/* pngrutil.c - utilities to read a PNG file

 *

 * Copyright (c) 2018-2025 Cosmin Truta

 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson

 * Copyright (c) 1996-1997 Andreas Dilger

 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.

 *

 * This code is released under the libpng license.

 * For conditions of distribution and use, see the disclaimer

 * and license in png.h

 *

 * This file contains routines that are only called from within

 * libpng itself during the course of reading an image.

 */

#include "pngpriv.h"

#ifdef PNG_READ_SUPPORTED

/* The minimum 'zlib' stream is assumed to be just the 2 byte header, 5 bytes

 * minimum 'deflate' stream, and the 4 byte checksum.

 */

#define LZ77Min  (2U+5U+4U)

#ifdef PNG_READ_INTERLACING_SUPPORTED

/* Arrays to facilitate interlacing - use pass (0 - 6) as index. */

/* Start of interlace block */

static const png_byte png_pass_start[7] = {0, 4, 0, 2, 0, 1, 0};

/* Offset to next interlace block */

static const png_byte png_pass_inc[7] = {8, 8, 4, 4, 2, 2, 1};

/* Start of interlace block in the y direction */

static const png_byte png_pass_ystart[7] = {0, 0, 4, 0, 2, 0, 1};

/* Offset to next interlace block in the y direction */

static const png_byte png_pass_yinc[7] = {8, 8, 8, 4, 4, 2, 2};

/* TODO: Move these arrays to a common utility module to avoid duplication. */

#endif

png_uint_32

png_get_uint_31(const png_struct *png_ptr, const png_byte *buf)

{

   png_uint_32 uval = png_get_uint_32(buf);

   if (uval > PNG_UINT_31_MAX)

      png_error(png_ptr, "PNG unsigned integer out of range");

   return uval;

}

#ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED

/* NOTE: the read macros will obscure these definitions, so that if

 * PNG_USE_READ_MACROS is set the library will not use them internally,

 * but the APIs will still be available externally.

 *

 * The parentheses around function names in the following three functions

 * are necessary, because they allow the macros to co-exist with these

 * (unused but exported) functions.

 */

/* Grab an unsigned 32-bit integer from a buffer in big-endian format. */

png_uint_32

(png_get_uint_32)(const png_byte *buf)

{

   png_uint_32 uval =

       ((png_uint_32)(*(buf    )) << 24) +

       ((png_uint_32)(*(buf + 1)) << 16) +

       ((png_uint_32)(*(buf + 2)) <<  8) +

       ((png_uint_32)(*(buf + 3))      ) ;

   return uval;

}

/* Grab a signed 32-bit integer from a buffer in big-endian format.  The

 * data is stored in the PNG file in two's complement format and there

 * is no guarantee that a 'png_int_32' is exactly 32 bits, therefore

 * the following code does a two's complement to native conversion.

 */

png_int_32

(png_get_int_32)(const png_byte *buf)

{

   png_uint_32 uval = png_get_uint_32(buf);

   if ((uval & 0x80000000) == 0) /* non-negative */

      return (png_int_32)uval;

   uval = (uval ^ 0xffffffff) + 1;  /* 2's complement: -x = ~x+1 */

   if ((uval & 0x80000000) == 0) /* no overflow */

      return -(png_int_32)uval;

   /* The following has to be safe; this function only gets called on PNG data

    * and if we get here that data is invalid.  0 is the most safe value and

    * if not then an attacker would surely just generate a PNG with 0 instead.

    */

   return 0;

}

/* Grab an unsigned 16-bit integer from a buffer in big-endian format. */

png_uint_16

(png_get_uint_16)(const png_byte *buf)

{

   /* ANSI-C requires an int value to accommodate at least 16 bits so this

    * works and allows the compiler not to worry about possible narrowing

    * on 32-bit systems.  (Pre-ANSI systems did not make integers smaller

    * than 16 bits either.)

    */

   unsigned int val =

       ((unsigned int)(*buf) << 8) +

       ((unsigned int)(*(buf + 1)));

   return (png_uint_16)val;

}

#endif /* READ_INT_FUNCTIONS */

/* Read and check the PNG file signature */

void /* PRIVATE */

png_read_sig(png_struct *png_ptr, png_info *info_ptr)

{

   size_t num_checked, num_to_check;

   /* Exit if the user application does not expect a signature. */

   if (png_ptr->sig_bytes >= 8)

      return;

   num_checked = png_ptr->sig_bytes;

   num_to_check = 8 - num_checked;

#ifdef PNG_IO_STATE_SUPPORTED

   png_ptr->io_state = PNG_IO_READING | PNG_IO_SIGNATURE;

