2 /* png.c - location for general purpose libpng functions
4 * Last changed in libpng 1.6.35 [July 15, 2018]
5 * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
16 /* Generate a compiler error if there is an old png.h in the search path. */
17 typedef png_libpng_version_1_6_35 Your_png_h_is_not_version_1_6_35
;
20 /* The version tests may need to be added to, but the problem warning has
21 * consistently been fixed in GCC versions which obtain wide-spread release.
22 * The problem is that many versions of GCC rearrange comparison expressions in
23 * the optimizer in such a way that the results of the comparison will change
24 * if signed integer overflow occurs. Such comparisons are not permitted in
25 * ANSI C90, however GCC isn't clever enough to work out that that do not occur
26 * below in png_ascii_from_fp and png_muldiv, so it produces a warning with
27 * -Wextra. Unfortunately this is highly dependent on the optimizer and the
28 * machine architecture so the warning comes and goes unpredictably and is
29 * impossible to "fix", even were that a good idea.
31 #if __GNUC__ == 7 && __GNUC_MINOR__ == 1
32 #define GCC_STRICT_OVERFLOW 1
33 #endif /* GNU 7.1.x */
35 #ifndef GCC_STRICT_OVERFLOW
36 #define GCC_STRICT_OVERFLOW 0
39 /* Tells libpng that we have already handled the first "num_bytes" bytes
40 * of the PNG file signature. If the PNG data is embedded into another
41 * stream we can set num_bytes = 8 so that libpng will not attempt to read
42 * or write any of the magic bytes before it starts on the IHDR.
45 #ifdef PNG_READ_SUPPORTED
47 png_set_sig_bytes(png_structrp png_ptr
, int num_bytes
)
49 unsigned int nb
= (unsigned int)num_bytes
;
51 png_debug(1, "in png_set_sig_bytes");
60 png_error(png_ptr
, "Too many bytes for PNG signature");
62 png_ptr
->sig_bytes
= (png_byte
)nb
;
65 /* Checks whether the supplied bytes match the PNG signature. We allow
66 * checking less than the full 8-byte signature so that those apps that
67 * already read the first few bytes of a file to determine the file type
68 * can simply check the remaining bytes for extra assurance. Returns
69 * an integer less than, equal to, or greater than zero if sig is found,
70 * respectively, to be less than, to match, or be greater than the correct
71 * PNG signature (this is the same behavior as strcmp, memcmp, etc).
74 png_sig_cmp(png_const_bytep sig
, size_t start
, size_t num_to_check
)
76 png_byte png_signature
[8] = {137, 80, 78, 71, 13, 10, 26, 10};
81 else if (num_to_check
< 1)
87 if (start
+ num_to_check
> 8)
88 num_to_check
= 8 - start
;
90 return ((int)(memcmp(&sig
[start
], &png_signature
[start
], num_to_check
)));
95 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
96 /* Function to allocate memory for zlib */
97 PNG_FUNCTION(voidpf
/* PRIVATE */,
98 png_zalloc
,(voidpf png_ptr
, uInt items
, uInt size
),PNG_ALLOCATED
)
100 png_alloc_size_t num_bytes
= size
;
105 if (items
>= (~(png_alloc_size_t
)0)/size
)
107 png_warning (png_voidcast(png_structrp
, png_ptr
),
108 "Potential overflow in png_zalloc()");
113 return png_malloc_warn(png_voidcast(png_structrp
, png_ptr
), num_bytes
);
116 /* Function to free memory for zlib */
118 png_zfree(voidpf png_ptr
, voidpf ptr
)
120 png_free(png_voidcast(png_const_structrp
,png_ptr
), ptr
);
123 /* Reset the CRC variable to 32 bits of 1's. Care must be taken
124 * in case CRC is > 32 bits to leave the top bits 0.
127 png_reset_crc(png_structrp png_ptr
)
129 /* The cast is safe because the crc is a 32-bit value. */
130 png_ptr
->crc
= (png_uint_32
)crc32(0, Z_NULL
, 0);
133 /* Calculate the CRC over a section of data. We can only pass as
134 * much data to this routine as the largest single buffer size. We
135 * also check that this data will actually be used before going to the
136 * trouble of calculating it.
139 png_calculate_crc(png_structrp png_ptr
, png_const_bytep ptr
, size_t length
)
143 if (PNG_CHUNK_ANCILLARY(png_ptr
->chunk_name
) != 0)
145 if ((png_ptr
->flags
& PNG_FLAG_CRC_ANCILLARY_MASK
) ==
146 (PNG_FLAG_CRC_ANCILLARY_USE
| PNG_FLAG_CRC_ANCILLARY_NOWARN
))
152 if ((png_ptr
->flags
& PNG_FLAG_CRC_CRITICAL_IGNORE
) != 0)
156 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
157 * systems it is a 64-bit value. crc32, however, returns 32 bits so the
158 * following cast is safe. 'uInt' may be no more than 16 bits, so it is
159 * necessary to perform a loop here.
161 if (need_crc
!= 0 && length
> 0)
163 uLong crc
= png_ptr
->crc
; /* Should never issue a warning */
167 uInt safe_length
= (uInt
)length
;
169 if (safe_length
== 0)
170 safe_length
= (uInt
)-1; /* evil, but safe */
173 crc
= crc32(crc
, ptr
, safe_length
);
175 /* The following should never issue compiler warnings; if they do the
176 * target system has characteristics that will probably violate other
177 * assumptions within the libpng code.
180 length
-= safe_length
;
184 /* And the following is always safe because the crc is only 32 bits. */
185 png_ptr
->crc
= (png_uint_32
)crc
;
189 /* Check a user supplied version number, called from both read and write
190 * functions that create a png_struct.
193 png_user_version_check(png_structrp png_ptr
, png_const_charp user_png_ver
)
195 /* Libpng versions 1.0.0 and later are binary compatible if the version
196 * string matches through the second '.'; we must recompile any
197 * applications that use any older library version.
200 if (user_png_ver
!= NULL
)
208 if (user_png_ver
[i
] != PNG_LIBPNG_VER_STRING
[i
])
209 png_ptr
->flags
|= PNG_FLAG_LIBRARY_MISMATCH
;
210 if (user_png_ver
[i
] == '.')
212 } while (found_dots
< 2 && user_png_ver
[i
] != 0 &&
213 PNG_LIBPNG_VER_STRING
[i
] != 0);
217 png_ptr
->flags
|= PNG_FLAG_LIBRARY_MISMATCH
;
219 if ((png_ptr
->flags
& PNG_FLAG_LIBRARY_MISMATCH
) != 0)
221 #ifdef PNG_WARNINGS_SUPPORTED
225 pos
= png_safecat(m
, (sizeof m
), pos
,
226 "Application built with libpng-");
227 pos
= png_safecat(m
, (sizeof m
), pos
, user_png_ver
);
228 pos
= png_safecat(m
, (sizeof m
), pos
, " but running with ");
229 pos
= png_safecat(m
, (sizeof m
), pos
, PNG_LIBPNG_VER_STRING
);
232 png_warning(png_ptr
, m
);
235 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
242 /* Success return. */
246 /* Generic function to create a png_struct for either read or write - this
247 * contains the common initialization.
249 PNG_FUNCTION(png_structp
/* PRIVATE */,
250 png_create_png_struct
,(png_const_charp user_png_ver
, png_voidp error_ptr
,
251 png_error_ptr error_fn
, png_error_ptr warn_fn
, png_voidp mem_ptr
,
252 png_malloc_ptr malloc_fn
, png_free_ptr free_fn
),PNG_ALLOCATED
)
254 png_struct create_struct
;
255 # ifdef PNG_SETJMP_SUPPORTED
256 jmp_buf create_jmp_buf
;
259 /* This temporary stack-allocated structure is used to provide a place to
260 * build enough context to allow the user provided memory allocator (if any)
263 memset(&create_struct
, 0, (sizeof create_struct
));
265 /* Added at libpng-1.2.6 */
266 # ifdef PNG_USER_LIMITS_SUPPORTED
267 create_struct
.user_width_max
= PNG_USER_WIDTH_MAX
;
268 create_struct
.user_height_max
= PNG_USER_HEIGHT_MAX
;
270 # ifdef PNG_USER_CHUNK_CACHE_MAX
271 /* Added at libpng-1.2.43 and 1.4.0 */
272 create_struct
.user_chunk_cache_max
= PNG_USER_CHUNK_CACHE_MAX
;
275 # ifdef PNG_USER_CHUNK_MALLOC_MAX
276 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
277 * in png_struct regardless.
279 create_struct
.user_chunk_malloc_max
= PNG_USER_CHUNK_MALLOC_MAX
;
283 /* The following two API calls simply set fields in png_struct, so it is safe
284 * to do them now even though error handling is not yet set up.
286 # ifdef PNG_USER_MEM_SUPPORTED
287 png_set_mem_fn(&create_struct
, mem_ptr
, malloc_fn
, free_fn
);
290 PNG_UNUSED(malloc_fn
)
294 /* (*error_fn) can return control to the caller after the error_ptr is set,
295 * this will result in a memory leak unless the error_fn does something
296 * extremely sophisticated. The design lacks merit but is implicit in the
299 png_set_error_fn(&create_struct
, error_ptr
, error_fn
, warn_fn
);
301 # ifdef PNG_SETJMP_SUPPORTED
302 if (!setjmp(create_jmp_buf
))
305 # ifdef PNG_SETJMP_SUPPORTED
306 /* Temporarily fake out the longjmp information until we have
307 * successfully completed this function. This only works if we have
308 * setjmp() support compiled in, but it is safe - this stuff should
311 create_struct
.jmp_buf_ptr
= &create_jmp_buf
;
312 create_struct
.jmp_buf_size
= 0; /*stack allocation*/
313 create_struct
.longjmp_fn
= longjmp
;
315 /* Call the general version checker (shared with read and write code):
317 if (png_user_version_check(&create_struct
, user_png_ver
) != 0)
319 png_structrp png_ptr
= png_voidcast(png_structrp
,
320 png_malloc_warn(&create_struct
, (sizeof *png_ptr
)));
324 /* png_ptr->zstream holds a back-pointer to the png_struct, so
325 * this can only be done now:
327 create_struct
.zstream
.zalloc
= png_zalloc
;
328 create_struct
.zstream
.zfree
= png_zfree
;
329 create_struct
.zstream
.opaque
= png_ptr
;
331 # ifdef PNG_SETJMP_SUPPORTED
332 /* Eliminate the local error handling: */
333 create_struct
.jmp_buf_ptr
= NULL
;
334 create_struct
.jmp_buf_size
= 0;
335 create_struct
.longjmp_fn
= 0;
338 *png_ptr
= create_struct
;
340 /* This is the successful return point */
346 /* A longjmp because of a bug in the application storage allocator or a
347 * simple failure to allocate the png_struct.
352 /* Allocate the memory for an info_struct for the application. */
353 PNG_FUNCTION(png_infop
,PNGAPI
354 png_create_info_struct
,(png_const_structrp png_ptr
),PNG_ALLOCATED
)
358 png_debug(1, "in png_create_info_struct");
363 /* Use the internal API that does not (or at least should not) error out, so
364 * that this call always returns ok. The application typically sets up the
365 * error handling *after* creating the info_struct because this is the way it
366 * has always been done in 'example.c'.
368 info_ptr
= png_voidcast(png_inforp
, png_malloc_base(png_ptr
,
369 (sizeof *info_ptr
)));
371 if (info_ptr
!= NULL
)
372 memset(info_ptr
, 0, (sizeof *info_ptr
));
377 /* This function frees the memory associated with a single info struct.
378 * Normally, one would use either png_destroy_read_struct() or
379 * png_destroy_write_struct() to free an info struct, but this may be
380 * useful for some applications. From libpng 1.6.0 this function is also used
381 * internally to implement the png_info release part of the 'struct' destroy
382 * APIs. This ensures that all possible approaches free the same data (all of
386 png_destroy_info_struct(png_const_structrp png_ptr
, png_infopp info_ptr_ptr
)
388 png_inforp info_ptr
= NULL
;
390 png_debug(1, "in png_destroy_info_struct");
395 if (info_ptr_ptr
!= NULL
)
396 info_ptr
= *info_ptr_ptr
;
398 if (info_ptr
!= NULL
)
400 /* Do this first in case of an error below; if the app implements its own
401 * memory management this can lead to png_free calling png_error, which
402 * will abort this routine and return control to the app error handler.
403 * An infinite loop may result if it then tries to free the same info
406 *info_ptr_ptr
= NULL
;
408 png_free_data(png_ptr
, info_ptr
, PNG_FREE_ALL
, -1);
409 memset(info_ptr
, 0, (sizeof *info_ptr
));
410 png_free(png_ptr
, info_ptr
);
414 /* Initialize the info structure. This is now an internal function (0.89)
415 * and applications using it are urged to use png_create_info_struct()
416 * instead. Use deprecated in 1.6.0, internal use removed (used internally it
419 * NOTE: it is almost inconceivable that this API is used because it bypasses
420 * the user-memory mechanism and the user error handling/warning mechanisms in
421 * those cases where it does anything other than a memset.
423 PNG_FUNCTION(void,PNGAPI
424 png_info_init_3
,(png_infopp ptr_ptr
, size_t png_info_struct_size
),
427 png_inforp info_ptr
= *ptr_ptr
;
429 png_debug(1, "in png_info_init_3");
431 if (info_ptr
== NULL
)
434 if ((sizeof (png_info
)) > png_info_struct_size
)
437 /* The following line is why this API should not be used: */
439 info_ptr
= png_voidcast(png_inforp
, png_malloc_base(NULL
,
440 (sizeof *info_ptr
)));
441 if (info_ptr
== NULL
)
446 /* Set everything to 0 */
447 memset(info_ptr
, 0, (sizeof *info_ptr
));
450 /* The following API is not called internally */
452 png_data_freer(png_const_structrp png_ptr
, png_inforp info_ptr
,
453 int freer
, png_uint_32 mask
)
455 png_debug(1, "in png_data_freer");
457 if (png_ptr
== NULL
|| info_ptr
== NULL
)
460 if (freer
== PNG_DESTROY_WILL_FREE_DATA
)
461 info_ptr
->free_me
|= mask
;
463 else if (freer
== PNG_USER_WILL_FREE_DATA
)
464 info_ptr
->free_me
&= ~mask
;
467 png_error(png_ptr
, "Unknown freer parameter in png_data_freer");
471 png_free_data(png_const_structrp png_ptr
, png_inforp info_ptr
, png_uint_32 mask
,
474 png_debug(1, "in png_free_data");
476 if (png_ptr
== NULL
|| info_ptr
== NULL
)
479 #ifdef PNG_TEXT_SUPPORTED
480 /* Free text item num or (if num == -1) all text items */
481 if (info_ptr
->text
!= NULL
&&
482 ((mask
& PNG_FREE_TEXT
) & info_ptr
->free_me
) != 0)
486 png_free(png_ptr
, info_ptr
->text
[num
].key
);
487 info_ptr
->text
[num
].key
= NULL
;
494 for (i
= 0; i
< info_ptr
->num_text
; i
++)
495 png_free(png_ptr
, info_ptr
->text
[i
].key
);
497 png_free(png_ptr
, info_ptr
->text
);
498 info_ptr
->text
= NULL
;
499 info_ptr
->num_text
= 0;
500 info_ptr
->max_text
= 0;
505 #ifdef PNG_tRNS_SUPPORTED
506 /* Free any tRNS entry */
507 if (((mask
& PNG_FREE_TRNS
) & info_ptr
->free_me
) != 0)
509 info_ptr
->valid
&= ~PNG_INFO_tRNS
;
510 png_free(png_ptr
, info_ptr
->trans_alpha
);
511 info_ptr
->trans_alpha
= NULL
;
512 info_ptr
->num_trans
= 0;
516 #ifdef PNG_sCAL_SUPPORTED
517 /* Free any sCAL entry */
518 if (((mask
& PNG_FREE_SCAL
) & info_ptr
->free_me
) != 0)
520 png_free(png_ptr
, info_ptr
->scal_s_width
);
521 png_free(png_ptr
, info_ptr
->scal_s_height
);
522 info_ptr
->scal_s_width
= NULL
;
523 info_ptr
->scal_s_height
= NULL
;
524 info_ptr
->valid
&= ~PNG_INFO_sCAL
;
528 #ifdef PNG_pCAL_SUPPORTED
529 /* Free any pCAL entry */
530 if (((mask
& PNG_FREE_PCAL
) & info_ptr
->free_me
) != 0)
532 png_free(png_ptr
, info_ptr
->pcal_purpose
);
533 png_free(png_ptr
, info_ptr
->pcal_units
);
534 info_ptr
->pcal_purpose
= NULL
;
535 info_ptr
->pcal_units
= NULL
;
537 if (info_ptr
->pcal_params
!= NULL
)
541 for (i
= 0; i
< info_ptr
->pcal_nparams
; i
++)
542 png_free(png_ptr
, info_ptr
->pcal_params
[i
]);
544 png_free(png_ptr
, info_ptr
->pcal_params
);
545 info_ptr
->pcal_params
= NULL
;
547 info_ptr
->valid
&= ~PNG_INFO_pCAL
;
551 #ifdef PNG_iCCP_SUPPORTED
552 /* Free any profile entry */
553 if (((mask
& PNG_FREE_ICCP
) & info_ptr
->free_me
) != 0)
555 png_free(png_ptr
, info_ptr
->iccp_name
);
556 png_free(png_ptr
, info_ptr
->iccp_profile
);
557 info_ptr
->iccp_name
= NULL
;
558 info_ptr
->iccp_profile
= NULL
;
559 info_ptr
->valid
&= ~PNG_INFO_iCCP
;
563 #ifdef PNG_sPLT_SUPPORTED
564 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
565 if (info_ptr
->splt_palettes
!= NULL
&&
566 ((mask
& PNG_FREE_SPLT
) & info_ptr
->free_me
) != 0)
570 png_free(png_ptr
, info_ptr
->splt_palettes
[num
].name
);
571 png_free(png_ptr
, info_ptr
->splt_palettes
[num
].entries
);
572 info_ptr
->splt_palettes
[num
].name
= NULL
;
573 info_ptr
->splt_palettes
[num
].entries
= NULL
;
580 for (i
= 0; i
< info_ptr
->splt_palettes_num
; i
++)
582 png_free(png_ptr
, info_ptr
->splt_palettes
[i
].name
);
583 png_free(png_ptr
, info_ptr
->splt_palettes
[i
].entries
);
586 png_free(png_ptr
, info_ptr
->splt_palettes
);
587 info_ptr
->splt_palettes
= NULL
;
588 info_ptr
->splt_palettes_num
= 0;
589 info_ptr
->valid
&= ~PNG_INFO_sPLT
;
594 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
595 if (info_ptr
->unknown_chunks
!= NULL
&&
596 ((mask
& PNG_FREE_UNKN
) & info_ptr
->free_me
) != 0)
600 png_free(png_ptr
, info_ptr
->unknown_chunks
[num
].data
);
601 info_ptr
->unknown_chunks
[num
].data
= NULL
;
608 for (i
= 0; i
< info_ptr
->unknown_chunks_num
; i
++)
609 png_free(png_ptr
, info_ptr
->unknown_chunks
[i
].data
);
611 png_free(png_ptr
, info_ptr
->unknown_chunks
);
612 info_ptr
->unknown_chunks
= NULL
;
613 info_ptr
->unknown_chunks_num
= 0;
618 #ifdef PNG_eXIf_SUPPORTED
619 /* Free any eXIf entry */
620 if (((mask
& PNG_FREE_EXIF
) & info_ptr
->free_me
) != 0)
622 # ifdef PNG_READ_eXIf_SUPPORTED
623 if (info_ptr
->eXIf_buf
)
625 png_free(png_ptr
, info_ptr
->eXIf_buf
);
626 info_ptr
->eXIf_buf
= NULL
;
631 png_free(png_ptr
, info_ptr
->exif
);
632 info_ptr
->exif
= NULL
;
634 info_ptr
->valid
&= ~PNG_INFO_eXIf
;
638 #ifdef PNG_hIST_SUPPORTED
639 /* Free any hIST entry */
640 if (((mask
& PNG_FREE_HIST
) & info_ptr
->free_me
) != 0)
642 png_free(png_ptr
, info_ptr
->hist
);
643 info_ptr
->hist
= NULL
;
644 info_ptr
->valid
&= ~PNG_INFO_hIST
;
648 /* Free any PLTE entry that was internally allocated */
649 if (((mask
& PNG_FREE_PLTE
) & info_ptr
->free_me
) != 0)
651 png_free(png_ptr
, info_ptr
->palette
);
652 info_ptr
->palette
= NULL
;
653 info_ptr
->valid
&= ~PNG_INFO_PLTE
;
654 info_ptr
->num_palette
= 0;
657 #ifdef PNG_INFO_IMAGE_SUPPORTED
658 /* Free any image bits attached to the info structure */
659 if (((mask
& PNG_FREE_ROWS
) & info_ptr
->free_me
) != 0)
661 if (info_ptr
->row_pointers
!= NULL
)
664 for (row
= 0; row
< info_ptr
->height
; row
++)
665 png_free(png_ptr
, info_ptr
->row_pointers
[row
]);
667 png_free(png_ptr
, info_ptr
->row_pointers
);
668 info_ptr
->row_pointers
= NULL
;
670 info_ptr
->valid
&= ~PNG_INFO_IDAT
;
675 mask
&= ~PNG_FREE_MUL
;
677 info_ptr
->free_me
&= ~mask
;
679 #endif /* READ || WRITE */
681 /* This function returns a pointer to the io_ptr associated with the user
682 * functions. The application should free any memory associated with this
683 * pointer before png_write_destroy() or png_read_destroy() are called.
