_chunk_unknown_handling(png_ptr, chunk_name))
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      if (chunk_name == png_IDAT)
         png_ptr->mode |= PNG_HAVE_IDAT;

      png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length);

      if (chunk_name == png_PLTE)
         png_ptr->mode |= PNG_HAVE_PLTE;

      else if (chunk_name == png_IDAT)
      {
         /* The ordering checks run after the chunk has been handed on. */
         if (!(png_ptr->mode & PNG_HAVE_IHDR))
            png_error(png_ptr, "Missing IHDR before IDAT");

         else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
             !(png_ptr->mode & PNG_HAVE_PLTE))
            png_error(png_ptr, "Missing PLTE before IDAT");
      }
   }
#endif

   else if (chunk_name == png_PLTE)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_PLTE(png_ptr, info_ptr, png_ptr->push_length);
   }

   else if (chunk_name == png_IDAT)
   {
      /* Reaching IDAT means the header chunks are complete and the image
       * data starts here (or, if the image was already read, that the
       * stream is in error).
       */
      if (!(png_ptr->mode & PNG_HAVE_IHDR))
         png_error(png_ptr, "Missing IHDR before IDAT");

      else if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE &&
          !(png_ptr->mode & PNG_HAVE_PLTE))
         png_error(png_ptr, "Missing PLTE before IDAT");

      if (png_ptr->mode & PNG_HAVE_IDAT)
      {
         /* NOTE(review): this return consumes no input and changes no
          * state.  If it can be reached while buffer_size is non-zero, the
          * loop in png_process_data would call back here without making
          * progress - confirm that the mode flags rule that out.
          */
         if (!(png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) &&
             png_ptr->push_length == 0)
            return;

         if (png_ptr->mode & PNG_AFTER_IDAT)
            png_benign_error(png_ptr, "Too many IDATs found");
      }

      png_ptr->idat_size = png_ptr->push_length;
      png_ptr->mode |= PNG_HAVE_IDAT;
      png_ptr->process_mode = PNG_READ_IDAT_MODE;
      png_push_have_info(png_ptr, info_ptr);

      /* Point zlib at the row buffer: one row plus the filter byte. */
      png_ptr->zstream.avail_out =
          (uInt) PNG_ROWBYTES(png_ptr->pixel_depth,
          png_ptr->iwidth) + 1;
      png_ptr->zstream.next_out = png_ptr->row_buf;

      /* PNG_HAVE_CHUNK_HEADER stays set for png_push_read_IDAT. */
      return;
   }

#ifdef PNG_READ_gAMA_SUPPORTED
   else if (chunk_name == png_gAMA)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_gAMA(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_sBIT_SUPPORTED
   else if (chunk_name == png_sBIT)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_sBIT(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_cHRM_SUPPORTED
   else if (chunk_name == png_cHRM)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_cHRM(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_sRGB_SUPPORTED
   else if (chunk_name == png_sRGB)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_sRGB(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_iCCP_SUPPORTED
   else if (chunk_name == png_iCCP)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_iCCP(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_sPLT_SUPPORTED
   else if (chunk_name == png_sPLT)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_sPLT(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_tRNS_SUPPORTED
   else if (chunk_name == png_tRNS)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_tRNS(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_bKGD_SUPPORTED
   else if (chunk_name == png_bKGD)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_bKGD(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_hIST_SUPPORTED
   else if (chunk_name == png_hIST)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_hIST(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_pHYs_SUPPORTED
   else if (chunk_name == png_pHYs)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_pHYs(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_oFFs_SUPPORTED
   else if (chunk_name == png_oFFs)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_oFFs(png_ptr, info_ptr, png_ptr->push_length);
   }
#endif

#ifdef PNG_READ_pCAL_SUPPORTED
   else if (chunk_name == png_pCAL)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_pCAL(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_sCAL_SUPPORTED
   else if (chunk_name == png_sCAL)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_sCAL(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_tIME_SUPPORTED
   else if (chunk_name == png_tIME)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_tIME(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_tEXt_SUPPORTED
   else if (chunk_name == png_tEXt)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_tEXt(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_zTXt_SUPPORTED
   else if (chunk_name == png_zTXt)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_zTXt(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif
#ifdef PNG_READ_iTXt_SUPPORTED
   else if (chunk_name == png_iTXt)
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_iTXt(png_ptr, info_ptr, png_ptr->push_length);
   }

#endif

   else
   {
      if (png_push_chunk_incomplete(png_ptr))
         return;

      png_handle_unknown(png_ptr, info_ptr, png_ptr->push_length);
   }

   /* The chunk is finished; the next call starts with a fresh header. */
   png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
}
566 
/* Arrange for the next 'skip' bytes of input to be skipped: records the count
 * and switches the reader to PNG_SKIP_MODE.  No input is consumed here; that
 * happens in png_push_crc_finish.
 */
void /* PRIVATE */
png_push_crc_skip(png_structp png_ptr, png_uint_32 skip)
{
   png_ptr->skip_length = skip;
   png_ptr->process_mode = PNG_SKIP_MODE;
}
573 
/* Work off an outstanding skip (PNG_SKIP_MODE).
 *
 * Skipped bytes are taken first from the save buffer and then from the
 * caller's current buffer; each run is fed to png_calculate_crc so that the
 * chunk CRC still covers it.  When nothing is left to skip, the 4 byte CRC is
 * checked via png_crc_finish - waiting for more input if fewer than 4 bytes
 * are available - and the reader returns to PNG_READ_CHUNK_MODE.
 */
void /* PRIVATE */
png_push_crc_finish(png_structp png_ptr)
{
   if (png_ptr->skip_length != 0 && png_ptr->save_buffer_size != 0)
   {
      png_size_t take = png_ptr->save_buffer_size;
      png_uint_32 skip = png_ptr->skip_length;

      /* 'take' becomes the smaller of the two counts.  They have different
       * types and either may be the narrower one, so the comparison is done
       * without a cast (a cast would break on 16 or 64 bit platforms) and
       * only the smaller value is ever converted.
       */
      if (skip < take)
         take = (png_size_t)skip;

      png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, take);

      png_ptr->skip_length -= (png_uint_32)take;
      png_ptr->buffer_size -= take;
      png_ptr->save_buffer_size -= take;
      png_ptr->save_buffer_ptr += take;
   }

   if (png_ptr->skip_length != 0 && png_ptr->current_buffer_size != 0)
   {
      png_size_t take = png_ptr->current_buffer_size;
      png_uint_32 skip = png_ptr->skip_length;

      /* Same mixed-width minimum as for the save buffer. */
      if (skip < take)
         take = (png_size_t)skip;

      png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, take);

      png_ptr->skip_length -= (png_uint_32)take;
      png_ptr->buffer_size -= take;
      png_ptr->current_buffer_size -= take;
      png_ptr->current_buffer_ptr += take;
   }

   /* Still skipping: wait for the next png_process_data call. */
   if (png_ptr->skip_length != 0)
      return;

   if (png_ptr->buffer_size < 4)
   {
      png_push_save_buffer(png_ptr);
      return;
   }

   png_crc_finish(png_ptr, 0);
   png_ptr->process_mode = PNG_READ_CHUNK_MODE;
}
636 
/* Copy up to 'length' bytes of pending input into 'buffer', draining the save
 * buffer first and then the caller's current buffer.
 *
 * The copy is bounded by the data available, not only by 'length': if fewer
 * bytes are pending the function copies what there is and returns without
 * any indication, leaving the tail of 'buffer' unwritten.  Callers in this
 * file check png_ptr->buffer_size before asking for a fixed number of bytes.
 * 'buffer' must have room for 'length' bytes; that is not checked here.
 */
void PNGCBAPI
png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length)
{
   png_bytep out = buffer;

   if (png_ptr == NULL)
      return;

   if (png_ptr->save_buffer_size != 0)
   {
      png_size_t n = png_ptr->save_buffer_size;

      if (length < n)
         n = length;

      png_memcpy(out, png_ptr->save_buffer_ptr, n);
      out += n;
      length -= n;
      png_ptr->buffer_size -= n;
      png_ptr->save_buffer_size -= n;
      png_ptr->save_buffer_ptr += n;
   }

   if (length != 0 && png_ptr->current_buffer_size != 0)
   {
      png_size_t n = png_ptr->current_buffer_size;

      if (length < n)
         n = length;

      png_memcpy(out, png_ptr->current_buffer_ptr, n);
      png_ptr->buffer_size -= n;
      png_ptr->current_buffer_size -= n;
      png_ptr->current_buffer_ptr += n;
   }
}
681 
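/* Move all unconsumed input into png_ptr->save_buffer so that it survives
 * the return from png_process_data, then mark the input as fully consumed
 * (buffer_size = 0).
 *
 * Steps: compact any saved bytes to the start of save_buffer, grow the buffer
 * when saved + current bytes exceed save_buffer_max, append the caller's
 * unread bytes, and reset save_buffer_ptr to the start.
 *
 * png_error is raised when the required size cannot be represented or the
 * allocation fails.
 */
void /* PRIVATE */
png_push_save_buffer(png_structp png_ptr)
{
   if (png_ptr->save_buffer_size)
   {
      if (png_ptr->save_buffer_ptr != png_ptr->save_buffer)
      {
         png_size_t i, istop;
         png_bytep sp;
         png_bytep dp;

         istop = png_ptr->save_buffer_size;

         /* Source and destination lie in the same allocation and may
          * overlap, hence a forward byte copy rather than png_memcpy.
          */
         for (i = 0, sp = png_ptr->save_buffer_ptr, dp = png_ptr->save_buffer;
             i < istop; i++, sp++, dp++)
         {
            *dp = *sp;
         }
      }
   }

   if (png_ptr->save_buffer_size + png_ptr->current_buffer_size >
       png_ptr->save_buffer_max)
   {
      png_size_t new_max;
      png_bytep old_buffer;

      /* Reject sizes for which save + current + 256 would wrap.  The test
       * is arranged so that no intermediate sum can itself wrap.
       */
      if (png_ptr->current_buffer_size > PNG_SIZE_MAX - 256 ||
          png_ptr->save_buffer_size >
          PNG_SIZE_MAX - 256 - png_ptr->current_buffer_size)
      {
         png_error(png_ptr, "Potential overflow of save_buffer");
      }

      new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256;
      old_buffer = png_ptr->save_buffer;
      png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr, new_max);

      if (png_ptr->save_buffer == NULL)
      {
         png_free(png_ptr, old_buffer);

         /* Do not leave a pointer into the freed block, or stale sizes,
          * behind for whatever runs after the error handler.
          */
         png_ptr->save_buffer_ptr = NULL;
         png_ptr->save_buffer_size = 0;
         png_ptr->save_buffer_max = 0;
         png_error(png_ptr, "Insufficient memory for save_buffer");
      }

      /* old_buffer is NULL if nothing was allocated before (presumably the
       * case on first use); passing NULL to memcpy is undefined even for a
       * zero length, so skip the copy then.
       */
      if (old_buffer != NULL)
         png_memcpy(png_ptr->save_buffer, old_buffer,
            png_ptr->save_buffer_size);

      png_free(png_ptr, old_buffer);
      png_ptr->save_buffer_max = new_max;
   }

   if (png_ptr->current_buffer_size)
   {
      png_memcpy(png_ptr->save_buffer + png_ptr->save_buffer_size,
         png_ptr->current_buffer_ptr, png_ptr->current_buffer_size);
      png_ptr->save_buffer_size += png_ptr->current_buffer_size;
      png_ptr->current_buffer_size = 0;
   }

   png_ptr->save_buffer_ptr = png_ptr->save_buffer;
   png_ptr->buffer_size = 0;
}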
741 
/* Attach the caller's input to the reader: 'buffer' becomes the current
 * buffer (the pointer is stored, the data is not copied) and buffer_size is
 * set to the new bytes plus whatever is still held in the save buffer.
 *
 * NOTE(review): the sum buffer_length + save_buffer_size is not checked for
 * wrap-around here.
 */
void /* PRIVATE */
png_push_restore_buffer(png_structp png_ptr, png_bytep buffer,
   png_size_t buffer_length)
{
   png_ptr->current_buffer = buffer;
   png_ptr->current_buffer_ptr = buffer;
   png_ptr->current_buffer_size = buffer_length;
   png_ptr->buffer_size = png_ptr->save_buffer_size + buffer_length;
}
751 
/* Stream IDAT data to the decompressor (PNG_READ_IDAT_MODE).
 *
 * If no chunk header is pending, the next one is read.  A chunk other than
 * IDAT ends the image data: the reader goes back to PNG_READ_CHUNK_MODE with
 * the header left pending, and png_error is raised if zlib has not yet seen
 * the end of the stream.  Unlike png_push_read_chunk, png_check_chunk_name is
 * not called on the header read here.
 *
 * IDAT bytes are taken from the save buffer and then from the current buffer,
 * added to the CRC and passed to png_process_IDAT_data.  Once idat_size is 0
 * the chunk CRC is checked (after waiting for 4 bytes if necessary) and
 * PNG_AFTER_IDAT is set.
 */
void /* PRIVATE */
png_push_read_IDAT(png_structp png_ptr)
{
   if ((png_ptr->mode & PNG_HAVE_CHUNK_HEADER) == 0)
   {
      png_byte length_bytes[4];
      png_byte tag_bytes[4];

      /* TODO: this code can be commoned up with the same code in push_read */
      if (png_ptr->buffer_size < 8)
      {
         png_push_save_buffer(png_ptr);
         return;
      }

      png_push_fill_buffer(png_ptr, length_bytes, 4);
      png_ptr->push_length = png_get_uint_31(png_ptr, length_bytes);
      png_reset_crc(png_ptr);
      png_crc_read(png_ptr, tag_bytes, 4);
      png_ptr->chunk_name = PNG_CHUNK_FROM_STRING(tag_bytes);
      png_ptr->mode |= PNG_HAVE_CHUNK_HEADER;

      if (png_ptr->chunk_name != png_IDAT)
      {
         /* The mode is switched first; png_error follows if the compressed
          * stream was still incomplete.
          */
         png_ptr->process_mode = PNG_READ_CHUNK_MODE;

         if ((png_ptr->flags & PNG_FLAG_ZLIB_FINISHED) == 0)
            png_error(png_ptr, "Not enough compressed data");

         return;
      }

      png_ptr->idat_size = png_ptr->push_length;
   }

   if (png_ptr->idat_size != 0 && png_ptr->save_buffer_size != 0)
   {
      png_size_t take = png_ptr->save_buffer_size;
      png_uint_32 left = png_ptr->idat_size;

      /* 'take' becomes the smaller of the two counts.  They have different
       * types and either may be the narrower one, so the comparison is done
       * without a cast (a cast would break on 16 or 64 bit platforms) and
       * only the smaller value is ever converted.
       */
      if (left < take)
         take = (png_size_t)left;

      png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, take);

      png_process_IDAT_data(png_ptr, png_ptr->save_buffer_ptr, take);

      png_ptr->idat_size -= (png_uint_32)take;
      png_ptr->buffer_size -= take;
      png_ptr->save_buffer_size -= take;
      png_ptr->save_buffer_ptr += take;
   }

   if (png_ptr->idat_size != 0 && png_ptr->current_buffer_size != 0)
   {
      png_size_t take = png_ptr->current_buffer_size;
      png_uint_32 left = png_ptr->idat_size;

      /* Same mixed-width minimum as for the save buffer. */
      if (left < take)
         take = (png_size_t)left;

      png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, take);

      png_process_IDAT_data(png_ptr, png_ptr->current_buffer_ptr, take);

      png_ptr->idat_size -= (png_uint_32)take;
      png_ptr->buffer_size -= take;
      png_ptr->current_buffer_size -= take;
      png_ptr->current_buffer_ptr += take;
   }

   /* More of this IDAT is still to come. */
   if (png_ptr->idat_size != 0)
      return;

   if (png_ptr->buffer_size < 4)
   {
      png_push_save_buffer(png_ptr);
      return;
   }

   png_crc_finish(png_ptr, 0);
   png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
   png_ptr->mode |= PNG_AFTER_IDAT;
}
853 
/* Inflate one run of IDAT bytes, handing each completed row to
 * png_push_process_row.
 *
 * All of the input is processed before returning unless the stream ends,
 * fails, or produces output after the last row.  A zlib failure is a warning
 * once every row has been delivered and a png_error otherwise; data beyond
 * the last row, or input left over after the zlib end code, is a warning.
 *
 * NOTE(review): buffer_length is narrowed to uInt for zlib.  The callers in
 * this file limit it to the remaining IDAT length; whether that always fits
 * depends on the width of uInt on the target - confirm.
 */
void /* PRIVATE */
png_process_IDAT_data(png_structp png_ptr, png_bytep buffer,
   png_size_t buffer_length)
{
   int zrc;

   /* Callers only pass non-empty runs; anything else is an internal error. */
   if (buffer == NULL || buffer_length == 0)
      png_error(png_ptr, "No IDAT data (internal error)");

   png_ptr->zstream.next_in = buffer;
   png_ptr->zstream.avail_in = (uInt)buffer_length;

   /* Run until the input is used up or the stream is marked finished. */
   while (png_ptr->zstream.avail_in > 0 &&
          (png_ptr->flags & PNG_FLAG_ZLIB_FINISHED) == 0)
   {
      /* zlib needs somewhere to write even when no output is expected (the
       * input may be nothing but the LZ end code), so re-arm the row buffer
       * whenever it is full.
       */
      if (png_ptr->zstream.avail_out == 0)
      {
         png_ptr->zstream.avail_out =
             (uInt) PNG_ROWBYTES(png_ptr->pixel_depth,
             png_ptr->iwidth) + 1;

         png_ptr->zstream.next_out = png_ptr->row_buf;
      }

      /* Z_SYNC_FLUSH lets a stream with a missing end code still be
       * handled; with Z_NO_FLUSH a future zlib might defer output and
       * change the behavior (see the comments in inflate.c, zlib 1.2.5).
       */
      zrc = inflate(&png_ptr->zstream, Z_SYNC_FLUSH);

      if (!(zrc == Z_OK || zrc == Z_STREAM_END))
      {
         /* Stop decompressing on any failure. */
         png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;

         /* With all rows already delivered this is treated as a truncated
          * stream (missing or damaged end code) and only warned about.
          */
         if (png_ptr->row_number >= png_ptr->num_rows ||
             png_ptr->pass > 6)
            png_warning(png_ptr, "Truncated compressed data in IDAT");

         else
            png_error(png_ptr, "Decompression error in IDAT");

         /* The leftover-input check at the end is skipped. */
         return;
      }

      /* Anything written to the row buffer? */
      if (png_ptr->zstream.next_out != png_ptr->row_buf)
      {
         /* Output after the last row: cut the stream off here and do not
          * process the data.
          */
         if (png_ptr->row_number >= png_ptr->num_rows ||
             png_ptr->pass > 6)
         {
            png_warning(png_ptr, "Extra compressed data in IDAT");
            png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;

            /* The leftover-input check at the end is skipped. */
            return;
         }

         /* A full row buffer means a complete row. */
         if (png_ptr->zstream.avail_out == 0)
            png_push_process_row(png_ptr);
      }

      if (zrc == Z_STREAM_END)
         png_ptr->flags |= PNG_FLAG_ZLIB_FINISHED;
   }

   /* Input remaining here is IDAT data after the zlib end code. */
   if (png_ptr->zstream.avail_in > 0)
      png_warning(png_ptr, "Extra compression data in IDAT");
}
957 
#ifdef PNG_READ_INTERLACING_SUPPORTED
/* Hand up to 'count' rows to the application while the decoder remains in
 * interlace pass 'pass'.  When 'with_data' is non-zero the callback receives
 * png_ptr->row_buf + 1, otherwise it receives NULL (a row for which this
 * pass carries no new pixels).  png_read_push_finish_row() can advance
 * png_ptr->pass, so the pass is re-tested before every delivery.
 */
static void
png_push_emit_rows(png_structp png_ptr, int with_data, int count, int pass)
{
   int done;

   for (done = 0; done < count && png_ptr->pass == pass; done++)
   {
      png_push_have_row(png_ptr, with_data ? png_ptr->row_buf + 1 : NULL);
      png_read_push_finish_row(png_ptr);
   }
}
#endif /* PNG_READ_INTERLACING_SUPPORTED */

/* Process one complete row held in png_ptr->row_buf: undo the PNG filter,
 * remember the row as prev_row, apply the read transformations, then hand
 * the row (and, when libpng is doing the de-interlacing, the NULL rows that
 * accompany it) to the application's row callback.
 */
void /* PRIVATE */
png_push_process_row(png_structp png_ptr)
{
   /* 1.5.6: row_info moved out of png_struct to a local here. */
   png_row_info row_info;
   png_byte filter;

   row_info.width = png_ptr->iwidth; /* NOTE: width of current interlaced row */
   row_info.color_type = png_ptr->color_type;
   row_info.bit_depth = png_ptr->bit_depth;
   row_info.channels = png_ptr->channels;
   row_info.pixel_depth = png_ptr->pixel_depth;
   row_info.rowbytes = PNG_ROWBYTES(row_info.pixel_depth, row_info.width);

   /* row_buf[0] is the filter-type byte that leads the row.  It is range
    * checked here, before png_read_filter_row() is asked to act on it; an
    * out-of-range value is a fatal error rather than something to skip.
    */
   filter = png_ptr->row_buf[0];

   if (filter > PNG_FILTER_VALUE_NONE)
   {
      if (filter >= PNG_FILTER_VALUE_LAST)
         png_error(png_ptr, "bad adaptive filter value");

      else
         png_read_filter_row(png_ptr, &row_info, png_ptr->row_buf + 1,
            png_ptr->prev_row + 1, filter);
   }

   /* libpng 1.5.6: before 1.5.6 this copied png_ptr->rowbytes.  The buffer
    * really is that big in current versions of libpng, but it may not be in
    * the future, so only the bytes of the current (interlaced) row, plus the
    * filter byte, are copied.
    */
   png_memcpy(png_ptr->prev_row, png_ptr->row_buf, row_info.rowbytes + 1);

#ifdef PNG_READ_TRANSFORMS_SUPPORTED
   if (png_ptr->transformations != 0)
      png_do_read_transformations(png_ptr, &row_info);
#endif

   /* The transformed pixel depth should match the depth now in row_info.
    * The first row records the depth and checks it against
    * maximum_pixel_depth (presumably the depth the row buffers were sized
    * for - confirm where they are allocated); every later row must agree
    * with the recorded value.
    */
   if (png_ptr->transformed_pixel_depth != 0)
   {
      if (png_ptr->transformed_pixel_depth != row_info.pixel_depth)
         png_error(png_ptr,
            "internal progressive row size calculation error");
   }

   else
   {
      png_ptr->transformed_pixel_depth = row_info.pixel_depth;
      if (row_info.pixel_depth > png_ptr->maximum_pixel_depth)
         png_error(png_ptr, "progressive row overflow");
   }

#ifdef PNG_READ_INTERLACING_SUPPORTED
   /* Blow up interlaced rows to full size */
   if (png_ptr->interlaced != 0 &&
       (png_ptr->transformations & PNG_INTERLACE) != 0)
   {
      if (png_ptr->pass < 6)
         png_do_read_interlace(&row_info, png_ptr->row_buf + 1, png_ptr->pass,
            png_ptr->transformations);

      /* Each case delivers the decoded row for every output row it covers
       * in the current pass, then NULL for the rows that follow it.  Row
       * callbacks must therefore cope with a NULL row pointer.
       */
      switch (png_ptr->pass)
      {
         case 0:
            png_push_emit_rows(png_ptr, 1, 8, 0);

            /* Pass 1 might be empty */
            png_push_emit_rows(png_ptr, 0, 4, 2);

            if (png_ptr->height <= 4)
            {
               png_push_emit_rows(png_ptr, 0, 2, 4);
               png_push_emit_rows(png_ptr, 0, 1, 6);
            }

            break;

         case 1:
            png_push_emit_rows(png_ptr, 1, 8, 1);

            /* Skip top 4 generated rows */
            png_push_emit_rows(png_ptr, 0, 4, 2);
            break;

         case 2:
            png_push_emit_rows(png_ptr, 1, 4, 2);
            png_push_emit_rows(png_ptr, 0, 4, 2);

            /* Pass 3 might be empty */
            png_push_emit_rows(png_ptr, 0, 2, 4);
            break;

         case 3:
            png_push_emit_rows(png_ptr, 1, 4, 3);

            /* Skip top two generated rows */
            png_push_emit_rows(png_ptr, 0, 2, 4);
            break;

         case 4:
            png_push_emit_rows(png_ptr, 1, 2, 4);
            png_push_emit_rows(png_ptr, 0, 2, 4);

            /* Pass 5 might be empty */
            png_push_emit_rows(png_ptr, 0, 1, 6);
            break;

         case 5:
            png_push_emit_rows(png_ptr, 1, 2, 5);

            /* Skip top generated row */
            png_push_emit_rows(png_ptr, 0, 1, 6);
            break;

         default:
         case 6:
            /* The decoded row is delivered unconditionally; the NULL row
             * follows only if the decoder is still in pass 6 afterwards.
             */
            png_push_have_row(png_ptr, png_ptr->row_buf + 1);
            png_read_push_finish_row(png_ptr);
            png_push_emit_rows(png_ptr, 0, 1, 6);
            break;
      }
   }
   else
#endif
   {
      png_push_have_row(png_ptr, png_ptr->row_buf + 1);
      png_read_push_finish_row(png_ptr);
   }
}
1186 
/* Advance the row counter after a row has been delivered.  When the last row
 * of an interlace pass has been reached, move on to the next pass that
 * actually contains pixels and recompute the width (and, unless libpng is
 * doing the de-interlacing, the row count) for that pass.
 */
void /* PRIVATE */
png_read_push_finish_row(png_structp png_ptr)
{
#ifdef PNG_READ_INTERLACING_SUPPORTED
   /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */

   /* Start of interlace block */
   static PNG_CONST png_byte FARDATA png_pass_start[] = {0, 4, 0, 2, 0, 1, 0};

   /* Offset to next interlace block */
   static PNG_CONST png_byte FARDATA png_pass_inc[] = {8, 8, 4, 4, 2, 2, 1};

   /* Start of interlace block in the y direction */
   static PNG_CONST png_byte FARDATA png_pass_ystart[] = {0, 0, 4, 0, 2, 0, 1};

   /* Offset to next interlace block in the y direction */
   static PNG_CONST png_byte FARDATA png_pass_yinc[] = {8, 8, 8, 4, 4, 2, 2};

   /* Height of interlace block.  This is not currently used - if you need
    * it, uncomment it here and in png.h
   static PNG_CONST png_byte FARDATA png_pass_height[] = {8, 8, 4, 4, 2, 2, 1};
   */
#endif

   png_ptr->row_number++;
   if (png_ptr->row_number < png_ptr->num_rows)
      return;

#ifdef PNG_READ_INTERLACING_SUPPORTED
   if (!png_ptr->interlaced)
      return;

   /* Start of a new pass: the row counter restarts and prev_row is cleared,
    * so the first row of the pass is filtered against zeros.
    */
   png_ptr->row_number = 0;
   png_memset(png_ptr->prev_row, 0, png_ptr->rowbytes + 1);

   for (;;)
   {
      int pass;

      png_ptr->pass++;

      /* Passes 1, 3 and 5 hold no pixels when the image is too narrow. */
      if ((png_ptr->pass == 1 && png_ptr->width < 5) ||
          (png_ptr->pass == 3 && png_ptr->width < 3) ||
          (png_ptr->pass == 5 && png_ptr->width < 2))
         png_ptr->pass++;

      if (png_ptr->pass > 7)
         png_ptr->pass--;

      /* The tables above have seven entries; leaving here keeps every
       * index below in the range 0 - 6.
       */
      if (png_ptr->pass >= 7)
         break;

      pass = png_ptr->pass;

      png_ptr->iwidth = (png_ptr->width +
          png_pass_inc[pass] - 1 -
          png_pass_start[pass]) /
          png_pass_inc[pass];

      /* When libpng expands the rows itself, num_rows is left as it is. */
      if (png_ptr->transformations & PNG_INTERLACE)
         break;

      png_ptr->num_rows = (png_ptr->height +
          png_pass_yinc[pass] - 1 -
          png_pass_ystart[pass]) /
          png_pass_yinc[pass];

      /* Keep going only while the pass just selected is empty. */
      if (png_ptr->iwidth != 0 && png_ptr->num_rows != 0)
         break;
   }
#endif /* PNG_READ_INTERLACING_SUPPORTED */
}
1252 
/* Invoke the application's info callback, if one was registered. */
void /* PRIVATE */
png_push_have_info(png_structp png_ptr, png_infop info_ptr)
{
   /* The callback is optional; an unset (NULL) pointer is never called. */
   if (png_ptr->info_fn == NULL)
      return;

   png_ptr->info_fn(png_ptr, info_ptr);
}
1259 
/* Invoke the application's end callback, if one was registered. */
void /* PRIVATE */
png_push_have_end(png_structp png_ptr, png_infop info_ptr)
{
   /* The callback is optional; an unset (NULL) pointer is never called. */
   if (png_ptr->end_fn == NULL)
      return;

   png_ptr->end_fn(png_ptr, info_ptr);
}
1266 
/* Invoke the application's row callback, if one was registered, passing the
 * row pointer together with the current row number and interlace pass.
 * 'row' may be NULL: callers in this file pass NULL for rows that carry no
 * new pixel data, so the callback has to accept that.
 */
void /* PRIVATE */
png_push_have_row(png_structp png_ptr, png_bytep row)
{
   if (png_ptr->row_fn == NULL)
      return;

   png_ptr->row_fn(png_ptr, row, png_ptr->row_number, (int)png_ptr->pass);
}
1274 
1275 #ifdef PNG_READ_INTERLACING_SUPPORTED
/* Merge the row most recently decoded by libpng into the application's copy
 * of that row.  Intended to be called from the application's row callback.
 *
 * new_row is only a flag here: NULL means the callback was invoked for an
 * empty row (see png_push_have_row and its callers), in which case nothing
 * is combined; otherwise it must be png_ptr->row_buf+1.
 *
 * NOTE(review): old_row is handed to png_combine_row() without any NULL or
 * size check in this function; presumably the caller must supply a buffer
 * that holds a full output row - confirm against png_combine_row().
 */
void PNGAPI
png_progressive_combine_row (png_structp png_ptr, png_bytep old_row,
    png_const_bytep new_row)
{
   if (png_ptr == NULL || new_row == NULL)
      return;

   png_combine_row(png_ptr, old_row, 1/*display*/);
}
1290 #endif /* PNG_READ_INTERLACING_SUPPORTED */
1291 
/* Register the application's callbacks for push-mode reading and install
 * png_push_fill_buffer as the read function.  Any of info_fn, row_fn and
 * end_fn may be NULL; the png_push_have_* helpers test each pointer before
 * calling it.  progressive_ptr is passed to png_set_read_fn() as the I/O
 * pointer (presumably what png_get_progressive_ptr() later returns).
 * Does nothing when png_ptr is NULL.
 */
void PNGAPI
png_set_progressive_read_fn(png_structp png_ptr, png_voidp progressive_ptr,
    png_progressive_info_ptr info_fn, png_progressive_row_ptr row_fn,
    png_progressive_end_ptr end_fn)
{
   if (png_ptr != NULL)
   {
      png_ptr->info_fn = info_fn;
      png_ptr->row_fn = row_fn;
      png_ptr->end_fn = end_fn;

      png_set_read_fn(png_ptr, progressive_ptr, png_push_fill_buffer);
   }
}
1306 
/* Return the I/O pointer stored in png_ptr, or NULL when png_ptr itself is
 * NULL.  The pointer is returned as stored; it is not validated here.
 */
png_voidp PNGAPI
png_get_progressive_ptr(png_const_structp png_ptr)
{
   return (png_ptr != NULL) ? png_ptr->io_ptr : NULL;
}
1315 #endif /* PNG_PROGRESSIVE_READ_SUPPORTED */
1316