f6e353ace0fc443333409394f81eda7f4f94f2c6
[reactos.git] / reactos / dll / 3rdparty / libpng / png.c
1
2 /* png.c - location for general purpose libpng functions
3 *
4 * Last changed in libpng 1.6.18 [July 23, 2015]
5 * Copyright (c) 1998-2015 Glenn Randers-Pehrson
6 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
7 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 */
13
14 #include "pngpriv.h"
15
16 /* Generate a compiler error if there is an old png.h in the search path. */
17 typedef png_libpng_version_1_6_18 Your_png_h_is_not_version_1_6_18;
18
19 /* Tells libpng that we have already handled the first "num_bytes" bytes
20 * of the PNG file signature. If the PNG data is embedded into another
21 * stream we can set num_bytes = 8 so that libpng will not attempt to read
22 * or write any of the magic bytes before it starts on the IHDR.
23 */
24
25 #ifdef PNG_READ_SUPPORTED
26 void PNGAPI
27 png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
28 {
29 png_debug(1, "in png_set_sig_bytes");
30
31 if (png_ptr == NULL)
32 return;
33
34 if (num_bytes > 8)
35 png_error(png_ptr, "Too many bytes for PNG signature");
36
37 png_ptr->sig_bytes = (png_byte)((num_bytes < 0 ? 0 : num_bytes) & 0xff);
38 }
39
40 /* Checks whether the supplied bytes match the PNG signature. We allow
41 * checking less than the full 8-byte signature so that those apps that
42 * already read the first few bytes of a file to determine the file type
43 * can simply check the remaining bytes for extra assurance. Returns
44 * an integer less than, equal to, or greater than zero if sig is found,
45 * respectively, to be less than, to match, or be greater than the correct
46 * PNG signature (this is the same behavior as strcmp, memcmp, etc).
47 */
48 int PNGAPI
49 png_sig_cmp(png_const_bytep sig, png_size_t start, png_size_t num_to_check)
50 {
51 png_byte png_signature[8] = {137, 80, 78, 71, 13, 10, 26, 10};
52
53 if (num_to_check > 8)
54 num_to_check = 8;
55
56 else if (num_to_check < 1)
57 return (-1);
58
59 if (start > 7)
60 return (-1);
61
62 if (start + num_to_check > 8)
63 num_to_check = 8 - start;
64
65 return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));
66 }
67
68 #endif /* READ */
69
70 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
71 /* Function to allocate memory for zlib */
72 PNG_FUNCTION(voidpf /* PRIVATE */,
73 png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
74 {
75 png_alloc_size_t num_bytes = size;
76
77 if (png_ptr == NULL)
78 return NULL;
79
80 if (items >= (~(png_alloc_size_t)0)/size)
81 {
82 png_warning (png_voidcast(png_structrp, png_ptr),
83 "Potential overflow in png_zalloc()");
84 return NULL;
85 }
86
87 num_bytes *= items;
88 return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
89 }
90
91 /* Function to free memory for zlib */
92 void /* PRIVATE */
93 png_zfree(voidpf png_ptr, voidpf ptr)
94 {
95 png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
96 }
97
98 /* Reset the CRC variable to 32 bits of 1's. Care must be taken
99 * in case CRC is > 32 bits to leave the top bits 0.
100 */
101 void /* PRIVATE */
102 png_reset_crc(png_structrp png_ptr)
103 {
104 /* The cast is safe because the crc is a 32-bit value. */
105 png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0);
106 }
107
108 /* Calculate the CRC over a section of data. We can only pass as
109 * much data to this routine as the largest single buffer size. We
110 * also check that this data will actually be used before going to the
111 * trouble of calculating it.
112 */
113 void /* PRIVATE */
114 png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, png_size_t length)
115 {
116 int need_crc = 1;
117
118 if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != 0)
119 {
120 if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
121 (PNG_FLAG_CRC_ANCILLARY_USE | PNG_FLAG_CRC_ANCILLARY_NOWARN))
122 need_crc = 0;
123 }
124
125 else /* critical */
126 {
127 if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != 0)
128 need_crc = 0;
129 }
130
131 /* 'uLong' is defined in zlib.h as unsigned long; this means that on some
132 * systems it is a 64-bit value. crc32, however, returns 32 bits so the
133 * following cast is safe. 'uInt' may be no more than 16 bits, so it is
134 * necessary to perform a loop here.
135 */
136 if (need_crc != 0 && length > 0)
137 {
138 uLong crc = png_ptr->crc; /* Should never issue a warning */
139
140 do
141 {
142 uInt safe_length = (uInt)length;
143 #ifndef __COVERITY__
144 if (safe_length == 0)
145 safe_length = (uInt)-1; /* evil, but safe */
146 #endif
147
148 crc = crc32(crc, ptr, safe_length);
149
150 /* The following should never issue compiler warnings; if they do the
151 * target system has characteristics that will probably violate other
152 * assumptions within the libpng code.
153 */
154 ptr += safe_length;
155 length -= safe_length;
156 }
157 while (length > 0);
158
159 /* And the following is always safe because the crc is only 32 bits. */
160 png_ptr->crc = (png_uint_32)crc;
161 }
162 }
163
164 /* Check a user supplied version number, called from both read and write
165 * functions that create a png_struct.
166 */
167 int
168 png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
169 {
170 /* Libpng versions 1.0.0 and later are binary compatible if the version
171 * string matches through the second '.'; we must recompile any
172 * applications that use any older library version.
173 */
174
175 if (user_png_ver != NULL)
176 {
177 int i = -1;
178 int found_dots = 0;
179
180 do
181 {
182 i++;
183 if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
184 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
185 if (user_png_ver[i] == '.')
186 found_dots++;
187 } while (found_dots < 2 && user_png_ver[i] != 0 &&
188 PNG_LIBPNG_VER_STRING[i] != 0);
189 }
190
191 else
192 png_ptr->flags |= PNG_FLAG_LIBRARY_MISMATCH;
193
194 if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != 0)
195 {
196 #ifdef PNG_WARNINGS_SUPPORTED
197 size_t pos = 0;
198 char m[128];
199
200 pos = png_safecat(m, (sizeof m), pos,
201 "Application built with libpng-");
202 pos = png_safecat(m, (sizeof m), pos, user_png_ver);
203 pos = png_safecat(m, (sizeof m), pos, " but running with ");
204 pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
205 PNG_UNUSED(pos)
206
207 png_warning(png_ptr, m);
208 #endif
209
210 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
211 png_ptr->flags = 0;
212 #endif
213
214 return 0;
215 }
216
217 /* Success return. */
218 return 1;
219 }
220
221 /* Generic function to create a png_struct for either read or write - this
222 * contains the common initialization.
223 */
224 PNG_FUNCTION(png_structp /* PRIVATE */,
225 png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
226 png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
227 png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
228 {
229 png_struct create_struct;
230 # ifdef PNG_SETJMP_SUPPORTED
231 jmp_buf create_jmp_buf;
232 # endif
233
234 /* This temporary stack-allocated structure is used to provide a place to
235 * build enough context to allow the user provided memory allocator (if any)
236 * to be called.
237 */
238 memset(&create_struct, 0, (sizeof create_struct));
239
240 /* Added at libpng-1.2.6 */
241 # ifdef PNG_USER_LIMITS_SUPPORTED
242 create_struct.user_width_max = PNG_USER_WIDTH_MAX;
243 create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
244
245 # ifdef PNG_USER_CHUNK_CACHE_MAX
246 /* Added at libpng-1.2.43 and 1.4.0 */
247 create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
248 # endif
249
250 # ifdef PNG_USER_CHUNK_MALLOC_MAX
251 /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists
252 * in png_struct regardless.
253 */
254 create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
255 # endif
256 # endif
257
258 /* The following two API calls simply set fields in png_struct, so it is safe
259 * to do them now even though error handling is not yet set up.
260 */
261 # ifdef PNG_USER_MEM_SUPPORTED
262 png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
263 # else
264 PNG_UNUSED(mem_ptr)
265 PNG_UNUSED(malloc_fn)
266 PNG_UNUSED(free_fn)
267 # endif
268
269 /* (*error_fn) can return control to the caller after the error_ptr is set,
270 * this will result in a memory leak unless the error_fn does something
271 * extremely sophisticated. The design lacks merit but is implicit in the
272 * API.
273 */
274 png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
275
276 # ifdef PNG_SETJMP_SUPPORTED
277 if (!setjmp(create_jmp_buf))
278 # endif
279 {
280 # ifdef PNG_SETJMP_SUPPORTED
281 /* Temporarily fake out the longjmp information until we have
282 * successfully completed this function. This only works if we have
283 * setjmp() support compiled in, but it is safe - this stuff should
284 * never happen.
285 */
286 create_struct.jmp_buf_ptr = &create_jmp_buf;
287 create_struct.jmp_buf_size = 0; /*stack allocation*/
288 create_struct.longjmp_fn = longjmp;
289 # endif
290 /* Call the general version checker (shared with read and write code):
291 */
292 if (png_user_version_check(&create_struct, user_png_ver) != 0)
293 {
294 png_structrp png_ptr = png_voidcast(png_structrp,
295 png_malloc_warn(&create_struct, (sizeof *png_ptr)));
296
297 if (png_ptr != NULL)
298 {
299 /* png_ptr->zstream holds a back-pointer to the png_struct, so
300 * this can only be done now:
301 */
302 create_struct.zstream.zalloc = png_zalloc;
303 create_struct.zstream.zfree = png_zfree;
304 create_struct.zstream.opaque = png_ptr;
305
306 # ifdef PNG_SETJMP_SUPPORTED
307 /* Eliminate the local error handling: */
308 create_struct.jmp_buf_ptr = NULL;
309 create_struct.jmp_buf_size = 0;
310 create_struct.longjmp_fn = 0;
311 # endif
312
313 *png_ptr = create_struct;
314
315 /* This is the successful return point */
316 return png_ptr;
317 }
318 }
319 }
320
321 /* A longjmp because of a bug in the application storage allocator or a
322 * simple failure to allocate the png_struct.
323 */
324 return NULL;
325 }
326
327 /* Allocate the memory for an info_struct for the application. */
328 PNG_FUNCTION(png_infop,PNGAPI
329 png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
330 {
331 png_inforp info_ptr;
332
333 png_debug(1, "in png_create_info_struct");
334
335 if (png_ptr == NULL)
336 return NULL;
337
338 /* Use the internal API that does not (or at least should not) error out, so
339 * that this call always returns ok. The application typically sets up the
340 * error handling *after* creating the info_struct because this is the way it
341 * has always been done in 'example.c'.
342 */
343 info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
344 (sizeof *info_ptr)));
345
346 if (info_ptr != NULL)
347 memset(info_ptr, 0, (sizeof *info_ptr));
348
349 return info_ptr;
350 }
351
352 /* This function frees the memory associated with a single info struct.
353 * Normally, one would use either png_destroy_read_struct() or
354 * png_destroy_write_struct() to free an info struct, but this may be
355 * useful for some applications. From libpng 1.6.0 this function is also used
356 * internally to implement the png_info release part of the 'struct' destroy
357 * APIs. This ensures that all possible approaches free the same data (all of
358 * it).
359 */
360 void PNGAPI
361 png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
362 {
363 png_inforp info_ptr = NULL;
364
365 png_debug(1, "in png_destroy_info_struct");
366
367 if (png_ptr == NULL)
368 return;
369
370 if (info_ptr_ptr != NULL)
371 info_ptr = *info_ptr_ptr;
372
373 if (info_ptr != NULL)
374 {
375 /* Do this first in case of an error below; if the app implements its own
376 * memory management this can lead to png_free calling png_error, which
377 * will abort this routine and return control to the app error handler.
378 * An infinite loop may result if it then tries to free the same info
379 * ptr.
380 */
381 *info_ptr_ptr = NULL;
382
383 png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -1);
384 memset(info_ptr, 0, (sizeof *info_ptr));
385 png_free(png_ptr, info_ptr);
386 }
387 }
388
389 /* Initialize the info structure. This is now an internal function (0.89)
390 * and applications using it are urged to use png_create_info_struct()
391 * instead. Use deprecated in 1.6.0, internal use removed (used internally it
392 * is just a memset).
393 *
394 * NOTE: it is almost inconceivable that this API is used because it bypasses
395 * the user-memory mechanism and the user error handling/warning mechanisms in
396 * those cases where it does anything other than a memset.