686 png_get_io_ptr(png_const_structrp png_ptr
)
691 return (png_ptr
->io_ptr
);
694 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
695 # ifdef PNG_STDIO_SUPPORTED
696 /* Initialize the default input/output functions for the PNG file. If you
697 * use your own read or write routines, you can call either png_set_read_fn()
698 * or png_set_write_fn() instead of png_init_io(). If you have defined
699 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
700 * function of your own because "FILE *" isn't necessarily available.
703 png_init_io(png_structrp png_ptr
, png_FILE_p fp
)
705 png_debug(1, "in png_init_io");
710 png_ptr
->io_ptr
= (png_voidp
)fp
;
714 # ifdef PNG_SAVE_INT_32_SUPPORTED
715 /* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90
716 * defines a cast of a signed integer to an unsigned integer either to preserve
717 * the value, if it is positive, or to calculate:
719 * (UNSIGNED_MAX+1) + integer
721 * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
722 * negative integral value is added the result will be an unsigned value
723 * correspnding to the 2's complement representation.
726 png_save_int_32(png_bytep buf
, png_int_32 i
)
728 png_save_uint_32(buf
, (png_uint_32
)i
);
732 # ifdef PNG_TIME_RFC1123_SUPPORTED
733 /* Convert the supplied time into an RFC 1123 string suitable for use in
734 * a "Creation Time" or other text-based time string.
737 png_convert_to_rfc1123_buffer(char out
[29], png_const_timep ptime
)
739 static PNG_CONST
char short_months
[12][4] =
740 {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
741 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
746 if (ptime
->year
> 9999 /* RFC1123 limitation */ ||
747 ptime
->month
== 0 || ptime
->month
> 12 ||
748 ptime
->day
== 0 || ptime
->day
> 31 ||
749 ptime
->hour
> 23 || ptime
->minute
> 59 ||
755 char number_buf
[5]; /* enough for a four-digit year */
757 # define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
758 # define APPEND_NUMBER(format, value)\
759 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
760 # define APPEND(ch) if (pos < 28) out[pos++] = (ch)
762 APPEND_NUMBER(PNG_NUMBER_FORMAT_u
, (unsigned)ptime
->day
);
764 APPEND_STRING(short_months
[(ptime
->month
- 1)]);
766 APPEND_NUMBER(PNG_NUMBER_FORMAT_u
, ptime
->year
);
768 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u
, (unsigned)ptime
->hour
);
770 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u
, (unsigned)ptime
->minute
);
772 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u
, (unsigned)ptime
->second
);
773 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
777 # undef APPEND_NUMBER
778 # undef APPEND_STRING
784 # if PNG_LIBPNG_VER < 10700
785 /* To do: remove the following from libpng-1.7 */
786 /* Original API that uses a private buffer in png_struct.
787 * Deprecated because it causes png_struct to carry a spurious temporary
788 * buffer (png_struct::time_buffer), better to have the caller pass this in.
790 png_const_charp PNGAPI
791 png_convert_to_rfc1123(png_structrp png_ptr
, png_const_timep ptime
)
795 /* The only failure above if png_ptr != NULL is from an invalid ptime */
796 if (png_convert_to_rfc1123_buffer(png_ptr
->time_buffer
, ptime
) == 0)
797 png_warning(png_ptr
, "Ignoring invalid time value");
800 return png_ptr
->time_buffer
;
805 # endif /* LIBPNG_VER < 10700 */
806 # endif /* TIME_RFC1123 */
808 #endif /* READ || WRITE */
810 png_const_charp PNGAPI
811 png_get_copyright(png_const_structrp png_ptr
)
813 PNG_UNUSED(png_ptr
) /* Silence compiler warning about unused png_ptr */
814 #ifdef PNG_STRING_COPYRIGHT
815 return PNG_STRING_COPYRIGHT
818 return PNG_STRING_NEWLINE \
819 "libpng version 1.6.35 - July 15, 2018" PNG_STRING_NEWLINE \
820 "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
822 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
823 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
826 return "libpng version 1.6.35 - July 15, 2018\
827 Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson\
828 Copyright (c) 1996-1997 Andreas Dilger\
829 Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
834 /* The following return the library version as a short string in the
835 * format 1.0.0 through 99.99.99zz. To get the version of *.h files
836 * used with your application, print out PNG_LIBPNG_VER_STRING, which
837 * is defined in png.h.
838 * Note: now there is no difference between png_get_libpng_ver() and
839 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard,
840 * it is guaranteed that png.c uses the correct version of png.h.
842 png_const_charp PNGAPI
843 png_get_libpng_ver(png_const_structrp png_ptr
)
845 /* Version of *.c files used when building libpng */
846 return png_get_header_ver(png_ptr
);
849 png_const_charp PNGAPI
850 png_get_header_ver(png_const_structrp png_ptr
)
852 /* Version of *.h files used when building libpng */
853 PNG_UNUSED(png_ptr
) /* Silence compiler warning about unused png_ptr */
854 return PNG_LIBPNG_VER_STRING
;
857 png_const_charp PNGAPI
858 png_get_header_version(png_const_structrp png_ptr
)
860 /* Returns longer string containing both version and date */
861 PNG_UNUSED(png_ptr
) /* Silence compiler warning about unused png_ptr */
863 return PNG_HEADER_VERSION_STRING
864 # ifndef PNG_READ_SUPPORTED
869 return PNG_HEADER_VERSION_STRING
;
873 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
874 /* NOTE: this routine is not used internally! */
875 /* Build a grayscale palette. Palette is assumed to be 1 << bit_depth
876 * large of png_color. This lets grayscale images be treated as
877 * paletted. Most useful for gamma correction and simplification
878 * of code. This API is not used internally.
881 png_build_grayscale_palette(int bit_depth
, png_colorp palette
)
888 png_debug(1, "in png_do_build_grayscale_palette");
921 for (i
= 0, v
= 0; i
< num_palette
; i
++, v
+= color_inc
)
923 palette
[i
].red
= (png_byte
)(v
& 0xff);
924 palette
[i
].green
= (png_byte
)(v
& 0xff);
925 palette
[i
].blue
= (png_byte
)(v
& 0xff);
930 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
932 png_handle_as_unknown(png_const_structrp png_ptr
, png_const_bytep chunk_name
)
934 /* Check chunk_name and return "keep" value if it's on the list, else 0 */
935 png_const_bytep p
, p_end
;
937 if (png_ptr
== NULL
|| chunk_name
== NULL
|| png_ptr
->num_chunk_list
== 0)
938 return PNG_HANDLE_CHUNK_AS_DEFAULT
;
940 p_end
= png_ptr
->chunk_list
;
941 p
= p_end
+ png_ptr
->num_chunk_list
*5; /* beyond end */
943 /* The code is the fifth byte after each four byte string. Historically this
944 * code was always searched from the end of the list, this is no longer
945 * necessary because the 'set' routine handles duplicate entries correctly.
947 do /* num_chunk_list > 0, so at least one */
951 if (memcmp(chunk_name
, p
, 4) == 0)
956 /* This means that known chunks should be processed and unknown chunks should
957 * be handled according to the value of png_ptr->unknown_default; this can be
958 * confusing because, as a result, there are two levels of defaulting for
961 return PNG_HANDLE_CHUNK_AS_DEFAULT
;
964 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
965 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
967 png_chunk_unknown_handling(png_const_structrp png_ptr
, png_uint_32 chunk_name
)
969 png_byte chunk_string
[5];
971 PNG_CSTRING_FROM_CHUNK(chunk_string
, chunk_name
);
972 return png_handle_as_unknown(png_ptr
, chunk_string
);
974 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
975 #endif /* SET_UNKNOWN_CHUNKS */
977 #ifdef PNG_READ_SUPPORTED
978 /* This function, added to libpng-1.0.6g, is untested. */
980 png_reset_zstream(png_structrp png_ptr
)
983 return Z_STREAM_ERROR
;
985 /* WARNING: this resets the window bits to the maximum! */
986 return (inflateReset(&png_ptr
->zstream
));
990 /* This function was added to libpng-1.0.7 */
992 png_access_version_number(void)
994 /* Version of *.c files used when building libpng */
995 return((png_uint_32
)PNG_LIBPNG_VER
);
998 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
999 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
1000 * If it doesn't 'ret' is used to set it to something appropriate, even in cases
1001 * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
1004 png_zstream_error(png_structrp png_ptr
, int ret
)
1006 /* Translate 'ret' into an appropriate error string, priority is given to the
1007 * one in zstream if set. This always returns a string, even in cases like
1008 * Z_OK or Z_STREAM_END where the error code is a success code.
1010 if (png_ptr
->zstream
.msg
== NULL
) switch (ret
)
1014 png_ptr
->zstream
.msg
= PNGZ_MSG_CAST("unexpected zlib return code");
1019 png_ptr
->zstream
.msg
= PNGZ_MSG_CAST("unexpected end of LZ stream");
1023 /* This means the deflate stream did not have a dictionary; this
1024 * indicates a bogus PNG.
1026 png_ptr
->zstream
.msg
= PNGZ_MSG_CAST("missing LZ dictionary");
1030 /* gz APIs only: should not happen */
1031 png_ptr
->zstream
.msg
= PNGZ_MSG_CAST("zlib IO error");
1034 case Z_STREAM_ERROR
:
1035 /* internal libpng error */
1036 png_ptr
->zstream
.msg
= PNGZ_MSG_CAST("bad parameters to zlib");
1040 png_ptr
->zstream
.msg
= PNGZ_MSG_CAST("damaged LZ stream");
1044 png_ptr
->zstream
.msg
= PNGZ_MSG_CAST("insufficient memory");
1048 /* End of input or output; not a problem if the caller is doing
1049 * incremental read or write.
1051 png_ptr
->zstream
.msg
= PNGZ_MSG_CAST("truncated");
1054 case Z_VERSION_ERROR
:
1055 png_ptr
->zstream
.msg
= PNGZ_MSG_CAST("unsupported zlib version");
1058 case PNG_UNEXPECTED_ZLIB_RETURN
:
1059 /* Compile errors here mean that zlib now uses the value co-opted in
1060 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1061 * and change pngpriv.h. Note that this message is "... return",
1062 * whereas the default/Z_OK one is "... return code".
1064 png_ptr
->zstream
.msg
= PNGZ_MSG_CAST("unexpected zlib return");
1069 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1073 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1074 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1076 png_colorspace_check_gamma(png_const_structrp png_ptr
,
1077 png_colorspacerp colorspace
, png_fixed_point gAMA
, int from
)
1078 /* This is called to check a new gamma value against an existing one. The
1079 * routine returns false if the new gamma value should not be written.
1081 * 'from' says where the new gamma value comes from:
1083 * 0: the new gamma value is the libpng estimate for an ICC profile
1084 * 1: the new gamma value comes from a gAMA chunk
1085 * 2: the new gamma value comes from an sRGB chunk
1088 png_fixed_point gtest
;
1090 if ((colorspace
->flags
& PNG_COLORSPACE_HAVE_GAMMA
) != 0 &&
1091 (png_muldiv(>est
, colorspace
->gamma
, PNG_FP_1
, gAMA
) == 0 ||
1092 png_gamma_significant(gtest
) != 0))
1094 /* Either this is an sRGB image, in which case the calculated gamma
1095 * approximation should match, or this is an image with a profile and the
1096 * value libpng calculates for the gamma of the profile does not match the
1097 * value recorded in the file. The former, sRGB, case is an error, the
1098 * latter is just a warning.
1100 if ((colorspace
->flags
& PNG_COLORSPACE_FROM_sRGB
) != 0 || from
== 2)
1102 png_chunk_report(png_ptr
, "gamma value does not match sRGB",
1104 /* Do not overwrite an sRGB value */
1108 else /* sRGB tag not involved */
1110 png_chunk_report(png_ptr
, "gamma value does not match libpng estimate",
1120 png_colorspace_set_gamma(png_const_structrp png_ptr
,
1121 png_colorspacerp colorspace
, png_fixed_point gAMA
)
1123 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1124 * occur. Since the fixed point representation is asymetrical it is
1125 * possible for 1/gamma to overflow the limit of 21474 and this means the
1126 * gamma value must be at least 5/100000 and hence at most 20000.0. For
1127 * safety the limits here are a little narrower. The values are 0.00016 to
1128 * 6250.0, which are truly ridiculous gamma values (and will produce
1129 * displays that are all black or all white.)
1131 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1132 * handling code, which only required the value to be >0.
1134 png_const_charp errmsg
;
1136 if (gAMA
< 16 || gAMA
> 625000000)
1137 errmsg
= "gamma value out of range";
1139 # ifdef PNG_READ_gAMA_SUPPORTED
1140 /* Allow the application to set the gamma value more than once */
1141 else if ((png_ptr
->mode
& PNG_IS_READ_STRUCT
) != 0 &&
1142 (colorspace
->flags
& PNG_COLORSPACE_FROM_gAMA
) != 0)
1143 errmsg
= "duplicate";
1146 /* Do nothing if the colorspace is already invalid */
1147 else if ((colorspace
->flags
& PNG_COLORSPACE_INVALID
) != 0)
1152 if (png_colorspace_check_gamma(png_ptr
, colorspace
, gAMA
,
1153 1/*from gAMA*/) != 0)
1155 /* Store this gamma value. */
1156 colorspace
->gamma
= gAMA
;
1157 colorspace
->flags
|=
1158 (PNG_COLORSPACE_HAVE_GAMMA
| PNG_COLORSPACE_FROM_gAMA
);
1161 /* At present if the check_gamma test fails the gamma of the colorspace is
1162 * not updated however the colorspace is not invalidated. This
1163 * corresponds to the case where the existing gamma comes from an sRGB
1164 * chunk or profile. An error message has already been output.
1169 /* Error exit - errmsg has been set. */
1170 colorspace
->flags
|= PNG_COLORSPACE_INVALID
;
1171 png_chunk_report(png_ptr
, errmsg
, PNG_CHUNK_WRITE_ERROR
);
1175 png_colorspace_sync_info(png_const_structrp png_ptr
, png_inforp info_ptr
)
1177 if ((info_ptr
->colorspace
.flags
& PNG_COLORSPACE_INVALID
) != 0)
1179 /* Everything is invalid */
1180 info_ptr
->valid
&= ~(PNG_INFO_gAMA
|PNG_INFO_cHRM
|PNG_INFO_sRGB
|
1183 # ifdef PNG_COLORSPACE_SUPPORTED
1184 /* Clean up the iCCP profile now if it won't be used. */
1185 png_free_data(png_ptr
, info_ptr
, PNG_FREE_ICCP
, -1/*not used*/);
1193 # ifdef PNG_COLORSPACE_SUPPORTED
1194 /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1195 * it; this allows a PNG to contain a profile which matches sRGB and
1196 * yet still have that profile retrievable by the application.
