1 /* pngfix.c 2 * 3 * Last changed in libpng 1.6.31 [July 27, 2017] 4 * Copyright (c) 2014-2017 John Cunningham Bowler 5 * 6 * This code is released under the libpng license. 7 * For conditions of distribution and use, see the disclaimer 8 * and license in png.h 9 * 10 * Tool to check and fix the zlib inflate 'too far back' problem. 11 * See the usage message for more information. 12 */ 13 #include <stdlib.h> 14 #include <stdio.h> 15 #include <string.h> 16 #include <ctype.h> 17 #include <limits.h> 18 #include <errno.h> 19 #include <assert.h> 20 21 #define implies(x,y) assert(!(x) || (y)) 22 23 #ifdef __GNUC__ 24 /* This is used to fix the error: 25 * 26 * pngfix.c: 27 * In function 'zlib_advance': 28 * pngfix.c:181:13: error: assuming signed overflow does not 29 * occur when simplifying conditional to constant [-Werror=strict-overflow] 30 */ 31 # define FIX_GCC volatile 32 #else 33 # define FIX_GCC 34 #endif 35 36 #define PROGRAM_NAME "pngfix" 37 38 /* Define the following to use this program against your installed libpng, 39 * rather than the one being built here: 40 */ 41 #ifdef PNG_FREESTANDING_TESTS 42 # include <png.h> 43 #else 44 # include "../../png.h" 45 #endif 46 47 #if PNG_LIBPNG_VER < 10603 /* 1.6.3 */ 48 # error "pngfix will not work with libpng prior to 1.6.3" 49 #endif 50 51 #ifdef PNG_SETJMP_SUPPORTED 52 #include <setjmp.h> 53 54 #if defined(PNG_READ_SUPPORTED) && defined(PNG_EASY_ACCESS_SUPPORTED) &&\ 55 (defined(PNG_READ_DEINTERLACE_SUPPORTED) ||\ 56 defined(PNG_READ_INTERLACING_SUPPORTED)) 57 58 /* zlib.h defines the structure z_stream, an instance of which is included 59 * in this structure and is required for decompressing the LZ compressed 60 * data in PNG files. 61 */ 62 #ifndef ZLIB_CONST 63 /* We must ensure that zlib uses 'const' in declarations. */ 64 # define ZLIB_CONST 65 #endif 66 #include <zlib.h> 67 #ifdef const 68 /* zlib.h sometimes #defines const to nothing, undo this. */ 69 # undef const 70 #endif 71 72 /* zlib.h has mediocre z_const use before 1.2.6, this stuff is for compatibility 73 * with older builds. 74 */ 75 #if ZLIB_VERNUM < 0x1260 76 # define PNGZ_MSG_CAST(s) constcast(char*,s) 77 # define PNGZ_INPUT_CAST(b) constcast(png_bytep,b) 78 #else 79 # define PNGZ_MSG_CAST(s) (s) 80 # define PNGZ_INPUT_CAST(b) (b) 81 #endif 82 83 #ifndef PNG_MAXIMUM_INFLATE_WINDOW 84 # error "pngfix not supported in this libpng version" 85 #endif 86 87 #if ZLIB_VERNUM >= 0x1240 88 89 /* Copied from pngpriv.h */ 90 #ifdef __cplusplus 91 # define voidcast(type, value) static_cast<type>(value) 92 # define constcast(type, value) const_cast<type>(value) 93 # define aligncast(type, value) \ 94 static_cast<type>(static_cast<void*>(value)) 95 # define aligncastconst(type, value) \ 96 static_cast<type>(static_cast<const void*>(value)) 97 #else 98 # define voidcast(type, value) (value) 99 # define constcast(type, value) ((type)(value)) 100 # define aligncast(type, value) ((void*)(value)) 101 # define aligncastconst(type, value) ((const void*)(value)) 102 #endif /* __cplusplus */ 103 104 #if PNG_LIBPNG_VER < 10700 105 /* Chunk tags (copied from pngpriv.h) */ 106 #define PNG_32b(b,s) ((png_uint_32)(b) << (s)) 107 #define PNG_U32(b1,b2,b3,b4) \ 108 (PNG_32b(b1,24) | PNG_32b(b2,16) | PNG_32b(b3,8) | PNG_32b(b4,0)) 109 110 /* Constants for known chunk types. */ 111 #define png_IDAT PNG_U32( 73, 68, 65, 84) 112 #define png_IEND PNG_U32( 73, 69, 78, 68) 113 #define png_IHDR PNG_U32( 73, 72, 68, 82) 114 #define png_PLTE PNG_U32( 80, 76, 84, 69) 115 #define png_bKGD PNG_U32( 98, 75, 71, 68) 116 #define png_cHRM PNG_U32( 99, 72, 82, 77) 117 #define png_fRAc PNG_U32(102, 82, 65, 99) /* registered, not defined */ 118 #define png_gAMA PNG_U32(103, 65, 77, 65) 119 #define png_gIFg PNG_U32(103, 73, 70, 103) 120 #define png_gIFt PNG_U32(103, 73, 70, 116) /* deprecated */ 121 #define png_gIFx PNG_U32(103, 73, 70, 120) 122 #define png_hIST PNG_U32(104, 73, 83, 84) 123 #define png_iCCP PNG_U32(105, 67, 67, 80) 124 #define png_iTXt PNG_U32(105, 84, 88, 116) 125 #define png_oFFs PNG_U32(111, 70, 70, 115) 126 #define png_pCAL PNG_U32(112, 67, 65, 76) 127 #define png_pHYs PNG_U32(112, 72, 89, 115) 128 #define png_sBIT PNG_U32(115, 66, 73, 84) 129 #define png_sCAL PNG_U32(115, 67, 65, 76) 130 #define png_sPLT PNG_U32(115, 80, 76, 84) 131 #define png_sRGB PNG_U32(115, 82, 71, 66) 132 #define png_sTER PNG_U32(115, 84, 69, 82) 133 #define png_tEXt PNG_U32(116, 69, 88, 116) 134 #define png_tIME PNG_U32(116, 73, 77, 69) 135 #define png_tRNS PNG_U32(116, 82, 78, 83) 136 #define png_zTXt PNG_U32(122, 84, 88, 116) 137 #endif 138 139 /* The 8-byte signature as a pair of 32-bit quantities */ 140 #define sig1 PNG_U32(137, 80, 78, 71) 141 #define sig2 PNG_U32( 13, 10, 26, 10) 142 143 /* Is the chunk critical? */ 144 #define CRITICAL(chunk) (((chunk) & PNG_U32(32,0,0,0)) == 0) 145 146 /* Is it safe to copy? */ 147 #define SAFE_TO_COPY(chunk) (((chunk) & PNG_U32(0,0,0,32)) != 0) 148 149 /* Fix ups for builds with limited read support */ 150 #ifndef PNG_ERROR_TEXT_SUPPORTED 151 # define png_error(a,b) png_err(a) 152 #endif 153 154 /********************************* UTILITIES **********************************/ 155 /* UNREACHED is a value to cause an assert to fail. Because of the way the 156 * assert macro is written the string "UNREACHED" is produced in the error 157 * message. 158 */ 159 #define UNREACHED 0 160 161 /* 80-bit number handling - a PNG image can be up to (2^31-1)x(2^31-1) 8-byte 162 * (16-bit RGBA) pixels in size; that's less than 2^65 bytes or 2^68 bits, so 163 * arithmetic of 80-bit numbers is sufficient. This representation uses an 164 * arbitrary length array of png_uint_16 digits (0..65535). The representation 165 * is little endian. 166 * 167 * The arithmetic functions take zero to two uarb values together with the 168 * number of digits in those values and write the result to the given uarb 169 * (always the first argument) returning the number of digits in the result. 170 * If the result is negative the return value is also negative (this would 171 * normally be an error). 172 */ 173 typedef png_uint_16 udigit; /* A 'unum' is an array of these */ 174 typedef png_uint_16p uarb; 175 typedef png_const_uint_16p uarbc; 176 177 #define UDIGITS(unum) ((sizeof unum)/(sizeof (udigit)) 178 /* IMPORTANT: only apply this to an array, applied to a pointer the result 179 * will typically be '2', which is not useful. 180 */ 181 182 static int 183 uarb_set(uarb result, png_alloc_size_t val) 184 /* Set (initialize) 'result' to 'val'. The size required for 'result' must 185 * be determined by the caller from a knowledge of the maximum for 'val'. 186 */ 187 { 188 int ndigits = 0; 189 190 while (val > 0) 191 { 192 result[ndigits++] = (png_uint_16)(val & 0xffff); 193 val >>= 16; 194 } 195 196 return ndigits; 197 } 198 199 static int 200 uarb_copy(uarb to, uarb from, int idigits) 201 /* Copy a uarb, may reduce the digit count */ 202 { 203 int d, odigits; 204 205 for (d=odigits=0; d<idigits; ++d) 206 if ((to[d] = from[d]) != 0) 207 odigits = d+1; 208 209 return odigits; 210 } 211 212 static int 213 uarb_inc(uarb num, int in_digits, png_int_32 add) 214 /* This is a signed 32-bit add, except that to avoid overflow the value added 215 * or subtracted must be no more than 2^31-65536. A negative result 216 * indicates a negative number (which is an error below). The size of 217 * 'num' should be max(in_digits+1,2) for arbitrary 'add' but can be just 218 * in_digits+1 if add is known to be in the range -65535..65535. 219 */ 220 { 221 FIX_GCC int out_digits = 0; 222 223 while (out_digits < in_digits) 224 { 225 add += num[out_digits]; 226 num[out_digits++] = (png_uint_16)(add & 0xffff); 227 add >>= 16; 228 } 229 230 while (add != 0 && add != (-1)) 231 { 232 num[out_digits++] = (png_uint_16)(add & 0xffff); 233 add >>= 16; 234 } 235 236 if (add == 0) 237 { 238 while (out_digits > 0 && num[out_digits-1] == 0) 239 --out_digits; 240 return out_digits; /* may be 0 */ 241 } 242 243 else /* negative result */ 244 { 245 while (out_digits > 1 && num[out_digits-1] == 0xffff) 246 --out_digits; 247 248 return -out_digits; 249 } 250 } 251 252 static int 253 uarb_add32(uarb num, int in_digits, png_uint_32 add) 254 /* As above but this works with any 32-bit value and only does 'add' */ 255 { 256 if (in_digits > 0) 257 { 258 in_digits = uarb_inc(num, in_digits, add & 0xffff); 259 return uarb_inc(num+1, in_digits-1, add >> 16)+1; 260 } 261 262 return uarb_set(num, add); 263 } 264 265 static int 266 uarb_mult_digit(uarb acc, int a_digits, uarb num, FIX_GCC int n_digits, 267 png_uint_16 val) 268 /* Primitive one-digit multiply - 'val' must be 0..65535. Note that this 269 * primitive is a multiply and accumulate - the result of *num * val is added 270 * to *acc. 271 * 272 * This is a one-digit multiply, so the product may be up to one digit longer 273 * than 'num', however the add to 'acc' means that the caller must ensure 274 * that 'acc' is at least one digit longer than this *and* at least one digit 275 * longer than the current length of 'acc'. (Or the caller must otherwise 276 * ensure 'adigits' is adequate from knowledge of the values.) 277 */ 278 { 279 /* The digits in *acc, *num and val are in the range 0..65535, so the 280 * result below is at most (65535*65535)+2*65635 = 65535*(65535+2), which is 281 * exactly 0xffffffff. 282 */ 283 if (val > 0 && n_digits > 0) /* Else the product is 0 */ 284 { 285 png_uint_32 carry = 0; 286 int out_digits = 0; 287 288 while (out_digits < n_digits || carry > 0) 289 { 290 if (out_digits < a_digits) 291 carry += acc[out_digits]; 292 293 if (out_digits < n_digits) 294 carry += (png_uint_32)num[out_digits] * val; 295 296 acc[out_digits++] = (png_uint_16)(carry & 0xffff); 297 carry >>= 16; 298 } 299 300 /* So carry is 0 and all the input digits have been consumed. This means 301 * that it is possible to skip any remaining digits in acc. 302 */ 303 if (out_digits > a_digits) 304 return out_digits; 305 } 306 307 return a_digits; 308 } 309 310 static int 311 uarb_mult32(uarb acc, int a_digits, uarb num, int n_digits, png_uint_32 val) 312 /* calculate acc += num * val, 'val' may be any 32-bit value, 'acc' and 'num' 313 * may be any value, returns the number of digits in 'acc'. 314 */ 315 { 316 if (n_digits > 0 && val > 0) 317 { 318 a_digits = uarb_mult_digit(acc, a_digits, num, n_digits, 319 (png_uint_16)(val & 0xffff)); 320 321 val >>= 16; 322 if (val > 0) 323 a_digits = uarb_mult_digit(acc+1, a_digits-1, num, n_digits, 324 (png_uint_16)val) + 1; 325 326 /* Because n_digits and val are >0 the following must be true: */ 327 assert(a_digits > 0); 328 } 329 330 return a_digits; 331 } 332 333 static int 334 uarb_shift(uarb inout, int ndigits, unsigned int right_shift) 335 /* Shift inout right by right_shift bits, right_shift must be in the range 336 * 1..15 337 */ 338 { 339 FIX_GCC int i = ndigits; 340 png_uint_16 carry = 0; 341 342 assert(right_shift >= 1 && right_shift <= 15); 343 344 while (--i >= 0) 345 { 346 png_uint_16 temp = (png_uint_16)(carry | (inout[i] >> right_shift)); 347 348 /* Bottom bits to top bits of carry */ 349 carry = (png_uint_16)((inout[i] << (16-right_shift)) & 0xffff); 350 351 inout[i] = temp; 352 353 /* The shift may reduce ndigits */ 354 if (i == ndigits-1 && temp == 0) 355 ndigits = i; 356 } 357 358 return ndigits; 359 } 360 361 static int 362 uarb_cmp(uarb a, int adigits, uarb b, int bdigits) 363 /* Return -1/0/+1 according as a<b/a==b/a>b */ 364 { 365 if (adigits < bdigits) 366 return -1; 367 368 if (adigits > bdigits) 369 return 1; 370 371 while (adigits-- > 0) 372 if (a[adigits] < b[adigits]) 373 return -1; 374 375 else if (a[adigits] > b[adigits]) 376 return 1; 377 378 return 0; 379 } 380 381 #if 0 /*UNUSED*/ 382 static int 383 uarb_eq32(uarb num, int digits, png_uint_32 val) 384 /* Return true if the uarb is equal to 'val' */ 385 { 386 switch (digits) 387 { 388 case 0: return val == 0; 389 case 1: return val == num[0]; 390 case 2: return (val & 0xffff) == num[0] && (val >> 16) == num[1]; 391 default: return 0; 392 } 393 } 394 #endif 395 396 static void 397 uarb_printx(uarb num, int digits, FILE *out) 398 /* Print 'num' as a hexadecimal number (easier than decimal!) */ 399 { 400 while (digits > 0) 401 if (num[--digits] > 0) 402 { 403 fprintf(out, "0x%x", num[digits]); 404 405 while (digits > 0) 406 fprintf(out, "%.4x", num[--digits]); 407 } 408 409 else if (digits == 0) /* the number is 0 */ 410 fputs("0x0", out); 411 } 412 413 static void 414 uarb_print(uarb num, int digits, FILE *out) 415 /* Prints 'num' as a decimal if it will fit in an unsigned long, else as a 416 * hexadecimal number. Notice that the results vary for images over 4GByte 417 * in a system dependent way, and the hexadecimal form doesn't work very well 418 * in awk script input. 419 * 420 * 421 * TODO: write uarb_div10 422 */ 423 { 424 if (digits * sizeof (udigit) > sizeof (unsigned long)) 425 uarb_printx(num, digits, out); 426 427 else 428 { 429 unsigned long n = 0; 430 431 while (digits > 0) 432 n = (n << 16) + num[--digits]; 433 434 fprintf(out, "%lu", n); 435 } 436 } 437 438 /* Generate random bytes. This uses a boring repeatable algorithm and it 439 * is implemented here so that it gives the same set of numbers on every 440 * architecture. It's a linear congruential generator (Knuth or Sedgewick 441 * "Algorithms") but it comes from the 'feedback taps' table in Horowitz and 442 * Hill, "The Art of Electronics" (Pseudo-Random Bit Sequences and Noise 443 * Generation.) 444 * 445 * (Copied from contrib/libtests/pngvalid.c) 446 */ 447 static void 448 make_random_bytes(png_uint_32* seed, void* pv, size_t size) 449 { 450 png_uint_32 u0 = seed[0], u1 = seed[1]; 451 png_bytep bytes = voidcast(png_bytep, pv); 452 453 /* There are thirty-three bits; the next bit in the sequence is bit-33 XOR 454 * bit-20. The top 1 bit is in u1, the bottom 32 are in u0. 455 */ 456 size_t i; 457 for (i=0; i<size; ++i) 458 { 459 /* First generate 8 new bits then shift them in at the end. */ 460 png_uint_32 u = ((u0 >> (20-8)) ^ ((u1 << 7) | (u0 >> (32-7)))) & 0xff; 461 u1 <<= 8; 462 u1 |= u0 >> 24; 463 u0 <<= 8; 464 u0 |= u; 465 *bytes++ = (png_byte)u; 466 } 467 468 seed[0] = u0; 469 seed[1] = u1; 470 } 471 472 /* Clear an object to a random value. */ 473 static void 474 clear(void *pv, size_t size) 475 { 476 static png_uint_32 clear_seed[2] = { 0x12345678, 0x9abcdef0 }; 477 make_random_bytes(clear_seed, pv, size); 478 } 479 480 #define CLEAR(object) clear(&(object), sizeof (object)) 481 482 /* Copied from unreleased 1.7 code. 483 * 484 * CRC checking uses a local pre-built implementation of the Ethernet CRC32. 