mirror of
				https://git.code.sf.net/p/libpng/code.git
				synced 2025-07-10 18:04:09 +02:00 
			
		
		
		
	 f8d3e854cb
			
		
	
	
		f8d3e854cb
		
	
	
	
	
		
			
			These should fix most of the reported Coverity issues. The remaining issues should be the back_b etc assignments, which look like a Coverity bug, and passing a pointer to a byte to a function that expects a pointer to one or more bytes, which should (I believe) be fixed in one case and not the other (next_filter) case; the latter case will probably go away as I am going to rewrite that piece of code to avoid a spurious buffer allocation. Signed-off-by: John Bowler <jbowler@acm.org>
		
			
				
	
	
		
			1242 lines
		
	
	
		
			38 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			1242 lines
		
	
	
		
			38 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| 
 | |
| /* pngerror.c - stub functions for i/o and memory allocation
 | |
|  *
 | |
|  * Last changed in libpng 1.7.0 [(PENDING RELEASE)]
 | |
|  * Copyright (c) 1998-2015 Glenn Randers-Pehrson
 | |
|  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 | |
|  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
 | |
|  *
 | |
|  * This code is released under the libpng license.
 | |
|  * For conditions of distribution and use, see the disclaimer
 | |
|  * and license in png.h
 | |
|  *
 | |
|  * This file provides a location for all error handling.  Users who
 | |
|  * need special error handling are expected to write replacement functions
 | |
|  * and use png_set_error_fn() to use those functions.  See the instructions
 | |
|  * at each function.
 | |
|  */
 | |
| 
 | |
| #include "pngpriv.h"
 | |
| #define PNG_SRC_FILE PNG_SRC_FILE_pngerror
 | |
| 
 | |
| #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
 | |
| 
 | |
| static PNG_FUNCTION(void, png_default_error,PNGARG((png_const_structrp png_ptr,
 | |
|     png_const_charp error_message)),PNG_NORETURN);
 | |
| 
 | |
| #ifdef PNG_WARNINGS_SUPPORTED
 | |
| static void /* PRIVATE */
 | |
| png_default_warning PNGARG((png_const_structrp png_ptr,
 | |
|    png_const_charp warning_message));
 | |
| #endif /* WARNINGS */
 | |
| 
 | |
| /* This function is called whenever there is a fatal error.  This function
 | |
|  * should not be changed.  If there is a need to handle errors differently,
 | |
|  * you should supply a replacement error function and use png_set_error_fn()
 | |
|  * to replace the error function at run-time.
 | |
|  */
 | |
| #ifdef PNG_ERROR_TEXT_SUPPORTED
 | |
| PNG_FUNCTION(void,PNGAPI
 | |
| png_error,(png_const_structrp png_ptr, png_const_charp error_message),
 | |
|    PNG_NORETURN)
 | |
| {
 | |
| #ifdef PNG_ERROR_NUMBERS_SUPPORTED
 | |
|    char msg[16];
 | |
|    if (png_ptr != NULL)
 | |
|    {
 | |
|       if ((png_ptr->flags &
 | |
|          (PNG_FLAG_STRIP_ERROR_NUMBERS|PNG_FLAG_STRIP_ERROR_TEXT)) != 0)
 | |
|       {
 | |
|          if (*error_message == PNG_LITERAL_SHARP)
 | |
|          {
 | |
|             /* Strip "#nnnn " from beginning of error message. */
 | |
|             int offset;
 | |
|             for (offset = 1; offset<15; offset++)
 | |
|                if (error_message[offset] == ' ')
 | |
|                   break;
 | |
| 
 | |
|             if ((png_ptr->flags & PNG_FLAG_STRIP_ERROR_TEXT) != 0)
 | |
|             {
 | |
|                int i;
 | |
|                for (i = 0; i < offset - 1; i++)
 | |
|                   msg[i] = error_message[i + 1];
 | |
|                msg[i - 1] = '\0';
 | |
|                error_message = msg;
 | |
|             }
 | |
| 
 | |
|             else
 | |
|                error_message += offset;
 | |
|       }
 | |
| 
 | |
|       else
 | |
|       {
 | |
|          if ((png_ptr->flags & PNG_FLAG_STRIP_ERROR_TEXT) != 0)
 | |
|          {
 | |
|             msg[0] = '0';
 | |
|             msg[1] = '\0';
 | |
|             error_message = msg;
 | |
|          }
 | |
|        }
 | |
|      }
 | |
|    }
 | |
| #endif
 | |
|    if (png_ptr != NULL && png_ptr->error_fn != NULL)
 | |
|       (*(png_ptr->error_fn))(png_constcast(png_structrp,png_ptr),
 | |
|           error_message);
 | |
| 
 | |
|    /* If the custom handler doesn't exist, or if it returns,
 | |
|       use the default handler, which will not return. */
 | |
|    png_default_error(png_ptr, error_message);
 | |
| }
 | |
| #else
 | |
| PNG_FUNCTION(void,PNGAPI
 | |
| png_err,(png_const_structrp png_ptr),PNG_NORETURN)
 | |
| {
 | |
|    /* Prior to 1.5.2 the error_fn received a NULL pointer, expressed
 | |
|     * erroneously as '\0', instead of the empty string "".  This was
 | |
|     * apparently an error, introduced in libpng-1.2.20, and png_default_error
 | |
|     * will crash in this case.
 | |
|     */
 | |
|    if (png_ptr != NULL && png_ptr->error_fn != NULL)
 | |
|       (*(png_ptr->error_fn))(png_constcast(png_structrp,png_ptr), "");
 | |
| 
 | |
|    /* If the custom handler doesn't exist, or if it returns,
 | |
|       use the default handler, which will not return. */
 | |
|    png_default_error(png_ptr, "");
 | |
| }
 | |
| #endif /* ERROR_TEXT */
 | |
| 
 | |
| /* Utility to safely appends strings to a buffer.  This never errors out so
 | |
|  * error checking is not required in the caller.
 | |
|  */
 | |
| size_t
 | |
| png_safecat(png_charp buffer, size_t bufsize, size_t pos,
 | |
|    png_const_charp string)
 | |
| {
 | |
|    if (buffer != NULL && pos < bufsize)
 | |
|    {
 | |
|       if (string != NULL)
 | |
|          while (*string != '\0' && pos < bufsize-1)
 | |
|            buffer[pos++] = *string++;
 | |
| 
 | |
|       buffer[pos] = '\0';
 | |
|    }
 | |
| 
 | |
|    return pos;
 | |
| }
 | |
| 
 | |
| #if defined(PNG_WARNINGS_SUPPORTED) || defined(PNG_TIME_RFC1123_SUPPORTED)
 | |
| /* Utility to dump an unsigned value into a buffer, given a start pointer and
 | |
|  * and end pointer (which should point just *beyond* the end of the buffer!)
 | |
|  * Returns the pointer to the start of the formatted string.
 | |
|  */
 | |