1198 if ((info_ptr
->colorspace
.flags
& PNG_COLORSPACE_MATCHES_sRGB
) != 0)
1199 info_ptr
->valid
|= PNG_INFO_sRGB
;
1202 info_ptr
->valid
&= ~PNG_INFO_sRGB
;
1204 if ((info_ptr
->colorspace
.flags
& PNG_COLORSPACE_HAVE_ENDPOINTS
) != 0)
1205 info_ptr
->valid
|= PNG_INFO_cHRM
;
1208 info_ptr
->valid
&= ~PNG_INFO_cHRM
;
1211 if ((info_ptr
->colorspace
.flags
& PNG_COLORSPACE_HAVE_GAMMA
) != 0)
1212 info_ptr
->valid
|= PNG_INFO_gAMA
;
1215 info_ptr
->valid
&= ~PNG_INFO_gAMA
;
1219 #ifdef PNG_READ_SUPPORTED
1221 png_colorspace_sync(png_const_structrp png_ptr
, png_inforp info_ptr
)
1223 if (info_ptr
== NULL
) /* reduce code size; check here not in the caller */
1226 info_ptr
->colorspace
= png_ptr
->colorspace
;
1227 png_colorspace_sync_info(png_ptr
, info_ptr
);
1232 #ifdef PNG_COLORSPACE_SUPPORTED
1233 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1234 * cHRM, as opposed to using chromaticities. These internal APIs return
1235 * non-zero on a parameter error. The X, Y and Z values are required to be
1236 * positive and less than 1.0.
1239 png_xy_from_XYZ(png_xy
*xy
, const png_XYZ
*XYZ
)
1241 png_int_32 d
, dwhite
, whiteX
, whiteY
;
1243 d
= XYZ
->red_X
+ XYZ
->red_Y
+ XYZ
->red_Z
;
1244 if (png_muldiv(&xy
->redx
, XYZ
->red_X
, PNG_FP_1
, d
) == 0)
1246 if (png_muldiv(&xy
->redy
, XYZ
->red_Y
, PNG_FP_1
, d
) == 0)
1249 whiteX
= XYZ
->red_X
;
1250 whiteY
= XYZ
->red_Y
;
1252 d
= XYZ
->green_X
+ XYZ
->green_Y
+ XYZ
->green_Z
;
1253 if (png_muldiv(&xy
->greenx
, XYZ
->green_X
, PNG_FP_1
, d
) == 0)
1255 if (png_muldiv(&xy
->greeny
, XYZ
->green_Y
, PNG_FP_1
, d
) == 0)
1258 whiteX
+= XYZ
->green_X
;
1259 whiteY
+= XYZ
->green_Y
;
1261 d
= XYZ
->blue_X
+ XYZ
->blue_Y
+ XYZ
->blue_Z
;
1262 if (png_muldiv(&xy
->bluex
, XYZ
->blue_X
, PNG_FP_1
, d
) == 0)
1264 if (png_muldiv(&xy
->bluey
, XYZ
->blue_Y
, PNG_FP_1
, d
) == 0)
1267 whiteX
+= XYZ
->blue_X
;
1268 whiteY
+= XYZ
->blue_Y
;
1270 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
1273 if (png_muldiv(&xy
->whitex
, whiteX
, PNG_FP_1
, dwhite
) == 0)
1275 if (png_muldiv(&xy
->whitey
, whiteY
, PNG_FP_1
, dwhite
) == 0)
1282 png_XYZ_from_xy(png_XYZ
*XYZ
, const png_xy
*xy
)
1284 png_fixed_point red_inverse
, green_inverse
, blue_scale
;
1285 png_fixed_point left
, right
, denominator
;
1287 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically
1288 * have end points with 0 tristimulus values (these are impossible end
1289 * points, but they are used to cover the possible colors). We check
1290 * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1292 if (xy
->redx
< 0 || xy
->redx
> PNG_FP_1
) return 1;
1293 if (xy
->redy
< 0 || xy
->redy
> PNG_FP_1
-xy
->redx
) return 1;
1294 if (xy
->greenx
< 0 || xy
->greenx
> PNG_FP_1
) return 1;
1295 if (xy
->greeny
< 0 || xy
->greeny
> PNG_FP_1
-xy
->greenx
) return 1;
1296 if (xy
->bluex
< 0 || xy
->bluex
> PNG_FP_1
) return 1;
1297 if (xy
->bluey
< 0 || xy
->bluey
> PNG_FP_1
-xy
->bluex
) return 1;
1298 if (xy
->whitex
< 0 || xy
->whitex
> PNG_FP_1
) return 1;
1299 if (xy
->whitey
< 5 || xy
->whitey
> PNG_FP_1
-xy
->whitex
) return 1;
1301 /* The reverse calculation is more difficult because the original tristimulus
1302 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1303 * derived values were recorded in the cHRM chunk;
1304 * (red,green,blue,white)x(x,y). This loses one degree of freedom and
1305 * therefore an arbitrary ninth value has to be introduced to undo the
1306 * original transformations.
1308 * Think of the original end-points as points in (X,Y,Z) space. The
1309 * chromaticity values (c) have the property:
1315 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the
1316 * three chromaticity values (x,y,z) for each end-point obey the
1321 * This describes the plane in (X,Y,Z) space that intersects each axis at the
1322 * value 1.0; call this the chromaticity plane. Thus the chromaticity
1323 * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1324 * and chromaticity is the intersection of the vector from the origin to the
1325 * (X,Y,Z) value with the chromaticity plane.
1327 * To fully invert the chromaticity calculation we would need the three
1328 * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1329 * were not recorded. Instead we calculated the reference white (X,Y,Z) and
1330 * recorded the chromaticity of this. The reference white (X,Y,Z) would have
1331 * given all three of the scale factors since:
1333 * color-C = color-c * color-scale
1334 * white-C = red-C + green-C + blue-C
1335 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1337 * But cHRM records only white-x and white-y, so we have lost the white scale
1340 * white-C = white-c*white-scale
1342 * To handle this the inverse transformation makes an arbitrary assumption
1343 * about white-scale:
1345 * Assume: white-Y = 1.0
1346 * Hence: white-scale = 1/white-y
1347 * Or: red-Y + green-Y + blue-Y = 1.0
1349 * Notice the last statement of the assumption gives an equation in three of
1350 * the nine values we want to calculate. 8 more equations come from the
1351 * above routine as summarised at the top above (the chromaticity
1354 * Given: color-x = color-X / (color-X + color-Y + color-Z)
1355 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1357 * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1358 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix
1359 * determinants, however this is not as bad as it seems because only 28 of
1360 * the total of 90 terms in the various matrices are non-zero. Nevertheless
1361 * Cramer's rule is notoriously numerically unstable because the determinant
1362 * calculation involves the difference of large, but similar, numbers. It is
1363 * difficult to be sure that the calculation is stable for real world values
1364 * and it is certain that it becomes unstable where the end points are close
1367 * So this code uses the perhaps slightly less optimal but more
1368 * understandable and totally obvious approach of calculating color-scale.
1370 * This algorithm depends on the precision in white-scale and that is
1371 * (1/white-y), so we can immediately see that as white-y approaches 0 the
1372 * accuracy inherent in the cHRM chunk drops off substantially.
1374 * libpng arithmetic: a simple inversion of the above equations
1375 * ------------------------------------------------------------
1377 * white_scale = 1/white-y
1378 * white-X = white-x * white-scale
1380 * white-Z = (1 - white-x - white-y) * white_scale
1382 * white-C = red-C + green-C + blue-C
1383 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1385 * This gives us three equations in (red-scale,green-scale,blue-scale) where
1386 * all the coefficients are now known:
1388 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1390 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1391 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1392 * = (1 - white-x - white-y)/white-y
1394 * In the last equation color-z is (1 - color-x - color-y) so we can add all
1395 * three equations together to get an alternative third:
1397 * red-scale + green-scale + blue-scale = 1/white-y = white-scale
1399 * So now we have a Cramer's rule solution where the determinants are just
1400 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve
1401 * multiplication of three coefficients so we can't guarantee to avoid
1402 * overflow in the libpng fixed point representation. Using Cramer's rule in
1403 * floating point is probably a good choice here, but it's not an option for
1404 * fixed point. Instead proceed to simplify the first two equations by
1405 * eliminating what is likely to be the largest value, blue-scale:
1407 * blue-scale = white-scale - red-scale - green-scale
1411 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1412 * (white-x - blue-x)*white-scale
1414 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1415 * 1 - blue-y*white-scale
1417 * And now we can trivially solve for (red-scale,green-scale):
1420 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1421 * -----------------------------------------------------------
1425 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1426 * ---------------------------------------------------------
1432 * ( (green-x - blue-x) * (white-y - blue-y) -
1433 * (green-y - blue-y) * (white-x - blue-x) ) / white-y
1434 * -------------------------------------------------------------------------
1435 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1438 * ( (red-y - blue-y) * (white-x - blue-x) -
1439 * (red-x - blue-x) * (white-y - blue-y) ) / white-y
1440 * -------------------------------------------------------------------------
1441 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1444 * The input values have 5 decimal digits of accuracy. The values are all in
1445 * the range 0 < value < 1, so simple products are in the same range but may
1446 * need up to 10 decimal digits to preserve the original precision and avoid
1447 * underflow. Because we are using a 32-bit signed representation we cannot
1448 * match this; the best is a little over 9 decimal digits, less than 10.
1450 * The approach used here is to preserve the maximum precision within the
1451 * signed representation. Because the red-scale calculation above uses the
1452 * difference between two products of values that must be in the range -1..+1
1453 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The
1454 * factor is irrelevant in the calculation because it is applied to both
1455 * numerator and denominator.
1457 * Note that the values of the differences of the products of the
1458 * chromaticities in the above equations tend to be small, for example for
1459 * the sRGB chromaticities they are:
1461 * red numerator: -0.04751
1462 * green numerator: -0.08788
1463 * denominator: -0.2241 (without white-y multiplication)
1465 * The resultant Y coefficients from the chromaticities of some widely used
1466 * color space definitions are (to 15 decimal places):
1469 * 0.212639005871510 0.715168678767756 0.072192315360734
1471 * 0.288071128229293 0.711843217810102 0.000085653960605
1473 * 0.297344975250536 0.627363566255466 0.075291458493998
1474 * Adobe Wide Gamut RGB
1475 * 0.258728243040113 0.724682314948566 0.016589442011321
1477 /* By the argument, above overflow should be impossible here. The return
1478 * value of 2 indicates an internal error to the caller.
1480 if (png_muldiv(&left
, xy
->greenx
-xy
->bluex
, xy
->redy
- xy
->bluey
, 7) == 0)
1482 if (png_muldiv(&right
, xy
->greeny
-xy
->bluey
, xy
->redx
- xy
->bluex
, 7) == 0)
1484 denominator
= left
- right
;
1486 /* Now find the red numerator. */
1487 if (png_muldiv(&left
, xy
->greenx
-xy
->bluex
, xy
->whitey
-xy
->bluey
, 7) == 0)
1489 if (png_muldiv(&right
, xy
->greeny
-xy
->bluey
, xy
->whitex
-xy
->bluex
, 7) == 0)
1492 /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1493 * chunk values. This calculation actually returns the reciprocal of the
1494 * scale value because this allows us to delay the multiplication of white-y
1495 * into the denominator, which tends to produce a small number.
1497 if (png_muldiv(&red_inverse
, xy
->whitey
, denominator
, left
-right
) == 0 ||
1498 red_inverse
<= xy
->whitey
/* r+g+b scales = white scale */)
1501 /* Similarly for green_inverse: */
1502 if (png_muldiv(&left
, xy
->redy
-xy
->bluey
, xy
->whitex
-xy
->bluex
, 7) == 0)
1504 if (png_muldiv(&right
, xy
->redx
-xy
->bluex
, xy
->whitey
-xy
->bluey
, 7) == 0)
1506 if (png_muldiv(&green_inverse
, xy
->whitey
, denominator
, left
-right
) == 0 ||
1507 green_inverse
<= xy
->whitey
)
1510 /* And the blue scale, the checks above guarantee this can't overflow but it
1511 * can still produce 0 for extreme cHRM values.
1513 blue_scale
= png_reciprocal(xy
->whitey
) - png_reciprocal(red_inverse
) -
1514 png_reciprocal(green_inverse
);
1515 if (blue_scale
<= 0)
1519 /* And fill in the png_XYZ: */
1520 if (png_muldiv(&XYZ
->red_X
, xy
->redx
, PNG_FP_1
, red_inverse
) == 0)
1522 if (png_muldiv(&XYZ
->red_Y
, xy
->redy
, PNG_FP_1
, red_inverse
) == 0)
1524 if (png_muldiv(&XYZ
->red_Z
, PNG_FP_1
- xy
->redx
- xy
->redy
, PNG_FP_1
,
1528 if (png_muldiv(&XYZ
->green_X
, xy
->greenx
, PNG_FP_1
, green_inverse
) == 0)
1530 if (png_muldiv(&XYZ
->green_Y
, xy
->greeny
, PNG_FP_1
, green_inverse
) == 0)
1532 if (png_muldiv(&XYZ
->green_Z
, PNG_FP_1
- xy
->greenx
- xy
->greeny
, PNG_FP_1
,
1533 green_inverse
) == 0)
1536 if (png_muldiv(&XYZ
->blue_X
, xy
->bluex
, blue_scale
, PNG_FP_1
) == 0)
1538 if (png_muldiv(&XYZ
->blue_Y
, xy
->bluey
, blue_scale
, PNG_FP_1
) == 0)
1540 if (png_muldiv(&XYZ
->blue_Z
, PNG_FP_1
- xy
->bluex
- xy
->bluey
, blue_scale
,
1544 return 0; /*success*/
1548 png_XYZ_normalize(png_XYZ
*XYZ
)
1552 if (XYZ
->red_Y
< 0 || XYZ
->green_Y
< 0 || XYZ
->blue_Y
< 0 ||
1553 XYZ
->red_X
< 0 || XYZ
->green_X
< 0 || XYZ
->blue_X
< 0 ||
1554 XYZ
->red_Z
< 0 || XYZ
->green_Z
< 0 || XYZ
->blue_Z
< 0)
1557 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1558 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1559 * relying on addition of two positive values producing a negative one is not
1563 if (0x7fffffff - Y
< XYZ
->green_X
)
1566 if (0x7fffffff - Y
< XYZ
->blue_X
)
1572 if (png_muldiv(&XYZ
->red_X
, XYZ
->red_X
, PNG_FP_1
, Y
) == 0)
1574 if (png_muldiv(&XYZ
->red_Y
, XYZ
->red_Y
, PNG_FP_1
, Y
) == 0)
1576 if (png_muldiv(&XYZ
->red_Z
, XYZ
->red_Z
, PNG_FP_1
, Y
) == 0)
1579 if (png_muldiv(&XYZ
->green_X
, XYZ
->green_X
, PNG_FP_1
, Y
) == 0)
1581 if (png_muldiv(&XYZ
->green_Y
, XYZ
->green_Y
, PNG_FP_1
, Y
) == 0)
1583 if (png_muldiv(&XYZ
->green_Z
, XYZ
->green_Z
, PNG_FP_1
, Y
) == 0)
1586 if (png_muldiv(&XYZ
->blue_X
, XYZ
->blue_X
, PNG_FP_1
, Y
) == 0)
1588 if (png_muldiv(&XYZ
->blue_Y
, XYZ
->blue_Y
, PNG_FP_1
, Y
) == 0)
1590 if (png_muldiv(&XYZ
->blue_Z
, XYZ
->blue_Z
, PNG_FP_1
, Y
) == 0)
1598 png_colorspace_endpoints_match(const png_xy
*xy1
, const png_xy
*xy2
, int delta
)
1600 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1601 if (PNG_OUT_OF_RANGE(xy1
->whitex
, xy2
->whitex
,delta
) ||
1602 PNG_OUT_OF_RANGE(xy1
->whitey
, xy2
->whitey
,delta
) ||
1603 PNG_OUT_OF_RANGE(xy1
->redx
, xy2
->redx
, delta
) ||
1604 PNG_OUT_OF_RANGE(xy1
->redy
, xy2
->redy
, delta
) ||
1605 PNG_OUT_OF_RANGE(xy1
->greenx
, xy2
->greenx
,delta
) ||
1606 PNG_OUT_OF_RANGE(xy1
->greeny
, xy2
->greeny
,delta
) ||
1607 PNG_OUT_OF_RANGE(xy1
->bluex
, xy2
->bluex
, delta
) ||
1608 PNG_OUT_OF_RANGE(xy1
->bluey
, xy2
->bluey
, delta
))
1613 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1614 * chunk chromaticities. Earlier checks used to simply look for the overflow
1615 * condition (where the determinant of the matrix to solve for XYZ ends up zero
1616 * because the chromaticity values are not all distinct.) Despite this it is
1617 * theoretically possible to produce chromaticities that are apparently valid
1618 * but that rapidly degrade to invalid, potentially crashing, sets because of
1619 * arithmetic inaccuracies when calculations are performed on them. The new
1620 * check is to round-trip xy -> XYZ -> xy and then check that the result is
1621 * within a small percentage of the original.
1624 png_colorspace_check_xy(png_XYZ
*XYZ
, const png_xy
*xy
)
1629 /* As a side-effect this routine also returns the XYZ endpoints. */
1630 result
= png_XYZ_from_xy(XYZ
, xy
);
1634 result
= png_xy_from_XYZ(&xy_test
, XYZ
);
1638 if (png_colorspace_endpoints_match(xy
, &xy_test
,
1639 5/*actually, the math is pretty accurate*/) != 0)
1646 /* This is the check going the other way. The XYZ is modified to normalize it
1647 * (another side-effect) and the xy chromaticities are returned.
1650 png_colorspace_check_XYZ(png_xy
*xy
, png_XYZ
*XYZ
)
1655 result
= png_XYZ_normalize(XYZ
);
1659 result
= png_xy_from_XYZ(xy
, XYZ
);
1664 return png_colorspace_check_xy(&XYZtemp
, xy
);
1667 /* Used to check for an endpoint match against sRGB */
1668 static const png_xy sRGB_xy
= /* From ITU-R BT.709-3 */
1671 /* red */ 64000, 33000,
1672 /* green */ 30000, 60000,
1673 /* blue */ 15000, 6000,
1674 /* white */ 31270, 32900
1678 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr
,
1679 png_colorspacerp colorspace
, const png_xy
*xy
, const png_XYZ
*XYZ
,
1682 if ((colorspace
->flags
& PNG_COLORSPACE_INVALID
) != 0)
1685 /* The consistency check is performed on the chromaticities; this factors out
1686 * variations because of the normalization (or not) of the end point Y
1689 if (preferred
< 2 &&
1690 (colorspace
->flags
& PNG_COLORSPACE_HAVE_ENDPOINTS
) != 0)
1692 /* The end points must be reasonably close to any we already have. The
1693 * following allows an error of up to +/-.001
1695 if (png_colorspace_endpoints_match(xy
, &colorspace
->end_points_xy
,
1698 colorspace
->flags
|= PNG_COLORSPACE_INVALID
;
1699 png_benign_error(png_ptr
, "inconsistent chromaticities");
1700 return 0; /* failed */
1703 /* Only overwrite with preferred values */
1705 return 1; /* ok, but no change */
1708 colorspace
->end_points_xy
= *xy
;
1709 colorspace
->end_points_XYZ
= *XYZ
;
1710 colorspace
->flags
|= PNG_COLORSPACE_HAVE_ENDPOINTS
;
1712 /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1715 if (png_colorspace_endpoints_match(xy
, &sRGB_xy
, 1000) != 0)
1716 colorspace
->flags
|= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB
;
1719 colorspace
->flags
&= PNG_COLORSPACE_CANCEL(
1720 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB
);
1722 return 2; /* ok and changed */
1726 png_colorspace_set_chromaticities(png_const_structrp png_ptr
,
1727 png_colorspacerp colorspace
, const png_xy
*xy
, int preferred
)
1729 /* We must check the end points to ensure they are reasonable - in the past
1730 * color management systems have crashed as a result of getting bogus
1731 * colorant values, while this isn't the fault of libpng it is the
1732 * responsibility of libpng because PNG carries the bomb and libpng is in a
1733 * position to protect against it.