#endif

   /* The signature must be serialized in a single I/O call. */

   png_read_data(png_ptr, &(info_ptr->signature[num_checked]), num_to_check);

   png_ptr->sig_bytes = 8;

   if (png_sig_cmp(info_ptr->signature, num_checked, num_to_check) != 0)

   {

      if (num_checked < 4 &&

          png_sig_cmp(info_ptr->signature, num_checked, num_to_check - 4) != 0)

         png_error(png_ptr, "Not a PNG file");

      else

         png_error(png_ptr, "PNG file corrupted by ASCII conversion");

   }

   if (num_checked < 3)

      png_ptr->mode |= PNG_HAVE_PNG_SIGNATURE;

}

/* This function is called to verify that a chunk name is valid.

 * Do this using the bit-whacking approach from contrib/tools/pngfix.c

 *

 * Copied from libpng 1.7.

 */

static int

check_chunk_name(png_uint_32 name)

{

   png_uint_32 t;

   /* Remove bit 5 from all but the reserved byte; this means

    * every 8-bit unit must be in the range 65-90 to be valid.

    * So bit 5 must be zero, bit 6 must be set and bit 7 zero.

    */

   name &= ~PNG_U32(32,32,0,32);

   t = (name & ~0x1f1f1f1fU) ^ 0x40404040U;

   /* Subtract 65 for each 8-bit quantity, this must not

    * overflow and each byte must then be in the range 0-25.

    */

   name -= PNG_U32(65,65,65,65);

   t |= name;

   /* Subtract 26, handling the overflow which should set the

    * top three bits of each byte.

    */

   name -= PNG_U32(25,25,25,26);

   t |= ~name;

   return (t & 0xe0e0e0e0U) == 0U;

}

/* Read the chunk header (length + type name).

 * Put the type name into png_ptr->chunk_name, and return the length.

 */

png_uint_32 /* PRIVATE */

png_read_chunk_header(png_struct *png_ptr)

{

   png_byte buf[8];

   png_uint_32 chunk_name, length;

#ifdef PNG_IO_STATE_SUPPORTED

   png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_HDR;

#endif

   /* Read the length and the chunk name.  png_struct::chunk_name is immediately

    * updated even if they are detectably wrong.  This aids error message

    * handling by allowing png_chunk_error to be used.

    */

   png_read_data(png_ptr, buf, 8);

   length = png_get_uint_31(png_ptr, buf);

   png_ptr->chunk_name = chunk_name = PNG_CHUNK_FROM_STRING(buf+4);

   /* Reset the crc and run it over the chunk name. */

   png_reset_crc(png_ptr);

   png_calculate_crc(png_ptr, buf + 4, 4);

   png_debug2(0, "Reading chunk typeid = 0x%lx, length = %lu",

       (unsigned long)png_ptr->chunk_name, (unsigned long)length);

   /* Sanity check the length (first by <= 0x80) and the chunk name.  An error

    * here indicates a broken stream and libpng has no recovery from this.

    */

   if (buf[0] >= 0x80U)

      png_chunk_error(png_ptr, "bad header (invalid length)");

   /* Check to see if chunk name is valid. */

   if (!check_chunk_name(chunk_name))

      png_chunk_error(png_ptr, "bad header (invalid type)");

#ifdef PNG_IO_STATE_SUPPORTED

   png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_DATA;

#endif

   return length;

}

/* Read data, and (optionally) run it through the CRC. */

void /* PRIVATE */

png_crc_read(png_struct *png_ptr, png_byte *buf, png_uint_32 length)

{

   if (png_ptr == NULL)

      return;

   png_read_data(png_ptr, buf, length);

   png_calculate_crc(png_ptr, buf, length);

}

/* Compare the CRC stored in the PNG file with that calculated by libpng from

 * the data it has read thus far.

 */

static int

png_crc_error(png_struct *png_ptr, int handle_as_ancillary)

{

   png_byte crc_bytes[4];

   png_uint_32 crc;

   int need_crc = 1;

   /* There are four flags two for ancillary and two for critical chunks.  The

    * default setting of these flags is all zero.

    *

    * PNG_FLAG_CRC_ANCILLARY_USE

    * PNG_FLAG_CRC_ANCILLARY_NOWARN

    *  USE+NOWARN: no CRC calculation (implemented here), else;

    *  NOWARN:     png_chunk_error on error (implemented in png_crc_finish)

    *  else:       png_chunk_warning on error (implemented in png_crc_finish)

    *              This is the default.

    *

    *    I.e. NOWARN without USE produces png_chunk_error.  The default setting

    *    where neither are set does the same thing.