397 */
398 PNG_FUNCTION(void,PNGAPI
399 png_info_init_3,(png_infopp ptr_ptr, png_size_t png_info_struct_size),
400 PNG_DEPRECATED)
401 {
402 png_inforp info_ptr = *ptr_ptr;
403
404 png_debug(1, "in png_info_init_3");
405
406 if (info_ptr == NULL)
407 return;
408
409 if ((sizeof (png_info)) > png_info_struct_size)
410 {
411 *ptr_ptr = NULL;
412 /* The following line is why this API should not be used: */
413 free(info_ptr);
414 info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
415 (sizeof *info_ptr)));
416 *ptr_ptr = info_ptr;
417 }
418
419 /* Set everything to 0 */
420 memset(info_ptr, 0, (sizeof *info_ptr));
421 }
422
423 /* The following API is not called internally */
424 void PNGAPI
425 png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
426 int freer, png_uint_32 mask)
427 {
428 png_debug(1, "in png_data_freer");
429
430 if (png_ptr == NULL || info_ptr == NULL)
431 return;
432
433 if (freer == PNG_DESTROY_WILL_FREE_DATA)
434 info_ptr->free_me |= mask;
435
436 else if (freer == PNG_USER_WILL_FREE_DATA)
437 info_ptr->free_me &= ~mask;
438
439 else
440 png_error(png_ptr, "Unknown freer parameter in png_data_freer");
441 }
442
443 void PNGAPI
444 png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
445 int num)
446 {
447 png_debug(1, "in png_free_data");
448
449 if (png_ptr == NULL || info_ptr == NULL)
450 return;
451
452 #ifdef PNG_TEXT_SUPPORTED
453 /* Free text item num or (if num == -1) all text items */
454 if (info_ptr->text != 0 &&
455 ((mask & PNG_FREE_TEXT) & info_ptr->free_me) != 0)
456 {
457 if (num != -1)
458 {
459 png_free(png_ptr, info_ptr->text[num].key);
460 info_ptr->text[num].key = NULL;
461 }
462
463 else
464 {
465 int i;
466
467 for (i = 0; i < info_ptr->num_text; i++)
468 png_free(png_ptr, info_ptr->text[i].key);
469
470 png_free(png_ptr, info_ptr->text);
471 info_ptr->text = NULL;
472 info_ptr->num_text = 0;
473 }
474 }
475 #endif
476
477 #ifdef PNG_tRNS_SUPPORTED
478 /* Free any tRNS entry */
479 if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0)
480 {
481 info_ptr->valid &= ~PNG_INFO_tRNS;
482 png_free(png_ptr, info_ptr->trans_alpha);
483 info_ptr->trans_alpha = NULL;
484 info_ptr->num_trans = 0;
485 }
486 #endif
487
488 #ifdef PNG_sCAL_SUPPORTED
489 /* Free any sCAL entry */
490 if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != 0)
491 {
492 png_free(png_ptr, info_ptr->scal_s_width);
493 png_free(png_ptr, info_ptr->scal_s_height);
494 info_ptr->scal_s_width = NULL;
495 info_ptr->scal_s_height = NULL;
496 info_ptr->valid &= ~PNG_INFO_sCAL;
497 }
498 #endif
499
500 #ifdef PNG_pCAL_SUPPORTED
501 /* Free any pCAL entry */
502 if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != 0)
503 {
504 png_free(png_ptr, info_ptr->pcal_purpose);
505 png_free(png_ptr, info_ptr->pcal_units);
506 info_ptr->pcal_purpose = NULL;
507 info_ptr->pcal_units = NULL;
508
509 if (info_ptr->pcal_params != NULL)
510 {
511 int i;
512
513 for (i = 0; i < info_ptr->pcal_nparams; i++)
514 png_free(png_ptr, info_ptr->pcal_params[i]);
515
516 png_free(png_ptr, info_ptr->pcal_params);
517 info_ptr->pcal_params = NULL;
518 }
519 info_ptr->valid &= ~PNG_INFO_pCAL;
520 }
521 #endif
522
523 #ifdef PNG_iCCP_SUPPORTED
524 /* Free any profile entry */
525 if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != 0)
526 {
527 png_free(png_ptr, info_ptr->iccp_name);
528 png_free(png_ptr, info_ptr->iccp_profile);
529 info_ptr->iccp_name = NULL;
530 info_ptr->iccp_profile = NULL;
531 info_ptr->valid &= ~PNG_INFO_iCCP;
532 }
533 #endif
534
535 #ifdef PNG_sPLT_SUPPORTED
536 /* Free a given sPLT entry, or (if num == -1) all sPLT entries */
537 if (info_ptr->splt_palettes != 0 &&
538 ((mask & PNG_FREE_SPLT) & info_ptr->free_me) != 0)
539 {
540 if (num != -1)
541 {
542 png_free(png_ptr, info_ptr->splt_palettes[num].name);
543 png_free(png_ptr, info_ptr->splt_palettes[num].entries);
544 info_ptr->splt_palettes[num].name = NULL;
545 info_ptr->splt_palettes[num].entries = NULL;
546 }
547
548 else
549 {
550 int i;
551
552 for (i = 0; i < info_ptr->splt_palettes_num; i++)
553 {
554 png_free(png_ptr, info_ptr->splt_palettes[i].name);
555 png_free(png_ptr, info_ptr->splt_palettes[i].entries);
556 }
557
558 png_free(png_ptr, info_ptr->splt_palettes);
559 info_ptr->splt_palettes = NULL;
560 info_ptr->splt_palettes_num = 0;
561 info_ptr->valid &= ~PNG_INFO_sPLT;
562 }
563 }
564 #endif
565
566 #ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
567 if (info_ptr->unknown_chunks != 0 &&
568 ((mask & PNG_FREE_UNKN) & info_ptr->free_me) != 0)
569 {
570 if (num != -1)
571 {
572 png_free(png_ptr, info_ptr->unknown_chunks[num].data);
573 info_ptr->unknown_chunks[num].data = NULL;
574 }
575
576 else
577 {
578 int i;
579
580 for (i = 0; i < info_ptr->unknown_chunks_num; i++)
581 png_free(png_ptr, info_ptr->unknown_chunks[i].data);
582
583 png_free(png_ptr, info_ptr->unknown_chunks);
584 info_ptr->unknown_chunks = NULL;
585 info_ptr->unknown_chunks_num = 0;
586 }
587 }
588 #endif
589
590 #ifdef PNG_hIST_SUPPORTED
591 /* Free any hIST entry */
592 if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != 0)
593 {
594 png_free(png_ptr, info_ptr->hist);
595 info_ptr->hist = NULL;
596 info_ptr->valid &= ~PNG_INFO_hIST;
597 }
598 #endif
599
600 /* Free any PLTE entry that was internally allocated */
601 if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != 0)
602 {
603 png_free(png_ptr, info_ptr->palette);
604 info_ptr->palette = NULL;
605 info_ptr->valid &= ~PNG_INFO_PLTE;
606 info_ptr->num_palette = 0;
607 }
608
609 #ifdef PNG_INFO_IMAGE_SUPPORTED
610 /* Free any image bits attached to the info structure */
611 if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != 0)
612 {
613 if (info_ptr->row_pointers != 0)
614 {
615 png_uint_32 row;
616 for (row = 0; row < info_ptr->height; row++)
617 png_free(png_ptr, info_ptr->row_pointers[row]);
618
619 png_free(png_ptr, info_ptr->row_pointers);
620 info_ptr->row_pointers = NULL;
621 }
622 info_ptr->valid &= ~PNG_INFO_IDAT;
623 }
624 #endif
625
626 if (num != -1)
627 mask &= ~PNG_FREE_MUL;
628
629 info_ptr->free_me &= ~mask;
630 }
631 #endif /* READ || WRITE */
632
633 /* This function returns a pointer to the io_ptr associated with the user
634 * functions. The application should free any memory associated with this
635 * pointer before png_write_destroy() or png_read_destroy() are called.
636 */
637 png_voidp PNGAPI
638 png_get_io_ptr(png_const_structrp png_ptr)
639 {
640 if (png_ptr == NULL)
641 return (NULL);
642
643 return (png_ptr->io_ptr);
644 }
645
646 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
647 # ifdef PNG_STDIO_SUPPORTED
648 /* Initialize the default input/output functions for the PNG file. If you
649 * use your own read or write routines, you can call either png_set_read_fn()
650 * or png_set_write_fn() instead of png_init_io(). If you have defined
651 * PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
652 * function of your own because "FILE *" isn't necessarily available.
653 */
654 void PNGAPI
655 png_init_io(png_structrp png_ptr, png_FILE_p fp)
656 {
657 png_debug(1, "in png_init_io");
658
659 if (png_ptr == NULL)
660 return;
661
662 png_ptr->io_ptr = (png_voidp)fp;
663 }
664 # endif
665
666 # ifdef PNG_SAVE_INT_32_SUPPORTED
667 /* The png_save_int_32 function assumes integers are stored in two's
668 * complement format. If this isn't the case, then this routine needs to
669 * be modified to write data in two's complement format. Note that,
670 * the following works correctly even if png_int_32 has more than 32 bits
671 * (compare the more complex code required on read for sign extension.)
672 */
673 void PNGAPI
674 png_save_int_32(png_bytep buf, png_int_32 i)
675 {
676 buf[0] = (png_byte)((i >> 24) & 0xff);
677 buf[1] = (png_byte)((i >> 16) & 0xff);
678 buf[2] = (png_byte)((i >> 8) & 0xff);
679 buf[3] = (png_byte)(i & 0xff);
680 }
681 # endif
682
683 # ifdef PNG_TIME_RFC1123_SUPPORTED
684 /* Convert the supplied time into an RFC 1123 string suitable for use in
685 * a "Creation Time" or other text-based time string.
686 */
687 int PNGAPI
688 png_convert_to_rfc1123_buffer(char out[29], png_const_timep ptime)
689 {
690 static PNG_CONST char short_months[12][4] =
691 {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
692 "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
693
694 if (out == NULL)
695 return 0;
696
697 if (ptime->year > 9999 /* RFC1123 limitation */ ||
698 ptime->month == 0 || ptime->month > 12 ||
699 ptime->day == 0 || ptime->day > 31 ||
700 ptime->hour > 23 || ptime->minute > 59 ||
701 ptime->second > 60)
702 return 0;
703
704 {
705 size_t pos = 0;
706 char number_buf[5]; /* enough for a four-digit year */
707
708 # define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
709 # define APPEND_NUMBER(format, value)\
710 APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
711 # define APPEND(ch) if (pos < 28) out[pos++] = (ch)
712
713 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
714 APPEND(' ');
715 APPEND_STRING(short_months[(ptime->month - 1)]);
716 APPEND(' ');
717 APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
718 APPEND(' ');
719 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
720 APPEND(':');
721 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
722 APPEND(':');
723 APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
724 APPEND_STRING(" +0000"); /* This reliably terminates the buffer */
725
726 # undef APPEND
727 # undef APPEND_NUMBER
728 # undef APPEND_STRING
729 }
730
731 return 1;
732 }
733
734 # if PNG_LIBPNG_VER < 10700
735 /* To do: remove the following from libpng-1.7 */
736 /* Original API that uses a private buffer in png_struct.
737 * Deprecated because it causes png_struct to carry a spurious temporary
738 * buffer (png_struct::time_buffer), better to have the caller pass this in.
739 */
740 png_const_charp PNGAPI
741 png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
742 {
743 if (png_ptr != NULL)
744 {
745 /* The only failure above if png_ptr != NULL is from an invalid ptime */
746 if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == 0)
747 png_warning(png_ptr, "Ignoring invalid time value");
748
749 else
750 return png_ptr->time_buffer;
751 }
752
753 return NULL;
754 }
755 # endif /* LIBPNG_VER < 10700 */
756 # endif /* TIME_RFC1123 */
757
758 #endif /* READ || WRITE */
759
760 png_const_charp PNGAPI
761 png_get_copyright(png_const_structrp png_ptr)
762 {
763 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
764 #ifdef PNG_STRING_COPYRIGHT
765 return PNG_STRING_COPYRIGHT
766 #else
767 # ifdef __STDC__
768 return PNG_STRING_NEWLINE \
769 "libpng version 1.6.18 - July 23, 2015" PNG_STRING_NEWLINE \
770 "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
771 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
772 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
773 PNG_STRING_NEWLINE;
774 # else
775 return "libpng version 1.6.18 - July 23, 2015\
776 Copyright (c) 1998-2015 Glenn Randers-Pehrson\
777 Copyright (c) 1996-1997 Andreas Dilger\
778 Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
779 # endif
780 #endif
781 }
782
783 /* The following return the library version as a short string in the
784 * format 1.0.0 through 99.99.99zz. To get the version of *.h files
785 * used with your application, print out PNG_LIBPNG_VER_STRING, which
786 * is defined in png.h.
787 * Note: now there is no difference between png_get_libpng_ver() and
788 * png_get_header_ver(). Due to the version_nn_nn_nn typedef guard,
789 * it is guaranteed that png.c uses the correct version of png.h.
790 */
791 png_const_charp PNGAPI
792 png_get_libpng_ver(png_const_structrp png_ptr)
793 {
794 /* Version of *.c files used when building libpng */
795 return png_get_header_ver(png_ptr);
796 }
797
798 png_const_charp PNGAPI
799 png_get_header_ver(png_const_structrp png_ptr)
800 {
801 /* Version of *.h files used when building libpng */
802 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
803 return PNG_LIBPNG_VER_STRING;
804 }
805
806 png_const_charp PNGAPI
807 png_get_header_version(png_const_structrp png_ptr)
808 {
809 /* Returns longer string containing both version and date */
810 PNG_UNUSED(png_ptr) /* Silence compiler warning about unused png_ptr */
811 #ifdef __STDC__
812 return PNG_HEADER_VERSION_STRING
813 # ifndef PNG_READ_SUPPORTED
814 " (NO READ SUPPORT)"
815 # endif
816 PNG_STRING_NEWLINE;
817 #else
818 return PNG_HEADER_VERSION_STRING;
819 #endif
820 }
821
822 #ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
823 /* NOTE: this routine is not used internally! */
824 /* Build a grayscale palette. Palette is assumed to be 1 << bit_depth
825 * large of png_color. This lets grayscale images be treated as
826 * paletted. Most useful for gamma correction and simplification
827 * of code. This API is not used internally.
828 */
829 void PNGAPI
830 png_build_grayscale_palette(int bit_depth, png_colorp palette)
831 {
832 int num_palette;
833 int color_inc;
834 int i;
835 int v;
836
837 png_debug(1, "in png_do_build_grayscale_palette");
838
839 if (palette == NULL)
840 return;
841
842 switch (bit_depth)
843 {
844 case 1:
845 num_palette = 2;
846 color_inc = 0xff;
847 break;
848
849 case 2:
850 num_palette = 4;
851 color_inc = 0x55;
852 break;
853
854 case 4:
855 num_palette = 16;
856 color_inc = 0x11;
857 break;
858
859 case 8:
860 num_palette = 256;
861 color_inc = 1;
862 break;
863
864 default:
865 num_palette = 0;
866 color_inc = 0;
867 break;
868 }
869
870 for (i = 0, v = 0; i < num_palette; i++, v += color_inc)
871 {
872 palette[i].red = (png_byte)(v & 0xff);
873 palette[i].green = (png_byte)(v & 0xff);
874 palette[i].blue = (png_byte)(v & 0xff);
875 }
876 }
877 #endif
878
879 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
880 int PNGAPI
881 png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
882 {
883 /* Check chunk_name and return "keep" value if it's on the list, else 0 */
884 png_const_bytep p, p_end;
885
886 if (png_ptr == NULL || chunk_name == NULL || png_ptr->num_chunk_list == 0)
887 return PNG_HANDLE_CHUNK_AS_DEFAULT;
888
889 p_end = png_ptr->chunk_list;
890 p = p_end + png_ptr->num_chunk_list*5; /* beyond end */
891
892 /* The code is the fifth byte after each four byte string. Historically this
893 * code was always searched from the end of the list, this is no longer
894 * necessary because the 'set' routine handles duplicate entries correcty.
895 */
896 do /* num_chunk_list > 0, so at least one */
897 {
898 p -= 5;
899
900 if (memcmp(chunk_name, p, 4) == 0)
901 return p[4];
902 }
903 while (p > p_end);
904
905 /* This means that known chunks should be processed and unknown chunks should
906 * be handled according to the value of png_ptr->unknown_default; this can be
907 * confusing because, as a result, there are two levels of defaulting for
908 * unknown chunks.
909 */
910 return PNG_HANDLE_CHUNK_AS_DEFAULT;
911 }
912
913 #if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) ||\
914 defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
915 int /* PRIVATE */
916 png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
917 {
918 png_byte chunk_string[5];
919
920 PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
921 return png_handle_as_unknown(png_ptr, chunk_string);
922 }
923 #endif /* READ_UNKNOWN_CHUNKS || HANDLE_AS_UNKNOWN */
924 #endif /* SET_UNKNOWN_CHUNKS */
925
926 #ifdef PNG_READ_SUPPORTED
927 /* This function, added to libpng-1.0.6g, is untested. */
928 int PNGAPI
929 png_reset_zstream(png_structrp png_ptr)
930 {
931 if (png_ptr == NULL)
932 return Z_STREAM_ERROR;
933
934 /* WARNING: this resets the window bits to the maximum! */
935 return (inflateReset(&png_ptr->zstream));
936 }
937 #endif /* READ */
938
939 /* This function was added to libpng-1.0.7 */
940 png_uint_32 PNGAPI
941 png_access_version_number(void)
942 {
943 /* Version of *.c files used when building libpng */
944 return((png_uint_32)PNG_LIBPNG_VER);
945 }
946
947 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
948 /* Ensure that png_ptr->zstream.msg holds some appropriate error message string.
949 * If it doesn't 'ret' is used to set it to something appropriate, even in cases
950 * like Z_OK or Z_STREAM_END where the error code is apparently a success code.
951 */
952 void /* PRIVATE */
953 png_zstream_error(png_structrp png_ptr, int ret)
954 {
955 /* Translate 'ret' into an appropriate error string, priority is given to the
956 * one in zstream if set. This always returns a string, even in cases like
957 * Z_OK or Z_STREAM_END where the error code is a success code.
958 */
959 if (png_ptr->zstream.msg == NULL) switch (ret)
960 {
961 default:
962 case Z_OK:
963 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
964 break;
965
966 case Z_STREAM_END:
967 /* Normal exit */
968 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
969 break;
970
971 case Z_NEED_DICT:
972 /* This means the deflate stream did not have a dictionary; this
973 * indicates a bogus PNG.
974 */
975 png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
976 break;
977
978 case Z_ERRNO:
979 /* gz APIs only: should not happen */
980 png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
981 break;
982
983 case Z_STREAM_ERROR:
984 /* internal libpng error */
985 png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
986 break;
987
988 case Z_DATA_ERROR:
989 png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
990 break;
991
992 case Z_MEM_ERROR:
993 png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
994 break;
995
996 case Z_BUF_ERROR:
997 /* End of input or output; not a problem if the caller is doing
998 * incremental read or write.
999 */
1000 png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1001 break;
1002
1003 case Z_VERSION_ERROR:
1004 png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1005 break;
1006
1007 case PNG_UNEXPECTED_ZLIB_RETURN:
1008 /* Compile errors here mean that zlib now uses the value co-opted in
1009 * pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1010 * and change pngpriv.h. Note that this message is "... return",
1011 * whereas the default/Z_OK one is "... return code".
1012 */
1013 png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1014 break;
1015 }
1016 }
1017
1018 /* png_convert_size: a PNGAPI but no longer in png.h, so deleted
1019 * at libpng 1.5.5!
1020 */
1021
1022 /* Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) */
1023 #ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1024 static int
1025 png_colorspace_check_gamma(png_const_structrp png_ptr,
1026 png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1027 /* This is called to check a new gamma value against an existing one. The
1028 * routine returns false if the new gamma value should not be written.
