• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 
2 /* pngwutil.c - utilities to write a PNG file
3  *
4  * Last changed in libpng 1.6.22 [May 26, 2016]
5  * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
6  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8  *
9  * This code is released under the libpng license.
10  * For conditions of distribution and use, see the disclaimer
11  * and license in png.h
12  */
13 
14 #include "pngpriv.h"
15 
16 #ifdef PNG_WRITE_SUPPORTED
17 
18 #ifdef PNG_WRITE_INT_FUNCTIONS_SUPPORTED
19 /* Place a 32-bit number into a buffer in PNG byte order.  We work
20  * with unsigned numbers for convenience, although one supported
21  * ancillary chunk uses signed (two's complement) numbers.
22  */
23 void PNGAPI
png_save_uint_32(png_bytep buf,png_uint_32 i)24 png_save_uint_32(png_bytep buf, png_uint_32 i)
25 {
26    buf[0] = (png_byte)((i >> 24) & 0xffU);
27    buf[1] = (png_byte)((i >> 16) & 0xffU);
28    buf[2] = (png_byte)((i >>  8) & 0xffU);
29    buf[3] = (png_byte)( i        & 0xffU);
30 }
31 
32 /* Place a 16-bit number into a buffer in PNG byte order.
33  * The parameter is declared unsigned int, not png_uint_16,
34  * just to avoid potential problems on pre-ANSI C compilers.
35  */
36 void PNGAPI
png_save_uint_16(png_bytep buf,unsigned int i)37 png_save_uint_16(png_bytep buf, unsigned int i)
38 {
39    buf[0] = (png_byte)((i >> 8) & 0xffU);
40    buf[1] = (png_byte)( i       & 0xffU);
41 }
42 #endif
43 
44 /* Simple function to write the signature.  If we have already written
45  * the magic bytes of the signature, or more likely, the PNG stream is
46  * being embedded into another stream and doesn't need its own signature,
47  * we should call png_set_sig_bytes() to tell libpng how many of the
48  * bytes have already been written.
49  */
50 void PNGAPI
png_write_sig(png_structrp png_ptr)51 png_write_sig(png_structrp png_ptr)
52 {
53    png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
54 
55 #ifdef PNG_IO_STATE_SUPPORTED
56    /* Inform the I/O callback that the signature is being written */
57    png_ptr->io_state = PNG_IO_WRITING | PNG_IO_SIGNATURE;
58 #endif
59 
60    /* Write the rest of the 8 byte signature */
61    png_write_data(png_ptr, &png_signature[png_ptr->sig_bytes],
62       (png_size_t)(8 - png_ptr->sig_bytes));
63 
64    if (png_ptr->sig_bytes < 3)
65       png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;
66 }
67 
68 /* Write the start of a PNG chunk.  The type is the chunk type.
69  * The total_length is the sum of the lengths of all the data you will be
70  * passing in png_write_chunk_data().
71  */
72 static void
png_write_chunk_header(png_structrp png_ptr,png_uint_32 chunk_name,png_uint_32 length)73 png_write_chunk_header(png_structrp png_ptr, png_uint_32 chunk_name,
74     png_uint_32 length)
75 {
76    png_byte buf[8];
77 
78 #if defined(PNG_DEBUG) && (PNG_DEBUG > 0)
79    PNG_CSTRING_FROM_CHUNK(buf, chunk_name);
80    png_debug2(0, "Writing %s chunk, length = %lu", buf, (unsigned long)length);
81 #endif
82 
83    if (png_ptr == NULL)
84       return;
85 
86 #ifdef PNG_IO_STATE_SUPPORTED
87    /* Inform the I/O callback that the chunk header is being written.
88     * PNG_IO_CHUNK_HDR requires a single I/O call.
89     */
90    png_ptr->io_state = PNG_IO_WRITING | PNG_IO_CHUNK_HDR;
91 #endif
92 
93    /* Write the length and the chunk name */
94    png_save_uint_32(buf, length);
95    png_save_uint_32(buf + 4, chunk_name);
96    png_write_data(png_ptr, buf, 8);
97 
98    /* Put the chunk name into png_ptr->chunk_name */
99    png_ptr->chunk_name = chunk_name;
100 
101    /* Reset the crc and run it over the chunk name */
102    png_reset_crc(png_ptr);
103 
104    png_calculate_crc(png_ptr, buf + 4, 4);
105 
106 #ifdef PNG_IO_STATE_SUPPORTED
107    /* Inform the I/O callback that chunk data will (possibly) be written.
108     * PNG_IO_CHUNK_DATA does NOT require a specific number of I/O calls.
109     */
110    png_ptr->io_state = PNG_IO_WRITING | PNG_IO_CHUNK_DATA;
111 #endif
112 }
113 
114 void PNGAPI
png_write_chunk_start(png_structrp png_ptr,png_const_bytep chunk_string,png_uint_32 length)115 png_write_chunk_start(png_structrp png_ptr, png_const_bytep chunk_string,
116     png_uint_32 length)
117 {
118    png_write_chunk_header(png_ptr, PNG_CHUNK_FROM_STRING(chunk_string), length);
119 }
120 
121 /* Write the data of a PNG chunk started with png_write_chunk_header().
122  * Note that multiple calls to this function are allowed, and that the
123  * sum of the lengths from these calls *must* add up to the total_length
124  * given to png_write_chunk_header().
125  */
126 void PNGAPI
png_write_chunk_data(png_structrp png_ptr,png_const_bytep data,png_size_t length)127 png_write_chunk_data(png_structrp png_ptr, png_const_bytep data,
128     png_size_t length)
129 {
130    /* Write the data, and run the CRC over it */
131    if (png_ptr == NULL)
132       return;
133 
134    if (data != NULL && length > 0)
135    {
136       png_write_data(png_ptr, data, length);
137 
138       /* Update the CRC after writing the data,
139        * in case the user I/O routine alters it.
140        */
141       png_calculate_crc(png_ptr, data, length);
142    }
143 }
144 
145 /* Finish a chunk started with png_write_chunk_header(). */
146 void PNGAPI
png_write_chunk_end(png_structrp png_ptr)147 png_write_chunk_end(png_structrp png_ptr)
148 {
149    png_byte buf[4];
150 
151    if (png_ptr == NULL) return;
152 
153 #ifdef PNG_IO_STATE_SUPPORTED
154    /* Inform the I/O callback that the chunk CRC is being written.
155     * PNG_IO_CHUNK_CRC requires a single I/O function call.
156     */
157    png_ptr->io_state = PNG_IO_WRITING | PNG_IO_CHUNK_CRC;
158 #endif
159 
160    /* Write the crc in a single operation */
161    png_save_uint_32(buf, png_ptr->crc);
162 
163    png_write_data(png_ptr, buf, (png_size_t)4);
164 }
165 
166 /* Write a PNG chunk all at once.  The type is an array of ASCII characters
167  * representing the chunk name.  The array must be at least 4 bytes in
168  * length, and does not need to be null terminated.  To be safe, pass the
169  * pre-defined chunk names here, and if you need a new one, define it
170  * where the others are defined.  The length is the length of the data.
171  * All the data must be present.  If that is not possible, use the
172  * png_write_chunk_start(), png_write_chunk_data(), and png_write_chunk_end()
173  * functions instead.
174  */
175 static void
png_write_complete_chunk(png_structrp png_ptr,png_uint_32 chunk_name,png_const_bytep data,png_size_t length)176 png_write_complete_chunk(png_structrp png_ptr, png_uint_32 chunk_name,
177    png_const_bytep data, png_size_t length)
178 {
179    if (png_ptr == NULL)
180       return;
181 
182    /* On 64-bit architectures 'length' may not fit in a png_uint_32. */
183    if (length > PNG_UINT_31_MAX)
184       png_error(png_ptr, "length exceeds PNG maximum");
185 
186    png_write_chunk_header(png_ptr, chunk_name, (png_uint_32)length);
187    png_write_chunk_data(png_ptr, data, length);
188    png_write_chunk_end(png_ptr);
189 }
190 
191 /* This is the API that calls the internal function above. */
192 void PNGAPI
png_write_chunk(png_structrp png_ptr,png_const_bytep chunk_string,png_const_bytep data,png_size_t length)193 png_write_chunk(png_structrp png_ptr, png_const_bytep chunk_string,
194    png_const_bytep data, png_size_t length)
195 {
196    png_write_complete_chunk(png_ptr, PNG_CHUNK_FROM_STRING(chunk_string), data,
197       length);
198 }
199 
200 /* This is used below to find the size of an image to pass to png_deflate_claim,
201  * so it only needs to be accurate if the size is less than 16384 bytes (the
202  * point at which a lower LZ window size can be used.)
203  */
204 static png_alloc_size_t
png_image_size(png_structrp png_ptr)205 png_image_size(png_structrp png_ptr)
206 {
207    /* Only return sizes up to the maximum of a png_uint_32; do this by limiting
208     * the width and height used to 15 bits.
209     */
210    png_uint_32 h = png_ptr->height;
211 
212    if (png_ptr->rowbytes < 32768 && h < 32768)
213    {
214       if (png_ptr->interlaced != 0)
215       {
216          /* Interlacing makes the image larger because of the replication of
217           * both the filter byte and the padding to a byte boundary.
218           */
219          png_uint_32 w = png_ptr->width;
220          unsigned int pd = png_ptr->pixel_depth;
221          png_alloc_size_t cb_base;
222          int pass;
223 
224          for (cb_base=0, pass=0; pass<=6; ++pass)
225          {
226             png_uint_32 pw = PNG_PASS_COLS(w, pass);
227 
228             if (pw > 0)
229                cb_base += (PNG_ROWBYTES(pd, pw)+1) * PNG_PASS_ROWS(h, pass);
230          }
231 
232          return cb_base;
233       }
234 
235       else
236          return (png_ptr->rowbytes+1) * h;
237    }
238 
239    else
240       return 0xffffffffU;
241 }
242 
243 #ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED
244    /* This is the code to hack the first two bytes of the deflate stream (the
245     * deflate header) to correct the windowBits value to match the actual data
246     * size.  Note that the second argument is the *uncompressed* size but the
247     * first argument is the *compressed* data (and it must be deflate
248     * compressed.)
249     */
250 static void
optimize_cmf(png_bytep data,png_alloc_size_t data_size)251 optimize_cmf(png_bytep data, png_alloc_size_t data_size)
252 {
253    /* Optimize the CMF field in the zlib stream.  The resultant zlib stream is
254     * still compliant to the stream specification.
255     */
256    if (data_size <= 16384) /* else windowBits must be 15 */
257    {
258       unsigned int z_cmf = data[0];  /* zlib compression method and flags */
259 
260       if ((z_cmf & 0x0f) == 8 && (z_cmf & 0xf0) <= 0x70)
261       {
262          unsigned int z_cinfo;
263          unsigned int half_z_window_size;
264 
265          z_cinfo = z_cmf >> 4;
266          half_z_window_size = 1U << (z_cinfo + 7);
267 
268          if (data_size <= half_z_window_size) /* else no change */
269          {
270             unsigned int tmp;
271 
272             do
273             {
274                half_z_window_size >>= 1;
275                --z_cinfo;
276             }
277             while (z_cinfo > 0 && data_size <= half_z_window_size);
278 
279             z_cmf = (z_cmf & 0x0f) | (z_cinfo << 4);
280 
281             data[0] = (png_byte)z_cmf;
282             tmp = data[1] & 0xe0;
283             tmp += 0x1f - ((z_cmf << 8) + tmp) % 0x1f;
284             data[1] = (png_byte)tmp;
285          }
286       }
287    }
288 }
289 #endif /* WRITE_OPTIMIZE_CMF */
290 
291 /* Initialize the compressor for the appropriate type of compression. */
292 static int
png_deflate_claim(png_structrp png_ptr,png_uint_32 owner,png_alloc_size_t data_size)293 png_deflate_claim(png_structrp png_ptr, png_uint_32 owner,
294    png_alloc_size_t data_size)
295 {
296    if (png_ptr->zowner != 0)
297    {
298 #if defined(PNG_WARNINGS_SUPPORTED) || defined(PNG_ERROR_TEXT_SUPPORTED)
299       char msg[64];
300 
301       PNG_STRING_FROM_CHUNK(msg, owner);
302       msg[4] = ':';
303       msg[5] = ' ';
304       PNG_STRING_FROM_CHUNK(msg+6, png_ptr->zowner);
305       /* So the message that results is "<chunk> using zstream"; this is an
306        * internal error, but is very useful for debugging.  i18n requirements
307        * are minimal.