    *

    * PNG_FLAG_CRC_CRITICAL_USE

    * PNG_FLAG_CRC_CRITICAL_IGNORE

    *  IGNORE: no CRC calculation (implemented here), else;

    *  USE:    png_chunk_warning on error (implemented in png_crc_finish)

    *  else:   png_chunk_error on error (implemented in png_crc_finish)

    *          This is the default.

    *

    * This arose because of original mis-implementation and has persisted for

    * compatibility reasons.

    *

    * TODO: the flag names are internal so maybe this can be changed to

    * something comprehensible.

    */

   if (handle_as_ancillary || PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)

   {

      if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==

          (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))

         need_crc = 0;

   }

   else /* critical */

   {

      if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)

         need_crc = 0;

   }

#ifdef PNG_IO_STATE_SUPPORTED

   png_ptr->io_state = PNG_IO_READING | PNG_IO_CHUNK_CRC;

#endif

   /* The chunk CRC must be serialized in a single I/O call. */

   png_read_data(png_ptr, crc_bytes, 4);

   if (need_crc != 0)

   {

      crc = png_get_uint_32(crc_bytes);

      return crc != png_ptr->crc;

   }

   else

      return 0;

}

/* Optionally skip data and then check the CRC.  Depending on whether we

 * are reading an ancillary or critical chunk, and how the program has set

 * things up, we may calculate the CRC on the data and print a message.

 * Returns '1' if there was a CRC error, '0' otherwise.

 *

 * There is one public version which is used in most places and another which

 * takes the value for the 'critical' flag to check.  This allows PLTE and IEND

 * handling code to ignore the CRC error and removes some confusing code

 * duplication.

 */

static int

png_crc_finish_critical(png_struct *png_ptr, png_uint_32 skip,

      int handle_as_ancillary)

{

   /* The size of the local buffer for inflate is a good guess as to a

    * reasonable size to use for buffering reads from the application.

    */

   while (skip > 0)

   {

      png_uint_32 len;

      png_byte tmpbuf[PNG_INFLATE_BUF_SIZE];

      len = (sizeof tmpbuf);

      if (len > skip)

         len = skip;

      skip -= len;

      png_crc_read(png_ptr, tmpbuf, len);

   }

   /* If 'handle_as_ancillary' has been requested and this is a critical chunk

    * but PNG_FLAG_CRC_CRITICAL_IGNORE was set then png_read_crc did not, in

    * fact, calculate the CRC so the ANCILLARY settings should not be used

    * instead.

    */

   if (handle_as_ancillary &&

       (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)

      handle_as_ancillary = 0;

   /* TODO: this might be more comprehensible if png_crc_error was inlined here.

    */

   if (png_crc_error(png_ptr, handle_as_ancillary) != 0)

   {

      /* See above for the explanation of how the flags work. */

      if (handle_as_ancillary || PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0 ?

          (png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_NOWARN) == 0 :

          (png_ptr->flags & PNG_FLAG_CRC_CRITICAL_USE) != 0)

         png_chunk_warning(png_ptr, "CRC error");

      else

         png_chunk_error(png_ptr, "CRC error");

      return 1;

   }

   return 0;

}

int /* PRIVATE */

png_crc_finish(png_struct *png_ptr, png_uint_32 skip)

{

   return png_crc_finish_critical(png_ptr, skip, 0/*critical handling*/);

}

#if defined(PNG_READ_iCCP_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) ||\

    defined(PNG_READ_pCAL_SUPPORTED) || defined(PNG_READ_sCAL_SUPPORTED) ||\

    defined(PNG_READ_sPLT_SUPPORTED) || defined(PNG_READ_tEXt_SUPPORTED) ||\

    defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_READ_eXIf_SUPPORTED) ||\

    defined(PNG_SEQUENTIAL_READ_SUPPORTED)

/* Manage the read buffer; this simply reallocates the buffer if it is not small

 * enough (or if it is not allocated).  The routine returns a pointer to the

 * buffer; if an error occurs and 'warn' is set the routine returns NULL, else

 * it will call png_error on failure.