1029 *
1030 * 'from' says where the new gamma value comes from:
1031 *
1032 * 0: the new gamma value is the libpng estimate for an ICC profile
1033 * 1: the new gamma value comes from a gAMA chunk
1034 * 2: the new gamma value comes from an sRGB chunk
1035 */
1036 {
1037 png_fixed_point gtest;
1038
1039 if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != 0 &&
1040 (png_muldiv(&gtest, colorspace->gamma, PNG_FP_1, gAMA) == 0 ||
1041 png_gamma_significant(gtest) != 0))
1042 {
1043 /* Either this is an sRGB image, in which case the calculated gamma
1044 * approximation should match, or this is an image with a profile and the
1045 * value libpng calculates for the gamma of the profile does not match the
1046 * value recorded in the file. The former, sRGB, case is an error, the
1047 * latter is just a warning.
1048 */
1049 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0 || from == 2)
1050 {
1051 png_chunk_report(png_ptr, "gamma value does not match sRGB",
1052 PNG_CHUNK_ERROR);
1053 /* Do not overwrite an sRGB value */
1054 return from == 2;
1055 }
1056
1057 else /* sRGB tag not involved */
1058 {
1059 png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1060 PNG_CHUNK_WARNING);
1061 return from == 1;
1062 }
1063 }
1064
1065 return 1;
1066 }
1067
1068 void /* PRIVATE */
1069 png_colorspace_set_gamma(png_const_structrp png_ptr,
1070 png_colorspacerp colorspace, png_fixed_point gAMA)
1071 {
1072 /* Changed in libpng-1.5.4 to limit the values to ensure overflow can't
1073 * occur. Since the fixed point representation is asymetrical it is
1074 * possible for 1/gamma to overflow the limit of 21474 and this means the
1075 * gamma value must be at least 5/100000 and hence at most 20000.0. For
1076 * safety the limits here are a little narrower. The values are 0.00016 to
1077 * 6250.0, which are truly ridiculous gamma values (and will produce
1078 * displays that are all black or all white.)
1079 *
1080 * In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1081 * handling code, which only required the value to be >0.
1082 */
1083 png_const_charp errmsg;
1084
1085 if (gAMA < 16 || gAMA > 625000000)
1086 errmsg = "gamma value out of range";
1087
1088 # ifdef PNG_READ_gAMA_SUPPORTED
1089 /* Allow the application to set the gamma value more than once */
1090 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
1091 (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0)
1092 errmsg = "duplicate";
1093 # endif
1094
1095 /* Do nothing if the colorspace is already invalid */
1096 else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1097 return;
1098
1099 else
1100 {
1101 if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1102 1/*from gAMA*/) != 0)
1103 {
1104 /* Store this gamma value. */
1105 colorspace->gamma = gAMA;
1106 colorspace->flags |=
1107 (PNG_COLORSPACE_HAVE_GAMMA | PNG_COLORSPACE_FROM_gAMA);
1108 }
1109
1110 /* At present if the check_gamma test fails the gamma of the colorspace is
1111 * not updated however the colorspace is not invalidated. This
1112 * corresponds to the case where the existing gamma comes from an sRGB
1113 * chunk or profile. An error message has already been output.
1114 */
1115 return;
1116 }
1117
1118 /* Error exit - errmsg has been set. */
1119 colorspace->flags |= PNG_COLORSPACE_INVALID;
1120 png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1121 }
1122
1123 void /* PRIVATE */
1124 png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1125 {
1126 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != 0)
1127 {
1128 /* Everything is invalid */
1129 info_ptr->valid &= ~(PNG_INFO_gAMA|PNG_INFO_cHRM|PNG_INFO_sRGB|
1130 PNG_INFO_iCCP);
1131
1132 # ifdef PNG_COLORSPACE_SUPPORTED
1133 /* Clean up the iCCP profile now if it won't be used. */
1134 png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/);
1135 # else
1136 PNG_UNUSED(png_ptr)
1137 # endif
1138 }
1139
1140 else
1141 {
1142 # ifdef PNG_COLORSPACE_SUPPORTED
1143 /* Leave the INFO_iCCP flag set if the pngset.c code has already set
1144 * it; this allows a PNG to contain a profile which matches sRGB and
1145 * yet still have that profile retrievable by the application.
1146 */
1147 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0)
1148 info_ptr->valid |= PNG_INFO_sRGB;
1149
1150 else
1151 info_ptr->valid &= ~PNG_INFO_sRGB;
1152
1153 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1154 info_ptr->valid |= PNG_INFO_cHRM;
1155
1156 else
1157 info_ptr->valid &= ~PNG_INFO_cHRM;
1158 # endif
1159
1160 if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0)
1161 info_ptr->valid |= PNG_INFO_gAMA;
1162
1163 else
1164 info_ptr->valid &= ~PNG_INFO_gAMA;
1165 }
1166 }
1167
1168 #ifdef PNG_READ_SUPPORTED
1169 void /* PRIVATE */
1170 png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1171 {
1172 if (info_ptr == NULL) /* reduce code size; check here not in the caller */
1173 return;
1174
1175 info_ptr->colorspace = png_ptr->colorspace;
1176 png_colorspace_sync_info(png_ptr, info_ptr);
1177 }
1178 #endif
1179 #endif /* GAMMA */
1180
1181 #ifdef PNG_COLORSPACE_SUPPORTED
1182 /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for
1183 * cHRM, as opposed to using chromaticities. These internal APIs return
1184 * non-zero on a parameter error. The X, Y and Z values are required to be
1185 * positive and less than 1.0.
1186 */
1187 static int
1188 png_xy_from_XYZ(png_xy *xy, const png_XYZ *XYZ)
1189 {
1190 png_int_32 d, dwhite, whiteX, whiteY;
1191
1192 d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1193 if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == 0)
1194 return 1;
1195 if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == 0)
1196 return 1;
1197 dwhite = d;
1198 whiteX = XYZ->red_X;
1199 whiteY = XYZ->red_Y;
1200
1201 d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1202 if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == 0)
1203 return 1;
1204 if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == 0)
1205 return 1;
1206 dwhite += d;
1207 whiteX += XYZ->green_X;
1208 whiteY += XYZ->green_Y;
1209
1210 d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1211 if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == 0)
1212 return 1;
1213 if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == 0)
1214 return 1;
1215 dwhite += d;
1216 whiteX += XYZ->blue_X;
1217 whiteY += XYZ->blue_Y;
1218
1219 /* The reference white is simply the sum of the end-point (X,Y,Z) vectors,
1220 * thus:
1221 */
1222 if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == 0)
1223 return 1;
1224 if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == 0)
1225 return 1;
1226
1227 return 0;
1228 }
1229
1230 static int
1231 png_XYZ_from_xy(png_XYZ *XYZ, const png_xy *xy)
1232 {
1233 png_fixed_point red_inverse, green_inverse, blue_scale;
1234 png_fixed_point left, right, denominator;
1235
1236 /* Check xy and, implicitly, z. Note that wide gamut color spaces typically
1237 * have end points with 0 tristimulus values (these are impossible end
1238 * points, but they are used to cover the possible colors). We check
1239 * xy->whitey against 5, not 0, to avoid a possible integer overflow.
1240 */
1241 if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1;
1242 if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1;
1243 if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1;
1244 if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1;
1245 if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1;
1246 if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1;
1247 if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1;
1248 if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1;
1249
1250 /* The reverse calculation is more difficult because the original tristimulus
1251 * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1252 * derived values were recorded in the cHRM chunk;
1253 * (red,green,blue,white)x(x,y). This loses one degree of freedom and
1254 * therefore an arbitrary ninth value has to be introduced to undo the
1255 * original transformations.
1256 *
1257 * Think of the original end-points as points in (X,Y,Z) space. The
1258 * chromaticity values (c) have the property:
1259 *
1260 * C
1261 * c = ---------
1262 * X + Y + Z
1263 *
1264 * For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the
1265 * three chromaticity values (x,y,z) for each end-point obey the
1266 * relationship:
1267 *
1268 * x + y + z = 1
1269 *
1270 * This describes the plane in (X,Y,Z) space that intersects each axis at the
1271 * value 1.0; call this the chromaticity plane. Thus the chromaticity
1272 * calculation has scaled each end-point so that it is on the x+y+z=1 plane
1273 * and chromaticity is the intersection of the vector from the origin to the
1274 * (X,Y,Z) value with the chromaticity plane.
1275 *
1276 * To fully invert the chromaticity calculation we would need the three
1277 * end-point scale factors, (red-scale, green-scale, blue-scale), but these
1278 * were not recorded. Instead we calculated the reference white (X,Y,Z) and
1279 * recorded the chromaticity of this. The reference white (X,Y,Z) would have
1280 * given all three of the scale factors since:
1281 *
1282 * color-C = color-c * color-scale
1283 * white-C = red-C + green-C + blue-C
1284 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1285 *
1286 * But cHRM records only white-x and white-y, so we have lost the white scale
1287 * factor:
1288 *
1289 * white-C = white-c*white-scale
1290 *
1291 * To handle this the inverse transformation makes an arbitrary assumption
1292 * about white-scale:
1293 *
1294 * Assume: white-Y = 1.0
1295 * Hence: white-scale = 1/white-y
1296 * Or: red-Y + green-Y + blue-Y = 1.0
1297 *
1298 * Notice the last statement of the assumption gives an equation in three of
1299 * the nine values we want to calculate. 8 more equations come from the
1300 * above routine as summarised at the top above (the chromaticity
1301 * calculation):
1302 *
1303 * Given: color-x = color-X / (color-X + color-Y + color-Z)
1304 * Hence: (color-x - 1)*color-X + color.x*color-Y + color.x*color-Z = 0
1305 *
1306 * This is 9 simultaneous equations in the 9 variables "color-C" and can be
1307 * solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix
1308 * determinants, however this is not as bad as it seems because only 28 of
1309 * the total of 90 terms in the various matrices are non-zero. Nevertheless
1310 * Cramer's rule is notoriously numerically unstable because the determinant
1311 * calculation involves the difference of large, but similar, numbers. It is
1312 * difficult to be sure that the calculation is stable for real world values
1313 * and it is certain that it becomes unstable where the end points are close
1314 * together.
1315 *
1316 * So this code uses the perhaps slightly less optimal but more
1317 * understandable and totally obvious approach of calculating color-scale.
1318 *
1319 * This algorithm depends on the precision in white-scale and that is
1320 * (1/white-y), so we can immediately see that as white-y approaches 0 the
1321 * accuracy inherent in the cHRM chunk drops off substantially.
1322 *
1323 * libpng arithmetic: a simple inversion of the above equations
1324 * ------------------------------------------------------------
1325 *
1326 * white_scale = 1/white-y
1327 * white-X = white-x * white-scale
1328 * white-Y = 1.0
1329 * white-Z = (1 - white-x - white-y) * white_scale
1330 *
1331 * white-C = red-C + green-C + blue-C
1332 * = red-c*red-scale + green-c*green-scale + blue-c*blue-scale
1333 *
1334 * This gives us three equations in (red-scale,green-scale,blue-scale) where
1335 * all the coefficients are now known:
1336 *
1337 * red-x*red-scale + green-x*green-scale + blue-x*blue-scale
1338 * = white-x/white-y
1339 * red-y*red-scale + green-y*green-scale + blue-y*blue-scale = 1
1340 * red-z*red-scale + green-z*green-scale + blue-z*blue-scale
1341 * = (1 - white-x - white-y)/white-y
1342 *
1343 * In the last equation color-z is (1 - color-x - color-y) so we can add all
1344 * three equations together to get an alternative third:
1345 *
1346 * red-scale + green-scale + blue-scale = 1/white-y = white-scale
1347 *
1348 * So now we have a Cramer's rule solution where the determinants are just
1349 * 3x3 - far more tractible. Unfortunately 3x3 determinants still involve
1350 * multiplication of three coefficients so we can't guarantee to avoid
1351 * overflow in the libpng fixed point representation. Using Cramer's rule in
1352 * floating point is probably a good choice here, but it's not an option for
1353 * fixed point. Instead proceed to simplify the first two equations by
1354 * eliminating what is likely to be the largest value, blue-scale:
1355 *
1356 * blue-scale = white-scale - red-scale - green-scale
1357 *
1358 * Hence:
1359 *
1360 * (red-x - blue-x)*red-scale + (green-x - blue-x)*green-scale =
1361 * (white-x - blue-x)*white-scale
1362 *
1363 * (red-y - blue-y)*red-scale + (green-y - blue-y)*green-scale =
1364 * 1 - blue-y*white-scale
1365 *
1366 * And now we can trivially solve for (red-scale,green-scale):
1367 *
1368 * green-scale =
1369 * (white-x - blue-x)*white-scale - (red-x - blue-x)*red-scale
1370 * -----------------------------------------------------------
1371 * green-x - blue-x
1372 *
1373 * red-scale =
1374 * 1 - blue-y*white-scale - (green-y - blue-y) * green-scale
1375 * ---------------------------------------------------------
1376 * red-y - blue-y
1377 *
1378 * Hence:
1379 *
1380 * red-scale =
1381 * ( (green-x - blue-x) * (white-y - blue-y) -
1382 * (green-y - blue-y) * (white-x - blue-x) ) / white-y
1383 * -------------------------------------------------------------------------
1384 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1385 *
1386 * green-scale =
1387 * ( (red-y - blue-y) * (white-x - blue-x) -
1388 * (red-x - blue-x) * (white-y - blue-y) ) / white-y
1389 * -------------------------------------------------------------------------
1390 * (green-x - blue-x)*(red-y - blue-y)-(green-y - blue-y)*(red-x - blue-x)
1391 *
1392 * Accuracy:
1393 * The input values have 5 decimal digits of accuracy. The values are all in
1394 * the range 0 < value < 1, so simple products are in the same range but may
1395 * need up to 10 decimal digits to preserve the original precision and avoid
1396 * underflow. Because we are using a 32-bit signed representation we cannot
1397 * match this; the best is a little over 9 decimal digits, less than 10.
1398 *
1399 * The approach used here is to preserve the maximum precision within the
1400 * signed representation. Because the red-scale calculation above uses the
1401 * difference between two products of values that must be in the range -1..+1
1402 * it is sufficient to divide the product by 7; ceil(100,000/32767*2). The
1403 * factor is irrelevant in the calculation because it is applied to both
1404 * numerator and denominator.
1405 *
1406 * Note that the values of the differences of the products of the
1407 * chromaticities in the above equations tend to be small, for example for
1408 * the sRGB chromaticities they are:
1409 *
1410 * red numerator: -0.04751
1411 * green numerator: -0.08788
1412 * denominator: -0.2241 (without white-y multiplication)
1413 *
1414 * The resultant Y coefficients from the chromaticities of some widely used
1415 * color space definitions are (to 15 decimal places):
1416 *
1417 * sRGB
1418 * 0.212639005871510 0.715168678767756 0.072192315360734
1419 * Kodak ProPhoto
1420 * 0.288071128229293 0.711843217810102 0.000085653960605
1421 * Adobe RGB
1422 * 0.297344975250536 0.627363566255466 0.075291458493998
1423 * Adobe Wide Gamut RGB
1424 * 0.258728243040113 0.724682314948566 0.016589442011321
1425 */
1426 /* By the argument, above overflow should be impossible here. The return
1427 * value of 2 indicates an internal error to the caller.
1428 */
1429 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, 7) == 0)
1430 return 2;
1431 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, 7) == 0)
1432 return 2;
1433 denominator = left - right;
1434
1435 /* Now find the red numerator. */
1436 if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1437 return 2;
1438 if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1439 return 2;
1440
1441 /* Overflow is possible here and it indicates an extreme set of PNG cHRM
1442 * chunk values. This calculation actually returns the reciprocal of the
1443 * scale value because this allows us to delay the multiplication of white-y
1444 * into the denominator, which tends to produce a small number.
