mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[master]

Browse Source
This commit is contained in:
Glenn Randers-Pehrson 2010-02-12 21:07:14 -06:00
parent 13714e87f2
commit a2cde53c87
3 changed files with 191 additions and 201 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
ANNOUNCE
View File

@ -1,5 +1,5 @@
Libpng 1.4.1beta10 - February 8, 2010
Libpng 1.4.1beta11 - February 13, 2010
This is not intended to be a public release. It will be replaced
within a few weeks by a public version or by another test version.
@ -9,20 +9,20 @@ Files available for download:
Source files with LF line endings (for Unix/Linux) and with a
"configure" script
1.4.1beta10.tar.xz (LZMA-compressed, recommended)
1.4.1beta10.tar.gz
1.4.1beta10.tar.bz2
1.4.1beta11.tar.xz (LZMA-compressed, recommended)
1.4.1beta11.tar.gz
1.4.1beta11.tar.bz2
Source files with CRLF line endings (for Windows), without the
"configure" script
lp141b10.zip
lp141b10.7z
lp141b11.zip
lp141b11.7z
Other information:
1.4.1beta10-README.txt
1.4.1beta10-LICENSE.txt
1.4.1beta11-README.txt
1.4.1beta11-LICENSE.txt
Changes since the last public release (1.4.0):
@ -72,10 +72,17 @@ version 1.4.1beta08 [February 6, 2010]
version 1.4.1beta09 [February 7, 2010]
Reverted to original png_push_save_buffer() code.
version 1.4.1beta10 [February 8, 2010]
version 1.4.1beta10 [February 9, 2010]
Return allocated "old_buffer" in png_push_save_buffer() before calling
png_error(), to avoid a potential memory leak.
version 1.4.1beta11 [February 13, 2010]
Removed the cbuilder5 project, which has not been updated to 1.4.0.
Removed unused "buffer_size" variable from png_decompress_chunk().
Relocated misplaced closing curley bracket in png_decompress_chunk().
Reverted to original png_decompress_chunk() plus counting pass.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement

10
CHANGES
View File

@ -2505,10 +2505,18 @@ version 1.4.1beta08 [February 6, 2010]
version 1.4.1beta09 [February 7, 2010]
Reverted to original png_push_save_buffer() code.
version 1.4.1beta10 [February 8, 2010]
version 1.4.1beta10 [February 9, 2010]
Return allocated "old_buffer" in png_push_save_buffer() before calling
png_error(), to avoid a potential memory leak.
version 1.4.1beta11 [February 13, 2010]
Relocated misplaced closing curley bracket in png_decompress_chunk().
Removed unused "buffer_size" variable from png_decompress_chunk().
Removed the cbuilder5 project, which has not been updated to 1.4.0.
Reverted to original png_decompress_chunk() plus counting pass.
version 1.4.1rc02 [February 13, 2010]
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement

357
pngrutil.c
View File

@ -1,7 +1,7 @@
/* pngrutil.c - utilities to read a PNG file
*
* Last changed in libpng 1.4.1 [February 8, 2010]
* Last changed in libpng 1.4.1 [February 13, 2010]
* Copyright (c) 1998-2010 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@ -201,70 +201,93 @@ png_crc_error(png_structp png_ptr)
#if defined(PNG_READ_zTXt_SUPPORTED) || defined(PNG_READ_iTXt_SUPPORTED) || \
defined(PNG_READ_iCCP_SUPPORTED)
png_size_t
png_measure_decompressed_chunk(png_structp png_ptr, int comp_type,
png_size_t chunklength, png_size_t prefix_size)
static png_size_t
png_inflate(png_structp png_ptr, const png_byte *data, png_size_t size,
png_bytep output, png_size_t output_size)
{
png_charp text;
png_charp test = "X";
png_size_t text_size = 0;
png_size_t count = 0;
if (comp_type == PNG_COMPRESSION_TYPE_BASE)
png_ptr->zstream.next_in = (png_bytep)data; /* const_cast: VALID */
png_ptr->zstream.avail_in = size;
while (1)
{
int ret = Z_OK;
int ret, avail;
png_ptr->zstream.next_in = (png_bytep)(png_ptr->chunkdata + prefix_size);
png_ptr->zstream.avail_in = (uInt)(chunklength - prefix_size);
/* Reset the output buffer each time round - we empty it
* after every inflate call.