 */

static png_byte *

png_read_buffer(png_struct *png_ptr, png_alloc_size_t new_size)

{

   png_byte *buffer = png_ptr->read_buffer;

   if (new_size > png_chunk_max(png_ptr)) return NULL;

   if (buffer != NULL && new_size > png_ptr->read_buffer_size)

   {

      png_ptr->read_buffer = NULL;

      png_ptr->read_buffer_size = 0;

      png_free(png_ptr, buffer);

      buffer = NULL;

   }

   if (buffer == NULL)

   {

      buffer = png_voidcast(png_byte *, png_malloc_base(png_ptr, new_size));

      if (buffer != NULL)

      {

#        ifndef PNG_NO_MEMZERO /* for detecting UIM bugs **only** */

            memset(buffer, 0, new_size); /* just in case */

#        endif

         png_ptr->read_buffer = buffer;

         png_ptr->read_buffer_size = new_size;

      }

   }

   return buffer;

}

#endif /* READ_iCCP|iTXt|pCAL|sCAL|sPLT|tEXt|zTXt|eXIf|SEQUENTIAL_READ */

/* png_inflate_claim: claim the zstream for some nefarious purpose that involves

 * decompression.  Returns Z_OK on success, else a zlib error code.  It checks

 * the owner but, in final release builds, just issues a warning if some other

 * chunk apparently owns the stream.  Prior to release it does a png_error.

 */

static int

png_inflate_claim(png_struct *png_ptr, png_uint_32 owner)

{

   if (png_ptr->zowner != 0)

   {

      char msg[64];

      PNG_STRING_FROM_CHUNK(msg, png_ptr->zowner);

      /* So the message that results is "<chunk> using zstream"; this is an

       * internal error, but is very useful for debugging.  i18n requirements

       * are minimal.

       */

      (void)png_safecat(msg, (sizeof msg), 4, " using zstream");

#if PNG_RELEASE_BUILD

      png_chunk_warning(png_ptr, msg);

      png_ptr->zowner = 0;

#else

      png_chunk_error(png_ptr, msg);

#endif

   }

   /* Implementation note: unlike 'png_deflate_claim' this internal function

    * does not take the size of the data as an argument.  Some efficiency could

    * be gained by using this when it is known *if* the zlib stream itself does

    * not record the number; however, this is an illusion: the original writer

    * of the PNG may have selected a lower window size, and we really must

    * follow that because, for systems with with limited capabilities, we

    * would otherwise reject the application's attempts to use a smaller window

    * size (zlib doesn't have an interface to say "this or lower"!).

    */

   {

      int ret; /* zlib return code */

      int window_bits = 0;

      if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & 3) ==

          PNG_OPTION_ON)

      {

         window_bits = 15;

         png_ptr->zstream_start = 0; /* fixed window size */

      }

      else

      {

         png_ptr->zstream_start = 1;

      }

      /* Set this for safety, just in case the previous owner left pointers to

       * memory allocations.

       */

      png_ptr->zstream.next_in = NULL;

      png_ptr->zstream.avail_in = 0;

      png_ptr->zstream.next_out = NULL;

      png_ptr->zstream.avail_out = 0;

      if ((png_ptr->flags & PNG_FLAG_ZSTREAM_INITIALIZED) != 0)

      {

         ret = inflateReset2(&png_ptr->zstream, window_bits);

      }

      else

      {

         ret = inflateInit2(&png_ptr->zstream, window_bits);

         if (ret == Z_OK)

            png_ptr->flags |= PNG_FLAG_ZSTREAM_INITIALIZED;

      }

#ifdef PNG_DISABLE_ADLER32_CHECK_SUPPORTED

      if (((png_ptr->options >> PNG_IGNORE_ADLER32) & 3) == PNG_OPTION_ON)

         /* Turn off validation of the ADLER32 checksum in IDAT chunks */

         ret = inflateValidate(&png_ptr->zstream, 0);

#endif

      if (ret == Z_OK)

         png_ptr->zowner = owner;

      else

         png_zstream_error(png_ptr, ret);

      return ret;

   }

#ifdef window_bits

# undef window_bits

#endif

}

/* Handle the start of the inflate stream if we called inflateInit2(strm,0);

 * in this case some zlib versions skip validation of the CINFO field and, in

 * certain circumstances, libpng may end up displaying an invalid image, in

 * contrast to implementations that call zlib in the normal way (e.g. libpng

 * 1.5).

 */

int /* PRIVATE */

png_zlib_inflate(png_struct *png_ptr, int flush)

{

   if (png_ptr->zstream_start && png_ptr->zstream.avail_in > 0)

   {

      if ((*png_ptr->zstream.next_in >> 4) > 7)

      {

         png_ptr->zstream.msg = "invalid window size (libpng)";

         return Z_DATA_ERROR;

      }

      png_ptr->zstream_start = 0;

   }

   return inflate(&png_ptr->zstream, flush);

}

#ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED

#if defined(PNG_READ_zTXt_SUPPORTED) || defined (PNG_READ_iTXt_SUPPORTED)

/* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to

 * allow the caller to do multiple calls if required.  If the 'finish' flag is

 * set Z_FINISH will be passed to the final inflate() call and Z_STREAM_END must

 * be returned or there has been a problem, otherwise Z_SYNC_FLUSH is used and

 * Z_OK or Z_STREAM_END will be returned on success.