308        */
309       (void)png_safecat(msg, (sizeof msg), 10, " using zstream");
310 #endif
311 #if PNG_RELEASE_BUILD
312          png_warning(png_ptr, msg);
313 
314          /* Attempt sane error recovery */
315          if (png_ptr->zowner == png_IDAT) /* don't steal from IDAT */
316          {
317             png_ptr->zstream.msg = PNGZ_MSG_CAST("in use by IDAT");
318             return Z_STREAM_ERROR;
319          }
320 
321          png_ptr->zowner = 0;
322 #else
323          png_error(png_ptr, msg);
324 #endif
325    }
326 
327    {
328       int level = png_ptr->zlib_level;
329       int method = png_ptr->zlib_method;
330       int windowBits = png_ptr->zlib_window_bits;
331       int memLevel = png_ptr->zlib_mem_level;
332       int strategy; /* set below */
333       int ret; /* zlib return code */
334 
335       if (owner == png_IDAT)
336       {
337          if ((png_ptr->flags & PNG_FLAG_ZLIB_CUSTOM_STRATEGY) != 0)
338             strategy = png_ptr->zlib_strategy;
339 
340          else if (png_ptr->do_filter != PNG_FILTER_NONE)
341             strategy = PNG_Z_DEFAULT_STRATEGY;
342 
343          else
344             strategy = PNG_Z_DEFAULT_NOFILTER_STRATEGY;
345       }
346 
347       else
348       {
349 #ifdef PNG_WRITE_CUSTOMIZE_ZTXT_COMPRESSION_SUPPORTED
350             level = png_ptr->zlib_text_level;
351             method = png_ptr->zlib_text_method;
352             windowBits = png_ptr->zlib_text_window_bits;
353             memLevel = png_ptr->zlib_text_mem_level;
354             strategy = png_ptr->zlib_text_strategy;
355 #else
356             /* If customization is not supported the values all come from the
357              * IDAT values except for the strategy, which is fixed to the
358              * default.  (This is the pre-1.6.0 behavior too, although it was
359              * implemented in a very different way.)
360              */
361             strategy = Z_DEFAULT_STRATEGY;
362 #endif
363       }
364 
365       /* Adjust 'windowBits' down if larger than 'data_size'; to stop this
366        * happening just pass 32768 as the data_size parameter.  Notice that zlib
367        * requires an extra 262 bytes in the window in addition to the data to be
368        * able to see the whole of the data, so if data_size+262 takes us to the
369        * next windowBits size we need to fix up the value later.  (Because even
370        * though deflate needs the extra window, inflate does not!)
371        */
372       if (data_size <= 16384)
373       {
374          /* IMPLEMENTATION NOTE: this 'half_window_size' stuff is only here to
375           * work round a Microsoft Visual C misbehavior which, contrary to C-90,
376           * widens the result of the following shift to 64-bits if (and,
377           * apparently, only if) it is used in a test.
378           */
379          unsigned int half_window_size = 1U << (windowBits-1);
380 
381          while (data_size + 262 <= half_window_size)
382          {
383             half_window_size >>= 1;
384             --windowBits;
385          }
386       }
387 
388       /* Check against the previous initialized values, if any. */
389       if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != 0 &&
390          (png_ptr->zlib_set_level != level ||
391          png_ptr->zlib_set_method != method ||
392          png_ptr->zlib_set_window_bits != windowBits ||
393          png_ptr->zlib_set_mem_level != memLevel ||
394          png_ptr->zlib_set_strategy != strategy))
395       {
396          if (deflateEnd(&png_ptr->zstream) != Z_OK)
397             png_warning(png_ptr, "deflateEnd failed (ignored)");
398 
399          png_ptr->flags &= ~PNG_FLAG_ZSTREAM_INITIALIZED;
400       }
401 
402       /* For safety clear out the input and output pointers (currently zlib
403        * doesn't use them on Init, but it might in the future).
404        */
405       png_ptr->zstream.next_in = NULL;
406       png_ptr->zstream.avail_in = 0;
407       png_ptr->zstream.next_out = NULL;
408       png_ptr->zstream.avail_out = 0;
409 
410       /* Now initialize if required, setting the new parameters, otherwise just
411        * to a simple reset to the previous parameters.
412        */
413       if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != 0)
414          ret = deflateReset(&png_ptr->zstream);
415 
416       else
417       {
418          ret = deflateInit2(&png_ptr->zstream, level, method, windowBits,
419             memLevel, strategy);
420 
421          if (ret == Z_OK)
422             png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;
423       }
424 
425       /* The return code is from either deflateReset or deflateInit2; they have
426        * pretty much the same set of error codes.
427        */
428       if (ret == Z_OK)
429          png_ptr->zowner = owner;
430 
431       else
432          png_zstream_error(png_ptr, ret);
433 
434       return ret;
435    }
436 }
437 
438 /* Clean up (or trim) a linked list of compression buffers. */
439 void /* PRIVATE */
png_free_buffer_list(png_structrp png_ptr,png_compression_bufferp * listp)440 png_free_buffer_list(png_structrp png_ptr, png_compression_bufferp *listp)
441 {
442    png_compression_bufferp list = *listp;
443 
444    if (list != NULL)
445    {
446       *listp = NULL;
447 
448       do
449       {
450          png_compression_bufferp next = list->next;
451 
452          png_free(png_ptr, list);
453          list = next;
454       }
455       while (list != NULL);
456    }
457 }
458 
459 #ifdef PNG_WRITE_COMPRESSED_TEXT_SUPPORTED
460 /* This pair of functions encapsulates the operation of (a) compressing a
461  * text string, and (b) issuing it later as a series of chunk data writes.
462  * The compression_state structure is shared context for these functions
463  * set up by the caller to allow access to the relevant local variables.
464  *
465  * compression_buffer (new in 1.6.0) is just a linked list of zbuffer_size
466  * temporary buffers.  From 1.6.0 it is retained in png_struct so that it will
467  * be correctly freed in the event of a write error (previous implementations
468  * just leaked memory.)
469  */
470 typedef struct
471 {
472    png_const_bytep      input;        /* The uncompressed input data */
473    png_alloc_size_t     input_len;    /* Its length */
474    png_uint_32          output_len;   /* Final compressed length */
475    png_byte             output[1024]; /* First block of output */
476 } compression_state;
477 
478 static void
png_text_compress_init(compression_state * comp,png_const_bytep input,png_alloc_size_t input_len)479 png_text_compress_init(compression_state *comp, png_const_bytep input,
480    png_alloc_size_t input_len)
481 {
482    comp->input = input;
483    comp->input_len = input_len;
484    comp->output_len = 0;
485 }
486 
487 /* Compress the data in the compression state input */
488 static int
png_text_compress(png_structrp png_ptr,png_uint_32 chunk_name,compression_state * comp,png_uint_32 prefix_len)489 png_text_compress(png_structrp png_ptr, png_uint_32 chunk_name,
490    compression_state *comp, png_uint_32 prefix_len)
491 {
492    int ret;
493 
494    /* To find the length of the output it is necessary to first compress the
495     * input. The result is buffered rather than using the two-pass algorithm
496     * that is used on the inflate side; deflate is assumed to be slower and a
497     * PNG writer is assumed to have more memory available than a PNG reader.
498     *
499     * IMPLEMENTATION NOTE: the zlib API deflateBound() can be used to find an
500     * upper limit on the output size, but it is always bigger than the input
501     * size so it is likely to be more efficient to use this linked-list
502     * approach.
503     */
504    ret = png_deflate_claim(png_ptr, chunk_name, comp->input_len);
505 
506    if (ret != Z_OK)
507       return ret;
508 
509    /* Set up the compression buffers, we need a loop here to avoid overflowing a
510     * uInt.  Use ZLIB_IO_MAX to limit the input.  The output is always limited
511     * by the output buffer size, so there is no need to check that.  Since this
512     * is ANSI-C we know that an 'int', hence a uInt, is always at least 16 bits
513     * in size.
514     */
515    {
516       png_compression_bufferp *end = &png_ptr->zbuffer_list;
517       png_alloc_size_t input_len = comp->input_len; /* may be zero! */
518       png_uint_32 output_len;
519 
520       /* zlib updates these for us: */
521       png_ptr->zstream.next_in = PNGZ_INPUT_CAST(comp->input);
522       png_ptr->zstream.avail_in = 0; /* Set below */
523       png_ptr->zstream.next_out = comp->output;
524       png_ptr->zstream.avail_out = (sizeof comp->output);
525 
526       output_len = png_ptr->zstream.avail_out;
527 
528       do
529       {
530          uInt avail_in = ZLIB_IO_MAX;
531 
532          if (avail_in > input_len)
533             avail_in = (uInt)input_len;
534 
535          input_len -= avail_in;
536 
537          png_ptr->zstream.avail_in = avail_in;
538 
539          if (png_ptr->zstream.avail_out == 0)
540          {
541             png_compression_buffer *next;
542 
543             /* Chunk data is limited to 2^31 bytes in length, so the prefix
544              * length must be counted here.
545              */
546             if (output_len + prefix_len > PNG_UINT_31_MAX)
547             {
548                ret = Z_MEM_ERROR;
549                break;
550             }
551 
552             /* Need a new (malloc'ed) buffer, but there may be one present
553              * already.
554              */
555             next = *end;
556             if (next == NULL)
557             {
558                next = png_voidcast(png_compression_bufferp, png_malloc_base
559                   (png_ptr, PNG_COMPRESSION_BUFFER_SIZE(png_ptr)));
560 
561                if (next == NULL)
562                {
563                   ret = Z_MEM_ERROR;
564                   break;
565                }
566 
567                /* Link in this buffer (so that it will be freed later) */
568                next->next = NULL;
569                *end = next;
570             }
571 
572             png_ptr->zstream.next_out = next->output;
573             png_ptr->zstream.avail_out = png_ptr->zbuffer_size;
574             output_len += png_ptr->zstream.avail_out;
575 
576             /* Move 'end' to the next buffer pointer. */
577             end = &next->next;
578          }
579 
580          /* Compress the data */
581          ret = deflate(&png_ptr->zstream,
582             input_len > 0 ? Z_NO_FLUSH : Z_FINISH);
583 
584          /* Claw back input data that was not consumed (because avail_in is
585           * reset above every time round the loop).
586           */
587          input_len += png_ptr->zstream.avail_in;
588          png_ptr->zstream.avail_in = 0; /* safety */
589       }
590       while (ret == Z_OK);
591 
592       /* There may be some space left in the last output buffer. This needs to
593        * be subtracted from output_len.
594        */
595       output_len -= png_ptr->zstream.avail_out;
596       png_ptr->zstream.avail_out = 0; /* safety */
597       comp->output_len = output_len;
598 
599       /* Now double check the output length, put in a custom message if it is
600        * too long.  Otherwise ensure the z_stream::msg pointer is set to
601        * something.
602        */
603       if (output_len + prefix_len >= PNG_UINT_31_MAX)
604       {
605          png_ptr->zstream.msg = PNGZ_MSG_CAST("compressed data too long");
606          ret = Z_MEM_ERROR;
607       }
608 
609       else
610          png_zstream_error(png_ptr, ret);
611 
612       /* Reset zlib for another zTXt/iTXt or image data */
613       png_ptr->zowner = 0;
614 
615       /* The only success case is Z_STREAM_END, input_len must be 0; if not this
616        * is an internal error.
617        */
618       if (ret == Z_STREAM_END && input_len == 0)
619       {
620 #ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED
621          /* Fix up the deflate header, if required */
622          optimize_cmf(comp->output, comp->input_len);
623 #endif
624          /* But Z_OK is returned, not Z_STREAM_END; this allows the claim
625           * function above to return Z_STREAM_END on an error (though it never
626           * does in the current versions of zlib.)
627           */
628          return Z_OK;
629       }
630 
631       else
632          return ret;
633    }
634 }
635 
636 /* Ship the compressed text out via chunk writes */
637 static void
png_write_compressed_data_out(png_structrp png_ptr,compression_state * comp)638 png_write_compressed_data_out(png_structrp png_ptr, compression_state *comp)
639 {
640    png_uint_32 output_len = comp->output_len;
641    png_const_bytep output = comp->output;
642    png_uint_32 avail = (sizeof comp->output);
643    png_compression_buffer *next = png_ptr->zbuffer_list;
644 
645    for (;;)
646    {
647       if (avail > output_len)
648          avail = output_len;
649 
650       png_write_chunk_data(png_ptr, output, avail);
651 
652       output_len -= avail;
653 
654       if (output_len == 0 || next == NULL)
655          break;
656 
657       avail = png_ptr->zbuffer_size;
658       output = next->output;
659       next = next->next;
660    }
661 
662    /* This is an internal error; 'next' must have been NULL! */
663    if (output_len > 0)
664       png_error(png_ptr, "error writing ancillary chunked compressed data");
665 }
666 #endif /* WRITE_COMPRESSED_TEXT */
667 
668 /* Write the IHDR chunk, and update the png_struct with the necessary
669  * information.  Note that the rest of this code depends upon this
670  * information being correct.
