Coverage Report

Created: 2026-06-30 06:15

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/libpng/pngset.c
Line
Count
Source
1
/* pngset.c - storage of image information into info struct
2
 *
3
 * Copyright (c) 2018-2026 Cosmin Truta
4
 * Copyright (c) 1998-2018 Glenn Randers-Pehrson
5
 * Copyright (c) 1996-1997 Andreas Dilger
6
 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
7
 *
8
 * This code is released under the libpng license.
9
 * For conditions of distribution and use, see the disclaimer
10
 * and license in png.h
11
 *
12
 * The functions here are used during reads to store data from the file
13
 * into the info struct, and during writes to store application data
14
 * into the info struct for writing into the file.  This abstracts the
15
 * info struct and allows us to change the structure in the future.
16
 */
17
18
#include "pngpriv.h"
19
20
#if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
21
22
#ifdef PNG_bKGD_SUPPORTED
23
void PNGAPI
24
png_set_bKGD(png_const_structrp png_ptr, png_inforp info_ptr,
25
    png_const_color_16p background)
26
104
{
27
104
   png_debug1(1, "in %s storage function", "bKGD");
28
29
104
   if (png_ptr == NULL || info_ptr == NULL || background == NULL)
30
0
      return;
31
32
104
   info_ptr->background = *background;
33
104
   info_ptr->valid |= PNG_INFO_bKGD;
34
104
}
35
#endif
36
37
#ifdef PNG_cHRM_SUPPORTED
38
void PNGFAPI
39
png_set_cHRM_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
40
    png_fixed_point white_x, png_fixed_point white_y, png_fixed_point red_x,
41
    png_fixed_point red_y, png_fixed_point green_x, png_fixed_point green_y,
42
    png_fixed_point blue_x, png_fixed_point blue_y)
43
3.61k
{
44
3.61k
   png_debug1(1, "in %s storage function", "cHRM fixed");
45
46
3.61k
   if (png_ptr == NULL || info_ptr == NULL)
47
0
      return;
48
49
3.61k
   info_ptr->cHRM.redx = red_x;
50
3.61k
   info_ptr->cHRM.redy = red_y;
51
3.61k
   info_ptr->cHRM.greenx = green_x;
52
3.61k
   info_ptr->cHRM.greeny = green_y;
53
3.61k
   info_ptr->cHRM.bluex = blue_x;
54
3.61k
   info_ptr->cHRM.bluey = blue_y;
55
3.61k
   info_ptr->cHRM.whitex = white_x;
56
3.61k
   info_ptr->cHRM.whitey = white_y;
57
58
3.61k
   info_ptr->valid |= PNG_INFO_cHRM;
59
3.61k
}
60
61
void PNGFAPI
62
png_set_cHRM_XYZ_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
63
    png_fixed_point int_red_X, png_fixed_point int_red_Y,
64
    png_fixed_point int_red_Z, png_fixed_point int_green_X,
65
    png_fixed_point int_green_Y, png_fixed_point int_green_Z,
66
    png_fixed_point int_blue_X, png_fixed_point int_blue_Y,
67
    png_fixed_point int_blue_Z)
68
0
{
69
0
   png_XYZ XYZ;
70
0
   png_xy xy;
71
72
0
   png_debug1(1, "in %s storage function", "cHRM XYZ fixed");
73
74
0
   if (png_ptr == NULL || info_ptr == NULL)
75
0
      return;
76
77
0
   XYZ.red_X = int_red_X;
78
0
   XYZ.red_Y = int_red_Y;
79
0
   XYZ.red_Z = int_red_Z;
80
0
   XYZ.green_X = int_green_X;
81
0
   XYZ.green_Y = int_green_Y;
82
0
   XYZ.green_Z = int_green_Z;
83
0
   XYZ.blue_X = int_blue_X;
84
0
   XYZ.blue_Y = int_blue_Y;
85
0
   XYZ.blue_Z = int_blue_Z;
86
87
0
   if (png_xy_from_XYZ(&xy, &XYZ) == 0)
88
0
   {
89
0
      info_ptr->cHRM = xy;
90
0
      info_ptr->valid |= PNG_INFO_cHRM;
91
0
   }
92
93
0
   else
94
0
      png_app_error(png_ptr, "invalid cHRM XYZ");
95
0
}
96
97
#  ifdef PNG_FLOATING_POINT_SUPPORTED
98
void PNGAPI
99
png_set_cHRM(png_const_structrp png_ptr, png_inforp info_ptr,
100
    double white_x, double white_y, double red_x, double red_y,
101
    double green_x, double green_y, double blue_x, double blue_y)
102
0
{
103
0
   png_set_cHRM_fixed(png_ptr, info_ptr,
104
0
       png_fixed(png_ptr, white_x, "cHRM White X"),
105
0
       png_fixed(png_ptr, white_y, "cHRM White Y"),
106
0
       png_fixed(png_ptr, red_x, "cHRM Red X"),
107
0
       png_fixed(png_ptr, red_y, "cHRM Red Y"),
108
0
       png_fixed(png_ptr, green_x, "cHRM Green X"),
109
0
       png_fixed(png_ptr, green_y, "cHRM Green Y"),
110
0
       png_fixed(png_ptr, blue_x, "cHRM Blue X"),
111
0
       png_fixed(png_ptr, blue_y, "cHRM Blue Y"));
112
0
}
113
114
void PNGAPI
115
png_set_cHRM_XYZ(png_const_structrp png_ptr, png_inforp info_ptr, double red_X,
116
    double red_Y, double red_Z, double green_X, double green_Y, double green_Z,
117
    double blue_X, double blue_Y, double blue_Z)
118
0
{
119
0
   png_set_cHRM_XYZ_fixed(png_ptr, info_ptr,
120
0
       png_fixed(png_ptr, red_X, "cHRM Red X"),
121
0
       png_fixed(png_ptr, red_Y, "cHRM Red Y"),
122
0
       png_fixed(png_ptr, red_Z, "cHRM Red Z"),
123
0
       png_fixed(png_ptr, green_X, "cHRM Green X"),
124
0
       png_fixed(png_ptr, green_Y, "cHRM Green Y"),
125
0
       png_fixed(png_ptr, green_Z, "cHRM Green Z"),
126
0
       png_fixed(png_ptr, blue_X, "cHRM Blue X"),
127
0
       png_fixed(png_ptr, blue_Y, "cHRM Blue Y"),
128
0
       png_fixed(png_ptr, blue_Z, "cHRM Blue Z"));
129
0
}
130
#  endif /* FLOATING_POINT */
131
132
#endif /* cHRM */
133
134
#ifdef PNG_cICP_SUPPORTED
135
void PNGAPI
136
png_set_cICP(png_const_structrp png_ptr, png_inforp info_ptr,
137
             png_byte colour_primaries, png_byte transfer_function,
138
             png_byte matrix_coefficients, png_byte video_full_range_flag)
139
1.04k
{
140
1.04k
   png_debug1(1, "in %s storage function", "cICP");
141
142
1.04k
   if (png_ptr == NULL || info_ptr == NULL)
143
0
      return;
144
145
1.04k
   info_ptr->cicp_colour_primaries = colour_primaries;
146
1.04k
   info_ptr->cicp_transfer_function = transfer_function;
147
1.04k
   info_ptr->cicp_matrix_coefficients = matrix_coefficients;
148
1.04k
   info_ptr->cicp_video_full_range_flag = video_full_range_flag;
149
150
1.04k
   if (info_ptr->cicp_matrix_coefficients != 0)
151
735
   {
152
735
      png_warning(png_ptr, "Invalid cICP matrix coefficients");
153
735
      return;
154
735
   }
155
156
305
   info_ptr->valid |= PNG_INFO_cICP;
157
305
}
158
#endif /* cICP */
159
160
#ifdef PNG_cLLI_SUPPORTED
161
void PNGFAPI
162
png_set_cLLI_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
163
    /* The values below are in cd/m2 (nits) and are scaled by 10,000; not
164
     * 100,000 as in the case of png_fixed_point.
165
     */
166
    png_uint_32 maxCLL, png_uint_32 maxFALL)
167
252
{
168
252
   png_debug1(1, "in %s storage function", "cLLI");
169
170
252
   if (png_ptr == NULL || info_ptr == NULL)
171
0
      return;
172
173
   /* Check the light level range: */
174
252
   if (maxCLL > 0x7FFFFFFFU || maxFALL > 0x7FFFFFFFU)
175
189
   {
176
      /* The limit is 200kcd/m2; somewhat bright but not inconceivable because
177
       * human vision is said to run up to 100Mcd/m2.  The sun is about 2Gcd/m2.
178
       *
179
       * The reference sRGB monitor is 80cd/m2 and the limit of PQ encoding is
180
       * 2kcd/m2.
181
       */
182
189
      png_chunk_report(png_ptr, "cLLI light level exceeds PNG limit",
183
189
            PNG_CHUNK_WRITE_ERROR);
184
189
      return;
185
189
   }
186
187
63
   info_ptr->maxCLL = maxCLL;
188
63
   info_ptr->maxFALL = maxFALL;
189
63
   info_ptr->valid |= PNG_INFO_cLLI;
190
63
}
191
192
#  ifdef PNG_FLOATING_POINT_SUPPORTED
193
void PNGAPI
194
png_set_cLLI(png_const_structrp png_ptr, png_inforp info_ptr,
195
   double maxCLL, double maxFALL)
196
0
{
197
0
   png_set_cLLI_fixed(png_ptr, info_ptr,
198
0
       png_fixed_ITU(png_ptr, maxCLL, "png_set_cLLI(maxCLL)"),
199
0
       png_fixed_ITU(png_ptr, maxFALL, "png_set_cLLI(maxFALL)"));
200
0
}
201
#  endif /* FLOATING_POINT */
202
#endif /* cLLI */
203
204
#ifdef PNG_mDCV_SUPPORTED
205
static png_uint_16
206
png_ITU_fixed_16(int *error, png_fixed_point v)
207
12.7k
{
208
   /* Return a safe uint16_t value scaled according to the ITU H273 rules for
209
    * 16-bit display chromaticities.  Functions like the corresponding
210
    * png_fixed() internal function with regard to errors: it's an error on
211
    * write, a chunk_benign_error on read: See the definition of
212
    * png_chunk_report in pngpriv.h.