 *

 * The input and output sizes are updated to the actual amounts of data consumed

 * or written, not the amount available (as in a z_stream).  The data pointers

 * are not changed, so the next input is (data+input_size) and the next

 * available output is (output+output_size).

 */

static int

png_inflate(png_struct *png_ptr, png_uint_32 owner, int finish,

    /* INPUT: */ const png_byte *input, png_uint_32 *input_size_ptr,

    /* OUTPUT: */ png_byte *output, png_alloc_size_t *output_size_ptr)

{

   if (png_ptr->zowner == owner) /* Else not claimed */

   {

      int ret;

      png_alloc_size_t avail_out = *output_size_ptr;

      png_uint_32 avail_in = *input_size_ptr;

      /* zlib can't necessarily handle more than 65535 bytes at once (i.e. it

       * can't even necessarily handle 65536 bytes) because the type uInt is

       * "16 bits or more".  Consequently it is necessary to chunk the input to

       * zlib.  This code uses ZLIB_IO_MAX, from pngpriv.h, as the maximum (the

       * maximum value that can be stored in a uInt.)  It is possible to set

       * ZLIB_IO_MAX to a lower value in pngpriv.h and this may sometimes have

       * a performance advantage, because it reduces the amount of data accessed

       * at each step and that may give the OS more time to page it in.

       */

      png_ptr->zstream.next_in = input;

      /* avail_in and avail_out are set below from 'size' */

      png_ptr->zstream.avail_in = 0;

      png_ptr->zstream.avail_out = 0;

      /* Read directly into the output if it is available (this is set to

       * a local buffer below if output is NULL).

       */

      if (output != NULL)

         png_ptr->zstream.next_out = output;

      do

      {

         uInt avail;

         Byte local_buffer[PNG_INFLATE_BUF_SIZE];

         /* zlib INPUT BUFFER */

         /* The setting of 'avail_in' used to be outside the loop; by setting it

          * inside it is possible to chunk the input to zlib and simply rely on

          * zlib to advance the 'next_in' pointer.  This allows arbitrary

          * amounts of data to be passed through zlib at the unavoidable cost of

          * requiring a window save (memcpy of up to 32768 output bytes)

          * every ZLIB_IO_MAX input bytes.

          */

         avail_in += png_ptr->zstream.avail_in; /* not consumed last time */

         avail = ZLIB_IO_MAX;

         if (avail_in < avail)

            avail = (uInt)avail_in; /* safe: < than ZLIB_IO_MAX */

         avail_in -= avail;

         png_ptr->zstream.avail_in = avail;

         /* zlib OUTPUT BUFFER */

         avail_out += png_ptr->zstream.avail_out; /* not written last time */

         avail = ZLIB_IO_MAX; /* maximum zlib can process */

         if (output == NULL)

         {

            /* Reset the output buffer each time round if output is NULL and

             * make available the full buffer, up to 'remaining_space'

             */

            png_ptr->zstream.next_out = local_buffer;

            if ((sizeof local_buffer) < avail)

               avail = (sizeof local_buffer);

         }

         if (avail_out < avail)

            avail = (uInt)avail_out; /* safe: < ZLIB_IO_MAX */

         png_ptr->zstream.avail_out = avail;

         avail_out -= avail;

         /* zlib inflate call */

         /* In fact 'avail_out' may be 0 at this point, that happens at the end

          * of the read when the final LZ end code was not passed at the end of

          * the previous chunk of input data.  Tell zlib if we have reached the

          * end of the output buffer.

          */

         ret = png_zlib_inflate(png_ptr, avail_out > 0 ? Z_NO_FLUSH :

             (finish ? Z_FINISH : Z_SYNC_FLUSH));

      } while (ret == Z_OK);

      /* For safety kill the local buffer pointer now */

      if (output == NULL)

         png_ptr->zstream.next_out = NULL;

      /* Claw back the 'size' and 'remaining_space' byte counts. */

      avail_in += png_ptr->zstream.avail_in;

      avail_out += png_ptr->zstream.avail_out;

      /* Update the input and output sizes; the updated values are the amount

       * consumed or written, effectively the inverse of what zlib uses.

       */

      if (avail_out > 0)

         *output_size_ptr -= avail_out;

      if (avail_in > 0)

         *input_size_ptr -= avail_in;

      /* Ensure png_ptr->zstream.msg is set (even in the success case!) */

      png_zstream_error(png_ptr, ret);

      return ret;

   }

   else

   {

      /* This is a bad internal error.  The recovery assigns to the zstream msg

       * pointer, which is not owned by the caller, but this is safe; it's only

       * used on errors!