1737 switch (png_colorspace_check_xy(&XYZ
, xy
))
1739 case 0: /* success */
1740 return png_colorspace_set_xy_and_XYZ(png_ptr
, colorspace
, xy
, &XYZ
,
1744 /* We can't invert the chromaticities so we can't produce value XYZ
1745 * values. Likely as not a color management system will fail too.
1747 colorspace
->flags
|= PNG_COLORSPACE_INVALID
;
1748 png_benign_error(png_ptr
, "invalid chromaticities");
1752 /* libpng is broken; this should be a warning but if it happens we
1753 * want error reports so for the moment it is an error.
1755 colorspace
->flags
|= PNG_COLORSPACE_INVALID
;
1756 png_error(png_ptr
, "internal error checking chromaticities");
1759 return 0; /* failed */
1763 png_colorspace_set_endpoints(png_const_structrp png_ptr
,
1764 png_colorspacerp colorspace
, const png_XYZ
*XYZ_in
, int preferred
)
1766 png_XYZ XYZ
= *XYZ_in
;
1769 switch (png_colorspace_check_XYZ(&xy
, &XYZ
))
1772 return png_colorspace_set_xy_and_XYZ(png_ptr
, colorspace
, &xy
, &XYZ
,
1776 /* End points are invalid. */
1777 colorspace
->flags
|= PNG_COLORSPACE_INVALID
;
1778 png_benign_error(png_ptr
, "invalid end points");
1782 colorspace
->flags
|= PNG_COLORSPACE_INVALID
;
1783 png_error(png_ptr
, "internal error checking chromaticities");
1786 return 0; /* failed */
1789 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1790 /* Error message generation */
1792 png_icc_tag_char(png_uint_32 byte
)
1795 if (byte
>= 32 && byte
<= 126)
1802 png_icc_tag_name(char *name
, png_uint_32 tag
)
1805 name
[1] = png_icc_tag_char(tag
>> 24);
1806 name
[2] = png_icc_tag_char(tag
>> 16);
1807 name
[3] = png_icc_tag_char(tag
>> 8);
1808 name
[4] = png_icc_tag_char(tag
);
1813 is_ICC_signature_char(png_alloc_size_t it
)
1815 return it
== 32 || (it
>= 48 && it
<= 57) || (it
>= 65 && it
<= 90) ||
1816 (it
>= 97 && it
<= 122);
1820 is_ICC_signature(png_alloc_size_t it
)
1822 return is_ICC_signature_char(it
>> 24) /* checks all the top bits */ &&
1823 is_ICC_signature_char((it
>> 16) & 0xff) &&
1824 is_ICC_signature_char((it
>> 8) & 0xff) &&
1825 is_ICC_signature_char(it
& 0xff);
1829 png_icc_profile_error(png_const_structrp png_ptr
, png_colorspacerp colorspace
,
1830 png_const_charp name
, png_alloc_size_t value
, png_const_charp reason
)
1833 char message
[196]; /* see below for calculation */
1835 if (colorspace
!= NULL
)
1836 colorspace
->flags
|= PNG_COLORSPACE_INVALID
;
1838 pos
= png_safecat(message
, (sizeof message
), 0, "profile '"); /* 9 chars */
1839 pos
= png_safecat(message
, pos
+79, pos
, name
); /* Truncate to 79 chars */
1840 pos
= png_safecat(message
, (sizeof message
), pos
, "': "); /* +2 = 90 */
1841 if (is_ICC_signature(value
) != 0)
1843 /* So 'value' is at most 4 bytes and the following cast is safe */
1844 png_icc_tag_name(message
+pos
, (png_uint_32
)value
);
1845 pos
+= 6; /* total +8; less than the else clause */
1846 message
[pos
++] = ':';
1847 message
[pos
++] = ' ';
1849 # ifdef PNG_WARNINGS_SUPPORTED
1852 char number
[PNG_NUMBER_BUFFER_SIZE
]; /* +24 = 114*/
1854 pos
= png_safecat(message
, (sizeof message
), pos
,
1855 png_format_number(number
, number
+(sizeof number
),
1856 PNG_NUMBER_FORMAT_x
, value
));
1857 pos
= png_safecat(message
, (sizeof message
), pos
, "h: "); /*+2 = 116*/
1860 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1861 pos
= png_safecat(message
, (sizeof message
), pos
, reason
);
1864 /* This is recoverable, but make it unconditionally an app_error on write to
1865 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1866 * on read, with a warning, but on write unless the app turns off
1867 * application errors the PNG won't be written.)
1869 png_chunk_report(png_ptr
, message
,
1870 (colorspace
!= NULL
) ? PNG_CHUNK_ERROR
: PNG_CHUNK_WRITE_ERROR
);
1874 #endif /* sRGB || iCCP */
1876 #ifdef PNG_sRGB_SUPPORTED
1878 png_colorspace_set_sRGB(png_const_structrp png_ptr
, png_colorspacerp colorspace
,
1881 /* sRGB sets known gamma, end points and (from the chunk) intent. */
1882 /* IMPORTANT: these are not necessarily the values found in an ICC profile
1883 * because ICC profiles store values adapted to a D50 environment; it is
1884 * expected that the ICC profile mediaWhitePointTag will be D50; see the
1885 * checks and code elsewhere to understand this better.
1887 * These XYZ values, which are accurate to 5dp, produce rgb to gray
1888 * coefficients of (6968,23435,2366), which are reduced (because they add up
1889 * to 32769 not 32768) to (6968,23434,2366). These are the values that
1890 * libpng has traditionally used (and are the best values given the 15bit
1891 * algorithm used by the rgb to gray code.)
1893 static const png_XYZ sRGB_XYZ
= /* D65 XYZ (*not* the D50 adapted values!) */
1896 /* red */ 41239, 21264, 1933,
1897 /* green */ 35758, 71517, 11919,
1898 /* blue */ 18048, 7219, 95053
1901 /* Do nothing if the colorspace is already invalidated. */
1902 if ((colorspace
->flags
& PNG_COLORSPACE_INVALID
) != 0)
1905 /* Check the intent, then check for existing settings. It is valid for the
1906 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1907 * be consistent with the correct values. If, however, this function is
1908 * called below because an iCCP chunk matches sRGB then it is quite
1909 * conceivable that an older app recorded incorrect gAMA and cHRM because of
1910 * an incorrect calculation based on the values in the profile - this does
1911 * *not* invalidate the profile (though it still produces an error, which can
1914 if (intent
< 0 || intent
>= PNG_sRGB_INTENT_LAST
)
1915 return png_icc_profile_error(png_ptr
, colorspace
, "sRGB",
1916 (png_alloc_size_t
)intent
, "invalid sRGB rendering intent");
1918 if ((colorspace
->flags
& PNG_COLORSPACE_HAVE_INTENT
) != 0 &&
1919 colorspace
->rendering_intent
!= intent
)
1920 return png_icc_profile_error(png_ptr
, colorspace
, "sRGB",
1921 (png_alloc_size_t
)intent
, "inconsistent rendering intents");
1923 if ((colorspace
->flags
& PNG_COLORSPACE_FROM_sRGB
) != 0)
1925 png_benign_error(png_ptr
, "duplicate sRGB information ignored");
1929 /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1930 * warn but overwrite the value with the correct one.
1932 if ((colorspace
->flags
& PNG_COLORSPACE_HAVE_ENDPOINTS
) != 0 &&
1933 !png_colorspace_endpoints_match(&sRGB_xy
, &colorspace
->end_points_xy
,
1935 png_chunk_report(png_ptr
, "cHRM chunk does not match sRGB",
1938 /* This check is just done for the error reporting - the routine always
1939 * returns true when the 'from' argument corresponds to sRGB (2).
1941 (void)png_colorspace_check_gamma(png_ptr
, colorspace
, PNG_GAMMA_sRGB_INVERSE
,
1944 /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1945 colorspace
->rendering_intent
= (png_uint_16
)intent
;
1946 colorspace
->flags
|= PNG_COLORSPACE_HAVE_INTENT
;
1949 colorspace
->end_points_xy
= sRGB_xy
;
1950 colorspace
->end_points_XYZ
= sRGB_XYZ
;
1951 colorspace
->flags
|=
1952 (PNG_COLORSPACE_HAVE_ENDPOINTS
|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB
);
1955 colorspace
->gamma
= PNG_GAMMA_sRGB_INVERSE
;
1956 colorspace
->flags
|= PNG_COLORSPACE_HAVE_GAMMA
;
1958 /* Finally record that we have an sRGB profile */
1959 colorspace
->flags
|=
1960 (PNG_COLORSPACE_MATCHES_sRGB
|PNG_COLORSPACE_FROM_sRGB
);
1966 #ifdef PNG_iCCP_SUPPORTED
1967 /* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value
1968 * is XYZ(0.9642,1.0,0.8249), which scales to:
1970 * (63189.8112, 65536, 54060.6464)
1972 static const png_byte D50_nCIEXYZ
[12] =
1973 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1975 static int /* bool */
1976 icc_check_length(png_const_structrp png_ptr
, png_colorspacerp colorspace
,
1977 png_const_charp name
, png_uint_32 profile_length
)
1979 if (profile_length
< 132)
1980 return png_icc_profile_error(png_ptr
, colorspace
, name
, profile_length
,
1985 #ifdef PNG_READ_iCCP_SUPPORTED
1987 png_icc_check_length(png_const_structrp png_ptr
, png_colorspacerp colorspace
,
1988 png_const_charp name
, png_uint_32 profile_length
)
1990 if (!icc_check_length(png_ptr
, colorspace
, name
, profile_length
))
1993 /* This needs to be here because the 'normal' check is in
1994 * png_decompress_chunk, yet this happens after the attempt to
1995 * png_malloc_base the required data. We only need this on read; on write
1996 * the caller supplies the profile buffer so libpng doesn't allocate it. See
1997 * the call to icc_check_length below (the write case).
1999 # ifdef PNG_SET_USER_LIMITS_SUPPORTED
2000 else if (png_ptr
->user_chunk_malloc_max
> 0 &&
2001 png_ptr
->user_chunk_malloc_max
< profile_length
)
2002 return png_icc_profile_error(png_ptr
, colorspace
, name
, profile_length
,
2003 "exceeds application limits");
2004 # elif PNG_USER_CHUNK_MALLOC_MAX > 0
2005 else if (PNG_USER_CHUNK_MALLOC_MAX
< profile_length
)
2006 return png_icc_profile_error(png_ptr
, colorspace
, name
, profile_length
,
2007 "exceeds libpng limits");
2008 # else /* !SET_USER_LIMITS */
2009 /* This will get compiled out on all 32-bit and better systems. */
2010 else if (PNG_SIZE_MAX
< profile_length
)
2011 return png_icc_profile_error(png_ptr
, colorspace
, name
, profile_length
,
2012 "exceeds system limits");
2013 # endif /* !SET_USER_LIMITS */
2017 #endif /* READ_iCCP */
2020 png_icc_check_header(png_const_structrp png_ptr
, png_colorspacerp colorspace
,
2021 png_const_charp name
, png_uint_32 profile_length
,
2022 png_const_bytep profile
/* first 132 bytes only */, int color_type
)
2026 /* Length check; this cannot be ignored in this code because profile_length
2027 * is used later to check the tag table, so even if the profile seems over
2028 * long profile_length from the caller must be correct. The caller can fix
2029 * this up on read or write by just passing in the profile header length.
2031 temp
= png_get_uint_32(profile
);
2032 if (temp
!= profile_length
)
2033 return png_icc_profile_error(png_ptr
, colorspace
, name
, temp
,
2034 "length does not match profile");
2036 temp
= (png_uint_32
) (*(profile
+8));
2037 if (temp
> 3 && (profile_length
& 3))
2038 return png_icc_profile_error(png_ptr
, colorspace
, name
, profile_length
,
2041 temp
= png_get_uint_32(profile
+128); /* tag count: 12 bytes/tag */
2042 if (temp
> 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
2043 profile_length
< 132+12*temp
) /* truncated tag table */
2044 return png_icc_profile_error(png_ptr
, colorspace
, name
, temp
,
2045 "tag count too large");
2047 /* The 'intent' must be valid or we can't store it, ICC limits the intent to
2050 temp
= png_get_uint_32(profile
+64);
2051 if (temp
>= 0xffff) /* The ICC limit */
2052 return png_icc_profile_error(png_ptr
, colorspace
, name
, temp
,
2053 "invalid rendering intent");
2055 /* This is just a warning because the profile may be valid in future
2058 if (temp
>= PNG_sRGB_INTENT_LAST
)
2059 (void)png_icc_profile_error(png_ptr
, NULL
, name
, temp
,
2060 "intent outside defined range");
2062 /* At this point the tag table can't be checked because it hasn't necessarily
2063 * been loaded; however, various header fields can be checked. These checks
2064 * are for values permitted by the PNG spec in an ICC profile; the PNG spec
2065 * restricts the profiles that can be passed in an iCCP chunk (they must be
2066 * appropriate to processing PNG data!)
2069 /* Data checks (could be skipped). These checks must be independent of the
2070 * version number; however, the version number doesn't accommodate changes in
2071 * the header fields (just the known tags and the interpretation of the
2074 temp
= png_get_uint_32(profile
+36); /* signature 'ascp' */
2075 if (temp
!= 0x61637370)
2076 return png_icc_profile_error(png_ptr
, colorspace
, name
, temp
,
2077 "invalid signature");
2079 /* Currently the PCS illuminant/adopted white point (the computational
2080 * white point) are required to be D50,
2081 * however the profile contains a record of the illuminant so perhaps ICC
2082 * expects to be able to change this in the future (despite the rationale in
2083 * the introduction for using a fixed PCS adopted white.) Consequently the
2084 * following is just a warning.
2086 if (memcmp(profile
+68, D50_nCIEXYZ
, 12) != 0)
2087 (void)png_icc_profile_error(png_ptr
, NULL
, name
, 0/*no tag value*/,
2088 "PCS illuminant is not D50");
2090 /* The PNG spec requires this:
2091 * "If the iCCP chunk is present, the image samples conform to the colour
2092 * space represented by the embedded ICC profile as defined by the
2093 * International Color Consortium [ICC]. The colour space of the ICC profile
2094 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2095 * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2098 * This checking code ensures the embedded profile (on either read or write)
2099 * conforms to the specification requirements. Notice that an ICC 'gray'
2100 * color-space profile contains the information to transform the monochrome
2101 * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2102 * should be used in preference to the standard libpng K channel replication
2103 * into R, G and B channels.
2105 * Previously it was suggested that an RGB profile on grayscale data could be
2106 * handled. However it it is clear that using an RGB profile in this context
2107 * must be an error - there is no specification of what it means. Thus it is
2108 * almost certainly more correct to ignore the profile.
2110 temp
= png_get_uint_32(profile
+16); /* data colour space field */
2113 case 0x52474220: /* 'RGB ' */
2114 if ((color_type
& PNG_COLOR_MASK_COLOR
) == 0)
2115 return png_icc_profile_error(png_ptr
, colorspace
, name
, temp
,
2116 "RGB color space not permitted on grayscale PNG");
2119 case 0x47524159: /* 'GRAY' */
2120 if ((color_type
& PNG_COLOR_MASK_COLOR
) != 0)
2121 return png_icc_profile_error(png_ptr
, colorspace
, name
, temp
,
2122 "Gray color space not permitted on RGB PNG");
2126 return png_icc_profile_error(png_ptr
, colorspace
, name
, temp
,
2127 "invalid ICC profile color space");
2130 /* It is up to the application to check that the profile class matches the
2131 * application requirements; the spec provides no guidance, but it's pretty
2132 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2133 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these
2134 * cases. Issue an error for device link or abstract profiles - these don't
2135 * contain the records necessary to transform the color-space to anything
2136 * other than the target device (and not even that for an abstract profile).
2137 * Profiles of these classes may not be embedded in images.
2139 temp
= png_get_uint_32(profile
+12); /* profile/device class */
2142 case 0x73636e72: /* 'scnr' */
2143 case 0x6d6e7472: /* 'mntr' */
2144 case 0x70727472: /* 'prtr' */
2145 case 0x73706163: /* 'spac' */
2149 case 0x61627374: /* 'abst' */
2150 /* May not be embedded in an image */
2151 return png_icc_profile_error(png_ptr
, colorspace
, name
, temp
,
2152 "invalid embedded Abstract ICC profile");
2154 case 0x6c696e6b: /* 'link' */
2155 /* DeviceLink profiles cannot be interpreted in a non-device specific
2156 * fashion, if an app uses the AToB0Tag in the profile the results are
2157 * undefined unless the result is sent to the intended device,
2158 * therefore a DeviceLink profile should not be found embedded in a
2161 return png_icc_profile_error(png_ptr
, colorspace
, name
, temp
,
2162 "unexpected DeviceLink ICC profile class");
2164 case 0x6e6d636c: /* 'nmcl' */
2165 /* A NamedColor profile is also device specific, however it doesn't
2166 * contain an AToB0 tag that is open to misinterpretation. Almost
2167 * certainly it will fail the tests below.
2169 (void)png_icc_profile_error(png_ptr
, NULL
, name
, temp
,
2170 "unexpected NamedColor ICC profile class");
2174 /* To allow for future enhancements to the profile accept unrecognized
2175 * profile classes with a warning, these then hit the test below on the
2176 * tag content to ensure they are backward compatible with one of the
2177 * understood profiles.
