The palette index checking function is called by default but only if
some *other* transformation is happening. This makes the 'get palette
max' public API disfunctional (sometimes it works, sometimes it returns
0) and causes the supposed default behaviour of checking the palette
index only to work sometimes. It works in pngtest, it doesn't work in
pngcp.
The check in pngread also has an off-by-one error; the number recorded
is the highest index found so it should be checked to ensure that it is
less than the palette length but it was checked for being greater.
The pull request includes a set of 8 files which all have the full range
of possible indices including one (the highest) which is invalid because
the PLTE chunk is one short of the maximum for each bit depth.
Signed-off-by: John Bowler <jbowler@acm.org>
Remove all remaining "last changed" version info from source comments.
(The version control system maintains this information automatically.)
Delete the trailing whitespace characters.
Move deallocation of riffled_palette from png_write_destroy to
png_read_destroy. The reader (not the writer) is the owner of
riffled_palette.
Move allocation and initialization of riffled_palette from
png_do_read_transformations to png_init_palette_transformations.
Allow riffled_palette inside png_struct only if the ARM Neon
optimizations are enabled.
Rename png_riffle_palette_rgba to png_riffle_palette_rgba8, etc.,
to better indicate the strict applicability of these routines.
Fix an unused parameter warning in the build configurations where
riffled palette optimization is not enabled.
Fix indentation.
As per the const correctness rules, top-level const-ness of data
in automatic scopes does not propagate outside of these scopes
(unlike const-ness at lower levels, such as pointers to const data).
Previously, const was used liberally, but inconsistently across the
libpng codebase. Using const wherever applicable is not incorrect.
However, _consistent_ use of const is difficult to maintain in such
conditions.
In conclusion, we shall continue to use const only where doing so is
strictly necessary:
1. If a function guarantees that it will not modify an argument
passed by pointer, the corresponding function parameter should be
a pointer-to-const (const T *).
2. Static data should not be modified, therefore it should be const.
Reference:
Google C++ Style Guide
https://google.github.io/styleguide/cppguide.html#Use_of_const
In v1.6.0, compiler support for const became a requirement.
It should be used consistently. To maintain backwards compatibility,
PNG_CONST is still maintained in deprecated form.
In v1.6.0, size_t became a required type. It should be used
consistently. To maintain backwards compatibility, png_size_t
is still maintained in deprecated form.
result when integers appear on both sides of a compare. Worked around the
others by forcing the strict-overflow setting in the relevant functions to
a level where they are not reported.
Changed "FALL THROUGH" comments to "FALLTHROUGH" because GCC doesn't like
the space.
Worked around some C-style casts from (void*) because g++ 5.4.0 objects
to them.
Increased the buffer size for 'sprint' to pass the gcc 7.1.0 'sprint
overflow' check that is on by default with -Wall -Wextra.
Remove all currently detected cases of unsigned overflow. Detection is
runtime, so test case dependent. The changes to pngvalid.c eliminate
spurious and probably invalid tests with one while loop exception.
Apart from that and the change to the dependence on the intended
unsigned overflow in pngtrans.c the changes are limited to altering the
meme for an unsigned 'x' from:
while (x-- > 0)
to
for (; x > 0; --x)
This works because, in all cases, the control variable is not used in
the loop. The 'while' meme was, at one time, warn'ed by GCC so it is
probably a good change, for some weird religious value of good.
Signed-off-by: John Bowler <jbowler@acm.org>
This implements an API and provides a number of assist macros to allow an
application which uses the simplified API write to bypass stdio and write
directly to memory.
It also includes some warnings (png.h) and some check code to detect *possible*
overflow in the ROW_STRIDE and simplified image SIZE macros. This disallows
image width/height/format that *might* overflow. A quiet API change that limits
in-memory image size (uncompressed) to less that 4GByte and image row size
(stride) to less than 2GByte.
Signed-off-by: John Bowler <jbowler@acm.org>
input that was made in version 1.6.17beta01, to preserve legacy
behavior even though it was incorrect. Instead, added new API
png_set_filter_16() and png_set_add_alpha_16() that set a flag to
make png_do_read_filter() interpret the filler bytes properly.
0x8000 flag definitions on 16-bit systems. They aren't supported
yet the defs *probably* work, however it seems much safer to do this
and be advised if anyone, contrary to advice, is building libpng 1.6
on a 16-bit system. It also adds back various switch default clauses
for GCC; GCC errors out if they are not present (with an appropriately
high level of warnings).