485 * This is to avoid a function call to the zlib DLL and to optimize the 486 * byte-by-byte case. 487 */ 488 static png_uint_32 crc_table[256] = 489 { 490 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 491 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 492 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 493 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, 494 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856, 495 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, 496 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 497 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 498 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 499 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a, 500 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599, 501 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, 502 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 503 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 504 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e, 505 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01, 506 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed, 507 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, 508 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 509 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 510 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 511 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5, 512 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010, 513 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, 514 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 515 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 516 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615, 517 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, 518 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344, 519 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, 520 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 521 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 522 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 523 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c, 524 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef, 525 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, 526 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 527 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 528 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c, 529 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713, 530 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b, 531 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, 532 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 533 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 534 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278, 535 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7, 536 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66, 537 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, 538 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 539 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 540 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 541 0x2d02ef8d 542 }; 543 544 /* The CRC calculated here *IS* conditioned, the corresponding value used by 545 * zlib and the result value is obtained by XORing with CRC_INIT, which is also 546 * the first value that must be passed in (for the first byte) to crc_one_byte. 547 */ 548 #define CRC_INIT 0xffffffff 549 550 static png_uint_32 551 crc_one_byte(png_uint_32 crc, int b) 552 { 553 return crc_table[(crc ^ b) & 0xff] ^ (crc >> 8); 554 } 555 556 static png_uint_32 557 crc_init_4(png_uint_32 value) 558 { 559 /* This is an alternative to the algorithm used in zlib, which requires four 560 * separate tables to parallelize the four byte operations, it only works for 561 * a CRC of the first four bytes of the stream, but this is what happens in 562 * the parser below where length+chunk-name is read and chunk-name used to 563 * initialize the CRC. Notice that the calculation here avoids repeated 564 * conditioning (xor with 0xffffffff) by storing the conditioned value. 565 */ 566 png_uint_32 crc = crc_table[(~value >> 24)] ^ 0xffffff; 567 568 crc = crc_table[(crc ^ (value >> 16)) & 0xff] ^ (crc >> 8); 569 crc = crc_table[(crc ^ (value >> 8)) & 0xff] ^ (crc >> 8); 570 return crc_table[(crc ^ value) & 0xff] ^ (crc >> 8); 571 } 572 573 static int 574 chunk_type_valid(png_uint_32 c) 575 /* Bit whacking approach to chunk name validation that is intended to avoid 576 * branches. The cost is that it uses a lot of 32-bit constants, which might 577 * be bad on some architectures. 578 */ 579 { 580 png_uint_32 t; 581 582 /* Remove bit 5 from all but the reserved byte; this means every 583 * 8-bit unit must be in the range 65-90 to be valid. So bit 5 584 * must be zero, bit 6 must be set and bit 7 zero. 585 */ 586 c &= ~PNG_U32(32,32,0,32); 587 t = (c & ~0x1f1f1f1f) ^ 0x40404040; 588 589 /* Subtract 65 for each 8-bit quantity, this must not overflow 590 * and each byte must then be in the range 0-25. 591 */ 592 c -= PNG_U32(65,65,65,65); 593 t |=c ; 594 595 /* Subtract 26, handling the overflow which should set the top 596 * three bits of each byte. 597 */ 598 c -= PNG_U32(25,25,25,26); 599 t |= ~c; 600 601 return (t & 0xe0e0e0e0) == 0; 602 } 603 604 /**************************** CONTROL INFORMATION *****************************/ 605 606 /* Information about a sequence of IDAT chunks, the chunks have been re-synced 607 * using sync_stream below and the new lengths are recorded here. Because the 608 * number of chunks is unlimited this is handled using a linked list of these 609 * structures. 610 */ 611 struct IDAT_list 612 { 613 struct IDAT_list *next; /* Linked list */ 614 unsigned int length; /* Actual length of the array below */ 615 unsigned int count; /* Number of entries that are valid */ 616 # define IDAT_INIT_LENGTH 16 617 png_uint_32 lengths[IDAT_INIT_LENGTH]; 618 }; 619 620 static void 621 IDAT_list_init(struct IDAT_list *list) 622 { 623 CLEAR(*list); 624 625 list->next = NULL; 626 list->length = IDAT_INIT_LENGTH; 627 } 628 629 static size_t 630 IDAT_list_size(struct IDAT_list *list, unsigned int length) 631 /* Return the size in bytes of an IDAT_list of the given length. */ 632 { 633 if (list != NULL) 634 length = list->length; 635 636 return sizeof *list - sizeof list->lengths + 637 length * sizeof list->lengths[0]; 638 } 639 640 static void 641 IDAT_list_end(struct IDAT_list *IDAT_list) 642 { 643 struct IDAT_list *list = IDAT_list->next; 644 645 CLEAR(*IDAT_list); 646 647 while (list != NULL) 648 { 649 struct IDAT_list *next = list->next; 650 651 clear(list, IDAT_list_size(list, 0)); 652 free(list); 653 list = next; 654 } 655 } 656 657 static struct IDAT_list * 658 IDAT_list_extend(struct IDAT_list *tail) 659 { 660 /* Use the previous cached value if available. */ 661 struct IDAT_list *next = tail->next; 662 663 if (next == NULL) 664 { 665 /* Insert a new, malloc'ed, block of IDAT information buffers, this 666 * one twice as large as the previous one: 667 */ 668 unsigned int length = 2 * tail->length; 669 670 if (length < tail->length) /* arithmetic overflow */ 671 length = tail->length; 672 673 next = voidcast(IDAT_list*, malloc(IDAT_list_size(NULL, length))); 674 CLEAR(*next); 675 676 /* The caller must handle this: */ 677 if (next == NULL) 678 return NULL; 679 680 next->next = NULL; 681 next->length = length; 682 tail->next = next; 683 } 684 685 return next; 686 } 687 688 /* GLOBAL CONTROL STRUCTURE */ 689 struct global 690 { 691 /* PUBLIC GLOBAL VARIABLES: OWNER INITIALIZE */ 692 unsigned int errors :1; /* print file errors to stderr */ 693 unsigned int warnings :1; /* print libpng warnings to stderr */ 694 unsigned int optimize_zlib :1; /* Run optimization search */ 695 unsigned int quiet :2; /* don't output summaries */ 696 unsigned int verbose :3; /* various internal tracking */ 697 unsigned int skip :3; /* Non-critical chunks to skip */ 698 # define SKIP_NONE 0 699 # define SKIP_BAD_CRC 1 /* Chunks with a bad CRC */ 700 # define SKIP_UNSAFE 2 /* Chunks not safe to copy */ 701 # define SKIP_UNUSED 3 /* Chunks not used by libpng */ 702 # define SKIP_TRANSFORM 4 /* Chunks only used in transforms */ 703 # define SKIP_COLOR 5 /* Everything but tRNS, sBIT, gAMA and sRGB */ 704 # define SKIP_ALL 6 /* Everything but tRNS and sBIT */ 705 706 png_uint_32 idat_max; /* 0 to perform no re-chunking */ 707 708 int status_code; /* Accumulated status code */ 709 # define TOO_FAR_BACK 0x01 /* found a too-far-back error */ 710 # define CRC_ERROR 0x02 /* fixed an invalid CRC */ 711 # define STREAM_ERROR 0x04 /* damaged PNG stream (may be fixable) */ 712 # define TRUNCATED 0x08 /* truncated but still readable */ 713 # define FILE_ERROR 0x10 /* could not read the file */ 714 # define WRITE_ERROR 0x20 /* write error (this terminates the read) */ 715 # define INTERNAL_ERROR 0x40 /* internal limits/errors encountered */ 716 717 /* PUBLIC GLOBAL VARIABLES: USED INTERNALLY BY IDAT READ CODE */ 718 struct IDAT_list idat_cache; /* Cache of file IDAT information buffers */ 719 /* The structure is shared across all uses of this global control 720 * structure to avoid reallocation between IDAT streams. 721 */ 722 }; 723 724 static int 725 global_end(struct global *global) 726 { 727 728 int rc; 729 730 IDAT_list_end(&global->idat_cache); 731 rc = global->status_code; 732 CLEAR(*global); 733 return rc; 734 } 735 736 static void 737 global_init(struct global *global) 738 /* Call this once (and only once) to initialize the control */ 739 { 740 CLEAR(*global); 741 742 /* Globals */ 743 global->errors = 0; 744 global->warnings = 0; 745 global->quiet = 0; 746 global->verbose = 0; 747 global->idat_max = 0; /* no re-chunking of IDAT */ 748 global->optimize_zlib = 0; 749 global->skip = SKIP_NONE; 750 global->status_code = 0; 751 752 IDAT_list_init(&global->idat_cache); 753 } 754 755 static int 756 skip_chunk_type(const struct global *global, png_uint_32 type) 757 /* Return true if this chunk is to be skipped according to the --strip 758 * option. This code needs to recognize all known ancillary chunks in order 759 * to handle the --strip=unsafe option. 760 */ 761 { 762 /* Never strip critical chunks: */ 763 if (CRITICAL(type)) 764 return 0; 765 766 switch (type) 767 { 768 /* Chunks that are treated as, effectively, critical because they affect 769 * correct interpretation of the pixel values: 770 */ 771 case png_tRNS: case png_sBIT: 772 return 0; 773 774 /* Chunks that specify gamma encoding which should therefore only be 775 * removed the the user insists: 776 */ 777 case png_gAMA: case png_sRGB: 778 if (global->skip >= SKIP_ALL) 779 return 1; 780 return 0; 781 782 /* Chunks that affect color interpretation - not used by libpng and rarely 783 * used by applications, but technically still required for correct 784 * interpretation of the image data: 785 */ 786 case png_cHRM: case png_iCCP: 787 if (global->skip >= SKIP_COLOR) 788 return 1; 789 return 0; 790 791 /* Other chunks that are used by libpng in image transformations (as 792 * opposed to known chunks that have get/set APIs but are not otherwise 793 * used.) 794 */ 795 case png_bKGD: 796 if (global->skip >= SKIP_TRANSFORM) 797 return 1; 798 return 0; 799 800 /* All other chunks that libpng knows about and affect neither image 801 * interpretation nor libpng transforms - chunks that are effectively 802 * unused by libpng even though libpng might recognize and store them. 803 */ 804 case png_fRAc: case png_gIFg: case png_gIFt: case png_gIFx: case png_hIST: 805 case png_iTXt: case png_oFFs: case png_pCAL: case png_pHYs: case png_sCAL: 806 case png_sPLT: case png_sTER: case png_tEXt: case png_tIME: case png_zTXt: 807 if (global->skip >= SKIP_UNUSED) 808 return 1; 809 return 0; 810 811 /* Chunks that libpng does not know about (notice that this depends on the 812 * list above including all known chunks!) The decision here depends on 813 * whether the safe-to-copy bit is set in the chunk type. 814 */ 815 default: 816 if (SAFE_TO_COPY(type)) 817 { 818 if (global->skip >= SKIP_UNUSED) /* as above */ 819 return 1; 820 } 821 822 else if (global->skip >= SKIP_UNSAFE) 823 return 1; 824 825 return 0; 826 } 827 } 828 829 /* PER-FILE CONTROL STRUCTURE */ 830 struct chunk; 831 struct IDAT; 832 struct file 833 { 834 /* ANCESTORS */ 835 struct global *global; 836 837 /* PUBLIC PER-FILE VARIABLES: CALLER INITIALIZE */ 838 const char * file_name; 839 const char * out_name; /* Name of output file (if required) */ 840 841 /* PUBLIC PER-FILE VARIABLES: SET BY PNG READ CODE */ 842 /* File specific result codes */ 843 int status_code; /* Set to a bit mask of the following: */ 844 int read_errno; /* Records a read error errno */ 845 int write_errno; /* Records a write error errno */ 846 847 /* IHDR information */ 848 png_uint_32 width; 849 png_uint_32 height; 850 png_byte bit_depth; 851 png_byte color_type; 852 png_byte compression_method; 853 png_byte filter_method; 854 png_byte interlace_method; 855 856 udigit image_bytes[5]; 857 int image_digits; 858 859 /* PROTECTED PER-FILE VARIABLES: USED BY THE READ CODE */ 860 FILE * file; /* Original PNG file */ 861 FILE * out; /* If a new one is being written */ 862 jmp_buf jmpbuf; /* Set while reading a PNG */ 863 864 /* PROTECTED CHUNK SPECIFIC VARIABLES: USED BY CHUNK CODE */ 865 /* The following variables are used during reading to record the length, type 866 * and data position of the *next* chunk or, right at the start, the 867 * signature (in length,type). 868 * 869 * When a chunk control structure is instantiated these values are copied 870 * into the structure and can then be overritten with the data for the next 871 * chunk. 872 */ 873 fpos_t data_pos; /* Position of first byte of chunk data */ 874 png_uint_32 length; /* First word (length or signature start) */ 875 png_uint_32 type; /* Second word (type or signature end) */ 876 png_uint_32 crc; /* Running chunk CRC (used by read_chunk) */ 877 878 /* These counts are maintained by the read and write routines below and are 879 * reset by the chunk handling code. They record the total number of bytes 880 * read or written for the chunk, including the header (length,type) bytes. 881 */ 882 png_uint_32 read_count; /* Count of bytes read (in the chunk) */ 883 png_uint_32 write_count; /* Count of bytes written (in the chunk) */ 884 int state; /* As defined here: */ 885 # define STATE_SIGNATURE 0 /* The signature is being written */ 886 # define STATE_CHUNKS 1 /* Non-IDAT chunks are being written */ 887 # define STATE_IDAT 2 /* An IDAT stream is being written */ 888 889 /* Two pointers used to enable clean-up in the event of fatal errors and to 890 * hold state about the parser process (only one of each at present.) 891 */ 892 struct chunk * chunk; 893 struct IDAT * idat; 894 895 /* Interface to allocate a new chunk or IDAT control structure. The result 896 * is returned by setting one or other of the above variables. Note that the 897 * relevant initializer is called by the allocator function. The alloc_ptr 898 * is used only by the implementation of the allocate function. 899 */ 900 void * alloc_ptr; 901 void (*alloc)(struct file*,int idat); 902 /* idat: allocate IDAT not chunk */ 903 }; 904 905 /* Valid longjmp (stop) codes are: */ 906 #define LIBPNG_WARNING_CODE 1 /* generic png_error */ 907 #define LIBPNG_ERROR_CODE 2 /* generic png_error */ 908 #define ZLIB_ERROR_CODE 3 /* generic zlib error */ 909 #define INVALID_ERROR_CODE 4 /* detected an invalid PNG */ 910 #define READ_ERROR_CODE 5 /* read failed */ 911 #define WRITE_ERROR_CODE 6 /* error in write */ 912 #define UNEXPECTED_ERROR_CODE 7 /* unexpected (internal?) error */ 913 914 static void 915 emit_string(const char *str, FILE *out) 916 /* Print a string with spaces replaced by '_' and non-printing characters by 917 * an octal escape. 918 */ 919 { 920 for (; *str; ++str) 921 if (isgraph(UCHAR_MAX & *str)) 922 putc(*str, out); 923 924 else if (isspace(UCHAR_MAX & *str)) 925 putc('_', out); 926 927 else 928 fprintf(out, "\\%.3o", *str); 929 } 930 931 static const char * 932 strcode(int code) 933 { 934 switch (code) 935 { 936 case LIBPNG_WARNING_CODE: return "warning"; 937 case LIBPNG_ERROR_CODE: return "libpng"; 938 case ZLIB_ERROR_CODE: return "zlib"; 939 case INVALID_ERROR_CODE: return "invalid"; 940 case READ_ERROR_CODE: return "read"; 941 case WRITE_ERROR_CODE: return "write"; 942 case UNEXPECTED_ERROR_CODE: return "unexpected"; 943 default: return "INVALID"; 944 } 945 } 946 947 static void 948 emit_error(struct file *file, int code, const char *what) 949 /* Generic error message routine, takes a 'stop' code but can be used 950 * elsewhere. Always outputs a message. 