213
    */
214
12.7k
   v /= 2; /* rounds to 0 in C: avoids insignificant arithmetic errors */
215
12.7k
   if (v > 65535 || v < 0)
216
0
   {
217
0
      *error = 1;
218
0
      return 0;
219
0
   }
220
221
12.7k
   return (png_uint_16)/*SAFE*/v;
222
12.7k
}
223
224
void PNGAPI
225
png_set_mDCV_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
226
    png_fixed_point white_x, png_fixed_point white_y,
227
    png_fixed_point red_x, png_fixed_point red_y,
228
    png_fixed_point green_x, png_fixed_point green_y,
229
    png_fixed_point blue_x, png_fixed_point blue_y,
230
    png_uint_32 maxDL,
231
    png_uint_32 minDL)
232
1.58k
{
233
1.58k
   png_uint_16 rx, ry, gx, gy, bx, by, wx, wy;
234
1.58k
   int error;
235
236
1.58k
   png_debug1(1, "in %s storage function", "mDCV");
237
238
1.58k
   if (png_ptr == NULL || info_ptr == NULL)
239
0
      return;
240
241
   /* Check the input values to ensure they are in the expected range: */
242
1.58k
   error = 0;
243
1.58k
   rx = png_ITU_fixed_16(&error, red_x);
244
1.58k
   ry = png_ITU_fixed_16(&error, red_y);
245
1.58k
   gx = png_ITU_fixed_16(&error, green_x);
246
1.58k
   gy = png_ITU_fixed_16(&error, green_y);
247
1.58k
   bx = png_ITU_fixed_16(&error, blue_x);
248
1.58k
   by = png_ITU_fixed_16(&error, blue_y);
249
1.58k
   wx = png_ITU_fixed_16(&error, white_x);
250
1.58k
   wy = png_ITU_fixed_16(&error, white_y);
251
252
1.58k
   if (error)
253
0
   {
254
0
      png_chunk_report(png_ptr,
255
0
         "mDCV chromaticities outside representable range",
256
0
         PNG_CHUNK_WRITE_ERROR);
257
0
      return;
258
0
   }
259
260
   /* Check the light level range: */
261
1.58k
   if (maxDL > 0x7FFFFFFFU || minDL > 0x7FFFFFFFU)
262
519
   {
263
      /* The limit is 200kcd/m2; somewhat bright but not inconceivable because
264
       * human vision is said to run up to 100Mcd/m2.  The sun is about 2Gcd/m2.
265
       *
266
       * The reference sRGB monitor is 80cd/m2 and the limit of PQ encoding is
267
       * 2kcd/m2.
268
       */
269
519
      png_chunk_report(png_ptr, "mDCV display light level exceeds PNG limit",
270
519
            PNG_CHUNK_WRITE_ERROR);
271
519
      return;
272
519
   }
273
274
   /* All values are safe, the settings are accepted.
275
    *
276
    * IMPLEMENTATION NOTE: in practice the values can be checked and assigned
277
    * but the result is confusing if a writing app calls png_set_mDCV more than
278
    * once, the second time with an invalid value.  This approach is more
279
    * obviously correct at the cost of typing and a very slight machine
280
    * overhead.
281
    */
282
1.07k
   info_ptr->mastering_red_x = rx;
283
1.07k
   info_ptr->mastering_red_y = ry;
284
1.07k
   info_ptr->mastering_green_x = gx;
285
1.07k
   info_ptr->mastering_green_y = gy;
286
1.07k
   info_ptr->mastering_blue_x = bx;
287
1.07k
   info_ptr->mastering_blue_y = by;
288
1.07k
   info_ptr->mastering_white_x = wx;
289
1.07k
   info_ptr->mastering_white_y = wy;
290
1.07k
   info_ptr->mastering_maxDL = maxDL;
291
1.07k
   info_ptr->mastering_minDL = minDL;
292
1.07k
   info_ptr->valid |= PNG_INFO_mDCV;
293
1.07k
}
294
295
#  ifdef PNG_FLOATING_POINT_SUPPORTED
296
void PNGAPI
297
png_set_mDCV(png_const_structrp png_ptr, png_inforp info_ptr,
298
    double white_x, double white_y, double red_x, double red_y, double green_x,
299
    double green_y, double blue_x, double blue_y,
300
    double maxDL, double minDL)
301
0
{
302
0
   png_set_mDCV_fixed(png_ptr, info_ptr,
303
0
      png_fixed(png_ptr, white_x, "png_set_mDCV(white(x))"),
304
0
      png_fixed(png_ptr, white_y, "png_set_mDCV(white(y))"),
305
0
      png_fixed(png_ptr, red_x, "png_set_mDCV(red(x))"),
306
0
      png_fixed(png_ptr, red_y, "png_set_mDCV(red(y))"),
307
0
      png_fixed(png_ptr, green_x, "png_set_mDCV(green(x))"),
308
0
      png_fixed(png_ptr, green_y, "png_set_mDCV(green(y))"),
309
0
      png_fixed(png_ptr, blue_x, "png_set_mDCV(blue(x))"),
310
0
      png_fixed(png_ptr, blue_y, "png_set_mDCV(blue(y))"),
311
0
      png_fixed_ITU(png_ptr, maxDL, "png_set_mDCV(maxDL)"),
312
0
      png_fixed_ITU(png_ptr, minDL, "png_set_mDCV(minDL)"));
313
0
}
314
#  endif /* FLOATING_POINT */
315
#endif /* mDCV */
316
317
#ifdef PNG_eXIf_SUPPORTED
318
void PNGAPI
319
png_set_eXIf(png_const_structrp png_ptr, png_inforp info_ptr,
320
    png_bytep exif)
321
0
{
322
0
  png_warning(png_ptr, "png_set_eXIf does not work; use png_set_eXIf_1");
323
0
  PNG_UNUSED(info_ptr)
324
0
  PNG_UNUSED(exif)
325
0
}
326
327
void PNGAPI
328
png_set_eXIf_1(png_const_structrp png_ptr, png_inforp info_ptr,
329
    png_uint_32 num_exif, png_bytep exif)
330
58
{
331
58
   png_bytep new_exif;
332
333
58
   png_debug1(1, "in %s storage function", "eXIf");
334
335
58
   if (png_ptr == NULL || info_ptr == NULL ||
336
58
       (png_ptr->mode & PNG_WROTE_eXIf) != 0 ||
337
58
       exif == NULL)
338
0
      return;
339
340
58
   new_exif = png_voidcast(png_bytep, png_malloc_warn(png_ptr, num_exif));
341
342
58
   if (new_exif == NULL)
343
0
   {
344
0
      png_warning(png_ptr, "Insufficient memory for eXIf chunk data");
345
0
      return;
346
0
   }
347
348
58
   memcpy(new_exif, exif, (size_t)num_exif);
349
350
58
   png_free_data(png_ptr, info_ptr, PNG_FREE_EXIF, 0);
351
352
58
   info_ptr->num_exif = num_exif;
353
58
   info_ptr->exif = new_exif;
354
58
   info_ptr->free_me |= PNG_FREE_EXIF;
355
58
   info_ptr->valid |= PNG_INFO_eXIf;
356
58
}
357
#endif /* eXIf */
358
359
#ifdef PNG_gAMA_SUPPORTED
360
void PNGFAPI
361
png_set_gAMA_fixed(png_const_structrp png_ptr, png_inforp info_ptr,
362
    png_fixed_point file_gamma)
363
1.39k
{
364
1.39k
   png_debug1(1, "in %s storage function", "gAMA");
365
366
1.39k
   if (png_ptr == NULL || info_ptr == NULL)
367
0
      return;
368
369
1.39k
   info_ptr->gamma = file_gamma;
370
1.39k
   info_ptr->valid |= PNG_INFO_gAMA;
371
1.39k
}
372
373
#  ifdef PNG_FLOATING_POINT_SUPPORTED
374
void PNGAPI
375
png_set_gAMA(png_const_structrp png_ptr, png_inforp info_ptr, double file_gamma)
376
0
{
377
0
   png_set_gAMA_fixed(png_ptr, info_ptr, png_fixed(png_ptr, file_gamma,
378
0
       "png_set_gAMA"));
379
0
}
380
#  endif
381
#endif
382
383
#ifdef PNG_hIST_SUPPORTED
384
void PNGAPI
385
png_set_hIST(png_const_structrp png_ptr, png_inforp info_ptr,
386
    png_const_uint_16p hist)
387
74
{
388
74
   png_uint_16 safe_hist[PNG_MAX_PALETTE_LENGTH];
389
74
   int i;
390
391
74
   png_debug1(1, "in %s storage function", "hIST");
392
393
74
   if (png_ptr == NULL || info_ptr == NULL || hist == NULL)
394
0
      return;
395
396
74
   if (info_ptr->num_palette == 0 || info_ptr->num_palette
397
0
       > PNG_MAX_PALETTE_LENGTH)
398
74
   {
399
74
      png_warning(png_ptr,
400
74
          "Invalid palette size, hIST allocation skipped");
401
402
74
      return;
403
74
   }
404
405
   /* Snapshot the caller's hist before freeing, in case it points to
406
    * info_ptr->hist (getter-to-setter aliasing).