671  */
672 void /* PRIVATE */
png_write_IHDR(png_structrp png_ptr,png_uint_32 width,png_uint_32 height,int bit_depth,int color_type,int compression_type,int filter_type,int interlace_type)673 png_write_IHDR(png_structrp png_ptr, png_uint_32 width, png_uint_32 height,
674     int bit_depth, int color_type, int compression_type, int filter_type,
675     int interlace_type)
676 {
677    png_byte buf[13]; /* Buffer to store the IHDR info */
678 
679    png_debug(1, "in png_write_IHDR");
680 
681    /* Check that we have valid input data from the application info */
682    switch (color_type)
683    {
684       case PNG_COLOR_TYPE_GRAY:
685          switch (bit_depth)
686          {
687             case 1:
688             case 2:
689             case 4:
690             case 8:
691 #ifdef PNG_WRITE_16BIT_SUPPORTED
692             case 16:
693 #endif
694                png_ptr->channels = 1; break;
695 
696             default:
697                png_error(png_ptr,
698                    "Invalid bit depth for grayscale image");
699          }
700          break;
701 
702       case PNG_COLOR_TYPE_RGB:
703 #ifdef PNG_WRITE_16BIT_SUPPORTED
704          if (bit_depth != 8 && bit_depth != 16)
705 #else
706          if (bit_depth != 8)
707 #endif
708             png_error(png_ptr, "Invalid bit depth for RGB image");
709 
710          png_ptr->channels = 3;
711          break;
712 
713       case PNG_COLOR_TYPE_PALETTE:
714          switch (bit_depth)
715          {
716             case 1:
717             case 2:
718             case 4:
719             case 8:
720                png_ptr->channels = 1;
721                break;
722 
723             default:
724                png_error(png_ptr, "Invalid bit depth for paletted image");
725          }
726          break;
727 
728       case PNG_COLOR_TYPE_GRAY_ALPHA:
729          if (bit_depth != 8 && bit_depth != 16)
730             png_error(png_ptr, "Invalid bit depth for grayscale+alpha image");
731 
732          png_ptr->channels = 2;
733          break;
734 
735       case PNG_COLOR_TYPE_RGB_ALPHA:
736 #ifdef PNG_WRITE_16BIT_SUPPORTED
737          if (bit_depth != 8 && bit_depth != 16)
738 #else
739          if (bit_depth != 8)
740 #endif
741             png_error(png_ptr, "Invalid bit depth for RGBA image");
742 
743          png_ptr->channels = 4;
744          break;
745 
746       default:
747          png_error(png_ptr, "Invalid image color type specified");
748    }
749 
750    if (compression_type != PNG_COMPRESSION_TYPE_BASE)
751    {
752       png_warning(png_ptr, "Invalid compression type specified");
753       compression_type = PNG_COMPRESSION_TYPE_BASE;
754    }
755 
756    /* Write filter_method 64 (intrapixel differencing) only if
757     * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
758     * 2. Libpng did not write a PNG signature (this filter_method is only
759     *    used in PNG datastreams that are embedded in MNG datastreams) and
760     * 3. The application called png_permit_mng_features with a mask that
761     *    included PNG_FLAG_MNG_FILTER_64 and
762     * 4. The filter_method is 64 and
763     * 5. The color_type is RGB or RGBA
764     */
765    if (
766 #ifdef PNG_MNG_FEATURES_SUPPORTED
767        !((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
768        ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
769        (color_type == PNG_COLOR_TYPE_RGB ||
770         color_type == PNG_COLOR_TYPE_RGB_ALPHA) &&
771        (filter_type == PNG_INTRAPIXEL_DIFFERENCING)) &&
772 #endif
773        filter_type != PNG_FILTER_TYPE_BASE)
774    {
775       png_warning(png_ptr, "Invalid filter type specified");
776       filter_type = PNG_FILTER_TYPE_BASE;
777    }
778 
779 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
780    if (interlace_type != PNG_INTERLACE_NONE &&
781        interlace_type != PNG_INTERLACE_ADAM7)
782    {
783       png_warning(png_ptr, "Invalid interlace type specified");
784       interlace_type = PNG_INTERLACE_ADAM7;
785    }
786 #else
787    interlace_type=PNG_INTERLACE_NONE;
788 #endif
789 
790    /* Save the relevant information */
791    png_ptr->bit_depth = (png_byte)bit_depth;
792    png_ptr->color_type = (png_byte)color_type;
793    png_ptr->interlaced = (png_byte)interlace_type;
794 #ifdef PNG_MNG_FEATURES_SUPPORTED
795    png_ptr->filter_type = (png_byte)filter_type;
796 #endif
797    png_ptr->compression_type = (png_byte)compression_type;
798    png_ptr->width = width;
799    png_ptr->height = height;
800 
801    png_ptr->pixel_depth = (png_byte)(bit_depth * png_ptr->channels);
802    png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, width);
803    /* Set the usr info, so any transformations can modify it */
804    png_ptr->usr_width = png_ptr->width;
805    png_ptr->usr_bit_depth = png_ptr->bit_depth;
806    png_ptr->usr_channels = png_ptr->channels;
807 
808    /* Pack the header information into the buffer */
809    png_save_uint_32(buf, width);
810    png_save_uint_32(buf + 4, height);
811    buf[8] = (png_byte)bit_depth;
812    buf[9] = (png_byte)color_type;
813    buf[10] = (png_byte)compression_type;
814    buf[11] = (png_byte)filter_type;
815    buf[12] = (png_byte)interlace_type;
816 
817    /* Write the chunk */
818    png_write_complete_chunk(png_ptr, png_IHDR, buf, (png_size_t)13);
819 
820    if ((png_ptr->do_filter) == PNG_NO_FILTERS)
821    {
822       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE ||
823           png_ptr->bit_depth < 8)
824          png_ptr->do_filter = PNG_FILTER_NONE;
825 
826       else
827          png_ptr->do_filter = PNG_ALL_FILTERS;
828    }
829 
830    png_ptr->mode = PNG_HAVE_IHDR; /* not READY_FOR_ZTXT */
831 }
832 
833 /* Write the palette.  We are careful not to trust png_color to be in the
834  * correct order for PNG, so people can redefine it to any convenient
835  * structure.
836  */
837 void /* PRIVATE */
png_write_PLTE(png_structrp png_ptr,png_const_colorp palette,png_uint_32 num_pal)838 png_write_PLTE(png_structrp png_ptr, png_const_colorp palette,
839     png_uint_32 num_pal)
840 {
841    png_uint_32 max_palette_length, i;
842    png_const_colorp pal_ptr;
843    png_byte buf[3];
844 
845    png_debug(1, "in png_write_PLTE");
846 
847    max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
848       (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
849 
850    if ((
851 #ifdef PNG_MNG_FEATURES_SUPPORTED
852        (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 &&
853 #endif
854        num_pal == 0) || num_pal > max_palette_length)
855    {
856       if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
857       {
858          png_error(png_ptr, "Invalid number of colors in palette");
859       }
860 
861       else
862       {
863          png_warning(png_ptr, "Invalid number of colors in palette");
864          return;
865       }
866    }
867 
868    if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0)
869    {
870       png_warning(png_ptr,
871           "Ignoring request to write a PLTE chunk in grayscale PNG");
872 
873       return;
874    }
875 
876    png_ptr->num_palette = (png_uint_16)num_pal;
877    png_debug1(3, "num_palette = %d", png_ptr->num_palette);
878 
879    png_write_chunk_header(png_ptr, png_PLTE, (png_uint_32)(num_pal * 3));
880 #ifdef PNG_POINTER_INDEXING_SUPPORTED
881 
882    for (i = 0, pal_ptr = palette; i < num_pal; i++, pal_ptr++)
883    {
884       buf[0] = pal_ptr->red;
885       buf[1] = pal_ptr->green;
886       buf[2] = pal_ptr->blue;
887       png_write_chunk_data(png_ptr, buf, (png_size_t)3);
888    }
889 
890 #else
891    /* This is a little slower but some buggy compilers need to do this
892     * instead
893     */
894    pal_ptr=palette;
895 
896    for (i = 0; i < num_pal; i++)
897    {
898       buf[0] = pal_ptr[i].red;
899       buf[1] = pal_ptr[i].green;
900       buf[2] = pal_ptr[i].blue;
901       png_write_chunk_data(png_ptr, buf, (png_size_t)3);
902    }
903 
904 #endif
905    png_write_chunk_end(png_ptr);
906    png_ptr->mode |= PNG_HAVE_PLTE;
907 }
908 
909 /* This is similar to png_text_compress, above, except that it does not require
910  * all of the data at once and, instead of buffering the compressed result,
911  * writes it as IDAT chunks.  Unlike png_text_compress it *can* png_error out
912  * because it calls the write interface.  As a result it does its own error
913  * reporting and does not return an error code.  In the event of error it will
914  * just call png_error.  The input data length may exceed 32-bits.  The 'flush'
915  * parameter is exactly the same as that to deflate, with the following
916  * meanings:
917  *
918  * Z_NO_FLUSH: normal incremental output of compressed data
919  * Z_SYNC_FLUSH: do a SYNC_FLUSH, used by png_write_flush
920  * Z_FINISH: this is the end of the input, do a Z_FINISH and clean up
921  *
922  * The routine manages the acquire and release of the png_ptr->zstream by
923  * checking and (at the end) clearing png_ptr->zowner; it does some sanity
924  * checks on the 'mode' flags while doing this.
925  */
926 void /* PRIVATE */
png_compress_IDAT(png_structrp png_ptr,png_const_bytep input,png_alloc_size_t input_len,int flush)927 png_compress_IDAT(png_structrp png_ptr, png_const_bytep input,
928    png_alloc_size_t input_len, int flush)
929 {
930    if (png_ptr->zowner != png_IDAT)
931    {
932       /* First time.   Ensure we have a temporary buffer for compression and
933        * trim the buffer list if it has more than one entry to free memory.
934        * If 'WRITE_COMPRESSED_TEXT' is not set the list will never have been
935        * created at this point, but the check here is quick and safe.
936        */
937       if (png_ptr->zbuffer_list == NULL)
938       {
939          png_ptr->zbuffer_list = png_voidcast(png_compression_bufferp,
940             png_malloc(png_ptr, PNG_COMPRESSION_BUFFER_SIZE(png_ptr)));
941          png_ptr->zbuffer_list->next = NULL;
942       }
943 
944       else
945          png_free_buffer_list(png_ptr, &png_ptr->zbuffer_list->next);
946 
947       /* It is a terminal error if we can't claim the zstream. */
948       if (png_deflate_claim(png_ptr, png_IDAT, png_image_size(png_ptr)) != Z_OK)
949          png_error(png_ptr, png_ptr->zstream.msg);
950 
951       /* The output state is maintained in png_ptr->zstream, so it must be
952        * initialized here after the claim.
953        */
954       png_ptr->zstream.next_out = png_ptr->zbuffer_list->output;
955       png_ptr->zstream.avail_out = png_ptr->zbuffer_size;
956    }
957 
958    /* Now loop reading and writing until all the input is consumed or an error
959     * terminates the operation.  The _out values are maintained across calls to
960     * this function, but the input must be reset each time.
961     */
962    png_ptr->zstream.next_in = PNGZ_INPUT_CAST(input);
963    png_ptr->zstream.avail_in = 0; /* set below */
964    for (;;)
965    {
966       int ret;
967 
968       /* INPUT: from the row data */
969       uInt avail = ZLIB_IO_MAX;
970 
971       if (avail > input_len)
972          avail = (uInt)input_len; /* safe because of the check */
973 
974       png_ptr->zstream.avail_in = avail;
975       input_len -= avail;
976 
977       ret = deflate(&png_ptr->zstream, input_len > 0 ? Z_NO_FLUSH : flush);
978 
979       /* Include as-yet unconsumed input */
980       input_len += png_ptr->zstream.avail_in;
981       png_ptr->zstream.avail_in = 0;
982 
983       /* OUTPUT: write complete IDAT chunks when avail_out drops to zero. Note
984        * that these two zstream fields are preserved across the calls, therefore
985        * there is no need to set these up on entry to the loop.
986        */
987       if (png_ptr->zstream.avail_out == 0)
988       {
989          png_bytep data = png_ptr->zbuffer_list->output;
990          uInt size = png_ptr->zbuffer_size;
991 
992          /* Write an IDAT containing the data then reset the buffer.  The
993           * first IDAT may need deflate header optimization.
994           */
995 #ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED
996             if ((png_ptr->mode & PNG_HAVE_IDAT) == 0 &&
997                 png_ptr->compression_type == PNG_COMPRESSION_TYPE_BASE)
998                optimize_cmf(data, png_image_size(png_ptr));
999 #endif
1000 
1001          png_write_complete_chunk(png_ptr, png_IDAT, data, size);
1002          png_ptr->mode |= PNG_HAVE_IDAT;
1003 
1004          png_ptr->zstream.next_out = data;
1005          png_ptr->zstream.avail_out = size;
1006 
1007          /* For SYNC_FLUSH or FINISH it is essential to keep calling zlib with
1008           * the same flush parameter until it has finished output, for NO_FLUSH
1009           * it doesn't matter.
1010           */
1011          if (ret == Z_OK && flush != Z_NO_FLUSH)
1012             continue;
1013       }
1014 
1015       /* The order of these checks doesn't matter much; it just affects which
1016        * possible error might be detected if multiple things go wrong at once.
1017        */
1018       if (ret == Z_OK) /* most likely return code! */
1019       {
1020          /* If all the input has been consumed then just return.  If Z_FINISH
1021           * was used as the flush parameter something has gone wrong if we get
1022           * here.
1023           */
1024          if (input_len == 0)
1025          {
1026             if (flush == Z_FINISH)
1027                png_error(png_ptr, "Z_OK on Z_FINISH with output space");
1028 
1029             return;
1030          }
1031       }
1032 
1033       else if (ret == Z_STREAM_END && flush == Z_FINISH)
1034       {
1035          /* This is the end of the IDAT data; any pending output must be
1036           * flushed.  For small PNG files we may still be at the beginning.