951 */ 952 { 953 const char *reason; 954 int err = 0; 955 956 switch (code) 957 { 958 case LIBPNG_WARNING_CODE: reason = "libpng warning:"; break; 959 case LIBPNG_ERROR_CODE: reason = "libpng error:"; break; 960 case ZLIB_ERROR_CODE: reason = "zlib error:"; break; 961 case INVALID_ERROR_CODE: reason = "invalid"; break; 962 case READ_ERROR_CODE: reason = "read failure:"; 963 err = file->read_errno; 964 break; 965 case WRITE_ERROR_CODE: reason = "write error"; 966 err = file->write_errno; 967 break; 968 case UNEXPECTED_ERROR_CODE: reason = "unexpected error:"; 969 err = file->read_errno; 970 if (err == 0) 971 err = file->write_errno; 972 break; 973 default: reason = "INVALID (internal error):"; break; 974 } 975 976 if (err != 0) 977 fprintf(stderr, "%s: %s %s [%s]\n", file->file_name, reason, what, 978 strerror(err)); 979 980 else 981 fprintf(stderr, "%s: %s %s\n", file->file_name, reason, what); 982 } 983 984 static void chunk_end(struct chunk **); 985 static void IDAT_end(struct IDAT **); 986 987 static int 988 file_end(struct file *file) 989 { 990 int rc; 991 992 /* If either of the chunk pointers are set end them here, the IDAT structure 993 * must be deallocated first as it may deallocate the chunk structure. 994 */ 995 if (file->idat != NULL) 996 IDAT_end(&file->idat); 997 998 if (file->chunk != NULL) 999 chunk_end(&file->chunk); 1000 1001 rc = file->status_code; 1002 1003 if (file->file != NULL) 1004 (void)fclose(file->file); 1005 1006 if (file->out != NULL) 1007 { 1008 /* NOTE: this is bitwise |, all the following functions must execute and 1009 * must succeed. 1010 */ 1011 if (ferror(file->out) | fflush(file->out) | fclose(file->out)) 1012 { 1013 perror(file->out_name); 1014 emit_error(file, READ_ERROR_CODE, "output write error"); 1015 rc |= WRITE_ERROR; 1016 } 1017 } 1018 1019 /* Accumulate the result codes */ 1020 file->global->status_code |= rc; 1021 1022 CLEAR(*file); 1023 1024 return rc; /* status code: non-zero on read or write error */ 1025 } 1026 1027 static int 1028 file_init(struct file *file, struct global *global, const char *file_name, 1029 const char *out_name, void *alloc_ptr, void (*alloc)(struct file*,int)) 1030 /* Initialize a file control structure. This will open the given files as 1031 * well. The status code returned is 0 on success, non zero (using the flags 1032 * above) on a file open error. 1033 */ 1034 { 1035 CLEAR(*file); 1036 file->global = global; 1037 1038 file->file_name = file_name; 1039 file->out_name = out_name; 1040 file->status_code = 0; 1041 file->read_errno = 0; 1042 file->write_errno = 0; 1043 1044 file->file = NULL; 1045 file->out = NULL; 1046 /* jmpbuf is garbage: must be set by read_png */ 1047 1048 file->read_count = 0; 1049 file->state = STATE_SIGNATURE; 1050 1051 file->chunk = NULL; 1052 file->idat = NULL; 1053 1054 file->alloc_ptr = alloc_ptr; 1055 file->alloc = alloc; 1056 1057 /* Open the files: */ 1058 assert(file_name != NULL); 1059 file->file = fopen(file_name, "rb"); 1060 1061 if (file->file == NULL) 1062 { 1063 file->read_errno = errno; 1064 file->status_code |= FILE_ERROR; 1065 /* Always output: please give a readable file! */ 1066 perror(file_name); 1067 return FILE_ERROR; 1068 } 1069 1070 if (out_name != NULL) 1071 { 1072 file->out = fopen(out_name, "wb"); 1073 1074 if (file->out == NULL) 1075 { 1076 file->write_errno = errno; 1077 file->status_code |= WRITE_ERROR; 1078 perror(out_name); 1079 return WRITE_ERROR; 1080 } 1081 } 1082 1083 return 0; 1084 } 1085 1086 static void 1087 log_error(struct file *file, int code, const char *what) 1088 /* Like emit_error but checks the global 'errors' flag */ 1089 { 1090 if (file->global->errors) 1091 emit_error(file, code, what); 1092 } 1093 1094 static char 1095 type_char(png_uint_32 v) 1096 { 1097 /* In fact because chunk::chunk_type is validated prior to any call to this 1098 * function it will always return a-zA-Z, but the extra codes are just there 1099 * to help in finding internal (programming) errors. Note that the code only 1100 * ever considers the low 7 bits of the value (so it is not necessary for the 1101 * type_name function to mask of the byte.) 1102 */ 1103 if (v & 32) 1104 return "!abcdefghijklmnopqrstuvwxyz56789"[(v-96)&31]; 1105 1106 else 1107 return "@ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"[(v-64)&31]; 1108 } 1109 1110 static void 1111 type_name(png_uint_32 type, FILE *out) 1112 { 1113 putc(type_char(type >> 24), out); 1114 putc(type_char(type >> 16), out); 1115 putc(type_char(type >> 8), out); 1116 putc(type_char(type ), out); 1117 } 1118 1119 static void 1120 type_sep(FILE *out) 1121 { 1122 putc(':', out); 1123 putc(' ', out); 1124 } 1125 1126 static png_uint_32 current_type(struct file *file, int code); 1127 1128 PNG_NORETURN static void 1129 stop(struct file *file, int code, const char *what) 1130 /* Return control when a PNG file cannot be read. This outputs an 'ERR' 1131 * summary line too. 1132 */ 1133 { 1134 log_error(file, code, what); 1135 1136 /* The chunk being read is typically identified by file->chunk or, if this is 1137 * NULL, by file->type. This may be wrong if libpng reads ahead, but this 1138 * only happens with IDAT where libpng reads the header then jumps around 1139 * finding errors in the previous chunks. We know that is happening because 1140 * we are at the start of the IDAT (i.e. no IDAT data has yet been written.) 1141 * 1142 * SUMMARY FORMAT (stop): 1143 * 1144 * IDAT ERR status code read-errno write-errno message file 1145 * 1146 * 'uncompressed' will be 0 if there was a problem in the IHDR. The errno 1147 * values are emit_string(strerror(errno)). 1148 */ 1149 if (file->global->quiet < 2) /* need two quiets to stop this. */ 1150 { 1151 png_uint_32 type; 1152 1153 if (file->chunk != NULL) 1154 type = current_type(file, code); /* Gropes in struct chunk and IDAT */ 1155 1156 else 1157 type = file->type; 1158 1159 if (type) 1160 type_name(type, stdout); 1161 1162 else /* magic: an IDAT header, produces bogons for too many IDATs */ 1163 fputs("HEAD", stdout); /* not a registered chunk! */ 1164 1165 printf(" ERR %.2x %s ", file->status_code, strcode(code)); 1166 /* This only works one strerror at a time, because of the way strerror is 1167 * implemented. 1168 */ 1169 emit_string(strerror(file->read_errno), stdout); 1170 putc(' ', stdout); 1171 emit_string(strerror(file->write_errno), stdout); 1172 putc(' ', stdout); 1173 emit_string(what, stdout); 1174 putc(' ', stdout); 1175 fputs(file->file_name, stdout); 1176 putc('\n', stdout); 1177 } 1178 1179 file->status_code |= FILE_ERROR; 1180 longjmp(file->jmpbuf, code); 1181 } 1182 1183 PNG_NORETURN static void 1184 stop_invalid(struct file *file, const char *what) 1185 { 1186 stop(file, INVALID_ERROR_CODE, what); 1187 } 1188 1189 static void 1190 type_message(struct file *file, png_uint_32 type, const char *what) 1191 /* Error message for a chunk; the chunk name comes from 'type' */ 1192 { 1193 if (file->global->errors) 1194 { 1195 fputs(file->file_name, stderr); 1196 type_sep(stderr); 1197 type_name(type, stderr); 1198 type_sep(stderr); 1199 fputs(what, stderr); 1200 putc('\n', stderr); 1201 } 1202 } 1203 1204 /* Input file positioning - we jump around in the input file while reading 1205 * stuff, these wrappers deal with the error handling. 1206 */ 1207 static void 1208 file_getpos(struct file *file, fpos_t *pos) 1209 { 1210 if (fgetpos(file->file, pos)) 1211 { 1212 /* This is unexpected, so perror it */ 1213 perror(file->file_name); 1214 stop(file, READ_ERROR_CODE, "fgetpos"); 1215 } 1216 } 1217 1218 static void 1219 file_setpos(struct file *file, const fpos_t *pos) 1220 { 1221 if (fsetpos(file->file, pos)) 1222 { 1223 perror(file->file_name); 1224 stop(file, READ_ERROR_CODE, "fsetpos"); 1225 } 1226 } 1227 1228 static void 1229 getpos(struct file *file) 1230 /* Get the current position and store it in 'data_pos'. The corresponding 1231 * setpos() function is chunk specific because it uses the copy of the 1232 * position for the specific chunk. 1233 */ 1234 { 1235 file_getpos(file, &file->data_pos); 1236 } 1237 1238 1239 /* Read utility - read a single byte, returns a value in the range 0..255 or EOF 1240 * on a read error. In the latter case status_code and read_errno are updated 1241 * appropriately. 1242 */ 1243 static int 1244 read_byte(struct file *file) 1245 { 1246 int ch = getc(file->file); 1247 1248 if (ch >= 0 && ch <= 255) 1249 { 1250 ++(file->read_count); 1251 return ch; 1252 } 1253 1254 else if (ch != EOF) 1255 { 1256 file->status_code |= INTERNAL_ERROR; 1257 file->read_errno = ERANGE; /* out of range character */ 1258 1259 /* This is very unexpected; an error message is always output: */ 1260 emit_error(file, UNEXPECTED_ERROR_CODE, "file read"); 1261 } 1262 1263 # ifdef EINTR 1264 else if (errno == EINTR) /* Interrupted, try again */ 1265 { 1266 errno = 0; 1267 return read_byte(file); 1268 } 1269 # endif 1270 1271 else 1272 { 1273 /* An error, it doesn't really matter what the error is but it gets 1274 * recorded anyway. 1275 */ 1276 if (ferror(file->file)) 1277 file->read_errno = errno; 1278 1279 else if (feof(file->file)) 1280 file->read_errno = 0; /* I.e. a regular EOF, no error */ 1281 1282 else /* unexpected */ 1283 file->read_errno = EDOM; 1284 } 1285 1286 /* 'TRUNCATED' is used for all cases of failure to read a byte, because of 1287 * the way libpng works a byte read is never attempted unless the byte is 1288 * expected to be there, so EOF should not occur. 1289 */ 1290 file->status_code |= TRUNCATED; 1291 return EOF; 1292 } 1293 1294 static png_byte 1295 reread_byte(struct file *file) 1296 /* Read a byte when an error is not expected to happen because the byte has 1297 * been read before without error. 1298 */ 1299 { 1300 int ch = getc(file->file); 1301 1302 if (errno != 0) 1303 file->read_errno = errno; 1304 1305 if (ch < 0 || ch > 255) 1306 stop(file, UNEXPECTED_ERROR_CODE, "reread"); 1307 1308 return (png_byte)ch; 1309 } 1310 1311 static png_uint_32 1312 reread_4(struct file *file) 1313 /* The same but for a four byte quantity */ 1314 { 1315 png_uint_32 result = 0; 1316 int i = 0; 1317 1318 while (++i <= 4) 1319 result = (result << 8) + reread_byte(file); 1320 1321 return result; 1322 } 1323 1324 static void 1325 skip_12(struct file *file) 1326 /* Skip exactly 12 bytes in the input stream - used to skip a CRC and chunk 1327 * header that has been read before. 1328 */ 1329 { 1330 /* Since the chunks were read before this shouldn't fail: */ 1331 if (fseek(file->file, 12, SEEK_CUR) != 0) 1332 { 1333 if (errno != 0) 1334 file->read_errno = errno; 1335 1336 stop(file, UNEXPECTED_ERROR_CODE, "reskip"); 1337 } 1338 } 1339 1340 static void 1341 write_byte(struct file *file, int b) 1342 /* Write one byte to the output - this causes a fatal error if the write 1343 * fails and the read of this PNG file immediately terminates. Just 1344 * increments the write count if there is no output file. 1345 */ 1346 { 1347 if (file->out != NULL) 1348 { 1349 if (putc(b, file->out) != b) 1350 { 1351 file->write_errno = errno; 1352 file->status_code |= WRITE_ERROR; 1353 stop(file, WRITE_ERROR_CODE, "write byte"); 1354 } 1355 } 1356 1357 ++(file->write_count); 1358 } 1359 1360 /* Derivatives of the read/write functions. */ 1361 static unsigned int 1362 read_4(struct file *file, png_uint_32 *pu) 1363 /* Read four bytes, returns the number of bytes read successfully and, if all 1364 * four bytes are read, assigns the result to *pu. 1365 */ 1366 { 1367 unsigned int i = 0; 1368 png_uint_32 val = 0; 1369 1370 do 1371 { 1372 int ch = read_byte(file); 1373 1374 if (ch == EOF) 1375 return i; 1376 1377 val = (val << 8) + ch; 1378 } while (++i < 4); 1379 1380 *pu = val; 1381 return i; 1382 } 1383 1384 /* CRC handling - read but calculate the CRC while doing so. */ 1385 static int 1386 crc_read_many(struct file *file, png_uint_32 length) 1387 /* Reads 'length' bytes and updates the CRC, returns true on success, false 1388 * if the input is truncated. 1389 */ 1390 { 1391 if (length > 0) 1392 { 1393 png_uint_32 crc = file->crc; 1394 1395 do 1396 { 1397 int ch = read_byte(file); 1398 1399 if (ch == EOF) 1400 return 0; /* Truncated */ 1401 1402 crc = crc_one_byte(crc, ch); 1403 } 1404 while (--length > 0); 1405 1406 file->crc = crc; 1407 } 1408 1409 return 1; /* OK */ 1410 } 1411 1412 static int 1413 calc_image_size(struct file *file) 1414 /* Fill in the image_bytes field given the IHDR information, calls stop on 1415 * error. 1416 */ 1417 { 1418 png_uint_16 pd = file->bit_depth; 1419 1420 switch (file->color_type) 1421 { 1422 default: 1423 stop_invalid(file, "IHDR: colour type"); 1424 1425 invalid_bit_depth: 1426 stop_invalid(file, "IHDR: bit depth"); 1427 1428 case 0: /* g */ 1429 if (pd != 1 && pd != 2 && pd != 4 && pd != 8 && pd != 16) 1430 goto invalid_bit_depth; 1431 break; 1432 1433 case 3: 1434 if (pd != 1 && pd != 2 && pd != 4 && pd != 8) 1435 goto invalid_bit_depth; 1436 break; 1437 1438 case 2: /* rgb */ 1439 if (pd != 8 && pd != 16) 1440 goto invalid_bit_depth; 1441 1442 pd = (png_uint_16)(pd * 3); 1443 break; 1444 1445 case 4: /* ga */ 1446 if (pd != 8 && pd != 16) 1447 goto invalid_bit_depth; 1448 1449 pd = (png_uint_16)(pd * 2); 1450 break; 1451 1452 case 6: /* rgba */ 1453 if (pd != 8 && pd != 16) 1454 goto invalid_bit_depth; 1455 1456 pd = (png_uint_16)(pd * 4); 1457 break; 1458 } 1459 1460 if (file->width < 1 || file->width > 0x7fffffff) 1461 stop_invalid(file, "IHDR: width"); 1462 1463 else if (file->height < 1 || file->height > 0x7fffffff) 1464 stop_invalid(file, "IHDR: height"); 1465 1466 else if (file->compression_method != 0) 1467 stop_invalid(file, "IHDR: compression method"); 1468 1469 else if (file->filter_method != 0) 1470 stop_invalid(file, "IHDR: filter method"); 1471 1472 else switch (file->interlace_method) 1473 { 1474 case PNG_INTERLACE_ADAM7: 1475 /* Interlacing makes the image larger because of the replication of 1476 * both the filter byte and the padding to a byte boundary. 1477 */ 1478 { 1479 int pass; 1480 int image_digits = 0; 1481 udigit row_width[2], row_bytes[3]; 1482 1483 for (pass=0; pass<=6; ++pass) 1484 { 1485 png_uint_32 pw = PNG_PASS_COLS(file->width, pass); 1486 1487 if (pw > 0) 1488 { 1489 int digits; 1490 1491 /* calculate 1+((pw*pd+7)>>3) in row_bytes */ 1492 digits = uarb_mult_digit(row_bytes, uarb_set(row_bytes, 7), 1493 row_width, uarb_set(row_width, pw), pd); 1494 digits = uarb_shift(row_bytes, digits, 3); 1495 digits = uarb_inc(row_bytes, digits, 1); 1496 1497 /* Add row_bytes * pass-height to the file image_bytes field 1498 */ 1499 image_digits = uarb_mult32(file->image_bytes, image_digits, 1500 row_bytes, digits, 1501 PNG_PASS_ROWS(file->height, pass)); 1502 } 1503 } 1504 1505 file->image_digits = image_digits; 1506 } 1507 break; 1508 1509 case PNG_INTERLACE_NONE: 1510 { 1511 int digits; 1512 udigit row_width[2], row_bytes[3]; 1513 1514 /* As above, but use image_width in place of the pass width: */ 1515 digits = uarb_mult_digit(row_bytes, uarb_set(row_bytes, 7), 1516 row_width, uarb_set(row_width, file->width), pd); 1517 digits = uarb_shift(row_bytes, digits, 3); 1518 digits = uarb_inc(row_bytes, digits, 1); 1519 1520 /* Set row_bytes * image-height to the file image_bytes field */ 1521 file->image_digits = uarb_mult32(file->image_bytes, 0, 1522 row_bytes, digits, file->height); 1523 } 1524 break; 1525 1526 default: 1527 stop_invalid(file, "IHDR: interlace method"); 1528 } 1529 1530 assert(file->image_digits >= 1 && file->image_digits <= 5); 1531 return 1; 1532 } 1533 1534 /* PER-CHUNK CONTROL STRUCTURE 1535 * This structure is instantiated for each chunk, except for the IDAT chunks 1536 * where one chunk control structure is used for the whole of a single stream of 1537 * IDAT chunks (see the IDAT control structure below). 