Add contrib/examples/.clang-format, tailored to fit the existing code
as closely as possible. The end goal is to set up automatic formatting
for the entire libpng source tree. We're doing this experiment in this
subdirectory, for now.
Also make refactoring changes, as follows:
* Rewrite the preprocessor checks `#if PNG_FOO_SUPPORTED` to stop
compilation immediately, with a descriptive `#error` about what
needs to be supported.
* Rewrite and reflow comments, add braces and brackets, and make other
minor modifications that are suited for the clang-format'ed code.
Make the error directives uniformly consistent with one another.
Remove surrounding quotes and trailing punctuation, and rephrase
some of the error messages and some of their associated comments
for either brevity or clarity.
`png_icc_profile_error` is no longer used when writing iCCP chunks,
therefore it can be compiled out when the reading is disabled.
This change includes two `minconfig` files to test read-only and
write-only "full" configurations, to supplement the existing tests
for "minimal" configurations.
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
We should use `FILE *` instead of `FILE*` or `(FILE*)`, consistently,
as we should for all other pointer types. Moreover, when we refer to
standard stdio file objects in comments and in documentation, we should
use the term "FILE objects" consistently.
Lastly, we clarify in a comment in example.c that `PNG_STDIO_SUPPORTED`
is true only when the stdio support is both available in the system and
accessible in the user's libpng build.
This is a cherry-pick of commit c63c5463903014c904b540216c2784023fb8c1c8
from branch 'libpng18'.
Reviewed-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
pngimage: The code simply exited with a return code of 99 in the event
of a user error including giving pngimage invalid PNG files and an
internal error. It now attempts to clean up the state before doing so,
matching the normal behaviour.
pngimage: Non-ISO use of setjmp(3) corrected.
pngerror.c: Failure to call png_image_free on a false result from a
png_safe_execute function call fixed. This was a regression caused by
the 'volatile' clean-up. Not normally detectable because png_image_free
will often be called by the application.
Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
nocompile-limits.dfa: turns off all limits including run-time limits
nolimits.dfa: makes the compile time limits unlimited while leaving on
the run-time limits.
Fixes compiler warnings exposed by these tests. These are just warnings,
there were no bugs other than a failure to handle systems with a 16-bit
at the appropriate time which would result in a later failure on malloc.
png.c: png_icc_check_length: in-line code was still used in place of
png_chunk_max when checking the current chunk allocation limit. The
in-line code did not handle PNG_MAXSEG_64K and, anyway, issued
compiler warnings in the 'nocompile-limits' case. Changed to use
png_malloc_max.
pngrutil.c: eliminated an erroneous 'truncation' warning with GCC-14 by
using a safe cast.
pngtest.c: failed to check for PNG_USER_LIMITS_SUPPORTED around API
calls which don't exist without PNG_USER_LIMITS.
Signed-off-by: John Bowler <jbowler@acm.org>
The two new configuation tests, fixed.dfa and float-fixed.dfa verify
that the 'standard' configuration of libpng works without floating point
arithmetic.
Signed-off-by: John Bowler <jbowler@acm.org>
A downgrade from 16-bit samples to 8-bit samples, or an expansion from
1- or 2-channel grayscale (or grayscale+alpha) to 3- or 4-channel
RGB (or RGB+alpha), etc., may be deemed generally useful. Such image
transforms could be made available to the user via command-line options.
On the other hand, keeping the decision to disable or enable these
transforms unconditionally at compile time (e.g. because they're needed
to work around a specific printer's limitations) is less than ideal.
This adds APIs to get/set the two remaining new PNG-v3 colour space
chunks. The mDCV API matches that of cHRM. Both chunks support
floating point APIs (all values in the two chunks are real numbers).
Both chunks have a new encoded type, a four-digit-precision fixed-point
number, which cannot be represented in the existing `png_fixed_point`
type, so a `png_uint_32` is used.
Test examples for cICP, cLLI and mDCV are now in pngtest.png, and a
necessary change to the pngunknown.c test program has been made to
accomodate the additions.
Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
cICP was written after PLTE, not before. The other chunks were output
in an order which does not match the new PNG-v3 "priority" order.
This change outputs all chunks in the "priority" order; highest
precedence first. This means that the PNGs so written conform to
PNG v3 (cICP), and allow a streaming app to handle chunks in order,
without buffering data which may later be overridden.
Note that PNG-v3 establishes the idea of dropping ancillary chunks
which are inconveniently ordered in the definition of how APNG chunks
are handled.
This is a cherry-pick of commit 945f2602a0ea05a7938b2f52df9ef16cf3440291
from branch 'libpng18'.
Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
Update the main CMake file and the auxiliary test scripts accordingly.
This is a cherry-pick of commit fe277b7752990be35523832a546aec478437968a
from branch 'libpng18'.
Embarcadero's compilers, old (Borland-based) and new (Clang-based),
do have full support for Standard C. The Clang-based compiler is
claiming, through the macro __STDC_VERSION__, to support C99 and C11,
whereas the Borland-based compiler supports ANSI C, as it has for
decades.
