We should use `FILE *` instead of `FILE*` or `(FILE*)`, consistently,
as we should for all other pointer types. Moreover, when we refer to
standard stdio file objects in comments and in documentation, we should
use the term "FILE objects" consistently.
Lastly, we clarify in a comment in example.c that `PNG_STDIO_SUPPORTED`
is true only when the stdio support is both available in the system and
accessible in the user's libpng build.
This is a cherry-pick of commit c63c5463903014c904b540216c2784023fb8c1c8
from branch 'libpng18'.
Reviewed-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
This is a regression of commit a8242dd9473a8da4d851623cf0b514a8ee4bee34
"PNGv3 colourspace precedence rules conformance".
Previously, `png_write_iCCP` used the length from the first four bytes
of the profile set by `png_set_iCCP`, rather than the actual data length
recorded by `png_set_iCCP`.
If the profile data were less than 4 bytes long, it would have caused
a read-beyond-end-of-malloc error. This bug was in the libpng code even
before the changes introduced in the above-mentioned commit, but it was
inaccessible. It became accessible when we removed the pre-PNGv3 colour
space checks in `png_set_iCCP`.
Reported-by: Bob Friesenhahn <bobjfriesenhahn@gmail.com>
Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
This is a major change required by the new PNGv3 colour chunk precedence
rules. It **does not** change the libpng API (png.h) however it changes
the following handling of PNG files:
IFF the PNG file contains colour space information it changes from the
libpng v3 behaviour to the now compulsory PNG v3 behaviour:
1) libpng no longer invalidates colour space chunks because they are
inconsistent.
2) libpng no longer responds to the "png_get_" APIs positively if they
are not present in the PNG but can be deduced from the colour space
chunks that are present.
This adds APIs to get/set the two remaining new PNG-v3 colour space
chunks. The mDCV API matches that of cHRM. Both chunks support
floating point APIs (all values in the two chunks are real numbers).
Both chunks have a new encoded type, a four-digit-precision fixed-point
number, which cannot be represented in the existing `png_fixed_point`
type, so a `png_uint_32` is used.
Test examples for cICP, cLLI and mDCV are now in pngtest.png, and a
necessary change to the pngunknown.c test program has been made to
accomodate the additions.
Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
cICP was written after PLTE, not before. The other chunks were output
in an order which does not match the new PNG-v3 "priority" order.
This change outputs all chunks in the "priority" order; highest
precedence first. This means that the PNGs so written conform to
PNG v3 (cICP), and allow a streaming app to handle chunks in order,
without buffering data which may later be overridden.
Note that PNG-v3 establishes the idea of dropping ancillary chunks
which are inconveniently ordered in the definition of how APNG chunks
are handled.
This is a cherry-pick of commit 945f2602a0ea05a7938b2f52df9ef16cf3440291
from branch 'libpng18'.
Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
Apply the following corrections and improvements:
* Add a validity check in `png_set_cICP`.
* Fix the ordering check in `png_handle_cICP`.
* Add a multiplicity check in `png_handle_cICP`.
* Optimize the implementation of `png_write_cICP`.
* Remove an unnecessary preprocessor guard from pngtest.c.
* Update the dependency declaration in pnglibconf.dfa.
* Fix the indentation where necessary.
This is a cherry-pick of commit c2a02691df1ecf51b7c97142752a7034350cb1f6
from branch 'libpng18'.
This chunk was added in the third edition of the PNG specification and
contains Coding Independent Code Points (related to color space
description). It is fairly simple as it only contains four fields of one
byte each: Colour Primaries, Transfer Function, Matrix Coefficients,
Video Full Range Flag.
The test file originally comes from the related WPT test case:
https://github.com/web-platform-tests/wpt/blob/master/png/support/cicp-display-p3.png
Note that I reencoded the file to make it match libpng's default
encoding parameters (it only modifies the IDAT chunk).
This is a cherry-pick of commit 65925ad4b2cbed934d5d850fe764dc46c4becbcb
from branch 'libpng18'.
Reviewed-by: John Bowler <jbowler@acm.org>
Reviewed-by: Chris Blume <ProgramMax@gmail.com>
Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
The leading blank lines are apparently an artefact of an older source
control system. They are not required and they look like accidents,
because starting a source file with a blank line is not a regular habit
of software developers nowadays.
This is a cherry-pick of commit 37cc20add8fb5b83bb5299a26cd3b41e0f776017
from branch 'libpng18'.
Signed-off-by: John Bowler <jbowler@acm.org>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
The write palette check is off-by-one when checking the maximum palette
index against the number of entries however, because of the
implementation, the simple correction would fail if no palette check had
been performed (for example for a non-palette image). This corrects
both errors so that the code outputs a warning (but not an error) if a
user of libpng writes an image with a PLTE which is one entry short.
The write palette check can be turned off on colour type 3 images
(colour mapping images) but this is done by setting the 'maximum'
palette index in the image to (-1). The ammended code works because it
only executes for paletted images, it is dependent on palette checks
being compiled in and they will always be checked unless the stored
'max' value is less than 0.
Signed-off-by: John Bowler <jbowler@acm.org>
EXIF data can be stored in an eXIf chunk before IDAT, or after IDAT,
but the entire PNG datastream may contain one eXIf chunk at most.