1538 */ 1539 struct chunk 1540 { 1541 /* ANCESTORS */ 1542 struct file * file; 1543 struct global * global; 1544 1545 /* PUBLIC IDAT INFORMATION: SET BY THE ZLIB CODE */ 1546 udigit uncompressed_bytes[5]; 1547 int uncompressed_digits; 1548 udigit compressed_bytes[5]; 1549 int compressed_digits; 1550 1551 /* PUBLIC PER-CHUNK INFORMATION: USED BY CHUNK READ CODE */ 1552 /* This information is filled in by chunk_init from the data in the file 1553 * control structure, but chunk_length may be changed later. 1554 */ 1555 fpos_t chunk_data_pos; /* Position of first byte of chunk data */ 1556 png_uint_32 chunk_length; /* From header (or modified below) */ 1557 png_uint_32 chunk_type; /* From header */ 1558 1559 /* PUBLIC PER-CHUNK INFORMATION: FOR THE CHUNK WRITE CODE */ 1560 png_uint_32 write_crc; /* Output CRC (may differ from read_crc) */ 1561 png_uint_32 rewrite_offset; /* Count of bytes before rewrite. */ 1562 int rewrite_length; /* Number of bytes left to change */ 1563 png_byte rewrite_buffer[2]; /* Buffer of new byte values */ 1564 }; 1565 1566 static void 1567 chunk_message(struct chunk *chunk, const char *message) 1568 { 1569 type_message(chunk->file, chunk->chunk_type, message); 1570 } 1571 1572 static void 1573 chunk_end(struct chunk **chunk_var) 1574 { 1575 struct chunk *chunk = *chunk_var; 1576 1577 *chunk_var = NULL; 1578 CLEAR(*chunk); 1579 } 1580 1581 static void 1582 chunk_init(struct chunk * const chunk, struct file * const file) 1583 /* When a chunk is initialized the file length/type/pos are copied into the 1584 * corresponding chunk fields and the new chunk is registered in the file 1585 * structure. There can only be one chunk at a time. 1586 * 1587 * NOTE: this routine must onely be called from the file alloc routine! 1588 */ 1589 { 1590 assert(file->chunk == NULL); 1591 1592 CLEAR(*chunk); 1593 1594 chunk->file = file; 1595 chunk->global = file->global; 1596 1597 chunk->chunk_data_pos = file->data_pos; 1598 chunk->chunk_length = file->length; 1599 chunk->chunk_type = file->type; 1600 1601 /* Compresssed/uncompressed size information (from the zlib control structure 1602 * that is used to check the compressed data in a chunk.) 1603 */ 1604 chunk->uncompressed_digits = 0; 1605 chunk->compressed_digits = 0; 1606 1607 file->chunk = chunk; 1608 } 1609 1610 static png_uint_32 1611 current_type(struct file *file, int code) 1612 /* Guess the actual chunk type that causes a stop() */ 1613 { 1614 /* This may return png_IDAT for errors detected (late) in the header; that 1615 * includes any inter-chunk consistency check that libpng performs. Assume 1616 * that if the chunk_type is png_IDAT and the file write count is 8 this is 1617 * what is happening. 1618 */ 1619 if (file->chunk != NULL) 1620 { 1621 png_uint_32 type = file->chunk->chunk_type; 1622 1623 /* This is probably wrong for the excess IDATs case, because then libpng 1624 * whines about too many of them (apparently in some cases erroneously) 1625 * when the header is read. 1626 */ 1627 if (code <= LIBPNG_ERROR_CODE && type == png_IDAT && 1628 file->write_count == 8) 1629 type = 0; /* magic */ 1630 1631 return type; 1632 } 1633 1634 else 1635 return file->type; 1636 } 1637 1638 static void 1639 setpos(struct chunk *chunk) 1640 /* Reset the position to 'chunk_data_pos' - the start of the data for this 1641 * chunk. As a side effect the read_count in the file is reset to 8, just 1642 * after the length/type header. 1643 */ 1644 { 1645 chunk->file->read_count = 8; 1646 file_setpos(chunk->file, &chunk->chunk_data_pos); 1647 } 1648 1649 /* Specific chunk handling - called for each chunk header, all special chunk 1650 * processing is initiated in these functions. 1651 */ 1652 /* The next functions handle special processing for those chunks with LZ data, 1653 * the data is identified and checked for validity. If there are problems which 1654 * cannot be corrected the routines return false, otherwise true (although 1655 * modification to the zlib header may be required.) 1656 * 1657 * The compressed data is in zlib format (RFC1950) and consequently has a 1658 * minimum length of 7 bytes. 1659 */ 1660 static int zlib_check(struct file *file, png_uint_32 offset); 1661 1662 static int 1663 process_zTXt_iCCP(struct file *file) 1664 /* zTXt and iCCP have exactly the same form - keyword, null, compression 1665 * method then compressed data. 1666 */ 1667 { 1668 struct chunk *chunk = file->chunk; 1669 png_uint_32 length; 1670 png_uint_32 index = 0; 1671 1672 assert(chunk != NULL && file->idat == NULL); 1673 length = chunk->chunk_length; 1674 setpos(chunk); 1675 1676 while (length >= 9) 1677 { 1678 --length; 1679 ++index; 1680 if (reread_byte(file) == 0) /* keyword null terminator */ 1681 { 1682 --length; 1683 ++index; 1684 (void)reread_byte(file); /* compression method */ 1685 return zlib_check(file, index); 1686 } 1687 } 1688 1689 chunk_message(chunk, "too short"); 1690 return 0; /* skip */ 1691 } 1692 1693 static int 1694 process_iTXt(struct file *file) 1695 { 1696 /* Like zTXt but more fields. */ 1697 struct chunk *chunk = file->chunk; 1698 png_uint_32 length; 1699 png_uint_32 index = 0; 1700 1701 assert(chunk != NULL && file->idat == NULL); 1702 length = chunk->chunk_length; 1703 setpos(chunk); 1704 1705 while (length >= 5) 1706 { 1707 --length; 1708 ++index; 1709 if (reread_byte(file) == 0) /* keyword null terminator */ 1710 { 1711 --length; 1712 ++index; 1713 if (reread_byte(file) == 0) /* uncompressed text */ 1714 return 1; /* nothing to check */ 1715 1716 --length; 1717 ++index; 1718 (void)reread_byte(file); /* compression method */ 1719 1720 /* Skip the language tag (null terminated). */ 1721 while (length >= 9) 1722 { 1723 --length; 1724 ++index; 1725 if (reread_byte(file) == 0) /* terminator */ 1726 { 1727 /* Skip the translated keyword */ 1728 while (length >= 8) 1729 { 1730 --length; 1731 ++index; 1732 if (reread_byte(file) == 0) /* terminator */ 1733 return zlib_check(file, index); 1734 } 1735 } 1736 } 1737 1738 /* Ran out of bytes in the compressed case. */ 1739 break; 1740 } 1741 } 1742 1743 log_error(file, INVALID_ERROR_CODE, "iTXt chunk length"); 1744 1745 return 0; /* skip */ 1746 } 1747 1748 /* IDAT READ/WRITE CONTROL STRUCTURE */ 1749 struct IDAT 1750 { 1751 /* ANCESTORS */ 1752 struct file * file; 1753 struct global * global; 1754 1755 /* PROTECTED IDAT INFORMATION: SET BY THE IDAT READ CODE */ 1756 struct IDAT_list *idat_list_head; /* START of the list of IDAT information */ 1757 struct IDAT_list *idat_list_tail; /* *END* of the list of IDAT information */ 1758 1759 /* PROTECTED IDAT INFORMATION: USED BY THE IDAT WRITE CODE */ 1760 struct IDAT_list *idat_cur; /* Current list entry */ 1761 unsigned int idat_count; /* And the *current* index into the list */ 1762 png_uint_32 idat_index; /* Index of *next* input byte to write */ 1763 png_uint_32 idat_length; /* Cache of current chunk length */ 1764 }; 1765 1766 /* NOTE: there is currently no IDAT_reset, so a stream cannot contain more than 1767 * one IDAT sequence (i.e. MNG is not supported). 1768 */ 1769 1770 static void 1771 IDAT_end(struct IDAT **idat_var) 1772 { 1773 struct IDAT *idat = *idat_var; 1774 struct file *file = idat->file; 1775 1776 *idat_var = NULL; 1777 1778 CLEAR(*idat); 1779 1780 assert(file->chunk != NULL); 1781 chunk_end(&file->chunk); 1782 1783 /* Regardless of why the IDAT was killed set the state back to CHUNKS (it may 1784 * already be CHUNKS because the state isn't changed until process_IDAT 1785 * returns; a stop will cause IDAT_end to be entered in state CHUNKS!) 1786 */ 1787 file->state = STATE_CHUNKS; 1788 } 1789 1790 static void 1791 IDAT_init(struct IDAT * const idat, struct file * const file) 1792 /* When the chunk is png_IDAT instantiate an IDAT control structure in place 1793 * of a chunk control structure. The IDAT will instantiate a chunk control 1794 * structure using the file alloc routine. 1795 * 1796 * NOTE: this routine must only be called from the file alloc routine! 1797 */ 1798 { 1799 assert(file->chunk == NULL); 1800 assert(file->idat == NULL); 1801 1802 CLEAR(*idat); 1803 1804 idat->file = file; 1805 idat->global = file->global; 1806 1807 /* Initialize the tail to the pre-allocated buffer and set the count to 0 1808 * (empty.) 1809 */ 1810 idat->global->idat_cache.count = 0; 1811 idat->idat_list_head = idat->idat_list_tail = &idat->global->idat_cache; 1812 1813 /* Now the chunk. The allocator calls the initializer of the new chunk and 1814 * stores the result in file->chunk: 1815 */ 1816 file->alloc(file, 0/*chunk*/); 1817 assert(file->chunk != NULL); 1818 1819 /* And store this for cleanup (and to check for double alloc or failure to 1820 * free.) 1821 */ 1822 file->idat = idat; 1823 } 1824 1825 static png_uint_32 1826 rechunk_length(struct IDAT *idat, int start) 1827 /* Return the length for the next IDAT chunk, taking into account 1828 * rechunking. 1829 */ 1830 { 1831 png_uint_32 len = idat->global->idat_max; 1832 1833 if (len == 0) /* use original chunk lengths */ 1834 { 1835 const struct IDAT_list *cur; 1836 unsigned int count; 1837 1838 if (start) 1839 return idat->idat_length; /* use the cache */ 1840 1841 /* Otherwise rechunk_length is called at the end of a chunk for the length 1842 * of the next one. 1843 */ 1844 cur = idat->idat_cur; 1845 count = idat->idat_count; 1846 1847 assert(idat->idat_index == idat->idat_length && 1848 idat->idat_length == cur->lengths[count]); 1849 1850 /* Return length of the *next* chunk */ 1851 if (++count < cur->count) 1852 return cur->lengths[count]; 1853 1854 /* End of this list */ 1855 assert(cur != idat->idat_list_tail); 1856 cur = cur->next; 1857 assert(cur != NULL && cur->count > 0); 1858 return cur->lengths[0]; 1859 } 1860 1861 else /* rechunking */ 1862 { 1863 /* The chunk size is the lesser of file->idat_max and the number 1864 * of remaining bytes. 1865 */ 1866 png_uint_32 have = idat->idat_length - idat->idat_index; 1867 1868 if (len > have) 1869 { 1870 struct IDAT_list *cur = idat->idat_cur; 1871 unsigned int j = idat->idat_count+1; /* the next IDAT in the list */ 1872 1873 do 1874 { 1875 /* Add up the remaining bytes. This can't overflow because the 1876 * individual lengths are always <= 0x7fffffff, so when we add two 1877 * of them overflow is not possible. 1878 */ 1879 assert(cur != NULL); 1880 1881 for (;;) 1882 { 1883 /* NOTE: IDAT_list::count here, not IDAT_list::length */ 1884 for (; j < cur->count; ++j) 1885 { 1886 have += cur->lengths[j]; 1887 if (len <= have) 1888 return len; 1889 } 1890 1891 /* If this was the end return the count of the available bytes */ 1892 if (cur == idat->idat_list_tail) 1893 return have; 1894 1895 cur = cur->next; 1896 j = 0; 1897 } 1898 } 1899 while (len > have); 1900 } 1901 1902 return len; 1903 } 1904 } 1905 1906 static int 1907 process_IDAT(struct file *file) 1908 /* Process the IDAT stream, this is the more complex than the preceding 1909 * cases because the compressed data is spread across multiple IDAT chunks 1910 * (typically). Rechunking of the data is not handled here; all this 1911 * function does is establish whether the zlib header needs to be modified. 1912 * 1913 * Initially the function returns false, indicating that the chunk should not 1914 * be written. It does this until the last IDAT chunk is passed in, then it 1915 * checks the zlib data and returns true. 1916 * 1917 * It does not return false on a fatal error; it calls stop instead. 1918 * 1919 * The caller must have an instantiated (IDAT) control structure and it must 1920 * have extent over the whole read of the IDAT stream. For a PNG this means 1921 * the whole PNG read, for MNG it could have lesser extent. 1922 */ 1923 { 1924 struct IDAT_list *list; 1925 1926 assert(file->idat != NULL && file->chunk != NULL); 1927 1928 /* We need to first check the entire sequence of IDAT chunks to ensure the 1929 * stream is in sync. Do this by building a list of all the chunks and 1930 * recording the length of each because the length may have been fixed up by 1931 * sync_stream below. 1932 * 1933 * At the end of the list of chunks, where the type of the next chunk is not 1934 * png_IDAT, process the whole stream using the list data to check validity 1935 * then return control to the start and rewrite everything. 1936 */ 1937 list = file->idat->idat_list_tail; 1938 1939 if (list->count == list->length) 1940 { 1941 list = IDAT_list_extend(list); 1942 1943 if (list == NULL) 1944 stop(file, READ_ERROR_CODE, "out of memory"); 1945 1946 /* Move to the next block */ 1947 list->count = 0; 1948 file->idat->idat_list_tail = list; 1949 } 1950 1951 /* And fill in the next IDAT information buffer. */ 1952 list->lengths[(list->count)++] = file->chunk->chunk_length; 1953 1954 /* The type of the next chunk was recorded in the file control structure by 1955 * the caller, if this is png_IDAT return 'skip' to the caller. 1956 */ 1957 if (file->type == png_IDAT) 1958 return 0; /* skip this for the moment */ 1959 1960 /* This is the final IDAT chunk, so run the tests to check for the too far 1961 * back error and possibly optimize the window bits. This means going back 1962 * to the start of the first chunk data, which is stored in the original 1963 * chunk allocation. 1964 */ 1965 setpos(file->chunk); 1966 1967 if (zlib_check(file, 0)) 1968 { 1969 struct IDAT *idat; 1970 int cmp; 1971 1972 /* The IDAT stream was successfully uncompressed; see whether it 1973 * contained the correct number of bytes of image data. 1974 */ 1975 cmp = uarb_cmp(file->image_bytes, file->image_digits, 1976 file->chunk->uncompressed_bytes, file->chunk->uncompressed_digits); 1977 1978 if (cmp < 0) 1979 type_message(file, png_IDAT, "extra uncompressed data"); 1980 1981 else if (cmp > 0) 1982 stop(file, LIBPNG_ERROR_CODE, "IDAT: uncompressed data too small"); 1983 1984 /* Return the stream to the start of the first IDAT chunk; the length 1985 * is set in the write case below but the input chunk variables must be 1986 * set (once) here: 1987 */ 1988 setpos(file->chunk); 1989 1990 idat = file->idat; 1991 idat->idat_cur = idat->idat_list_head; 1992 idat->idat_length = idat->idat_cur->lengths[0]; 1993 idat->idat_count = 0; /* Count of chunks read in current list */ 1994 idat->idat_index = 0; /* Index into chunk data */ 1995 1996 /* Update the chunk length to the correct value for the IDAT chunk: */ 1997 file->chunk->chunk_length = rechunk_length(idat, 1/*start*/); 1998 1999 /* Change the state to writing IDAT chunks */ 2000 file->state = STATE_IDAT; 2001 2002 return 1; 2003 } 2004 2005 else /* Failure to decompress the IDAT stream; give up. */ 2006 stop(file, ZLIB_ERROR_CODE, "could not uncompress IDAT"); 2007 } 2008 2009 /* ZLIB CONTROL STRUCTURE */ 2010 struct zlib 2011 { 2012 /* ANCESTORS */ 2013 struct IDAT * idat; /* NOTE: May be NULL */ 2014 struct chunk * chunk; 2015 struct file * file; 2016 struct global *global; 2017 2018 /* GLOBAL ZLIB INFORMATION: SET BY THE CALLER */ 2019 png_uint_32 rewrite_offset; 2020 2021 /* GLOBAL ZLIB INFORMATION: SET BY THE ZLIB READ CODE */ 2022 udigit compressed_bytes[5]; 2023 int compressed_digits; 2024 udigit uncompressed_bytes[5]; 2025 int uncompressed_digits; 2026 int file_bits; /* window bits from the file */ 2027 int ok_bits; /* Set <16 on a successful read */ 2028 int cksum; /* Set on a checksum error */ 2029 2030 /* PROTECTED ZLIB INFORMATION: USED BY THE ZLIB ROUTINES */ 2031 z_stream z; 2032 png_uint_32 extra_bytes; /* Count of extra compressed bytes */ 2033 int state; 2034 int rc; /* Last return code */ 2035 int window_bits; /* 0 if no change */ 2036 png_byte header[2]; 2037 }; 2038 2039 static const char * 2040 zlib_flevel(struct zlib *zlib) 2041 { 2042 switch (zlib->header[1] >> 6) 2043 { 2044 case 0: return "supfast"; 2045 case 1: return "stdfast"; 2046 case 2: return "default"; 2047 case 3: return "maximum"; 2048 default: assert(UNREACHED); 2049 } 2050 2051 return "COMPILER BUG"; 2052 } 2053 2054 static const char * 2055 zlib_rc(struct zlib *zlib) 2056 /* Return a string for the zlib return code */ 2057 { 2058 switch (zlib->rc) 2059 { 2060 case Z_OK: return "Z_OK"; 2061 case Z_STREAM_END: return "Z_STREAM_END"; 2062 case Z_NEED_DICT: return "Z_NEED_DICT"; 2063 case Z_ERRNO: return "Z_ERRNO"; 2064 case Z_STREAM_ERROR: return "Z_STREAM_ERROR"; 2065 case Z_DATA_ERROR: return "Z_DATA_ERROR"; 2066 case Z_MEM_ERROR: return "Z_MEM_ERROR"; 2067 case Z_BUF_ERROR: return "Z_BUF_ERROR"; 2068 case Z_VERSION_ERROR: return "Z_VERSION_ERROR"; 2069 default: return "Z_*INVALID_RC*"; 2070 } 2071 } 2072 2073 static void 2074 zlib_message(struct zlib *zlib, int unexpected) 2075 /* Output a message given a zlib rc */ 2076 { 2077 if (zlib->global->errors) 2078 { 2079 const char *reason = zlib->z.msg; 2080 2081 if (reason == NULL) 2082 reason = "[no message]"; 2083 2084 fputs(zlib->file->file_name, stderr); 2085 type_sep(stderr); 2086 type_name(zlib->chunk->chunk_type, stderr); 2087 fprintf(stderr, ": %szlib error: %d (%s) (%s)\n", 2088 unexpected ? "unexpected " : "", zlib->rc, zlib_rc(zlib), reason); 2089 } 2090 } 2091 2092 static void 2093 zlib_end(struct zlib *zlib) 2094 { 2095 /* Output the summary line now; this ensures a summary line always gets 2096 * output regardless of the manner of exit. 2097 */ 2098 if (!zlib->global->quiet) 2099 { 2100 if (zlib->ok_bits < 16) /* stream was read ok */ 2101 { 2102 const char *reason; 2103 2104 if (zlib->cksum) 2105 reason = "CHK"; /* checksum error */ 2106 2107 else if (zlib->ok_bits > zlib->file_bits) 2108 reason = "TFB"; /* fixing a too-far-back error */ 2109 2110 else if (zlib->ok_bits == zlib->file_bits) 2111 reason = "OK "; 2112 2113 else 2114 reason = "OPT"; /* optimizing window bits */ 2115 2116 /* SUMMARY FORMAT (for a successful zlib inflate): 2117 * 2118 * IDAT reason flevel file-bits ok-bits compressed uncompressed file 2119 */ 2120 type_name(zlib->chunk->chunk_type, stdout); 2121 printf(" %s %s %d %d ", reason, zlib_flevel(zlib), zlib->file_bits, 2122 zlib->ok_bits); 2123 uarb_print(zlib->compressed_bytes, zlib->compressed_digits, stdout); 2124 putc(' ', stdout); 2125 uarb_print(zlib->uncompressed_bytes, zlib->uncompressed_digits, 2126 stdout); 2127 putc(' ', stdout); 2128 fputs(zlib->file->file_name, stdout); 2129 putc('\n', stdout); 2130 } 2131 2132 else 2133 { 2134 /* This is a zlib read error; the chunk will be skipped. For an IDAT 2135 * stream this will also cause a fatal read error (via stop()). 2136 * 2137 * SUMMARY FORMAT: 2138 * 2139 * IDAT SKP flevel file-bits z-rc compressed message file 2140 * 2141 * z-rc is the zlib failure code; message is the error message with 2142 * spaces replaced by '-'. The compressed byte count indicates where 2143 * in the zlib stream the error occurred. 2144 */ 2145 type_name(zlib->chunk->chunk_type, stdout); 2146 printf(" SKP %s %d %s ", zlib_flevel(zlib), zlib->file_bits, 2147 zlib_rc(zlib)); 2148 uarb_print(zlib->compressed_bytes, zlib->compressed_digits, stdout); 2149 putc(' ', stdout); 2150 emit_string(zlib->z.msg ? zlib->z.msg : "[no_message]", stdout); 2151 putc(' ', stdout); 2152 fputs(zlib->file->file_name, stdout); 2153 putc('\n', stdout); 2154 } 2155 } 2156 2157 if (zlib->state >= 0) 2158 { 2159 zlib->rc = inflateEnd(&zlib->z); 2160 2161 if (zlib->rc != Z_OK) 2162 zlib_message(zlib, 1/*unexpected*/); 2163 } 2164 2165 CLEAR(*zlib); 2166 } 2167 2168 static int 2169 zlib_reset(struct zlib *zlib, int window_bits) 2170 /* Reinitializes a zlib with a different window_bits */ 2171 { 2172 assert(zlib->state >= 0); /* initialized by zlib_init */ 2173 2174 zlib->z.next_in = Z_NULL; 2175 zlib->z.avail_in = 0; 2176 zlib->z.next_out = Z_NULL; 2177 zlib->z.avail_out = 0; 2178 2179 zlib->window_bits = window_bits; 2180 zlib->compressed_digits = 0; 2181 zlib->uncompressed_digits = 0; 2182 2183 zlib->state = 0; /* initialized, once */ 2184 zlib->rc = inflateReset2(&zlib->z, 0); 2185 if (zlib->rc != Z_OK) 2186 { 2187 zlib_message(zlib, 1/*unexpected*/); 2188 return 0; 2189 } 2190 2191 return 1; 2192 } 2193 2194 static int 2195 zlib_init(struct zlib *zlib, struct IDAT *idat, struct chunk *chunk, 2196 int window_bits, png_uint_32 offset) 2197 /* Initialize a zlib_control; the result is true/false */ 2198 { 2199 CLEAR(*zlib); 2200 2201 zlib->idat = idat; 2202 zlib->chunk = chunk; 2203 zlib->file = chunk->file; 2204 zlib->global = chunk->global; 2205 zlib->rewrite_offset = offset; /* never changed for this zlib */ 2206 2207 /* *_out does not need to be set: */ 2208 zlib->z.next_in = Z_NULL; 2209 zlib->z.avail_in = 0; 2210 zlib->z.zalloc = Z_NULL; 2211 zlib->z.zfree = Z_NULL; 2212 zlib->z.opaque = Z_NULL; 2213 2214 zlib->state = -1; 2215 zlib->window_bits = window_bits; 2216 2217 zlib->compressed_digits = 0; 2218 zlib->uncompressed_digits = 0; 2219 2220 /* These values are sticky across reset (in addition to the stuff in the 2221 * first block, which is actually constant.) 2222 */ 2223 zlib->file_bits = 24; 2224 zlib->ok_bits = 16; /* unset */ 2225 zlib->cksum = 0; /* set when a checksum error is detected */ 2226 2227 /* '0' means use the header; inflateInit2 should always succeed because it 2228 * does nothing apart from allocating the internal zstate. 2229 */ 2230 zlib->rc = inflateInit2(&zlib->z, 0); 2231 if (zlib->rc != Z_OK) 2232 { 2233 zlib_message(zlib, 1/*unexpected*/); 2234 return 0; 2235 } 2236 2237 else 2238 { 2239 zlib->state = 0; /* initialized */ 2240 return 1; 2241 } 2242 } 2243 2244 static int 2245 max_window_bits(uarbc size, int ndigits) 2246 /* Return the zlib stream window bits required for data of the given size. */ 2247 { 2248 png_uint_16 cb; 2249 2250 if (ndigits > 1) 2251 return 15; 2252 2253 cb = size[0]; 2254 2255 if (cb > 16384) return 15; 2256 if (cb > 8192) return 14; 2257 if (cb > 4096) return 13; 2258 if (cb > 2048) return 12; 2259 if (cb > 1024) return 11; 2260 if (cb > 512) return 10; 2261 if (cb > 256) return 9; 2262 return 8; 2263 } 2264 2265 static int 2266 zlib_advance(struct zlib *zlib, png_uint_32 nbytes) 2267 /* Read nbytes compressed bytes; the stream will be initialized if required. 2268 * Bytes are always being reread and errors are fatal. The return code is as 2269 * follows: 2270 * 2271 * -1: saw the "too far back" error 2272 * 0: ok, keep going 2273 * 1: saw Z_STREAM_END (zlib->extra_bytes indicates too much data) 2274 * 2: a zlib error that cannot be corrected (error message already 2275 * output if required.) 2276 */ 2277 # define ZLIB_TOO_FAR_BACK (-1) 2278 # define ZLIB_OK 0 2279 # define ZLIB_STREAM_END 1 2280 # define ZLIB_FATAL 2 2281 { 2282 int state = zlib->state; 2283 int endrc = ZLIB_OK; 2284 png_uint_32 in_bytes = 0; 2285 struct file *file = zlib->file; 2286 2287 assert(state >= 0); 2288 2289 while (in_bytes < nbytes && endrc == ZLIB_OK) 2290 { 2291 png_uint_32 out_bytes; 2292 int flush; 2293 png_byte bIn = reread_byte(file); 2294 png_byte bOut; 2295 2296 switch (state) 2297 { 2298 case 0: /* first header byte */ 2299 { 2300 int file_bits = 8+(bIn >> 4); 2301 int new_bits = zlib->window_bits; 2302 2303 zlib->file_bits = file_bits; 2304 2305 /* Check against the existing value - it may not need to be 2306 * changed. Note that a bogus file_bits is allowed through once, 2307 * to see if it works, but the window_bits value is set to 15, 2308 * the maximum. 2309 */ 2310 if (new_bits == 0) /* no change */ 2311 zlib->window_bits = ((file_bits > 15) ? 15 : file_bits); 2312 2313 else if (new_bits != file_bits) /* rewrite required */ 2314 bIn = (png_byte)((bIn & 0xf) + ((new_bits-8) << 4)); 2315 } 2316 2317 zlib->header[0] = bIn; 2318 zlib->state = state = 1; 2319 break; 2320 2321 case 1: /* second header byte */ 2322 { 2323 int b2 = bIn & 0xe0; /* top 3 bits */ 2324 2325 /* The checksum calculation, on the first 11 bits: */ 2326 b2 += 0x1f - ((zlib->header[0] << 8) + b2) % 0x1f; 2327 2328 /* Update the checksum byte if required: */ 2329 if (bIn != b2) 2330 { 2331 /* If the first byte wasn't changed this indicates an error in 2332 * the checksum calculation; signal this by setting 'cksum'. 2333 */ 2334 if (zlib->file_bits == zlib->window_bits) 2335 zlib->cksum = 1; 2336 2337 bIn = (png_byte)b2; 2338 } 2339 } 2340 2341 zlib->header[1] = bIn; 2342 zlib->state = state = 2; 2343 break; 2344 2345 default: /* After the header bytes */ 2346 break; 2347 } 2348 2349 /* For some streams, perhaps only those compressed with 'superfast 2350 * compression' (which results in a lot of copying) Z_BUF_ERROR can happen 2351 * immediately after all output has been flushed on the next input byte. 2352 * This is handled below when Z_BUF_ERROR is detected by adding an output 2353 * byte. 2354 */ 2355 zlib->z.next_in = &bIn; 2356 zlib->z.avail_in = 1; 2357 zlib->z.next_out = &bOut; 2358 zlib->z.avail_out = 0; /* Initially */ 2359 2360 /* Initially use Z_NO_FLUSH in an attempt to persuade zlib to look at this 2361 * byte without confusing what is going on with output. 2362 */ 2363 flush = Z_NO_FLUSH; 2364 out_bytes = 0; 2365 2366 /* NOTE: expression 3 is only evaluted on 'continue', because of the 2367 * 'break' at the end of this loop below. 2368 */ 2369 for (;endrc == ZLIB_OK; 2370 flush = Z_SYNC_FLUSH, 2371 zlib->z.next_out = &bOut, 2372 zlib->z.avail_out = 1, 2373 ++out_bytes) 2374 { 2375 zlib->rc = inflate(&zlib->z, flush); 2376 out_bytes -= zlib->z.avail_out; 2377 2378 switch (zlib->rc) 2379 { 2380 case Z_BUF_ERROR: 2381 if (zlib->z.avail_out == 0) 2382 continue; /* Try another output byte. */ 2383 2384 if (zlib->z.avail_in == 0) 2385 break; /* Try another input byte */ 2386 2387 /* Both avail_out and avail_in are 1 yet zlib returned a code 2388 * indicating no progress was possible. This is unexpected. 2389 */ 2390 zlib_message(zlib, 1/*unexpected*/); 2391 endrc = ZLIB_FATAL; /* stop processing */ 2392 break; 2393 2394 case Z_OK: 2395 /* Zlib is supposed to have made progress: */ 2396 assert(zlib->z.avail_out == 0 || zlib->z.avail_in == 0); 2397 continue; 2398 2399 case Z_STREAM_END: 2400 /* This is the successful end. */ 2401 zlib->state = 3; /* end of stream */ 2402 endrc = ZLIB_STREAM_END; 2403 break; 2404 2405 case Z_NEED_DICT: 2406 zlib_message(zlib, 0/*stream error*/); 2407 endrc = ZLIB_FATAL; 2408 break; 2409 2410 case Z_DATA_ERROR: 2411 /* The too far back error can be corrected, others cannot: */ 2412 if (zlib->z.msg != NULL && 2413 strcmp(zlib->z.msg, "invalid distance too far back") == 0) 2414 { 2415 endrc = ZLIB_TOO_FAR_BACK; 2416 break; 2417 } 2418 /* FALLTHROUGH */ 2419 2420 default: 2421 zlib_message(zlib, 0/*stream error*/); 2422 endrc = ZLIB_FATAL; 2423 break; 2424 } /* switch (inflate rc) */ 2425 2426 /* Control gets here when further output is not possible; endrc may 2427 * still be ZLIB_OK if more input is required. 2428 */ 2429 break; 2430 } /* for (output bytes) */ 2431 2432 /* Keep a running count of output byte produced: */ 2433 zlib->uncompressed_digits = uarb_add32(zlib->uncompressed_bytes, 2434 zlib->uncompressed_digits, out_bytes); 2435 2436 /* Keep going, the loop will terminate when endrc is no longer set to 2437 * ZLIB_OK or all the input bytes have been consumed; meanwhile keep 2438 * adding input bytes. 2439 */ 2440 assert(zlib->z.avail_in == 0 || endrc != ZLIB_OK); 2441 2442 in_bytes += 1 - zlib->z.avail_in; 2443 } /* while (input bytes) */ 2444 2445 assert(in_bytes == nbytes || endrc != ZLIB_OK); 2446 2447 /* Update the running total of input bytes consumed */ 2448 zlib->compressed_digits = uarb_add32(zlib->compressed_bytes, 2449 zlib->compressed_digits, in_bytes - zlib->z.avail_in); 2450 2451 /* At the end of the stream update the chunk with the accumulated 2452 * information if it is an improvement: 2453 */ 2454 if (endrc == ZLIB_STREAM_END && zlib->window_bits < zlib->ok_bits) 2455 { 2456 struct chunk *chunk = zlib->chunk; 2457 2458 chunk->uncompressed_digits = uarb_copy(chunk->uncompressed_bytes, 2459 zlib->uncompressed_bytes, zlib->uncompressed_digits); 2460 chunk->compressed_digits = uarb_copy(chunk->compressed_bytes, 2461 zlib->compressed_bytes, zlib->compressed_digits); 2462 chunk->rewrite_buffer[0] = zlib->header[0]; 2463 chunk->rewrite_buffer[1] = zlib->header[1]; 2464 2465 if (zlib->window_bits != zlib->file_bits || zlib->cksum) 2466 { 2467 /* A rewrite is required */ 2468 chunk->rewrite_offset = zlib->rewrite_offset; 2469 chunk->rewrite_length = 2; 2470 } 2471 2472 else 2473 { 2474 chunk->rewrite_offset = 0; 2475 chunk->rewrite_length = 0; 2476 } 2477 2478 if (in_bytes < nbytes) 2479 chunk_message(chunk, "extra compressed data"); 2480 2481 zlib->extra_bytes = nbytes - in_bytes; 2482 zlib->ok_bits = zlib->window_bits; 2483 } 2484 2485 return endrc; 2486 } 2487 2488 static int 2489 zlib_run(struct zlib *zlib) 2490 /* Like zlib_advance but also handles a stream of IDAT chunks. */ 2491 { 2492 /* The 'extra_bytes' field is set by zlib_advance if there is extra 2493 * compressed data in the chunk it handles (if it sees Z_STREAM_END before 2494 * all the input data has been used.) This function uses the value to update 2495 * the correct chunk length, so the problem should only ever be detected once 2496 * for each chunk. zlib_advance outputs the error message, though see the 2497 * IDAT specific check below. 2498 */ 2499 zlib->extra_bytes = 0; 2500 2501 if (zlib->idat != NULL) 2502 { 2503 struct IDAT_list *list = zlib->idat->idat_list_head; 2504 struct IDAT_list *last = zlib->idat->idat_list_tail; 2505 int skip = 0; 2506 2507 /* 'rewrite_offset' is the offset of the LZ data within the chunk, for 2508 * IDAT it should be 0: 2509 */ 2510 assert(zlib->rewrite_offset == 0); 2511 2512 /* Process each IDAT_list in turn; the caller has left the stream 2513 * positioned at the start of the first IDAT chunk data. 2514 */ 2515 for (;;) 2516 { 2517 const unsigned int count = list->count; 2518 unsigned int i; 2519 2520 for (i = 0; i<count; ++i) 2521 { 2522 int rc; 2523 2524 if (skip > 0) /* Skip CRC and next IDAT header */ 2525 skip_12(zlib->file); 2526 2527 skip = 12; /* for the next time */ 2528 2529 rc = zlib_advance(zlib, list->lengths[i]); 2530 2531 switch (rc) 2532 { 2533 case ZLIB_OK: /* keep going */ 2534 break; 2535 2536 case ZLIB_STREAM_END: /* stop */ 2537 /* There may be extra chunks; if there are and one of them is 2538 * not zero length output the 'extra data' message. Only do 2539 * this check if errors are being output. 2540 */ 2541 if (zlib->global->errors && zlib->extra_bytes == 0) 2542 { 2543 struct IDAT_list *check = list; 2544 int j = i+1, jcount = count; 2545 2546 for (;;) 2547 { 2548 for (; j<jcount; ++j) 2549 if (check->lengths[j] > 0) 2550 { 2551 chunk_message(zlib->chunk, 2552 "extra compressed data"); 2553 goto end_check; 2554 } 2555 2556 if (check == last) 2557 break; 2558 2559 check = check->next; 2560 jcount = check->count; 2561 j = 0; 2562 } 2563 } 2564 2565 end_check: 2566 /* Terminate the list at the current position, reducing the 2567 * length of the last IDAT too if required. 2568 */ 2569 list->lengths[i] -= zlib->extra_bytes; 2570 list->count = i+1; 2571 zlib->idat->idat_list_tail = list; 2572 /* FALLTHROUGH */ 2573 2574 default: 2575 return rc; 2576 } 2577 } 2578 2579 /* At the end of the compressed data and Z_STREAM_END was not seen. */ 2580 if (list == last) 2581 return ZLIB_OK; 2582 2583 list = list->next; 2584 } 2585 } 2586 2587 else 2588 { 2589 struct chunk *chunk = zlib->chunk; 2590 int rc; 2591 2592 assert(zlib->rewrite_offset < chunk->chunk_length); 2593 2594 rc = zlib_advance(zlib, chunk->chunk_length - zlib->rewrite_offset); 2595 2596 /* The extra bytes in the chunk are handled now by adjusting the chunk 2597 * length to exclude them; the zlib data is always stored at the end of 2598 * the PNG chunk (although clearly this is not necessary.) zlib_advance 2599 * has already output a warning message. 