2179 (void)png_icc_profile_error(png_ptr
, NULL
, name
, temp
,
2180 "unrecognized ICC profile class");
2184 /* For any profile other than a device link one the PCS must be encoded
2185 * either in XYZ or Lab.
2187 temp
= png_get_uint_32(profile
+20);
2190 case 0x58595a20: /* 'XYZ ' */
2191 case 0x4c616220: /* 'Lab ' */
2195 return png_icc_profile_error(png_ptr
, colorspace
, name
, temp
,
2196 "unexpected ICC PCS encoding");
2203 png_icc_check_tag_table(png_const_structrp png_ptr
, png_colorspacerp colorspace
,
2204 png_const_charp name
, png_uint_32 profile_length
,
2205 png_const_bytep profile
/* header plus whole tag table */)
2207 png_uint_32 tag_count
= png_get_uint_32(profile
+128);
2209 png_const_bytep tag
= profile
+132; /* The first tag */
2211 /* First scan all the tags in the table and add bits to the icc_info value
2212 * (temporarily in 'tags').
2214 for (itag
=0; itag
< tag_count
; ++itag
, tag
+= 12)
2216 png_uint_32 tag_id
= png_get_uint_32(tag
+0);
2217 png_uint_32 tag_start
= png_get_uint_32(tag
+4); /* must be aligned */
2218 png_uint_32 tag_length
= png_get_uint_32(tag
+8);/* not padded */
2220 /* The ICC specification does not exclude zero length tags, therefore the
2221 * start might actually be anywhere if there is no data, but this would be
2222 * a clear abuse of the intent of the standard so the start is checked for
2223 * being in range. All defined tag types have an 8 byte header - a 4 byte
2224 * type signature then 0.
2227 /* This is a hard error; potentially it can cause read outside the
2230 if (tag_start
> profile_length
|| tag_length
> profile_length
- tag_start
)
2231 return png_icc_profile_error(png_ptr
, colorspace
, name
, tag_id
,
2232 "ICC profile tag outside profile");
2234 if ((tag_start
& 3) != 0)
2236 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is
2237 * only a warning here because libpng does not care about the
2240 (void)png_icc_profile_error(png_ptr
, NULL
, name
, tag_id
,
2241 "ICC profile tag start not a multiple of 4");
2245 return 1; /* success, maybe with warnings */
2248 #ifdef PNG_sRGB_SUPPORTED
2249 #if PNG_sRGB_PROFILE_CHECKS >= 0
2250 /* Information about the known ICC sRGB profiles */
2253 png_uint_32 adler
, crc
, length
;
2259 # define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2260 # define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2261 { adler, crc, length, md5, broke, intent },
2263 } png_sRGB_checks
[] =
2265 /* This data comes from contrib/tools/checksum-icc run on downloads of
2266 * all four ICC sRGB profiles from www.color.org.
2268 /* adler32, crc32, MD5[4], intent, date, length, file-name */
2269 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2270 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2271 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2273 /* ICC sRGB v2 perceptual no black-compensation: */
2274 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2275 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2276 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2278 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2279 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2280 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2282 /* ICC sRGB v4 perceptual */
2283 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2284 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2285 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2287 /* The following profiles have no known MD5 checksum. If there is a match
2288 * on the (empty) MD5 the other fields are used to attempt a match and
2289 * a warning is produced. The first two of these profiles have a 'cprt' tag
2290 * which suggests that they were also made by Hewlett Packard.
2292 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2293 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2294 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2296 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2297 * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2298 * so the white point is recorded as the un-adapted value.) The profiles
2299 * below only differ in one byte - the intent - and are basically the same as
2300 * the previous profile except for the mediaWhitePointTag error and a missing
2301 * chromaticAdaptationTag.
2303 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2304 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2305 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2307 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2308 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2309 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2313 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr
,
2314 png_const_bytep profile
, uLong adler
)
2316 /* The quick check is to verify just the MD5 signature and trust the
2317 * rest of the data. Because the profile has already been verified for
2318 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent'
2319 * field too, so if the profile has been edited with an intent not defined
2320 * by sRGB (but maybe defined by a later ICC specification) the read of
2321 * the profile will fail at that point.
2324 png_uint_32 length
= 0;
2325 png_uint_32 intent
= 0x10000; /* invalid */
2326 #if PNG_sRGB_PROFILE_CHECKS > 1
2327 uLong crc
= 0; /* the value for 0 length data */
2331 #ifdef PNG_SET_OPTION_SUPPORTED
2332 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2333 if (((png_ptr
->options
>> PNG_SKIP_sRGB_CHECK_PROFILE
) & 3) ==
2338 for (i
=0; i
< (sizeof png_sRGB_checks
) / (sizeof png_sRGB_checks
[0]); ++i
)
2340 if (png_get_uint_32(profile
+84) == png_sRGB_checks
[i
].md5
[0] &&
2341 png_get_uint_32(profile
+88) == png_sRGB_checks
[i
].md5
[1] &&
2342 png_get_uint_32(profile
+92) == png_sRGB_checks
[i
].md5
[2] &&
2343 png_get_uint_32(profile
+96) == png_sRGB_checks
[i
].md5
[3])
2345 /* This may be one of the old HP profiles without an MD5, in that
2346 * case we can only use the length and Adler32 (note that these
2347 * are not used by default if there is an MD5!)
2349 # if PNG_sRGB_PROFILE_CHECKS == 0
2350 if (png_sRGB_checks
[i
].have_md5
!= 0)
2351 return 1+png_sRGB_checks
[i
].is_broken
;
2354 /* Profile is unsigned or more checks have been configured in. */
2357 length
= png_get_uint_32(profile
);
2358 intent
= png_get_uint_32(profile
+64);
2361 /* Length *and* intent must match */
2362 if (length
== (png_uint_32
) png_sRGB_checks
[i
].length
&&
2363 intent
== (png_uint_32
) png_sRGB_checks
[i
].intent
)
2365 /* Now calculate the adler32 if not done already. */
2368 adler
= adler32(0, NULL
, 0);
2369 adler
= adler32(adler
, profile
, length
);
2372 if (adler
== png_sRGB_checks
[i
].adler
)
2374 /* These basic checks suggest that the data has not been
2375 * modified, but if the check level is more than 1 perform
2376 * our own crc32 checksum on the data.
2378 # if PNG_sRGB_PROFILE_CHECKS > 1
2381 crc
= crc32(0, NULL
, 0);
2382 crc
= crc32(crc
, profile
, length
);
2385 /* So this check must pass for the 'return' below to happen.
2387 if (crc
== png_sRGB_checks
[i
].crc
)
2390 if (png_sRGB_checks
[i
].is_broken
!= 0)
2392 /* These profiles are known to have bad data that may cause
2393 * problems if they are used, therefore attempt to
2394 * discourage their use, skip the 'have_md5' warning below,
2395 * which is made irrelevant by this error.
2397 png_chunk_report(png_ptr
, "known incorrect sRGB profile",
2401 /* Warn that this being done; this isn't even an error since
2402 * the profile is perfectly valid, but it would be nice if
2403 * people used the up-to-date ones.
2405 else if (png_sRGB_checks
[i
].have_md5
== 0)
2407 png_chunk_report(png_ptr
,
2408 "out-of-date sRGB profile with no signature",
2412 return 1+png_sRGB_checks
[i
].is_broken
;
2416 # if PNG_sRGB_PROFILE_CHECKS > 0
2417 /* The signature matched, but the profile had been changed in some
2418 * way. This probably indicates a data error or uninformed hacking.
2419 * Fall through to "no match".
2421 png_chunk_report(png_ptr
,
2422 "Not recognizing known sRGB profile that has been edited",
2430 return 0; /* no match */
2434 png_icc_set_sRGB(png_const_structrp png_ptr
,
2435 png_colorspacerp colorspace
, png_const_bytep profile
, uLong adler
)
2437 /* Is this profile one of the known ICC sRGB profiles? If it is, just set
2438 * the sRGB information.
2440 if (png_compare_ICC_profile_with_sRGB(png_ptr
, profile
, adler
) != 0)
2441 (void)png_colorspace_set_sRGB(png_ptr
, colorspace
,
2442 (int)/*already checked*/png_get_uint_32(profile
+64));
2444 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2448 png_colorspace_set_ICC(png_const_structrp png_ptr
, png_colorspacerp colorspace
,
2449 png_const_charp name
, png_uint_32 profile_length
, png_const_bytep profile
,
2452 if ((colorspace
->flags
& PNG_COLORSPACE_INVALID
) != 0)
2455 if (icc_check_length(png_ptr
, colorspace
, name
, profile_length
) != 0 &&
2456 png_icc_check_header(png_ptr
, colorspace
, name
, profile_length
, profile
,
2458 png_icc_check_tag_table(png_ptr
, colorspace
, name
, profile_length
,
2461 # if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2462 /* If no sRGB support, don't try storing sRGB information */
2463 png_icc_set_sRGB(png_ptr
, colorspace
, profile
, 0);
2473 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2475 png_colorspace_set_rgb_coefficients(png_structrp png_ptr
)
2477 /* Set the rgb_to_gray coefficients from the colorspace. */
2478 if (png_ptr
->rgb_to_gray_coefficients_set
== 0 &&
2479 (png_ptr
->colorspace
.flags
& PNG_COLORSPACE_HAVE_ENDPOINTS
) != 0)
2481 /* png_set_background has not been called, get the coefficients from the Y
2482 * values of the colorspace colorants.
2484 png_fixed_point r
= png_ptr
->colorspace
.end_points_XYZ
.red_Y
;
2485 png_fixed_point g
= png_ptr
->colorspace
.end_points_XYZ
.green_Y
;
2486 png_fixed_point b
= png_ptr
->colorspace
.end_points_XYZ
.blue_Y
;
2487 png_fixed_point total
= r
+g
+b
;
2490 r
>= 0 && png_muldiv(&r
, r
, 32768, total
) && r
>= 0 && r
<= 32768 &&
2491 g
>= 0 && png_muldiv(&g
, g
, 32768, total
) && g
>= 0 && g
<= 32768 &&
2492 b
>= 0 && png_muldiv(&b
, b
, 32768, total
) && b
>= 0 && b
<= 32768 &&
2495 /* We allow 0 coefficients here. r+g+b may be 32769 if two or
2496 * all of the coefficients were rounded up. Handle this by
2497 * reducing the *largest* coefficient by 1; this matches the
2498 * approach used for the default coefficients in pngrtran.c
2504 else if (r
+g
+b
< 32768)
2509 if (g
>= r
&& g
>= b
)
2511 else if (r
>= g
&& r
>= b
)
2517 /* Check for an internal error. */
2520 "internal error handling cHRM coefficients");
2524 png_ptr
->rgb_to_gray_red_coeff
= (png_uint_16
)r
;
2525 png_ptr
->rgb_to_gray_green_coeff
= (png_uint_16
)g
;
2529 /* This is a png_error at present even though it could be ignored -
2530 * it should never happen, but it is important that if it does, the
2534 png_error(png_ptr
, "internal error handling cHRM->XYZ");
2537 #endif /* READ_RGB_TO_GRAY */
2539 #endif /* COLORSPACE */
2542 /* This exists solely to work round a warning from GNU C. */
2543 static int /* PRIVATE */
2544 png_gt(size_t a
, size_t b
)
2549 # define png_gt(a,b) ((a) > (b))
2553 png_check_IHDR(png_const_structrp png_ptr
,
2554 png_uint_32 width
, png_uint_32 height
, int bit_depth
,
2555 int color_type
, int interlace_type
, int compression_type
,
2560 /* Check for width and height valid values */
2563 png_warning(png_ptr
, "Image width is zero in IHDR");
2567 if (width
> PNG_UINT_31_MAX
)
2569 png_warning(png_ptr
, "Invalid image width in IHDR");
2573 if (png_gt(((width
+ 7) & (~7U)),
2575 - 48 /* big_row_buf hack */
2576 - 1) /* filter byte */
2577 / 8) /* 8-byte RGBA pixels */
2578 - 1)) /* extra max_pixel_depth pad */
2580 /* The size of the row must be within the limits of this architecture.
2581 * Because the read code can perform arbitrary transformations the
2582 * maximum size is checked here. Because the code in png_read_start_row
2583 * adds extra space "for safety's sake" in several places a conservative
2584 * limit is used here.
2586 * NOTE: it would be far better to check the size that is actually used,
2587 * but the effect in the real world is minor and the changes are more
2588 * extensive, therefore much more dangerous and much more difficult to
2589 * write in a way that avoids compiler warnings.
2591 png_warning(png_ptr
, "Image width is too large for this architecture");
2595 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2596 if (width
> png_ptr
->user_width_max
)
2598 if (width
> PNG_USER_WIDTH_MAX
)
2601 png_warning(png_ptr
, "Image width exceeds user limit in IHDR");
2607 png_warning(png_ptr
, "Image height is zero in IHDR");
2611 if (height
> PNG_UINT_31_MAX
)
2613 png_warning(png_ptr
, "Invalid image height in IHDR");
2617 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2618 if (height
> png_ptr
->user_height_max
)
2620 if (height
> PNG_USER_HEIGHT_MAX
)
2623 png_warning(png_ptr
, "Image height exceeds user limit in IHDR");
2627 /* Check other values */
2628 if (bit_depth
!= 1 && bit_depth
!= 2 && bit_depth
!= 4 &&
2629 bit_depth
!= 8 && bit_depth
!= 16)
2631 png_warning(png_ptr
, "Invalid bit depth in IHDR");
2635 if (color_type
< 0 || color_type
== 1 ||
2636 color_type
== 5 || color_type
> 6)
2638 png_warning(png_ptr
, "Invalid color type in IHDR");
2642 if (((color_type
== PNG_COLOR_TYPE_PALETTE
) && bit_depth
> 8) ||
2643 ((color_type
== PNG_COLOR_TYPE_RGB
||
2644 color_type
== PNG_COLOR_TYPE_GRAY_ALPHA
||
2645 color_type
== PNG_COLOR_TYPE_RGB_ALPHA
) && bit_depth
< 8))
2647 png_warning(png_ptr
, "Invalid color type/bit depth combination in IHDR");
2651 if (interlace_type
>= PNG_INTERLACE_LAST
)
2653 png_warning(png_ptr
, "Unknown interlace method in IHDR");
2657 if (compression_type
!= PNG_COMPRESSION_TYPE_BASE
)
2659 png_warning(png_ptr
, "Unknown compression method in IHDR");
2663 #ifdef PNG_MNG_FEATURES_SUPPORTED
2664 /* Accept filter_method 64 (intrapixel differencing) only if
2665 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2666 * 2. Libpng did not read a PNG signature (this filter_method is only
2667 * used in PNG datastreams that are embedded in MNG datastreams) and
2668 * 3. The application called png_permit_mng_features with a mask that
2669 * included PNG_FLAG_MNG_FILTER_64 and
2670 * 4. The filter_method is 64 and
2671 * 5. The color_type is RGB or RGBA
2673 if ((png_ptr
->mode
& PNG_HAVE_PNG_SIGNATURE
) != 0 &&
2674 png_ptr
->mng_features_permitted
!= 0)
2675 png_warning(png_ptr
, "MNG features are not allowed in a PNG datastream");
2677 if (filter_type
!= PNG_FILTER_TYPE_BASE
)
2679 if (!((png_ptr
->mng_features_permitted
& PNG_FLAG_MNG_FILTER_64
) != 0 &&
2680 (filter_type
== PNG_INTRAPIXEL_DIFFERENCING
) &&
2681 ((png_ptr
->mode
& PNG_HAVE_PNG_SIGNATURE
) == 0) &&
2682 (color_type
== PNG_COLOR_TYPE_RGB
||
2683 color_type
== PNG_COLOR_TYPE_RGB_ALPHA
)))
2685 png_warning(png_ptr
, "Unknown filter method in IHDR");
2689 if ((png_ptr
->mode
& PNG_HAVE_PNG_SIGNATURE
) != 0)
2691 png_warning(png_ptr
, "Invalid filter method in IHDR");
2697 if (filter_type
!= PNG_FILTER_TYPE_BASE
)
2699 png_warning(png_ptr
, "Unknown filter method in IHDR");
2705 png_error(png_ptr
, "Invalid IHDR data");
2708 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2709 /* ASCII to fp functions */
2710 /* Check an ASCII formatted floating point value, see the more detailed
2711 * comments in pngpriv.h
2713 /* The following is used internally to preserve the sticky flags */
2714 #define png_fp_add(state, flags) ((state) |= (flags))
2715 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2718 png_check_fp_number(png_const_charp string
, size_t size
, int *statep
,
2719 png_size_tp whereami
)
2721 int state
= *statep
;
2722 size_t i
= *whereami
;
2727 /* First find the type of the next character */
2730 case 43: type
= PNG_FP_SAW_SIGN
; break;
2731 case 45: type
= PNG_FP_SAW_SIGN
+ PNG_FP_NEGATIVE
; break;
2732 case 46: type
= PNG_FP_SAW_DOT
; break;
2733 case 48: type
= PNG_FP_SAW_DIGIT
; break;
2734 case 49: case 50: case 51: case 52:
2735 case 53: case 54: case 55: case 56:
2736 case 57: type
= PNG_FP_SAW_DIGIT
+ PNG_FP_NONZERO
; break;
2738 case 101: type
= PNG_FP_SAW_E
; break;
2739 default: goto PNG_FP_End
;
2742 /* Now deal with this type according to the current
2743 * state, the type is arranged to not overlap the
2744 * bits of the PNG_FP_STATE.