407
    */
408
0
   memcpy(safe_hist, hist, (unsigned int)info_ptr->num_palette *
409
0
       (sizeof (png_uint_16)));
410
0
   hist = safe_hist;
411
412
0
   png_free_data(png_ptr, info_ptr, PNG_FREE_HIST, 0);
413
414
   /* Changed from info->num_palette to PNG_MAX_PALETTE_LENGTH in
415
    * version 1.2.1
416
    */
417
0
   info_ptr->hist = png_voidcast(png_uint_16p, png_malloc_warn(png_ptr,
418
0
       PNG_MAX_PALETTE_LENGTH * (sizeof (png_uint_16))));
419
420
0
   if (info_ptr->hist == NULL)
421
0
   {
422
0
      png_warning(png_ptr, "Insufficient memory for hIST chunk data");
423
0
      return;
424
0
   }
425
426
0
   for (i = 0; i < info_ptr->num_palette; i++)
427
0
      info_ptr->hist[i] = hist[i];
428
429
0
   info_ptr->free_me |= PNG_FREE_HIST;
430
0
   info_ptr->valid |= PNG_INFO_hIST;
431
0
}
432
#endif
433
434
void PNGAPI
435
png_set_IHDR(png_const_structrp png_ptr, png_inforp info_ptr,
436
    png_uint_32 width, png_uint_32 height, int bit_depth,
437
    int color_type, int interlace_type, int compression_type,
438
    int filter_type)
439
27.8k
{
440
27.8k
   png_debug1(1, "in %s storage function", "IHDR");
441
442
27.8k
   if (png_ptr == NULL || info_ptr == NULL)
443
0
      return;
444
445
27.8k
   info_ptr->width = width;
446
27.8k
   info_ptr->height = height;
447
27.8k
   info_ptr->bit_depth = (png_byte)bit_depth;
448
27.8k
   info_ptr->color_type = (png_byte)color_type;
449
27.8k
   info_ptr->compression_type = (png_byte)compression_type;
450
27.8k
   info_ptr->filter_type = (png_byte)filter_type;
451
27.8k
   info_ptr->interlace_type = (png_byte)interlace_type;
452
453
27.8k
   png_check_IHDR (png_ptr, info_ptr->width, info_ptr->height,
454
27.8k
       info_ptr->bit_depth, info_ptr->color_type, info_ptr->interlace_type,
455
27.8k
       info_ptr->compression_type, info_ptr->filter_type);
456
457
27.8k
   if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
458
3.57k
      info_ptr->channels = 1;
459
460
24.2k
   else if ((info_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
461
13.6k
      info_ptr->channels = 3;
462
463
10.6k
   else
464
10.6k
      info_ptr->channels = 1;
465
466
27.8k
   if ((info_ptr->color_type & PNG_COLOR_MASK_ALPHA) != 0)
467
7.52k
      info_ptr->channels++;
468
469
27.8k
   info_ptr->pixel_depth = (png_byte)(info_ptr->channels * info_ptr->bit_depth);
470
471
27.8k
   info_ptr->rowbytes = PNG_ROWBYTES(info_ptr->pixel_depth, width);
472
27.8k
}
473
474
#ifdef PNG_oFFs_SUPPORTED
475
void PNGAPI
476
png_set_oFFs(png_const_structrp png_ptr, png_inforp info_ptr,
477
    png_int_32 offset_x, png_int_32 offset_y, int unit_type)
478
63
{
479
63
   png_debug1(1, "in %s storage function", "oFFs");
480
481
63
   if (png_ptr == NULL || info_ptr == NULL)
482
0
      return;
483
484
63
   info_ptr->x_offset = offset_x;
485
63
   info_ptr->y_offset = offset_y;
486
63
   info_ptr->offset_unit_type = (png_byte)unit_type;
487
63
   info_ptr->valid |= PNG_INFO_oFFs;
488
63
}
489
#endif
490
491
#ifdef PNG_pCAL_SUPPORTED
492
void PNGAPI
493
png_set_pCAL(png_const_structrp png_ptr, png_inforp info_ptr,
494
    png_const_charp purpose, png_int_32 X0, png_int_32 X1, int type,
495
    int nparams, png_const_charp units, png_charpp params)
496
148
{
497
148
   size_t length;
498
148
   int i;
499
500
148
   png_debug1(1, "in %s storage function", "pCAL");
501
502
148
   if (png_ptr == NULL || info_ptr == NULL || purpose == NULL || units == NULL
503
148
       || (nparams > 0 && params == NULL))
504
0
      return;
505
506
148
   length = strlen(purpose) + 1;
507
148
   png_debug1(3, "allocating purpose for info (%lu bytes)",
508
148
       (unsigned long)length);
509
510
   /* TODO: validate format of calibration name and unit name */
511
512
   /* Check that the type matches the specification. */
513
148
   if (type < 0 || type > 3)
514
31
   {
515
31
      png_chunk_report(png_ptr, "Invalid pCAL equation type",
516
31
            PNG_CHUNK_WRITE_ERROR);
517
31
      return;
518
31
   }
519
520
117
   if (nparams < 0 || nparams > 255)
521
0
   {
522
0
      png_chunk_report(png_ptr, "Invalid pCAL parameter count",
523
0
            PNG_CHUNK_WRITE_ERROR);
524
0
      return;
525
0
   }
526
527
   /* Validate params[nparams] */
528
411
   for (i=0; i<nparams; ++i)
529
339
   {
530
339
      if (params[i] == NULL ||
531
339
          !png_check_fp_string(params[i], strlen(params[i])))
532
45
      {
533
45
         png_chunk_report(png_ptr, "Invalid format for pCAL parameter",
534
45
               PNG_CHUNK_WRITE_ERROR);
535
45
         return;
536
45
      }
537
339
   }
538
539
72
   info_ptr->pcal_purpose = png_voidcast(png_charp,
540
72
       png_malloc_warn(png_ptr, length));
541
542
72
   if (info_ptr->pcal_purpose == NULL)
543
0
   {
544
0
      png_chunk_report(png_ptr, "Insufficient memory for pCAL purpose",
545
0
            PNG_CHUNK_WRITE_ERROR);
546
0
      return;
547
0
   }
548
549
72
   memcpy(info_ptr->pcal_purpose, purpose, length);
550
551
72
   info_ptr->free_me |= PNG_FREE_PCAL;
552
553
72
   png_debug(3, "storing X0, X1, type, and nparams in info");
554
72
   info_ptr->pcal_X0 = X0;
555
72
   info_ptr->pcal_X1 = X1;
556
72
   info_ptr->pcal_type = (png_byte)type;
557
72
   info_ptr->pcal_nparams = (png_byte)nparams;
558
559
72
   length = strlen(units) + 1;
560
72
   png_debug1(3, "allocating units for info (%lu bytes)",
561
72
       (unsigned long)length);
562
563
72
   info_ptr->pcal_units = png_voidcast(png_charp,
564
72
       png_malloc_warn(png_ptr, length));
565
566
72
   if (info_ptr->pcal_units == NULL)
567
0
   {
568
0
      png_warning(png_ptr, "Insufficient memory for pCAL units");
569
0
      return;
570
0
   }
571
572
72
   memcpy(info_ptr->pcal_units, units, length);
573
574
72
   info_ptr->pcal_params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
575
72
       (size_t)(((unsigned int)nparams + 1) * (sizeof (png_charp)))));
576
577
72
   if (info_ptr->pcal_params == NULL)
578
0
   {
579
0
      png_warning(png_ptr, "Insufficient memory for pCAL params");
580
0
      return;
581
0
   }
582
583
72
   memset(info_ptr->pcal_params, 0, ((unsigned int)nparams + 1) *
584
72
       (sizeof (png_charp)));
585
586
315
   for (i = 0; i < nparams; i++)
587
243
   {
588
243
      length = strlen(params[i]) + 1;
589
243
      png_debug2(3, "allocating parameter %d for info (%lu bytes)", i,
590
243
          (unsigned long)length);
591
592
243
      info_ptr->pcal_params[i] = (png_charp)png_malloc_warn(png_ptr, length);
593
594
243
      if (info_ptr->pcal_params[i] == NULL)
595
0
      {
596
0
         png_warning(png_ptr, "Insufficient memory for pCAL parameter");
597
0
         return;
598
0
      }
599
600
243
      memcpy(info_ptr->pcal_params[i], params[i], length);
601
243
   }
602
603
72
   info_ptr->valid |= PNG_INFO_pCAL;
604
72
}
605
#endif
606
607
#ifdef PNG_sCAL_SUPPORTED
608
void PNGAPI
609
png_set_sCAL_s(png_const_structrp png_ptr, png_inforp info_ptr,
610
    int unit, png_const_charp swidth, png_const_charp sheight)
611
317
{
612
317
   size_t lengthw = 0, lengthh = 0;
613
614
317
   png_debug1(1, "in %s storage function", "sCAL");
615
616
317
   if (png_ptr == NULL || info_ptr == NULL)
617
0
      return;
618
619
   /* Double check the unit (should never get here with an invalid
620
    * unit unless this is an API call.)
621
    */
622
317
   if (unit != 1 && unit != 2)
623
0
      png_error(png_ptr, "Invalid sCAL unit");
624
625
317
   if (swidth == NULL || (lengthw = strlen(swidth)) == 0 ||
626
317
       swidth[0] == 45 /* '-' */ || !png_check_fp_string(swidth, lengthw))
627
0
      png_error(png_ptr, "Invalid sCAL width");
628
629
317
   if (sheight == NULL || (lengthh = strlen(sheight)) == 0 ||
630
317
       sheight[0] == 45 /* '-' */ || !png_check_fp_string(sheight, lengthh))
631
0
      png_error(png_ptr, "Invalid sCAL height");
632
633
317
   info_ptr->scal_unit = (png_byte)unit;
634
635
317
   ++lengthw;
636
637
317
   png_debug1(3, "allocating unit for info (%u bytes)", (unsigned int)lengthw);
638
639
317
   info_ptr->scal_s_width = png_voidcast(png_charp,
640
317
       png_malloc_warn(png_ptr, lengthw));
641
642
317
   if (info_ptr->scal_s_width == NULL)
643
0
   {
644
0
      png_warning(png_ptr, "Memory allocation failed while processing sCAL");
645
646
0
      return;
647
0
   }
648
649
317
   memcpy(info_ptr->scal_s_width, swidth, lengthw);
650
651
317
   ++lengthh;
652
653
317
   png_debug1(3, "allocating unit for info (%u bytes)", (unsigned int)lengthh);
654
655
317
   info_ptr->scal_s_height = png_voidcast(png_charp,
656
317
       png_malloc_warn(png_ptr, lengthh));
657
658
317
   if (info_ptr->scal_s_height == NULL)
659
0
   {
660
0
      png_free(png_ptr, info_ptr->scal_s_width);
661
0
      info_ptr->scal_s_width = NULL;
662
663
0
      png_warning(png_ptr, "Memory allocation failed while processing sCAL");
664
0
      return;
665
0
   }
666
667
317
   memcpy(info_ptr->scal_s_height, sheight, lengthh);
668
669
317
   info_ptr->free_me |= PNG_FREE_SCAL;
670
317
   info_ptr->valid |= PNG_INFO_sCAL;
671
317
}
672
673
#  ifdef PNG_FLOATING_POINT_SUPPORTED
674
void PNGAPI
675
png_set_sCAL(png_const_structrp png_ptr, png_inforp info_ptr, int unit,
676
    double width, double height)
677
0
{
678
0
   png_debug1(1, "in %s storage function", "sCAL");
679
680
   /* Check the arguments. */
681
0
   if (width <= 0)
682
0
      png_warning(png_ptr, "Invalid sCAL width ignored");
683
684
0
   else if (height <= 0)
685
0
      png_warning(png_ptr, "Invalid sCAL height ignored");
686
687
0
   else
688
0
   {
689
      /* Convert 'width' and 'height' to ASCII. */
690
0
      char swidth[PNG_sCAL_MAX_DIGITS+1];
691
0
      char sheight[PNG_sCAL_MAX_DIGITS+1];
692
693
0
      png_ascii_from_fp(png_ptr, swidth, (sizeof swidth), width,
694
0
          PNG_sCAL_PRECISION);
695
0
      png_ascii_from_fp(png_ptr, sheight, (sizeof sheight), height,
696
0
          PNG_sCAL_PRECISION);
697
698
0
      png_set_sCAL_s(png_ptr, info_ptr, unit, swidth, sheight);
699
0
   }
700
0
}
701
#  endif
702
703
#  ifdef PNG_FIXED_POINT_SUPPORTED
704
void PNGAPI
705
png_set_sCAL_fixed(png_const_structrp png_ptr, png_inforp info_ptr, int unit,
706
    png_fixed_point width, png_fixed_point height)
707
0
{
708
0
   png_debug1(1, "in %s storage function", "sCAL");
709
710
   /* Check the arguments. */
711
0
   if (width <= 0)
712
0
      png_warning(png_ptr, "Invalid sCAL width ignored");
713
714
0
   else if (height <= 0)
715
0
      png_warning(png_ptr, "Invalid sCAL height ignored");
716
717
0
   else
718
0
   {
719
      /* Convert 'width' and 'height' to ASCII. */
720
0
      char swidth[PNG_sCAL_MAX_DIGITS+1];
721
0
      char sheight[PNG_sCAL_MAX_DIGITS+1];
722
723
0
      png_ascii_from_fixed(png_ptr, swidth, (sizeof swidth), width);
724
0
      png_ascii_from_fixed(png_ptr, sheight, (sizeof sheight), height);
725
726
0
      png_set_sCAL_s(png_ptr, info_ptr, unit, swidth, sheight);
727
0
   }
728
0
}
729
#  endif
730
#endif
731
732
#ifdef PNG_pHYs_SUPPORTED
733
void PNGAPI
734
png_set_pHYs(png_const_structrp png_ptr, png_inforp info_ptr,
735
    png_uint_32 res_x, png_uint_32 res_y, int unit_type)
736
37
{
737
37
   png_debug1(1, "in %s storage function", "pHYs");
738
739
37
   if (png_ptr == NULL || info_ptr == NULL)
740
0
      return;
741
742
37
   info_ptr->x_pixels_per_unit = res_x;
743
37
   info_ptr->y_pixels_per_unit = res_y;
744
37
   info_ptr->phys_unit_type = (png_byte)unit_type;
745
37
   info_ptr->valid |= PNG_INFO_pHYs;
746
37
}
747
#endif
748
749
void PNGAPI
750
png_set_PLTE(png_structrp png_ptr, png_inforp info_ptr,
751
    png_const_colorp palette, int num_palette)
752
1.89k
{
753
1.89k
   png_color safe_palette[PNG_MAX_PALETTE_LENGTH];
754
1.89k
   png_uint_32 max_palette_length;
755
756
1.89k
   png_debug1(1, "in %s storage function", "PLTE");
757
758
1.89k
   if (png_ptr == NULL || info_ptr == NULL)
759
0
      return;
760
761
1.89k
   max_palette_length = (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
762
1.76k
      (1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
763
764
1.89k
   if (num_palette < 0 || num_palette > (int) max_palette_length)
765
0
   {
766
0
      if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
767
0
         png_error(png_ptr, "Invalid palette length");
768
769
0
      else
770
0
      {
771
0
         png_warning(png_ptr, "Invalid palette length");
772
773
0
         return;
774
0
      }
775
0
   }
776
777
1.89k
   if ((num_palette > 0 && palette == NULL) ||
778
1.89k
      (num_palette == 0
779
8
#        ifdef PNG_MNG_FEATURES_SUPPORTED
780
8
            && (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0
781
1.89k
#        endif
782
1.89k
      ))
783
8
   {
784
8
      png_error(png_ptr, "Invalid palette");
785
8
   }
786
787
   /* Snapshot the caller's palette before freeing, in case it points to
788
    * info_ptr->palette (getter-to-setter aliasing).