2600 */ 2601 chunk->chunk_length -= zlib->extra_bytes; 2602 return rc; 2603 } 2604 } 2605 2606 static int /* global function; not a member function */ 2607 zlib_check(struct file *file, png_uint_32 offset) 2608 /* Check the stream of zlib compressed data in either idat (if given) or (if 2609 * not) chunk. In fact it is zlib_run that handles the difference in reading 2610 * a single chunk and a list of IDAT chunks. 2611 * 2612 * In either case the input file must be positioned at the first byte of zlib 2613 * compressed data (the first header byte). 2614 * 2615 * The return value is true on success, including the case where the zlib 2616 * header may need to be rewritten, and false on an unrecoverable error. 2617 * 2618 * In the case of IDAT chunks 'offset' should be 0. 2619 */ 2620 { 2621 fpos_t start_pos; 2622 struct zlib zlib; 2623 2624 /* Record the start of the LZ data to allow a re-read. */ 2625 file_getpos(file, &start_pos); 2626 2627 /* First test the existing (file) window bits: */ 2628 if (zlib_init(&zlib, file->idat, file->chunk, 0/*window bits*/, offset)) 2629 { 2630 int min_bits, max_bits, rc; 2631 2632 /* The first run using the existing window bits. */ 2633 rc = zlib_run(&zlib); 2634 2635 switch (rc) 2636 { 2637 case ZLIB_TOO_FAR_BACK: 2638 /* too far back error */ 2639 file->status_code |= TOO_FAR_BACK; 2640 min_bits = zlib.window_bits + 1; 2641 max_bits = 15; 2642 break; 2643 2644 case ZLIB_STREAM_END: 2645 if (!zlib.global->optimize_zlib && 2646 zlib.window_bits == zlib.file_bits && !zlib.cksum) 2647 { 2648 /* The trivial case where the stream is ok and optimization was 2649 * not requested. 2650 */ 2651 zlib_end(&zlib); 2652 return 1; 2653 } 2654 2655 max_bits = max_window_bits(zlib.uncompressed_bytes, 2656 zlib.uncompressed_digits); 2657 if (zlib.ok_bits < max_bits) 2658 max_bits = zlib.ok_bits; 2659 min_bits = 8; 2660 2661 /* cksum is set if there is an error in the zlib header checksum 2662 * calculation in the original file (and this may be the only reason 2663 * a rewrite is required). We can't rely on the file window bits in 2664 * this case, so do the optimization anyway. 2665 */ 2666 if (zlib.cksum) 2667 chunk_message(zlib.chunk, "zlib checkum"); 2668 break; 2669 2670 2671 case ZLIB_OK: 2672 /* Truncated stream; unrecoverable, gets converted to ZLIB_FATAL */ 2673 zlib.z.msg = PNGZ_MSG_CAST("[truncated]"); 2674 zlib_message(&zlib, 0/*expected*/); 2675 /* FALLTHROUGH */ 2676 2677 default: 2678 /* Unrecoverable error; skip the chunk; a zlib_message has already 2679 * been output. 2680 */ 2681 zlib_end(&zlib); 2682 return 0; 2683 } 2684 2685 /* Optimize window bits or fix a too-far-back error. min_bits and 2686 * max_bits have been set appropriately, ok_bits records the bit value 2687 * known to work. 2688 */ 2689 while (min_bits < max_bits || max_bits < zlib.ok_bits/*if 16*/) 2690 { 2691 int test_bits = (min_bits + max_bits) >> 1; 2692 2693 if (zlib_reset(&zlib, test_bits)) 2694 { 2695 file_setpos(file, &start_pos); 2696 rc = zlib_run(&zlib); 2697 2698 switch (rc) 2699 { 2700 case ZLIB_TOO_FAR_BACK: 2701 min_bits = test_bits+1; 2702 if (min_bits > max_bits) 2703 { 2704 /* This happens when the stream really is damaged and it 2705 * contains a distance code that addresses bytes before 2706 * the start of the uncompressed data. 2707 */ 2708 assert(test_bits == 15); 2709 2710 /* Output the error that wasn't output before: */ 2711 if (zlib.z.msg == NULL) 2712 zlib.z.msg = PNGZ_MSG_CAST( 2713 "invalid distance too far back"); 2714 zlib_message(&zlib, 0/*stream error*/); 2715 zlib_end(&zlib); 2716 return 0; 2717 } 2718 break; 2719 2720 case ZLIB_STREAM_END: /* success */ 2721 max_bits = test_bits; 2722 break; 2723 2724 default: 2725 /* A fatal error; this happens if a too-far-back error was 2726 * hiding a more serious error, zlib_advance has already 2727 * output a zlib_message. 2728 */ 2729 zlib_end(&zlib); 2730 return 0; 2731 } 2732 } 2733 2734 else /* inflateReset2 failed */ 2735 { 2736 zlib_end(&zlib); 2737 return 0; 2738 } 2739 } 2740 2741 /* The loop guarantees this */ 2742 assert(zlib.ok_bits == max_bits); 2743 zlib_end(&zlib); 2744 return 1; 2745 } 2746 2747 else /* zlib initialization failed - skip the chunk */ 2748 { 2749 zlib_end(&zlib); 2750 return 0; 2751 } 2752 } 2753 2754 /***************************** LIBPNG CALLBACKS *******************************/ 2755 /* The strategy here is to run a regular libpng PNG file read but examine the 2756 * input data (from the file) before passing it to libpng so as to be aware of 2757 * the state we expect libpng to be in. Warning and error callbacks are also 2758 * intercepted so that they can be quieted and interpreted. Interpretation 2759 * depends on a somewhat risky string match for known error messages; let us 2760 * hope that this can be fixed in the next version of libpng. 2761 * 2762 * The control structure is pointed to by the libpng error pointer. It contains 2763 * that set of structures which must persist across multiple read callbacks, 2764 * which is pretty much everything except the 'zlib' control structure. 2765 * 2766 * The file structure is instantiated in the caller of the per-file routine, but 2767 * the per-file routine contains the chunk and IDAT control structures. 2768 */ 2769 /* The three routines read_chunk, process_chunk and sync_stream can only be 2770 * called via a call to read_chunk and only exit at a return from process_chunk. 2771 * These routines could have been written as one confusing large routine, 2772 * instead this code relies on the compiler to do tail call elimination. The 2773 * possible calls are as follows: 2774 * 2775 * read_chunk 2776 * -> sync_stream 2777 * -> process_chunk 2778 * -> process_chunk 2779 * -> read_chunk 2780 * returns 2781 */ 2782 static void read_chunk(struct file *file); 2783 static void 2784 process_chunk(struct file *file, png_uint_32 file_crc, png_uint_32 next_length, 2785 png_uint_32 next_type) 2786 /* Called when the chunk data has been read, next_length and next_type 2787 * will be set for the next chunk (or 0 if this is IEND). 2788 * 2789 * When this routine returns, chunk_length and chunk_type will be set for the 2790 * next chunk to write because if a chunk is skipped this return calls back 2791 * to read_chunk. 2792 */ 2793 { 2794 const png_uint_32 type = file->type; 2795 2796 if (file->global->verbose > 1) 2797 { 2798 fputs(" ", stderr); 2799 type_name(file->type, stderr); 2800 fprintf(stderr, " %lu 0x%.8x 0x%.8x\n", (unsigned long)file->length, 2801 file->crc ^ 0xffffffff, file_crc); 2802 } 2803 2804 /* The basic structure seems correct but the CRC may not match, in this 2805 * case assume that it is simply a bad CRC, either wrongly calculated or 2806 * because of damaged stream data. 2807 */ 2808 if ((file->crc ^ 0xffffffff) != file_crc) 2809 { 2810 /* The behavior is set by the 'skip' setting; if it is anything other 2811 * than SKIP_BAD_CRC ignore the bad CRC and return the chunk, with a 2812 * corrected CRC and possibly processed, to libpng. Otherwise skip the 2813 * chunk, which will result in a fatal error if the chunk is critical. 2814 */ 2815 file->status_code |= CRC_ERROR; 2816 2817 /* Ignore the bad CRC */ 2818 if (file->global->skip != SKIP_BAD_CRC) 2819 type_message(file, type, "bad CRC"); 2820 2821 /* This will cause an IEND with a bad CRC to stop */ 2822 else if (CRITICAL(type)) 2823 stop(file, READ_ERROR_CODE, "bad CRC in critical chunk"); 2824 2825 else 2826 { 2827 type_message(file, type, "skipped: bad CRC"); 2828 2829 /* NOTE: this cannot be reached for IEND because it is critical. */ 2830 goto skip_chunk; 2831 } 2832 } 2833 2834 /* Check for other 'skip' cases and handle these; these only apply to 2835 * ancillary chunks (and not tRNS, which should probably have been a critical 2836 * chunk.) 2837 */ 2838 if (skip_chunk_type(file->global, type)) 2839 goto skip_chunk; 2840 2841 /* The chunk may still be skipped if problems are detected in the LZ data, 2842 * however the LZ data check requires a chunk. Handle this by instantiating 2843 * a chunk unless an IDAT is already instantiated (IDAT control structures 2844 * instantiate their own chunk.) 2845 */ 2846 if (type != png_IDAT) 2847 file->alloc(file, 0/*chunk*/); 2848 2849 else if (file->idat == NULL) 2850 file->alloc(file, 1/*IDAT*/); 2851 2852 else 2853 { 2854 /* The chunk length must be updated for process_IDAT */ 2855 assert(file->chunk != NULL); 2856 assert(file->chunk->chunk_type == png_IDAT); 2857 file->chunk->chunk_length = file->length; 2858 } 2859 2860 /* Record the 'next' information too, now that the original values for 2861 * this chunk have been copied. Notice that the IDAT chunks only make a 2862 * copy of the position of the first chunk, this is fine - process_IDAT does 2863 * not need the position of this chunk. 2864 */ 2865 file->length = next_length; 2866 file->type = next_type; 2867 getpos(file); 2868 2869 /* Do per-type processing, note that if this code does not return from the 2870 * function the chunk will be skipped. The rewrite is cancelled here so that 2871 * it can be set in the per-chunk processing. 2872 */ 2873 file->chunk->rewrite_length = 0; 2874 file->chunk->rewrite_offset = 0; 2875 switch (type) 2876 { 2877 default: 2878 return; 2879 2880 case png_IHDR: 2881 /* Read this now and update the control structure with the information 2882 * it contains. The header is validated completely to ensure this is a 2883 * PNG. 2884 */ 2885 { 2886 struct chunk *chunk = file->chunk; 2887 2888 if (chunk->chunk_length != 13) 2889 stop_invalid(file, "IHDR length"); 2890 2891 /* Read all the IHDR information and validate it. */ 2892 setpos(chunk); 2893 file->width = reread_4(file); 2894 file->height = reread_4(file); 2895 file->bit_depth = reread_byte(file); 2896 file->color_type = reread_byte(file); 2897 file->compression_method = reread_byte(file); 2898 file->filter_method = reread_byte(file); 2899 file->interlace_method = reread_byte(file); 2900 2901 /* This validates all the fields, and calls stop_invalid if 2902 * there is a problem. 2903 */ 2904 calc_image_size(file); 2905 } 2906 return; 2907 2908 /* Ancillary chunks that require further processing: */ 2909 case png_zTXt: case png_iCCP: 2910 if (process_zTXt_iCCP(file)) 2911 return; 2912 chunk_end(&file->chunk); 2913 file_setpos(file, &file->data_pos); 2914 break; 2915 2916 case png_iTXt: 2917 if (process_iTXt(file)) 2918 return; 2919 chunk_end(&file->chunk); 2920 file_setpos(file, &file->data_pos); 2921 break; 2922 2923 case png_IDAT: 2924 if (process_IDAT(file)) 2925 return; 2926 /* First pass: */ 2927 assert(next_type == png_IDAT); 2928 break; 2929 } 2930 2931 /* Control reaches this point if the chunk must be skipped. For chunks other 2932 * than IDAT this means that the zlib compressed data is fatally damanged and 2933 * the chunk will not be passed to libpng. For IDAT it means that the end of 2934 * the IDAT stream has not yet been reached and we must handle the next 2935 * (IDAT) chunk. If the LZ data in an IDAT stream cannot be read 'stop' must 2936 * be used to halt parsing of the PNG. 2937 */ 2938 read_chunk(file); 2939 return; 2940 2941 /* This is the generic code to skip the current chunk; simply jump to the 2942 * next one. 2943 */ 2944 skip_chunk: 2945 file->length = next_length; 2946 file->type = next_type; 2947 getpos(file); 2948 read_chunk(file); 2949 } 2950 2951 static png_uint_32 2952 get32(png_bytep buffer, int offset) 2953 /* Read a 32-bit value from an 8-byte circular buffer (used only below). 2954 */ 2955 { 2956 return 2957 (buffer[ offset & 7] << 24) + 2958 (buffer[(offset+1) & 7] << 16) + 2959 (buffer[(offset+2) & 7] << 8) + 2960 (buffer[(offset+3) & 7] ); 2961 } 2962 2963 static void 2964 sync_stream(struct file *file) 2965 /* The stream seems to be messed up, attempt to resync from the current chunk 2966 * header. Executes stop on a fatal error, otherwise calls process_chunk. 2967 */ 2968 { 2969 png_uint_32 file_crc; 2970 2971 file->status_code |= STREAM_ERROR; 2972 2973 if (file->global->verbose) 2974 { 2975 fputs(" SYNC ", stderr); 2976 type_name(file->type, stderr); 2977 putc('\n', stderr); 2978 } 2979 2980 /* Return to the start of the chunk data */ 2981 file_setpos(file, &file->data_pos); 2982 file->read_count = 8; 2983 2984 if (read_4(file, &file_crc) == 4) /* else completely truncated */ 2985 { 2986 /* Ignore the recorded chunk length, proceed through the data looking for 2987 * a leading sequence of bytes that match the CRC in the following four 2988 * bytes. Each time a match is found check the next 8 bytes for a valid 2989 * length, chunk-type pair. 2990 */ 2991 png_uint_32 length; 2992 png_uint_32 type = file->type; 2993 png_uint_32 crc = crc_init_4(type); 2994 png_byte buffer[8]; 2995 unsigned int nread = 0, nused = 0; 2996 2997 for (length=0; length <= 0x7fffffff; ++length) 2998 { 2999 int ch; 3000 3001 if ((crc ^ 0xffffffff) == file_crc) 3002 { 3003 /* A match on the CRC; for IEND this is sufficient, but for anything 3004 * else expect a following chunk header. 3005 */ 3006 if (type == png_IEND) 3007 { 3008 file->length = length; 3009 process_chunk(file, file_crc, 0, 0); 3010 return; 3011 } 3012 3013 else 3014 { 3015 /* Need 8 bytes */ 3016 while (nread < 8+nused) 3017 { 3018 ch = read_byte(file); 3019 if (ch == EOF) 3020 goto truncated; 3021 buffer[(nread++) & 7] = (png_byte)ch; 3022 } 3023 3024 /* Prevent overflow */ 3025 nread -= nused & ~7; 3026 nused -= nused & ~7; /* or, nused &= 7 ;-) */ 3027 3028 /* Examine the 8 bytes for a valid chunk header. */ 3029 { 3030 png_uint_32 next_length = get32(buffer, nused); 3031 3032 if (next_length < 0x7fffffff) 3033 { 3034 png_uint_32 next_type = get32(buffer, nused+4); 3035 3036 if (chunk_type_valid(next_type)) 3037 { 3038 file->read_count -= 8; 3039 process_chunk(file, file_crc, next_length, next_type); 3040 return; 3041 } 3042 } 3043 3044 /* Not valid, keep going. */ 3045 } 3046 } 3047 } 3048 3049 /* This catches up with the circular buffer which gets filled above 3050 * while checking a chunk header. This code is slightly tricky - if 3051 * the chunk_type is IEND the buffer will never be used, if it is not 3052 * the code will always read ahead exactly 8 bytes and pass this on to 3053 * process_chunk. So the invariant that IEND leaves the file position 3054 * after the IEND CRC and other chunk leave it after the *next* chunk 3055 * header is not broken. 3056 */ 3057 if (nread <= nused) 3058 { 3059 ch = read_byte(file); 3060 3061 if (ch == EOF) 3062 goto truncated; 3063 } 3064 3065 else 3066 ch = buffer[(++nused) & 7]; 3067 3068 crc = crc_one_byte(crc, file_crc >> 24); 3069 file_crc = (file_crc << 8) + ch; 3070 } 3071 3072 /* Control gets to here if when 0x7fffffff bytes (plus 8) have been read, 3073 * ok, treat this as a damaged stream too: 3074 */ 3075 } 3076 3077 truncated: 3078 stop(file, READ_ERROR_CODE, "damaged PNG stream"); 3079 } 3080 3081 static void 3082 read_chunk(struct file *file) 3083 /* On entry file::data_pos must be set to the position of the first byte 3084 * of the chunk data *and* the input file must be at this position. This 3085 * routine (via process_chunk) instantiates a chunk or IDAT control structure 3086 * based on file::length and file::type and also resets these fields and 3087 * file::data_pos for the chunk after this one. For an IDAT chunk the whole 3088 * stream of IDATs will be read, until something other than an IDAT is 3089 * encountered, and the file fields will be set for the chunk after the end 3090 * of the stream of IDATs. 