| #define PNG_HAVE_FORMAT_NUMBER /* for the code below */
 | |
| png_charp
 | |
| png_format_number(png_const_charp start, png_charp end, int format,
 | |
|    png_alloc_size_t number)
 | |
| {
 | |
|    int count = 0;    /* number of digits output */
 | |
|    int mincount = 1; /* minimum number required */
 | |
|    int output = 0;   /* digit output (for the fixed point format) */
 | |
| 
 | |
|    *--end = '\0';
 | |
| 
 | |
|    /* This is written so that the loop always runs at least once, even with
 | |
|     * number zero.
 | |
|     */
 | |
|    while (end > start && (number != 0 || count < mincount))
 | |
|    {
 | |
| 
 | |
|       static const char digits[] = "0123456789ABCDEF";
 | |
| 
 | |
|       switch (format)
 | |
|       {
 | |
|          case PNG_NUMBER_FORMAT_fixed:
 | |
|             /* Needs five digits (the fraction) */
 | |
|             mincount = 5;
 | |
|             if (output != 0 || number % 10 != 0)
 | |
|             {
 | |
|                *--end = digits[number % 10];
 | |
|                output = 1;
 | |
|             }
 | |
|             number /= 10;
 | |
|             break;
 | |
| 
 | |
|          case PNG_NUMBER_FORMAT_02u:
 | |
|             /* Expects at least 2 digits. */
 | |
|             mincount = 2;
 | |
|             /* FALL THROUGH */
 | |
| 
 | |
|          case PNG_NUMBER_FORMAT_u:
 | |
|             *--end = digits[number % 10];
 | |
|             number /= 10;
 | |
|             break;
 | |
| 
 | |
|          case PNG_NUMBER_FORMAT_02x:
 | |
|             /* This format expects at least two digits */
 | |
|             mincount = 2;
 | |
|             /* FALL THROUGH */
 | |
| 
 | |
|          case PNG_NUMBER_FORMAT_x:
 | |
|             *--end = digits[number & 0xf];
 | |
|             number >>= 4;
 | |
|             break;
 | |
| 
 | |
|          default: /* an error */
 | |
|             number = 0;
 | |
|             break;
 | |
|       }
 | |
| 
 | |
|       /* Keep track of the number of digits added */
 | |
|       ++count;
 | |
| 
 | |
|       /* Float a fixed number here: */
 | |
|       if ((format == PNG_NUMBER_FORMAT_fixed) && (count == 5) && (end > start))
 | |
|       {
 | |
|          /* End of the fraction, but maybe nothing was output?  In that case
 | |
|           * drop the decimal point.  If the number is a true zero handle that
 | |
|           * here.
 | |
|           */
 | |
|          if (output != 0)
 | |
|             *--end = '.';
 | |
|          else if (number == 0) /* and !output */
 | |
|             *--end = '0';
 | |
|       }
 | |
|    }
 | |
| 
 | |
|    return end;
 | |
| }
 | |
| #endif
 | |
| 
 | |
| #ifdef PNG_WARNINGS_SUPPORTED
 | |
| /* This function is called whenever there is a non-fatal error.  This function
 | |
|  * should not be changed.  If there is a need to handle warnings differently,
 | |
|  * you should supply a replacement warning function and use
 | |
|  * png_set_error_fn() to replace the warning function at run-time.
 | |
|  */
 | |
| void PNGAPI
 | |
| png_warning(png_const_structrp png_ptr, png_const_charp warning_message)
 | |
| {
 | |
|    int offset = 0;
 | |
|    if (png_ptr != NULL)
 | |
|    {
 | |
| #ifdef PNG_ERROR_NUMBERS_SUPPORTED
 | |
|    if ((png_ptr->flags &
 | |
|        (PNG_FLAG_STRIP_ERROR_NUMBERS|PNG_FLAG_STRIP_ERROR_TEXT)) != 0)
 | |
| #endif
 | |
|       {
 | |
|          if (*warning_message == PNG_LITERAL_SHARP)
 | |
|          {
 | |
|             for (offset = 1; offset < 15; offset++)
 | |
|                if (warning_message[offset] == ' ')
 | |
|                   break;
 | |
|          }
 | |
|       }
 | |
|    }
 | |
|    if (png_ptr != NULL && png_ptr->warning_fn != NULL)
 | |
|       (*(png_ptr->warning_fn))(png_constcast(png_structrp,png_ptr),
 | |
|          warning_message + offset);
 | |
|    else
 | |
|       png_default_warning(png_ptr, warning_message + offset);
 | |
| }
 | |
| 
 | |
| /* These functions support 'formatted' warning messages with up to
 | |
|  * PNG_WARNING_PARAMETER_COUNT parameters.  In the format string the parameter
 | |
|  * is introduced by @<number>, where 'number' starts at 1.  This follows the
 | |
|  * standard established by X/Open for internationalizable error messages.
 | |
|  */
 | |
| void
 | |
| png_warning_parameter(png_warning_parameters p, int number,
 | |
|    png_const_charp string)
 | |
| {
 | |
|    if (number > 0 && number <= PNG_WARNING_PARAMETER_COUNT)
 | |
|       (void)png_safecat(p[number-1], (sizeof p[number-1]), 0, string);
 | |
| }
 | |
| 
 | |
| void
 | |
| png_warning_parameter_unsigned(png_warning_parameters p, int number, int format,
 | |
|    png_alloc_size_t value)
 | |
| {
 | |
|    char buffer[PNG_NUMBER_BUFFER_SIZE];
 | |
|    png_warning_parameter(p, number, PNG_FORMAT_NUMBER(buffer, format, value));
 | |
| }
 | |
| 
 | |
| void
 | |
| png_warning_parameter_signed(png_warning_parameters p, int number, int format,
 | |
|    png_int_32 value)
 | |
| {
 | |
|    png_alloc_size_t u;
 | |
|    png_charp str;
 | |
|    char buffer[PNG_NUMBER_BUFFER_SIZE];
 | |
| 
 | |
|    /* Avoid overflow by doing the negate in a png_alloc_size_t: */
 | |
|    u = (png_alloc_size_t)value;
 | |
|    if (value < 0)
 | |
|       u = ~u + 1;
 | |
| 
 | |
|    str = PNG_FORMAT_NUMBER(buffer, format, u);
 | |
| 
 | |
|    if (value < 0 && str > buffer)
 | |
|       *--str = '-';
 | |
| 
 | |
|    png_warning_parameter(p, number, str);
 | |
| }
 | |
| 
 | |
| void
 | |
| png_formatted_warning(png_const_structrp png_ptr, png_warning_parameters p,
 | |
|    png_const_charp message)
 | |
| {
 | |
|    /* The internal buffer is just 192 bytes - enough for all our messages,
 | |
|     * overflow doesn't happen because this code checks!  If someone figures
 | |
|     * out how to send us a message longer than 192 bytes, all that will
 | |
|     * happen is that the message will be truncated appropriately.
 | |
|     */
 | |
|    size_t i = 0; /* Index in the msg[] buffer: */
 | |
|    char msg[192];
 | |
| 
 | |