       */

      png_ptr->zstream.msg = "zstream unclaimed";

      return Z_STREAM_ERROR;

   }

}

/*

 * Decompress trailing data in a chunk.  The assumption is that read_buffer

 * points at an allocated area holding the contents of a chunk with a

 * trailing compressed part.  What we get back is an allocated area

 * holding the original prefix part and an uncompressed version of the

 * trailing part (the malloc area passed in is freed).

 */

static int

png_decompress_chunk(png_struct *png_ptr,

    png_uint_32 chunklength, png_uint_32 prefix_size,

    png_alloc_size_t *newlength /* must be initialized to the maximum! */,

    int terminate /*add a '\0' to the end of the uncompressed data*/)

{

   /* TODO: implement different limits for different types of chunk.

    *

    * The caller supplies *newlength set to the maximum length of the

    * uncompressed data, but this routine allocates space for the prefix and

    * maybe a '\0' terminator too.  We have to assume that 'prefix_size' is

    * limited only by the maximum chunk size.

    */

   png_alloc_size_t limit = png_chunk_max(png_ptr);

   if (limit >= prefix_size + (terminate != 0))

   {

      int ret;

      limit -= prefix_size + (terminate != 0);

      if (limit < *newlength)

         *newlength = limit;

      /* Now try to claim the stream. */

      ret = png_inflate_claim(png_ptr, png_ptr->chunk_name);

      if (ret == Z_OK)

      {

         png_uint_32 lzsize = chunklength - prefix_size;

         ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,

             /* input: */ png_ptr->read_buffer + prefix_size, &lzsize,

             /* output: */ NULL, newlength);

         if (ret == Z_STREAM_END)

         {

            /* Use 'inflateReset' here, not 'inflateReset2' because this

             * preserves the previously decided window size (otherwise it would

             * be necessary to store the previous window size.)  In practice

             * this doesn't matter anyway, because png_inflate will call inflate

             * with Z_FINISH in almost all cases, so the window will not be

             * maintained.

             */

            if (inflateReset(&png_ptr->zstream) == Z_OK)

            {

               /* Because of the limit checks above we know that the new,

                * expanded, size will fit in a size_t (let alone an

                * png_alloc_size_t).  Use png_malloc_base here to avoid an

                * extra OOM message.

                */

               png_alloc_size_t new_size = *newlength;

               png_alloc_size_t buffer_size = prefix_size + new_size +

                   (terminate != 0);

               png_byte *text = png_voidcast(png_byte *,

                   png_malloc_base(png_ptr, buffer_size));

               if (text != NULL)

               {

                  memset(text, 0, buffer_size);

                  ret = png_inflate(png_ptr, png_ptr->chunk_name, 1/*finish*/,

                      png_ptr->read_buffer + prefix_size, &lzsize,

                      text + prefix_size, newlength);

                  if (ret == Z_STREAM_END)

                  {

                     if (new_size == *newlength)

                     {

                        if (terminate != 0)

                           text[prefix_size + *newlength] = 0;

                        if (prefix_size > 0)

                           memcpy(text, png_ptr->read_buffer, prefix_size);

                        {

                           png_byte *old_ptr = png_ptr->read_buffer;

                           png_ptr->read_buffer = text;

                           png_ptr->read_buffer_size = buffer_size;

                           text = old_ptr; /* freed below */

                        }

                     }

                     else

                     {

                        /* The size changed on the second read, there can be no

                         * guarantee that anything is correct at this point.

                         * The 'msg' pointer has been set to "unexpected end of

                         * LZ stream", which is fine, but return an error code

                         * that the caller won't accept.

                         */

                        ret = PNG_UNEXPECTED_ZLIB_RETURN;

                     }

                  }

                  else if (ret == Z_OK)

                     ret = PNG_UNEXPECTED_ZLIB_RETURN; /* for safety */

                  /* Free the text pointer (this is the old read_buffer on

                   * success)

                   */

                  png_free(png_ptr, text);

                  /* This really is very benign, but it's still an error because

                   * the extra space may otherwise be used as a Trojan Horse.