However, their run-time library is exposing global functions beyond
the scope of Standard C, for backwards compatibility with the older
Borland products. One of these functions is `randomize`, which clashes
with a function inside pngvalid.c that incidentally has the same name.
Building libpng in "Strict ANSI C" mode, in which all Borland-specific
globals are hidden (e.g. via `bcc32 -A`), would have been a workable
solution for the Borland-based ANSI C compiler, but no such solution
appears to exist for the Clang-based C90/C99/C11 compiler.
Fortunately, renaming a private function inside a test program is a
cost-free alternative fix.
This is a cherry-pick of commit 6184164aa73ee764b1822f44d3db7619cf84f3fa
from branch 'libpng18'.
Disable the check on `interlace_method` inside function `compare_read`
in pngimage.c, if WRITE_INTERLACING is not supported.
If interlaced encoding is disabled inside libpng, the encoded images
are non-interlaced silently and unconditionally. This commit updates
the image comparison to skip the interlace check in the resultant
image; other behavior is still checked.
This is a cherry-pick of commit d9f13d8d846e08b00f6530b7a5fe07039d48c78d
from branch 'libpng18'.
Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
The leading blank lines are apparently an artefact of an older source
control system. They are not required and they look like accidents,
because starting a source file with a blank line is not a regular habit
of software developers nowadays.
This is a cherry-pick of commit 37cc20add8fb5b83bb5299a26cd3b41e0f776017
from branch 'libpng18'.
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
This corrects the checks to that libpng 10800 does not turn on the
enhanced transform checks in either pngvalid or pngstest. The correct
fix is to change the 10700 code for comments which explain what aspect
or aspects of the transforms are broken (ideally) or at least state that
the transforms are broken.
This is a cherry-pick of commit aec888ab80f5d2241b3515b60f0f9337108fb624
from branch 'libpng18'.
Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
This reverts commit b7276eca0182bb6ad174ef044bb5f6f0504451af.
Although the brand new pngfuzz repo is coming up next, it turned out
that the deletion of contrib/oss-fuzz/ from the 'libpng16' branch was
premature. (Oopsie!)
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
Also add an .editorconfig-checker.json file. We need to instruct the
editorconfig-checker program to skip the checks for the indent size.
(As of this commit time, editorconfig-checker is too rigid to recognize
"smart indentations".)
This is a cherry-pick of commit 67c99f75cf05b354f89c01c8fc15948300e84143
from branch 'libpng18'.
Co-authored-by: John Bowler <jbowler@acm.org>
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
A new repository named "pngfuzz", dedicated to fuzz testing PNG
processing software in general and libpng in particular, has been
created:
https://github.com/pnggroup/pngfuzz
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
We used this experimental project in the development of the PNG-EXIF
("eXIf") specification, back in 2017. The project evolved together
with the draft specification, which was finalized on 2017-Jun-15 and
approved by the PNG Group on 2017-Jul-13.
The EXIF specification, outside of the scope of PNG and libpng, is
quite complex. The libpng implementation cannot grow too much beyond
performing basic integrity checks on top of serialization. In order
to create and manipulate PNG-EXIF image files, the use of external
libraries and tools such as ExifTool is necessary.
Now, with the addition of contrib/pngexif to the libpng repository,
offline tasks like metadata inspection and linting can be performed
without importing external dependencies.
This adds a new configuration file, 'contrib/conftest/basic.dfa' which
disables unused APIs on a test Linux-based system. So support the
configuration several fixes were necessary in the test programs so that
the tests are skipped correctly when APIs are not available.
The configuration has been tested on a range of common Linux apps
including web browser code (qtwebengine), image processing code (e.g.
ImageMagick) and general display code (X11, Qt5 and Qt6, KDE). Overall
this first step reduces libpng linked code and data size to about 2/3 of
the full configuration.
To use the new test simply copy basic.dfa to 'pngusr.dfa' in the root of
the source directory and build.
Signed-off-by: John Bowler <jbowler@acm.org>
This corrects contrib/testpngs/badpal/regression-palette-8.png. Despite
the comment in commit da109d3e the file checked in had 255 PLTE entries
so failed to perform the regression test. This version of the PNG has
254 entries.
Signed-off-by: John Bowler <jbowler@acm.org>
This adds a file to regression-test the previously introduced off-by-one
error in the check on read for a colormapped PNG with an out-of-range
index (equal or greater than the length of the PLTE).
Previous tests covered all cases except the 8-bit palette case; the
"small" test file contains the "bad" entry at index 254, not 255 so it
passes even if the final byte is not checked. The new file has the
erroneous entry in the last byte.
Signed-off-by: John Bowler <jbowler@acm.org>
The PNG IDAT did not include a '255' entry, the highest entry is '254',
this corrects the test PNG to have a palette with only 254 entries so
that it triggers the palette index checks.
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
The palette index checking function is called by default but only if
some *other* transformation is happening. This makes the 'get palette
max' public API disfunctional (sometimes it works, sometimes it returns
0) and causes the supposed default behaviour of checking the palette
index only to work sometimes. It works in pngtest, it doesn't work in
pngcp.