|    /* Each iteration through the following loop writes at most one character
 | |
|     * to msg[i++] then returns here to validate that there is still space for
 | |
|     * the trailing '\0'.  It may (in the case of a parameter) read more than
 | |
|     * one character from message[]; it must check for '\0' and continue to the
 | |
|     * test if it finds the end of string.
 | |
|     */
 | |
|    while (i<(sizeof msg)-1 && *message != '\0')
 | |
|    {
 | |
|       /* '@' at end of string is now just printed (previously it was skipped);
 | |
|        * it is an error in the calling code to terminate the string with @.
 | |
|        */
 | |
|       if (p != NULL && *message == '@' && message[1] != '\0')
 | |
|       {
 | |
|          int parameter_char = *++message; /* Consume the '@' */
 | |
|          static const char valid_parameters[] = "123456789";
 | |
|          int parameter = 0;
 | |
| 
 | |
|          /* Search for the parameter digit, the index in the string is the
 | |
|           * parameter to use.
 | |
|           */
 | |
|          while (valid_parameters[parameter] != parameter_char &&
 | |
|             valid_parameters[parameter] != '\0')
 | |
|             ++parameter;
 | |
| 
 | |
|          /* If the parameter digit is out of range it will just get printed. */
 | |
|          if (parameter < PNG_WARNING_PARAMETER_COUNT)
 | |
|          {
 | |
|             /* Append this parameter */
 | |
|             png_const_charp parm = p[parameter];
 | |
|             png_const_charp pend = p[parameter] + (sizeof p[parameter]);
 | |
| 
 | |
|             /* No need to copy the trailing '\0' here, but there is no guarantee
 | |
|              * that parm[] has been initialized, so there is no guarantee of a
 | |
|              * trailing '\0':
 | |
|              */
 | |
|             while (i<(sizeof msg)-1 && *parm != '\0' && parm < pend)
 | |
|                msg[i++] = *parm++;
 | |
| 
 | |
|             /* Consume the parameter digit too: */
 | |
|             ++message;
 | |
|             continue;
 | |
|          }
 | |
| 
 | |
|          /* else not a parameter and there is a character after the @ sign; just
 | |
|           * copy that.  This is known not to be '\0' because of the test above.
 | |
|           */
 | |
|       }
 | |
| 
 | |
|       /* At this point *message can't be '\0', even in the bad parameter case
 | |
|        * above where there is a lone '@' at the end of the message string.
 | |
|        */
 | |
|       msg[i++] = *message++;
 | |
|    }
 | |
| 
 | |
|    /* i is always less than (sizeof msg), so: */
 | |
|    msg[i] = '\0';
 | |
| 
 | |
|    /* And this is the formatted message. It may be larger than
 | |
|     * PNG_MAX_ERROR_TEXT, but that is only used for 'chunk' errors and these
 | |
|     * are not (currently) formatted.
 | |
|     */
 | |
|    png_warning(png_ptr, msg);
 | |
| }
 | |
| #endif /* WARNINGS */
 | |
| 
 | |
| #ifdef PNG_BENIGN_ERRORS_SUPPORTED
 | |
| void PNGAPI
 | |
| png_benign_error(png_const_structrp png_ptr, png_const_charp error_message)
 | |
| {
 | |
|    if ((png_ptr->flags & PNG_FLAG_BENIGN_ERRORS_WARN) != 0)
 | |
|    {
 | |
| #     ifdef PNG_READ_SUPPORTED
 | |
|          if (png_ptr->read_struct && png_ptr->chunk_name != 0)
 | |
|             png_chunk_warning(png_ptr, error_message);
 | |
|          else
 | |
| #     endif
 | |
|       png_warning(png_ptr, error_message);
 | |
|    }
 | |
| 
 | |
|    else
 | |
|    {
 | |
| #     ifdef PNG_READ_SUPPORTED
 | |
|          if (png_ptr->read_struct && png_ptr->chunk_name != 0)
 | |
|             png_chunk_error(png_ptr, error_message);
 | |
|          else
 | |
| #     endif
 | |
|       png_error(png_ptr, error_message);
 | |
|    }
 | |
| 
 | |
| #  ifndef PNG_ERROR_TEXT_SUPPORTED
 | |
|       PNG_UNUSED(error_message)
 | |
| #  endif
 | |
| }
 | |
| 
 | |
| void /* PRIVATE */
 | |
| png_app_warning(png_const_structrp png_ptr, png_const_charp error_message)
 | |
| {
 | |
|   if ((png_ptr->flags & PNG_FLAG_APP_WARNINGS_WARN) != 0)
 | |
|      png_warning(png_ptr, error_message);
 | |
|   else
 | |
|      png_error(png_ptr, error_message);
 | |
| 
 | |
| #  ifndef PNG_ERROR_TEXT_SUPPORTED
 | |
|       PNG_UNUSED(error_message)
 | |
| #  endif
 | |
| }
 | |
| 
 | |
| void /* PRIVATE */
 | |
| png_app_error(png_const_structrp png_ptr, png_const_charp error_message)
 | |
| {
 | |
|   if ((png_ptr->flags & PNG_FLAG_APP_ERRORS_WARN) != 0)
 | |
|      png_warning(png_ptr, error_message);
 | |
|   else
 | |
|      png_error(png_ptr, error_message);
 | |
| 
 | |
| #  ifndef PNG_ERROR_TEXT_SUPPORTED
 | |
|       PNG_UNUSED(error_message)
 | |
| #  endif
 | |
| }
 | |
| #endif /* BENIGN_ERRORS */
 | |
| 
 | |
| #define PNG_MAX_ERROR_TEXT 196 /* Currently limited by profile_error in png.c */
 | |
| #if defined(PNG_WARNINGS_SUPPORTED) || \
 | |
|    (defined(PNG_READ_SUPPORTED) && defined(PNG_ERROR_TEXT_SUPPORTED))
 | |
| /* These utilities are used internally to build an error message that relates
 | |
|  * to the current chunk.  The chunk name comes from png_ptr->chunk_name unless
 | |
|  * png_ptr->zowner is set in which case that is used in preference.  This is
 | |
|  * used to prefix the message.  The message is limited in length to 63 bytes.
 | |
|  * The name characters are output as hex digits wrapped in [] if the character
 | |
|  * is invalid.
 | |
|  *
 | |
|  * Using 'zowner' means that IDAT errors at the end of the IDAT stream are still
 | |
|  * reported as from the IDAT chunks.
 | |
|  */
 | |
| #define isnonalpha(c) ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
 | |
| static PNG_CONST char png_digit[16] = {
 | |
|    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
 | |
|    'A', 'B', 'C', 'D', 'E', 'F'
 | |
| };
 | |
| 
 | |
| static void /* PRIVATE */
 | |
| png_format_buffer(png_const_structrp png_ptr, png_charp buffer, png_const_charp
 | |
|     error_message)
 | |
| {
 | |
|    png_uint_32 chunk_name = png_ptr->zowner;
 | |