                   */

                  if (ret == Z_STREAM_END &&

                      chunklength - prefix_size != lzsize)

                     png_chunk_benign_error(png_ptr, "extra compressed data");

               }

               else

               {

                  /* Out of memory allocating the buffer */

                  ret = Z_MEM_ERROR;

                  png_zstream_error(png_ptr, Z_MEM_ERROR);

               }

            }

            else

            {

               /* inflateReset failed, store the error message */

               png_zstream_error(png_ptr, ret);

               ret = PNG_UNEXPECTED_ZLIB_RETURN;

            }

         }

         else if (ret == Z_OK)

            ret = PNG_UNEXPECTED_ZLIB_RETURN;

         /* Release the claimed stream */

         png_ptr->zowner = 0;

      }

      else /* the claim failed */ if (ret == Z_STREAM_END) /* impossible! */

         ret = PNG_UNEXPECTED_ZLIB_RETURN;

      return ret;

   }

   else

   {

      /* Application/configuration limits exceeded */

      png_zstream_error(png_ptr, Z_MEM_ERROR);

      return Z_MEM_ERROR;

   }

}

#endif /* READ_zTXt || READ_iTXt */

#endif /* READ_COMPRESSED_TEXT */

#ifdef PNG_READ_iCCP_SUPPORTED

/* Perform a partial read and decompress, producing 'avail_out' bytes and

 * reading from the current chunk as required.

 */

static int

png_inflate_read(png_struct *png_ptr, png_byte *read_buffer, uInt read_size,

    png_uint_32 *chunk_bytes, png_byte *next_out, png_alloc_size_t *out_size,

    int finish)

{

   if (png_ptr->zowner == png_ptr->chunk_name)

   {

      int ret;

      /* next_in and avail_in must have been initialized by the caller. */

      png_ptr->zstream.next_out = next_out;

      png_ptr->zstream.avail_out = 0; /* set in the loop */

      do

      {

         if (png_ptr->zstream.avail_in == 0)

         {

            if (read_size > *chunk_bytes)

               read_size = (uInt)*chunk_bytes;

            *chunk_bytes -= read_size;

            if (read_size > 0)

               png_crc_read(png_ptr, read_buffer, read_size);

            png_ptr->zstream.next_in = read_buffer;

            png_ptr->zstream.avail_in = read_size;

         }

         if (png_ptr->zstream.avail_out == 0)

         {

            uInt avail = ZLIB_IO_MAX;

            if (avail > *out_size)

               avail = (uInt)*out_size;

            *out_size -= avail;

            png_ptr->zstream.avail_out = avail;

         }

         /* Use Z_SYNC_FLUSH when there is no more chunk data to ensure that all

          * the available output is produced; this allows reading of truncated

          * streams.

          */

         ret = png_zlib_inflate(png_ptr, *chunk_bytes > 0 ?

             Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH));

      }

      while (ret == Z_OK && (*out_size > 0 || png_ptr->zstream.avail_out > 0));

      *out_size += png_ptr->zstream.avail_out;

      png_ptr->zstream.avail_out = 0; /* Should not be required, but is safe */

      /* Ensure the error message pointer is always set: */

      png_zstream_error(png_ptr, ret);

      return ret;

   }

   else

   {

      png_ptr->zstream.msg = "zstream unclaimed";

      return Z_STREAM_ERROR;

   }

}

#endif /* READ_iCCP */

/* CHUNK HANDLING */

/* Read and check the IDHR chunk */

static png_handle_result_code

png_handle_IHDR(png_struct *png_ptr, png_info *info_ptr, png_uint_32 length)

{

   png_byte buf[13];

   png_uint_32 width, height;

   int bit_depth, color_type, compression_type, filter_type;

   int interlace_type;

   png_debug(1, "in png_handle_IHDR");

   /* Length and position are checked by the caller. */

   png_ptr->mode |= PNG_HAVE_IHDR;

   png_crc_read(png_ptr, buf, 13);

   png_crc_finish(png_ptr, 0);

   width = png_get_uint_31(png_ptr, buf);

   height = png_get_uint_31(png_ptr, buf + 4);

   bit_depth = buf[8];

   color_type = buf[9];

   compression_type = buf[10];

   filter_type = buf[11];

   interlace_type = buf[12];

#ifdef PNG_READ_APNG_SUPPORTED

   png_ptr->first_frame_width = width;

   png_ptr->first_frame_height = height;

#endif

   /* Set internal variables */

   png_ptr->width = width;

   png_ptr->height = height;

   png_ptr->bit_depth = (png_byte)bit_depth;

   png_ptr->interlaced = (png_byte)interlace_type;

   png_ptr->color_type = (png_byte)color_type;

#ifdef PNG_MNG_FEATURES_SUPPORTED

   png_ptr->filter_type = (png_byte)filter_type;

#endif

   png_ptr->compression_type = (png_byte)compression_type;

   /* Find number of channels */

   switch (png_ptr->color_type)