1445 */
1446 if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == 0 ||
1447 red_inverse <= xy->whitey /* r+g+b scales = white scale */)
1448 return 1;
1449
1450 /* Similarly for green_inverse: */
1451 if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, 7) == 0)
1452 return 2;
1453 if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, 7) == 0)
1454 return 2;
1455 if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == 0 ||
1456 green_inverse <= xy->whitey)
1457 return 1;
1458
1459 /* And the blue scale, the checks above guarantee this can't overflow but it
1460 * can still produce 0 for extreme cHRM values.
1461 */
1462 blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1463 png_reciprocal(green_inverse);
1464 if (blue_scale <= 0)
1465 return 1;
1466
1467
1468 /* And fill in the png_XYZ: */
1469 if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == 0)
1470 return 1;
1471 if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == 0)
1472 return 1;
1473 if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1474 red_inverse) == 0)
1475 return 1;
1476
1477 if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == 0)
1478 return 1;
1479 if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == 0)
1480 return 1;
1481 if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1482 green_inverse) == 0)
1483 return 1;
1484
1485 if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == 0)
1486 return 1;
1487 if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == 0)
1488 return 1;
1489 if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1490 PNG_FP_1) == 0)
1491 return 1;
1492
1493 return 0; /*success*/
1494 }
1495
1496 static int
1497 png_XYZ_normalize(png_XYZ *XYZ)
1498 {
1499 png_int_32 Y;
1500
1501 if (XYZ->red_Y < 0 || XYZ->green_Y < 0 || XYZ->blue_Y < 0 ||
1502 XYZ->red_X < 0 || XYZ->green_X < 0 || XYZ->blue_X < 0 ||
1503 XYZ->red_Z < 0 || XYZ->green_Z < 0 || XYZ->blue_Z < 0)
1504 return 1;
1505
1506 /* Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.
1507 * IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1508 * relying on addition of two positive values producing a negative one is not
1509 * safe.
1510 */
1511 Y = XYZ->red_Y;
1512 if (0x7fffffff - Y < XYZ->green_X)
1513 return 1;
1514 Y += XYZ->green_Y;
1515 if (0x7fffffff - Y < XYZ->blue_X)
1516 return 1;
1517 Y += XYZ->blue_Y;
1518
1519 if (Y != PNG_FP_1)
1520 {
1521 if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == 0)
1522 return 1;
1523 if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == 0)
1524 return 1;
1525 if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == 0)
1526 return 1;
1527
1528 if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == 0)
1529 return 1;
1530 if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == 0)
1531 return 1;
1532 if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == 0)
1533 return 1;
1534
1535 if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == 0)
1536 return 1;
1537 if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == 0)
1538 return 1;
1539 if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == 0)
1540 return 1;
1541 }
1542
1543 return 0;
1544 }
1545
1546 static int
1547 png_colorspace_endpoints_match(const png_xy *xy1, const png_xy *xy2, int delta)
1548 {
1549 /* Allow an error of +/-0.01 (absolute value) on each chromaticity */
1550 if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) ||
1551 PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) ||
1552 PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) ||
1553 PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) ||
1554 PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) ||
1555 PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) ||
1556 PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) ||
1557 PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta))
1558 return 0;
1559 return 1;
1560 }
1561
1562 /* Added in libpng-1.6.0, a different check for the validity of a set of cHRM
1563 * chunk chromaticities. Earlier checks used to simply look for the overflow
1564 * condition (where the determinant of the matrix to solve for XYZ ends up zero
1565 * because the chromaticity values are not all distinct.) Despite this it is
1566 * theoretically possible to produce chromaticities that are apparently valid
1567 * but that rapidly degrade to invalid, potentially crashing, sets because of
1568 * arithmetic inaccuracies when calculations are performed on them. The new
1569 * check is to round-trip xy -> XYZ -> xy and then check that the result is
1570 * within a small percentage of the original.
1571 */
1572 static int
1573 png_colorspace_check_xy(png_XYZ *XYZ, const png_xy *xy)
1574 {
1575 int result;
1576 png_xy xy_test;
1577
1578 /* As a side-effect this routine also returns the XYZ endpoints. */
1579 result = png_XYZ_from_xy(XYZ, xy);
1580 if (result != 0)
1581 return result;
1582
1583 result = png_xy_from_XYZ(&xy_test, XYZ);
1584 if (result != 0)
1585 return result;
1586
1587 if (png_colorspace_endpoints_match(xy, &xy_test,
1588 5/*actually, the math is pretty accurate*/) != 0)
1589 return 0;
1590
1591 /* Too much slip */
1592 return 1;
1593 }
1594
1595 /* This is the check going the other way. The XYZ is modified to normalize it
1596 * (another side-effect) and the xy chromaticities are returned.
1597 */
1598 static int
1599 png_colorspace_check_XYZ(png_xy *xy, png_XYZ *XYZ)
1600 {
1601 int result;
1602 png_XYZ XYZtemp;
1603
1604 result = png_XYZ_normalize(XYZ);
1605 if (result != 0)
1606 return result;
1607
1608 result = png_xy_from_XYZ(xy, XYZ);
1609 if (result != 0)
1610 return result;
1611
1612 XYZtemp = *XYZ;
1613 return png_colorspace_check_xy(&XYZtemp, xy);
1614 }
1615
1616 /* Used to check for an endpoint match against sRGB */
1617 static const png_xy sRGB_xy = /* From ITU-R BT.709-3 */
1618 {
1619 /* color x y */
1620 /* red */ 64000, 33000,
1621 /* green */ 30000, 60000,
1622 /* blue */ 15000, 6000,
1623 /* white */ 31270, 32900
1624 };
1625
1626 static int
1627 png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1628 png_colorspacerp colorspace, const png_xy *xy, const png_XYZ *XYZ,
1629 int preferred)
1630 {
1631 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1632 return 0;
1633
1634 /* The consistency check is performed on the chromaticities; this factors out
1635 * variations because of the normalization (or not) of the end point Y
1636 * values.
1637 */
1638 if (preferred < 2 &&
1639 (colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
1640 {
1641 /* The end points must be reasonably close to any we already have. The
1642 * following allows an error of up to +/-.001
1643 */
1644 if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1645 100) == 0)
1646 {
1647 colorspace->flags |= PNG_COLORSPACE_INVALID;
1648 png_benign_error(png_ptr, "inconsistent chromaticities");
1649 return 0; /* failed */
1650 }
1651
1652 /* Only overwrite with preferred values */
1653 if (preferred == 0)
1654 return 1; /* ok, but no change */
1655 }
1656
1657 colorspace->end_points_xy = *xy;
1658 colorspace->end_points_XYZ = *XYZ;
1659 colorspace->flags |= PNG_COLORSPACE_HAVE_ENDPOINTS;
1660
1661 /* The end points are normally quoted to two decimal digits, so allow +/-0.01
1662 * on this test.
1663 */
1664 if (png_colorspace_endpoints_match(xy, &sRGB_xy, 1000) != 0)
1665 colorspace->flags |= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1666
1667 else
1668 colorspace->flags &= PNG_COLORSPACE_CANCEL(
1669 PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1670
1671 return 2; /* ok and changed */
1672 }
1673
1674 int /* PRIVATE */
1675 png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1676 png_colorspacerp colorspace, const png_xy *xy, int preferred)
1677 {
1678 /* We must check the end points to ensure they are reasonable - in the past
1679 * color management systems have crashed as a result of getting bogus
1680 * colorant values, while this isn't the fault of libpng it is the
1681 * responsibility of libpng because PNG carries the bomb and libpng is in a
1682 * position to protect against it.
1683 */
1684 png_XYZ XYZ;
1685
1686 switch (png_colorspace_check_xy(&XYZ, xy))
1687 {
1688 case 0: /* success */
1689 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1690 preferred);
1691
1692 case 1:
1693 /* We can't invert the chromaticities so we can't produce value XYZ
1694 * values. Likely as not a color management system will fail too.
1695 */
1696 colorspace->flags |= PNG_COLORSPACE_INVALID;
1697 png_benign_error(png_ptr, "invalid chromaticities");
1698 break;
1699
1700 default:
1701 /* libpng is broken; this should be a warning but if it happens we
1702 * want error reports so for the moment it is an error.
1703 */
1704 colorspace->flags |= PNG_COLORSPACE_INVALID;
1705 png_error(png_ptr, "internal error checking chromaticities");
1706 break;
1707 }
1708
1709 return 0; /* failed */
1710 }
1711
1712 int /* PRIVATE */
1713 png_colorspace_set_endpoints(png_const_structrp png_ptr,
1714 png_colorspacerp colorspace, const png_XYZ *XYZ_in, int preferred)
1715 {
1716 png_XYZ XYZ = *XYZ_in;
1717 png_xy xy;
1718
1719 switch (png_colorspace_check_XYZ(&xy, &XYZ))
1720 {
1721 case 0:
1722 return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1723 preferred);
1724
1725 case 1:
1726 /* End points are invalid. */
1727 colorspace->flags |= PNG_COLORSPACE_INVALID;
1728 png_benign_error(png_ptr, "invalid end points");
1729 break;
1730
1731 default:
1732 colorspace->flags |= PNG_COLORSPACE_INVALID;
1733 png_error(png_ptr, "internal error checking chromaticities");
1734 break;
1735 }
1736
1737 return 0; /* failed */
1738 }
1739
1740 #if defined(PNG_sRGB_SUPPORTED) || defined(PNG_iCCP_SUPPORTED)
1741 /* Error message generation */
1742 static char
1743 png_icc_tag_char(png_uint_32 byte)
1744 {
1745 byte &= 0xff;
1746 if (byte >= 32 && byte <= 126)
1747 return (char)byte;
1748 else
1749 return '?';
1750 }
1751
1752 static void
1753 png_icc_tag_name(char *name, png_uint_32 tag)
1754 {
1755 name[0] = '\'';
1756 name[1] = png_icc_tag_char(tag >> 24);
1757 name[2] = png_icc_tag_char(tag >> 16);
1758 name[3] = png_icc_tag_char(tag >> 8);
1759 name[4] = png_icc_tag_char(tag );
1760 name[5] = '\'';
1761 }
1762
1763 static int
1764 is_ICC_signature_char(png_alloc_size_t it)
1765 {
1766 return it == 32 || (it >= 48 && it <= 57) || (it >= 65 && it <= 90) ||
1767 (it >= 97 && it <= 122);
1768 }
1769
1770 static int
1771 is_ICC_signature(png_alloc_size_t it)
1772 {
1773 return is_ICC_signature_char(it >> 24) /* checks all the top bits */ &&
1774 is_ICC_signature_char((it >> 16) & 0xff) &&
1775 is_ICC_signature_char((it >> 8) & 0xff) &&
1776 is_ICC_signature_char(it & 0xff);
1777 }
1778
1779 static int
1780 png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1781 png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1782 {
1783 size_t pos;
1784 char message[196]; /* see below for calculation */
1785
1786 if (colorspace != NULL)
1787 colorspace->flags |= PNG_COLORSPACE_INVALID;
1788
1789 pos = png_safecat(message, (sizeof message), 0, "profile '"); /* 9 chars */
1790 pos = png_safecat(message, pos+79, pos, name); /* Truncate to 79 chars */
1791 pos = png_safecat(message, (sizeof message), pos, "': "); /* +2 = 90 */
1792 if (is_ICC_signature(value) != 0)
1793 {
1794 /* So 'value' is at most 4 bytes and the following cast is safe */
1795 png_icc_tag_name(message+pos, (png_uint_32)value);
1796 pos += 6; /* total +8; less than the else clause */
1797 message[pos++] = ':';
1798 message[pos++] = ' ';
1799 }
1800 # ifdef PNG_WARNINGS_SUPPORTED
1801 else
1802 {
1803 char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/
1804
1805 pos = png_safecat(message, (sizeof message), pos,
1806 png_format_number(number, number+(sizeof number),
1807 PNG_NUMBER_FORMAT_x, value));
1808 pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/
1809 }
1810 # endif
1811 /* The 'reason' is an arbitrary message, allow +79 maximum 195 */
1812 pos = png_safecat(message, (sizeof message), pos, reason);
1813 PNG_UNUSED(pos)
1814
1815 /* This is recoverable, but make it unconditionally an app_error on write to
1816 * avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1817 * on read, with a warning, but on write unless the app turns off
1818 * application errors the PNG won't be written.)
1819 */
1820 png_chunk_report(png_ptr, message,
1821 (colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1822
1823 return 0;
1824 }
1825 #endif /* sRGB || iCCP */
1826
1827 #ifdef PNG_sRGB_SUPPORTED
1828 int /* PRIVATE */
1829 png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1830 int intent)
1831 {
1832 /* sRGB sets known gamma, end points and (from the chunk) intent. */
1833 /* IMPORTANT: these are not necessarily the values found in an ICC profile
1834 * because ICC profiles store values adapted to a D50 environment; it is
1835 * expected that the ICC profile mediaWhitePointTag will be D50; see the
1836 * checks and code elsewhere to understand this better.
1837 *
1838 * These XYZ values, which are accurate to 5dp, produce rgb to gray
1839 * coefficients of (6968,23435,2366), which are reduced (because they add up
1840 * to 32769 not 32768) to (6968,23434,2366). These are the values that
1841 * libpng has traditionally used (and are the best values given the 15bit
1842 * algorithm used by the rgb to gray code.)
1843 */
1844 static const png_XYZ sRGB_XYZ = /* D65 XYZ (*not* the D50 adapted values!) */
1845 {
1846 /* color X Y Z */
1847 /* red */ 41239, 21264, 1933,
1848 /* green */ 35758, 71517, 11919,
1849 /* blue */ 18048, 7219, 95053
1850 };
1851
1852 /* Do nothing if the colorspace is already invalidated. */
1853 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
1854 return 0;
1855
1856 /* Check the intent, then check for existing settings. It is valid for the
1857 * PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1858 * be consistent with the correct values. If, however, this function is
1859 * called below because an iCCP chunk matches sRGB then it is quite
1860 * conceivable that an older app recorded incorrect gAMA and cHRM because of
1861 * an incorrect calculation based on the values in the profile - this does
1862 * *not* invalidate the profile (though it still produces an error, which can
1863 * be ignored.)
1864 */
1865 if (intent < 0 || intent >= PNG_sRGB_INTENT_LAST)
1866 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1867 (unsigned)intent, "invalid sRGB rendering intent");
1868
1869 if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != 0 &&
1870 colorspace->rendering_intent != intent)
1871 return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1872 (unsigned)intent, "inconsistent rendering intents");
1873
1874 if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != 0)
1875 {
1876 png_benign_error(png_ptr, "duplicate sRGB information ignored");
1877 return 0;
1878 }
1879
1880 /* If the standard sRGB cHRM chunk does not match the one from the PNG file
1881 * warn but overwrite the value with the correct one.
1882 */
1883 if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0 &&
1884 !png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1885 100))
1886 png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1887 PNG_CHUNK_ERROR);
1888
1889 /* This check is just done for the error reporting - the routine always
1890 * returns true when the 'from' argument corresponds to sRGB (2).
1891 */
1892 (void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1893 2/*from sRGB*/);
1894
1895 /* intent: bugs in GCC force 'int' to be used as the parameter type. */
1896 colorspace->rendering_intent = (png_uint_16)intent;
1897 colorspace->flags |= PNG_COLORSPACE_HAVE_INTENT;
1898
1899 /* endpoints */
1900 colorspace->end_points_xy = sRGB_xy;
1901 colorspace->end_points_XYZ = sRGB_XYZ;
1902 colorspace->flags |=
1903 (PNG_COLORSPACE_HAVE_ENDPOINTS|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1904
1905 /* gamma */
1906 colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1907 colorspace->flags |= PNG_COLORSPACE_HAVE_GAMMA;
1908
1909 /* Finally record that we have an sRGB profile */
1910 colorspace->flags |=
1911 (PNG_COLORSPACE_MATCHES_sRGB|PNG_COLORSPACE_FROM_sRGB);
1912
1913 return 1; /* set */
1914 }
1915 #endif /* sRGB */
1916
1917 #ifdef PNG_iCCP_SUPPORTED
1918 /* Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value
1919 * is XYZ(0.9642,1.0,0.8249), which scales to:
1920 *
1921 * (63189.8112, 65536, 54060.6464)
1922 */
1923 static const png_byte D50_nCIEXYZ[12] =
1924 { 0x00, 0x00, 0xf6, 0xd6, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xd3, 0x2d };
1925
1926 int /* PRIVATE */
1927 png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1928 png_const_charp name, png_uint_32 profile_length)
1929 {
1930 if (profile_length < 132)
1931 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1932 "too short");
1933
1934 return 1;
1935 }
1936
1937 int /* PRIVATE */
1938 png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
1939 png_const_charp name, png_uint_32 profile_length,
1940 png_const_bytep profile/* first 132 bytes only */, int color_type)
1941 {
1942 png_uint_32 temp;
1943
1944 /* Length check; this cannot be ignored in this code because profile_length
1945 * is used later to check the tag table, so even if the profile seems over
1946 * long profile_length from the caller must be correct. The caller can fix
1947 * this up on read or write by just passing in the profile header length.