Introduce the private mode flag PNG_WROTE_eXIf, which is meant to be
used like the PNG_WROTE_tIME flag. The eXIf chunk and the tIME chunk
have the same ordering rules (i.e. no constraints are imposed), and
the same multiplicity rules (i.e. no multiples are allowed), and they
should be initialized and checked using the same algorithm.
This fixes commit cd03aaf7bf0e0c748b8c6cb34a56b402b40d61d0,
previously reverted in 3d57708c9166419b7f5e0bbda2f7a2149112c844.
Reported-by: Ben Bullock <benkasminbullock@gmail.com>
The second call to png_write_eXIf should not have been removed.
The first call to png_write_eXIf is for writing the eXIf chunk that is
positioned before IDAT, while the second call is for writing the eXIf
chunk that is positioned after IDAT.
TODO:
Implement a correct fix which consists in ensuring that there are no
eXIf chunks simultaneously before and after IDAT.
This reverts commit cd03aaf7bf0e0c748b8c6cb34a56b402b40d61d0.
This bug was found by FUTAG, a program for generating automated
fuzz-targets of libraries.
TODO:
Implement a safe function, alternative to png_convert_from_time_t,
which takes a png_ptr argument and raises a png_error if the time_t
argument is invalid.
Reported-by: Tran Chi Thien <thientc@ispras.ru>
Reported-by: Shamil Kurmangaleev <kursh@ispras.ru>
The second call to write_eXIf doesn't check whether the first call
succeeded; no other chunks except tIME and the text chunks seem to be
doubled like this.
The second call causes the eXIf chunk to incorrectly be written twice.
Move deallocation of riffled_palette from png_write_destroy to
png_read_destroy. The reader (not the writer) is the owner of
riffled_palette.
Move allocation and initialization of riffled_palette from
png_do_read_transformations to png_init_palette_transformations.
Allow riffled_palette inside png_struct only if the ARM Neon
optimizations are enabled.
Rename png_riffle_palette_rgba to png_riffle_palette_rgba8, etc.,
to better indicate the strict applicability of these routines.
Fix an unused parameter warning in the build configurations where
riffled palette optimization is not enabled.
Fix indentation.
As per the const correctness rules, top-level const-ness of data
in automatic scopes does not propagate outside of these scopes
(unlike const-ness at lower levels, such as pointers to const data).
Previously, const was used liberally, but inconsistently across the
libpng codebase. Using const wherever applicable is not incorrect.
However, _consistent_ use of const is difficult to maintain in such
conditions.
In conclusion, we shall continue to use const only where doing so is
strictly necessary:
1. If a function guarantees that it will not modify an argument
passed by pointer, the corresponding function parameter should be
a pointer-to-const (const T *).
2. Static data should not be modified, therefore it should be const.
Reference:
Google C++ Style Guide
https://google.github.io/styleguide/cppguide.html#Use_of_const
In v1.6.0, compiler support for const became a requirement.
It should be used consistently. To maintain backwards compatibility,
PNG_CONST is still maintained in deprecated form.
In v1.6.0, size_t became a required type. It should be used
consistently. To maintain backwards compatibility, png_size_t
is still maintained in deprecated form.
in pngwrite.c, and made various other fixes to png_write_eXIf().
Eliminated png_ptr->num_exif member from pngstruct.h and added num_exif
to arguments for png_get_eXIf() and png_set_eXIf().
result when integers appear on both sides of a compare. Worked around the
others by forcing the strict-overflow setting in the relevant functions to
a level where they are not reported.
Changed "FALL THROUGH" comments to "FALLTHROUGH" because GCC doesn't like
the space.
Worked around some C-style casts from (void*) because g++ 5.4.0 objects
to them.
Increased the buffer size for 'sprint' to pass the gcc 7.1.0 'sprint
overflow' check that is on by default with -Wall -Wextra.
Remove all currently detected cases of unsigned overflow. Detection is
runtime, so test case dependent. The changes to pngvalid.c eliminate
spurious and probably invalid tests with one while loop exception.
Apart from that and the change to the dependence on the intended
unsigned overflow in pngtrans.c the changes are limited to altering the
meme for an unsigned 'x' from:
while (x-- > 0)
to
for (; x > 0; --x)
This works because, in all cases, the control variable is not used in
the loop. The 'while' meme was, at one time, warn'ed by GCC so it is
probably a good change, for some weird religious value of good.
Signed-off-by: John Bowler <jbowler@acm.org>
This implements an API and provides a number of assist macros to allow an
application which uses the simplified API write to bypass stdio and write
directly to memory.
It also includes some warnings (png.h) and some check code to detect *possible*
overflow in the ROW_STRIDE and simplified image SIZE macros. This disallows
image width/height/format that *might* overflow. A quiet API change that limits
in-memory image size (uncompressed) to less that 4GByte and image row size
(stride) to less than 2GByte.
Signed-off-by: John Bowler <jbowler@acm.org>
input that was made in version 1.6.17beta01, to preserve legacy
behavior even though it was incorrect. Instead, added new API
png_set_filter_16() and png_set_add_alpha_16() that set a flag to
make png_do_read_filter() interpret the filler bytes properly.