2746 switch ((state
& PNG_FP_STATE
) + (type
& PNG_FP_SAW_ANY
))
2748 case PNG_FP_INTEGER
+ PNG_FP_SAW_SIGN
:
2749 if ((state
& PNG_FP_SAW_ANY
) != 0)
2750 goto PNG_FP_End
; /* not a part of the number */
2752 png_fp_add(state
, type
);
2755 case PNG_FP_INTEGER
+ PNG_FP_SAW_DOT
:
2756 /* Ok as trailer, ok as lead of fraction. */
2757 if ((state
& PNG_FP_SAW_DOT
) != 0) /* two dots */
2760 else if ((state
& PNG_FP_SAW_DIGIT
) != 0) /* trailing dot? */
2761 png_fp_add(state
, type
);
2764 png_fp_set(state
, PNG_FP_FRACTION
| type
);
2768 case PNG_FP_INTEGER
+ PNG_FP_SAW_DIGIT
:
2769 if ((state
& PNG_FP_SAW_DOT
) != 0) /* delayed fraction */
2770 png_fp_set(state
, PNG_FP_FRACTION
| PNG_FP_SAW_DOT
);
2772 png_fp_add(state
, type
| PNG_FP_WAS_VALID
);
2776 case PNG_FP_INTEGER
+ PNG_FP_SAW_E
:
2777 if ((state
& PNG_FP_SAW_DIGIT
) == 0)
2780 png_fp_set(state
, PNG_FP_EXPONENT
);
2784 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2785 goto PNG_FP_End; ** no sign in fraction */
2787 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2788 goto PNG_FP_End; ** Because SAW_DOT is always set */
2790 case PNG_FP_FRACTION
+ PNG_FP_SAW_DIGIT
:
2791 png_fp_add(state
, type
| PNG_FP_WAS_VALID
);
2794 case PNG_FP_FRACTION
+ PNG_FP_SAW_E
:
2795 /* This is correct because the trailing '.' on an
2796 * integer is handled above - so we can only get here
2797 * with the sequence ".E" (with no preceding digits).
2799 if ((state
& PNG_FP_SAW_DIGIT
) == 0)
2802 png_fp_set(state
, PNG_FP_EXPONENT
);
2806 case PNG_FP_EXPONENT
+ PNG_FP_SAW_SIGN
:
2807 if ((state
& PNG_FP_SAW_ANY
) != 0)
2808 goto PNG_FP_End
; /* not a part of the number */
2810 png_fp_add(state
, PNG_FP_SAW_SIGN
);
2814 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2817 case PNG_FP_EXPONENT
+ PNG_FP_SAW_DIGIT
:
2818 png_fp_add(state
, PNG_FP_SAW_DIGIT
| PNG_FP_WAS_VALID
);
2822 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2825 default: goto PNG_FP_End
; /* I.e. break 2 */
2828 /* The character seems ok, continue. */
2833 /* Here at the end, update the state and return the correct
2839 return (state
& PNG_FP_SAW_DIGIT
) != 0;
2843 /* The same but for a complete string. */
2845 png_check_fp_string(png_const_charp string
, size_t size
)
2848 size_t char_index
=0;
2850 if (png_check_fp_number(string
, size
, &state
, &char_index
) != 0 &&
2851 (char_index
== size
|| string
[char_index
] == 0))
2852 return state
/* must be non-zero - see above */;
2854 return 0; /* i.e. fail */
2856 #endif /* pCAL || sCAL */
2858 #ifdef PNG_sCAL_SUPPORTED
2859 # ifdef PNG_FLOATING_POINT_SUPPORTED
2860 /* Utility used below - a simple accurate power of ten from an integral
2864 png_pow10(int power
)
2869 /* Handle negative exponent with a reciprocal at the end because
2870 * 10 is exact whereas .1 is inexact in base 2
2874 if (power
< DBL_MIN_10_EXP
) return 0;
2875 recip
= 1; power
= -power
;
2880 /* Decompose power bitwise. */
2884 if (power
& 1) d
*= mult
;
2890 if (recip
!= 0) d
= 1/d
;
2892 /* else power is 0 and d is 1 */
2897 /* Function to format a floating point value in ASCII with a given
2900 #if GCC_STRICT_OVERFLOW
2901 #pragma GCC diagnostic push
2902 /* The problem arises below with exp_b10, which can never overflow because it
2903 * comes, originally, from frexp and is therefore limited to a range which is
2904 * typically +/-710 (log2(DBL_MAX)/log2(DBL_MIN)).
2906 #pragma GCC diagnostic warning "-Wstrict-overflow=2"
2907 #endif /* GCC_STRICT_OVERFLOW */
2909 png_ascii_from_fp(png_const_structrp png_ptr
, png_charp ascii
, size_t size
,
2910 double fp
, unsigned int precision
)
2912 /* We use standard functions from math.h, but not printf because
2913 * that would require stdio. The caller must supply a buffer of
2914 * sufficient size or we will png_error. The tests on size and
2915 * the space in ascii[] consumed are indicated below.
2918 precision
= DBL_DIG
;
2920 /* Enforce the limit of the implementation precision too. */
2921 if (precision
> DBL_DIG
+1)
2922 precision
= DBL_DIG
+1;
2924 /* Basic sanity checks */
2925 if (size
>= precision
+5) /* See the requirements below. */
2930 *ascii
++ = 45; /* '-' PLUS 1 TOTAL 1 */
2934 if (fp
>= DBL_MIN
&& fp
<= DBL_MAX
)
2936 int exp_b10
; /* A base 10 exponent */
2937 double base
; /* 10^exp_b10 */
2939 /* First extract a base 10 exponent of the number,
2940 * the calculation below rounds down when converting
2941 * from base 2 to base 10 (multiply by log10(2) -
2942 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2943 * be increased. Note that the arithmetic shift
2944 * performs a floor() unlike C arithmetic - using a
2945 * C multiply would break the following for negative
2948 (void)frexp(fp
, &exp_b10
); /* exponent to base 2 */
2950 exp_b10
= (exp_b10
* 77) >> 8; /* <= exponent to base 10 */
2952 /* Avoid underflow here. */
2953 base
= png_pow10(exp_b10
); /* May underflow */
2955 while (base
< DBL_MIN
|| base
< fp
)
2957 /* And this may overflow. */
2958 double test
= png_pow10(exp_b10
+1);
2960 if (test
<= DBL_MAX
)
2962 ++exp_b10
; base
= test
;
2969 /* Normalize fp and correct exp_b10, after this fp is in the
2970 * range [.1,1) and exp_b10 is both the exponent and the digit
2971 * *before* which the decimal point should be inserted
2972 * (starting with 0 for the first digit). Note that this
2973 * works even if 10^exp_b10 is out of range because of the
2974 * test on DBL_MAX above.
2979 fp
/= 10; ++exp_b10
;
2982 /* Because of the code above fp may, at this point, be
2983 * less than .1, this is ok because the code below can
2984 * handle the leading zeros this generates, so no attempt
2985 * is made to correct that here.
2989 unsigned int czero
, clead
, cdigits
;
2992 /* Allow up to two leading zeros - this will not lengthen
2993 * the number compared to using E-n.
2995 if (exp_b10
< 0 && exp_b10
> -3) /* PLUS 3 TOTAL 4 */
2997 czero
= 0U-exp_b10
; /* PLUS 2 digits: TOTAL 3 */
2998 exp_b10
= 0; /* Dot added below before first output. */
3001 czero
= 0; /* No zeros to add */
3003 /* Generate the digit list, stripping trailing zeros and
3004 * inserting a '.' before a digit if the exponent is 0.
3006 clead
= czero
; /* Count of leading zeros */
3007 cdigits
= 0; /* Count of digits in list. */
3014 /* Use modf here, not floor and subtract, so that
3015 * the separation is done in one step. At the end
3016 * of the loop don't break the number into parts so
3017 * that the final digit is rounded.
3019 if (cdigits
+czero
+1 < precision
+clead
)
3028 /* Rounding up to 10, handle that here. */
3032 if (cdigits
== 0) --clead
;
3036 while (cdigits
> 0 && d
> 9)
3040 if (exp_b10
!= (-1))
3045 ch
= *--ascii
; ++size
;
3046 /* Advance exp_b10 to '1', so that the
3047 * decimal point happens after the
3054 d
= ch
- 47; /* I.e. 1+(ch-48) */
3057 /* Did we reach the beginning? If so adjust the
3058 * exponent but take into account the leading
3061 if (d
> 9) /* cdigits == 0 */
3063 if (exp_b10
== (-1))
3065 /* Leading decimal point (plus zeros?), if
3066 * we lose the decimal point here it must
3067 * be reentered below.
3073 ++size
; exp_b10
= 1;
3076 /* Else lost a leading zero, so 'exp_b10' is
3083 /* In all cases we output a '1' */
3088 fp
= 0; /* Guarantees termination below. */
3094 if (cdigits
== 0) ++clead
;
3098 /* Included embedded zeros in the digit count. */
3099 cdigits
+= czero
- clead
;
3104 /* exp_b10 == (-1) means we just output the decimal
3105 * place - after the DP don't adjust 'exp_b10' any
3108 if (exp_b10
!= (-1))
3112 *ascii
++ = 46; --size
;
3114 /* PLUS 1: TOTAL 4 */
3117 *ascii
++ = 48; --czero
;
3120 if (exp_b10
!= (-1))
3124 *ascii
++ = 46; --size
; /* counted above */
3129 *ascii
++ = (char)(48 + (int)d
); ++cdigits
;
3132 while (cdigits
+czero
< precision
+clead
&& fp
> DBL_MIN
);
3134 /* The total output count (max) is now 4+precision */
3136 /* Check for an exponent, if we don't need one we are
3137 * done and just need to terminate the string. At
3138 * this point exp_b10==(-1) is effectively a flag - it got
3139 * to '-1' because of the decrement after outputting
3140 * the decimal point above (the exponent required is
3143 if (exp_b10
>= (-1) && exp_b10
<= 2)
3145 /* The following only happens if we didn't output the
3146 * leading zeros above for negative exponent, so this
3147 * doesn't add to the digit requirement. Note that the
3148 * two zeros here can only be output if the two leading
3149 * zeros were *not* output, so this doesn't increase
3152 while (exp_b10
-- > 0) *ascii
++ = 48;
3156 /* Total buffer requirement (including the '\0') is
3157 * 5+precision - see check at the start.
3162 /* Here if an exponent is required, adjust size for
3163 * the digits we output but did not count. The total
3164 * digit output here so far is at most 1+precision - no
3165 * decimal point and no leading or trailing zeros have
3170 *ascii
++ = 69; --size
; /* 'E': PLUS 1 TOTAL 2+precision */
3172 /* The following use of an unsigned temporary avoids ambiguities in
3173 * the signed arithmetic on exp_b10 and permits GCC at least to do
3174 * better optimization.
3177 unsigned int uexp_b10
;
3181 *ascii
++ = 45; --size
; /* '-': PLUS 1 TOTAL 3+precision */
3182 uexp_b10
= 0U-exp_b10
;
3186 uexp_b10
= 0U+exp_b10
;
3190 while (uexp_b10
> 0)
3192 exponent
[cdigits
++] = (char)(48 + uexp_b10
% 10);
3197 /* Need another size check here for the exponent digits, so
3198 * this need not be considered above.
3202 while (cdigits
> 0) *ascii
++ = exponent
[--cdigits
];
3210 else if (!(fp
>= DBL_MIN
))
3212 *ascii
++ = 48; /* '0' */
3218 *ascii
++ = 105; /* 'i' */
3219 *ascii
++ = 110; /* 'n' */
3220 *ascii
++ = 102; /* 'f' */
3226 /* Here on buffer too small. */
3227 png_error(png_ptr
, "ASCII conversion buffer too small");
3229 #if GCC_STRICT_OVERFLOW
3230 #pragma GCC diagnostic pop
3231 #endif /* GCC_STRICT_OVERFLOW */
3233 # endif /* FLOATING_POINT */
3235 # ifdef PNG_FIXED_POINT_SUPPORTED
3236 /* Function to format a fixed point value in ASCII.
3239 png_ascii_from_fixed(png_const_structrp png_ptr
, png_charp ascii
,
3240 size_t size
, png_fixed_point fp
)
3242 /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3243 * trailing \0, 13 characters:
3249 /* Avoid overflow here on the minimum integer. */
3252 *ascii
++ = 45; num
= (png_uint_32
)(-fp
);
3255 num
= (png_uint_32
)fp
;
3257 if (num
<= 0x80000000) /* else overflowed */
3259 unsigned int ndigits
= 0, first
= 16 /* flag value */;
3264 /* Split the low digit off num: */
3265 unsigned int tmp
= num
/10;
3267 digits
[ndigits
++] = (char)(48 + num
);
3268 /* Record the first non-zero digit, note that this is a number
3269 * starting at 1, it's not actually the array index.
3271 if (first
== 16 && num
> 0)
3278 while (ndigits
> 5) *ascii
++ = digits
[--ndigits
];
3279 /* The remaining digits are fractional digits, ndigits is '5' or
3280 * smaller at this point. It is certainly not zero. Check for a
3281 * non-zero fractional digit:
3286 *ascii
++ = 46; /* decimal point */
3287 /* ndigits may be <5 for small numbers, output leading zeros
3288 * then ndigits digits to first:
3295 while (ndigits
>= first
) *ascii
++ = digits
[--ndigits
];
3296 /* Don't output the trailing zeros! */
3302 /* And null terminate the string: */
3308 /* Here on buffer too small. */
3309 png_error(png_ptr
, "ASCII conversion buffer too small");
3311 # endif /* FIXED_POINT */
3314 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3315 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3316 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3317 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3318 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3319 (defined(PNG_sCAL_SUPPORTED) && \
3320 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3322 png_fixed(png_const_structrp png_ptr
, double fp
, png_const_charp text
)
3324 double r
= floor(100000 * fp
+ .5);
3326 if (r
> 2147483647. || r
< -2147483648.)
3327 png_fixed_error(png_ptr
, text
);
3329 # ifndef PNG_ERROR_TEXT_SUPPORTED
3333 return (png_fixed_point
)r
;
3337 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3338 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3339 /* muldiv functions */
3340 /* This API takes signed arguments and rounds the result to the nearest
3341 * integer (or, for a fixed point number - the standard argument - to
3342 * the nearest .00001). Overflow and divide by zero are signalled in
3343 * the result, a boolean - true on success, false on overflow.
3345 #if GCC_STRICT_OVERFLOW /* from above */
3346 /* It is not obvious which comparison below gets optimized in such a way that
3347 * signed overflow would change the result; looking through the code does not
3348 * reveal any tests which have the form GCC complains about, so presumably the
3349 * optimizer is moving an add or subtract into the 'if' somewhere.
3351 #pragma GCC diagnostic push
3352 #pragma GCC diagnostic warning "-Wstrict-overflow=2"
3353 #endif /* GCC_STRICT_OVERFLOW */
3355 png_muldiv(png_fixed_point_p res
, png_fixed_point a
, png_int_32 times
,
3358 /* Return a * times / divisor, rounded. */
3361 if (a
== 0 || times
== 0)
3368 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3374 /* A png_fixed_point is a 32-bit integer. */
3375 if (r
<= 2147483647. && r
>= -2147483648.)
3377 *res
= (png_fixed_point
)r
;
3382 png_uint_32 A
, T
, D
;
3383 png_uint_32 s16
, s32
, s00
;
3386 negative
= 1, A
= -a
;
3391 negative
= !negative
, T
= -times
;
3396 negative
= !negative
, D
= -divisor
;
3400 /* Following can't overflow because the arguments only
3401 * have 31 bits each, however the result may be 32 bits.
3403 s16
= (A
>> 16) * (T
& 0xffff) +
3404 (A
& 0xffff) * (T
>> 16);
3405 /* Can't overflow because the a*times bit is only 30
3408 s32
= (A
>> 16) * (T
>> 16) + (s16
>> 16);
3409 s00
= (A
& 0xffff) * (T
& 0xffff);
3411 s16
= (s16
& 0xffff) << 16;
3417 if (s32
< D
) /* else overflow */
3419 /* s32.s00 is now the 64-bit product, do a standard
3420 * division, we know that s32 < D, so the maximum
3421 * required shift is 31.
3424 png_fixed_point result
= 0; /* NOTE: signed */
3426 while (--bitshift
>= 0)
3428 png_uint_32 d32
, d00
;
3431 d32
= D
>> (32-bitshift
), d00
= D
<< bitshift
;
3438 if (s00
< d00
) --s32
; /* carry */
3439 s32
-= d32
, s00
-= d00
, result
+= 1<<bitshift
;
3443 if (s32
== d32
&& s00
>= d00
)
3444 s32
= 0, s00
-= d00
, result
+= 1<<bitshift
;
3447 /* Handle the rounding. */
3448 if (s00
>= (D
>> 1))
3454 /* Check for overflow. */
3455 if ((negative
!= 0 && result
<= 0) ||
3456 (negative
== 0 && result
>= 0))
3468 #if GCC_STRICT_OVERFLOW
3469 #pragma GCC diagnostic pop
3470 #endif /* GCC_STRICT_OVERFLOW */
3471 #endif /* READ_GAMMA || INCH_CONVERSIONS */
3473 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3474 /* The following is for when the caller doesn't much care about the
3478 png_muldiv_warn(png_const_structrp png_ptr
, png_fixed_point a
, png_int_32 times
,
3481 png_fixed_point result
;
3483 if (png_muldiv(&result
, a
, times
, divisor
) != 0)
3486 png_warning(png_ptr
, "fixed point overflow ignored");
3491 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3492 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3494 png_reciprocal(png_fixed_point a
)
3496 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3497 double r
= floor(1E10
/a
+.5);
3499 if (r
<= 2147483647. && r
>= -2147483648.)
3500 return (png_fixed_point
)r
;
3502 png_fixed_point res
;
3504 if (png_muldiv(&res
, 100000, 100000, a
) != 0)
3508 return 0; /* error/overflow */
3511 /* This is the shared test on whether a gamma value is 'significant' - whether
3512 * it is worth doing gamma correction.
3515 png_gamma_significant(png_fixed_point gamma_val
)
3517 return gamma_val
< PNG_FP_1
- PNG_GAMMA_THRESHOLD_FIXED
||
3518 gamma_val
> PNG_FP_1
+ PNG_GAMMA_THRESHOLD_FIXED
;
3522 #ifdef PNG_READ_GAMMA_SUPPORTED
3523 #ifdef PNG_16BIT_SUPPORTED
3524 /* A local convenience routine. */
3525 static png_fixed_point
3526 png_product2(png_fixed_point a
, png_fixed_point b
)
3528 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3529 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3530 double r
= a
* 1E-5;
3534 if (r
<= 2147483647. && r
>= -2147483648.)
3535 return (png_fixed_point
)r
;
3537 png_fixed_point res
;
3539 if (png_muldiv(&res
, a
, b
, 100000) != 0)
3543 return 0; /* overflow */
3547 /* The inverse of the above. */
3549 png_reciprocal2(png_fixed_point a
, png_fixed_point b
)
3551 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3552 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3553 if (a
!= 0 && b
!= 0)
3559 if (r
<= 2147483647. && r
>= -2147483648.)