789
    */
790
1.88k
   if (num_palette > 0)
791
1.88k
      memcpy(safe_palette, palette, (unsigned int)num_palette *
792
1.88k
          (sizeof (png_color)));
793
794
1.88k
   palette = safe_palette;
795
796
1.88k
   png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
797
798
   /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
799
    * of num_palette entries, in case of an invalid PNG file or incorrect
800
    * call to png_set_PLTE() with too-large sample values.
801
    *
802
    * Allocate independent buffers for info_ptr and png_ptr so that the
803
    * lifetime of png_ptr->palette is decoupled from the lifetime of
804
    * info_ptr->palette.  Previously, these two pointers were aliased,
805
    * which caused a use-after-free vulnerability if png_free_data freed
806
    * info_ptr->palette while png_ptr->palette was still in use by the
807
    * row transform functions (e.g. png_do_expand_palette).
808
    *
809
    * Both buffers are allocated with png_calloc to zero-fill, because
810
    * the ARM NEON palette riffle reads all 256 entries unconditionally,
811
    * regardless of num_palette.
812
    */
813
1.88k
   png_free(png_ptr, png_ptr->palette);
814
1.88k
   png_ptr->palette = NULL;
815
1.88k
   png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
816
1.88k
       PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
817
1.88k
   info_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
818
1.88k
       PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
819
1.88k
   png_ptr->num_palette = info_ptr->num_palette = (png_uint_16)num_palette;
820
821
1.88k
   if (num_palette > 0)
822
1.88k
   {
823
1.88k
      memcpy(info_ptr->palette, palette, (unsigned int)num_palette *
824
1.88k
          (sizeof (png_color)));
825
1.88k
      memcpy(png_ptr->palette, palette, (unsigned int)num_palette *
826
1.88k
          (sizeof (png_color)));
827
1.88k
   }
828
829
1.88k
   info_ptr->free_me |= PNG_FREE_PLTE;
830
1.88k
   info_ptr->valid |= PNG_INFO_PLTE;
831
1.88k
}
832
833
#ifdef PNG_sBIT_SUPPORTED
834
void PNGAPI
835
png_set_sBIT(png_const_structrp png_ptr, png_inforp info_ptr,
836
    png_const_color_8p sig_bit)
837
372
{
838
372
   png_debug1(1, "in %s storage function", "sBIT");
839
840
372
   if (png_ptr == NULL || info_ptr == NULL || sig_bit == NULL)
841
0
      return;
842
843
372
   info_ptr->sig_bit = *sig_bit;
844
372
   info_ptr->valid |= PNG_INFO_sBIT;
845
372
}
846
#endif
847
848
#ifdef PNG_sRGB_SUPPORTED
849
void PNGAPI
850
png_set_sRGB(png_const_structrp png_ptr, png_inforp info_ptr, int srgb_intent)
851
82
{
852
82
   png_debug1(1, "in %s storage function", "sRGB");
853
854
82
   if (png_ptr == NULL || info_ptr == NULL)
855
0
      return;
856
857
82
   info_ptr->rendering_intent = srgb_intent;
858
82
   info_ptr->valid |= PNG_INFO_sRGB;
859
82
}
860
861
void PNGAPI
862
png_set_sRGB_gAMA_and_cHRM(png_const_structrp png_ptr, png_inforp info_ptr,
863
    int srgb_intent)
864
0
{
865
0
   png_debug1(1, "in %s storage function", "sRGB_gAMA_and_cHRM");
866
867
0
   if (png_ptr == NULL || info_ptr == NULL)
868
0
      return;
869
870
0
   png_set_sRGB(png_ptr, info_ptr, srgb_intent);
871
872
0
#  ifdef PNG_gAMA_SUPPORTED
873
0
      png_set_gAMA_fixed(png_ptr, info_ptr, PNG_GAMMA_sRGB_INVERSE);
874
0
#  endif /* gAMA */
875
876
0
#  ifdef PNG_cHRM_SUPPORTED
877
0
      png_set_cHRM_fixed(png_ptr, info_ptr,
878
         /* color      x       y */
879
0
         /* white */ 31270, 32900,
880
0
         /* red   */ 64000, 33000,
881
0
         /* green */ 30000, 60000,
882
0
         /* blue  */ 15000,  6000);
883
0
#  endif /* cHRM */
884
0
}
885
#endif /* sRGB */
886
887
888
#ifdef PNG_iCCP_SUPPORTED
889
void PNGAPI
890
png_set_iCCP(png_const_structrp png_ptr, png_inforp info_ptr,
891
    png_const_charp name, int compression_type,
892
    png_const_bytep profile, png_uint_32 proflen)
893
0
{
894
0
   png_charp new_iccp_name;
895
0
   png_bytep new_iccp_profile;
896
0
   size_t length;
897
898
0
   png_debug1(1, "in %s storage function", "iCCP");
899
900
0
   if (png_ptr == NULL || info_ptr == NULL || name == NULL || profile == NULL)
901
0
      return;
902
903
0
   if (compression_type != PNG_COMPRESSION_TYPE_BASE)
904
0
      png_app_error(png_ptr, "Invalid iCCP compression method");
905
906
0
   length = strlen(name)+1;
907
0
   new_iccp_name = png_voidcast(png_charp, png_malloc_warn(png_ptr, length));
908
909
0
   if (new_iccp_name == NULL)
910
0
   {
911
0
      png_benign_error(png_ptr, "Insufficient memory to process iCCP chunk");
912
913
0
      return;
914
0
   }
915
916
0
   memcpy(new_iccp_name, name, length);
917
0
   new_iccp_profile = png_voidcast(png_bytep,
918
0
       png_malloc_warn(png_ptr, proflen));
919
920
0
   if (new_iccp_profile == NULL)
921
0
   {
922
0
      png_free(png_ptr, new_iccp_name);
923
0
      png_benign_error(png_ptr,
924
0
          "Insufficient memory to process iCCP profile");
925
926
0
      return;
927
0
   }
928
929
0
   memcpy(new_iccp_profile, profile, proflen);
930
931
0
   png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, 0);
932
933
0
   info_ptr->iccp_proflen = proflen;
934
0
   info_ptr->iccp_name = new_iccp_name;
935
0
   info_ptr->iccp_profile = new_iccp_profile;
936
0
   info_ptr->free_me |= PNG_FREE_ICCP;
937
0
   info_ptr->valid |= PNG_INFO_iCCP;
938
0
}
939
#endif
940
941
#ifdef PNG_TEXT_SUPPORTED
942
void PNGAPI
943
png_set_text(png_const_structrp png_ptr, png_inforp info_ptr,
944
    png_const_textp text_ptr, int num_text)
945
0
{
946
0
   int ret;
947
0
   ret = png_set_text_2(png_ptr, info_ptr, text_ptr, num_text);
948
949
0
   if (ret != 0)
950
0
      png_error(png_ptr, "Insufficient memory to store text");
951
0
}
952
953
int /* PRIVATE */
954
png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
955
    png_const_textp text_ptr, int num_text)
956
115k
{
957
115k
   int i;
958
115k
   png_textp old_text = NULL;
959
960
115k
   png_debug1(1, "in text storage function, chunk typeid = 0x%lx",
961
115k
      png_ptr == NULL ? 0xabadca11UL : (unsigned long)png_ptr->chunk_name);
962
963
115k
   if (png_ptr == NULL || info_ptr == NULL || num_text <= 0 || text_ptr == NULL)
964
0
      return 0;
965
966
   /* Make sure we have enough space in the "text" array in info_struct
967
    * to hold all of the incoming text_ptr objects.  This compare can't overflow
968
    * because max_text >= num_text (anyway, subtract of two positive integers
969
    * can't overflow in any case.)
970
    */
971
115k
   if (num_text > info_ptr->max_text - info_ptr->num_text)
972
15.3k
   {
973
15.3k
      int old_num_text = info_ptr->num_text;
974
15.3k
      int max_text;
975
15.3k
      png_textp new_text = NULL;
976
977
      /* Calculate an appropriate max_text, checking for overflow. */
978
15.3k
      max_text = old_num_text;
979
15.3k
      if (num_text <= INT_MAX - max_text)
980
15.3k
      {
981
15.3k
         max_text += num_text;
982
983
         /* Round up to a multiple of 8 */
984
15.3k
         if (max_text < INT_MAX-8)
985
15.3k
            max_text = (max_text + 8) & ~0x7;
986
987
0
         else
988
0
            max_text = INT_MAX;
989
990
         /* Now allocate a new array and copy the old members in; this does all
991
          * the overflow checks.
992
          */
993
15.3k
         new_text = png_voidcast(png_textp,png_realloc_array(png_ptr,
994
15.3k
             info_ptr->text, old_num_text, max_text-old_num_text,
995
15.3k
             sizeof *new_text));
996
15.3k
      }
997
998
15.3k
      if (new_text == NULL)
999
0
      {
1000
0
         png_chunk_report(png_ptr, "too many text chunks",
1001
0
             PNG_CHUNK_WRITE_ERROR);
1002
1003
0
         return 1;
1004
0
      }
1005
1006
      /* Defer freeing the old array until after the copy loop below,
1007
       * in case text_ptr aliases info_ptr->text (getter-to-setter).
