Filter selection, palette index checks

Palette index checking: checking on read was erroneously skipped.  pngcp can now
turn off the palette index checking or fix the errors (mainly to allow
comparison with libpng 1.6, which defaulted to ignoring it).  The API now
documents how the 'enabled' parameter works.  On read the check is on by default
(it was apparently off in libpng 1.6); however, now if explicitly turned on the
warning message is stopped.  This provides better interaction with
get_palette_max at the cost of a small API change (may need to be reviewed).

Palette size errors: invalid entries in the palette are now set to #beaded to
make the errors more obvious and allow easy detection in memory.

Read transform pipeline caching: changes to fix the palette index check (which
are erroneously cached), the pipeline can now contain multiple caches.  E.g.
caching of packing of palette indices can be combined with caching of palette
RGB transforms.

Read code now checks for callbacks to read 0 data (and faults them).  Fixed the
reading of PNGs with multiple 0 length IDATs that failed as a result plus the
handling of zero length unknown.  (Which occurs, validly; the spurious warning
has been removed).

Filter selection: the 1.6 and earlier sum of absolute differences algorithm has
been reintroduced with an option to disfavor some filters over others where the
sums are close (not yet exposed).  The selection code also logs the last known
occurrence of each possible byte code across multiple lines.  This allows
detection of PNG images with lower bit depth than the format implies and,
therefore, allows the filtering to be turned off in those cases as well.

The default write zlib settings are still lower than libpng16.  The selection
algorithm is being refined (the overall results are worse than not doing any
filtering).

Signed-off-by: John Bowler <jbowler@acm.org>
John Bowler
2016-05-15 16:32:01 -07:00
parent cf46e3748f
commit 5652acdd48
13 changed files with 298 additions and 98 deletions


@@ -955,8 +955,11 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr)
debug(png_ptr->palette == NULL); /* should only get set once */
png_ptr->palette = png_voidcast(png_colorp, png_malloc(png_ptr,
sizeof (png_color[PNG_MAX_PALETTE_LENGTH])));
memset(png_ptr->palette, 0xFFU, sizeof (png_color[PNG_MAX_PALETTE_LENGTH]));
memcpy(png_ptr->palette, info_ptr->palette, 3*num);
/* This works because we know png_set_PLTE also expands the palette to the
* full size:
*/
memcpy(png_ptr->palette, info_ptr->palette,
sizeof (png_color[PNG_MAX_PALETTE_LENGTH]));
png_ptr->num_palette = info_ptr->num_palette;
/* The three chunks, bKGD, hIST and tRNS *must* appear after PLTE and before
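Review bot: the full-size memcpy from info_ptr->palette (sizeof (png_color[PNG_MAX_PALETTE_LENGTH])) depends on png_set_PLTE having expanded info_ptr->palette to the full length, but that invariant is only stated in the comment; a debug() on it (for example that info_ptr->num_palette <= PNG_MAX_PALETTE_LENGTH, beside the existing `debug(png_ptr->palette == NULL)`) would turn a silent over-read into a caught failure if png_set_PLTE ever stops expanding. The commit message also says unused palette entries are now filled with #beaded, while this hunk shows a 0xFFU memset and a 3*num copy; a one-line comment stating where the fill value now comes from would keep the two consistent for the next reader.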
@@ -4330,11 +4333,10 @@ png_read_process_IDAT(png_structrp png_ptr, png_bytep transformed_row,
/* Run the list. It is ok if it doesn't end up doing
* anything; this can happen with a lazy init.
*
* TODO: I don't think lazy inits happen any more, hence
* the 'debug' below.
* NOTE: if the only thingin the list is a palette check
* function it can remove itself at this point.
*/
max_depth = png_run_transform_list_forwards(png_ptr, &tc);
debug(png_ptr->transform_list != NULL);
/* This is too late, a stack overwrite has already
* happened, but it may still prevent exploits:
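Review bot: the NOTE says that when the only entry in the list is a palette check function it can remove itself during the run, but `debug(png_ptr->transform_list != NULL)` immediately after png_run_transform_list_forwards would fire in exactly that case; either relax the debug to cover the self-removal path or reword the note so the two agree. Also "thingin" in the NOTE should read "thing in".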