3091 * 3092 * For IEND the file::type field will be set to 0, and nothing beyond the end 3093 * of the IEND chunk will have been read. 3094 */ 3095 { 3096 png_uint_32 length = file->length; 3097 png_uint_32 type = file->type; 3098 3099 /* After IEND file::type is set to 0, if libpng attempts to read 3100 * more data at this point this is a bug in libpng. 3101 */ 3102 if (type == 0) 3103 stop(file, UNEXPECTED_ERROR_CODE, "read beyond IEND"); 3104 3105 if (file->global->verbose > 2) 3106 { 3107 fputs(" ", stderr); 3108 type_name(type, stderr); 3109 fprintf(stderr, " %lu\n", (unsigned long)length); 3110 } 3111 3112 /* Start the read_crc calculation with the chunk type, then read to the end 3113 * of the chunk data (without processing it in any way) to check that it is 3114 * all there and calculate the CRC. 3115 */ 3116 file->crc = crc_init_4(type); 3117 if (crc_read_many(file, length)) /* else it was truncated */ 3118 { 3119 png_uint_32 file_crc; /* CRC read from file */ 3120 unsigned int nread = read_4(file, &file_crc); 3121 3122 if (nread == 4) 3123 { 3124 if (type != png_IEND) /* do not read beyond IEND */ 3125 { 3126 png_uint_32 next_length; 3127 3128 nread += read_4(file, &next_length); 3129 if (nread == 8 && next_length <= 0x7fffffff) 3130 { 3131 png_uint_32 next_type; 3132 3133 nread += read_4(file, &next_type); 3134 3135 if (nread == 12 && chunk_type_valid(next_type)) 3136 { 3137 /* Adjust the read count back to the correct value for this 3138 * chunk. 3139 */ 3140 file->read_count -= 8; 3141 process_chunk(file, file_crc, next_length, next_type); 3142 return; 3143 } 3144 } 3145 } 3146 3147 else /* IEND */ 3148 { 3149 process_chunk(file, file_crc, 0, 0); 3150 return; 3151 } 3152 } 3153 } 3154 3155 /* Control gets to here if the the stream seems invalid or damaged in some 3156 * way. Either there was a problem reading all the expected data (this 3157 * chunk's data, its CRC and the length and type of the next chunk) or the 3158 * next chunk length/type are invalid. Notice that the cases that end up 3159 * here all correspond to cases that would otherwise terminate the read of 3160 * the PNG file. 3161 */ 3162 sync_stream(file); 3163 } 3164 3165 /* This returns a file* from a png_struct in an implementation specific way. */ 3166 static struct file *get_control(png_const_structrp png_ptr); 3167 3168 static void PNGCBAPI 3169 error_handler(png_structp png_ptr, png_const_charp message) 3170 { 3171 stop(get_control(png_ptr), LIBPNG_ERROR_CODE, message); 3172 } 3173 3174 static void PNGCBAPI 3175 warning_handler(png_structp png_ptr, png_const_charp message) 3176 { 3177 struct file *file = get_control(png_ptr); 3178 3179 if (file->global->warnings) 3180 emit_error(file, LIBPNG_WARNING_CODE, message); 3181 } 3182 3183 /* Read callback - this is where the work gets done to check the stream before 3184 * passing it to libpng 3185 */ 3186 static void PNGCBAPI 3187 read_callback(png_structp png_ptr, png_bytep buffer, size_t count) 3188 /* Return 'count' bytes to libpng in 'buffer' */ 3189 { 3190 struct file *file = get_control(png_ptr); 3191 png_uint_32 type, length; /* For the chunk be *WRITTEN* */ 3192 struct chunk *chunk; 3193 3194 /* libpng should always ask for at least one byte */ 3195 if (count == 0) 3196 stop(file, UNEXPECTED_ERROR_CODE, "read callback for 0 bytes"); 3197 3198 /* The callback always reads ahead by 8 bytes - the signature or chunk header 3199 * - these bytes are stored in chunk_length and chunk_type. This block is 3200 * executed once for the signature and once for the first chunk right at the 3201 * start. 3202 */ 3203 if (file->read_count < 8) 3204 { 3205 assert(file->read_count == 0); 3206 assert((file->status_code & TRUNCATED) == 0); 3207 3208 (void)read_4(file, &file->length); 3209 3210 if (file->read_count == 4) 3211 (void)read_4(file, &file->type); 3212 3213 if (file->read_count < 8) 3214 { 3215 assert((file->status_code & TRUNCATED) != 0); 3216 stop(file, READ_ERROR_CODE, "not a PNG (too short)"); 3217 } 3218 3219 if (file->state == STATE_SIGNATURE) 3220 { 3221 if (file->length != sig1 || file->type != sig2) 3222 stop(file, LIBPNG_ERROR_CODE, "not a PNG (signature)"); 3223 3224 /* Else write it (this is the initialization of write_count, prior to 3225 * this it contains CLEAR garbage.) 3226 */ 3227 file->write_count = 0; 3228 } 3229 3230 else 3231 { 3232 assert(file->state == STATE_CHUNKS); 3233 3234 /* The first chunk must be a well formed IHDR (this could be relaxed to 3235 * use the checks in process_chunk, but that seems unnecessary.) 3236 */ 3237 if (file->length != 13 || file->type != png_IHDR) 3238 stop(file, LIBPNG_ERROR_CODE, "not a PNG (IHDR)"); 3239 3240 /* The position of the data must be stored too */ 3241 getpos(file); 3242 } 3243 } 3244 3245 /* Retrieve previous state (because the read callbacks are made pretty much 3246 * byte-by-byte in the sequential reader prior to 1.7). 3247 */ 3248 chunk = file->chunk; 3249 3250 if (chunk != NULL) 3251 { 3252 length = chunk->chunk_length; 3253 type = chunk->chunk_type; 3254 } 3255 3256 else 3257 { 3258 /* This is the signature case; for IDAT and other chunks these values will 3259 * be overwritten when read_chunk is called below. 3260 */ 3261 length = file->length; 3262 type = file->type; 3263 } 3264 3265 do 3266 { 3267 png_uint_32 b; 3268 3269 /* Complete the read of a chunk; as a side effect this also instantiates 3270 * a chunk control structure and sets the file length/type/data_pos fields 3271 * for the *NEXT* chunk header. 3272 * 3273 * NOTE: at an IDAT any following IDAT chunks will also be read and the 3274 * next_ fields will refer to the chunk after the last IDAT. 3275 * 3276 * NOTE: read_chunk only returns when it has read a chunk that must now be 3277 * written. 3278 */ 3279 if (file->state != STATE_SIGNATURE && chunk == NULL) 3280 { 3281 assert(file->read_count == 8); 3282 assert(file->idat == NULL); 3283 read_chunk(file); 3284 chunk = file->chunk; 3285 assert(chunk != NULL); 3286 3287 /* Do the initialization that was not done before. */ 3288 length = chunk->chunk_length; 3289 type = chunk->chunk_type; 3290 3291 /* And start writing the new chunk. */ 3292 file->write_count = 0; 3293 } 3294 3295 /* The chunk_ fields describe a chunk that must be written, or hold the 3296 * signature. Write the header first. In the signature case this 3297 * rewrites the signature. 3298 */ 3299 switch (file->write_count) 3300 { 3301 case 0: b = length >> 24; break; 3302 case 1: b = length >> 16; break; 3303 case 2: b = length >> 8; break; 3304 case 3: b = length ; break; 3305 3306 case 4: b = type >> 24; break; 3307 case 5: b = type >> 16; break; 3308 case 6: b = type >> 8; break; 3309 case 7: b = type ; break; 3310 3311 case 8: 3312 /* The header has been written. If this is really the signature 3313 * that's all that is required and we can go to normal chunk 3314 * processing. 3315 */ 3316 if (file->state == STATE_SIGNATURE) 3317 { 3318 /* The signature has been written, the tail call to read_callback 3319 * below (it's just a goto to the start with a decent compiler) 3320 * will read the IHDR header ahead and validate it. 3321 */ 3322 assert(length == sig1 && type == sig2); 3323 file->read_count = 0; /* Forces a header read */ 3324 file->state = STATE_CHUNKS; /* IHDR: checked above */ 3325 read_callback(png_ptr, buffer, count); 3326 return; 3327 } 3328 3329 else 3330 { 3331 assert(chunk != NULL); 3332 3333 /* Set up for write, notice that repositioning the input stream 3334 * is only necessary if something is to be read from it. Also 3335 * notice that for the IDAT stream this must only happen once - 3336 * on the first IDAT - to get back to the start of the list and 3337 * this is done inside process_IDAT: 3338 */ 3339 chunk->write_crc = crc_init_4(type); 3340 if (file->state != STATE_IDAT && length > 0) 3341 setpos(chunk); 3342 } 3343 /* FALLTHROUGH */ 3344 3345 default: 3346 assert(chunk != NULL); 3347 3348 /* NOTE: the arithmetic below overflows and gives a large positive 3349 * png_uint_32 value until the whole chunk data has been written. 3350 */ 3351 switch (file->write_count - length) 3352 { 3353 /* Write the chunk data, normally this just comes from 3354 * the file. The only exception is for that part of a 3355 * chunk which is zlib data and which must be rewritten, 3356 * and IDAT chunks which can be completely 3357 * reconstructed. 3358 */ 3359 default: 3360 if (file->state == STATE_IDAT) 3361 { 3362 struct IDAT *idat = file->idat; 3363 3364 assert(idat != NULL); 3365 3366 /* Read an IDAT byte from the input stream of IDAT chunks. 3367 * Because the IDAT stream can be re-chunked this stream is 3368 * held in the struct IDAT members. The chunk members, in 3369 * particular chunk_length (and therefore the length local) 3370 * refer to the output chunk. 3371 */ 3372 while (idat->idat_index >= idat->idat_length) 3373 { 3374 /* Advance one chunk */ 3375 struct IDAT_list *cur = idat->idat_cur; 3376 3377 assert(idat->idat_index == idat->idat_length); 3378 assert(cur != NULL && cur->count > 0); 3379 3380 /* NOTE: IDAT_list::count here, not IDAT_list::length */ 3381 if (++(idat->idat_count) >= cur->count) 3382 { 3383 assert(idat->idat_count == cur->count); 3384 3385 /* Move on to the next IDAT_list: */ 3386 cur = cur->next; 3387 3388 /* This is an internal error - read beyond the end of 3389 * the pre-calculated stream. 3390 */ 3391 if (cur == NULL || cur->count == 0) 3392 stop(file, UNEXPECTED_ERROR_CODE, 3393 "read beyond end of IDAT"); 3394 3395 idat->idat_count = 0; 3396 idat->idat_cur = cur; 3397 } 3398 3399 idat->idat_index = 0; 3400 /* Zero length IDAT chunks are permitted, so the length 3401 * here may be 0. 3402 */ 3403 idat->idat_length = cur->lengths[idat->idat_count]; 3404 3405 /* And skip 12 bytes to the next chunk data */ 3406 skip_12(file); 3407 } 3408 3409 /* The index is always that of the next byte, the rest of 3410 * the information is always the current IDAT chunk and the 3411 * current list. 3412 */ 3413 ++(idat->idat_index); 3414 } 3415 3416 /* Read the byte from the stream. */ 3417 b = reread_byte(file); 3418 3419 /* If the byte must be rewritten handle that here */ 3420 if (chunk->rewrite_length > 0) 3421 { 3422 if (chunk->rewrite_offset > 0) 3423 --(chunk->rewrite_offset); 3424 3425 else 3426 { 3427 b = chunk->rewrite_buffer[0]; 3428 memmove(chunk->rewrite_buffer, chunk->rewrite_buffer+1, 3429 (sizeof chunk->rewrite_buffer)- 3430 (sizeof chunk->rewrite_buffer[0])); 3431 3432 --(chunk->rewrite_length); 3433 } 3434 } 3435 3436 chunk->write_crc = crc_one_byte(chunk->write_crc, b); 3437 break; 3438 3439 /* The CRC is written at: 3440 * 3441 * chunk_write == chunk_length+8..chunk_length+11 3442 * 3443 * so 8 to 11. The CRC is not (yet) conditioned. 3444 */ 3445 case 8: b = chunk->write_crc >> 24; goto write_crc; 3446 case 9: b = chunk->write_crc >> 16; goto write_crc; 3447 case 10: b = chunk->write_crc >> 8; goto write_crc; 3448 case 11: 3449 /* This must happen before the chunk_end below: */ 3450 b = chunk->write_crc; 3451 3452 if (file->global->verbose > 2) 3453 { 3454 fputs(" ", stderr); 3455 type_name(type, stderr); 3456 fprintf(stderr, " %lu 0x%.8x\n", (unsigned long)length, 3457 chunk->write_crc ^ 0xffffffff); 3458 } 3459 3460 /* The IDAT stream is written without a call to read_chunk 3461 * until the end is reached. rechunk_length() calculates the 3462 * length of the output chunks. Control gets to this point at 3463 * the end of an *output* chunk - the length calculated by 3464 * rechunk_length. If this corresponds to the end of the 3465 * input stream stop writing IDAT chunks, otherwise continue. 3466 */ 3467 if (file->state == STATE_IDAT && 3468 (file->idat->idat_index < file->idat->idat_length || 3469 1+file->idat->idat_count < file->idat->idat_cur->count || 3470 file->idat->idat_cur != file->idat->idat_list_tail)) 3471 { 3472 /* Write another IDAT chunk. Call rechunk_length to 3473 * calculate the length required. 3474 */ 3475 length = chunk->chunk_length = 3476 rechunk_length(file->idat, 0/*end*/); 3477 assert(type == png_IDAT); 3478 file->write_count = 0; /* for the new chunk */ 3479 --(file->write_count); /* fake out the increment below */ 3480 } 3481 3482 else 3483 { 3484 /* Entered at the end of a non-IDAT chunk and at the end of 3485 * the IDAT stream. The rewrite should have been cleared. 3486 */ 3487 if (chunk->rewrite_length > 0 || chunk->rewrite_offset > 0) 3488 stop(file, UNEXPECTED_ERROR_CODE, "pending rewrite"); 3489 3490 /* This is the last byte so reset chunk_read for the next 3491 * chunk and move the input file to the position after the 3492 * *next* chunk header if required. 3493 */ 3494 file->read_count = 8; 3495 file_setpos(file, &file->data_pos); 3496 3497 if (file->idat == NULL) 3498 chunk_end(&file->chunk); 3499 3500 else 3501 IDAT_end(&file->idat); 3502 } 3503 3504 write_crc: 3505 b ^= 0xff; /* conditioning */ 3506 break; 3507 } 3508 break; 3509 } 3510 3511 /* Write one byte */ 3512 b &= 0xff; 3513 *buffer++ = (png_byte)b; 3514 --count; 3515 write_byte(file, (png_byte)b); /* increments chunk_write */ 3516 } 3517 while (count > 0); 3518 } 3519 3520 /* Bundle the file and an uninitialized chunk and IDAT control structure 3521 * together to allow implementation of the chunk/IDAT allocate routine. 3522 */ 3523 struct control 3524 { 3525 struct file file; 3526 struct chunk chunk; 3527 struct IDAT idat; 3528 }; 3529 3530 static int 3531 control_end(struct control *control) 3532 { 3533 return file_end(&control->file); 3534 } 3535 3536 static struct file * 3537 get_control(png_const_structrp png_ptr) 3538 { 3539 /* This just returns the (file*). The chunk and idat control structures 3540 * don't always exist. 3541 */ 3542 struct control *control = voidcast(struct control*, 3543 png_get_error_ptr(png_ptr)); 3544 return &control->file; 3545 } 3546 3547 static void 3548 allocate(struct file *file, int allocate_idat) 3549 { 3550 struct control *control = voidcast(struct control*, file->alloc_ptr); 3551 3552 if (allocate_idat) 3553 { 3554 assert(file->idat == NULL); 3555 IDAT_init(&control->idat, file); 3556 } 3557 3558 else /* chunk */ 3559 { 3560 assert(file->chunk == NULL); 3561 chunk_init(&control->chunk, file); 3562 } 3563 } 3564 3565 static int 3566 control_init(struct control *control, struct global *global, 3567 const char *file_name, const char *out_name) 3568 /* This wraps file_init(&control::file) and simply returns the result from 3569 * file_init. 3570 */ 3571 { 3572 return file_init(&control->file, global, file_name, out_name, control, 3573 allocate); 3574 } 3575 3576 static int 3577 read_png(struct control *control) 3578 /* Read a PNG, return 0 on success else an error (status) code; a bit mask as 3579 * defined for file::status_code as above. 3580 */ 3581 { 3582 png_structp png_ptr; 3583 png_infop info_ptr = NULL; 3584 volatile int rc; 3585 3586 png_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, control, 3587 error_handler, warning_handler); 3588 3589 if (png_ptr == NULL) 3590 { 3591 /* This is not really expected. */ 3592 log_error(&control->file, LIBPNG_ERROR_CODE, "OOM allocating png_struct"); 3593 control->file.status_code |= INTERNAL_ERROR; 3594 return LIBPNG_ERROR_CODE; 3595 } 3596 3597 rc = setjmp(control->file.jmpbuf); 3598 if (rc == 0) 3599 { 3600 # ifdef PNG_SET_USER_LIMITS_SUPPORTED 3601 /* Remove any limits on the size of PNG files that can be read, 3602 * without this we may reject files based on built-in safety 3603 * limits. 