1037           */
1038          png_bytep data = png_ptr->zbuffer_list->output;
1039          uInt size = png_ptr->zbuffer_size - png_ptr->zstream.avail_out;
1040 
1041 #ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED
1042          if ((png_ptr->mode & PNG_HAVE_IDAT) == 0 &&
1043              png_ptr->compression_type == PNG_COMPRESSION_TYPE_BASE)
1044             optimize_cmf(data, png_image_size(png_ptr));
1045 #endif
1046 
1047          png_write_complete_chunk(png_ptr, png_IDAT, data, size);
1048          png_ptr->zstream.avail_out = 0;
1049          png_ptr->zstream.next_out = NULL;
1050          png_ptr->mode |= PNG_HAVE_IDAT | PNG_AFTER_IDAT;
1051 
1052          png_ptr->zowner = 0; /* Release the stream */
1053          return;
1054       }
1055 
1056       else
1057       {
1058          /* This is an error condition. */
1059          png_zstream_error(png_ptr, ret);
1060          png_error(png_ptr, png_ptr->zstream.msg);
1061       }
1062    }
1063 }
1064 
1065 /* Write an IEND chunk */
1066 void /* PRIVATE */
png_write_IEND(png_structrp png_ptr)1067 png_write_IEND(png_structrp png_ptr)
1068 {
1069    png_debug(1, "in png_write_IEND");
1070 
1071    png_write_complete_chunk(png_ptr, png_IEND, NULL, (png_size_t)0);
1072    png_ptr->mode |= PNG_HAVE_IEND;
1073 }
1074 
1075 #ifdef PNG_WRITE_gAMA_SUPPORTED
1076 /* Write a gAMA chunk */
1077 void /* PRIVATE */
png_write_gAMA_fixed(png_structrp png_ptr,png_fixed_point file_gamma)1078 png_write_gAMA_fixed(png_structrp png_ptr, png_fixed_point file_gamma)
1079 {
1080    png_byte buf[4];
1081 
1082    png_debug(1, "in png_write_gAMA");
1083 
1084    /* file_gamma is saved in 1/100,000ths */
1085    png_save_uint_32(buf, (png_uint_32)file_gamma);
1086    png_write_complete_chunk(png_ptr, png_gAMA, buf, (png_size_t)4);
1087 }
1088 #endif
1089 
1090 #ifdef PNG_WRITE_sRGB_SUPPORTED
1091 /* Write a sRGB chunk */
1092 void /* PRIVATE */
png_write_sRGB(png_structrp png_ptr,int srgb_intent)1093 png_write_sRGB(png_structrp png_ptr, int srgb_intent)
1094 {
1095    png_byte buf[1];
1096 
1097    png_debug(1, "in png_write_sRGB");
1098 
1099    if (srgb_intent >= PNG_sRGB_INTENT_LAST)
1100       png_warning(png_ptr,
1101           "Invalid sRGB rendering intent specified");
1102 
1103    buf[0]=(png_byte)srgb_intent;
1104    png_write_complete_chunk(png_ptr, png_sRGB, buf, (png_size_t)1);
1105 }
1106 #endif
1107 
1108 #ifdef PNG_WRITE_iCCP_SUPPORTED
1109 /* Write an iCCP chunk */
1110 void /* PRIVATE */
png_write_iCCP(png_structrp png_ptr,png_const_charp name,png_const_bytep profile)1111 png_write_iCCP(png_structrp png_ptr, png_const_charp name,
1112     png_const_bytep profile)
1113 {
1114    png_uint_32 name_len;
1115    png_uint_32 profile_len;
1116    png_byte new_name[81]; /* 1 byte for the compression byte */
1117    compression_state comp;
1118    png_uint_32 temp;
1119 
1120    png_debug(1, "in png_write_iCCP");
1121 
1122    /* These are all internal problems: the profile should have been checked
1123     * before when it was stored.
1124     */
1125    if (profile == NULL)
1126       png_error(png_ptr, "No profile for iCCP chunk"); /* internal error */
1127 
1128    profile_len = png_get_uint_32(profile);
1129 
1130    if (profile_len < 132)
1131       png_error(png_ptr, "ICC profile too short");
1132 
1133    temp = (png_uint_32) (*(profile+8));
1134    if (temp > 3 && (profile_len & 0x03))
1135       png_error(png_ptr, "ICC profile length invalid (not a multiple of 4)");
1136 
1137    {
1138       png_uint_32 embedded_profile_len = png_get_uint_32(profile);
1139 
1140       if (profile_len != embedded_profile_len)
1141          png_error(png_ptr, "Profile length does not match profile");
1142    }
1143 
1144    name_len = png_check_keyword(png_ptr, name, new_name);
1145 
1146    if (name_len == 0)
1147       png_error(png_ptr, "iCCP: invalid keyword");
1148 
1149    new_name[++name_len] = PNG_COMPRESSION_TYPE_BASE;
1150 
1151    /* Make sure we include the NULL after the name and the compression type */
1152    ++name_len;
1153 
1154    png_text_compress_init(&comp, profile, profile_len);
1155 
1156    /* Allow for keyword terminator and compression byte */
1157    if (png_text_compress(png_ptr, png_iCCP, &comp, name_len) != Z_OK)
1158       png_error(png_ptr, png_ptr->zstream.msg);
1159 
1160    png_write_chunk_header(png_ptr, png_iCCP, name_len + comp.output_len);
1161 
1162    png_write_chunk_data(png_ptr, new_name, name_len);
1163 
1164    png_write_compressed_data_out(png_ptr, &comp);
1165 
1166    png_write_chunk_end(png_ptr);
1167 }
1168 #endif
1169 
1170 #ifdef PNG_WRITE_sPLT_SUPPORTED
1171 /* Write a sPLT chunk */
1172 void /* PRIVATE */
png_write_sPLT(png_structrp png_ptr,png_const_sPLT_tp spalette)1173 png_write_sPLT(png_structrp png_ptr, png_const_sPLT_tp spalette)
1174 {
1175    png_uint_32 name_len;
1176    png_byte new_name[80];
1177    png_byte entrybuf[10];
1178    png_size_t entry_size = (spalette->depth == 8 ? 6 : 10);
1179    png_size_t palette_size = entry_size * spalette->nentries;
1180    png_sPLT_entryp ep;
1181 #ifndef PNG_POINTER_INDEXING_SUPPORTED
1182    int i;
1183 #endif
1184 
1185    png_debug(1, "in png_write_sPLT");
1186 
1187    name_len = png_check_keyword(png_ptr, spalette->name, new_name);
1188 
1189    if (name_len == 0)
1190       png_error(png_ptr, "sPLT: invalid keyword");
1191 
1192    /* Make sure we include the NULL after the name */
1193    png_write_chunk_header(png_ptr, png_sPLT,
1194        (png_uint_32)(name_len + 2 + palette_size));
1195 
1196    png_write_chunk_data(png_ptr, (png_bytep)new_name,
1197        (png_size_t)(name_len + 1));
1198 
1199    png_write_chunk_data(png_ptr, &spalette->depth, (png_size_t)1);
1200 
1201    /* Loop through each palette entry, writing appropriately */
1202 #ifdef PNG_POINTER_INDEXING_SUPPORTED
1203    for (ep = spalette->entries; ep<spalette->entries + spalette->nentries; ep++)
1204    {
1205       if (spalette->depth == 8)
1206       {
1207          entrybuf[0] = (png_byte)ep->red;
1208          entrybuf[1] = (png_byte)ep->green;
1209          entrybuf[2] = (png_byte)ep->blue;
1210          entrybuf[3] = (png_byte)ep->alpha;
1211          png_save_uint_16(entrybuf + 4, ep->frequency);
1212       }
1213 
1214       else
1215       {
1216          png_save_uint_16(entrybuf + 0, ep->red);
1217          png_save_uint_16(entrybuf + 2, ep->green);
1218          png_save_uint_16(entrybuf + 4, ep->blue);
1219          png_save_uint_16(entrybuf + 6, ep->alpha);
1220          png_save_uint_16(entrybuf + 8, ep->frequency);
1221       }
1222 
1223       png_write_chunk_data(png_ptr, entrybuf, entry_size);
1224    }
1225 #else
1226    ep=spalette->entries;
1227    for (i = 0; i>spalette->nentries; i++)
1228    {
1229       if (spalette->depth == 8)
1230       {
1231          entrybuf[0] = (png_byte)ep[i].red;
1232          entrybuf[1] = (png_byte)ep[i].green;
1233          entrybuf[2] = (png_byte)ep[i].blue;
1234          entrybuf[3] = (png_byte)ep[i].alpha;
1235          png_save_uint_16(entrybuf + 4, ep[i].frequency);
1236       }
1237 
1238       else
1239       {
1240          png_save_uint_16(entrybuf + 0, ep[i].red);
1241          png_save_uint_16(entrybuf + 2, ep[i].green);
1242          png_save_uint_16(entrybuf + 4, ep[i].blue);
1243          png_save_uint_16(entrybuf + 6, ep[i].alpha);
1244          png_save_uint_16(entrybuf + 8, ep[i].frequency);
1245       }
1246 
1247       png_write_chunk_data(png_ptr, entrybuf, entry_size);
1248    }
1249 #endif
1250 
1251    png_write_chunk_end(png_ptr);
1252 }
1253 #endif
1254 
1255 #ifdef PNG_WRITE_sBIT_SUPPORTED
1256 /* Write the sBIT chunk */
1257 void /* PRIVATE */
png_write_sBIT(png_structrp png_ptr,png_const_color_8p sbit,int color_type)1258 png_write_sBIT(png_structrp png_ptr, png_const_color_8p sbit, int color_type)
1259 {
1260    png_byte buf[4];
1261    png_size_t size;
1262 
1263    png_debug(1, "in png_write_sBIT");
1264 
1265    /* Make sure we don't depend upon the order of PNG_COLOR_8 */
1266    if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
1267    {
1268       png_byte maxbits;
1269 
1270       maxbits = (png_byte)(color_type==PNG_COLOR_TYPE_PALETTE ? 8 :
1271           png_ptr->usr_bit_depth);
1272 
1273       if (sbit->red == 0 || sbit->red > maxbits ||
1274           sbit->green == 0 || sbit->green > maxbits ||
1275           sbit->blue == 0 || sbit->blue > maxbits)
1276       {
1277          png_warning(png_ptr, "Invalid sBIT depth specified");
1278          return;
1279       }
1280 
1281       buf[0] = sbit->red;
1282       buf[1] = sbit->green;
1283       buf[2] = sbit->blue;
1284       size = 3;
1285    }
1286 
1287    else
1288    {
1289       if (sbit->gray == 0 || sbit->gray > png_ptr->usr_bit_depth)
1290       {
1291          png_warning(png_ptr, "Invalid sBIT depth specified");
1292          return;
1293       }
1294 
1295       buf[0] = sbit->gray;
1296       size = 1;
1297    }
1298 
1299    if ((color_type & PNG_COLOR_MASK_ALPHA) != 0)
1300    {
1301       if (sbit->alpha == 0 || sbit->alpha > png_ptr->usr_bit_depth)
1302       {
1303          png_warning(png_ptr, "Invalid sBIT depth specified");
1304          return;
1305       }
1306 
1307       buf[size++] = sbit->alpha;
1308    }
1309 
1310    png_write_complete_chunk(png_ptr, png_sBIT, buf, size);
1311 }
1312 #endif
1313 
1314 #ifdef PNG_WRITE_cHRM_SUPPORTED
1315 /* Write the cHRM chunk */
1316 void /* PRIVATE */
png_write_cHRM_fixed(png_structrp png_ptr,const png_xy * xy)1317 png_write_cHRM_fixed(png_structrp png_ptr, const png_xy *xy)
1318 {
1319    png_byte buf[32];
1320 
1321    png_debug(1, "in png_write_cHRM");
1322 
1323    /* Each value is saved in 1/100,000ths */
1324    png_save_int_32(buf,      xy->whitex);
1325    png_save_int_32(buf +  4, xy->whitey);
1326 
1327    png_save_int_32(buf +  8, xy->redx);
1328    png_save_int_32(buf + 12, xy->redy);
1329 
1330    png_save_int_32(buf + 16, xy->greenx);
1331    png_save_int_32(buf + 20, xy->greeny);
1332 
1333    png_save_int_32(buf + 24, xy->bluex);
1334    png_save_int_32(buf + 28, xy->bluey);
1335 
1336    png_write_complete_chunk(png_ptr, png_cHRM, buf, 32);
1337 }
1338 #endif
1339 
1340 #ifdef PNG_WRITE_tRNS_SUPPORTED
1341 /* Write the tRNS chunk */
1342 void /* PRIVATE */