1008
       */
1009
15.3k
      old_text = info_ptr->text;
1010
1011
15.3k
      info_ptr->text = new_text;
1012
15.3k
      info_ptr->free_me |= PNG_FREE_TEXT;
1013
15.3k
      info_ptr->max_text = max_text;
1014
      /* num_text is adjusted below as the entries are copied in */
1015
1016
15.3k
      png_debug1(3, "allocated %d entries for info_ptr->text", max_text);
1017
15.3k
   }
1018
1019
231k
   for (i = 0; i < num_text; i++)
1020
115k
   {
1021
115k
      size_t text_length, key_len;
1022
115k
      size_t lang_len, lang_key_len;
1023
115k
      png_textp textp = &(info_ptr->text[info_ptr->num_text]);
1024
1025
115k
      if (text_ptr[i].key == NULL)
1026
0
          continue;
1027
1028
115k
      if (text_ptr[i].compression < PNG_TEXT_COMPRESSION_NONE ||
1029
115k
          text_ptr[i].compression >= PNG_TEXT_COMPRESSION_LAST)
1030
0
      {
1031
0
         png_chunk_report(png_ptr, "text compression mode is out of range",
1032
0
             PNG_CHUNK_WRITE_ERROR);
1033
0
         continue;
1034
0
      }
1035
1036
115k
      key_len = strlen(text_ptr[i].key);
1037
1038
115k
      if (text_ptr[i].compression <= 0)
1039
113k
      {
1040
113k
         lang_len = 0;
1041
113k
         lang_key_len = 0;
1042
113k
      }
1043
1044
2.47k
      else
1045
2.47k
#  ifdef PNG_iTXt_SUPPORTED
1046
2.47k
      {
1047
         /* Set iTXt data */
1048
1049
2.47k
         if (text_ptr[i].lang != NULL)
1050
2.47k
            lang_len = strlen(text_ptr[i].lang);
1051
1052
0
         else
1053
0
            lang_len = 0;
1054
1055
2.47k
         if (text_ptr[i].lang_key != NULL)
1056
2.47k
            lang_key_len = strlen(text_ptr[i].lang_key);
1057
1058
0
         else
1059
0
            lang_key_len = 0;
1060
2.47k
      }
1061
#  else /* iTXt */
1062
      {
1063
         png_chunk_report(png_ptr, "iTXt chunk not supported",
1064
             PNG_CHUNK_WRITE_ERROR);
1065
         continue;
1066
      }
1067
#  endif
1068
1069
115k
      if (text_ptr[i].text == NULL || text_ptr[i].text[0] == '\0')
1070
71.1k
      {
1071
71.1k
         text_length = 0;
1072
71.1k
#  ifdef PNG_iTXt_SUPPORTED
1073
71.1k
         if (text_ptr[i].compression > 0)
1074
2.28k
            textp->compression = PNG_ITXT_COMPRESSION_NONE;
1075
1076
68.8k
         else
1077
68.8k
#  endif
1078
68.8k
            textp->compression = PNG_TEXT_COMPRESSION_NONE;
1079
71.1k
      }
1080
1081
44.8k
      else
1082
44.8k
      {
1083
44.8k
         text_length = strlen(text_ptr[i].text);
1084
44.8k
         textp->compression = text_ptr[i].compression;
1085
44.8k
      }
1086
1087
115k
      textp->key = png_voidcast(png_charp,png_malloc_base(png_ptr,
1088
115k
          key_len + text_length + lang_len + lang_key_len + 4));
1089
1090
115k
      if (textp->key == NULL)
1091
0
      {
1092
0
         png_chunk_report(png_ptr, "text chunk: out of memory",
1093
0
             PNG_CHUNK_WRITE_ERROR);
1094
0
         png_free(png_ptr, old_text);
1095
1096
0
         return 1;
1097
0
      }
1098
1099
115k
      png_debug2(2, "Allocated %lu bytes at %p in png_set_text",
1100
115k
          (unsigned long)(png_uint_32)
1101
115k
          (key_len + lang_len + lang_key_len + text_length + 4),
1102
115k
          textp->key);
1103
1104
115k
      memcpy(textp->key, text_ptr[i].key, key_len);
1105
115k
      *(textp->key + key_len) = '\0';
1106
1107
115k
      if (text_ptr[i].compression > 0)
1108
2.47k
      {
1109
2.47k
         textp->lang = textp->key + key_len + 1;
1110
2.47k
         memcpy(textp->lang, text_ptr[i].lang, lang_len);
1111
2.47k
         *(textp->lang + lang_len) = '\0';
1112
2.47k
         textp->lang_key = textp->lang + lang_len + 1;
1113
2.47k
         memcpy(textp->lang_key, text_ptr[i].lang_key, lang_key_len);
1114
2.47k
         *(textp->lang_key + lang_key_len) = '\0';
1115
2.47k
         textp->text = textp->lang_key + lang_key_len + 1;
1116
2.47k
      }
1117
1118
113k
      else
1119
113k
      {
1120
113k
         textp->lang=NULL;
1121
113k
         textp->lang_key=NULL;
1122
113k
         textp->text = textp->key + key_len + 1;
1123
113k
      }
1124
1125
115k
      if (text_length != 0)
1126
44.8k
         memcpy(textp->text, text_ptr[i].text, text_length);
1127
1128
115k
      *(textp->text + text_length) = '\0';
1129
1130
115k
#  ifdef PNG_iTXt_SUPPORTED
1131
115k
      if (textp->compression > 0)
1132
2.47k
      {
1133
2.47k
         textp->text_length = 0;
1134
2.47k
         textp->itxt_length = text_length;
1135
2.47k
      }
1136
1137
113k
      else
1138
113k
#  endif
1139
113k
      {
1140
113k
         textp->text_length = text_length;
1141
113k
         textp->itxt_length = 0;
1142
113k
      }
1143
1144
115k
      info_ptr->num_text++;
1145
115k
      png_debug1(3, "transferred text chunk %d", info_ptr->num_text);
1146
115k
   }
1147
1148
115k
   png_free(png_ptr, old_text);
1149
1150
115k
   return 0;
1151
115k
}
1152
#endif
1153
1154
#ifdef PNG_tIME_SUPPORTED
1155
void PNGAPI
1156
png_set_tIME(png_const_structrp png_ptr, png_inforp info_ptr,
1157
    png_const_timep mod_time)
1158
128
{
1159
128
   png_debug1(1, "in %s storage function", "tIME");
1160
1161
128
   if (png_ptr == NULL || info_ptr == NULL || mod_time == NULL ||
1162
128
       (png_ptr->mode & PNG_WROTE_tIME) != 0)
1163
0
      return;
1164
1165
128
   if (mod_time->month == 0   || mod_time->month > 12  ||
1166
92
       mod_time->day   == 0   || mod_time->day   > 31  ||
1167
62
       mod_time->hour  > 23   || mod_time->minute > 59 ||
1168
45
       mod_time->second > 60)
1169
102
   {
1170
102
      png_warning(png_ptr, "Ignoring invalid time value");
1171
1172
102
      return;
1173
102
   }
1174
1175
26
   info_ptr->mod_time = *mod_time;
1176
26
   info_ptr->valid |= PNG_INFO_tIME;
1177
26
}
1178
#endif
1179
1180
#ifdef PNG_tRNS_SUPPORTED
1181
void PNGAPI
1182
png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr,
1183
    png_const_bytep trans_alpha, int num_trans, png_const_color_16p trans_color)
1184
2.16k
{
1185
2.16k
   png_debug1(1, "in %s storage function", "tRNS");
1186
1187
2.16k
   if (png_ptr == NULL || info_ptr == NULL)
1188
1189
0
      return;
1190
1191
2.16k
   if (trans_alpha != NULL)
1192
2.16k
   {
1193
       /* Snapshot the caller's trans_alpha before freeing, in case it
1194
        * points to info_ptr->trans_alpha (getter-to-setter aliasing).
1195
        */
1196
2.16k
       png_byte safe_trans[PNG_MAX_PALETTE_LENGTH];
1197
1198
2.16k
       if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
1199
2.16k
          memcpy(safe_trans, trans_alpha, (size_t)num_trans);
1200
1201
2.16k
       trans_alpha = safe_trans;
1202
1203
2.16k
       png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
1204
1205
2.16k
       if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
1206
2.16k
       {
1207
          /* Allocate info_ptr's copy of the transparency data.
1208
           * Initialize all entries to fully opaque (0xff), then overwrite
1209
           * the first num_trans entries with the actual values.
1210
           */
1211
2.16k
          info_ptr->trans_alpha = png_voidcast(png_bytep,
1212
2.16k
              png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
1213
2.16k
          memset(info_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
1214
2.16k
          memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
1215
2.16k
          info_ptr->free_me |= PNG_FREE_TRNS;
1216
2.16k
          info_ptr->valid |= PNG_INFO_tRNS;
1217
1218
          /* Allocate an independent copy for png_struct, so that the
1219
           * lifetime of png_ptr->trans_alpha is decoupled from the
1220
           * lifetime of info_ptr->trans_alpha.  Previously these two
1221
           * pointers were aliased, which caused a use-after-free if
1222
           * png_free_data freed info_ptr->trans_alpha while
1223
           * png_ptr->trans_alpha was still in use by the row transform
1224
           * functions (e.g. png_do_expand_palette).
1225
           */
1226
2.16k
          png_free(png_ptr, png_ptr->trans_alpha);
1227
2.16k
          png_ptr->trans_alpha = NULL;
1228
2.16k
          png_ptr->trans_alpha = png_voidcast(png_bytep,
1229
2.16k
              png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
1230
2.16k
          memset(png_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
1231
2.16k
          memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
1232
2.16k
       }
1233
0
       else
1234
0
       {
1235
0
          png_free(png_ptr, png_ptr->trans_alpha);
1236
0
          png_ptr->trans_alpha = NULL;
1237
0
       }
1238
2.16k
   }
1239
1240
2.16k
   if (trans_color != NULL)
1241
2.16k
   {
1242
2.16k
#ifdef PNG_WARNINGS_SUPPORTED
1243
2.16k
      if (info_ptr->bit_depth < 16)
1244
1.43k
      {
1245
1.43k
         int sample_max = (1 << info_ptr->bit_depth) - 1;
1246
1247
1.43k
         if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY &&
1248
352
             trans_color->gray > sample_max) ||
1249
1.21k
             (info_ptr->color_type == PNG_COLOR_TYPE_RGB &&
1250
441
             (trans_color->red > sample_max ||
1251
337
             trans_color->green > sample_max ||
1252
212
             trans_color->blue > sample_max)))
1253
588
            png_warning(png_ptr,
1254
588
                "tRNS chunk has out-of-range samples for bit_depth");
1255
1.43k
      }
1256
2.16k
#endif
1257
1258
2.16k
      info_ptr->trans_color = *trans_color;
1259
1260
2.16k
      if (num_trans == 0)
1261
0
         num_trans = 1;
1262
2.16k
   }
1263
1264
2.16k
   info_ptr->num_trans = (png_uint_16)num_trans;
1265
1266
2.16k
   if (num_trans != 0)
1267
1.97k
   {
1268
1.97k
      info_ptr->free_me |= PNG_FREE_TRNS;
1269
1.97k
      info_ptr->valid |= PNG_INFO_tRNS;
1270
1.97k
   }
1271
2.16k
}
1272
#endif
1273
1274
#ifdef PNG_sPLT_SUPPORTED
1275
void PNGAPI
1276
png_set_sPLT(png_const_structrp png_ptr,
1277
    png_inforp info_ptr, png_const_sPLT_tp entries, int nentries)
1278
/*
1279
 *  entries        - array of png_sPLT_t structures
1280
 *                   to be added to the list of palettes
1281
 *                   in the info structure.