3560 return (png_fixed_point
)r
;
3563 /* This may overflow because the range of png_fixed_point isn't symmetric,
3564 * but this API is only used for the product of file and screen gamma so it
3565 * doesn't matter that the smallest number it can produce is 1/21474, not
3568 png_fixed_point res
= png_product2(a
, b
);
3571 return png_reciprocal(res
);
3574 return 0; /* overflow */
3576 #endif /* READ_GAMMA */
3578 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3579 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3580 /* Fixed point gamma.
3582 * The code to calculate the tables used below can be found in the shell script
3583 * contrib/tools/intgamma.sh
3585 * To calculate gamma this code implements fast log() and exp() calls using only
3586 * fixed point arithmetic. This code has sufficient precision for either 8-bit
3587 * or 16-bit sample values.
3589 * The tables used here were calculated using simple 'bc' programs, but C double
3590 * precision floating point arithmetic would work fine.
3593 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3594 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point
3595 * mantissa. The numbers are 32-bit fractions.
3597 static const png_uint_32
3600 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3601 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3602 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3603 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3604 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3605 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3606 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3607 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3608 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3609 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3610 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3611 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3612 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3613 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3614 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3615 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3616 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3617 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3618 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3619 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3620 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3624 /* The following are the values for 16-bit tables - these work fine for the
3625 * 8-bit conversions but produce very slightly larger errors in the 16-bit
3626 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To
3627 * use these all the shifts below must be adjusted appropriately.
3629 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3630 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3631 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3632 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3633 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3634 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3635 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3636 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3637 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3638 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3639 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3645 png_log8bit(unsigned int x
)
3647 unsigned int lg2
= 0;
3648 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3649 * because the log is actually negate that means adding 1. The final
3650 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3651 * input), return -1 for the overflow (log 0) case, - so the result is
3652 * always at most 19 bits.
3654 if ((x
&= 0xff) == 0)
3657 if ((x
& 0xf0) == 0)
3660 if ((x
& 0xc0) == 0)
3663 if ((x
& 0x80) == 0)
3666 /* result is at most 19 bits, so this cast is safe: */
3667 return (png_int_32
)((lg2
<< 16) + ((png_8bit_l2
[x
-128]+32768)>>16));
3670 /* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3671 * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3672 * get an approximation then multiply the approximation by a correction factor
3673 * determined by the remaining up to 8 bits. This requires an additional step
3674 * in the 16-bit case.
3676 * We want log2(value/65535), we have log2(v'/255), where:
3678 * value = v' * 256 + v''
3681 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3682 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3683 * than 258. The final factor also needs to correct for the fact that our 8-bit
3684 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3686 * This gives a final formula using a calculated value 'x' which is value/v' and
3687 * scaling by 65536 to match the above table:
3689 * log2(x/257) * 65536
3691 * Since these numbers are so close to '1' we can use simple linear
3692 * interpolation between the two end values 256/257 (result -368.61) and 258/257
3693 * (result 367.179). The values used below are scaled by a further 64 to give
3694 * 16-bit precision in the interpolation:
3696 * Start (256): -23591
3700 #ifdef PNG_16BIT_SUPPORTED
3702 png_log16bit(png_uint_32 x
)
3704 unsigned int lg2
= 0;
3706 /* As above, but now the input has 16 bits. */
3707 if ((x
&= 0xffff) == 0)
3710 if ((x
& 0xff00) == 0)
3713 if ((x
& 0xf000) == 0)
3716 if ((x
& 0xc000) == 0)
3719 if ((x
& 0x8000) == 0)
3722 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3726 lg2
+= (png_8bit_l2
[(x
>>8)-128]+8) >> 4;
3728 /* Now we need to interpolate the factor, this requires a division by the top
3729 * 8 bits. Do this with maximum precision.
3731 x
= ((x
<< 16) + (x
>> 9)) / (x
>> 8);
3733 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3734 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3735 * 16 bits to interpolate to get the low bits of the result. Round the
3736 * answer. Note that the end point values are scaled by 64 to retain overall
3737 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3738 * the overall scaling by 6-12. Round at every step.
3742 if (x
<= 65536U) /* <= '257' */
3743 lg2
+= ((23591U * (65536U-x
)) + (1U << (16+6-12-1))) >> (16+6-12);
3746 lg2
-= ((23499U * (x
-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3748 /* Safe, because the result can't have more than 20 bits: */
3749 return (png_int_32
)((lg2
+ 2048) >> 12);
3753 /* The 'exp()' case must invert the above, taking a 20-bit fixed point
3754 * logarithmic value and returning a 16 or 8-bit number as appropriate. In
3755 * each case only the low 16 bits are relevant - the fraction - since the
3756 * integer bits (the top 4) simply determine a shift.
3758 * The worst case is the 16-bit distinction between 65535 and 65534. This
3759 * requires perhaps spurious accuracy in the decoding of the logarithm to
3760 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance
3761 * of getting this accuracy in practice.
3763 * To deal with this the following exp() function works out the exponent of the
3764 * fractional part of the logarithm by using an accurate 32-bit value from the
3765 * top four fractional bits then multiplying in the remaining bits.
3767 static const png_uint_32
3770 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3771 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3772 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3773 2553802834U, 2445529972U, 2341847524U, 2242560872U
3776 /* Adjustment table; provided to explain the numbers in the code below. */
3778 for (i
=11;i
>=0;--i
){ print i
, " ", (1 - e(-(2^i
)/65536*l(2))) * 2^(32-i
), "\n"}
3779 11 44937.64284865548751208448
3780 10 45180.98734845585101160448
3781 9 45303.31936980687359311872
3782 8 45364.65110595323018870784
3783 7 45395.35850361789624614912
3784 6 45410.72259715102037508096
3785 5 45418.40724413220722311168
3786 4 45422.25021786898173001728
3787 3 45424.17186732298419044352
3788 2 45425.13273269940811464704
3789 1 45425.61317555035558641664
3790 0 45425.85339951654943850496
3794 png_exp(png_fixed_point x
)
3796 if (x
> 0 && x
<= 0xfffff) /* Else overflow or zero (underflow) */
3798 /* Obtain a 4-bit approximation */
3799 png_uint_32 e
= png_32bit_exp
[(x
>> 12) & 0x0f];
3801 /* Incorporate the low 12 bits - these decrease the returned value by
3802 * multiplying by a number less than 1 if the bit is set. The multiplier
3803 * is determined by the above table and the shift. Notice that the values
3804 * converge on 45426 and this is used to allow linear interpolation of the
3808 e
-= (((e
>> 16) * 44938U) + 16U) >> 5;
3811 e
-= (((e
>> 16) * 45181U) + 32U) >> 6;
3814 e
-= (((e
>> 16) * 45303U) + 64U) >> 7;
3817 e
-= (((e
>> 16) * 45365U) + 128U) >> 8;
3820 e
-= (((e
>> 16) * 45395U) + 256U) >> 9;
3823 e
-= (((e
>> 16) * 45410U) + 512U) >> 10;
3825 /* And handle the low 6 bits in a single block. */
3826 e
-= (((e
>> 16) * 355U * (x
& 0x3fU
)) + 256U) >> 9;
3828 /* Handle the upper bits of x. */
3833 /* Check for overflow */
3835 return png_32bit_exp
[0];
3837 /* Else underflow */
3842 png_exp8bit(png_fixed_point lg2
)
3844 /* Get a 32-bit value: */
3845 png_uint_32 x
= png_exp(lg2
);
3847 /* Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the
3848 * second, rounding, step can't overflow because of the first, subtraction,
3852 return (png_byte
)(((x
+ 0x7fffffU
) >> 24) & 0xff);
3855 #ifdef PNG_16BIT_SUPPORTED
3857 png_exp16bit(png_fixed_point lg2
)
3859 /* Get a 32-bit value: */
3860 png_uint_32 x
= png_exp(lg2
);
3862 /* Convert the 32-bit value to 0..65535 by multiplying by 65536-1: */
3864 return (png_uint_16
)((x
+ 32767U) >> 16);
3867 #endif /* FLOATING_ARITHMETIC */
3870 png_gamma_8bit_correct(unsigned int value
, png_fixed_point gamma_val
)
3872 if (value
> 0 && value
< 255)
3874 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3875 /* 'value' is unsigned, ANSI-C90 requires the compiler to correctly
3876 * convert this to a floating point value. This includes values that
3877 * would overflow if 'value' were to be converted to 'int'.
3879 * Apparently GCC, however, does an intermediate conversion to (int)
3880 * on some (ARM) but not all (x86) platforms, possibly because of
3881 * hardware FP limitations. (E.g. if the hardware conversion always
3882 * assumes the integer register contains a signed value.) This results
3883 * in ANSI-C undefined behavior for large values.
3885 * Other implementations on the same machine might actually be ANSI-C90
3886 * conformant and therefore compile spurious extra code for the large
3889 * We can be reasonably sure that an unsigned to float conversion
3890 * won't be faster than an int to float one. Therefore this code
3891 * assumes responsibility for the undefined behavior, which it knows
3892 * can't happen because of the check above.
3894 * Note the argument to this routine is an (unsigned int) because, on
3895 * 16-bit platforms, it is assigned a value which might be out of
3896 * range for an (int); that would result in undefined behavior in the
3897 * caller if the *argument* ('value') were to be declared (int).
3899 double r
= floor(255*pow((int)/*SAFE*/value
/255.,gamma_val
*.00001)+.5);
3902 png_int_32 lg2
= png_log8bit(value
);
3903 png_fixed_point res
;
3905 if (png_muldiv(&res
, gamma_val
, lg2
, PNG_FP_1
) != 0)
3906 return png_exp8bit(res
);
3913 return (png_byte
)(value
& 0xff);
3916 #ifdef PNG_16BIT_SUPPORTED
3918 png_gamma_16bit_correct(unsigned int value
, png_fixed_point gamma_val
)
3920 if (value
> 0 && value
< 65535)
3922 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3923 /* The same (unsigned int)->(double) constraints apply here as above,
3924 * however in this case the (unsigned int) to (int) conversion can
3925 * overflow on an ANSI-C90 compliant system so the cast needs to ensure
3926 * that this is not possible.
3928 double r
= floor(65535*pow((png_int_32
)value
/65535.,
3929 gamma_val
*.00001)+.5);
3930 return (png_uint_16
)r
;
3932 png_int_32 lg2
= png_log16bit(value
);
3933 png_fixed_point res
;
3935 if (png_muldiv(&res
, gamma_val
, lg2
, PNG_FP_1
) != 0)
3936 return png_exp16bit(res
);
3943 return (png_uint_16
)value
;
3947 /* This does the right thing based on the bit_depth field of the
3948 * png_struct, interpreting values as 8-bit or 16-bit. While the result
3949 * is nominally a 16-bit value if bit depth is 8 then the result is
3950 * 8-bit (as are the arguments.)
3952 png_uint_16
/* PRIVATE */
3953 png_gamma_correct(png_structrp png_ptr
, unsigned int value
,
3954 png_fixed_point gamma_val
)
3956 if (png_ptr
->bit_depth
== 8)
3957 return png_gamma_8bit_correct(value
, gamma_val
);
3959 #ifdef PNG_16BIT_SUPPORTED
3961 return png_gamma_16bit_correct(value
, gamma_val
);
3963 /* should not reach this */
3968 #ifdef PNG_16BIT_SUPPORTED
3969 /* Internal function to build a single 16-bit table - the table consists of
3970 * 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3971 * to shift the input values right (or 16-number_of_signifiant_bits).
3973 * The caller is responsible for ensuring that the table gets cleaned up on
3974 * png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3975 * should be somewhere that will be cleaned.
3978 png_build_16bit_table(png_structrp png_ptr
, png_uint_16pp
*ptable
,
3979 PNG_CONST
unsigned int shift
, PNG_CONST png_fixed_point gamma_val
)
3981 /* Various values derived from 'shift': */
3982 PNG_CONST
unsigned int num
= 1U << (8U - shift
);
3983 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3984 /* CSE the division and work round wacky GCC warnings (see the comments
3985 * in png_gamma_8bit_correct for where these come from.)
3987 PNG_CONST
double fmax
= 1./(((png_int_32
)1 << (16U - shift
))-1);
3989 PNG_CONST
unsigned int max
= (1U << (16U - shift
))-1U;
3990 PNG_CONST
unsigned int max_by_2
= 1U << (15U-shift
);
3993 png_uint_16pp table
= *ptable
=
3994 (png_uint_16pp
)png_calloc(png_ptr
, num
* (sizeof (png_uint_16p
)));
3996 for (i
= 0; i
< num
; i
++)
3998 png_uint_16p sub_table
= table
[i
] =
3999 (png_uint_16p
)png_malloc(png_ptr
, 256 * (sizeof (png_uint_16
)));
4001 /* The 'threshold' test is repeated here because it can arise for one of
4002 * the 16-bit tables even if the others don't hit it.
4004 if (png_gamma_significant(gamma_val
) != 0)
4006 /* The old code would overflow at the end and this would cause the
4007 * 'pow' function to return a result >1, resulting in an
4008 * arithmetic error. This code follows the spec exactly; ig is
4009 * the recovered input sample, it always has 8-16 bits.
4011 * We want input * 65535/max, rounded, the arithmetic fits in 32
4012 * bits (unsigned) so long as max <= 32767.
4015 for (j
= 0; j
< 256; j
++)
4017 png_uint_32 ig
= (j
<< (8-shift
)) + i
;
4018 # ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
4019 /* Inline the 'max' scaling operation: */
4020 /* See png_gamma_8bit_correct for why the cast to (int) is
4023 double d
= floor(65535.*pow(ig
*fmax
, gamma_val
*.00001)+.5);
4024 sub_table
[j
] = (png_uint_16
)d
;
4027 ig
= (ig
* 65535U + max_by_2
)/max
;
4029 sub_table
[j
] = png_gamma_16bit_correct(ig
, gamma_val
);
4035 /* We must still build a table, but do it the fast way. */
4038 for (j
= 0; j
< 256; j
++)
4040 png_uint_32 ig
= (j
<< (8-shift
)) + i
;
4043 ig
= (ig
* 65535U + max_by_2
)/max
;
4045 sub_table
[j
] = (png_uint_16
)ig
;
4051 /* NOTE: this function expects the *inverse* of the overall gamma transformation
4055 png_build_16to8_table(png_structrp png_ptr
, png_uint_16pp
*ptable
,
4056 PNG_CONST
unsigned int shift
, PNG_CONST png_fixed_point gamma_val
)
4058 PNG_CONST
unsigned int num
= 1U << (8U - shift
);
4059 PNG_CONST
unsigned int max
= (1U << (16U - shift
))-1U;
4063 png_uint_16pp table
= *ptable
=
4064 (png_uint_16pp
)png_calloc(png_ptr
, num
* (sizeof (png_uint_16p
)));
4066 /* 'num' is the number of tables and also the number of low bits of low
4067 * bits of the input 16-bit value used to select a table. Each table is
4068 * itself indexed by the high 8 bits of the value.
4070 for (i
= 0; i
< num
; i
++)
4071 table
[i
] = (png_uint_16p
)png_malloc(png_ptr
,
4072 256 * (sizeof (png_uint_16
)));
4074 /* 'gamma_val' is set to the reciprocal of the value calculated above, so
4075 * pow(out,g) is an *input* value. 'last' is the last input value set.
4077 * In the loop 'i' is used to find output values. Since the output is
4078 * 8-bit there are only 256 possible values. The tables are set up to
4079 * select the closest possible output value for each input by finding
4080 * the input value at the boundary between each pair of output values
4081 * and filling the table up to that boundary with the lower output
4084 * The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit
4085 * values the code below uses a 16-bit value in i; the values start at
4086 * 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4087 * entries are filled with 255). Start i at 128 and fill all 'last'
4088 * table entries <= 'max'
4091 for (i
= 0; i
< 255; ++i
) /* 8-bit output value */
4093 /* Find the corresponding maximum input value */
4094 png_uint_16 out
= (png_uint_16
)(i
* 257U); /* 16-bit output value */
4096 /* Find the boundary value in 16 bits: */
4097 png_uint_32 bound
= png_gamma_16bit_correct(out
+128U, gamma_val
);
4099 /* Adjust (round) to (16-shift) bits: */
4100 bound
= (bound
* max
+ 32768U)/65535U + 1U;
4102 while (last
< bound
)
4104 table
[last
& (0xffU
>> shift
)][last
>> (8U - shift
)] = out
;
4109 /* And fill in the final entries. */
4110 while (last
< (num
<< 8))
4112 table
[last
& (0xff >> shift
)][last
>> (8U - shift
)] = 65535U;
4118 /* Build a single 8-bit table: same as the 16-bit case but much simpler (and
4119 * typically much faster). Note that libpng currently does no sBIT processing
4120 * (apparently contrary to the spec) so a 256-entry table is always generated.
4123 png_build_8bit_table(png_structrp png_ptr
, png_bytepp ptable
,
4124 PNG_CONST png_fixed_point gamma_val
)
4127 png_bytep table
= *ptable
= (png_bytep
)png_malloc(png_ptr
, 256);
4129 if (png_gamma_significant(gamma_val
) != 0)
4130 for (i
=0; i
<256; i
++)
4131 table
[i
] = png_gamma_8bit_correct(i
, gamma_val
);
4134 for (i
=0; i
<256; ++i
)
4135 table
[i
] = (png_byte
)(i
& 0xff);
4138 /* Used from png_read_destroy and below to release the memory used by the gamma
4142 png_destroy_gamma_table(png_structrp png_ptr
)
4144 png_free(png_ptr
, png_ptr
->gamma_table
);
4145 png_ptr
->gamma_table
= NULL
;
4147 #ifdef PNG_16BIT_SUPPORTED
4148 if (png_ptr
->gamma_16_table
!= NULL
)
4151 int istop
= (1 << (8 - png_ptr
->gamma_shift
));
4152 for (i
= 0; i
< istop
; i
++)
4154 png_free(png_ptr
, png_ptr
->gamma_16_table
[i
]);
4156 png_free(png_ptr
, png_ptr
->gamma_16_table
);
4157 png_ptr
->gamma_16_table
= NULL
;
4161 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4162 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4163 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4164 png_free(png_ptr
, png_ptr
->gamma_from_1
);
4165 png_ptr
->gamma_from_1
= NULL
;
4166 png_free(png_ptr
, png_ptr
->gamma_to_1
);
4167 png_ptr
->gamma_to_1
= NULL
;
4169 #ifdef PNG_16BIT_SUPPORTED
4170 if (png_ptr
->gamma_16_from_1
!= NULL
)
4173 int istop
= (1 << (8 - png_ptr
->gamma_shift
));
4174 for (i
= 0; i
< istop
; i
++)
4176 png_free(png_ptr
, png_ptr
->gamma_16_from_1
[i
]);
4178 png_free(png_ptr
, png_ptr
->gamma_16_from_1
);
4179 png_ptr
->gamma_16_from_1
= NULL
;
4181 if (png_ptr
->gamma_16_to_1
!= NULL
)
4184 int istop
= (1 << (8 - png_ptr
->gamma_shift
));
4185 for (i
= 0; i
< istop
; i
++)
4187 png_free(png_ptr
, png_ptr
->gamma_16_to_1
[i
]);
4189 png_free(png_ptr
, png_ptr
->gamma_16_to_1
);
4190 png_ptr
->gamma_16_to_1
= NULL
;
4193 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4196 /* We build the 8- or 16-bit gamma tables here. Note that for 16-bit
4197 * tables, we don't make a full table if we are reducing to 8-bit in
4198 * the future. Note also how the gamma_16 tables are segmented so that
4199 * we don't need to allocate > 64K chunks for a full 16-bit table.