1948 */
1949 temp = png_get_uint_32(profile);
1950 if (temp != profile_length)
1951 return png_icc_profile_error(png_ptr, colorspace, name, temp,
1952 "length does not match profile");
1953
1954 temp = (png_uint_32) (*(profile+8));
1955 if (temp > 3 && (profile_length & 3))
1956 return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1957 "invalid length");
1958
1959 temp = png_get_uint_32(profile+128); /* tag count: 12 bytes/tag */
1960 if (temp > 357913930 || /* (2^32-4-132)/12: maximum possible tag count */
1961 profile_length < 132+12*temp) /* truncated tag table */
1962 return png_icc_profile_error(png_ptr, colorspace, name, temp,
1963 "tag count too large");
1964
1965 /* The 'intent' must be valid or we can't store it, ICC limits the intent to
1966 * 16 bits.
1967 */
1968 temp = png_get_uint_32(profile+64);
1969 if (temp >= 0xffff) /* The ICC limit */
1970 return png_icc_profile_error(png_ptr, colorspace, name, temp,
1971 "invalid rendering intent");
1972
1973 /* This is just a warning because the profile may be valid in future
1974 * versions.
1975 */
1976 if (temp >= PNG_sRGB_INTENT_LAST)
1977 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
1978 "intent outside defined range");
1979
1980 /* At this point the tag table can't be checked because it hasn't necessarily
1981 * been loaded; however, various header fields can be checked. These checks
1982 * are for values permitted by the PNG spec in an ICC profile; the PNG spec
1983 * restricts the profiles that can be passed in an iCCP chunk (they must be
1984 * appropriate to processing PNG data!)
1985 */
1986
1987 /* Data checks (could be skipped). These checks must be independent of the
1988 * version number; however, the version number doesn't accomodate changes in
1989 * the header fields (just the known tags and the interpretation of the
1990 * data.)
1991 */
1992 temp = png_get_uint_32(profile+36); /* signature 'ascp' */
1993 if (temp != 0x61637370)
1994 return png_icc_profile_error(png_ptr, colorspace, name, temp,
1995 "invalid signature");
1996
1997 /* Currently the PCS illuminant/adopted white point (the computational
1998 * white point) are required to be D50,
1999 * however the profile contains a record of the illuminant so perhaps ICC
2000 * expects to be able to change this in the future (despite the rationale in
2001 * the introduction for using a fixed PCS adopted white.) Consequently the
2002 * following is just a warning.
2003 */
2004 if (memcmp(profile+68, D50_nCIEXYZ, 12) != 0)
2005 (void)png_icc_profile_error(png_ptr, NULL, name, 0/*no tag value*/,
2006 "PCS illuminant is not D50");
2007
2008 /* The PNG spec requires this:
2009 * "If the iCCP chunk is present, the image samples conform to the colour
2010 * space represented by the embedded ICC profile as defined by the
2011 * International Color Consortium [ICC]. The colour space of the ICC profile
2012 * shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2013 * 6), or a greyscale colour space for greyscale images (PNG colour types 0
2014 * and 4)."
2015 *
2016 * This checking code ensures the embedded profile (on either read or write)
2017 * conforms to the specification requirements. Notice that an ICC 'gray'
2018 * color-space profile contains the information to transform the monochrome
2019 * data to XYZ or L*a*b (according to which PCS the profile uses) and this
2020 * should be used in preference to the standard libpng K channel replication
2021 * into R, G and B channels.
2022 *
2023 * Previously it was suggested that an RGB profile on grayscale data could be
2024 * handled. However it it is clear that using an RGB profile in this context
2025 * must be an error - there is no specification of what it means. Thus it is
2026 * almost certainly more correct to ignore the profile.
2027 */
2028 temp = png_get_uint_32(profile+16); /* data colour space field */
2029 switch (temp)
2030 {
2031 case 0x52474220: /* 'RGB ' */
2032 if ((color_type & PNG_COLOR_MASK_COLOR) == 0)
2033 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2034 "RGB color space not permitted on grayscale PNG");
2035 break;
2036
2037 case 0x47524159: /* 'GRAY' */
2038 if ((color_type & PNG_COLOR_MASK_COLOR) != 0)
2039 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2040 "Gray color space not permitted on RGB PNG");
2041 break;
2042
2043 default:
2044 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2045 "invalid ICC profile color space");
2046 }
2047
2048 /* It is up to the application to check that the profile class matches the
2049 * application requirements; the spec provides no guidance, but it's pretty
2050 * weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2051 * ('prtr') or 'spac' (for generic color spaces). Issue a warning in these
2052 * cases. Issue an error for device link or abstract profiles - these don't
2053 * contain the records necessary to transform the color-space to anything
2054 * other than the target device (and not even that for an abstract profile).
2055 * Profiles of these classes may not be embedded in images.
2056 */
2057 temp = png_get_uint_32(profile+12); /* profile/device class */
2058 switch (temp)
2059 {
2060 case 0x73636E72: /* 'scnr' */
2061 case 0x6D6E7472: /* 'mntr' */
2062 case 0x70727472: /* 'prtr' */
2063 case 0x73706163: /* 'spac' */
2064 /* All supported */
2065 break;
2066
2067 case 0x61627374: /* 'abst' */
2068 /* May not be embedded in an image */
2069 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2070 "invalid embedded Abstract ICC profile");
2071
2072 case 0x6C696E6B: /* 'link' */
2073 /* DeviceLink profiles cannot be interpreted in a non-device specific
2074 * fashion, if an app uses the AToB0Tag in the profile the results are
2075 * undefined unless the result is sent to the intended device,
2076 * therefore a DeviceLink profile should not be found embedded in a
2077 * PNG.
2078 */
2079 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2080 "unexpected DeviceLink ICC profile class");
2081
2082 case 0x6E6D636C: /* 'nmcl' */
2083 /* A NamedColor profile is also device specific, however it doesn't
2084 * contain an AToB0 tag that is open to misinterpretation. Almost
2085 * certainly it will fail the tests below.
2086 */
2087 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2088 "unexpected NamedColor ICC profile class");
2089 break;
2090
2091 default:
2092 /* To allow for future enhancements to the profile accept unrecognized
2093 * profile classes with a warning, these then hit the test below on the
2094 * tag content to ensure they are backward compatible with one of the
2095 * understood profiles.
2096 */
2097 (void)png_icc_profile_error(png_ptr, NULL, name, temp,
2098 "unrecognized ICC profile class");
2099 break;
2100 }
2101
2102 /* For any profile other than a device link one the PCS must be encoded
2103 * either in XYZ or Lab.
2104 */
2105 temp = png_get_uint_32(profile+20);
2106 switch (temp)
2107 {
2108 case 0x58595A20: /* 'XYZ ' */
2109 case 0x4C616220: /* 'Lab ' */
2110 break;
2111
2112 default:
2113 return png_icc_profile_error(png_ptr, colorspace, name, temp,
2114 "unexpected ICC PCS encoding");
2115 }
2116
2117 return 1;
2118 }
2119
2120 int /* PRIVATE */
2121 png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2122 png_const_charp name, png_uint_32 profile_length,
2123 png_const_bytep profile /* header plus whole tag table */)
2124 {
2125 png_uint_32 tag_count = png_get_uint_32(profile+128);
2126 png_uint_32 itag;
2127 png_const_bytep tag = profile+132; /* The first tag */
2128
2129 /* First scan all the tags in the table and add bits to the icc_info value
2130 * (temporarily in 'tags').
2131 */
2132 for (itag=0; itag < tag_count; ++itag, tag += 12)
2133 {
2134 png_uint_32 tag_id = png_get_uint_32(tag+0);
2135 png_uint_32 tag_start = png_get_uint_32(tag+4); /* must be aligned */
2136 png_uint_32 tag_length = png_get_uint_32(tag+8);/* not padded */
2137
2138 /* The ICC specification does not exclude zero length tags, therefore the
2139 * start might actually be anywhere if there is no data, but this would be
2140 * a clear abuse of the intent of the standard so the start is checked for
2141 * being in range. All defined tag types have an 8 byte header - a 4 byte
2142 * type signature then 0.
2143 */
2144 if ((tag_start & 3) != 0)
2145 {
2146 /* CNHP730S.icc shipped with Microsoft Windows 64 violates this, it is
2147 * only a warning here because libpng does not care about the
2148 * alignment.
2149 */
2150 (void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2151 "ICC profile tag start not a multiple of 4");
2152 }
2153
2154 /* This is a hard error; potentially it can cause read outside the
2155 * profile.
2156 */
2157 if (tag_start > profile_length || tag_length > profile_length - tag_start)
2158 return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2159 "ICC profile tag outside profile");
2160 }
2161
2162 return 1; /* success, maybe with warnings */
2163 }
2164
2165 #ifdef PNG_sRGB_SUPPORTED
2166 #if PNG_sRGB_PROFILE_CHECKS >= 0
2167 /* Information about the known ICC sRGB profiles */
2168 static const struct
2169 {
2170 png_uint_32 adler, crc, length;
2171 png_uint_32 md5[4];
2172 png_byte have_md5;
2173 png_byte is_broken;
2174 png_uint_16 intent;
2175
2176 # define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)||(b!=0)||(c!=0)||(d!=0)
2177 # define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2178 { adler, crc, length, md5, broke, intent },
2179
2180 } png_sRGB_checks[] =
2181 {
2182 /* This data comes from contrib/tools/checksum-icc run on downloads of
2183 * all four ICC sRGB profiles from www.color.org.
2184 */
2185 /* adler32, crc32, MD5[4], intent, date, length, file-name */
2186 PNG_ICC_CHECKSUM(0x0a3fd9f6, 0x3b8772b9,
2187 PNG_MD5(0x29f83dde, 0xaff255ae, 0x7842fae4, 0xca83390d), 0, 0,
2188 "2009/03/27 21:36:31", 3048, "sRGB_IEC61966-2-1_black_scaled.icc")
2189
2190 /* ICC sRGB v2 perceptual no black-compensation: */
2191 PNG_ICC_CHECKSUM(0x4909e5e1, 0x427ebb21,
2192 PNG_MD5(0xc95bd637, 0xe95d8a3b, 0x0df38f99, 0xc1320389), 1, 0,
2193 "2009/03/27 21:37:45", 3052, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2194
2195 PNG_ICC_CHECKSUM(0xfd2144a1, 0x306fd8ae,
2196 PNG_MD5(0xfc663378, 0x37e2886b, 0xfd72e983, 0x8228f1b8), 0, 0,
2197 "2009/08/10 17:28:01", 60988, "sRGB_v4_ICC_preference_displayclass.icc")
2198
2199 /* ICC sRGB v4 perceptual */
2200 PNG_ICC_CHECKSUM(0x209c35d2, 0xbbef7812,
2201 PNG_MD5(0x34562abf, 0x994ccd06, 0x6d2c5721, 0xd0d68c5d), 0, 0,
2202 "2007/07/25 00:05:37", 60960, "sRGB_v4_ICC_preference.icc")
2203
2204 /* The following profiles have no known MD5 checksum. If there is a match
2205 * on the (empty) MD5 the other fields are used to attempt a match and
2206 * a warning is produced. The first two of these profiles have a 'cprt' tag
2207 * which suggests that they were also made by Hewlett Packard.
2208 */
2209 PNG_ICC_CHECKSUM(0xa054d762, 0x5d5129ce,
2210 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 0,
2211 "2004/07/21 18:57:42", 3024, "sRGB_IEC61966-2-1_noBPC.icc")
2212
2213 /* This is a 'mntr' (display) profile with a mediaWhitePointTag that does not
2214 * match the D50 PCS illuminant in the header (it is in fact the D65 values,
2215 * so the white point is recorded as the un-adapted value.) The profiles
2216 * below only differ in one byte - the intent - and are basically the same as
2217 * the previous profile except for the mediaWhitePointTag error and a missing
2218 * chromaticAdaptationTag.
2219 */
2220 PNG_ICC_CHECKSUM(0xf784f3fb, 0x182ea552,
2221 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 0, 1/*broken*/,
2222 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 perceptual")
2223
2224 PNG_ICC_CHECKSUM(0x0398f3fc, 0xf29e526d,
2225 PNG_MD5(0x00000000, 0x00000000, 0x00000000, 0x00000000), 1, 1/*broken*/,
2226 "1998/02/09 06:49:00", 3144, "HP-Microsoft sRGB v2 media-relative")
2227 };
2228
2229 static int
2230 png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2231 png_const_bytep profile, uLong adler)
2232 {
2233 /* The quick check is to verify just the MD5 signature and trust the
2234 * rest of the data. Because the profile has already been verified for
2235 * correctness this is safe. png_colorspace_set_sRGB will check the 'intent'
2236 * field too, so if the profile has been edited with an intent not defined
2237 * by sRGB (but maybe defined by a later ICC specification) the read of
2238 * the profile will fail at that point.
2239 */
2240
2241 png_uint_32 length = 0;
2242 png_uint_32 intent = 0x10000; /* invalid */
2243 #if PNG_sRGB_PROFILE_CHECKS > 1
2244 uLong crc = 0; /* the value for 0 length data */
2245 #endif
2246 unsigned int i;
2247
2248 #ifdef PNG_SET_OPTION_SUPPORTED
2249 /* First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" */
2250 if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & 3) ==
2251 PNG_OPTION_ON)
2252 return 0;
2253 #endif
2254
2255 for (i=0; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[0]); ++i)
2256 {
2257 if (png_get_uint_32(profile+84) == png_sRGB_checks[i].md5[0] &&
2258 png_get_uint_32(profile+88) == png_sRGB_checks[i].md5[1] &&
2259 png_get_uint_32(profile+92) == png_sRGB_checks[i].md5[2] &&
2260 png_get_uint_32(profile+96) == png_sRGB_checks[i].md5[3])
2261 {
2262 /* This may be one of the old HP profiles without an MD5, in that
2263 * case we can only use the length and Adler32 (note that these
2264 * are not used by default if there is an MD5!)
2265 */
2266 # if PNG_sRGB_PROFILE_CHECKS == 0
2267 if (png_sRGB_checks[i].have_md5 != 0)
2268 return 1+png_sRGB_checks[i].is_broken;
2269 # endif
2270
2271 /* Profile is unsigned or more checks have been configured in. */
2272 if (length == 0)
2273 {
2274 length = png_get_uint_32(profile);
2275 intent = png_get_uint_32(profile+64);
2276 }
2277
2278 /* Length *and* intent must match */
2279 if (length == png_sRGB_checks[i].length &&
2280 intent == (png_uint_32) png_sRGB_checks[i].intent)
2281 {
2282 /* Now calculate the adler32 if not done already. */
2283 if (adler == 0)
2284 {
2285 adler = adler32(0, NULL, 0);
2286 adler = adler32(adler, profile, length);
2287 }
2288
2289 if (adler == png_sRGB_checks[i].adler)
2290 {
2291 /* These basic checks suggest that the data has not been
2292 * modified, but if the check level is more than 1 perform
2293 * our own crc32 checksum on the data.
2294 */
2295 # if PNG_sRGB_PROFILE_CHECKS > 1
2296 if (crc == 0)
2297 {
2298 crc = crc32(0, NULL, 0);
2299 crc = crc32(crc, profile, length);
2300 }
2301
2302 /* So this check must pass for the 'return' below to happen.