1282
 *
1283
 *  nentries       - number of palette structures to be
1284
 *                   added.
1285
 */
1286
6.79k
{
1287
6.79k
   png_sPLT_tp np;
1288
6.79k
   png_sPLT_tp old_spalettes;
1289
1290
6.79k
   png_debug1(1, "in %s storage function", "sPLT");
1291
1292
6.79k
   if (png_ptr == NULL || info_ptr == NULL || nentries <= 0 || entries == NULL)
1293
0
      return;
1294
1295
   /* Use the internal realloc function, which checks for all the possible
1296
    * overflows.  Notice that the parameters are (int) and (size_t)
1297
    */
1298
6.79k
   np = png_voidcast(png_sPLT_tp,png_realloc_array(png_ptr,
1299
6.79k
       info_ptr->splt_palettes, info_ptr->splt_palettes_num, nentries,
1300
6.79k
       sizeof *np));
1301
1302
6.79k
   if (np == NULL)
1303
0
   {
1304
      /* Out of memory or too many chunks */
1305
0
      png_chunk_report(png_ptr, "too many sPLT chunks", PNG_CHUNK_WRITE_ERROR);
1306
0
      return;
1307
0
   }
1308
1309
   /* Defer freeing the old array until after the copy loop below,
1310
    * in case entries aliases info_ptr->splt_palettes (getter-to-setter).
1311
    */
1312
6.79k
   old_spalettes = info_ptr->splt_palettes;
1313
1314
6.79k
   info_ptr->splt_palettes = np;
1315
6.79k
   info_ptr->free_me |= PNG_FREE_SPLT;
1316
1317
6.79k
   np += info_ptr->splt_palettes_num;
1318
1319
6.79k
   do
1320
6.79k
   {
1321
6.79k
      size_t length;
1322
1323
      /* Skip invalid input entries */
1324
6.79k
      if (entries->name == NULL || entries->entries == NULL)
1325
0
      {
1326
         /* png_handle_sPLT doesn't do this, so this is an app error */
1327
0
         png_app_error(png_ptr, "png_set_sPLT: invalid sPLT");
1328
         /* Just skip the invalid entry */
1329
0
         continue;
1330
0
      }
1331
1332
6.79k
      np->depth = entries->depth;
1333
1334
      /* In the event of out-of-memory just return - there's no point keeping
1335
       * on trying to add sPLT chunks.
1336
       */
1337
6.79k
      length = strlen(entries->name) + 1;
1338
6.79k
      np->name = png_voidcast(png_charp, png_malloc_base(png_ptr, length));
1339
1340
6.79k
      if (np->name == NULL)
1341
0
         break;
1342
1343
6.79k
      memcpy(np->name, entries->name, length);
1344
1345
      /* IMPORTANT: we have memory now that won't get freed if something else
1346
       * goes wrong; this code must free it.  png_malloc_array produces no
1347
       * warnings; use a png_chunk_report (below) if there is an error.
1348
       */
1349
6.79k
      np->entries = png_voidcast(png_sPLT_entryp, png_malloc_array(png_ptr,
1350
6.79k
          entries->nentries, sizeof (png_sPLT_entry)));
1351
1352
6.79k
      if (np->entries == NULL)
1353
0
      {
1354
0
         png_free(png_ptr, np->name);
1355
0
         np->name = NULL;
1356
0
         break;
1357
0
      }
1358
1359
6.79k
      np->nentries = entries->nentries;
1360
      /* This multiply can't overflow because png_malloc_array has already
1361
       * checked it when doing the allocation.
1362
       */
1363
6.79k
      memcpy(np->entries, entries->entries,
1364
6.79k
          (unsigned int)entries->nentries * sizeof (png_sPLT_entry));
1365
1366
      /* Note that 'continue' skips the advance of the out pointer and out
1367
       * count, so an invalid entry is not added.
1368
       */
1369
6.79k
      info_ptr->valid |= PNG_INFO_sPLT;
1370
6.79k
      ++(info_ptr->splt_palettes_num);
1371
6.79k
      ++np;
1372
6.79k
      ++entries;
1373
6.79k
   }
1374
6.79k
   while (--nentries);
1375
1376
6.79k
   png_free(png_ptr, old_spalettes);
1377
1378
6.79k
   if (nentries > 0)
1379
0
      png_chunk_report(png_ptr, "sPLT out of memory", PNG_CHUNK_WRITE_ERROR);
1380
6.79k
}
1381
#endif /* sPLT */
1382
1383
#ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
1384
static png_byte
1385
check_location(png_const_structrp png_ptr, int location)
1386
0
{
1387
0
   location &= (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT);
1388
1389
   /* New in 1.6.0; copy the location and check it.  This is an API
1390
    * change; previously the app had to use the
1391
    * png_set_unknown_chunk_location API below for each chunk.
1392
    */
1393
0
   if (location == 0 && (png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1394
0
   {
1395
      /* Write struct, so unknown chunks come from the app */
1396
0
      png_app_warning(png_ptr,
1397
0
          "png_set_unknown_chunks now expects a valid location");
1398
      /* Use the old behavior */
1399
0
      location = (png_byte)(png_ptr->mode &
1400
0
          (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT));
1401
0
   }
1402
1403
   /* This need not be an internal error - if the app calls
1404
    * png_set_unknown_chunks on a read pointer it must get the location right.
1405
    */
1406
0
   if (location == 0)
1407
0
      png_error(png_ptr, "invalid location in png_set_unknown_chunks");
1408
1409
   /* Now reduce the location to the top-most set bit by removing each least
1410
    * significant bit in turn.
1411
    */
1412
0
   while (location != (location & -location))
1413
0
      location &= ~(location & -location);
1414
1415
   /* The cast is safe because 'location' is a bit mask and only the low four
1416
    * bits are significant.
1417
    */
1418
0
   return (png_byte)location;
1419
0
}
1420
1421
void PNGAPI
1422
png_set_unknown_chunks(png_const_structrp png_ptr,
1423
    png_inforp info_ptr, png_const_unknown_chunkp unknowns, int num_unknowns)
1424
0
{
1425
0
   png_unknown_chunkp np;
1426
0
   png_unknown_chunkp old_unknowns;
1427
1428
0
   if (png_ptr == NULL || info_ptr == NULL || num_unknowns <= 0 ||
1429
0
       unknowns == NULL)
1430
0
      return;
1431
1432
   /* Check for the failure cases where support has been disabled at compile
1433
    * time.  This code is hardly ever compiled - it's here because
1434
    * STORE_UNKNOWN_CHUNKS is set by both read and write code (compiling in this
1435
    * code) but may be meaningless if the read or write handling of unknown
1436
    * chunks is not compiled in.
1437
    */
1438
#  if !defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) && \
1439
      defined(PNG_READ_SUPPORTED)
1440
      if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
1441
      {
1442
         png_app_error(png_ptr, "no unknown chunk support on read");
1443
1444
         return;
1445
      }
1446
#  endif
1447
#  if !defined(PNG_WRITE_UNKNOWN_CHUNKS_SUPPORTED) && \
1448
      defined(PNG_WRITE_SUPPORTED)
1449
      if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1450
      {
1451
         png_app_error(png_ptr, "no unknown chunk support on write");
1452
1453
         return;
1454
      }
1455
#  endif
1456
1457
   /* Prior to 1.6.0 this code used png_malloc_warn; however, this meant that
1458
    * unknown critical chunks could be lost with just a warning resulting in
1459
    * undefined behavior.  Now png_chunk_report is used to provide behavior
1460
    * appropriate to read or write.
1461
    */
1462
0
   np = png_voidcast(png_unknown_chunkp, png_realloc_array(png_ptr,
1463
0
       info_ptr->unknown_chunks, info_ptr->unknown_chunks_num, num_unknowns,
1464
0
       sizeof *np));
1465
1466
0
   if (np == NULL)
1467
0
   {
1468
0
      png_chunk_report(png_ptr, "too many unknown chunks",
1469
0
          PNG_CHUNK_WRITE_ERROR);
1470
0
      return;
1471
0
   }
1472
1473
   /* Defer freeing the old array until after the copy loop below,
1474
    * in case unknowns aliases info_ptr->unknown_chunks (getter-to-setter).
1475
    */
1476
0
   old_unknowns = info_ptr->unknown_chunks;
1477
1478
0
   info_ptr->unknown_chunks = np; /* safe because it is initialized */
1479
0
   info_ptr->free_me |= PNG_FREE_UNKN;
1480
1481
0
   np += info_ptr->unknown_chunks_num;
1482
1483
   /* Increment unknown_chunks_num each time round the loop to protect the
1484
    * just-allocated chunk data.
1485
    */
1486
0
   for (; num_unknowns > 0; --num_unknowns, ++unknowns)
1487
0
   {
1488
0
      memcpy(np->name, unknowns->name, (sizeof np->name));
1489
0
      np->name[(sizeof np->name)-1] = '\0';
1490
0
      np->location = check_location(png_ptr, unknowns->location);
1491
1492
0
      if (unknowns->size == 0)
1493
0
      {
1494
0
         np->data = NULL;
1495
0
         np->size = 0;
1496
0
      }
1497
1498
0
      else
1499
0
      {
1500
0
         np->data = png_voidcast(png_bytep,
1501
0
             png_malloc_base(png_ptr, unknowns->size));
1502
1503
0
         if (np->data == NULL)
1504
0
         {
1505
0
            png_chunk_report(png_ptr, "unknown chunk: out of memory",
1506
0
                PNG_CHUNK_WRITE_ERROR);
1507
            /* But just skip storing the unknown chunk */
1508
0
            continue;
1509
0
         }
1510
1511
0
         memcpy(np->data, unknowns->data, unknowns->size);
1512
0
         np->size = unknowns->size;
1513
0
      }
1514
1515
      /* These increments are skipped on out-of-memory for the data - the
1516
       * unknown chunk entry gets overwritten if the png_chunk_report returns.
1517
       * This is correct in the read case (the chunk is just dropped.)
1518
       */
1519
0
      ++np;
1520
0
      ++(info_ptr->unknown_chunks_num);
1521
0
   }
1522
1523
0
   png_free(png_ptr, old_unknowns);
1524
0
}
1525
1526
void PNGAPI
1527
png_set_unknown_chunk_location(png_const_structrp png_ptr, png_inforp info_ptr,
1528
    int chunk, int location)
1529
0
{
1530
   /* This API is pretty pointless in 1.6.0 because the location can be set
1531
    * before the call to png_set_unknown_chunks.