|    int iout = 0, ishift = 24;
 | |
| 
 | |
|    if (chunk_name == 0)
 | |
|       chunk_name = png_ptr->chunk_name;
 | |
| 
 | |
|    while (ishift >= 0)
 | |
|    {
 | |
|       int c = (int)(chunk_name >> ishift) & 0xff;
 | |
| 
 | |
|       ishift -= 8;
 | |
|       if (isnonalpha(c) != 0)
 | |
|       {
 | |
|          buffer[iout++] = PNG_LITERAL_LEFT_SQUARE_BRACKET;
 | |
|          buffer[iout++] = png_digit[(c & 0xf0) >> 4];
 | |
|          buffer[iout++] = png_digit[c & 0x0f];
 | |
|          buffer[iout++] = PNG_LITERAL_RIGHT_SQUARE_BRACKET;
 | |
|       }
 | |
| 
 | |
|       else
 | |
|       {
 | |
|          buffer[iout++] = png_check_char(png_ptr, c);
 | |
|       }
 | |
|    }
 | |
| 
 | |
|    if (error_message == NULL)
 | |
|       buffer[iout] = '\0';
 | |
| 
 | |
|    else
 | |
|    {
 | |
|       int iin = 0;
 | |
| 
 | |
|       buffer[iout++] = ':';
 | |
|       buffer[iout++] = ' ';
 | |
| 
 | |
|       while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
 | |
|          buffer[iout++] = error_message[iin++];
 | |
| 
 | |
|       /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
 | |
|       buffer[iout] = '\0';
 | |
|    }
 | |
| }
 | |
| #endif /* WARNINGS || ERROR_TEXT */
 | |
| 
 | |
| #if defined(PNG_READ_SUPPORTED) && defined(PNG_ERROR_TEXT_SUPPORTED)
 | |
| PNG_FUNCTION(void,PNGAPI
 | |
| png_chunk_error,(png_const_structrp png_ptr, png_const_charp error_message),
 | |
|    PNG_NORETURN)
 | |
| {
 | |
|    char msg[18+PNG_MAX_ERROR_TEXT];
 | |
|    if (png_ptr == NULL)
 | |
|       png_error(png_ptr, error_message);
 | |
| 
 | |
|    else
 | |
|    {
 | |
|       png_format_buffer(png_ptr, msg, error_message);
 | |
|       png_error(png_ptr, msg);
 | |
|    }
 | |
| }
 | |
| #endif /* READ && ERROR_TEXT */
 | |
| 
 | |
| #ifdef PNG_WARNINGS_SUPPORTED
 | |
| void PNGAPI
 | |
| png_chunk_warning(png_const_structrp png_ptr, png_const_charp warning_message)
 | |
| {
 | |
|    char msg[18+PNG_MAX_ERROR_TEXT];
 | |
|    if (png_ptr == NULL)
 | |
|       png_warning(png_ptr, warning_message);
 | |
| 
 | |
|    else
 | |
|    {
 | |
|       png_format_buffer(png_ptr, msg, warning_message);
 | |
|       png_warning(png_ptr, msg);
 | |
|    }
 | |
| }
 | |
| #endif /* WARNINGS */
 | |
| 
 | |
| #ifdef PNG_READ_SUPPORTED
 | |
| #ifdef PNG_BENIGN_ERRORS_SUPPORTED
 | |
| void PNGAPI
 | |
| png_chunk_benign_error(png_const_structrp png_ptr, png_const_charp
 | |
|     error_message)
 | |
| {
 | |
|    if ((png_ptr->flags & PNG_FLAG_BENIGN_ERRORS_WARN) != 0)
 | |
|       png_chunk_warning(png_ptr, error_message);
 | |
| 
 | |
|    else
 | |
|       png_chunk_error(png_ptr, error_message);
 | |
| 
 | |
| #  ifndef PNG_ERROR_TEXT_SUPPORTED
 | |
|       PNG_UNUSED(error_message)
 | |
| #  endif
 | |
| }
 | |
| #endif
 | |
| #endif /* READ */
 | |
| 
 | |
| void /* PRIVATE */
 | |
| (png_chunk_report)(png_const_structrp png_ptr, png_const_charp message,
 | |
|    int error)
 | |
| {
 | |
|    /* This is always supported, but for just read or just write it
 | |
|     * unconditionally does the right thing.
 | |
|     */
 | |
| #  if defined(PNG_READ_SUPPORTED) && defined(PNG_WRITE_SUPPORTED)
 | |
|       if (png_ptr->read_struct)
 | |
| #  endif
 | |
| 
 | |
| #  ifdef PNG_READ_SUPPORTED
 | |
|       {
 | |
|          if (error < PNG_CHUNK_ERROR)
 | |
|             png_chunk_warning(png_ptr, message);
 | |
| 
 | |
|          else if (error < PNG_CHUNK_FATAL)
 | |
|             png_chunk_benign_error(png_ptr, message);
 | |
| 
 | |
|          else
 | |
|             png_chunk_error(png_ptr, message);
 | |
|       }
 | |
| #  endif
 | |
| 
 | |
| #  if defined(PNG_READ_SUPPORTED) && defined(PNG_WRITE_SUPPORTED)
 | |
|       else if (!png_ptr->read_struct)
 | |
| #  endif
 | |
| 
 | |
| #  ifdef PNG_WRITE_SUPPORTED
 | |
|       {
 | |
|          if (error < PNG_CHUNK_WRITE_ERROR)
 | |
|             png_app_warning(png_ptr, message);
 | |
| 
 | |
|          else if (error < PNG_CHUNK_FATAL)
 | |
|             png_app_error(png_ptr, message);
 | |
| 
 | |
|          else
 | |
|             png_error(png_ptr, message);
 | |
|       }
 | |
| #  endif
 | |
| 
 | |
| #  ifndef PNG_ERROR_TEXT_SUPPORTED
 | |
|       PNG_UNUSED(message)
 | |
| #  endif
 | |
| }
 | |
| 
 | |
| #ifdef PNG_ERROR_TEXT_SUPPORTED
 | |
| 
 | |
| #if defined(PNG_FLOATING_POINT_SUPPORTED) && \
 | |
|    (defined(PNG_gAMA_SUPPORTED) || defined(PNG_cHRM_SUPPORTED) || \
 | |
|    defined(PNG_sCAL_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED) || \
 | |
|    defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) || \
 | |
|    (defined(PNG_FLOATING_ARITHMETIC_SUPPORTED) &&\
 | |
|    defined(PNG_sCAL_SUPPORTED))
 | |
| PNG_FUNCTION(void,
 | |
| png_fixed_error,(png_const_structrp png_ptr, png_const_charp name),PNG_NORETURN)
 | |
| {
 | |
| #  define fixed_message "fixed point overflow in "
 | |
| #  define fixed_message_ln ((sizeof fixed_message)-1)
 | |
|    int  iin;
 | |
|    char msg[fixed_message_ln+PNG_MAX_ERROR_TEXT];
 | |
|    memcpy(msg, fixed_message, fixed_message_ln);
 | |
|    iin = 0;
 | |
|    if (name != NULL)
 | |
|       while (iin < (PNG_MAX_ERROR_TEXT-1) && name[iin] != 0)
 | |
|       {
 | |
|          msg[fixed_message_ln + iin] = name[iin];
 | |
|          ++iin;
 | |
|       }
 | |
|    msg[fixed_message_ln + iin] = 0;
 | |
|    png_error(png_ptr, msg);
 | |
| }
 | |
| #endif
 | |
| #endif
 | |
| 
 | |
| #ifdef PNG_SETJMP_SUPPORTED
 | |
| /* This API only exists if ANSI-C style error handling is used,
 | |
|  * otherwise it is necessary for png_default_error to be overridden.
 | |
|  */
 | |
| jmp_buf* PNGAPI
 | |
| png_set_longjmp_fn(png_structrp png_ptr, png_longjmp_ptr longjmp_fn,
 | |
|     size_t jmp_buf_size)
 | |
| {
 | |
|    /* From libpng 1.6.0 the app gets one chance to set a 'jmpbuf_size' value
 | |
|     * and it must not change after that.  Libpng doesn't care how big the
 | |
|     * buffer is, just that it doesn't change.
 | |
|     *
 | |