2303 */
2304 if (crc == png_sRGB_checks[i].crc)
2305 # endif
2306 {
2307 if (png_sRGB_checks[i].is_broken != 0)
2308 {
2309 /* These profiles are known to have bad data that may cause
2310 * problems if they are used, therefore attempt to
2311 * discourage their use, skip the 'have_md5' warning below,
2312 * which is made irrelevant by this error.
2313 */
2314 png_chunk_report(png_ptr, "known incorrect sRGB profile",
2315 PNG_CHUNK_ERROR);
2316 }
2317
2318 /* Warn that this being done; this isn't even an error since
2319 * the profile is perfectly valid, but it would be nice if
2320 * people used the up-to-date ones.
2321 */
2322 else if (png_sRGB_checks[i].have_md5 == 0)
2323 {
2324 png_chunk_report(png_ptr,
2325 "out-of-date sRGB profile with no signature",
2326 PNG_CHUNK_WARNING);
2327 }
2328
2329 return 1+png_sRGB_checks[i].is_broken;
2330 }
2331 }
2332
2333 # if PNG_sRGB_PROFILE_CHECKS > 0
2334 /* The signature matched, but the profile had been changed in some
2335 * way. This probably indicates a data error or uninformed hacking.
2336 * Fall through to "no match".
2337 */
2338 png_chunk_report(png_ptr,
2339 "Not recognizing known sRGB profile that has been edited",
2340 PNG_CHUNK_WARNING);
2341 break;
2342 # endif
2343 }
2344 }
2345 }
2346
2347 return 0; /* no match */
2348 }
2349 #endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2350
2351 void /* PRIVATE */
2352 png_icc_set_sRGB(png_const_structrp png_ptr,
2353 png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2354 {
2355 /* Is this profile one of the known ICC sRGB profiles? If it is, just set
2356 * the sRGB information.
2357 */
2358 #if PNG_sRGB_PROFILE_CHECKS >= 0
2359 if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != 0)
2360 #endif
2361 (void)png_colorspace_set_sRGB(png_ptr, colorspace,
2362 (int)/*already checked*/png_get_uint_32(profile+64));
2363 }
2364 #endif /* sRGB */
2365
2366 int /* PRIVATE */
2367 png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2368 png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2369 int color_type)
2370 {
2371 if ((colorspace->flags & PNG_COLORSPACE_INVALID) != 0)
2372 return 0;
2373
2374 if (png_icc_check_length(png_ptr, colorspace, name, profile_length) != 0 &&
2375 png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2376 color_type) != 0 &&
2377 png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2378 profile) != 0)
2379 {
2380 # ifdef PNG_sRGB_SUPPORTED
2381 /* If no sRGB support, don't try storing sRGB information */
2382 png_icc_set_sRGB(png_ptr, colorspace, profile, 0);
2383 # endif
2384 return 1;
2385 }
2386
2387 /* Failure case */
2388 return 0;
2389 }
2390 #endif /* iCCP */
2391
2392 #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2393 void /* PRIVATE */
2394 png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2395 {
2396 /* Set the rgb_to_gray coefficients from the colorspace. */
2397 if (png_ptr->rgb_to_gray_coefficients_set == 0 &&
2398 (png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0)
2399 {
2400 /* png_set_background has not been called, get the coefficients from the Y
2401 * values of the colorspace colorants.
2402 */
2403 png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2404 png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2405 png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2406 png_fixed_point total = r+g+b;
2407
2408 if (total > 0 &&
2409 r >= 0 && png_muldiv(&r, r, 32768, total) && r >= 0 && r <= 32768 &&
2410 g >= 0 && png_muldiv(&g, g, 32768, total) && g >= 0 && g <= 32768 &&
2411 b >= 0 && png_muldiv(&b, b, 32768, total) && b >= 0 && b <= 32768 &&
2412 r+g+b <= 32769)
2413 {
2414 /* We allow 0 coefficients here. r+g+b may be 32769 if two or
2415 * all of the coefficients were rounded up. Handle this by
2416 * reducing the *largest* coefficient by 1; this matches the
2417 * approach used for the default coefficients in pngrtran.c
2418 */
2419 int add = 0;
2420
2421 if (r+g+b > 32768)
2422 add = -1;
2423 else if (r+g+b < 32768)
2424 add = 1;
2425
2426 if (add != 0)
2427 {
2428 if (g >= r && g >= b)
2429 g += add;
2430 else if (r >= g && r >= b)
2431 r += add;
2432 else
2433 b += add;
2434 }
2435
2436 /* Check for an internal error. */
2437 if (r+g+b != 32768)
2438 png_error(png_ptr,
2439 "internal error handling cHRM coefficients");
2440
2441 else
2442 {
2443 png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r;
2444 png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2445 }
2446 }
2447
2448 /* This is a png_error at present even though it could be ignored -
2449 * it should never happen, but it is important that if it does, the
2450 * bug is fixed.
2451 */
2452 else
2453 png_error(png_ptr, "internal error handling cHRM->XYZ");
2454 }
2455 }
2456 #endif /* READ_RGB_TO_GRAY */
2457
2458 #endif /* COLORSPACE */
2459
2460 #ifdef __GNUC__
2461 /* This exists solely to work round a warning from GNU C. */
2462 static int /* PRIVATE */
2463 png_gt(size_t a, size_t b)
2464 {
2465 return a > b;
2466 }
2467 #else
2468 # define png_gt(a,b) ((a) > (b))
2469 #endif
2470
2471 void /* PRIVATE */
2472 png_check_IHDR(png_const_structrp png_ptr,
2473 png_uint_32 width, png_uint_32 height, int bit_depth,
2474 int color_type, int interlace_type, int compression_type,
2475 int filter_type)
2476 {
2477 int error = 0;
2478
2479 /* Check for width and height valid values */
2480 if (width == 0)
2481 {
2482 png_warning(png_ptr, "Image width is zero in IHDR");
2483 error = 1;
2484 }
2485
2486 if (width > PNG_UINT_31_MAX)
2487 {
2488 png_warning(png_ptr, "Invalid image width in IHDR");
2489 error = 1;
2490 }
2491
2492 if (png_gt(((width + 7) & (~7)),
2493 ((PNG_SIZE_MAX
2494 - 48 /* big_row_buf hack */
2495 - 1) /* filter byte */
2496 / 8) /* 8-byte RGBA pixels */
2497 - 1)) /* extra max_pixel_depth pad */
2498 {
2499 /* The size of the row must be within the limits of this architecture.
2500 * Because the read code can perform arbitrary transformations the
2501 * maximum size is checked here. Because the code in png_read_start_row
2502 * adds extra space "for safety's sake" in several places a conservative
2503 * limit is used here.
2504 *
2505 * NOTE: it would be far better to check the size that is actually used,
2506 * but the effect in the real world is minor and the changes are more
2507 * extensive, therefore much more dangerous and much more difficult to
2508 * write in a way that avoids compiler warnings.
2509 */
2510 png_warning(png_ptr, "Image width is too large for this architecture");
2511 error = 1;
2512 }
2513
2514 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2515 if (width > png_ptr->user_width_max)
2516 #else
2517 if (width > PNG_USER_WIDTH_MAX)
2518 #endif
2519 {
2520 png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2521 error = 1;
2522 }
2523
2524 if (height == 0)
2525 {
2526 png_warning(png_ptr, "Image height is zero in IHDR");
2527 error = 1;
2528 }
2529
2530 if (height > PNG_UINT_31_MAX)
2531 {
2532 png_warning(png_ptr, "Invalid image height in IHDR");
2533 error = 1;
2534 }
2535
2536 #ifdef PNG_SET_USER_LIMITS_SUPPORTED
2537 if (height > png_ptr->user_height_max)
2538 #else
2539 if (height > PNG_USER_HEIGHT_MAX)
2540 #endif
2541 {
2542 png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2543 error = 1;
2544 }
2545
2546 /* Check other values */
2547 if (bit_depth != 1 && bit_depth != 2 && bit_depth != 4 &&
2548 bit_depth != 8 && bit_depth != 16)
2549 {
2550 png_warning(png_ptr, "Invalid bit depth in IHDR");
2551 error = 1;
2552 }
2553
2554 if (color_type < 0 || color_type == 1 ||
2555 color_type == 5 || color_type > 6)
2556 {
2557 png_warning(png_ptr, "Invalid color type in IHDR");
2558 error = 1;
2559 }
2560
2561 if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > 8) ||
2562 ((color_type == PNG_COLOR_TYPE_RGB ||
2563 color_type == PNG_COLOR_TYPE_GRAY_ALPHA ||
2564 color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < 8))
2565 {
2566 png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2567 error = 1;
2568 }
2569
2570 if (interlace_type >= PNG_INTERLACE_LAST)
2571 {
2572 png_warning(png_ptr, "Unknown interlace method in IHDR");
2573 error = 1;
2574 }
2575
2576 if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2577 {
2578 png_warning(png_ptr, "Unknown compression method in IHDR");
2579 error = 1;
2580 }
2581
2582 #ifdef PNG_MNG_FEATURES_SUPPORTED
2583 /* Accept filter_method 64 (intrapixel differencing) only if
2584 * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2585 * 2. Libpng did not read a PNG signature (this filter_method is only
2586 * used in PNG datastreams that are embedded in MNG datastreams) and
2587 * 3. The application called png_permit_mng_features with a mask that
2588 * included PNG_FLAG_MNG_FILTER_64 and
2589 * 4. The filter_method is 64 and
2590 * 5. The color_type is RGB or RGBA
2591 */
2592 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 &&
2593 png_ptr->mng_features_permitted != 0)
2594 png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2595
2596 if (filter_type != PNG_FILTER_TYPE_BASE)
2597 {
2598 if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != 0 &&
2599 (filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2600 ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == 0) &&
2601 (color_type == PNG_COLOR_TYPE_RGB ||
2602 color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2603 {
2604 png_warning(png_ptr, "Unknown filter method in IHDR");
2605 error = 1;
2606 }
2607
2608 if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0)
2609 {
2610 png_warning(png_ptr, "Invalid filter method in IHDR");
2611 error = 1;
2612 }
2613 }
2614
2615 #else
2616 if (filter_type != PNG_FILTER_TYPE_BASE)
2617 {
2618 png_warning(png_ptr, "Unknown filter method in IHDR");
2619 error = 1;
2620 }
2621 #endif
2622
2623 if (error == 1)
2624 png_error(png_ptr, "Invalid IHDR data");
2625 }
2626
2627 #if defined(PNG_sCAL_SUPPORTED) || defined(PNG_pCAL_SUPPORTED)
2628 /* ASCII to fp functions */
2629 /* Check an ASCII formated floating point value, see the more detailed
2630 * comments in pngpriv.h
2631 */
2632 /* The following is used internally to preserve the sticky flags */
2633 #define png_fp_add(state, flags) ((state) |= (flags))
2634 #define png_fp_set(state, value) ((state) = (value) | ((state) & PNG_FP_STICKY))
2635
2636 int /* PRIVATE */
2637 png_check_fp_number(png_const_charp string, png_size_t size, int *statep,
2638 png_size_tp whereami)
2639 {
2640 int state = *statep;
2641 png_size_t i = *whereami;
2642
2643 while (i < size)
2644 {
2645 int type;
2646 /* First find the type of the next character */
2647 switch (string[i])
2648 {
2649 case 43: type = PNG_FP_SAW_SIGN; break;
2650 case 45: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2651 case 46: type = PNG_FP_SAW_DOT; break;
2652 case 48: type = PNG_FP_SAW_DIGIT; break;
2653 case 49: case 50: case 51: case 52:
2654 case 53: case 54: case 55: case 56:
2655 case 57: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2656 case 69:
2657 case 101: type = PNG_FP_SAW_E; break;
2658 default: goto PNG_FP_End;
2659 }
2660
2661 /* Now deal with this type according to the current
2662 * state, the type is arranged to not overlap the
2663 * bits of the PNG_FP_STATE.
2664 */
2665 switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2666 {
2667 case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2668 if ((state & PNG_FP_SAW_ANY) != 0)
2669 goto PNG_FP_End; /* not a part of the number */
2670
2671 png_fp_add(state, type);
2672 break;
2673
2674 case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2675 /* Ok as trailer, ok as lead of fraction. */
2676 if ((state & PNG_FP_SAW_DOT) != 0) /* two dots */
2677 goto PNG_FP_End;
2678
2679 else if ((state & PNG_FP_SAW_DIGIT) != 0) /* trailing dot? */
2680 png_fp_add(state, type);
2681
2682 else
2683 png_fp_set(state, PNG_FP_FRACTION | type);
2684
2685 break;
2686
2687 case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2688 if ((state & PNG_FP_SAW_DOT) != 0) /* delayed fraction */
2689 png_fp_set(state, PNG_FP_FRACTION | PNG_FP_SAW_DOT);
2690
2691 png_fp_add(state, type | PNG_FP_WAS_VALID);
2692
2693 break;
2694
2695 case PNG_FP_INTEGER + PNG_FP_SAW_E:
2696 if ((state & PNG_FP_SAW_DIGIT) == 0)
2697 goto PNG_FP_End;
2698
2699 png_fp_set(state, PNG_FP_EXPONENT);
2700
2701 break;
2702
2703 /* case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:
2704 goto PNG_FP_End; ** no sign in fraction */
2705
2706 /* case PNG_FP_FRACTION + PNG_FP_SAW_DOT:
2707 goto PNG_FP_End; ** Because SAW_DOT is always set */
2708
2709 case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2710 png_fp_add(state, type | PNG_FP_WAS_VALID);
2711 break;
2712
2713 case PNG_FP_FRACTION + PNG_FP_SAW_E:
2714 /* This is correct because the trailing '.' on an
2715 * integer is handled above - so we can only get here
2716 * with the sequence ".E" (with no preceding digits).
2717 */
2718 if ((state & PNG_FP_SAW_DIGIT) == 0)
2719 goto PNG_FP_End;
2720
2721 png_fp_set(state, PNG_FP_EXPONENT);
2722
2723 break;
2724
2725 case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2726 if ((state & PNG_FP_SAW_ANY) != 0)
2727 goto PNG_FP_End; /* not a part of the number */
2728
2729 png_fp_add(state, PNG_FP_SAW_SIGN);
2730
2731 break;
2732
2733 /* case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:
2734 goto PNG_FP_End; */
2735
2736 case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2737 png_fp_add(state, PNG_FP_SAW_DIGIT | PNG_FP_WAS_VALID);
2738
2739 break;
2740
2741 /* case PNG_FP_EXPONEXT + PNG_FP_SAW_E:
2742 goto PNG_FP_End; */
2743
2744 default: goto PNG_FP_End; /* I.e. break 2 */
2745 }
2746
2747 /* The character seems ok, continue. */
2748 ++i;
2749 }
2750
2751 PNG_FP_End:
2752 /* Here at the end, update the state and return the correct
2753 * return code.
2754 */
2755 *statep = state;
2756 *whereami = i;
2757
2758 return (state & PNG_FP_SAW_DIGIT) != 0;
2759 }
2760
2761
2762 /* The same but for a complete string. */
2763 int
2764 png_check_fp_string(png_const_charp string, png_size_t size)
2765 {
2766 int state=0;
2767 png_size_t char_index=0;
2768
2769 if (png_check_fp_number(string, size, &state, &char_index) != 0 &&
2770 (char_index == size || string[char_index] == 0))
2771 return state /* must be non-zero - see above */;
2772
2773 return 0; /* i.e. fail */
2774 }
2775 #endif /* pCAL || sCAL */
2776
2777 #ifdef PNG_sCAL_SUPPORTED
2778 # ifdef PNG_FLOATING_POINT_SUPPORTED
2779 /* Utility used below - a simple accurate power of ten from an integral
2780 * exponent.
2781 */
2782 static double
2783 png_pow10(int power)
2784 {
2785 int recip = 0;
2786 double d = 1;
2787
2788 /* Handle negative exponent with a reciprocal at the end because
2789 * 10 is exact whereas .1 is inexact in base 2
2790 */
2791 if (power < 0)
2792 {
2793 if (power < DBL_MIN_10_EXP) return 0;
2794 recip = 1, power = -power;
2795 }
2796
2797 if (power > 0)
2798 {
2799 /* Decompose power bitwise. */
2800 double mult = 10;
2801 do
2802 {
2803 if (power & 1) d *= mult;
2804 mult *= mult;
2805 power >>= 1;
2806 }
2807 while (power > 0);
2808
2809 if (recip != 0) d = 1/d;
2810 }
2811 /* else power is 0 and d is 1 */
2812
2813 return d;
2814 }
2815
2816 /* Function to format a floating point value in ASCII with a given
2817 * precision.