3604 */ 3605 png_set_user_limits(png_ptr, 0x7fffffff, 0x7fffffff); 3606 png_set_chunk_cache_max(png_ptr, 0); 3607 png_set_chunk_malloc_max(png_ptr, 0); 3608 # endif 3609 3610 png_set_read_fn(png_ptr, control, read_callback); 3611 3612 info_ptr = png_create_info_struct(png_ptr); 3613 if (info_ptr == NULL) 3614 png_error(png_ptr, "OOM allocating info structure"); 3615 3616 if (control->file.global->verbose) 3617 fprintf(stderr, " INFO\n"); 3618 3619 png_read_info(png_ptr, info_ptr); 3620 3621 { 3622 png_uint_32 height = png_get_image_height(png_ptr, info_ptr); 3623 int passes = png_set_interlace_handling(png_ptr); 3624 int pass; 3625 3626 png_start_read_image(png_ptr); 3627 3628 for (pass = 0; pass < passes; ++pass) 3629 { 3630 png_uint_32 y = height; 3631 3632 /* NOTE: this skips asking libpng to return either version of 3633 * the image row, but libpng still reads the rows. 3634 */ 3635 while (y-- > 0) 3636 png_read_row(png_ptr, NULL, NULL); 3637 } 3638 } 3639 3640 if (control->file.global->verbose) 3641 fprintf(stderr, " END\n"); 3642 3643 /* Make sure to read to the end of the file: */ 3644 png_read_end(png_ptr, info_ptr); 3645 } 3646 3647 png_destroy_read_struct(&png_ptr, &info_ptr, NULL); 3648 return rc; 3649 } 3650 3651 static int 3652 one_file(struct global *global, const char *file_name, const char *out_name) 3653 { 3654 int rc; 3655 struct control control; 3656 3657 if (global->verbose) 3658 fprintf(stderr, "FILE %s -> %s\n", file_name, 3659 out_name ? out_name : "<none>"); 3660 3661 /* Although control_init can return a failure code the structure is always 3662 * initialized, so control_end can be used to accumulate any status codes. 3663 */ 3664 rc = control_init(&control, global, file_name, out_name); 3665 3666 if (rc == 0) 3667 rc = read_png(&control); 3668 3669 rc |= control_end(&control); 3670 3671 return rc; 3672 } 3673 3674 static void 3675 usage(const char *prog) 3676 { 3677 /* ANSI C-90 limits strings to 509 characters, so use a string array: */ 3678 size_t i; 3679 static const char *usage_string[] = { 3680 " Tests, optimizes and optionally fixes the zlib header in PNG files.", 3681 " Optionally, when fixing, strips ancilliary chunks from the file.", 3682 0, 3683 "OPTIONS", 3684 " OPERATION", 3685 " By default files are just checked for readability with a summary of the", 3686 " of zlib issues founds for each compressed chunk and the IDAT stream in", 3687 " the file.", 3688 " --optimize (-o):", 3689 " Find the smallest deflate window size for the compressed data.", 3690 " --strip=[none|crc|unsafe|unused|transform|color|all]:", 3691 " none (default): Retain all chunks.", 3692 " crc: Remove chunks with a bad CRC.", 3693 " unsafe: Remove chunks that may be unsafe to retain if the image data", 3694 " is modified. This is set automatically if --max is given but", 3695 " may be cancelled by a later --strip=none.", 3696 " unused: Remove chunks not used by libpng when decoding an image.", 3697 " This retains any chunks that might be used by libpng image", 3698 " transformations.", 3699 " transform: unused+bKGD.", 3700 " color: transform+iCCP and cHRM.", 3701 " all: color+gAMA and sRGB.", 3702 " Only ancillary chunks are ever removed. In addition the tRNS and sBIT", 3703 " chunks are never removed as they affect exact interpretation of the", 3704 " image pixel values. The following known chunks are treated specially", 3705 " by the above options:", 3706 " gAMA, sRGB [all]: These specify the gamma encoding used for the pixel", 3707 " values.", 3708 " cHRM, iCCP [color]: These specify how colors are encoded. iCCP also", 3709 " specifies the exact encoding of a pixel value; however, in", 3710 " practice most programs will ignore it.", 3711 " bKGD [transform]: This is used by libpng transforms." 3712 " --max=<number>:", 3713 " Use IDAT chunks sized <number>. If no number is given the the IDAT", 3714 " chunks will be the maximum size permitted; 2^31-1 bytes. If the option", 3715 " is omitted the original chunk sizes will not be changed. When the", 3716 " option is given --strip=unsafe is set automatically. This may be", 3717 " cancelled if you know that all unknown unsafe-to-copy chunks really are", 3718 " safe to copy across an IDAT size change. This is true of all chunks", 3719 " that have ever been formally proposed as PNG extensions.", 3720 " MESSAGES", 3721 " By default the program only outputs summaries for each file.", 3722 " --quiet (-q):", 3723 " Do not output the summaries except for files that cannot be read. With", 3724 " two --quiets these are not output either.", 3725 " --errors (-e):", 3726 " Output errors from libpng and the program (except too-far-back).", 3727 " --warnings (-w):", 3728 " Output warnings from libpng.", 3729 " OUTPUT", 3730 " By default nothing is written.", 3731 " --out=<file>:", 3732 " Write the optimized/corrected version of the next PNG to <file>. This", 3733 " overrides the following two options", 3734 " --suffix=<suffix>:", 3735 " Set --out=<name><suffix> for all following files unless overridden on", 3736 " a per-file basis by explicit --out.", 3737 " --prefix=<prefix>:", 3738 " Set --out=<prefix><name> for all the following files unless overridden", 3739 " on a per-file basis by explicit --out.", 3740 " These two options can be used together to produce a suffix and prefix.", 3741 " INTERNAL OPTIONS", 3742 #if 0 /*NYI*/ 3743 #ifdef PNG_MAXIMUM_INFLATE_WINDOW 3744 " --test:", 3745 " Test the PNG_MAXIMUM_INFLATE_WINDOW option. Setting this disables", 3746 " output as this would produce a broken file.", 3747 #endif 3748 #endif 3749 0, 3750 "EXIT CODES", 3751 " *** SUBJECT TO CHANGE ***", 3752 " The program exit code is value in the range 0..127 holding a bit mask of", 3753 " the following codes. Notice that the results for each file are combined", 3754 " together - check one file at a time to get a meaningful error code!", 3755 " 0x01: The zlib too-far-back error existed in at least one chunk.", 3756 " 0x02: At least one chunk had a CRC error.", 3757 " 0x04: A chunk length was incorrect.", 3758 " 0x08: The file was truncated.", 3759 " Errors less than 16 are potentially recoverable, for a single file if the", 3760 " exit code is less than 16 the file could be read (with corrections if a", 3761 " non-zero code is returned).", 3762 " 0x10: The file could not be read, even with corrections.", 3763 " 0x20: The output file could not be written.", 3764 " 0x40: An unexpected, potentially internal, error occurred.", 3765 " If the command line arguments are incorrect the program exits with exit", 3766 " 255. Some older operating systems only support 7-bit exit codes, on those", 3767 " systems it is suggested that this program is first tested by supplying", 3768 " invalid arguments.", 3769 0, 3770 "DESCRIPTION", 3771 " " PROGRAM_NAME ":", 3772 " checks each PNG file on the command line for errors. By default errors are", 3773 " not output and the program just returns an exit code and prints a summary.", 3774 " With the --quiet (-q) option the summaries are suppressed too and the", 3775 " program only outputs unexpected errors (internal errors and file open", 3776 " errors).", 3777 " Various known problems in PNG files are fixed while the file is being read", 3778 " The exit code says what problems were fixed. In particular the zlib error:", 3779 0, 3780 " \"invalid distance too far back\"", 3781 0, 3782 " caused by an incorrect optimization of a zlib stream is fixed in any", 3783 " compressed chunk in which it is encountered. An integrity problem of the", 3784 " PNG stream caused by a bug in libpng which wrote an incorrect chunk length", 3785 " is also fixed. Chunk CRC errors are automatically fixed up.", 3786 0, 3787 " Setting one of the \"OUTPUT\" options causes the possibly modified file to", 3788 " be written to a new file.", 3789 0, 3790 " Notice that some PNG files with the zlib optimization problem can still be", 3791 " read by libpng under some circumstances. This program will still detect", 3792 " and, if requested, correct the error.", 3793 0, 3794 " The program will reliably process all files on the command line unless", 3795 " either an invalid argument causes the usage message (this message) to be", 3796 " produced or the program crashes.", 3797 0, 3798 " The summary lines describe issues encountered with the zlib compressed", 3799 " stream of a chunk. They have the following format, which is SUBJECT TO", 3800 " CHANGE in the future:", 3801 0, 3802 " chunk reason comp-level p1 p2 p3 p4 file", 3803 0, 3804 " p1 through p4 vary according to the 'reason'. There are always 8 space", 3805 " separated fields. Reasons specific formats are:", 3806 0, 3807 " chunk ERR status code read-errno write-errno message file", 3808 " chunk SKP comp-level file-bits zlib-rc compressed message file", 3809 " chunk ??? comp-level file-bits ok-bits compressed uncompress file", 3810 0, 3811 " The various fields are", 3812 0, 3813 "$1 chunk: The chunk type of a chunk in the file or 'HEAD' if a problem", 3814 " is reported by libpng at the start of the IDAT stream.", 3815 "$2 reason: One of:", 3816 " CHK: A zlib header checksum was detected and fixed.", 3817 " TFB: The zlib too far back error was detected and fixed.", 3818 " OK : No errors were detected in the zlib stream and optimization", 3819 " was not requested, or was not possible.", 3820 " OPT: The zlib stream window bits value could be improved (and was).", 3821 " SKP: The chunk was skipped because of a zlib issue (zlib-rc) with", 3822 " explanation 'message'", 3823 " ERR: The read of the file was aborted. The parameters explain why.", 3824 "$3 status: For 'ERR' the accumulated status code from 'EXIT CODES' above.", 3825 " This is printed as a 2 digit hexadecimal value", 3826 " comp-level: The recorded compression level (FLEVEL) of a zlib stream", 3827 " expressed as a string {supfast,stdfast,default,maximum}", 3828 "$4 code: The file exit code; where stop was called, as a fairly terse", 3829 " string {warning,libpng,zlib,invalid,read,write,unexpected}.", 3830 " file-bits: The zlib window bits recorded in the file.", 3831 "$5 read-errno: A system errno value from a read translated by strerror(3).", 3832 " zlib-rc: A zlib return code as a string (see zlib.h).", 3833 " ok-bits: The smallest zlib window bits value that works.", 3834 "$6 write-errno:A system errno value from a write translated by strerror(3).", 3835 " compressed: The count of compressed bytes in the zlib stream, when the", 3836 " reason is 'SKP'; this is a count of the bytes read from the", 3837 " stream when the fatal error was encountered.", 3838 "$7 message: An error message (spaces replaced by _, as in all parameters),", 3839 " uncompress: The count of bytes from uncompressing the zlib stream; this", 3840 " may not be the same as the number of bytes in the image.", 3841 "$8 file: The name of the file (this may contain spaces).", 3842 }; 3843 3844 fprintf(stderr, "Usage: %s {[options] png-file}\n", prog); 3845 3846 for (i=0; i < (sizeof usage_string)/(sizeof usage_string[0]); ++i) 3847 { 3848 if (usage_string[i] != 0) 3849 fputs(usage_string[i], stderr); 3850 3851 fputc('\n', stderr); 3852 } 3853 3854 exit(255); 3855 } 3856 3857 int 3858 main(int argc, const char **argv) 3859 { 3860 char temp_name[FILENAME_MAX+1]; 3861 const char * prog = *argv; 3862 const char * outfile = NULL; 3863 const char * suffix = NULL; 3864 const char * prefix = NULL; 3865 int done = 0; /* if at least one file is processed */ 3866 struct global global; 3867 3868 global_init(&global); 3869 3870 while (--argc > 0) 3871 { 3872 ++argv; 3873 3874 if (strcmp(*argv, "--debug") == 0) 3875 { 3876 /* To help debugging problems: */ 3877 global.errors = global.warnings = 1; 3878 global.quiet = 0; 3879 global.verbose = 7; 3880 } 3881 3882 else if (strncmp(*argv, "--max=", 6) == 0) 3883 { 3884 global.idat_max = (png_uint_32)atol(6+*argv); 3885 3886 if (global.skip < SKIP_UNSAFE) 3887 global.skip = SKIP_UNSAFE; 3888 } 3889 3890 else if (strcmp(*argv, "--max") == 0) 3891 { 3892 global.idat_max = 0x7fffffff; 3893 3894 if (global.skip < SKIP_UNSAFE) 3895 global.skip = SKIP_UNSAFE; 3896 } 3897 3898 else if (strcmp(*argv, "--optimize") == 0 || strcmp(*argv, "-o") == 0) 3899 global.optimize_zlib = 1; 3900 3901 else if (strncmp(*argv, "--out=", 6) == 0) 3902 outfile = 6+*argv; 3903 3904 else if (strncmp(*argv, "--suffix=", 9) == 0) 3905 suffix = 9+*argv; 3906 3907 else if (strncmp(*argv, "--prefix=", 9) == 0) 3908 prefix = 9+*argv; 3909 3910 else if (strcmp(*argv, "--strip=none") == 0) 3911 global.skip = SKIP_NONE; 3912 3913 else if (strcmp(*argv, "--strip=crc") == 0) 3914 global.skip = SKIP_BAD_CRC; 3915 3916 else if (strcmp(*argv, "--strip=unsafe") == 0) 3917 global.skip = SKIP_UNSAFE; 3918 3919 else if (strcmp(*argv, "--strip=unused") == 0) 3920 global.skip = SKIP_UNUSED; 3921 3922 else if (strcmp(*argv, "--strip=transform") == 0) 3923 global.skip = SKIP_TRANSFORM; 3924 3925 else if (strcmp(*argv, "--strip=color") == 0) 3926 global.skip = SKIP_COLOR; 3927 3928 else if (strcmp(*argv, "--strip=all") == 0) 3929 global.skip = SKIP_ALL; 3930 3931 else if (strcmp(*argv, "--errors") == 0 || strcmp(*argv, "-e") == 0) 3932 global.errors = 1; 3933 3934 else if (strcmp(*argv, "--warnings") == 0 || strcmp(*argv, "-w") == 0) 3935 global.warnings = 1; 3936 3937 else if (strcmp(*argv, "--quiet") == 0 || strcmp(*argv, "-q") == 0) 3938 { 3939 if (global.quiet) 3940 global.quiet = 2; 3941 3942 else 3943 global.quiet = 1; 3944 } 3945 3946 else if (strcmp(*argv, "--verbose") == 0 || strcmp(*argv, "-v") == 0) 3947 ++global.verbose; 3948 3949 #if 0 3950 /* NYI */ 3951 # ifdef PNG_MAXIMUM_INFLATE_WINDOW 3952 else if (strcmp(*argv, "--test") == 0) 3953 ++set_option; 3954 # endif 3955 #endif 3956 3957 else if ((*argv)[0] == '-') 3958 usage(prog); 3959 3960 else 3961 { 3962 size_t outlen = strlen(*argv); 3963 3964 if (outfile == NULL) /* else this takes precedence */ 3965 { 3966 /* Consider the prefix/suffix options */ 3967 if (prefix != NULL) 3968 { 3969 size_t prefixlen = strlen(prefix); 3970 3971 if (prefixlen+outlen > FILENAME_MAX) 3972 { 3973 fprintf(stderr, "%s: output file name too long: %s%s%s\n", 3974 prog, prefix, *argv, suffix ? suffix : ""); 3975 global.status_code |= WRITE_ERROR; 3976 continue; 3977 } 3978 3979 memcpy(temp_name, prefix, prefixlen); 3980 memcpy(temp_name+prefixlen, *argv, outlen); 3981 outlen += prefixlen; 3982 outfile = temp_name; 3983 } 3984 3985 else if (suffix != NULL) 3986 memcpy(temp_name, *argv, outlen); 3987 3988 temp_name[outlen] = 0; 3989 3990 if (suffix != NULL) 3991 { 3992 size_t suffixlen = strlen(suffix); 3993 3994 if (outlen+suffixlen > FILENAME_MAX) 3995 { 3996 fprintf(stderr, "%s: output file name too long: %s%s\n", 3997 prog, *argv, suffix); 3998 global.status_code |= WRITE_ERROR; 3999 continue; 4000 } 4001 4002 memcpy(temp_name+outlen, suffix, suffixlen); 4003 outlen += suffixlen; 4004 temp_name[outlen] = 0; 4005 outfile = temp_name; 4006 } 4007 } 4008 4009 (void)one_file(&global, *argv, outfile); 4010 ++done; 4011 outfile = NULL; 4012 } 4013 } 4014 4015 if (!done) 4016 usage(prog); 4017 4018 return global_end(&global); 4019 } 4020 4021 #else /* ZLIB_VERNUM < 0x1240 */ 4022 int 4023 main(void) 4024 { 4025 fprintf(stderr, 4026 "pngfix needs libpng with a zlib >=1.2.4 (not 0x%x)\n", 4027 ZLIB_VERNUM); 4028 return 77; 4029 } 4030 #endif /* ZLIB_VERNUM */ 4031 4032 #else /* No read support */ 4033 4034 int 4035 main(void) 4036 { 4037 fprintf(stderr, "pngfix does not work without read deinterlace support\n"); 4038 return 77; 4039 } 4040 #endif /* PNG_READ_SUPPORTED && PNG_EASY_ACCESS_SUPPORTED */ 4041 #else /* No setjmp support */ 4042 int 4043 main(void) 4044 { 4045 fprintf(stderr, "pngfix does not work without setjmp support\n"); 4046 return 77; 4047 } 4048 #endif /* PNG_SETJMP_SUPPORTED */ 4049 4050