|     * If the buffer size is no *larger* than the size of jmp_buf when libpng is
 | |
|     * compiled a built in jmp_buf is returned; this preserves the pre-1.6.0
 | |
|     * semantics that this call will not fail.  If the size is larger, however,
 | |
|     * the buffer is allocated and this may fail, causing the function to return
 | |
|     * NULL.
 | |
|     */
 | |
|    if (png_ptr == NULL)
 | |
|       return NULL;
 | |
| 
 | |
|    if (png_ptr->jmp_buf_ptr == NULL)
 | |
|    {
 | |
|       png_ptr->jmp_buf_size = 0; /* not allocated */
 | |
| 
 | |
|       if (jmp_buf_size <= (sizeof png_ptr->jmp_buf_local))
 | |
|          png_ptr->jmp_buf_ptr = &png_ptr->jmp_buf_local;
 | |
| 
 | |
|       else
 | |
|       {
 | |
|          png_ptr->jmp_buf_ptr = png_voidcast(jmp_buf *,
 | |
|             png_malloc_warn(png_ptr, jmp_buf_size));
 | |
| 
 | |
|          if (png_ptr->jmp_buf_ptr == NULL)
 | |
|             return NULL; /* new NULL return on OOM */
 | |
| 
 | |
|          png_ptr->jmp_buf_size = jmp_buf_size;
 | |
|       }
 | |
|    }
 | |
| 
 | |
|    else /* Already allocated: check the size */
 | |
|    {
 | |
|       size_t size = png_ptr->jmp_buf_size;
 | |
| 
 | |
|       if (size == 0)
 | |
|       {
 | |
|          size = (sizeof png_ptr->jmp_buf_local);
 | |
|          if (png_ptr->jmp_buf_ptr != &png_ptr->jmp_buf_local)
 | |
|          {
 | |
|             /* This is an internal error in libpng: somehow we have been left
 | |
|              * with a stack allocated jmp_buf when the application regained
 | |
|              * control.  It's always possible to fix this up, but for the moment
 | |
|              * this is an affirm because that makes it easy to detect.
 | |
|              */
 | |
|             impossible("Libpng jmp_buf still allocated");
 | |
|             /* png_ptr->jmp_buf_ptr = &png_ptr->jmp_buf_local; */
 | |
|          }
 | |
|       }
 | |
| 
 | |
|       if (size != jmp_buf_size)
 | |
|       {
 | |
|          png_warning(png_ptr, "Application jmp_buf size changed");
 | |
|          return NULL; /* caller will probably crash: no choice here */
 | |
|       }
 | |
|    }
 | |
| 
 | |
|    /* Finally fill in the function, now we have a satisfactory buffer. It is
 | |
|     * valid to change the function on every call.
 | |
|     */
 | |
|    png_ptr->longjmp_fn = longjmp_fn;
 | |
|    return png_ptr->jmp_buf_ptr;
 | |
| }
 | |
| 
 | |
| void /* PRIVATE */
 | |
| png_free_jmpbuf(png_structrp png_ptr)
 | |
| {
 | |
|    if (png_ptr != NULL)
 | |
|    {
 | |
|       jmp_buf *jb = png_ptr->jmp_buf_ptr;
 | |
| 
 | |
|       /* A size of 0 is used to indicate a local, stack, allocation of the
 | |
|        * pointer; used here and in png.c
 | |
|        */
 | |
|       if (jb != NULL && png_ptr->jmp_buf_size > 0)
 | |
|       {
 | |
| 
 | |
|          /* This stuff is so that a failure to free the error control structure
 | |
|           * does not leave libpng in a state with no valid error handling: the
 | |
|           * free always succeeds, if there is an error it gets ignored.
 | |
|           */
 | |
|          if (jb != &png_ptr->jmp_buf_local)
 | |
|          {
 | |
|             /* Make an internal, libpng, jmp_buf to return here */
 | |
|             jmp_buf free_jmp_buf;
 | |
| 
 | |
|             if (!setjmp(free_jmp_buf))
 | |
|             {
 | |
|                png_ptr->jmp_buf_ptr = &free_jmp_buf; /* come back here */
 | |
|                png_ptr->jmp_buf_size = 0; /* stack allocation */
 | |
|                png_ptr->longjmp_fn = longjmp;
 | |
|                png_free(png_ptr, jb); /* Return to setjmp on error */
 | |
|             }
 | |
|          }
 | |
|       }
 | |
| 
 | |
|       /* *Always* cancel everything out: */
 | |
|       png_ptr->jmp_buf_size = 0;
 | |
|       png_ptr->jmp_buf_ptr = NULL;
 | |
|       png_ptr->longjmp_fn = 0;
 | |
|    }
 | |
| }
 | |
| #endif
 | |
| 
 | |
| /* This is the default error handling function.  Note that replacements for
 | |
|  * this function MUST NOT RETURN, or the program will likely crash.  This
 | |
|  * function is used by default, or if the program supplies NULL for the
 | |
|  * error function pointer in png_set_error_fn().
 | |
|  */
 | |
| static PNG_FUNCTION(void /* PRIVATE */,
 | |
| png_default_error,(png_const_structrp png_ptr, png_const_charp error_message),
 | |
|    PNG_NORETURN)
 | |
| {
 | |
| #ifdef PNG_CONSOLE_IO_SUPPORTED
 | |
| #ifdef PNG_ERROR_NUMBERS_SUPPORTED
 | |
|    /* Check on NULL only added in 1.5.4 */
 | |
|    if (error_message != NULL && *error_message == PNG_LITERAL_SHARP)
 | |
|    {
 | |
|       /* Strip "#nnnn " from beginning of error message. */
 | |
|       int offset;
 | |
|       char error_number[16];
 | |
|       for (offset = 0; offset<15; offset++)
 | |
|       {
 | |
|          error_number[offset] = error_message[offset + 1];
 | |
|          if (error_message[offset] == ' ')
 | |
|             break;
 | |
|       }
 | |
| 
 | |
|       if ((offset > 1) && (offset < 15))
 | |
|       {
 | |
|          error_number[offset - 1] = '\0';
 | |
|          fprintf(stderr, "libpng error no. %s: %s",
 | |
|              error_number, error_message + offset + 1);
 | |
|          fprintf(stderr, PNG_STRING_NEWLINE);
 | |
|       }
 | |
| 
 | |
|       else
 | |
|       {
 | |
|          fprintf(stderr, "libpng error: %s, offset=%d",
 | |
|              error_message, offset);
 | |
|          fprintf(stderr, PNG_STRING_NEWLINE);
 | |
|       }
 | |
|    }
 | |
|    else
 | |
| #endif
 | |
|    {
 | |
|       fprintf(stderr, "libpng error: %s", error_message ? error_message :
 | |
|          "undefined");
 | |
|       fprintf(stderr, PNG_STRING_NEWLINE);
 | |
|    }
 | |
| #else
 | |
|    PNG_UNUSED(error_message) /* Make compiler happy */
 | |
| #endif
 | |
|    png_longjmp(png_ptr, 1);
 | |
| }
 | |
| 
 | |
| PNG_FUNCTION(void,PNGAPI
 | |
| png_longjmp,(png_const_structrp png_ptr, int val),PNG_NORETURN)
 | |
| {
 | |
| #ifdef PNG_SETJMP_SUPPORTED
 | |
|    if (png_ptr != NULL && png_ptr->longjmp_fn != NULL &&