2818 */
2819 void /* PRIVATE */
2820 png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, png_size_t size,
2821 double fp, unsigned int precision)
2822 {
2823 /* We use standard functions from math.h, but not printf because
2824 * that would require stdio. The caller must supply a buffer of
2825 * sufficient size or we will png_error. The tests on size and
2826 * the space in ascii[] consumed are indicated below.
2827 */
2828 if (precision < 1)
2829 precision = DBL_DIG;
2830
2831 /* Enforce the limit of the implementation precision too. */
2832 if (precision > DBL_DIG+1)
2833 precision = DBL_DIG+1;
2834
2835 /* Basic sanity checks */
2836 if (size >= precision+5) /* See the requirements below. */
2837 {
2838 if (fp < 0)
2839 {
2840 fp = -fp;
2841 *ascii++ = 45; /* '-' PLUS 1 TOTAL 1 */
2842 --size;
2843 }
2844
2845 if (fp >= DBL_MIN && fp <= DBL_MAX)
2846 {
2847 int exp_b10; /* A base 10 exponent */
2848 double base; /* 10^exp_b10 */
2849
2850 /* First extract a base 10 exponent of the number,
2851 * the calculation below rounds down when converting
2852 * from base 2 to base 10 (multiply by log10(2) -
2853 * 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2854 * be increased. Note that the arithmetic shift
2855 * performs a floor() unlike C arithmetic - using a
2856 * C multiply would break the following for negative
2857 * exponents.
2858 */
2859 (void)frexp(fp, &exp_b10); /* exponent to base 2 */
2860
2861 exp_b10 = (exp_b10 * 77) >> 8; /* <= exponent to base 10 */
2862
2863 /* Avoid underflow here. */
2864 base = png_pow10(exp_b10); /* May underflow */
2865
2866 while (base < DBL_MIN || base < fp)
2867 {
2868 /* And this may overflow. */
2869 double test = png_pow10(exp_b10+1);
2870
2871 if (test <= DBL_MAX)
2872 ++exp_b10, base = test;
2873
2874 else
2875 break;
2876 }
2877
2878 /* Normalize fp and correct exp_b10, after this fp is in the
2879 * range [.1,1) and exp_b10 is both the exponent and the digit
2880 * *before* which the decimal point should be inserted
2881 * (starting with 0 for the first digit). Note that this
2882 * works even if 10^exp_b10 is out of range because of the
2883 * test on DBL_MAX above.
2884 */
2885 fp /= base;
2886 while (fp >= 1) fp /= 10, ++exp_b10;
2887
2888 /* Because of the code above fp may, at this point, be
2889 * less than .1, this is ok because the code below can
2890 * handle the leading zeros this generates, so no attempt
2891 * is made to correct that here.
2892 */
2893
2894 {
2895 unsigned int czero, clead, cdigits;
2896 char exponent[10];
2897
2898 /* Allow up to two leading zeros - this will not lengthen
2899 * the number compared to using E-n.
2900 */
2901 if (exp_b10 < 0 && exp_b10 > -3) /* PLUS 3 TOTAL 4 */
2902 {
2903 czero = -exp_b10; /* PLUS 2 digits: TOTAL 3 */
2904 exp_b10 = 0; /* Dot added below before first output. */
2905 }
2906 else
2907 czero = 0; /* No zeros to add */
2908
2909 /* Generate the digit list, stripping trailing zeros and
2910 * inserting a '.' before a digit if the exponent is 0.
2911 */
2912 clead = czero; /* Count of leading zeros */
2913 cdigits = 0; /* Count of digits in list. */
2914
2915 do
2916 {
2917 double d;
2918
2919 fp *= 10;
2920 /* Use modf here, not floor and subtract, so that
2921 * the separation is done in one step. At the end
2922 * of the loop don't break the number into parts so
2923 * that the final digit is rounded.
2924 */
2925 if (cdigits+czero+1 < precision+clead)
2926 fp = modf(fp, &d);
2927
2928 else
2929 {
2930 d = floor(fp + .5);
2931
2932 if (d > 9)
2933 {
2934 /* Rounding up to 10, handle that here. */
2935 if (czero > 0)
2936 {
2937 --czero, d = 1;
2938 if (cdigits == 0) --clead;
2939 }
2940 else
2941 {
2942 while (cdigits > 0 && d > 9)
2943 {
2944 int ch = *--ascii;
2945
2946 if (exp_b10 != (-1))
2947 ++exp_b10;
2948
2949 else if (ch == 46)
2950 {
2951 ch = *--ascii, ++size;
2952 /* Advance exp_b10 to '1', so that the
2953 * decimal point happens after the
2954 * previous digit.
2955 */
2956 exp_b10 = 1;
2957 }
2958
2959 --cdigits;
2960 d = ch - 47; /* I.e. 1+(ch-48) */
2961 }
2962
2963 /* Did we reach the beginning? If so adjust the
2964 * exponent but take into account the leading
2965 * decimal point.
2966 */
2967 if (d > 9) /* cdigits == 0 */
2968 {
2969 if (exp_b10 == (-1))
2970 {
2971 /* Leading decimal point (plus zeros?), if
2972 * we lose the decimal point here it must
2973 * be reentered below.
2974 */
2975 int ch = *--ascii;
2976
2977 if (ch == 46)
2978 ++size, exp_b10 = 1;
2979
2980 /* Else lost a leading zero, so 'exp_b10' is
2981 * still ok at (-1)
2982 */
2983 }
2984 else
2985 ++exp_b10;
2986
2987 /* In all cases we output a '1' */
2988 d = 1;
2989 }
2990 }
2991 }
2992 fp = 0; /* Guarantees termination below. */
2993 }
2994
2995 if (d == 0)
2996 {
2997 ++czero;
2998 if (cdigits == 0) ++clead;
2999 }
3000 else
3001 {
3002 /* Included embedded zeros in the digit count. */
3003 cdigits += czero - clead;
3004 clead = 0;
3005
3006 while (czero > 0)
3007 {
3008 /* exp_b10 == (-1) means we just output the decimal
3009 * place - after the DP don't adjust 'exp_b10' any
3010 * more!
3011 */
3012 if (exp_b10 != (-1))
3013 {
3014 if (exp_b10 == 0) *ascii++ = 46, --size;
3015 /* PLUS 1: TOTAL 4 */
3016 --exp_b10;
3017 }
3018 *ascii++ = 48, --czero;
3019 }
3020
3021 if (exp_b10 != (-1))
3022 {
3023 if (exp_b10 == 0)
3024 *ascii++ = 46, --size; /* counted above */
3025
3026 --exp_b10;
3027 }
3028 *ascii++ = (char)(48 + (int)d), ++cdigits;
3029 }
3030 }
3031 while (cdigits+czero < precision+clead && fp > DBL_MIN);
3032
3033 /* The total output count (max) is now 4+precision */
3034
3035 /* Check for an exponent, if we don't need one we are
3036 * done and just need to terminate the string. At
3037 * this point exp_b10==(-1) is effectively if flag - it got
3038 * to '-1' because of the decrement after outputting
3039 * the decimal point above (the exponent required is
3040 * *not* -1!)
3041 */
3042 if (exp_b10 >= (-1) && exp_b10 <= 2)
3043 {
3044 /* The following only happens if we didn't output the
3045 * leading zeros above for negative exponent, so this
3046 * doesn't add to the digit requirement. Note that the
3047 * two zeros here can only be output if the two leading
3048 * zeros were *not* output, so this doesn't increase
3049 * the output count.
3050 */
3051 while (--exp_b10 >= 0) *ascii++ = 48;
3052
3053 *ascii = 0;
3054
3055 /* Total buffer requirement (including the '\0') is
3056 * 5+precision - see check at the start.
3057 */
3058 return;
3059 }
3060
3061 /* Here if an exponent is required, adjust size for
3062 * the digits we output but did not count. The total
3063 * digit output here so far is at most 1+precision - no
3064 * decimal point and no leading or trailing zeros have
3065 * been output.
3066 */
3067 size -= cdigits;
3068
3069 *ascii++ = 69, --size; /* 'E': PLUS 1 TOTAL 2+precision */
3070
3071 /* The following use of an unsigned temporary avoids ambiguities in
3072 * the signed arithmetic on exp_b10 and permits GCC at least to do
3073 * better optimization.
3074 */
3075 {
3076 unsigned int uexp_b10;
3077
3078 if (exp_b10 < 0)
3079 {
3080 *ascii++ = 45, --size; /* '-': PLUS 1 TOTAL 3+precision */
3081 uexp_b10 = -exp_b10;
3082 }
3083
3084 else
3085 uexp_b10 = exp_b10;
3086
3087 cdigits = 0;
3088
3089 while (uexp_b10 > 0)
3090 {
3091 exponent[cdigits++] = (char)(48 + uexp_b10 % 10);
3092 uexp_b10 /= 10;
3093 }
3094 }
3095
3096 /* Need another size check here for the exponent digits, so
3097 * this need not be considered above.
3098 */
3099 if (size > cdigits)
3100 {
3101 while (cdigits > 0) *ascii++ = exponent[--cdigits];
3102
3103 *ascii = 0;
3104
3105 return;
3106 }
3107 }
3108 }
3109 else if (!(fp >= DBL_MIN))
3110 {
3111 *ascii++ = 48; /* '0' */
3112 *ascii = 0;
3113 return;
3114 }
3115 else
3116 {
3117 *ascii++ = 105; /* 'i' */
3118 *ascii++ = 110; /* 'n' */
3119 *ascii++ = 102; /* 'f' */
3120 *ascii = 0;
3121 return;
3122 }
3123 }
3124
3125 /* Here on buffer too small. */
3126 png_error(png_ptr, "ASCII conversion buffer too small");
3127 }
3128
3129 # endif /* FLOATING_POINT */
3130
3131 # ifdef PNG_FIXED_POINT_SUPPORTED
3132 /* Function to format a fixed point value in ASCII.
3133 */
3134 void /* PRIVATE */
3135 png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3136 png_size_t size, png_fixed_point fp)
3137 {
3138 /* Require space for 10 decimal digits, a decimal point, a minus sign and a
3139 * trailing \0, 13 characters:
3140 */
3141 if (size > 12)
3142 {
3143 png_uint_32 num;
3144
3145 /* Avoid overflow here on the minimum integer. */
3146 if (fp < 0)
3147 *ascii++ = 45, --size, num = -fp;
3148 else
3149 num = fp;
3150
3151 if (num <= 0x80000000) /* else overflowed */
3152 {
3153 unsigned int ndigits = 0, first = 16 /* flag value */;
3154 char digits[10];
3155
3156 while (num)
3157 {
3158 /* Split the low digit off num: */
3159 unsigned int tmp = num/10;
3160 num -= tmp*10;
3161 digits[ndigits++] = (char)(48 + num);
3162 /* Record the first non-zero digit, note that this is a number
3163 * starting at 1, it's not actually the array index.
3164 */
3165 if (first == 16 && num > 0)
3166 first = ndigits;
3167 num = tmp;
3168 }
3169
3170 if (ndigits > 0)
3171 {
3172 while (ndigits > 5) *ascii++ = digits[--ndigits];
3173 /* The remaining digits are fractional digits, ndigits is '5' or
3174 * smaller at this point. It is certainly not zero. Check for a
3175 * non-zero fractional digit:
3176 */
3177 if (first <= 5)
3178 {
3179 unsigned int i;
3180 *ascii++ = 46; /* decimal point */
3181 /* ndigits may be <5 for small numbers, output leading zeros
3182 * then ndigits digits to first:
3183 */
3184 i = 5;
3185 while (ndigits < i) *ascii++ = 48, --i;
3186 while (ndigits >= first) *ascii++ = digits[--ndigits];
3187 /* Don't output the trailing zeros! */
3188 }
3189 }
3190 else
3191 *ascii++ = 48;
3192
3193 /* And null terminate the string: */
3194 *ascii = 0;
3195 return;
3196 }
3197 }
3198
3199 /* Here on buffer too small. */
3200 png_error(png_ptr, "ASCII conversion buffer too small");
3201 }
3202 # endif /* FIXED_POINT */
3203 #endif /* SCAL */
3204
3205 #if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3206 !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3207 (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
3208 defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
3209 defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
3210 (defined(PNG_sCAL_SUPPORTED) && \
3211 defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3212 png_fixed_point
3213 png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3214 {
3215 double r = floor(100000 * fp + .5);
3216
3217 if (r > 2147483647. || r < -2147483648.)
3218 png_fixed_error(png_ptr, text);
3219
3220 # ifndef PNG_ERROR_TEXT_SUPPORTED
3221 PNG_UNUSED(text)
3222 # endif
3223
3224 return (png_fixed_point)r;
3225 }
3226 #endif
3227
3228 #if defined(PNG_GAMMA_SUPPORTED) || defined(PNG_COLORSPACE_SUPPORTED) ||\
3229 defined(PNG_INCH_CONVERSIONS_SUPPORTED) || defined(PNG_READ_pHYs_SUPPORTED)
3230 /* muldiv functions */
3231 /* This API takes signed arguments and rounds the result to the nearest
3232 * integer (or, for a fixed point number - the standard argument - to
3233 * the nearest .00001). Overflow and divide by zero are signalled in
3234 * the result, a boolean - true on success, false on overflow.
3235 */
3236 int
3237 png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3238 png_int_32 divisor)
3239 {
3240 /* Return a * times / divisor, rounded. */
3241 if (divisor != 0)
3242 {
3243 if (a == 0 || times == 0)
3244 {
3245 *res = 0;
3246 return 1;
3247 }
3248 else
3249 {
3250 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3251 double r = a;
3252 r *= times;
3253 r /= divisor;
3254 r = floor(r+.5);
3255
3256 /* A png_fixed_point is a 32-bit integer. */
3257 if (r <= 2147483647. && r >= -2147483648.)
3258 {
3259 *res = (png_fixed_point)r;
3260 return 1;
3261 }
3262 #else
3263 int negative = 0;
3264 png_uint_32 A, T, D;
3265 png_uint_32 s16, s32, s00;
3266
3267 if (a < 0)
3268 negative = 1, A = -a;
3269 else
3270 A = a;
3271
3272 if (times < 0)
3273 negative = !negative, T = -times;
3274 else
3275 T = times;
3276
3277 if (divisor < 0)
3278 negative = !negative, D = -divisor;
3279 else
3280 D = divisor;
3281
3282 /* Following can't overflow because the arguments only
3283 * have 31 bits each, however the result may be 32 bits.
3284 */
3285 s16 = (A >> 16) * (T & 0xffff) +
3286 (A & 0xffff) * (T >> 16);
3287 /* Can't overflow because the a*times bit is only 30
3288 * bits at most.
3289 */
3290 s32 = (A >> 16) * (T >> 16) + (s16 >> 16);
3291 s00 = (A & 0xffff) * (T & 0xffff);
3292
3293 s16 = (s16 & 0xffff) << 16;
3294 s00 += s16;
3295
3296 if (s00 < s16)
3297 ++s32; /* carry */
3298
3299 if (s32 < D) /* else overflow */
3300 {
3301 /* s32.s00 is now the 64-bit product, do a standard
3302 * division, we know that s32 < D, so the maximum
3303 * required shift is 31.