4202 png_build_gamma_table(png_structrp png_ptr
, int bit_depth
)
4204 png_debug(1, "in png_build_gamma_table");
4206 /* Remove any existing table; this copes with multiple calls to
4207 * png_read_update_info. The warning is because building the gamma tables
4208 * multiple times is a performance hit - it's harmless but the ability to
4209 * call png_read_update_info() multiple times is new in 1.5.6 so it seems
4210 * sensible to warn if the app introduces such a hit.
4212 if (png_ptr
->gamma_table
!= NULL
|| png_ptr
->gamma_16_table
!= NULL
)
4214 png_warning(png_ptr
, "gamma table being rebuilt");
4215 png_destroy_gamma_table(png_ptr
);
4220 png_build_8bit_table(png_ptr
, &png_ptr
->gamma_table
,
4221 png_ptr
->screen_gamma
> 0 ?
4222 png_reciprocal2(png_ptr
->colorspace
.gamma
,
4223 png_ptr
->screen_gamma
) : PNG_FP_1
);
4225 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4226 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4227 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4228 if ((png_ptr
->transformations
& (PNG_COMPOSE
| PNG_RGB_TO_GRAY
)) != 0)
4230 png_build_8bit_table(png_ptr
, &png_ptr
->gamma_to_1
,
4231 png_reciprocal(png_ptr
->colorspace
.gamma
));
4233 png_build_8bit_table(png_ptr
, &png_ptr
->gamma_from_1
,
4234 png_ptr
->screen_gamma
> 0 ?
4235 png_reciprocal(png_ptr
->screen_gamma
) :
4236 png_ptr
->colorspace
.gamma
/* Probably doing rgb_to_gray */);
4238 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4240 #ifdef PNG_16BIT_SUPPORTED
4243 png_byte shift
, sig_bit
;
4245 if ((png_ptr
->color_type
& PNG_COLOR_MASK_COLOR
) != 0)
4247 sig_bit
= png_ptr
->sig_bit
.red
;
4249 if (png_ptr
->sig_bit
.green
> sig_bit
)
4250 sig_bit
= png_ptr
->sig_bit
.green
;
4252 if (png_ptr
->sig_bit
.blue
> sig_bit
)
4253 sig_bit
= png_ptr
->sig_bit
.blue
;
4256 sig_bit
= png_ptr
->sig_bit
.gray
;
4258 /* 16-bit gamma code uses this equation:
4260 * ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4262 * Where 'iv' is the input color value and 'ov' is the output value -
4265 * Thus the gamma table consists of up to 256 256-entry tables. The table
4266 * is selected by the (8-gamma_shift) most significant of the low 8 bits
4267 * of the color value then indexed by the upper 8 bits:
4269 * table[low bits][high 8 bits]
4271 * So the table 'n' corresponds to all those 'iv' of:
4273 * <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4276 if (sig_bit
> 0 && sig_bit
< 16U)
4277 /* shift == insignificant bits */
4278 shift
= (png_byte
)((16U - sig_bit
) & 0xff);
4281 shift
= 0; /* keep all 16 bits */
4283 if ((png_ptr
->transformations
& (PNG_16_TO_8
| PNG_SCALE_16_TO_8
)) != 0)
4285 /* PNG_MAX_GAMMA_8 is the number of bits to keep - effectively
4286 * the significant bits in the *input* when the output will
4287 * eventually be 8 bits. By default it is 11.
4289 if (shift
< (16U - PNG_MAX_GAMMA_8
))
4290 shift
= (16U - PNG_MAX_GAMMA_8
);
4294 shift
= 8U; /* Guarantees at least one table! */
4296 png_ptr
->gamma_shift
= shift
;
4298 /* NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now
4299 * PNG_COMPOSE). This effectively smashed the background calculation for
4300 * 16-bit output because the 8-bit table assumes the result will be
4301 * reduced to 8 bits.
4303 if ((png_ptr
->transformations
& (PNG_16_TO_8
| PNG_SCALE_16_TO_8
)) != 0)
4304 png_build_16to8_table(png_ptr
, &png_ptr
->gamma_16_table
, shift
,
4305 png_ptr
->screen_gamma
> 0 ? png_product2(png_ptr
->colorspace
.gamma
,
4306 png_ptr
->screen_gamma
) : PNG_FP_1
);
4309 png_build_16bit_table(png_ptr
, &png_ptr
->gamma_16_table
, shift
,
4310 png_ptr
->screen_gamma
> 0 ? png_reciprocal2(png_ptr
->colorspace
.gamma
,
4311 png_ptr
->screen_gamma
) : PNG_FP_1
);
4313 #if defined(PNG_READ_BACKGROUND_SUPPORTED) || \
4314 defined(PNG_READ_ALPHA_MODE_SUPPORTED) || \
4315 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4316 if ((png_ptr
->transformations
& (PNG_COMPOSE
| PNG_RGB_TO_GRAY
)) != 0)
4318 png_build_16bit_table(png_ptr
, &png_ptr
->gamma_16_to_1
, shift
,
4319 png_reciprocal(png_ptr
->colorspace
.gamma
));
4321 /* Notice that the '16 from 1' table should be full precision, however
4322 * the lookup on this table still uses gamma_shift, so it can't be.
4325 png_build_16bit_table(png_ptr
, &png_ptr
->gamma_16_from_1
, shift
,
4326 png_ptr
->screen_gamma
> 0 ? png_reciprocal(png_ptr
->screen_gamma
) :
4327 png_ptr
->colorspace
.gamma
/* Probably doing rgb_to_gray */);
4329 #endif /* READ_BACKGROUND || READ_ALPHA_MODE || RGB_TO_GRAY */
4333 #endif /* READ_GAMMA */
4335 /* HARDWARE OR SOFTWARE OPTION SUPPORT */
4336 #ifdef PNG_SET_OPTION_SUPPORTED
4338 png_set_option(png_structrp png_ptr
, int option
, int onoff
)
4340 if (png_ptr
!= NULL
&& option
>= 0 && option
< PNG_OPTION_NEXT
&&
4343 png_uint_32 mask
= 3U << option
;
4344 png_uint_32 setting
= (2U + (onoff
!= 0)) << option
;
4345 png_uint_32 current
= png_ptr
->options
;
4347 png_ptr
->options
= (png_uint_32
)((current
& ~mask
) | setting
);
4349 return (int)(current
& mask
) >> option
;
4352 return PNG_OPTION_INVALID
;
4357 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4358 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4359 /* sRGB conversion tables; these are machine generated with the code in
4360 * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the
4361 * specification (see the article at https://en.wikipedia.org/wiki/SRGB)
4362 * is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4363 * The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4364 * The inverse (linear to sRGB) table has accuracies as follows:
4366 * For all possible (255*65535+1) input values:
4368 * error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4370 * For the input values corresponding to the 65536 16-bit values:
4372 * error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4374 * In all cases the inexact readings are only off by one.
4377 #ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4378 /* The convert-to-sRGB table is only currently required for read. */
4379 const png_uint_16 png_sRGB_table
[256] =
4381 0,20,40,60,80,99,119,139,
4382 159,179,199,219,241,264,288,313,
4383 340,367,396,427,458,491,526,562,
4384 599,637,677,718,761,805,851,898,
4385 947,997,1048,1101,1156,1212,1270,1330,
4386 1391,1453,1517,1583,1651,1720,1790,1863,
4387 1937,2013,2090,2170,2250,2333,2418,2504,
4388 2592,2681,2773,2866,2961,3058,3157,3258,
4389 3360,3464,3570,3678,3788,3900,4014,4129,
4390 4247,4366,4488,4611,4736,4864,4993,5124,
4391 5257,5392,5530,5669,5810,5953,6099,6246,
4392 6395,6547,6700,6856,7014,7174,7335,7500,
4393 7666,7834,8004,8177,8352,8528,8708,8889,
4394 9072,9258,9445,9635,9828,10022,10219,10417,
4395 10619,10822,11028,11235,11446,11658,11873,12090,
4396 12309,12530,12754,12980,13209,13440,13673,13909,
4397 14146,14387,14629,14874,15122,15371,15623,15878,
4398 16135,16394,16656,16920,17187,17456,17727,18001,
4399 18277,18556,18837,19121,19407,19696,19987,20281,
4400 20577,20876,21177,21481,21787,22096,22407,22721,
4401 23038,23357,23678,24002,24329,24658,24990,25325,
4402 25662,26001,26344,26688,27036,27386,27739,28094,
4403 28452,28813,29176,29542,29911,30282,30656,31033,
4404 31412,31794,32179,32567,32957,33350,33745,34143,
4405 34544,34948,35355,35764,36176,36591,37008,37429,
4406 37852,38278,38706,39138,39572,40009,40449,40891,
4407 41337,41785,42236,42690,43147,43606,44069,44534,
4408 45002,45473,45947,46423,46903,47385,47871,48359,
4409 48850,49344,49841,50341,50844,51349,51858,52369,
4410 52884,53401,53921,54445,54971,55500,56032,56567,
4411 57105,57646,58190,58737,59287,59840,60396,60955,
4412 61517,62082,62650,63221,63795,64372,64952,65535
4414 #endif /* SIMPLIFIED_READ */
4416 /* The base/delta tables are required for both read and write (but currently
4417 * only the simplified versions.)
4419 const png_uint_16 png_sRGB_base
[512] =
4421 128,1782,3383,4644,5675,6564,7357,8074,
4422 8732,9346,9921,10463,10977,11466,11935,12384,
4423 12816,13233,13634,14024,14402,14769,15125,15473,
4424 15812,16142,16466,16781,17090,17393,17690,17981,
4425 18266,18546,18822,19093,19359,19621,19879,20133,
4426 20383,20630,20873,21113,21349,21583,21813,22041,
4427 22265,22487,22707,22923,23138,23350,23559,23767,
4428 23972,24175,24376,24575,24772,24967,25160,25352,
4429 25542,25730,25916,26101,26284,26465,26645,26823,
4430 27000,27176,27350,27523,27695,27865,28034,28201,
4431 28368,28533,28697,28860,29021,29182,29341,29500,
4432 29657,29813,29969,30123,30276,30429,30580,30730,
4433 30880,31028,31176,31323,31469,31614,31758,31902,
4434 32045,32186,32327,32468,32607,32746,32884,33021,
4435 33158,33294,33429,33564,33697,33831,33963,34095,
4436 34226,34357,34486,34616,34744,34873,35000,35127,
4437 35253,35379,35504,35629,35753,35876,35999,36122,
4438 36244,36365,36486,36606,36726,36845,36964,37083,
4439 37201,37318,37435,37551,37668,37783,37898,38013,
4440 38127,38241,38354,38467,38580,38692,38803,38915,
4441 39026,39136,39246,39356,39465,39574,39682,39790,
4442 39898,40005,40112,40219,40325,40431,40537,40642,
4443 40747,40851,40955,41059,41163,41266,41369,41471,
4444 41573,41675,41777,41878,41979,42079,42179,42279,
4445 42379,42478,42577,42676,42775,42873,42971,43068,
4446 43165,43262,43359,43456,43552,43648,43743,43839,
4447 43934,44028,44123,44217,44311,44405,44499,44592,
4448 44685,44778,44870,44962,45054,45146,45238,45329,
4449 45420,45511,45601,45692,45782,45872,45961,46051,
4450 46140,46229,46318,46406,46494,46583,46670,46758,
4451 46846,46933,47020,47107,47193,47280,47366,47452,
4452 47538,47623,47709,47794,47879,47964,48048,48133,
4453 48217,48301,48385,48468,48552,48635,48718,48801,
4454 48884,48966,49048,49131,49213,49294,49376,49458,
4455 49539,49620,49701,49782,49862,49943,50023,50103,
4456 50183,50263,50342,50422,50501,50580,50659,50738,
4457 50816,50895,50973,51051,51129,51207,51285,51362,
4458 51439,51517,51594,51671,51747,51824,51900,51977,
4459 52053,52129,52205,52280,52356,52432,52507,52582,
4460 52657,52732,52807,52881,52956,53030,53104,53178,
4461 53252,53326,53400,53473,53546,53620,53693,53766,
4462 53839,53911,53984,54056,54129,54201,54273,54345,
4463 54417,54489,54560,54632,54703,54774,54845,54916,
4464 54987,55058,55129,55199,55269,55340,55410,55480,
4465 55550,55620,55689,55759,55828,55898,55967,56036,
4466 56105,56174,56243,56311,56380,56448,56517,56585,
4467 56653,56721,56789,56857,56924,56992,57059,57127,
4468 57194,57261,57328,57395,57462,57529,57595,57662,
4469 57728,57795,57861,57927,57993,58059,58125,58191,
4470 58256,58322,58387,58453,58518,58583,58648,58713,
4471 58778,58843,58908,58972,59037,59101,59165,59230,
4472 59294,59358,59422,59486,59549,59613,59677,59740,
4473 59804,59867,59930,59993,60056,60119,60182,60245,
4474 60308,60370,60433,60495,60558,60620,60682,60744,
4475 60806,60868,60930,60992,61054,61115,61177,61238,
4476 61300,61361,61422,61483,61544,61605,61666,61727,
4477 61788,61848,61909,61969,62030,62090,62150,62211,
4478 62271,62331,62391,62450,62510,62570,62630,62689,
4479 62749,62808,62867,62927,62986,63045,63104,63163,
4480 63222,63281,63340,63398,63457,63515,63574,63632,
4481 63691,63749,63807,63865,63923,63981,64039,64097,
4482 64155,64212,64270,64328,64385,64443,64500,64557,
4483 64614,64672,64729,64786,64843,64900,64956,65013,
4484 65070,65126,65183,65239,65296,65352,65409,65465
4487 const png_byte png_sRGB_delta
[512] =
4489 207,201,158,129,113,100,90,82,77,72,68,64,61,59,56,54,
4490 52,50,49,47,46,45,43,42,41,40,39,39,38,37,36,36,
4491 35,34,34,33,33,32,32,31,31,30,30,30,29,29,28,28,
4492 28,27,27,27,27,26,26,26,25,25,25,25,24,24,24,24,
4493 23,23,23,23,23,22,22,22,22,22,22,21,21,21,21,21,
4494 21,20,20,20,20,20,20,20,20,19,19,19,19,19,19,19,
4495 19,18,18,18,18,18,18,18,18,18,18,17,17,17,17,17,
4496 17,17,17,17,17,17,16,16,16,16,16,16,16,16,16,16,
4497 16,16,16,16,15,15,15,15,15,15,15,15,15,15,15,15,
4498 15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,
4499 14,14,14,14,14,14,14,13,13,13,13,13,13,13,13,13,
4500 13,13,13,13,13,13,13,13,13,13,13,13,13,13,12,12,
4501 12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,12,
4502 12,12,12,12,12,12,12,12,12,12,12,12,11,11,11,11,
4503 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4504 11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,
4505 11,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4506 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4507 10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,10,
4508 10,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4509 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4510 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4511 9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,9,
4512 9,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4513 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4514 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4515 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4516 8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,8,
4517 8,8,8,8,8,8,8,8,8,7,7,7,7,7,7,7,
4518 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4519 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,
4520 7,7,7,7,7,7,7,7,7,7,7,7,7,7,7,7
4522 #endif /* SIMPLIFIED READ/WRITE sRGB support */
4524 /* SIMPLIFIED READ/WRITE SUPPORT */
4525 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
4526 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4528 png_image_free_function(png_voidp argument
)
4530 png_imagep image
= png_voidcast(png_imagep
, argument
);
4531 png_controlp cp
= image
->opaque
;
4534 /* Double check that we have a png_ptr - it should be impossible to get here
4537 if (cp
->png_ptr
== NULL
)
4540 /* First free any data held in the control structure. */
4541 # ifdef PNG_STDIO_SUPPORTED
4542 if (cp
->owned_file
!= 0)
4544 FILE *fp
= png_voidcast(FILE*, cp
->png_ptr
->io_ptr
);
4547 /* Ignore errors here. */
4550 cp
->png_ptr
->io_ptr
= NULL
;
4556 /* Copy the control structure so that the original, allocated, version can be
4557 * safely freed. Notice that a png_error here stops the remainder of the
4558 * cleanup, but this is probably fine because that would indicate bad memory
4563 png_free(c
.png_ptr
, cp
);
4565 /* Then the structures, calling the correct API. */
4566 if (c
.for_write
!= 0)
4568 # ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4569 png_destroy_write_struct(&c
.png_ptr
, &c
.info_ptr
);
4571 png_error(c
.png_ptr
, "simplified write not supported");
4576 # ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4577 png_destroy_read_struct(&c
.png_ptr
, &c
.info_ptr
, NULL
);
4579 png_error(c
.png_ptr
, "simplified read not supported");
4588 png_image_free(png_imagep image
)
4590 /* Safely call the real function, but only if doing so is safe at this point
4591 * (if not inside an error handling context). Otherwise assume
4592 * png_safe_execute will call this API after the return.
4594 if (image
!= NULL
&& image
->opaque
!= NULL
&&
4595 image
->opaque
->error_buf
== NULL
)
4597 /* Ignore errors here: */
4598 (void)png_safe_execute(image
, png_image_free_function
, image
);
4599 image
->opaque
= NULL
;
4604 png_image_error(png_imagep image
, png_const_charp error_message
)
4606 /* Utility to log an error. */
4607 png_safecat(image
->message
, (sizeof image
->message
), 0, error_message
);
4608 image
->warning_or_error
|= PNG_IMAGE_ERROR
;
4609 png_image_free(image
);
4613 #endif /* SIMPLIFIED READ/WRITE */
4614 #endif /* READ || WRITE */