 | |
|        png_ptr->jmp_buf_ptr != NULL)
 | |
|       png_ptr->longjmp_fn(*png_ptr->jmp_buf_ptr, val);
 | |
| #else
 | |
|    PNG_UNUSED(png_ptr)
 | |
|    PNG_UNUSED(val)
 | |
| #endif
 | |
| 
 | |
|    /* If control reaches this point, png_longjmp() must not return. The only
 | |
|     * choice is to terminate the whole process (or maybe the thread); to do
 | |
|     * this the ANSI-C abort() function is used unless a different method is 
 | |
|     * implemented by overriding the default configuration setting for
 | |
|     * PNG_ABORT (see scripts/pnglibconf.dfa).
 | |
|     *
 | |
|     * API change: prior to 1.7.0 PNG_ABORT was invoked as a function type macro
 | |
|     * with no arguments 'PNG_ABORT();', in 1.7.0 this is changed to a simple
 | |
|     * macro that is defined in the configuration.
 | |
|     */
 | |
|    PNG_ABORT
 | |
| }
 | |
| 
 | |
| #ifdef PNG_WARNINGS_SUPPORTED
 | |
| /* This function is called when there is a warning, but the library thinks
 | |
|  * it can continue anyway.  Replacement functions don't have to do anything
 | |
|  * here if you don't want them to.  In the default configuration, png_ptr is
 | |
|  * not used, but it is passed in case it may be useful.
 | |
|  */
 | |
| static void /* PRIVATE */
 | |
| png_default_warning(png_const_structrp png_ptr, png_const_charp warning_message)
 | |
| {
 | |
| #ifdef PNG_CONSOLE_IO_SUPPORTED
 | |
| #  ifdef PNG_ERROR_NUMBERS_SUPPORTED
 | |
|    if (*warning_message == PNG_LITERAL_SHARP)
 | |
|    {
 | |
|       int offset;
 | |
|       char warning_number[16];
 | |
|       for (offset = 0; offset < 15; offset++)
 | |
|       {
 | |
|          warning_number[offset] = warning_message[offset + 1];
 | |
|          if (warning_message[offset] == ' ')
 | |
|             break;
 | |
|       }
 | |
| 
 | |
|       if ((offset > 1) && (offset < 15))
 | |
|       {
 | |
|          warning_number[offset + 1] = '\0';
 | |
|          fprintf(stderr, "libpng warning no. %s: %s",
 | |
|              warning_number, warning_message + offset);
 | |
|          fprintf(stderr, PNG_STRING_NEWLINE);
 | |
|       }
 | |
| 
 | |
|       else
 | |
|       {
 | |
|          fprintf(stderr, "libpng warning: %s",
 | |
|              warning_message);
 | |
|          fprintf(stderr, PNG_STRING_NEWLINE);
 | |
|       }
 | |
|    }
 | |
|    else
 | |
| #  endif
 | |
| 
 | |
|    {
 | |
|       fprintf(stderr, "libpng warning: %s", warning_message);
 | |
|       fprintf(stderr, PNG_STRING_NEWLINE);
 | |
|    }
 | |
| #else
 | |
|    PNG_UNUSED(warning_message) /* Make compiler happy */
 | |
| #endif
 | |
|    PNG_UNUSED(png_ptr) /* Make compiler happy */
 | |
| }
 | |
| #endif /* WARNINGS */
 | |
| 
 | |
| /* This function is called when the application wants to use another method
 | |
|  * of handling errors and warnings.  Note that the error function MUST NOT
 | |
|  * return to the calling routine or serious problems will occur.  The return
 | |
|  * method used in the default routine calls longjmp(png_ptr->jmp_buf_ptr, 1)
 | |
|  */
 | |
| void PNGAPI
 | |
| png_set_error_fn(png_structrp png_ptr, png_voidp error_ptr,
 | |
|     png_error_ptr error_fn, png_error_ptr warning_fn)
 | |
| {
 | |
|    if (png_ptr == NULL)
 | |
|       return;
 | |
| 
 | |
|    png_ptr->error_ptr = error_ptr;
 | |
|    png_ptr->error_fn = error_fn;
 | |
| #ifdef PNG_WARNINGS_SUPPORTED
 | |
|    png_ptr->warning_fn = warning_fn;
 | |
| #else
 | |
|    PNG_UNUSED(warning_fn)
 | |
| #endif
 | |
| }
 | |
| 
 | |
| 
 | |
| /* This function returns a pointer to the error_ptr associated with the user
 | |
|  * functions.  The application should free any memory associated with this
 | |
|  * pointer before png_write_destroy and png_read_destroy are called.
 | |
|  */
 | |
| png_voidp PNGAPI
 | |
| png_get_error_ptr(png_const_structrp png_ptr)
 | |
| {
 | |
|    if (png_ptr == NULL)
 | |
|       return NULL;
 | |
| 
 | |
|    return ((png_voidp)png_ptr->error_ptr);
 | |
| }
 | |
| 
 | |
| 
 | |
| #ifdef PNG_ERROR_NUMBERS_SUPPORTED
 | |
| void PNGAPI
 | |
| png_set_strip_error_numbers(png_structrp png_ptr, png_uint_32 strip_mode)
 | |
| {
 | |
|    if (png_ptr != NULL)
 | |
|    {
 | |
|       png_ptr->flags &=
 | |
|          ((PNG_BIC_MASK(PNG_FLAG_STRIP_ERROR_NUMBERS |
 | |
|          PNG_FLAG_STRIP_ERROR_TEXT))&strip_mode);
 | |
|    }
 | |
| }
 | |
| #endif
 | |
| 
 | |
| #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
 | |
|    defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
 | |
|    /* Currently the above both depend on SETJMP_SUPPORTED, however it would be
 | |
|     * possible to implement without setjmp support just so long as there is some
 | |
|     * way to handle the error return here:
 | |
|     */
 | |
| PNG_FUNCTION(void /* PRIVATE */, (PNGCBAPI
 | |
| png_safe_error),(png_structp png_nonconst_ptr, png_const_charp error_message),
 | |
|    PNG_NORETURN)
 | |
| {
 | |
|    const png_const_structrp png_ptr = png_nonconst_ptr;
 | |
|    png_imagep image = png_voidcast(png_imagep, png_ptr->error_ptr);
 | |
| 
 | |
|    /* An error is always logged here, overwriting anything (typically a warning)
 | |
|     * that is already there:
 | |
|     */
 | |
|    if (image != NULL)
 | |
|    {
 | |
|       png_safecat(image->message, (sizeof image->message), 0, error_message);
 | |
|       image->warning_or_error |= PNG_IMAGE_ERROR;
 | |
| 
 | |
|       /* Retrieve the jmp_buf from within the png_control, making this work for
 | |
|        * C++ compilation too is pretty tricky: C++ wants a pointer to the first
 | |
|        * element of a jmp_buf, but C doesn't tell us the type of that.
 | |
|        */
 | |
|       if (image->opaque != NULL && image->opaque->error_buf != NULL)
 | |
|          longjmp(png_control_jmp_buf(image->opaque), 1);
 | |
| 
 | |
|       /* Missing longjmp buffer, the following is to help debugging: */
 | |
|       {
 | |
|          size_t pos = png_safecat(image->message, (sizeof image->message), 0,