png_write_tRNS(png_structrp png_ptr,png_const_bytep trans_alpha,png_const_color_16p tran,int num_trans,int color_type)1343 png_write_tRNS(png_structrp png_ptr, png_const_bytep trans_alpha,
1344     png_const_color_16p tran, int num_trans, int color_type)
1345 {
1346    png_byte buf[6];
1347 
1348    png_debug(1, "in png_write_tRNS");
1349 
1350    if (color_type == PNG_COLOR_TYPE_PALETTE)
1351    {
1352       if (num_trans <= 0 || num_trans > (int)png_ptr->num_palette)
1353       {
1354          png_app_warning(png_ptr,
1355              "Invalid number of transparent colors specified");
1356          return;
1357       }
1358 
1359       /* Write the chunk out as it is */
1360       png_write_complete_chunk(png_ptr, png_tRNS, trans_alpha,
1361          (png_size_t)num_trans);
1362    }
1363 
1364    else if (color_type == PNG_COLOR_TYPE_GRAY)
1365    {
1366       /* One 16-bit value */
1367       if (tran->gray >= (1 << png_ptr->bit_depth))
1368       {
1369          png_app_warning(png_ptr,
1370              "Ignoring attempt to write tRNS chunk out-of-range for bit_depth");
1371 
1372          return;
1373       }
1374 
1375       png_save_uint_16(buf, tran->gray);
1376       png_write_complete_chunk(png_ptr, png_tRNS, buf, (png_size_t)2);
1377    }
1378 
1379    else if (color_type == PNG_COLOR_TYPE_RGB)
1380    {
1381       /* Three 16-bit values */
1382       png_save_uint_16(buf, tran->red);
1383       png_save_uint_16(buf + 2, tran->green);
1384       png_save_uint_16(buf + 4, tran->blue);
1385 #ifdef PNG_WRITE_16BIT_SUPPORTED
1386       if (png_ptr->bit_depth == 8 && (buf[0] | buf[2] | buf[4]) != 0)
1387 #else
1388       if ((buf[0] | buf[2] | buf[4]) != 0)
1389 #endif
1390       {
1391          png_app_warning(png_ptr,
1392            "Ignoring attempt to write 16-bit tRNS chunk when bit_depth is 8");
1393          return;
1394       }
1395 
1396       png_write_complete_chunk(png_ptr, png_tRNS, buf, (png_size_t)6);
1397    }
1398 
1399    else
1400    {
1401       png_app_warning(png_ptr, "Can't write tRNS with an alpha channel");
1402    }
1403 }
1404 #endif
1405 
1406 #ifdef PNG_WRITE_bKGD_SUPPORTED
1407 /* Write the background chunk */
1408 void /* PRIVATE */
png_write_bKGD(png_structrp png_ptr,png_const_color_16p back,int color_type)1409 png_write_bKGD(png_structrp png_ptr, png_const_color_16p back, int color_type)
1410 {
1411    png_byte buf[6];
1412 
1413    png_debug(1, "in png_write_bKGD");
1414 
1415    if (color_type == PNG_COLOR_TYPE_PALETTE)
1416    {
1417       if (
1418 #ifdef PNG_MNG_FEATURES_SUPPORTED
1419           (png_ptr->num_palette != 0 ||
1420           (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0) &&
1421 #endif
1422          back->index >= png_ptr->num_palette)
1423       {
1424          png_warning(png_ptr, "Invalid background palette index");
1425          return;
1426       }
1427 
1428       buf[0] = back->index;
1429       png_write_complete_chunk(png_ptr, png_bKGD, buf, (png_size_t)1);
1430    }
1431 
1432    else if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
1433    {
1434       png_save_uint_16(buf, back->red);
1435       png_save_uint_16(buf + 2, back->green);
1436       png_save_uint_16(buf + 4, back->blue);
1437 #ifdef PNG_WRITE_16BIT_SUPPORTED
1438       if (png_ptr->bit_depth == 8 && (buf[0] | buf[2] | buf[4]) != 0)
1439 #else
1440       if ((buf[0] | buf[2] | buf[4]) != 0)
1441 #endif
1442       {
1443          png_warning(png_ptr,
1444              "Ignoring attempt to write 16-bit bKGD chunk when bit_depth is 8");
1445 
1446          return;
1447       }
1448 
1449       png_write_complete_chunk(png_ptr, png_bKGD, buf, (png_size_t)6);
1450    }
1451 
1452    else
1453    {
1454       if (back->gray >= (1 << png_ptr->bit_depth))
1455       {
1456          png_warning(png_ptr,
1457              "Ignoring attempt to write bKGD chunk out-of-range for bit_depth");
1458 
1459          return;
1460       }
1461 
1462       png_save_uint_16(buf, back->gray);
1463       png_write_complete_chunk(png_ptr, png_bKGD, buf, (png_size_t)2);
1464    }
1465 }
1466 #endif
1467 
1468 #ifdef PNG_WRITE_hIST_SUPPORTED
1469 /* Write the histogram */
1470 void /* PRIVATE */
png_write_hIST(png_structrp png_ptr,png_const_uint_16p hist,int num_hist)1471 png_write_hIST(png_structrp png_ptr, png_const_uint_16p hist, int num_hist)
1472 {
1473    int i;
1474    png_byte buf[3];
1475 
1476    png_debug(1, "in png_write_hIST");
1477 
1478    if (num_hist > (int)png_ptr->num_palette)
1479    {
1480       png_debug2(3, "num_hist = %d, num_palette = %d", num_hist,
1481           png_ptr->num_palette);
1482 
1483       png_warning(png_ptr, "Invalid number of histogram entries specified");
1484       return;
1485    }
1486 
1487    png_write_chunk_header(png_ptr, png_hIST, (png_uint_32)(num_hist * 2));
1488 
1489    for (i = 0; i < num_hist; i++)
1490    {
1491       png_save_uint_16(buf, hist[i]);
1492       png_write_chunk_data(png_ptr, buf, (png_size_t)2);
1493    }
1494 
1495    png_write_chunk_end(png_ptr);
1496 }
1497 #endif
1498 
1499 #ifdef PNG_WRITE_tEXt_SUPPORTED
1500 /* Write a tEXt chunk */
1501 void /* PRIVATE */
png_write_tEXt(png_structrp png_ptr,png_const_charp key,png_const_charp text,png_size_t text_len)1502 png_write_tEXt(png_structrp png_ptr, png_const_charp key, png_const_charp text,
1503     png_size_t text_len)
1504 {
1505    png_uint_32 key_len;
1506    png_byte new_key[80];
1507 
1508    png_debug(1, "in png_write_tEXt");
1509 
1510    key_len = png_check_keyword(png_ptr, key, new_key);
1511 
1512    if (key_len == 0)
1513       png_error(png_ptr, "tEXt: invalid keyword");
1514 
1515    if (text == NULL || *text == '\0')
1516       text_len = 0;
1517 
1518    else
1519       text_len = strlen(text);
1520 
1521    if (text_len > PNG_UINT_31_MAX - (key_len+1))
1522       png_error(png_ptr, "tEXt: text too long");
1523 
1524    /* Make sure we include the 0 after the key */
1525    png_write_chunk_header(png_ptr, png_tEXt,
1526        (png_uint_32)/*checked above*/(key_len + text_len + 1));
1527    /*
1528     * We leave it to the application to meet PNG-1.0 requirements on the
1529     * contents of the text.  PNG-1.0 through PNG-1.2 discourage the use of
1530     * any non-Latin-1 characters except for NEWLINE.  ISO PNG will forbid them.
1531     * The NUL character is forbidden by PNG-1.0 through PNG-1.2 and ISO PNG.
1532     */
1533    png_write_chunk_data(png_ptr, new_key, key_len + 1);
1534 
1535    if (text_len != 0)
1536       png_write_chunk_data(png_ptr, (png_const_bytep)text, text_len);
1537 
1538    png_write_chunk_end(png_ptr);
1539 }
1540 #endif
1541 
1542 #ifdef PNG_WRITE_zTXt_SUPPORTED
1543 /* Write a compressed text chunk */
1544 void /* PRIVATE */
png_write_zTXt(png_structrp png_ptr,png_const_charp key,png_const_charp text,int compression)1545 png_write_zTXt(png_structrp png_ptr, png_const_charp key, png_const_charp text,
1546     int compression)
1547 {
1548    png_uint_32 key_len;
1549    png_byte new_key[81];
1550    compression_state comp;
1551 
1552    png_debug(1, "in png_write_zTXt");
1553 
1554    if (compression == PNG_TEXT_COMPRESSION_NONE)
1555    {
1556       png_write_tEXt(png_ptr, key, text, 0);
1557       return;
1558    }
1559 
1560    if (compression != PNG_TEXT_COMPRESSION_zTXt)
1561       png_error(png_ptr, "zTXt: invalid compression type");
1562 
1563    key_len = png_check_keyword(png_ptr, key, new_key);
1564 
1565    if (key_len == 0)
1566       png_error(png_ptr, "zTXt: invalid keyword");
1567 
1568    /* Add the compression method and 1 for the keyword separator. */
1569    new_key[++key_len] = PNG_COMPRESSION_TYPE_BASE;
1570    ++key_len;
1571 
1572    /* Compute the compressed data; do it now for the length */
1573    png_text_compress_init(&comp, (png_const_bytep)text,
1574       text == NULL ? 0 : strlen(text));
1575 
1576    if (png_text_compress(png_ptr, png_zTXt, &comp, key_len) != Z_OK)
1577       png_error(png_ptr, png_ptr->zstream.msg);
1578 
1579    /* Write start of chunk */
1580    png_write_chunk_header(png_ptr, png_zTXt, key_len + comp.output_len);
1581 
1582    /* Write key */
1583    png_write_chunk_data(png_ptr, new_key, key_len);
1584 
1585    /* Write the compressed data */
1586    png_write_compressed_data_out(png_ptr, &comp);
1587 
1588    /* Close the chunk */
1589    png_write_chunk_end(png_ptr);
1590 }
1591 #endif
1592 
1593 #ifdef PNG_WRITE_iTXt_SUPPORTED
1594 /* Write an iTXt chunk */
1595 void /* PRIVATE */
png_write_iTXt(png_structrp png_ptr,int compression,png_const_charp key,png_const_charp lang,png_const_charp lang_key,png_const_charp text)1596 png_write_iTXt(png_structrp png_ptr, int compression, png_const_charp key,
1597     png_const_charp lang, png_const_charp lang_key, png_const_charp text)
1598 {
1599    png_uint_32 key_len, prefix_len;
1600    png_size_t lang_len, lang_key_len;
1601    png_byte new_key[82];
1602    compression_state comp;
1603 
1604    png_debug(1, "in png_write_iTXt");
1605 
1606    key_len = png_check_keyword(png_ptr, key, new_key);
1607 
1608    if (key_len == 0)
1609       png_error(png_ptr, "iTXt: invalid keyword");
1610 
1611    /* Set the compression flag */
1612    switch (compression)
1613    {
1614       case PNG_ITXT_COMPRESSION_NONE:
1615       case PNG_TEXT_COMPRESSION_NONE:
1616          compression = new_key[++key_len] = 0; /* no compression */
1617          break;
1618 
1619       case PNG_TEXT_COMPRESSION_zTXt:
1620       case PNG_ITXT_COMPRESSION_zTXt:
1621          compression = new_key[++key_len] = 1; /* compressed */
1622          break;
1623 
1624       default:
1625          png_error(png_ptr, "iTXt: invalid compression");
1626    }
1627 
1628    new_key[++key_len] = PNG_COMPRESSION_TYPE_BASE;
1629    ++key_len; /* for the keywod separator */
1630 
1631    /* We leave it to the application to meet PNG-1.0 requirements on the
1632     * contents of the text.  PNG-1.0 through PNG-1.2 discourage the use of
1633     * any non-Latin-1 characters except for NEWLINE.  ISO PNG, however,
1634     * specifies that the text is UTF-8 and this really doesn't require any
1635     * checking.
1636     *
1637     * The NUL character is forbidden by PNG-1.0 through PNG-1.2 and ISO PNG.
1638     *
1639     * TODO: validate the language tag correctly (see the spec.)