   {

      default: /* invalid, png_set_IHDR calls png_error */

      case PNG_COLOR_TYPE_GRAY:

      case PNG_COLOR_TYPE_PALETTE:

         png_ptr->channels = 1;

         break;

      case PNG_COLOR_TYPE_RGB:

         png_ptr->channels = 3;

         break;

      case PNG_COLOR_TYPE_GRAY_ALPHA:

         png_ptr->channels = 2;

         break;

      case PNG_COLOR_TYPE_RGB_ALPHA:

         png_ptr->channels = 4;

         break;

   }

   /* Set up other useful info */

   png_ptr->pixel_depth = (png_byte)(png_ptr->bit_depth * png_ptr->channels);

   png_ptr->rowbytes = PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->width);

   png_debug1(3, "bit_depth = %d", png_ptr->bit_depth);

   png_debug1(3, "channels = %d", png_ptr->channels);

   png_debug1(3, "rowbytes = %lu", (unsigned long)png_ptr->rowbytes);

   /* Rely on png_set_IHDR to completely validate the data and call png_error if

    * it's wrong.

    */

   png_set_IHDR(png_ptr, info_ptr, width, height, bit_depth,

       color_type, interlace_type, compression_type, filter_type);

   return handled_ok;

   PNG_UNUSED(length)

}

/* Read and check the palette */

/* TODO: there are several obvious errors in this code when handling

 * out-of-place chunks and there is much over-complexity caused by trying to

 * patch up the problems.

 */

static png_handle_result_code

png_handle_PLTE(png_struct *png_ptr, png_info *info_ptr, png_uint_32 length)

{

   const char *errmsg = NULL;

   png_debug(1, "in png_handle_PLTE");

   /* 1.6.47: consistency.  This used to be especially treated as a critical

    * error even in an image which is not colour mapped, there isn't a good

    * justification for treating some errors here one way and others another so

    * everything uses the same logic.

    */

   if ((png_ptr->mode & PNG_HAVE_PLTE) != 0)

      errmsg = "duplicate";

   else if ((png_ptr->mode & PNG_HAVE_IDAT) != 0)

      errmsg = "out of place";

   else if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) == 0)

      errmsg = "ignored in grayscale PNG";

   else if (length > 3*PNG_MAX_PALETTE_LENGTH || (length % 3) != 0)

      errmsg = "invalid";

   /* This drops PLTE in favour of tRNS or bKGD because both of those chunks

    * can have an effect on the rendering of the image whereas PLTE only matters

    * in the case of an 8-bit display with a decoder which controls the palette.

    *

    * The alternative here is to ignore the error and store the palette anyway;

    * destroying the tRNS will definately cause problems.

    *

    * NOTE: the case of PNG_COLOR_TYPE_PALETTE need not be considered because

    * the png_handle_ routines for the three 'after PLTE' chunks tRNS, bKGD and

    * hIST all check for a preceding PLTE in these cases.

    */

   else if (png_ptr->color_type != PNG_COLOR_TYPE_PALETTE &&

            (png_has_chunk(png_ptr, tRNS) || png_has_chunk(png_ptr, bKGD)))

      errmsg = "out of place";

   else

   {

      /* If the palette has 256 or fewer entries but is too large for the bit

       * depth we don't issue an error to preserve the behavior of previous

       * libpng versions. We silently truncate the unused extra palette entries

       * here.

       */

      const unsigned max_palette_length =

         (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?

            1U << png_ptr->bit_depth : PNG_MAX_PALETTE_LENGTH;

      /* The cast is safe because 'length' is less than

       * 3*PNG_MAX_PALETTE_LENGTH

       */

      const unsigned num = (length > 3U*max_palette_length) ?

         max_palette_length : (unsigned)length / 3U;

      unsigned i, j;

      png_byte buf[3*PNG_MAX_PALETTE_LENGTH];

      png_color palette[PNG_MAX_PALETTE_LENGTH];

      /* Read the chunk into the buffer then read to the end of the chunk. */

      png_crc_read(png_ptr, buf, num*3U);

      png_crc_finish_critical(png_ptr, length - 3U*num,

            /* Handle as ancillary if PLTE is optional: */

            png_ptr->color_type != PNG_COLOR_TYPE_PALETTE);

      for (i = 0U, j = 0U; i < num; i++)

      {

         palette[i].red = buf[j++];

         palette[i].green = buf[j++];

         palette[i].blue = buf[j++];

      }

      /* A valid PLTE chunk has been read */

      png_ptr->mode |= PNG_HAVE_PLTE;

      /* TODO: png_set_PLTE has the side effect of setting png_ptr->palette to

       * its own copy of the palette.  This has the side effect that when

       * png_start_row is called (this happens after any call to

       * png_read_update_info) the info_ptr palette gets changed.  This is

       * extremely unexpected and confusing.

       *