The internal read code change to stop sharing the palette was incompletely
implemented. The result is that unless palette index checking is turned off and
there are no read transformations the png_info palette gets deleted when the
png_struct is deleted. This is normally harmless (png_info gets deleted first)
but in the case of pngcp it results in use-after-free of the palette and,
therefore, palette corruption and maybe on some operating systems an access
violation.
This also updated pngcp 'search' mode to check a restricted range of memLevels;
there is an unrelated bug which means that lower zlib memLevels result in memory
corruption under some circumstances, probably less often than 1:1000.

Signed-off-by: John Bowler <jbowler@acm.org>

This removes the side-effect on the png_struct palette of calling png_set_PLTE
or png_set_tRNS. NOTE: this is a quiet API change, it was possible before to
alter the palette on a PNG image by using png_set_PLTE, but this was unintended
and inconsistent with the other png_set APIs.
Fix a bug in palette index checking; png_struct::num_palette could, in
principle, get changed by the transformations (e.g. png_set_quantize) and this
would invalidate the check. The palette checking init function now makes a copy
of png_struct::num_palette.
Fix a bug in pngvalid error handling. A png_error in png_write_info is not
continuable (a valid image cannot necessarily be written afterward) because the
png_error aborts the write of subsequent pre-IDAT chunks. In particular an
abort as a result of bogus colorspace information (gAMA, cHRM, sBIT etc)
prevents the write of the PLTE chunk.

Signed-off-by: John Bowler <jbowler@acm.org>

Fixes for sBIT handling in the low-bit-depth gray and pngstest cases, extends
sBIT handling to the colormap code in the simplified API which is separately
implemented in pngread.c.

Signed-off-by: John Bowler <jbowler@acm.org>

This fixes the code that optimizes RGB to Gray transformations that only
selected one channel and clarifies the handling of max_depth in the transform
code. It eliminates some UNTESTED cases and removes the write 'invert alpha'
UNTESTED macro because, while there are no test cases for it, code review
some months after writing it suggests it is ok.

Signed-off-by: John Bowler <jbowler@acm.org>

If a gamma encoded file that has a gamma not matching that of sRGB is passed to
the simplified API the previous code simply interpreted it as a power law
encoding. However old Mac files had a power law correction of 1.45 built in to
the encoding, even though the display devices were consistent with sRGB.
Assuming a power law encoding results in substantial differences in the
interpretation of low 8-bit values; below 10. For example an Apple '5' which is
equivalent to an sRGB '17' ends up as the value '8'.
This patch provides some measure of correction for this by making the gamma
correction done within the simplified API assume that any encoded data is
encoded relative to an sRGB-like transfer function; the data is corrected back
to the PNG-nominal 2.2 value then decoded to linear (if required) using the sRGB
transfer function.
This reduces the errors reported by pngstest for such files (colormapped ones)
but still leaves the issue with files where the standard libpng code does the
gamma decoding. To cope with the latter cases the patch also includes a new
pngstest-errors which allows the result, however this is still a
work-in-progress; a better solution is possible.

Signed-off-by: John Bowler <jbowler@acm.org>

One serious bug; 8 was forced as a bit depth when caching a palette, even though
the palette has been expanded. One less serious bug, the optimization for
avoiding gamma correction introduced significant errors if the app subsequently
did further corrections, only shown by using gAMA 1/1.52 files in pngstest.

Signed-off-by: John Bowler <jbowler@acm.org>

These should fix most of the reported Coverity issues. The remaining issues
should be the back_b etc assignments, which look like a Coverity bug, and
passing a pointer to a byte to a function that expects a pointer to one or more
bytes, which should (I believe) be fixed in one case and not the other
(next_filter) case; the latter case will probably go away as I am going to
rewrite that piece of code to avoid a spurious buffer allocation.

Signed-off-by: John Bowler <jbowler@acm.org>

Replaced by a structure copy which is safer since it doesn't depend on knowing
the first member to be copied, also the copies are improved to copy the
transform args too; not required at present but it may prevent a bug being
introduced in the future.

Signed-off-by: John Bowler <jbowler@acm.org>

The low-bit-depth gray tests were disabled in prior versions of libpng because
of problems which should have been fixed by the recent changes to libpng17,
enabling the tests reveals bugs in those changes which are fixed by this commit.

Signed-off-by: John Bowler <jbowler@acm.org>

This implements a new chunk parse implementation that can be shared, it
is currently shared by the progressive reader and the sequential one
(not, yet, the writer).
The patch also implements shared transform handling that is used
throughout.

Signed-off-by: John Bowler <jbowler@acm.org>

depend on READ_TRANSFORMS and moves all the transform gamma (READ_GAMMA)
code from elsewhere to png_tran.c. There are no code changes.
There is one remaining use of the gamma (16-bit) code in the simplified
API in pngread.c but that is because of a long-standing libpng bug,
namely that the gamma corrected palette is not produced by
png_read_update_info (John Bowler).
internal struct (png_transform_control) to replace row_info and uses
that to implement affirms correctly. The change also adds checks on
the rowbytes calculation and additional checks on most transform
implementations.
Added png_uint_16 range checking, pngvalid tRNS, fixed png_uint_16:
review of previous checks, removal of some where SAFE. pngvalid: add
testing of tRNS for better code coverage pngvalid: correct rgb-to-gray
error calculations. Code coverage is still incomplete: see /*UNTESTED*/
in pngrtran.c
added RELEASE/!RELEASE convenience macros. png_muldiv_warn was used in
only one place, and the overflow condition is a genuine warning not
an internal error. Four macros allow code or function parameters to be
conditional on RELEASE (or not) builds and tidy up the #ifdef handling of
functions.
Added 'assert' based overflow checking for debug builds for char
and short assignments. Simply ignore the error in release builds
(a truncated value will be used without warning). Controlled by
PNG_RANGE_CHECK_SUPPORTED.
scripts. Fixed combination of ~alpha with shift. On read invert alpha,
processing occurred after shift processing, which causes the final values to be
outside the range that should be produced by the shift. Reversing the
order on read makes the two transforms work together correctly and mirrors
the order used on write.
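
An added example (not libpng code and not part of the commit message above) modelling the ordering problem just described. It assumes an 8-bit alpha sample with 5 significant bits; the function names are hypothetical and the write-side shift is modelled as bit replication.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for illustration: 8-bit alpha samples with 5 significant bits. */
#define SIG_BITS 5u
#define MAX_SIG ((1u << SIG_BITS) - 1u)   /* 31 */

/* Read-side shift: keep only the significant bits (result 0..31). */
static uint8_t shift_down(uint8_t s) { return (uint8_t)(s >> (8u - SIG_BITS)); }

/* Write-side shift, modelled as bit replication up to 8 bits. */
static uint8_t shift_up(uint8_t v)
{
    return (uint8_t)((v << (8u - SIG_BITS)) | (v >> (2u * SIG_BITS - 8u)));
}

/* Invert an 8-bit alpha sample. */
static uint8_t invert(uint8_t s) { return (uint8_t)(255u - s); }

/* Write order: shift first, then invert the full-range sample. */
static uint8_t write_alpha(uint8_t v) { return invert(shift_up(v)); }

/* Old read order: shift, then invert (inversion acts on a 5-bit value). */
static uint8_t read_shift_then_invert(uint8_t s) { return invert(shift_down(s)); }

/* Fixed read order: invert, then shift (mirror image of the write order). */
static uint8_t read_invert_then_shift(uint8_t s) { return shift_down(invert(s)); }

/* Count application values 0..31 that do not survive write followed by read. */
static unsigned count_bad(uint8_t (*reader)(uint8_t))
{
    unsigned bad = 0;
    for (unsigned v = 0; v <= MAX_SIG; ++v) {
        uint8_t out = reader(write_alpha((uint8_t)v));
        if (out > MAX_SIG || out != v)
            ++bad;
    }
    return bad;
}

int main(void)
{
    printf("shift then invert: %u bad of %u, alpha 0 reads back as %u\n",
           count_bad(read_shift_then_invert), MAX_SIG + 1u,
           (unsigned)read_shift_then_invert(write_alpha(0)));
    printf("invert then shift: %u bad\n", count_bad(read_invert_then_shift));
    return 0;
}
```
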
instead of png_chunk_report(), which by default issues a warning
rather than an error, leading to later reading from a NULL pointer
(png_ptr->palette) in png_do_expand_palette().
internal functions called by png_do_{read|write}_transformations static.
On an x86-64 DLL build (Gentoo Linux) this reduces the size of the text
segment of the DLL by 1208 bytes, about 0.6%. It also simplifies
maintenance by removing the declarations from pngpriv.h and allowing
easier changes to the internal interfaces.
function definitions before the place where they are called so that
they can be made static. Move the intrapixel functions and the
grayscale palette builder out of the png?tran.c files. The latter
isn't a transform function and is no longer used internally, and the
former MNG specific functions are better placed in pngread/pngwrite.c
png_set of the transform function, but that doesn't matter unless the
transform function changes the rowbuf size, and that is only valid if
transform_info is called.
by earlier versions of GCC fixed for Cygwin and Min/GW (which both use old GCCs.)
ARM support is enabled by default in zlib.props (unsupported by Microsoft) and
ARM compilation is made possible by deleting the check for x86. The test programs
cannot be run because they are not signed.
sCAL APIs; some of these use floating point arithmetic so they need to be
disabled if floating point arithmetic is switched off. This is a quiet API
change - previously it appeared that the APIs were supported if fixed point
arithmetic was used internally, however they required certain APIs (floor,
modf, frexp, atof) that are part of C floating point support. Changed
png_fixed and the gamma code specific version of the same to avoid floor(),
which may be a library function (not an intrinsic). Removed unused #if 0
code.
png_malloc_default png_free_default.
Updated some left over "1.6.0beta32" in code sources.
Fixed a "png_structp" prototype (should be png_structrp) in arm_init.c
Updated the version-number hack in pngvalid.c
handling png_struct members rearranged - partly to reorder to avoid packing,
partly to put frequently accessed members at the start and partly to make
the grouping more clear. png_set_filter code has been rewritten and the
code shared with png_write_start_row moved to a common function. Comments
in png.h have been made more clear. Minor fixes to
contrib/libtests/timepng.c and some of the png_*_tRNS logic, including
more error detection in png_set_tRNS.
These changes cause 16-bit arithmetic to be used for 8-bit data in the gamma
corrected compose and grayscale operations. The arithmetic errors have
three sources all of which are fixed in this commit:
1) 8-bit linear calculations produce massive errors for lower intensity
values.
2) The old 16-bit "16 to 8" gamma table code erroneously wrote the lowest
output value into a table entry which corresponded to multiple output
values (so where the value written should have been the closest to the
transformed input value.)
3) In a number of cases the code to access the 16-bit table did not round;
it did a simple shift, which was wrong and made the side effects of (2)
even worse.
The new gamma code does not have the 16-to-8 problem at the cost of slightly
more calculations and the algorithm used to minimize the number of
calculations has been extended to all the 16-bit tables; it has advantages
for any significant gamma correction.