1532
    *
1533
    * TODO: add a png_app_warning in 1.7
1534
    */
1535
0
   if (png_ptr != NULL && info_ptr != NULL && chunk >= 0 &&
1536
0
      chunk < info_ptr->unknown_chunks_num)
1537
0
   {
1538
0
      if ((location & (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT)) == 0)
1539
0
      {
1540
0
         png_app_error(png_ptr, "invalid unknown chunk location");
1541
         /* Fake out the pre 1.6.0 behavior: */
1542
0
         if (((unsigned int)location & PNG_HAVE_IDAT) != 0) /* undocumented! */
1543
0
            location = PNG_AFTER_IDAT;
1544
1545
0
         else
1546
0
            location = PNG_HAVE_IHDR; /* also undocumented */
1547
0
      }
1548
1549
0
      info_ptr->unknown_chunks[chunk].location =
1550
0
         check_location(png_ptr, location);
1551
0
   }
1552
0
}
1553
#endif /* STORE_UNKNOWN_CHUNKS */
1554
1555
#ifdef PNG_MNG_FEATURES_SUPPORTED
1556
png_uint_32 PNGAPI
1557
png_permit_mng_features(png_structrp png_ptr, png_uint_32 mng_features)
1558
0
{
1559
0
   png_debug(1, "in png_permit_mng_features");
1560
1561
0
   if (png_ptr == NULL)
1562
0
      return 0;
1563
1564
0
   png_ptr->mng_features_permitted = mng_features & PNG_ALL_MNG_FEATURES;
1565
1566
0
   return png_ptr->mng_features_permitted;
1567
0
}
1568
#endif
1569
1570
#ifdef PNG_HANDLE_AS_UNKNOWN_SUPPORTED
1571
static unsigned int
1572
add_one_chunk(png_bytep list, unsigned int count, png_const_bytep add, int keep)
1573
195k
{
1574
195k
   unsigned int i;
1575
1576
   /* Utility function: update the 'keep' state of a chunk if it is already in
1577
    * the list, otherwise add it to the list.
1578
    */
1579
1.98M
   for (i=0; i<count; ++i, list += 5)
1580
1.84M
   {
1581
1.84M
      if (memcmp(list, add, 4) == 0)
1582
48.8k
      {
1583
48.8k
         list[4] = (png_byte)keep;
1584
1585
48.8k
         return count;
1586
48.8k
      }
1587
1.84M
   }
1588
1589
146k
   if (keep != PNG_HANDLE_CHUNK_AS_DEFAULT)
1590
146k
   {
1591
146k
      ++count;
1592
146k
      memcpy(list, add, 4);
1593
146k
      list[4] = (png_byte)keep;
1594
146k
   }
1595
1596
146k
   return count;
1597
195k
}
1598
1599
void PNGAPI
1600
png_set_keep_unknown_chunks(png_structrp png_ptr, int keep,
1601
    png_const_bytep chunk_list, int num_chunks_in)
1602
13.9k
{
1603
13.9k
   png_bytep new_list;
1604
13.9k
   unsigned int num_chunks, old_num_chunks;
1605
1606
13.9k
   if (png_ptr == NULL)
1607
0
      return;
1608
1609
13.9k
   if (keep < 0 || keep >= PNG_HANDLE_CHUNK_LAST)
1610
0
   {
1611
0
      png_app_error(png_ptr, "png_set_keep_unknown_chunks: invalid keep");
1612
1613
0
      return;
1614
0
   }
1615
1616
13.9k
   if (num_chunks_in <= 0)
1617
6.97k
   {
1618
6.97k
      png_ptr->unknown_default = keep;
1619
1620
      /* '0' means just set the flags, so stop here */
1621
6.97k
      if (num_chunks_in == 0)
1622
0
        return;
1623
6.97k
   }
1624
1625
13.9k
   if (num_chunks_in < 0)
1626
6.97k
   {
1627
      /* Ignore all unknown chunks and all chunks recognized by
1628
       * libpng except for IHDR, PLTE, tRNS, IDAT, and IEND
1629
       */
1630
6.97k
      static const png_byte chunks_to_ignore[] = {
1631
6.97k
         98,  75,  71,  68, '\0',  /* bKGD */
1632
6.97k
         99,  72,  82,  77, '\0',  /* cHRM */
1633
6.97k
         99,  73,  67,  80, '\0',  /* cICP */
1634
6.97k
         99,  76,  76,  73, '\0',  /* cLLI */
1635
6.97k
        101,  88,  73, 102, '\0',  /* eXIf */
1636
6.97k
        103,  65,  77,  65, '\0',  /* gAMA */
1637
6.97k
        104,  73,  83,  84, '\0',  /* hIST */
1638
6.97k
        105,  67,  67,  80, '\0',  /* iCCP */
1639
6.97k
        105,  84,  88, 116, '\0',  /* iTXt */
1640
6.97k
        109,  68,  67,  86, '\0',  /* mDCV */
1641
6.97k
        111,  70,  70, 115, '\0',  /* oFFs */
1642
6.97k
        112,  67,  65,  76, '\0',  /* pCAL */
1643
6.97k
        112,  72,  89, 115, '\0',  /* pHYs */
1644
6.97k
        115,  66,  73,  84, '\0',  /* sBIT */
1645
6.97k
        115,  67,  65,  76, '\0',  /* sCAL */
1646
6.97k
        115,  80,  76,  84, '\0',  /* sPLT */
1647
6.97k
        115,  84,  69,  82, '\0',  /* sTER */
1648
6.97k
        115,  82,  71,  66, '\0',  /* sRGB */
1649
6.97k
        116,  69,  88, 116, '\0',  /* tEXt */
1650
6.97k
        116,  73,  77,  69, '\0',  /* tIME */
1651
6.97k
        122,  84,  88, 116, '\0'   /* zTXt */
1652
6.97k
      };
1653
1654
6.97k
      chunk_list = chunks_to_ignore;
1655
6.97k
      num_chunks = (unsigned int)/*SAFE*/(sizeof chunks_to_ignore)/5U;
1656
6.97k
   }
1657
1658
6.97k
   else /* num_chunks_in > 0 */
1659
6.97k
   {
1660
6.97k
      if (chunk_list == NULL)
1661
0
      {
1662
         /* Prior to 1.6.0 this was silently ignored, now it is an app_error
1663
          * which can be switched off.
1664
          */
1665
0
         png_app_error(png_ptr, "png_set_keep_unknown_chunks: no chunk list");
1666
1667
0
         return;
1668
0
      }
1669
1670
6.97k
      num_chunks = (unsigned int)num_chunks_in;
1671
6.97k
   }
1672
1673
13.9k
   old_num_chunks = png_ptr->num_chunk_list;
1674
13.9k
   if (png_ptr->chunk_list == NULL)
1675
6.97k
      old_num_chunks = 0;
1676
1677
   /* Since num_chunks is always restricted to UINT_MAX/5 this can't overflow.
1678
    */
1679
13.9k
   if (num_chunks + old_num_chunks > UINT_MAX/5)
1680
0
   {
1681
0
      png_app_error(png_ptr, "png_set_keep_unknown_chunks: too many chunks");
1682
1683
0
      return;
1684
0
   }
1685
1686
   /* If these chunks are being reset to the default then no more memory is
1687
    * required because add_one_chunk above doesn't extend the list if the 'keep'
1688
    * parameter is the default.
1689
    */
1690
13.9k
   if (keep != 0)
1691
6.97k
   {
1692
6.97k
      new_list = png_voidcast(png_bytep, png_malloc(png_ptr,
1693
6.97k
          5 * (num_chunks + old_num_chunks)));
1694
1695
6.97k
      if (old_num_chunks > 0)
1696
0
         memcpy(new_list, png_ptr->chunk_list, 5*old_num_chunks);
1697
6.97k
   }
1698
1699
6.97k
   else if (old_num_chunks > 0)
1700
6.97k
      new_list = png_ptr->chunk_list;
1701
1702
0
   else
1703
0
      new_list = NULL;
1704
1705
   /* Add the new chunks together with each one's handling code.  If the chunk
1706
    * already exists the code is updated, otherwise the chunk is added to the
1707
    * end.  (In libpng 1.6.0 order no longer matters because this code enforces
1708
    * the earlier convention that the last setting is the one that is used.)
1709
    */
1710
13.9k
   if (new_list != NULL)
1711
13.9k
   {
1712
13.9k
      png_const_bytep inlist;
1713
13.9k
      png_bytep outlist;
1714
13.9k
      unsigned int i;
1715
1716
209k
      for (i=0; i<num_chunks; ++i)
1717
195k
      {
1718
195k
         old_num_chunks = add_one_chunk(new_list, old_num_chunks,
1719
195k
             chunk_list+5*i, keep);
1720
195k
      }
1721
1722
      /* Now remove any spurious 'default' entries. */
1723
13.9k
      num_chunks = 0;
1724
306k
      for (i=0, inlist=outlist=new_list; i<old_num_chunks; ++i, inlist += 5)
1725
292k
      {
1726
292k
         if (inlist[4])
1727
244k
         {
1728
244k
            if (outlist != inlist)
1729
97.6k
               memcpy(outlist, inlist, 5);
1730
244k
            outlist += 5;
1731
244k
            ++num_chunks;
1732
244k
         }
1733
292k
      }
1734
1735
      /* This means the application has removed all the specialized handling. */
1736
13.9k
      if (num_chunks == 0)
1737
0
      {
1738
0
         if (png_ptr->chunk_list != new_list)
1739
0
            png_free(png_ptr, new_list);
1740
1741
0
         new_list = NULL;
1742
0
      }
1743
13.9k
   }
1744
1745
0
   else
1746
0
      num_chunks = 0;
1747
1748
13.9k
   png_ptr->num_chunk_list = num_chunks;
1749
1750
13.9k
   if (png_ptr->chunk_list != new_list)
1751
6.97k
   {
1752
6.97k
      if (png_ptr->chunk_list != NULL)
1753
0
         png_free(png_ptr, png_ptr->chunk_list);
1754
1755
6.97k
      png_ptr->chunk_list = new_list;
1756
6.97k
   }
1757
13.9k
}
1758
#endif
1759
1760
#ifdef PNG_READ_USER_CHUNKS_SUPPORTED
1761
void PNGAPI
1762
png_set_read_user_chunk_fn(png_structrp png_ptr, png_voidp user_chunk_ptr,
1763
    png_user_chunk_ptr read_user_chunk_fn)
1764
0
{
1765
0
   png_debug(1, "in png_set_read_user_chunk_fn");
1766
1767
0
   if (png_ptr == NULL)
1768
0
      return;
1769
1770
0
   png_ptr->read_user_chunk_fn = read_user_chunk_fn;
1771
0
   png_ptr->user_chunk_ptr = user_chunk_ptr;
1772
0
}
1773
#endif
1774
1775
#ifdef PNG_INFO_IMAGE_SUPPORTED
1776
void PNGAPI
1777
png_set_rows(png_const_structrp png_ptr, png_inforp info_ptr,
1778
    png_bytepp row_pointers)
1779
0
{
1780
0
   png_debug(1, "in png_set_rows");
1781
1782
0
   if (png_ptr == NULL || info_ptr == NULL)
1783
0
      return;
1784
1785
0
   if (info_ptr->row_pointers != NULL &&
1786
0
       (info_ptr->row_pointers != row_pointers))
1787
0
      png_free_data(png_ptr, info_ptr, PNG_FREE_ROWS, 0);
1788
1789
0
   info_ptr->row_pointers = row_pointers;
1790
1791
0
   if (row_pointers != NULL)
1792
0
      info_ptr->valid |= PNG_INFO_IDAT;
1793
0
}
1794
#endif
1795
1796
void PNGAPI
1797
png_set_compression_buffer_size(png_structrp png_ptr, size_t size)
1798
0
{
1799
0
   png_debug(1, "in png_set_compression_buffer_size");
1800
1801
0
   if (png_ptr == NULL)
1802
0
      return;
1803
1804
0
   if (size == 0 || size > PNG_UINT_31_MAX)
1805
0
      png_error(png_ptr, "invalid compression buffer size");
1806
1807
0
#  ifdef PNG_SEQUENTIAL_READ_SUPPORTED
1808
0
   if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
1809
0
   {
1810
0
      png_ptr->IDAT_read_size = (png_uint_32)size; /* checked above */
1811
0
      return;
1812
0
   }
1813
0
#  endif
1814
1815
#  ifdef PNG_WRITE_SUPPORTED
1816
   if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
1817
   {
1818
      if (png_ptr->zowner != 0)
1819
      {
1820
         png_warning(png_ptr,
1821
             "Compression buffer size cannot be changed because it is in use");
1822
1823
         return;
1824
      }
1825
1826
#ifndef __COVERITY__
1827
      /* Some compilers complain that this is always false.  However, it
1828
       * can be true when integer overflow happens.