 | |
|             "bad longjmp: ");
 | |
|          png_safecat(image->message, (sizeof image->message), pos,
 | |
|              error_message);
 | |
|       }
 | |
|    }
 | |
| 
 | |
|    /* Here on an internal programming error. */
 | |
|    abort();
 | |
| }
 | |
| 
 | |
| #ifdef PNG_WARNINGS_SUPPORTED
 | |
| void /* PRIVATE */ PNGCBAPI
 | |
| png_safe_warning(png_structp png_nonconst_ptr, png_const_charp warning_message)
 | |
| {
 | |
|    const png_const_structrp png_ptr = png_nonconst_ptr;
 | |
|    png_imagep image = png_voidcast(png_imagep, png_ptr->error_ptr);
 | |
| 
 | |
|    /* A warning is only logged if there is no prior warning or error. */
 | |
|    if (image->warning_or_error == 0)
 | |
|    {
 | |
|       png_safecat(image->message, (sizeof image->message), 0, warning_message);
 | |
|       image->warning_or_error |= PNG_IMAGE_WARNING;
 | |
|    }
 | |
| }
 | |
| #endif
 | |
| 
 | |
| int /* PRIVATE */
 | |
| png_safe_execute(png_imagep image_in, int (*function)(png_voidp), png_voidp arg)
 | |
| {
 | |
|    volatile png_imagep image = image_in;
 | |
|    volatile int result;
 | |
|    volatile png_voidp saved_error_buf;
 | |
|    jmp_buf safe_jmpbuf;
 | |
| 
 | |
|    /* Safely execute function(arg) with png_error returning to this function. */
 | |
|    saved_error_buf = image->opaque->error_buf;
 | |
|    result = setjmp(safe_jmpbuf) == 0;
 | |
| 
 | |
|    if (result != 0)
 | |
|    {
 | |
| 
 | |
|       image->opaque->error_buf = safe_jmpbuf;
 | |
|       result = function(arg);
 | |
|    }
 | |
| 
 | |
|    image->opaque->error_buf = saved_error_buf;
 | |
| 
 | |
|    /* And do the cleanup prior to any failure return. */
 | |
|    if (result == 0)
 | |
|       png_image_free(image);
 | |
| 
 | |
|    return result;
 | |
| }
 | |
| #endif /* SIMPLIFIED READ || SIMPLIFIED_WRITE */
 | |
| 
 | |
| /* Affirms: minimal code in 'STABLE' builds to return control to the
 | |
|  * application via png_error(), more verbose code followed by PNG_ABORT for
 | |
|  * all other builds to ensure that internal errors are detected.
 | |
|  *
 | |
|  * The code always produces a message if it is possible, regardless of the
 | |
|  * setting of PNG_ERROR_TEXT_SUPPORTED, except that in stable builds
 | |
|  * PNG_ERROR_TEXT_SUPPORTED is honored.  See pngpriv.h for the calculation of
 | |
|  * the two control macros PNG_RELEASE_BUILD (don't abort; stable build or rc)
 | |
|  * and PNG_AFFIRM_TEXT (output text.)
 | |
|  */
 | |
| #if PNG_AFFIRM_TEXT
 | |
| #  ifdef PNG_HAVE_FORMAT_NUMBER
 | |
| static size_t
 | |
| png_affirm_number(png_charp buffer, size_t bufsize, size_t pos,
 | |
|    unsigned int number, int format)
 | |
| {
 | |
|    char numbuf[PNG_NUMBER_BUFFER_SIZE];
 | |
|    return png_safecat(buffer, bufsize, pos,
 | |
|       png_format_number(numbuf, numbuf + sizeof numbuf, format, number));
 | |
| }
 | |
| #  define affirm_number(a,b,c,d,e) png_affirm_number(a,b,c,d,e)
 | |
| #  else /* !HAVE_FORMAT_NUMBER */
 | |
| static size_t
 | |
| png_affirm_number(png_charp buffer, size_t bufsize, size_t pos,
 | |
|    unsigned int number)
 | |
| {
 | |
|    /* binhex it; highly non-portable, assumes the ASCII character set, but
 | |
|     * if warnings are turned off then it is unlikely the text will get read
 | |
|     * anyway.  This binhex variant is (48+val), where 'val' is the next 6
 | |
|     * bits of the number, so it starts as '0' (for 0) and ends at 'I' for
 | |
|     * 63.  The number is wrapped in {}, so 0 comes out as '{}' and 9 comes
 | |
|     * out as '{9}' and so on.
 | |
|     */
 | |
|    char numbuf[32];
 | |
|    int i = sizeof numbuf;
 | |
| 
 | |
|    numbuf[--i] = 0;
 | |
|    numbuf[--i] = '}';
 | |
| 
 | |
|    do
 | |
|    {
 | |
|       if (number > 0)
 | |
|          numbuf[--i] = (char)/*SAFE*/((number & 63) + 48), number >>= 6;
 | |
|       else
 | |
|       {
 | |
|          numbuf[--i] = '{';
 | |
|          break;
 | |
|       }
 | |
|    }
 | |
|    while (i > 0);
 | |
| 
 | |
|    return png_safecat(buffer, bufsize, pos, numbuf+i);
 | |
| }
 | |
| #  define affirm_number(a,b,c,d,e) png_affirm_number(a,b,c,d)
 | |
| #endif /* !HAVE_FORMAT_NUMBER */
 | |
| 
 | |
| static void
 | |
| affirm_text(png_charp buffer, size_t bufsize,
 | |
|    param_deb(png_const_charp condition) unsigned int position)
 | |
| {
 | |
|   /* Format the 'position' number and output:
 | |
|    *
 | |
|    *  "<file> <line>: affirm 'condition' failed\n"
 | |
|    *  " libpng version <version> - <date>\n"
 | |
|    *  " translated __DATE__ __TIME__"
 | |
|    *
 | |
|    * In the STABLE versions the output is the same for the last two lines
 | |
|    * but the first line becomes:
 | |
|    *
 | |
|    *  "<position>: affirm failed"
 | |
|    *
 | |
|    * If there is no number formatting the numbers just get replaced by
 | |
|    * some binhex (see the utility above).
 | |
|    */
 | |
|   size_t pos = 0;
 | |
| 
 | |
| # if PNG_RELEASE_BUILD /* no 'condition' parameter: minimal text */
 | |
|      pos = affirm_number(buffer, bufsize, pos, position, PNG_NUMBER_FORMAT_x);
 | |
|      pos = png_safecat(buffer, bufsize, pos, ": affirm failed");
 | |
| # else /* !STABLE */
 | |
|      /* Break down 'position' into a file name and a line number: */
 | |
|      {
 | |
| #        define PNG_apply(f) { #f "\0", PNG_SRC_FILE_ ## f },
 | |
| #        define PNG_end      { "", PNG_SRC_FILE_LAST }
 | |
|          static struct {
 | |
|              char         filename[28]; /* GCC checks this size */
 | |
|              unsigned int base;
 | |
|          } fileinfo[] = { PNG_FILES };
 | |
| #        undef PNG_apply
 | |
| #        undef PNG_end
 | |
| 
 | |
|          unsigned int i;
 | |
|          png_const_charp filename;
 | |
| 
 | |
|          /* Do 'nfiles' this way to avoid problems with g++ where it whines
 | |
|           * about (size_t) being larger than (int), even though this is a
 | |
|           * compile time constant:
 | |
|           */
 | |