*/
png_ptr->zstream.next_out = png_ptr->zbuf;
png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size;
png_ptr->zstream.avail_out = png_ptr->zbuf_size;
text = NULL;
ret = inflate(&png_ptr->zstream, Z_NO_FLUSH);
avail = png_ptr->zbuf_size - png_ptr->zstream.avail_out;
while (png_ptr->zstream.avail_in)
/* First copy/count any new output - but only if we didn't
* get an error code.
*/
if ((ret == Z_OK || ret == Z_STREAM_END) && avail > 0)
{
ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
if (ret != Z_OK && ret != Z_STREAM_END)
{
inflateReset(&png_ptr->zstream);
png_ptr->zstream.avail_in = 0;
break;
}
if (!png_ptr->zstream.avail_out || ret == Z_STREAM_END)
{
if (text == NULL) /* Initialize the decompression buffer */
{
text_size = prefix_size +
png_ptr->zbuf_size - png_ptr->zstream.avail_out;
text=test;
}
else /* Enlarge the decompression buffer */
{
text_size += png_ptr->zbuf_size - png_ptr->zstream.avail_out;
#ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
if (png_ptr->user_chunk_malloc_max &&
(text_size >= png_ptr->user_chunk_malloc_max - 1))
#else
if ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
text_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
#endif
return 0;
}
}
if (ret == Z_STREAM_END)
break;
else
{
png_ptr->zstream.next_out = png_ptr->zbuf;
png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size;
}
if (output != 0 && output_size > count)
{
int copy = output_size - count;
if (avail < copy) copy = avail;
png_memcpy(output + count, png_ptr->zbuf, copy);
}
count += avail;
}
inflateReset(&png_ptr->zstream);
if (ret == Z_OK)
continue;
/* Termination conditions - always reset the zstream, it
* must be left in inflateInit state.
*/
png_ptr->zstream.avail_in = 0;
inflateReset(&png_ptr->zstream);
if (ret == Z_STREAM_END)
return count; /* NOTE: may be zero. */
/* Now handle the error codes - the API always returns 0
* and the error message is dumped into the uncompressed
* buffer if available.
*/
{
char *msg, umsg[52];
if (png_ptr->zstream.msg != 0)
msg = png_ptr->zstream.msg;
else
{
#ifdef PNG_STDIO_SUPPORTED
switch (ret)
{
case Z_BUF_ERROR:
msg = "Buffer error in compressed datastream in %s chunk";
break;
case Z_DATA_ERROR:
msg = "Data error in compressed datastream in %s chunk";
break;
default:
msg = "Incomplete compressed datastream in %s chunk";
break;
}
png_snprintf(umsg, sizeof umsg, msg, png_ptr->chunk_name);
msg = umsg;
#else
msg = "Damaged compressed datastream in chunk other than IDAT";
#endif
}
png_warning(png_ptr, msg);
}
/* 0 means an error - notice that this code simple ignores
* zero length compressed chunks as a result.