3304 */
3305 int bitshift = 32;
3306 png_fixed_point result = 0; /* NOTE: signed */
3307
3308 while (--bitshift >= 0)
3309 {
3310 png_uint_32 d32, d00;
3311
3312 if (bitshift > 0)
3313 d32 = D >> (32-bitshift), d00 = D << bitshift;
3314
3315 else
3316 d32 = 0, d00 = D;
3317
3318 if (s32 > d32)
3319 {
3320 if (s00 < d00) --s32; /* carry */
3321 s32 -= d32, s00 -= d00, result += 1<<bitshift;
3322 }
3323
3324 else
3325 if (s32 == d32 && s00 >= d00)
3326 s32 = 0, s00 -= d00, result += 1<<bitshift;
3327 }
3328
3329 /* Handle the rounding. */
3330 if (s00 >= (D >> 1))
3331 ++result;
3332
3333 if (negative != 0)
3334 result = -result;
3335
3336 /* Check for overflow. */
3337 if ((negative != 0 && result <= 0) ||
3338 (negative == 0 && result >= 0))
3339 {
3340 *res = result;
3341 return 1;
3342 }
3343 }
3344 #endif
3345 }
3346 }
3347
3348 return 0;
3349 }
3350 #endif /* READ_GAMMA || INCH_CONVERSIONS */
3351
3352 #if defined(PNG_READ_GAMMA_SUPPORTED) || defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3353 /* The following is for when the caller doesn't much care about the
3354 * result.
3355 */
3356 png_fixed_point
3357 png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3358 png_int_32 divisor)
3359 {
3360 png_fixed_point result;
3361
3362 if (png_muldiv(&result, a, times, divisor) != 0)
3363 return result;
3364
3365 png_warning(png_ptr, "fixed point overflow ignored");
3366 return 0;
3367 }
3368 #endif
3369
3370 #ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3371 /* Calculate a reciprocal, return 0 on div-by-zero or overflow. */
3372 png_fixed_point
3373 png_reciprocal(png_fixed_point a)
3374 {
3375 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3376 double r = floor(1E10/a+.5);
3377
3378 if (r <= 2147483647. && r >= -2147483648.)
3379 return (png_fixed_point)r;
3380 #else
3381 png_fixed_point res;
3382
3383 if (png_muldiv(&res, 100000, 100000, a) != 0)
3384 return res;
3385 #endif
3386
3387 return 0; /* error/overflow */
3388 }
3389
3390 /* This is the shared test on whether a gamma value is 'significant' - whether
3391 * it is worth doing gamma correction.
3392 */
3393 int /* PRIVATE */
3394 png_gamma_significant(png_fixed_point gamma_val)
3395 {
3396 return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED ||
3397 gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3398 }
3399 #endif
3400
3401 #ifdef PNG_READ_GAMMA_SUPPORTED
3402 #ifdef PNG_16BIT_SUPPORTED
3403 /* A local convenience routine. */
3404 static png_fixed_point
3405 png_product2(png_fixed_point a, png_fixed_point b)
3406 {
3407 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3408 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3409 double r = a * 1E-5;
3410 r *= b;
3411 r = floor(r+.5);
3412
3413 if (r <= 2147483647. && r >= -2147483648.)
3414 return (png_fixed_point)r;
3415 #else
3416 png_fixed_point res;
3417
3418 if (png_muldiv(&res, a, b, 100000) != 0)
3419 return res;
3420 #endif
3421
3422 return 0; /* overflow */
3423 }
3424 #endif /* 16BIT */
3425
3426 /* The inverse of the above. */
3427 png_fixed_point
3428 png_reciprocal2(png_fixed_point a, png_fixed_point b)
3429 {
3430 /* The required result is 1/a * 1/b; the following preserves accuracy. */
3431 #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3432 if (a != 0 && b != 0)
3433 {
3434 double r = 1E15/a;
3435 r /= b;
3436 r = floor(r+.5);
3437
3438 if (r <= 2147483647. && r >= -2147483648.)
3439 return (png_fixed_point)r;
3440 }
3441 #else
3442 /* This may overflow because the range of png_fixed_point isn't symmetric,
3443 * but this API is only used for the product of file and screen gamma so it
3444 * doesn't matter that the smallest number it can produce is 1/21474, not
3445 * 1/100000
3446 */
3447 png_fixed_point res = png_product2(a, b);
3448
3449 if (res != 0)
3450 return png_reciprocal(res);
3451 #endif
3452
3453 return 0; /* overflow */
3454 }
3455 #endif /* READ_GAMMA */
3456
3457 #ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3458 #ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3459 /* Fixed point gamma.
3460 *
3461 * The code to calculate the tables used below can be found in the shell script
3462 * contrib/tools/intgamma.sh
3463 *
3464 * To calculate gamma this code implements fast log() and exp() calls using only
3465 * fixed point arithmetic. This code has sufficient precision for either 8-bit
3466 * or 16-bit sample values.
3467 *
3468 * The tables used here were calculated using simple 'bc' programs, but C double
3469 * precision floating point arithmetic would work fine.
3470 *
3471 * 8-bit log table
3472 * This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3473 * 255, so it's the base 2 logarithm of a normalized 8-bit floating point
3474 * mantissa. The numbers are 32-bit fractions.
3475 */
3476 static const png_uint_32
3477 png_8bit_l2[128] =
3478 {
3479 4270715492U, 4222494797U, 4174646467U, 4127164793U, 4080044201U, 4033279239U,
3480 3986864580U, 3940795015U, 3895065449U, 3849670902U, 3804606499U, 3759867474U,
3481 3715449162U, 3671346997U, 3627556511U, 3584073329U, 3540893168U, 3498011834U,
3482 3455425220U, 3413129301U, 3371120137U, 3329393864U, 3287946700U, 3246774933U,
3483 3205874930U, 3165243125U, 3124876025U, 3084770202U, 3044922296U, 3005329011U,
3484 2965987113U, 2926893432U, 2888044853U, 2849438323U, 2811070844U, 2772939474U,
3485 2735041326U, 2697373562U, 2659933400U, 2622718104U, 2585724991U, 2548951424U,
3486 2512394810U, 2476052606U, 2439922311U, 2404001468U, 2368287663U, 2332778523U,
3487 2297471715U, 2262364947U, 2227455964U, 2192742551U, 2158222529U, 2123893754U,
3488 2089754119U, 2055801552U, 2022034013U, 1988449497U, 1955046031U, 1921821672U,
3489 1888774511U, 1855902668U, 1823204291U, 1790677560U, 1758320682U, 1726131893U,
3490 1694109454U, 1662251657U, 1630556815U, 1599023271U, 1567649391U, 1536433567U,
3491 1505374214U, 1474469770U, 1443718700U, 1413119487U, 1382670639U, 1352370686U,
3492 1322218179U, 1292211689U, 1262349810U, 1232631153U, 1203054352U, 1173618059U,
3493 1144320946U, 1115161701U, 1086139034U, 1057251672U, 1028498358U, 999877854U,
3494 971388940U, 943030410U, 914801076U, 886699767U, 858725327U, 830876614U,
3495 803152505U, 775551890U, 748073672U, 720716771U, 693480120U, 666362667U,
3496 639363374U, 612481215U, 585715177U, 559064263U, 532527486U, 506103872U,
3497 479792461U, 453592303U, 427502463U, 401522014U, 375650043U, 349885648U,
3498 324227938U, 298676034U, 273229066U, 247886176U, 222646516U, 197509248U,
3499 172473545U, 147538590U, 122703574U, 97967701U, 73330182U, 48790236U,
3500 24347096U, 0U
3501
3502 #if 0
3503 /* The following are the values for 16-bit tables - these work fine for the
3504 * 8-bit conversions but produce very slightly larger errors in the 16-bit
3505 * log (about 1.2 as opposed to 0.7 absolute error in the final value). To
3506 * use these all the shifts below must be adjusted appropriately.
3507 */
3508 65166, 64430, 63700, 62976, 62257, 61543, 60835, 60132, 59434, 58741, 58054,
3509 57371, 56693, 56020, 55352, 54689, 54030, 53375, 52726, 52080, 51439, 50803,
3510 50170, 49542, 48918, 48298, 47682, 47070, 46462, 45858, 45257, 44661, 44068,
3511 43479, 42894, 42312, 41733, 41159, 40587, 40020, 39455, 38894, 38336, 37782,
3512 37230, 36682, 36137, 35595, 35057, 34521, 33988, 33459, 32932, 32408, 31887,
3513 31369, 30854, 30341, 29832, 29325, 28820, 28319, 27820, 27324, 26830, 26339,
3514 25850, 25364, 24880, 24399, 23920, 23444, 22970, 22499, 22029, 21562, 21098,
3515 20636, 20175, 19718, 19262, 18808, 18357, 17908, 17461, 17016, 16573, 16132,
3516 15694, 15257, 14822, 14390, 13959, 13530, 13103, 12678, 12255, 11834, 11415,
3517 10997, 10582, 10168, 9756, 9346, 8937, 8531, 8126, 7723, 7321, 6921, 6523,
3518 6127, 5732, 5339, 4947, 4557, 4169, 3782, 3397, 3014, 2632, 2251, 1872, 1495,
3519 1119, 744, 372
3520 #endif
3521 };
3522
3523 static png_int_32
3524 png_log8bit(unsigned int x)
3525 {
3526 unsigned int lg2 = 0;
3527 /* Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,
3528 * because the log is actually negate that means adding 1. The final
3529 * returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3530 * input), return -1 for the overflow (log 0) case, - so the result is
3531 * always at most 19 bits.
3532 */
3533 if ((x &= 0xff) == 0)
3534 return -1;
3535
3536 if ((x & 0xf0) == 0)
3537 lg2 = 4, x <<= 4;
3538
3539 if ((x & 0xc0) == 0)
3540 lg2 += 2, x <<= 2;
3541
3542 if ((x & 0x80) == 0)
3543 lg2 += 1, x <<= 1;
3544
3545 /* result is at most 19 bits, so this cast is safe: */
3546 return (png_int_32)((lg2 << 16) + ((png_8bit_l2[x-128]+32768)>>16));
3547 }
3548
3549 /* The above gives exact (to 16 binary places) log2 values for 8-bit images,
3550 * for 16-bit images we use the most significant 8 bits of the 16-bit value to
3551 * get an approximation then multiply the approximation by a correction factor
3552 * determined by the remaining up to 8 bits. This requires an additional step
3553 * in the 16-bit case.
3554 *
3555 * We want log2(value/65535), we have log2(v'/255), where:
3556 *
3557 * value = v' * 256 + v''
3558 * = v' * f
3559 *
3560 * So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3561 * to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3562 * than 258. The final factor also needs to correct for the fact that our 8-bit
3563 * value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3564 *
3565 * This gives a final formula using a calculated value 'x' which is value/v' and
3566 * scaling by 65536 to match the above table:
3567 *
3568 * log2(x/257) * 65536
3569 *
3570 * Since these numbers are so close to '1' we can use simple linear
3571 * interpolation between the two end values 256/257 (result -368.61) and 258/257
3572 * (result 367.179). The values used below are scaled by a further 64 to give
3573 * 16-bit precision in the interpolation:
3574 *
3575 * Start (256): -23591
3576 * Zero (257): 0
3577 * End (258): 23499
3578 */
3579 #ifdef PNG_16BIT_SUPPORTED
3580 static png_int_32
3581 png_log16bit(png_uint_32 x)
3582 {
3583 unsigned int lg2 = 0;
3584
3585 /* As above, but now the input has 16 bits. */
3586 if ((x &= 0xffff) == 0)
3587 return -1;
3588
3589 if ((x & 0xff00) == 0)
3590 lg2 = 8, x <<= 8;
3591
3592 if ((x & 0xf000) == 0)
3593 lg2 += 4, x <<= 4;
3594
3595 if ((x & 0xc000) == 0)
3596 lg2 += 2, x <<= 2;
3597
3598 if ((x & 0x8000) == 0)
3599 lg2 += 1, x <<= 1;
3600
3601 /* Calculate the base logarithm from the top 8 bits as a 28-bit fractional
3602 * value.
3603 */
3604 lg2 <<= 28;
3605 lg2 += (png_8bit_l2[(x>>8)-128]+8) >> 4;
3606
3607 /* Now we need to interpolate the factor, this requires a division by the top
3608 * 8 bits. Do this with maximum precision.
3609 */
3610 x = ((x << 16) + (x >> 9)) / (x >> 8);
3611
3612 /* Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,
3613 * the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3614 * 16 bits to interpolate to get the low bits of the result. Round the
3615 * answer. Note that the end point values are scaled by 64 to retain overall
3616 * precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3617 * the overall scaling by 6-12. Round at every step.
3618 */
3619 x -= 1U << 24;
3620
3621 if (x <= 65536U) /* <= '257' */
3622 lg2 += ((23591U * (65536U-x)) + (1U << (16+6-12-1))) >> (16+6-12);
3623
3624 else
3625 lg2 -= ((23499U * (x-65536U)) + (1U << (16+6-12-1))) >> (16+6-12);
3626
3627 /* Safe, because the result can't have more than 20 bits: */
3628 return (png_int_32)((lg2 + 2048) >> 12);
3629 }
3630 #endif /* 16BIT */
3631
3632 /* The 'exp()' case must invert the above, taking a 20-bit fixed point
3633 * logarithmic value and returning a 16 or 8-bit number as appropriate. In
3634 * each case only the low 16 bits are relevant - the fraction - since the
3635 * integer bits (the top 4) simply determine a shift.
3636 *
3637 * The worst case is the 16-bit distinction between 65535 and 65534. This
3638 * requires perhaps spurious accuracy in the decoding of the logarithm to
3639 * distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance
3640 * of getting this accuracy in practice.
3641 *
3642 * To deal with this the following exp() function works out the exponent of the
3643 * frational part of the logarithm by using an accurate 32-bit value from the
3644 * top four fractional bits then multiplying in the remaining bits.
3645 */
3646 static const png_uint_32
3647 png_32bit_exp[16] =
3648 {
3649 /* NOTE: the first entry is deliberately set to the maximum 32-bit value. */
3650 4294967295U, 4112874773U, 3938502376U, 3771522796U, 3611622603U, 3458501653U,
3651 3311872529U, 3171459999U, 3037000500U, 2908241642U, 2784941738U, 2666869345U,
3652 2553802834U, 2445529972U, 2341847524U, 2242560872U
3653 };
3654
3655 /* Adjustment table; provided to explain the numbers in the code below. */
3656 #if 0
3657 for (i=11;i>=0;--i){ print i, " ", (1 - e(-(2^i)/65536*l(2))) * 2^(32-i), "\n"}
3658 11 44937.64284865548751208448
3659 10 45180.98734845585101160448
3660 9 45303.31936980687359311872
3661 8 45364.65110595323018870784
3662 7 45395.35850361789624614912
3663 6 45410.72259715102037508096
3664 5 45418.40724413220722311168
3665 4 45422.25021786898173001728
3666 3 45424.17186732298419044352
3667 2 45425.13273269940811464704
3668 1 45425.61317555035558641664
3669 0 45425.85339951654943850496
3670 #endif
3671
3672 static png_uint_32
3673 png_exp(png_fixed_point x)
3674 {
3675 if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */
3676 {
3677 /* Obtain a 4-bit approximation */
3678 png_uint_32 e = png_32bit_exp[(x >> 12) & 0xf];
3679
3680 /* Incorporate the low 12 bits - these decrease the returned value by
3681 * multiplying by a number less than 1 if the bit is set. The multiplier
3682 * is determined by the above table and the shift. Notice that the values
3683 * converge on 45426 and this is used to allow linear interpolation of the
3684 * low bits.
3685 */
3686 if (x & 0x800)
3687 e -= (((e >> 16) * 44938U) + 16U) >> 5;
3688
3689 if (x & 0x400)
3690 e -= (((e >> 16) * 45181U) + 32U) >> 6;
3691
3692 if (x & 0x200)
3693 e -= (((e >> 16) * 45303U) + 64U) >> 7;
3694
3695 if (x & 0x100)
3696 e -= (((e >> 16) * 45365U) + 128U) >> 8;
3697
3698 if (x & 0x080)
3699 e -= (((e >> 16) * 45395U) + 256U) >> 9;
3700
3701 if (x & 0x040)
3702 e -= (((e >> 16) * 45410U) + 512U) >> 10;
3703
3704 /* And handle the low 6 bits in a single block. */
3705 e -= (((e >> 16) * 355U * (x & 0x3fU)) + 256U) >> 9;
3706
3707 /* Handle the upper bits of x. */
3708 e >>= x >> 16;
3709 return e;
3710 }
3711
3712 /* Check for overflow */
3713 if (x <= 0)
3714 return png_32bit_exp[0];
3715
3716