| #        define nfiles ((sizeof fileinfo)/(sizeof (fileinfo[0])))
 | |
|          for (i=0; i < nfiles && position > fileinfo[i].base; ++i) {}
 | |
| 
 | |
|          if (i == 0 || i > nfiles)
 | |
|              filename = "UNKNOWN";
 | |
|          else
 | |
|          {
 | |
|              filename = fileinfo[i-1].filename;
 | |
|              position -= fileinfo[i-1].base;
 | |
|          }
 | |
| #        undef nfiles
 | |
| 
 | |
|          pos = png_safecat(buffer, bufsize, pos, filename);
 | |
|          pos = png_safecat(buffer, bufsize, pos, ".c ");
 | |
|          pos = affirm_number(buffer, bufsize, pos, position,
 | |
|             PNG_NUMBER_FORMAT_u);
 | |
|      }
 | |
| 
 | |
|      pos = png_safecat(buffer, bufsize, pos, ": affirm '");
 | |
|      pos = png_safecat(buffer, bufsize, pos, condition);
 | |
|      pos = png_safecat(buffer, bufsize, pos, "' failed\n");
 | |
| # endif /* !STABLE */
 | |
| 
 | |
|   pos = png_safecat(buffer, bufsize, pos, PNG_HEADER_VERSION_STRING);
 | |
|   pos = png_safecat(buffer, bufsize, pos,
 | |
|      " translated " __DATE__ " " __TIME__);
 | |
| }
 | |
| 
 | |
| #define affirm_text(b, c, p)\
 | |
|    do {\
 | |
|       (affirm_text)(b, sizeof b, param_deb(c) (p));\
 | |
|    } while (0)
 | |
| 
 | |
| #endif /* AFFIRM_TEXT */
 | |
| 
 | |
| PNG_FUNCTION(void,png_affirm,(png_const_structrp png_ptr,
 | |
|    param_deb(png_const_charp condition) unsigned int position),PNG_NORETURN)
 | |
| {
 | |
| #  if PNG_AFFIRM_TEXT
 | |
|       char   buffer[512];
 | |
| 
 | |
|       affirm_text(buffer, condition, position);
 | |
| #  else /* !AFFIRM_TEXT */
 | |
|       PNG_UNUSED(position)
 | |
| #     if !PNG_RELEASE_BUILD
 | |
|          PNG_UNUSED(condition)
 | |
| #     endif
 | |
| #  endif /* AFFIRM_TEXT */
 | |
| 
 | |
|    /* Now in STABLE do a png_error, but in other builds output the message
 | |
|     * (if possible) then abort (PNG_ABORT).
 | |
|     */
 | |
| #  if PNG_RELEASE_BUILD
 | |
|       png_error(png_ptr, buffer/*macro parameter used only if ERROR_TEXT*/);
 | |
| #  else /* !AFFIRM_ERROR */
 | |
|       /* Use console IO if possible; this is because there is no guarantee that
 | |
|        * the app 'warning' will output anything.  For certain the simplified
 | |
|        * API implementation just copies the message (truncated) to the image
 | |
|        * message buffer, which makes debugging much more difficult.
 | |
|        *
 | |
|        * Note that it is possible that neither WARNINGS nor CONSOLE_IO are
 | |
|        * supported; in that case no text will be output (and PNG_AFFIRM_TEXT
 | |
|        * will be false.)
 | |
|        */
 | |
| #     ifdef PNG_CONSOLE_IO_SUPPORTED
 | |
|          fprintf(stderr, "%s\n", buffer);
 | |
|          PNG_UNUSED(png_ptr)
 | |
| #     elif defined PNG_WARNINGS_SUPPORTED
 | |
|          if (png_ptr != NULL && png_ptr->warning_fn != NULL)
 | |
|             png_ptr->warning_fn(png_constcast(png_structrp, png_ptr), buffer);
 | |
|          /* else no way to output the text */
 | |
| #     else
 | |
|          PNG_UNUSED(png_ptr)
 | |
| #     endif
 | |
| 
 | |
|       PNG_ABORT
 | |
| #  endif /* AFFIRM_ERROR */
 | |
| }
 | |
| 
 | |
| #if !PNG_RELEASE_BUILD
 | |
| void /* PRIVATE */
 | |
| png_handled_affirm(png_const_structrp png_ptr, png_const_charp message,
 | |
|    unsigned int position)
 | |
| {
 | |
| #  if PNG_RELEASE_BUILD
 | |
|       /* testing in RC: we want to return control to the caller, so do not
 | |
|        * use png_affirm.
 | |
|        */
 | |
|       char   buffer[512];
 | |
| 
 | |
|       affirm_text(buffer, message, position);
 | |
| 
 | |
| #     ifdef PNG_CONSOLE_IO_SUPPORTED
 | |
|          fprintf(stderr, "%s\n", buffer);
 | |
| #     elif defined PNG_WARNINGS_SUPPORTED
 | |
|          if (png_ptr != NULL && png_ptr->warning_fn != NULL)
 | |
|             png_ptr->warning_fn(png_constcast(png_structrp, png_ptr), buffer);
 | |
|          /* else no way to output the text */
 | |
| #     else
 | |
|          PNG_UNUSED(png_ptr)
 | |
| #     endif
 | |
| #  else
 | |
|       png_affirm(png_ptr, message, position);
 | |
| #  endif
 | |
| }
 | |
| #endif /* !RELEASE_BUILD */
 | |
| 
 | |
| #ifdef PNG_RANGE_CHECK_SUPPORTED
 | |
| /* The character/byte checking APIs. These do their own calls to png_affirm
 | |
|  * because the caller provides the position.
 | |
|  */
 | |
| unsigned int /* PRIVATE */
 | |
| png_bit_affirm(png_const_structrp png_ptr, unsigned int position,
 | |
|    unsigned int u, unsigned int bits)
 | |
| {
 | |
|    /* The following avoids overflow errors even if 'bits' is 16 or 32: */
 | |
|    if (u <= (1U << bits)-1U)
 | |
|        return u;
 | |
| 
 | |
|    png_affirm(png_ptr, param_deb("(bit field) range") position);
 | |
| }
 | |
| 
 | |
| char /* PRIVATE */
 | |
| png_char_affirm(png_const_structrp png_ptr, unsigned int position, int c)
 | |
| {
 | |
|    if (c >= CHAR_MIN && c <= CHAR_MAX)
 | |
|        return (char)/*SAFE*/c;
 | |
| 
 | |
|    png_affirm(png_ptr, param_deb("(char) range") position);
 | |
| }
 | |
| 
 | |
| png_byte /* PRIVATE */
 | |
| png_byte_affirm(png_const_structrp png_ptr, unsigned int position, int b)
 | |
| {
 | |
|    /* For the type png_byte the limits.h values are ignored and we check
 | |
|     * against the values PNG expects to store in a byte:
 | |
|     */
 | |
|    if (b >= 0 && b <= 255)
 | |
|        return (png_byte)/*SAFE*/b;
 | |
| 
 | |
|    png_affirm(png_ptr, param_deb("PNG byte range") position);
 | |
| }
 | |
| 
 | |
| #if INT_MAX >= 65535
 | |
| png_uint_16 /* PRIVATE */
 | |
| png_u16_affirm(png_const_structrp png_ptr, unsigned int position, int b)
 | |
| {
 | |
|    /* Check against the PNG 16-bit limit, as with png_byte. */
 | |
|    if (b >= 0 && b <= 65535)
 | |
|        return (png_uint_16)/*SAFE*/b;
 | |
| 
 | |
|    png_affirm(png_ptr, param_deb("PNG 16-bit range") position);
 | |
| }
 | |
| #endif /* INT_MAX >= 65535 */
 | |
| #endif /* RANGE_CHECK */
 | |
| #endif /* READ || WRITE */
 |