The check in pngread also has an off-by-one error; the number recorded
is the highest index found so it should be checked to ensure that it is
less than the palette length but it was checked for being greater.
The pull request includes a set of 8 files which all have the full range
of possible indices including one (the highest) which is invalid because
the PLTE chunk is one short of the maximum for each bit depth.
Signed-off-by: John Bowler <jbowler@acm.org>
Previously pngfix had been made warning-free in GCC7.1 by marking auto
variables (volatile). This prevented the arithmetic optimizations which
caused warnings from GCC7.1 with higher values -Wstrict-overflow=<n>
GCC has moved on a lot since 7.1 and pngfix.c now compiles with just one
warning using -Wstrict-overflow=5. The change includes a change to make
this go away by performing the rearrangement GCC was using in the code:
i == ndigits-1
becomes:
i+1 == ndigits
i is initialized to ndigits and has been decremented at least once so
this is fine.
Test, configure:
CFLAGS="-Wall -Wextra -Wno-maybe-uninitialized -Wstrict-overflow=5" \
../configure --enable-werror
make
make cehck
Test, cmake:
cmake ..
make
make test
Signed-off-by: John Bowler <jbowler@acm.org>
Prior versons of the GCC warned about the 'dest' parameter of
contrib/tools/pngcp.c not being volatile, which isn't necessary because
it isn't modified. This removes the GCC specific fixup.
The function which calls setjmp, cppng() also relied on undefined
behavior because it assigned the result of setjmp() to a variable; this
is not one of the four uses of setjmp permitted by ANSI-C. This passes
the result previously returned by longjmp via (struct display). It's
very very unlikely that any compiler could have got the code wrong but
it is technically undefined.
Defer the program termination on error until all files are closed and
(if applicable) all incompletely-written output files are deleted.
In addition, perform the following maintenance tasks:
* Rename and document the internal helpers used by the functions
`png2pnm` and `pnm2png`.
* Unset the executable permission bits for the *.bat test programs.
The pngminus programs use several PNG image transformations:
`png_set_expand`, `png_set_expand_1_2_4_to_8`, etc. (in png2pnm.c);
`png_set_packing`, `png_set_invert_mono`, etc. (in pnm2png.c).
The availability of all of these transformations in libpng is now
required at compile time.
On the topic of transformations, apply an unrelated fix to the use
of `png_set_gamma`.
Improve and modernize png2pnm.c:
* Remove the explicit reading of the input PNG file signature.
Libpng is now able to read it, check it, and issue an appropriate
error message in case of magic number mismatch or file corruption.
(See the function `png_read_sig`.)
* Remove the explicit allocation and dealocation of the image data.
Libpng is now able to manage all the image data automatically.
(See the function `png_read_png`.)
* Specify the needed image transformations without a-priori checking
the image type for applicability.
* Use the `png_set_expand_gray_1_2_4_to_8` transformation.
Since libpng version 1.2.9, this transformation (if needed) must
be enabled separately from `png_set_expand`.
Improve and modernize pnm2png.c:
* Modify the allocation of image data, in order to match libpng's
internal allocation model.
* Transfer the ownership of the image data from the `pnm2png` function
to libpng, which will manage and dealocate it at the right time.
(See the functions `png_set_image_rows` and `png_data_freer`.)
Refactor, clean up, etc.
Improve png2pnm.c:
* Add support for writing 16-bit raw PNM image files.
Fix and improve pnm2png.c:
* Add support for reading 16-bit raw PNM image files.
* Fix the parsing of arbitrarily long numeric strings.
In the parsing of PNM tokens, we can and we should avoid storing
more than one leading '0' in the token buffer. All valid (in-range)
numeric strings must fit in this limited-size buffer, regardless of
their actual length in the input file.
* Refactor the PNM parsing in order to make it more capable to handle
various kinds of input file errors.
* Remove the volatile qualifiers from all variable declarations.
Their original purpose was to appease old (and incorrect) warnings
issued by ancient optimizing compilers.
* Print a note about the program's lack of support for the PAM ("P7")
file format when the input is in this format.
* Add FIXME notes about the need to signal incorrect or incomplete
input files. (For png2pnm, this is done inside libpng.)
Raise the minimum required CMake version to 3.5.
Add the configuration option `PNGMINUS_USE_SYSTEM_PNG` for compiling
and linking with the system libpng library instead of the internal one.
Remove the old configuration option `PNGMINUS_USE_STATIC_LIBRARIES`.
When using the internal libpng (via `PNGMINUS_USE_SYSTEM_PNG=OFF`),
simply enforce static linking and produce single-file executables.
Rename the scripts "png2pnm.sh" (etc.) to "test_png2pnm.sh" (etc.),
to make it obvious that they are test drivers, not program launchers.
Add a .gitignore file for project-specific build and test artifacts.
This reverts the code to a variant of my old style of doing an 'fclose'
correctly and adds comments explaining why it is so difficult. Thanks
to @ihsinme for pointing out the error on github.com
Signed-off-by: John Bowler <jbowler@acm.org>