1640     */
1641    if (lang == NULL) lang = ""; /* empty language is valid */
1642    lang_len = strlen(lang)+1;
1643    if (lang_key == NULL) lang_key = ""; /* may be empty */
1644    lang_key_len = strlen(lang_key)+1;
1645    if (text == NULL) text = ""; /* may be empty */
1646 
1647    prefix_len = key_len;
1648    if (lang_len > PNG_UINT_31_MAX-prefix_len)
1649       prefix_len = PNG_UINT_31_MAX;
1650    else
1651       prefix_len = (png_uint_32)(prefix_len + lang_len);
1652 
1653    if (lang_key_len > PNG_UINT_31_MAX-prefix_len)
1654       prefix_len = PNG_UINT_31_MAX;
1655    else
1656       prefix_len = (png_uint_32)(prefix_len + lang_key_len);
1657 
1658    png_text_compress_init(&comp, (png_const_bytep)text, strlen(text));
1659 
1660    if (compression != 0)
1661    {
1662       if (png_text_compress(png_ptr, png_iTXt, &comp, prefix_len) != Z_OK)
1663          png_error(png_ptr, png_ptr->zstream.msg);
1664    }
1665 
1666    else
1667    {
1668       if (comp.input_len > PNG_UINT_31_MAX-prefix_len)
1669          png_error(png_ptr, "iTXt: uncompressed text too long");
1670 
1671       /* So the string will fit in a chunk: */
1672       comp.output_len = (png_uint_32)/*SAFE*/comp.input_len;
1673    }
1674 
1675    png_write_chunk_header(png_ptr, png_iTXt, comp.output_len + prefix_len);
1676 
1677    png_write_chunk_data(png_ptr, new_key, key_len);
1678 
1679    png_write_chunk_data(png_ptr, (png_const_bytep)lang, lang_len);
1680 
1681    png_write_chunk_data(png_ptr, (png_const_bytep)lang_key, lang_key_len);
1682 
1683    if (compression != 0)
1684       png_write_compressed_data_out(png_ptr, &comp);
1685 
1686    else
1687       png_write_chunk_data(png_ptr, (png_const_bytep)text, comp.output_len);
1688 
1689    png_write_chunk_end(png_ptr);
1690 }
1691 #endif
1692 
1693 #ifdef PNG_WRITE_oFFs_SUPPORTED
1694 /* Write the oFFs chunk */
1695 void /* PRIVATE */
png_write_oFFs(png_structrp png_ptr,png_int_32 x_offset,png_int_32 y_offset,int unit_type)1696 png_write_oFFs(png_structrp png_ptr, png_int_32 x_offset, png_int_32 y_offset,
1697     int unit_type)
1698 {
1699    png_byte buf[9];
1700 
1701    png_debug(1, "in png_write_oFFs");
1702 
1703    if (unit_type >= PNG_OFFSET_LAST)
1704       png_warning(png_ptr, "Unrecognized unit type for oFFs chunk");
1705 
1706    png_save_int_32(buf, x_offset);
1707    png_save_int_32(buf + 4, y_offset);
1708    buf[8] = (png_byte)unit_type;
1709 
1710    png_write_complete_chunk(png_ptr, png_oFFs, buf, (png_size_t)9);
1711 }
1712 #endif
1713 #ifdef PNG_WRITE_pCAL_SUPPORTED
1714 /* Write the pCAL chunk (described in the PNG extensions document) */
1715 void /* PRIVATE */
png_write_pCAL(png_structrp png_ptr,png_charp purpose,png_int_32 X0,png_int_32 X1,int type,int nparams,png_const_charp units,png_charpp params)1716 png_write_pCAL(png_structrp png_ptr, png_charp purpose, png_int_32 X0,
1717     png_int_32 X1, int type, int nparams, png_const_charp units,
1718     png_charpp params)
1719 {
1720    png_uint_32 purpose_len;
1721    png_size_t units_len, total_len;
1722    png_size_tp params_len;
1723    png_byte buf[10];
1724    png_byte new_purpose[80];
1725    int i;
1726 
1727    png_debug1(1, "in png_write_pCAL (%d parameters)", nparams);
1728 
1729    if (type >= PNG_EQUATION_LAST)
1730       png_error(png_ptr, "Unrecognized equation type for pCAL chunk");
1731 
1732    purpose_len = png_check_keyword(png_ptr, purpose, new_purpose);
1733 
1734    if (purpose_len == 0)
1735       png_error(png_ptr, "pCAL: invalid keyword");
1736 
1737    ++purpose_len; /* terminator */
1738 
1739    png_debug1(3, "pCAL purpose length = %d", (int)purpose_len);
1740    units_len = strlen(units) + (nparams == 0 ? 0 : 1);
1741    png_debug1(3, "pCAL units length = %d", (int)units_len);
1742    total_len = purpose_len + units_len + 10;
1743 
1744    params_len = (png_size_tp)png_malloc(png_ptr,
1745        (png_alloc_size_t)(nparams * (sizeof (png_size_t))));
1746 
1747    /* Find the length of each parameter, making sure we don't count the
1748     * null terminator for the last parameter.
1749     */
1750    for (i = 0; i < nparams; i++)
1751    {
1752       params_len[i] = strlen(params[i]) + (i == nparams - 1 ? 0 : 1);
1753       png_debug2(3, "pCAL parameter %d length = %lu", i,
1754           (unsigned long)params_len[i]);
1755       total_len += params_len[i];
1756    }
1757 
1758    png_debug1(3, "pCAL total length = %d", (int)total_len);
1759    png_write_chunk_header(png_ptr, png_pCAL, (png_uint_32)total_len);
1760    png_write_chunk_data(png_ptr, new_purpose, purpose_len);
1761    png_save_int_32(buf, X0);
1762    png_save_int_32(buf + 4, X1);
1763    buf[8] = (png_byte)type;
1764    buf[9] = (png_byte)nparams;
1765    png_write_chunk_data(png_ptr, buf, (png_size_t)10);
1766    png_write_chunk_data(png_ptr, (png_const_bytep)units, (png_size_t)units_len);
1767 
1768    for (i = 0; i < nparams; i++)
1769    {
1770       png_write_chunk_data(png_ptr, (png_const_bytep)params[i], params_len[i]);
1771    }
1772 
1773    png_free(png_ptr, params_len);
1774    png_write_chunk_end(png_ptr);
1775 }
1776 #endif
1777 
1778 #ifdef PNG_WRITE_sCAL_SUPPORTED
1779 /* Write the sCAL chunk */
1780 void /* PRIVATE */
png_write_sCAL_s(png_structrp png_ptr,int unit,png_const_charp width,png_const_charp height)1781 png_write_sCAL_s(png_structrp png_ptr, int unit, png_const_charp width,
1782     png_const_charp height)
1783 {
1784    png_byte buf[64];
1785    png_size_t wlen, hlen, total_len;
1786 
1787    png_debug(1, "in png_write_sCAL_s");
1788 
1789    wlen = strlen(width);
1790    hlen = strlen(height);
1791    total_len = wlen + hlen + 2;
1792 
1793    if (total_len > 64)
1794    {
1795       png_warning(png_ptr, "Can't write sCAL (buffer too small)");
1796       return;
1797    }
1798 
1799    buf[0] = (png_byte)unit;
1800    memcpy(buf + 1, width, wlen + 1);      /* Append the '\0' here */
1801    memcpy(buf + wlen + 2, height, hlen);  /* Do NOT append the '\0' here */
1802 
1803    png_debug1(3, "sCAL total length = %u", (unsigned int)total_len);
1804    png_write_complete_chunk(png_ptr, png_sCAL, buf, total_len);
1805 }
1806 #endif
1807 
1808 #ifdef PNG_WRITE_pHYs_SUPPORTED
1809 /* Write the pHYs chunk */
1810 void /* PRIVATE */
png_write_pHYs(png_structrp png_ptr,png_uint_32 x_pixels_per_unit,png_uint_32 y_pixels_per_unit,int unit_type)1811 png_write_pHYs(png_structrp png_ptr, png_uint_32 x_pixels_per_unit,
1812     png_uint_32 y_pixels_per_unit,
1813     int unit_type)
1814 {
1815    png_byte buf[9];
1816 
1817    png_debug(1, "in png_write_pHYs");
1818 
1819    if (unit_type >= PNG_RESOLUTION_LAST)
1820       png_warning(png_ptr, "Unrecognized unit type for pHYs chunk");
1821 
1822    png_save_uint_32(buf, x_pixels_per_unit);
1823    png_save_uint_32(buf + 4, y_pixels_per_unit);
1824    buf[8] = (png_byte)unit_type;
1825 
1826    png_write_complete_chunk(png_ptr, png_pHYs, buf, (png_size_t)9);
1827 }
1828 #endif
1829 
1830 #ifdef PNG_WRITE_tIME_SUPPORTED
1831 /* Write the tIME chunk.  Use either png_convert_from_struct_tm()
1832  * or png_convert_from_time_t(), or fill in the structure yourself.
1833  */
1834 void /* PRIVATE */
png_write_tIME(png_structrp png_ptr,png_const_timep mod_time)1835 png_write_tIME(png_structrp png_ptr, png_const_timep mod_time)
1836 {
1837    png_byte buf[7];
1838 
1839    png_debug(1, "in png_write_tIME");
1840 
1841    if (mod_time->month  > 12 || mod_time->month  < 1 ||
1842        mod_time->day    > 31 || mod_time->day    < 1 ||
1843        mod_time->hour   > 23 || mod_time->second > 60)
1844    {
1845       png_warning(png_ptr, "Invalid time specified for tIME chunk");
1846       return;
1847    }
1848 
1849    png_save_uint_16(buf, mod_time->year);
1850    buf[2] = mod_time->month;
1851    buf[3] = mod_time->day;
1852    buf[4] = mod_time->hour;
1853    buf[5] = mod_time->minute;
1854    buf[6] = mod_time->second;
1855 
1856    png_write_complete_chunk(png_ptr, png_tIME, buf, (png_size_t)7);
1857 }
1858 #endif
1859 
1860 /* Initializes the row writing capability of libpng */
1861 void /* PRIVATE */
png_write_start_row(png_structrp png_ptr)1862 png_write_start_row(png_structrp png_ptr)
1863 {
1864 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
1865    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
1866 
1867    /* Start of interlace block */
1868    static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
1869 
1870    /* Offset to next interlace block */
1871    static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
1872 
1873    /* Start of interlace block in the y direction */
1874    static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
1875 
1876    /* Offset to next interlace block in the y direction */
1877    static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
1878 #endif
1879 
1880    png_alloc_size_t buf_size;
1881    int usr_pixel_depth;
1882 
1883 #ifdef PNG_WRITE_FILTER_SUPPORTED
1884    png_byte filters;
1885 #endif
1886 
1887    png_debug(1, "in png_write_start_row");
1888 
1889    usr_pixel_depth = png_ptr->usr_channels * png_ptr->usr_bit_depth;
1890    buf_size = PNG_ROWBYTES(usr_pixel_depth, png_ptr->width) + 1;
1891 
1892    /* 1.5.6: added to allow checking in the row write code. */
1893    png_ptr->transformed_pixel_depth = png_ptr->pixel_depth;
1894    png_ptr->maximum_pixel_depth = (png_byte)usr_pixel_depth;
1895 
1896    /* Set up row buffer */
1897    png_ptr->row_buf = png_voidcast(png_bytep, png_malloc(png_ptr, buf_size));
1898 
1899    png_ptr->row_buf[0] = PNG_FILTER_VALUE_NONE;
1900 
1901 #ifdef PNG_WRITE_FILTER_SUPPORTED
1902    filters = png_ptr->do_filter;
1903 
1904    if (png_ptr->height == 1)
1905       filters &= 0xff & ~(PNG_FILTER_UP|PNG_FILTER_AVG|PNG_FILTER_PAETH);
1906 
1907    if (png_ptr->width == 1)
1908       filters &= 0xff & ~(PNG_FILTER_SUB|PNG_FILTER_AVG|PNG_FILTER_PAETH);
1909 
1910    if (filters == 0)
1911       filters = PNG_FILTER_NONE;
1912 
1913    png_ptr->do_filter = filters;
1914 
1915    if (((filters & (PNG_FILTER_SUB | PNG_FILTER_UP | PNG_FILTER_AVG |
1916        PNG_FILTER_PAETH)) != 0) && png_ptr->try_row == NULL)
1917    {
1918       int num_filters = 0;
1919 
1920       png_ptr->try_row = png_voidcast(png_bytep, png_malloc(png_ptr, buf_size));
1921 
1922       if (filters & PNG_FILTER_SUB)
1923          num_filters++;
1924 
1925       if (filters & PNG_FILTER_UP)
1926          num_filters++;
1927 
1928       if (filters & PNG_FILTER_AVG)
1929          num_filters++;
1930 
1931       if (filters & PNG_FILTER_PAETH)
1932          num_filters++;
1933 
1934       if (num_filters > 1)
1935          png_ptr->tst_row = png_voidcast(png_bytep, png_malloc(png_ptr,
1936              buf_size));
1937    }
1938 
1939    /* We only need to keep the previous row if we are using one of the following
1940     * filters.