1829
       */
1830
      if (size > ZLIB_IO_MAX)
1831
      {
1832
         png_warning(png_ptr,
1833
             "Compression buffer size limited to system maximum");
1834
         size = ZLIB_IO_MAX; /* must fit */
1835
      }
1836
#endif
1837
1838
      if (size < 6)
1839
      {
1840
         /* Deflate will potentially go into an infinite loop on a SYNC_FLUSH
1841
          * if this is permitted.
1842
          */
1843
         png_warning(png_ptr,
1844
             "Compression buffer size cannot be reduced below 6");
1845
1846
         return;
1847
      }
1848
1849
      if (png_ptr->zbuffer_size != size)
1850
      {
1851
         png_free_buffer_list(png_ptr, &png_ptr->zbuffer_list);
1852
         png_ptr->zbuffer_size = (uInt)size;
1853
      }
1854
   }
1855
#  endif
1856
0
}
1857
1858
void PNGAPI
1859
png_set_invalid(png_const_structrp png_ptr, png_inforp info_ptr, int mask)
1860
0
{
1861
0
   if (png_ptr != NULL && info_ptr != NULL)
1862
0
      info_ptr->valid &= (unsigned int)(~mask);
1863
0
}
1864
1865
1866
#ifdef PNG_SET_USER_LIMITS_SUPPORTED
1867
/* This function was added to libpng 1.2.6 */
1868
void PNGAPI
1869
png_set_user_limits(png_structrp png_ptr, png_uint_32 user_width_max,
1870
    png_uint_32 user_height_max)
1871
0
{
1872
0
   png_debug(1, "in png_set_user_limits");
1873
1874
   /* Images with dimensions larger than these limits will be
1875
    * rejected by png_set_IHDR().  To accept any PNG datastream
1876
    * regardless of dimensions, set both limits to 0x7fffffff.
1877
    */
1878
0
   if (png_ptr == NULL)
1879
0
      return;
1880
1881
0
   png_ptr->user_width_max = user_width_max;
1882
0
   png_ptr->user_height_max = user_height_max;
1883
0
}
1884
1885
/* This function was added to libpng 1.4.0 */
1886
void PNGAPI
1887
png_set_chunk_cache_max(png_structrp png_ptr, png_uint_32 user_chunk_cache_max)
1888
0
{
1889
0
   png_debug(1, "in png_set_chunk_cache_max");
1890
1891
0
   if (png_ptr != NULL)
1892
0
      png_ptr->user_chunk_cache_max = user_chunk_cache_max;
1893
0
}
1894
1895
/* This function was added to libpng 1.4.1 */
1896
void PNGAPI
1897
png_set_chunk_malloc_max(png_structrp png_ptr,
1898
    png_alloc_size_t user_chunk_malloc_max)
1899
0
{
1900
0
   png_debug(1, "in png_set_chunk_malloc_max");
1901
1902
   /* pngstruct::user_chunk_malloc_max is initialized to a non-zero value in
1903
    * png.c.  This API supports '0' for unlimited, make sure the correct
1904
    * (unlimited) value is set here to avoid a need to check for 0 everywhere
1905
    * the parameter is used.
1906
    */
1907
0
   if (png_ptr != NULL)
1908
0
   {
1909
0
      if (user_chunk_malloc_max == 0U) /* unlimited */
1910
0
      {
1911
#        ifdef PNG_MAX_MALLOC_64K
1912
            png_ptr->user_chunk_malloc_max = 65536U;
1913
#        else
1914
0
            png_ptr->user_chunk_malloc_max = PNG_SIZE_MAX;
1915
0
#        endif
1916
0
      }
1917
0
      else
1918
0
         png_ptr->user_chunk_malloc_max = user_chunk_malloc_max;
1919
0
   }
1920
0
}
1921
#endif /* ?SET_USER_LIMITS */
1922
1923
1924
#ifdef PNG_BENIGN_ERRORS_SUPPORTED
1925
void PNGAPI
1926
png_set_benign_errors(png_structrp png_ptr, int allowed)
1927
12.2k
{
1928
12.2k
   png_debug(1, "in png_set_benign_errors");
1929
1930
   /* If allowed is 1, png_benign_error() is treated as a warning.
1931
    *
1932
    * If allowed is 0, png_benign_error() is treated as an error (which
1933
    * is the default behavior if png_set_benign_errors() is not called).
1934
    */
1935
1936
12.2k
   if (allowed != 0)
1937
12.2k
      png_ptr->flags |= PNG_FLAG_BENIGN_ERRORS_WARN |
1938
12.2k
         PNG_FLAG_APP_WARNINGS_WARN | PNG_FLAG_APP_ERRORS_WARN;
1939
1940
0
   else
1941
0
      png_ptr->flags &= ~(PNG_FLAG_BENIGN_ERRORS_WARN |
1942
0
         PNG_FLAG_APP_WARNINGS_WARN | PNG_FLAG_APP_ERRORS_WARN);
1943
12.2k
}
1944
#endif /* BENIGN_ERRORS */
1945
1946
#ifdef PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED
1947
   /* Whether to report invalid palette index; added at libpng-1.5.10.
1948
    * It is possible for an indexed (color-type==3) PNG file to contain
1949
    * pixels with invalid (out-of-range) indexes if the PLTE chunk has
1950
    * fewer entries than the image's bit-depth would allow. We recover
1951
    * from this gracefully by filling any incomplete palette with zeros
1952
    * (opaque black).  By default, when this occurs libpng will issue
1953
    * a benign error.  This API can be used to override that behavior.
1954
    */
1955
void PNGAPI
1956
png_set_check_for_invalid_index(png_structrp png_ptr, int allowed)
1957
0
{
1958
0
   png_debug(1, "in png_set_check_for_invalid_index");
1959
1960
0
   if (allowed > 0)
1961
0
      png_ptr->num_palette_max = 0;
1962
1963
0
   else
1964
0
      png_ptr->num_palette_max = -1;
1965
0
}
1966
#endif
1967
1968
#if defined(PNG_TEXT_SUPPORTED) || defined(PNG_pCAL_SUPPORTED) || \
1969
    defined(PNG_iCCP_SUPPORTED) || defined(PNG_sPLT_SUPPORTED)
1970
/* Check that the tEXt or zTXt keyword is valid per PNG 1.0 specification,
1971
 * and if invalid, correct the keyword rather than discarding the entire
1972
 * chunk.  The PNG 1.0 specification requires keywords 1-79 characters in
1973
 * length, forbids leading or trailing whitespace, multiple internal spaces,
1974
 * and the non-break space (0x80) from ISO 8859-1.  Returns keyword length.
1975
 *
1976
 * The 'new_key' buffer must be 80 characters in size (for the keyword plus a
1977
 * trailing '\0').  If this routine returns 0 then there was no keyword, or a
1978
 * valid one could not be generated, and the caller must png_error.
1979
 */
1980
png_uint_32 /* PRIVATE */
1981
png_check_keyword(png_structrp png_ptr, png_const_charp key, png_bytep new_key)
1982
0
{
1983
0
#ifdef PNG_WARNINGS_SUPPORTED
1984
0
   png_const_charp orig_key = key;
1985
0
#endif
1986
0
   png_uint_32 key_len = 0;
1987
0
   int bad_character = 0;
1988
0
   int space = 1;
1989
1990
0
   png_debug(1, "in png_check_keyword");
1991
1992
0
   if (key == NULL)
1993
0
   {
1994
0
      *new_key = 0;
1995
0
      return 0;
1996
0
   }
1997
1998
0
   while (*key && key_len < 79)
1999
0
   {
2000
0
      png_byte ch = (png_byte)*key++;
2001
2002
0
      if ((ch > 32 && ch <= 126) || (ch >= 161 /*&& ch <= 255*/))
2003
0
      {
2004
0
         *new_key++ = ch; ++key_len; space = 0;
2005
0
      }
2006
2007
0
      else if (space == 0)
2008
0
      {
2009
         /* A space or an invalid character when one wasn't seen immediately
2010
          * before; output just a space.
2011
          */
2012
0
         *new_key++ = 32; ++key_len; space = 1;
2013
2014
         /* If the character was not a space then it is invalid. */
2015
0
         if (ch != 32)
2016
0
            bad_character = ch;
2017
0
      }
2018
2019
0
      else if (bad_character == 0)
2020
0
         bad_character = ch; /* just skip it, record the first error */
2021
0
   }
2022
2023
0
   if (key_len > 0 && space != 0) /* trailing space */
2024
0
   {
2025
0
      --key_len; --new_key;
2026
0
      if (bad_character == 0)
2027
0
         bad_character = 32;
2028
0
   }
2029
2030
   /* Terminate the keyword */
2031
0
   *new_key = 0;
2032
2033
0
   if (key_len == 0)
2034
0
      return 0;
2035
2036
0
#ifdef PNG_WARNINGS_SUPPORTED
2037
   /* Try to only output one warning per keyword: */
2038
0
   if (*key != 0) /* keyword too long */
2039
0
      png_warning(png_ptr, "keyword truncated");
2040
2041
0
   else if (bad_character != 0)
2042
0
   {
2043
0
      PNG_WARNING_PARAMETERS(p)
2044
2045
0
      png_warning_parameter(p, 1, orig_key);
2046
0
      png_warning_parameter_signed(p, 2, PNG_NUMBER_FORMAT_02x, bad_character);
2047
2048
0
      png_formatted_warning(png_ptr, p, "keyword \"@1\": bad character '0x@2'");
2049
0
   }
2050
#else /* !WARNINGS */
2051
   PNG_UNUSED(png_ptr)
2052
#endif /* !WARNINGS */
2053
2054
0
   return key_len;
2055
0
}
2056
#endif /* TEXT || pCAL || iCCP || sPLT */
2057
#endif /* READ || WRITE */