*/
return 0;
}
return text_size;
}
/*
@ -279,164 +302,104 @@ png_decompress_chunk(png_structp png_ptr, int comp_type,
png_size_t chunklength,
png_size_t prefix_size, png_size_t *newlength)
{
static PNG_CONST char msg[] = "Error decoding compressed chunk";
png_charp text;
png_size_t text_size;
png_size_t expanded_size;
expanded_size= png_measure_decompressed_chunk(png_ptr, comp_type,
chunklength, prefix_size);
if (expanded_size == 0)
/* The caller should guarantee this */
if (prefix_size > chunklength)
{
*newlength=0;
return;
/* The recovery is to delete the chunk. */
png_warning(png_ptr, "invalid chunklength");
prefix_size = 0; /* To delete everything */
}
if (comp_type == PNG_COMPRESSION_TYPE_BASE)
else if (comp_type == PNG_COMPRESSION_TYPE_BASE)
{
int ret = Z_OK;
png_size_t buffer_size;
png_size_t expanded_size = png_inflate(png_ptr,
(png_bytep)(png_ptr->chunkdata + prefix_size),
chunklength - prefix_size,
0/*output*/, 0/*output size*/);
png_ptr->zstream.next_in = (png_bytep)(png_ptr->chunkdata + prefix_size);
png_ptr->zstream.avail_in = (uInt)(chunklength - prefix_size);
png_ptr->zstream.next_out = png_ptr->zbuf;
png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size;
text_size = 0;
text = NULL;
buffer_size = 0;
while (png_ptr->zstream.avail_in)
{
ret = inflate(&png_ptr->zstream, Z_PARTIAL_FLUSH);
if (ret != Z_OK && ret != Z_STREAM_END)
{
if (png_ptr->zstream.msg != NULL)
png_warning(png_ptr, png_ptr->zstream.msg);
else
png_warning(png_ptr, msg);
inflateReset(&png_ptr->zstream);
png_ptr->zstream.avail_in = 0;
if (text == NULL)
{
text_size = prefix_size + png_sizeof(msg) + 1;
text = (png_charp)png_malloc_warn(png_ptr, text_size);
if (text == NULL)
{
png_error(png_ptr,
"Not enough memory to decompress chunk");
text_size = 0;
break;
}
png_memcpy(text, png_ptr->chunkdata, prefix_size);
}
text[text_size - 1] = 0x00;
/* Copy what we can of the error message into the text chunk */
text_size = (png_size_t)(chunklength -
(text - png_ptr->chunkdata) - 1);
if (text_size > png_sizeof(msg))
text_size = png_sizeof(msg);
png_memcpy(text + prefix_size, msg, text_size);
buffer_size = text_size;
break;
}
if (!png_ptr->zstream.avail_out || ret == Z_STREAM_END)
{
if (text == NULL) /* Initialize the decompression buffer */
{
text_size = expanded_size;
text = (png_charp)png_malloc_warn(png_ptr, text_size + 1);
if (text == NULL)
{
png_error(png_ptr,
"Not enough memory to decompress chunk");
text_size = 0;
break;
}
png_memcpy(text + prefix_size, png_ptr->zbuf,
text_size - prefix_size);
png_memcpy(text, png_ptr->chunkdata, prefix_size);
*(text + text_size) = 0x00;
buffer_size = text_size;
}
}
if (ret == Z_STREAM_END)
break;
else
{
png_ptr->zstream.next_out = png_ptr->zbuf;
png_ptr->zstream.avail_out = (uInt)png_ptr->zbuf_size;
}
}
if (ret != Z_STREAM_END)
{
#ifdef PNG_STDIO_SUPPORTED
char umsg[52];
if (ret == Z_BUF_ERROR)
png_snprintf(umsg, 52,
"Buffer error in compressed datastream in %s chunk",
png_ptr->chunk_name);
else if (ret == Z_DATA_ERROR)
png_snprintf(umsg, 52,
"Data error in compressed datastream in %s chunk",
png_ptr->chunk_name);
else
png_snprintf(umsg, 52,
"Incomplete compressed datastream in %s chunk",
png_ptr->chunk_name);
png_warning(png_ptr, umsg);
/* Now check the limits on this chunk - if the limit fails the
* compressed data will be removed, the prefix will remain.