1941     */
1942    if ((filters & (PNG_FILTER_AVG | PNG_FILTER_UP | PNG_FILTER_PAETH)) != 0)
1943       png_ptr->prev_row = png_voidcast(png_bytep,
1944          png_calloc(png_ptr, buf_size));
1945 #endif /* WRITE_FILTER */
1946 
1947 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
1948    /* If interlaced, we need to set up width and height of pass */
1949    if (png_ptr->interlaced != 0)
1950    {
1951       if ((png_ptr->transformations & PNG_INTERLACE) == 0)
1952       {
1953          png_ptr->num_rows = (png_ptr->height + png_pass_yinc[0] - 1 -
1954              png_pass_ystart[0]) / png_pass_yinc[0];
1955 
1956          png_ptr->usr_width = (png_ptr->width + png_pass_inc[0] - 1 -
1957              png_pass_start[0]) / png_pass_inc[0];
1958       }
1959 
1960       else
1961       {
1962          png_ptr->num_rows = png_ptr->height;
1963          png_ptr->usr_width = png_ptr->width;
1964       }
1965    }
1966 
1967    else
1968 #endif
1969    {
1970       png_ptr->num_rows = png_ptr->height;
1971       png_ptr->usr_width = png_ptr->width;
1972    }
1973 }
1974 
1975 /* Internal use only.  Called when finished processing a row of data. */
1976 void /* PRIVATE */
png_write_finish_row(png_structrp png_ptr)1977 png_write_finish_row(png_structrp png_ptr)
1978 {
1979 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
1980    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
1981 
1982    /* Start of interlace block */
1983    static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
1984 
1985    /* Offset to next interlace block */
1986    static PNG_CONST png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
1987 
1988    /* Start of interlace block in the y direction */
1989    static PNG_CONST png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};
1990 
1991    /* Offset to next interlace block in the y direction */
1992    static PNG_CONST png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};
1993 #endif
1994 
1995    png_debug(1, "in png_write_finish_row");
1996 
1997    /* Next row */
1998    png_ptr->row_number++;
1999 
2000    /* See if we are done */
2001    if (png_ptr->row_number < png_ptr->num_rows)
2002       return;
2003 
2004 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
2005    /* If interlaced, go to next pass */
2006    if (png_ptr->interlaced != 0)
2007    {
2008       png_ptr->row_number = 0;
2009       if ((png_ptr->transformations & PNG_INTERLACE) != 0)
2010       {
2011          png_ptr->pass++;
2012       }
2013 
2014       else
2015       {
2016          /* Loop until we find a non-zero width or height pass */
2017          do
2018          {
2019             png_ptr->pass++;
2020 
2021             if (png_ptr->pass >= 7)
2022                break;
2023 
2024             png_ptr->usr_width = (png_ptr->width +
2025                 png_pass_inc[png_ptr->pass] - 1 -
2026                 png_pass_start[png_ptr->pass]) /
2027                 png_pass_inc[png_ptr->pass];
2028 
2029             png_ptr->num_rows = (png_ptr->height +
2030                 png_pass_yinc[png_ptr->pass] - 1 -
2031                 png_pass_ystart[png_ptr->pass]) /
2032                 png_pass_yinc[png_ptr->pass];
2033 
2034             if ((png_ptr->transformations & PNG_INTERLACE) != 0)
2035                break;
2036 
2037          } while (png_ptr->usr_width == 0 || png_ptr->num_rows == 0);
2038 
2039       }
2040 
2041       /* Reset the row above the image for the next pass */
2042       if (png_ptr->pass < 7)
2043       {
2044          if (png_ptr->prev_row != NULL)
2045             memset(png_ptr->prev_row, 0,
2046                 (png_size_t)(PNG_ROWBYTES(png_ptr->usr_channels*
2047                 png_ptr->usr_bit_depth, png_ptr->width)) + 1);
2048 
2049          return;
2050       }
2051    }
2052 #endif
2053 
2054    /* If we get here, we've just written the last row, so we need
2055       to flush the compressor */
2056    png_compress_IDAT(png_ptr, NULL, 0, Z_FINISH);
2057 }
2058 
2059 #ifdef PNG_WRITE_INTERLACING_SUPPORTED
2060 /* Pick out the correct pixels for the interlace pass.
2061  * The basic idea here is to go through the row with a source
2062  * pointer and a destination pointer (sp and dp), and copy the
2063  * correct pixels for the pass.  As the row gets compacted,
2064  * sp will always be >= dp, so we should never overwrite anything.
2065  * See the default: case for the easiest code to understand.
2066  */
2067 void /* PRIVATE */
png_do_write_interlace(png_row_infop row_info,png_bytep row,int pass)2068 png_do_write_interlace(png_row_infop row_info, png_bytep row, int pass)
2069 {
2070    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
2071 
2072    /* Start of interlace block */
2073    static PNG_CONST png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};
2074 
2075    /* Offset to next interlace block */
2076    static PNG_CONST png_byte  png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};
2077 
2078    png_debug(1, "in png_do_write_interlace");
2079 
2080    /* We don't have to do anything on the last pass (6) */
2081    if (pass < 6)
2082    {
2083       /* Each pixel depth is handled separately */
2084       switch (row_info->pixel_depth)
2085       {
2086          case 1:
2087          {
2088             png_bytep sp;
2089             png_bytep dp;
2090             unsigned int shift;
2091             int d;
2092             int value;
2093             png_uint_32 i;
2094             png_uint_32 row_width = row_info->width;
2095 
2096             dp = row;
2097             d = 0;
2098             shift = 7;
2099 
2100             for (i = png_pass_start[pass]; i < row_width;
2101                i += png_pass_inc[pass])
2102             {
2103                sp = row + (png_size_t)(i >> 3);
2104                value = (int)(*sp >> (7 - (int)(i & 0x07))) & 0x01;
2105                d |= (value << shift);
2106 
2107                if (shift == 0)
2108                {
2109                   shift = 7;
2110                   *dp++ = (png_byte)d;
2111                   d = 0;
2112                }
2113 
2114                else
2115                   shift--;
2116 
2117             }
2118             if (shift != 7)
2119                *dp = (png_byte)d;
2120 
2121             break;
2122          }
2123 
2124          case 2:
2125          {
2126             png_bytep sp;
2127             png_bytep dp;
2128             unsigned int shift;
2129             int d;
2130             int value;
2131             png_uint_32 i;
2132             png_uint_32 row_width = row_info->width;
2133 
2134             dp = row;
2135             shift = 6;
2136             d = 0;
2137 
2138             for (i = png_pass_start[pass]; i < row_width;
2139                i += png_pass_inc[pass])
2140             {
2141                sp = row + (png_size_t)(i >> 2);
2142                value = (*sp >> ((3 - (int)(i & 0x03)) << 1)) & 0x03;
2143                d |= (value << shift);
2144 
2145                if (shift == 0)
2146                {
2147                   shift = 6;
2148                   *dp++ = (png_byte)d;
2149                   d = 0;
2150                }
2151 
2152                else
2153                   shift -= 2;
2154             }
2155             if (shift != 6)
2156                *dp = (png_byte)d;
2157 
2158             break;
2159          }
2160 
2161          case 4:
2162          {
2163             png_bytep sp;
2164             png_bytep dp;
2165             unsigned int shift;
2166             int d;
2167             int value;
2168             png_uint_32 i;
2169             png_uint_32 row_width = row_info->width;
2170 
2171             dp = row;
2172             shift = 4;
2173             d = 0;
2174             for (i = png_pass_start[pass]; i < row_width;
2175                 i += png_pass_inc[pass])
2176             {
2177                sp = row + (png_size_t)(i >> 1);
2178                value = (*sp >> ((1 - (int)(i & 0x01)) << 2)) & 0x0f;
2179                d |= (value << shift);
2180 
2181                if (shift == 0)
2182                {
2183                   shift = 4;
2184                   *dp++ = (png_byte)d;
2185                   d = 0;
2186                }
2187 
2188                else
2189                   shift -= 4;
2190             }
2191             if (shift != 4)
2192                *dp = (png_byte)d;
2193 
2194             break;
2195          }
2196 
2197          default:
2198          {
2199             png_bytep sp;
2200             png_bytep dp;
2201             png_uint_32 i;
2202             png_uint_32 row_width = row_info->width;
2203             png_size_t pixel_bytes;
2204 
2205             /* Start at the beginning */
2206             dp = row;
2207 
2208             /* Find out how many bytes each pixel takes up */
2209             pixel_bytes = (row_info->pixel_depth >> 3);
2210 
2211             /* Loop through the row, only looking at the pixels that matter */
2212             for (i = png_pass_start[pass]; i < row_width;
2213                i += png_pass_inc[pass])
2214             {
2215                /* Find out where the original pixel is */
2216                sp = row + (png_size_t)i * pixel_bytes;
2217 
2218                /* Move the pixel */
2219                if (dp != sp)
2220                   memcpy(dp, sp, pixel_bytes);
2221 
2222                /* Next pixel */
2223                dp += pixel_bytes;
2224             }
2225             break;
2226          }
2227       }
2228       /* Set new row width */
2229       row_info->width = (row_info->width +
2230           png_pass_inc[pass] - 1 -
2231           png_pass_start[pass]) /
2232           png_pass_inc[pass];
2233 
2234       row_info->rowbytes = PNG_ROWBYTES(row_info->pixel_depth,
2235           row_info->width);
2236    }
2237 }
2238 #endif
2239 
2240 
2241 /* This filters the row, chooses which filter to use, if it has not already
2242  * been specified by the application, and then writes the row out with the
2243  * chosen filter.
2244  */
2245 static void /* PRIVATE */
2246 png_write_filtered_row(png_structrp png_ptr, png_bytep filtered_row,
2247    png_size_t row_bytes);
2248 
2249 #ifdef PNG_WRITE_FILTER_SUPPORTED
2250 static png_size_t /* PRIVATE */
png_setup_sub_row(png_structrp png_ptr,const png_uint_32 bpp,const png_size_t row_bytes,const png_size_t lmins)2251 png_setup_sub_row(png_structrp png_ptr, const png_uint_32 bpp,
2252     const png_size_t row_bytes, const png_size_t lmins)
2253 {
2254    png_bytep rp, dp, lp;
2255    png_size_t i;
2256    png_size_t sum = 0;
2257    int v;
2258 
2259    png_ptr->try_row[0] = PNG_FILTER_VALUE_SUB;
2260 
2261    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1; i < bpp;
2262         i++, rp++, dp++)
2263    {
2264       v = *dp = *rp;
2265       sum += (v < 128) ? v : 256 - v;
2266    }
2267 
2268    for (lp = png_ptr->row_buf + 1; i < row_bytes;
2269       i++, rp++, lp++, dp++)
2270    {
2271       v = *dp = (png_byte)(((int)*rp - (int)*lp) & 0xff);
2272       sum += (v < 128) ? v : 256 - v;
2273 
2274       if (sum > lmins)  /* We are already worse, don't continue. */
2275         break;
2276    }
2277 
2278    return (sum);
2279 }
2280 
2281 static void /* PRIVATE */
png_setup_sub_row_only(png_structrp png_ptr,const png_uint_32 bpp,const png_size_t row_bytes)2282 png_setup_sub_row_only(png_structrp png_ptr, const png_uint_32 bpp,
2283     const png_size_t row_bytes)
2284 {
2285    png_bytep rp, dp, lp;
2286    png_size_t i;
2287 
2288    png_ptr->try_row[0] = PNG_FILTER_VALUE_SUB;
2289 
2290    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1; i < bpp;
2291         i++, rp++, dp++)
2292    {
2293       *dp = *rp;
2294    }
2295 
2296    for (lp = png_ptr->row_buf + 1; i < row_bytes;
2297       i++, rp++, lp++, dp++)
2298    {
2299       *dp = (png_byte)(((int)*rp - (int)*lp) & 0xff);
2300    }
2301 }
2302 
2303 static png_size_t /* PRIVATE */
png_setup_up_row(png_structrp png_ptr,const png_size_t row_bytes,const png_size_t lmins)2304 png_setup_up_row(png_structrp png_ptr, const png_size_t row_bytes,
2305     const png_size_t lmins)
2306 {
2307    png_bytep rp, dp, pp;
2308    png_size_t i;
2309    png_size_t sum = 0;
2310    int v;
2311 
2312    png_ptr->try_row[0] = PNG_FILTER_VALUE_UP;
2313 
2314    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1,
2315        pp = png_ptr->prev_row + 1; i < row_bytes;
2316        i++, rp++, pp++, dp++)
2317    {
2318       v = *dp = (png_byte)(((int)*rp - (int)*pp) & 0xff);
2319       sum += (v < 128) ? v : 256 - v;
2320 
2321       if (sum > lmins)  /* We are already worse, don't continue. */
2322         break;
2323    }
2324 
2325    return (sum);
2326 }
2327 static void /* PRIVATE */