*/
#ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
if (png_ptr->user_chunk_malloc_max &&
(prefix_size + expanded_size >= png_ptr->user_chunk_malloc_max - 1))
#else
png_warning(png_ptr,
"Incomplete compressed datastream in chunk other than IDAT");
if ((PNG_USER_CHUNK_MALLOC_MAX > 0) &&
prefix_size + expanded_size >= PNG_USER_CHUNK_MALLOC_MAX - 1)
#endif
text_size = prefix_size;
if (text == NULL)
png_warning(png_ptr, "Exceeded size limit while expanding chunk");
/* If the size is zero either there was an error and a message
* has already been output (warning) or the size really is zero
* and we have nothing to do - the code will exit through the
* error case below.
*/
else if (expanded_size > 0)
{
/* Success (maybe) - really uncompress the chunk. */
png_size_t new_size = 0;
png_charp text = png_malloc_warn(png_ptr,
prefix_size + expanded_size + 1);
if (text != NULL)
{
text = (png_charp)png_malloc_warn(png_ptr, text_size+1);
if (text == NULL)
{
png_free(png_ptr, png_ptr->chunkdata);
png_ptr->chunkdata = NULL;
png_error(png_ptr, "Not enough memory for text");
}
png_memcpy(text, png_ptr->chunkdata, prefix_size);
}
*(text + text_size) = 0x00;
png_memcpy(text, png_ptr->chunkdata, prefix_size);
new_size = png_inflate(png_ptr,
(png_bytep)(png_ptr->chunkdata + prefix_size),
chunklength - prefix_size,
(png_bytep)(text + prefix_size), expanded_size);
text[prefix_size + expanded_size] = 0; /* just in case */
if (new_size == expanded_size)
{
png_free(png_ptr, png_ptr->chunkdata);
png_ptr->chunkdata = text;
*newlength = prefix_size + expanded_size;
return; /* The success return! */
}
png_warning(png_ptr, "png_inflate logic error");
png_free(png_ptr, text);
}
else
png_warning(png_ptr, "Not enough memory to decompress chunk");
}
inflateReset(&png_ptr->zstream);
png_ptr->zstream.avail_in = 0;
png_free(png_ptr, png_ptr->chunkdata);
png_ptr->chunkdata = text;
*newlength=text_size;
}
else /* if (comp_type != PNG_COMPRESSION_TYPE_BASE) */
{
#ifdef PNG_STDIO_SUPPORTED
char umsg[50];
png_snprintf(umsg, 50, "Unknown zTXt compression type %d", comp_type);
#ifdef PNG_STDIO_SUPPORTED
png_snprintf(umsg, sizeof umsg, "Unknown zTXt compression type %d", comp_type);
png_warning(png_ptr, umsg);
#else
png_warning(png_ptr, "Unknown zTXt compression type");
#endif
*(png_ptr->chunkdata + prefix_size) = 0x00;
*newlength = prefix_size;
/* The recovery is to simply drop the data. */
}
/* Generic error return - leave the prefix, delete the compressed
* data, reallocate the chunkdata to remove the potentially large
* amount of compressed data.
*/
{
png_charp text = png_malloc_warn(png_ptr, prefix_size + 1);
if (text != NULL)
{
if (prefix_size > 0)
png_memcpy(text, png_ptr->chunkdata, prefix_size);
png_free(png_ptr, png_ptr->chunkdata);
png_ptr->chunkdata = text;
/* This is an extra zero in the 'uncompressed' part. */
*(png_ptr->chunkdata + prefix_size) = 0x00;
}
/* Ignore a malloc error here - it is safe. */
}
*newlength = prefix_size;
}
#endif
@ -1157,6 +1120,18 @@ png_handle_iCCP(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
png_free(png_ptr, png_ptr->chunkdata);
png_ptr->chunkdata = NULL;
png_warning(png_ptr, "Ignoring truncated iCCP profile");
#ifdef PNG_STDIO_SUPPORTED
{
char umsg[50];
png_snprintf(umsg, 50, "declared profile size = %lu",
(unsigned long)profile_size);
png_warning(png_ptr, umsg);
png_snprintf(umsg, 50, "actual profile length = %lu",
(unsigned long)profile_length);
png_warning(png_ptr, umsg);
}
#endif
return;
}