png_setup_up_row_only(png_structrp png_ptr,const png_size_t row_bytes)2328 png_setup_up_row_only(png_structrp png_ptr, const png_size_t row_bytes)
2329 {
2330    png_bytep rp, dp, pp;
2331    png_size_t i;
2332 
2333    png_ptr->try_row[0] = PNG_FILTER_VALUE_UP;
2334 
2335    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1,
2336        pp = png_ptr->prev_row + 1; i < row_bytes;
2337        i++, rp++, pp++, dp++)
2338    {
2339       *dp = (png_byte)(((int)*rp - (int)*pp) & 0xff);
2340    }
2341 }
2342 
2343 static png_size_t /* PRIVATE */
png_setup_avg_row(png_structrp png_ptr,const png_uint_32 bpp,const png_size_t row_bytes,const png_size_t lmins)2344 png_setup_avg_row(png_structrp png_ptr, const png_uint_32 bpp,
2345       const png_size_t row_bytes, const png_size_t lmins)
2346 {
2347    png_bytep rp, dp, pp, lp;
2348    png_uint_32 i;
2349    png_size_t sum = 0;
2350    int v;
2351 
2352    png_ptr->try_row[0] = PNG_FILTER_VALUE_AVG;
2353 
2354    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1,
2355         pp = png_ptr->prev_row + 1; i < bpp; i++)
2356    {
2357       v = *dp++ = (png_byte)(((int)*rp++ - ((int)*pp++ / 2)) & 0xff);
2358 
2359       sum += (v < 128) ? v : 256 - v;
2360    }
2361 
2362    for (lp = png_ptr->row_buf + 1; i < row_bytes; i++)
2363    {
2364       v = *dp++ = (png_byte)(((int)*rp++ - (((int)*pp++ + (int)*lp++) / 2))
2365           & 0xff);
2366 
2367       sum += (v < 128) ? v : 256 - v;
2368 
2369       if (sum > lmins)  /* We are already worse, don't continue. */
2370         break;
2371    }
2372 
2373    return (sum);
2374 }
2375 static void /* PRIVATE */
png_setup_avg_row_only(png_structrp png_ptr,const png_uint_32 bpp,const png_size_t row_bytes)2376 png_setup_avg_row_only(png_structrp png_ptr, const png_uint_32 bpp,
2377       const png_size_t row_bytes)
2378 {
2379    png_bytep rp, dp, pp, lp;
2380    png_uint_32 i;
2381 
2382    png_ptr->try_row[0] = PNG_FILTER_VALUE_AVG;
2383 
2384    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1,
2385         pp = png_ptr->prev_row + 1; i < bpp; i++)
2386    {
2387       *dp++ = (png_byte)(((int)*rp++ - ((int)*pp++ / 2)) & 0xff);
2388    }
2389 
2390    for (lp = png_ptr->row_buf + 1; i < row_bytes; i++)
2391    {
2392       *dp++ = (png_byte)(((int)*rp++ - (((int)*pp++ + (int)*lp++) / 2))
2393           & 0xff);
2394    }
2395 }
2396 
2397 static png_size_t /* PRIVATE */
png_setup_paeth_row(png_structrp png_ptr,const png_uint_32 bpp,const png_size_t row_bytes,const png_size_t lmins)2398 png_setup_paeth_row(png_structrp png_ptr, const png_uint_32 bpp,
2399     const png_size_t row_bytes, const png_size_t lmins)
2400 {
2401    png_bytep rp, dp, pp, cp, lp;
2402    png_size_t i;
2403    png_size_t sum = 0;
2404    int v;
2405 
2406    png_ptr->try_row[0] = PNG_FILTER_VALUE_PAETH;
2407 
2408    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1,
2409        pp = png_ptr->prev_row + 1; i < bpp; i++)
2410    {
2411       v = *dp++ = (png_byte)(((int)*rp++ - (int)*pp++) & 0xff);
2412 
2413       sum += (v < 128) ? v : 256 - v;
2414    }
2415 
2416    for (lp = png_ptr->row_buf + 1, cp = png_ptr->prev_row + 1; i < row_bytes;
2417         i++)
2418    {
2419       int a, b, c, pa, pb, pc, p;
2420 
2421       b = *pp++;
2422       c = *cp++;
2423       a = *lp++;
2424 
2425       p = b - c;
2426       pc = a - c;
2427 
2428 #ifdef PNG_USE_ABS
2429       pa = abs(p);
2430       pb = abs(pc);
2431       pc = abs(p + pc);
2432 #else
2433       pa = p < 0 ? -p : p;
2434       pb = pc < 0 ? -pc : pc;
2435       pc = (p + pc) < 0 ? -(p + pc) : p + pc;
2436 #endif
2437 
2438       p = (pa <= pb && pa <=pc) ? a : (pb <= pc) ? b : c;
2439 
2440       v = *dp++ = (png_byte)(((int)*rp++ - p) & 0xff);
2441 
2442       sum += (v < 128) ? v : 256 - v;
2443 
2444       if (sum > lmins)  /* We are already worse, don't continue. */
2445         break;
2446    }
2447 
2448    return (sum);
2449 }
2450 static void /* PRIVATE */
png_setup_paeth_row_only(png_structrp png_ptr,const png_uint_32 bpp,const png_size_t row_bytes)2451 png_setup_paeth_row_only(png_structrp png_ptr, const png_uint_32 bpp,
2452     const png_size_t row_bytes)
2453 {
2454    png_bytep rp, dp, pp, cp, lp;
2455    png_size_t i;
2456 
2457    png_ptr->try_row[0] = PNG_FILTER_VALUE_PAETH;
2458 
2459    for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1,
2460        pp = png_ptr->prev_row + 1; i < bpp; i++)
2461    {
2462       *dp++ = (png_byte)(((int)*rp++ - (int)*pp++) & 0xff);
2463    }
2464 
2465    for (lp = png_ptr->row_buf + 1, cp = png_ptr->prev_row + 1; i < row_bytes;
2466         i++)
2467    {
2468       int a, b, c, pa, pb, pc, p;
2469 
2470       b = *pp++;
2471       c = *cp++;
2472       a = *lp++;
2473 
2474       p = b - c;
2475       pc = a - c;
2476 
2477 #ifdef PNG_USE_ABS
2478       pa = abs(p);
2479       pb = abs(pc);
2480       pc = abs(p + pc);
2481 #else
2482       pa = p < 0 ? -p : p;
2483       pb = pc < 0 ? -pc : pc;
2484       pc = (p + pc) < 0 ? -(p + pc) : p + pc;
2485 #endif
2486 
2487       p = (pa <= pb && pa <=pc) ? a : (pb <= pc) ? b : c;
2488 
2489       *dp++ = (png_byte)(((int)*rp++ - p) & 0xff);
2490    }
2491 }
2492 #endif /* WRITE_FILTER */
2493 
2494 void /* PRIVATE */
png_write_find_filter(png_structrp png_ptr,png_row_infop row_info)2495 png_write_find_filter(png_structrp png_ptr, png_row_infop row_info)
2496 {
2497 #ifndef PNG_WRITE_FILTER_SUPPORTED
2498    png_write_filtered_row(png_ptr, png_ptr->row_buf, row_info->rowbytes+1);
2499 #else
2500    unsigned int filter_to_do = png_ptr->do_filter;
2501    png_bytep row_buf;
2502    png_bytep best_row;
2503    png_uint_32 bpp;
2504    png_size_t mins;
2505    png_size_t row_bytes = row_info->rowbytes;
2506 
2507    png_debug(1, "in png_write_find_filter");
2508 
2509    /* Find out how many bytes offset each pixel is */
2510    bpp = (row_info->pixel_depth + 7) >> 3;
2511 
2512    row_buf = png_ptr->row_buf;
2513    mins = PNG_SIZE_MAX - 256/* so we can detect potential overflow of the
2514                                running sum */;
2515 
2516    /* The prediction method we use is to find which method provides the
2517     * smallest value when summing the absolute values of the distances
2518     * from zero, using anything >= 128 as negative numbers.  This is known
2519     * as the "minimum sum of absolute differences" heuristic.  Other
2520     * heuristics are the "weighted minimum sum of absolute differences"
2521     * (experimental and can in theory improve compression), and the "zlib
2522     * predictive" method (not implemented yet), which does test compressions
2523     * of lines using different filter methods, and then chooses the
2524     * (series of) filter(s) that give minimum compressed data size (VERY
2525     * computationally expensive).
2526     *
2527     * GRR 980525:  consider also
2528     *
2529     *   (1) minimum sum of absolute differences from running average (i.e.,
2530     *       keep running sum of non-absolute differences & count of bytes)
2531     *       [track dispersion, too?  restart average if dispersion too large?]
2532     *
2533     *  (1b) minimum sum of absolute differences from sliding average, probably
2534     *       with window size <= deflate window (usually 32K)
2535     *
2536     *   (2) minimum sum of squared differences from zero or running average
2537     *       (i.e., ~ root-mean-square approach)
2538     */
2539 
2540 
2541    /* We don't need to test the 'no filter' case if this is the only filter
2542     * that has been chosen, as it doesn't actually do anything to the data.
2543     */
2544    best_row = png_ptr->row_buf;
2545 
2546    if (PNG_SIZE_MAX/128 <= row_bytes)
2547    {
2548       /* Overflow can occur in the calculation, just select the lowest set
2549        * filter.
2550        */
2551       filter_to_do &= -filter_to_do;
2552    }
2553    else if ((filter_to_do & PNG_FILTER_NONE) != 0 &&
2554          filter_to_do != PNG_FILTER_NONE)
2555    {
2556       /* Overflow not possible and multiple filters in the list, including the
2557        * 'none' filter.
2558        */
2559       png_bytep rp;
2560       png_size_t sum = 0;
2561       png_size_t i;
2562       int v;
2563 
2564       {
2565          for (i = 0, rp = row_buf + 1; i < row_bytes; i++, rp++)
2566          {
2567             v = *rp;
2568             sum += (v < 128) ? v : 256 - v;
2569          }
2570       }
2571 
2572       mins = sum;
2573    }
2574 
2575    /* Sub filter */
2576    if (filter_to_do == PNG_FILTER_SUB)
2577    /* It's the only filter so no testing is needed */
2578    {
2579       png_setup_sub_row_only(png_ptr, bpp, row_bytes);
2580       best_row = png_ptr->try_row;
2581    }
2582 
2583    else if ((filter_to_do & PNG_FILTER_SUB) != 0)
2584    {
2585       png_size_t sum;
2586       png_size_t lmins = mins;
2587 
2588       sum = png_setup_sub_row(png_ptr, bpp, row_bytes, lmins);
2589 
2590       if (sum < mins)
2591       {
2592          mins = sum;
2593          best_row = png_ptr->try_row;
2594          if (png_ptr->tst_row != NULL)
2595          {
2596             png_ptr->try_row = png_ptr->tst_row;
2597             png_ptr->tst_row = best_row;
2598          }
2599       }
2600    }
2601 
2602    /* Up filter */
2603    if (filter_to_do == PNG_FILTER_UP)
2604    {
2605       png_setup_up_row_only(png_ptr, row_bytes);
2606       best_row = png_ptr->try_row;
2607    }
2608 
2609    else if ((filter_to_do & PNG_FILTER_UP) != 0)
2610    {
2611       png_size_t sum;
2612       png_size_t lmins = mins;
2613 
2614       sum = png_setup_up_row(png_ptr, row_bytes, lmins);
2615 
2616       if (sum < mins)
2617       {
2618          mins = sum;
2619          best_row = png_ptr->try_row;
2620          if (png_ptr->tst_row != NULL)
2621          {
2622             png_ptr->try_row = png_ptr->tst_row;
2623             png_ptr->tst_row = best_row;
2624          }
2625       }
2626    }
2627 
2628    /* Avg filter */
2629    if (filter_to_do == PNG_FILTER_AVG)
2630    {
2631       png_setup_avg_row_only(png_ptr, bpp, row_bytes);
2632       best_row = png_ptr->try_row;
2633    }
2634 
2635    else if ((filter_to_do & PNG_FILTER_AVG) != 0)
2636    {
2637       png_size_t sum;
2638       png_size_t lmins = mins;
2639 
2640       sum= png_setup_avg_row(png_ptr, bpp, row_bytes, lmins);
2641 
2642       if (sum < mins)
2643       {
2644          mins = sum;
2645          best_row = png_ptr->try_row;
2646          if (png_ptr->tst_row != NULL)
2647          {
2648             png_ptr->try_row = png_ptr->tst_row;
2649             png_ptr->tst_row = best_row;
2650          }
2651       }
2652    }
2653 
2654    /* Paeth filter */
2655    if ((filter_to_do == PNG_FILTER_PAETH) != 0)
2656    {
2657       png_setup_paeth_row_only(png_ptr, bpp, row_bytes);
2658       best_row = png_ptr->try_row;
2659    }
2660 
2661    else if ((filter_to_do & PNG_FILTER_PAETH) != 0)
2662    {
2663       png_size_t sum;
2664       png_size_t lmins = mins;
2665 
2666       sum = png_setup_paeth_row(png_ptr, bpp, row_bytes, lmins);
2667 
2668       if (sum < mins)
2669       {
2670          best_row = png_ptr->try_row;
2671          if (png_ptr->tst_row != NULL)
2672          {
2673             png_ptr->try_row = png_ptr->tst_row;
2674             png_ptr->tst_row = best_row;
2675          }
2676       }
2677    }
2678 
2679    /* Do the actual writing of the filtered row data from the chosen filter. */
2680    png_write_filtered_row(png_ptr, best_row, row_info->rowbytes+1);
2681 
2682 #endif /* WRITE_FILTER */
2683 }
2684 
2685 
2686 /* Do the actual writing of a previously filtered row. */
2687 static void
png_write_filtered_row(png_structrp png_ptr,png_bytep filtered_row,png_size_t full_row_length)2688 png_write_filtered_row(png_structrp png_ptr, png_bytep filtered_row,
2689    png_size_t full_row_length/*includes filter byte*/)
2690 {
2691    png_debug(1, "in png_write_filtered_row");
2692 
2693    png_debug1(2, "filter = %d", filtered_row[0]);
2694 
2695    png_compress_IDAT(png_ptr, filtered_row, full_row_length, Z_NO_FLUSH);
2696 
2697 #ifdef PNG_WRITE_FILTER_SUPPORTED
2698    /* Swap the current and previous rows */
2699    if (png_ptr->prev_row != NULL)
2700    {
2701       png_bytep tptr;
2702 
2703       tptr = png_ptr->prev_row;
2704       png_ptr->prev_row = png_ptr->row_buf;
2705       png_ptr->row_buf = tptr;
2706    }
2707 #endif /* WRITE_FILTER */
2708 
2709    /* Finish row - updates counters and flushes zlib if last row */
2710    png_write_finish_row(png_ptr);
2711 
2712 #ifdef PNG_WRITE_FLUSH_SUPPORTED
2713    png_ptr->flush_rows++;
2714 
2715    if (png_ptr->flush_dist > 0 &&
2716        png_ptr->flush_rows >= png_ptr->flush_dist)
2717    {
2718       png_write_flush(png_ptr);
2719    }
2720 #endif /* WRITE_FLUSH */
2721 }
2722 #endif /* WRITE */
2723