void PNGAPI png_set_sPLT(png_const_structrp png_ptr, png_inforp info_ptr, png_const_sPLT_tp entries, int nentries) /* * entries - array of png_sPLT_t structures * to be added to the list of palettes * in the info structure. * * nentries - number of palette structures to be * added. */ { png_sPLT_tp np; if (png_ptr == NULL || info_ptr == NULL || nentries <= 0 || entries == NULL) return; /* Use the internal realloc function, which checks for all the possible * overflows. Notice that the parameters are (int) and (size_t) */ np = png_voidcast(png_sPLT_tp,png_realloc_array(png_ptr, info_ptr->splt_palettes, info_ptr->splt_palettes_num, nentries, sizeof *np)); if (np == NULL) { /* Out of memory or too many chunks */ png_chunk_report(png_ptr, "too many sPLT chunks", PNG_CHUNK_WRITE_ERROR); return; } png_free(png_ptr, info_ptr->splt_palettes); info_ptr->splt_palettes = np; info_ptr->free_me |= PNG_FREE_SPLT; np += info_ptr->splt_palettes_num; do { png_size_t length; /* Skip invalid input entries */ if (entries->name == NULL || entries->entries == NULL) { /* png_handle_sPLT doesn't do this, so this is an app error */ png_app_error(png_ptr, "png_set_sPLT: invalid sPLT"); /* Just skip the invalid entry */ continue; } np->depth = entries->depth; /* In the event of out-of-memory just return - there's no point keeping * on trying to add sPLT chunks. */ length = strlen(entries->name) + 1; np->name = png_voidcast(png_charp, png_malloc_base(png_ptr, length)); if (np->name == NULL) break; memcpy(np->name, entries->name, length); /* IMPORTANT: we have memory now that won't get freed if something else * goes wrong; this code must free it. png_malloc_array produces no * warnings; use a png_chunk_report (below) if there is an error. */ np->entries = png_voidcast(png_sPLT_entryp, png_malloc_array(png_ptr, entries->nentries, sizeof (png_sPLT_entry))); if (np->entries == NULL) { png_free(png_ptr, np->name); np->name = NULL; break; } np->nentries = entries->nentries; /* This multiply can't overflow because png_malloc_array has already * checked it when doing the allocation. */ memcpy(np->entries, entries->entries, entries->nentries * sizeof (png_sPLT_entry)); /* Note that 'continue' skips the advance of the out pointer and out * count, so an invalid entry is not added. */ info_ptr->valid |= PNG_INFO_sPLT; ++(info_ptr->splt_palettes_num); ++np; } while (++entries, --nentries); if (nentries > 0) png_chunk_report(png_ptr, "sPLT out of memory", PNG_CHUNK_WRITE_ERROR); }
void PNGAPI png_set_unknown_chunks(png_const_structrp png_ptr, png_inforp info_ptr, png_const_unknown_chunkp unknowns, int num_unknowns) { png_unknown_chunkp np; if (png_ptr == NULL || info_ptr == NULL || num_unknowns <= 0 || unknowns == NULL) return; /* Check for the failure cases where support has been disabled at compile * time. This code is hardly ever compiled - it's here because * STORE_UNKNOWN_CHUNKS is set by both read and write code (compiling in this * code) but may be meaningless if the read or write handling of unknown * chunks is not compiled in. */ # if !defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) && \ defined(PNG_READ_SUPPORTED) if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0) { png_app_error(png_ptr, "no unknown chunk support on read"); return; } # endif # if !defined(PNG_WRITE_UNKNOWN_CHUNKS_SUPPORTED) && \ defined(PNG_WRITE_SUPPORTED) if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0) { png_app_error(png_ptr, "no unknown chunk support on write"); return; } # endif /* Prior to 1.6.0 this code used png_malloc_warn; however, this meant that * unknown critical chunks could be lost with just a warning resulting in * undefined behavior. Now png_chunk_report is used to provide behavior * appropriate to read or write. */ np = png_voidcast(png_unknown_chunkp, png_realloc_array(png_ptr, info_ptr->unknown_chunks, info_ptr->unknown_chunks_num, num_unknowns, sizeof *np)); if (np == NULL) { png_chunk_report(png_ptr, "too many unknown chunks", PNG_CHUNK_WRITE_ERROR); return; } png_free(png_ptr, info_ptr->unknown_chunks); info_ptr->unknown_chunks = np; /* safe because it is initialized */ info_ptr->free_me |= PNG_FREE_UNKN; np += info_ptr->unknown_chunks_num; /* Increment unknown_chunks_num each time round the loop to protect the * just-allocated chunk data. */ for (; num_unknowns > 0; --num_unknowns, ++unknowns) { memcpy(np->name, unknowns->name, (sizeof np->name)); np->name[(sizeof np->name)-1] = '\0'; np->location = check_location(png_ptr, unknowns->location); if (unknowns->size == 0) { np->data = NULL; np->size = 0; } else { np->data = png_voidcast(png_bytep, png_malloc_base(png_ptr, unknowns->size)); if (np->data == NULL) { png_chunk_report(png_ptr, "unknown chunk: out of memory", PNG_CHUNK_WRITE_ERROR); /* But just skip storing the unknown chunk */ continue; } memcpy(np->data, unknowns->data, unknowns->size); np->size = unknowns->size; } /* These increments are skipped on out-of-memory for the data - the * unknown chunk entry gets overwritten if the png_chunk_report returns. * This is correct in the read case (the chunk is just dropped.) */ ++np; ++(info_ptr->unknown_chunks_num); } }
int /* PRIVATE */ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr, png_const_textp text_ptr, int num_text) { int i; png_debug1(1, "in %lx storage function", png_ptr == NULL ? 0xabadca11U : (unsigned long)png_ptr->chunk_name); if (png_ptr == NULL || info_ptr == NULL || num_text <= 0 || text_ptr == NULL) return(0); /* Make sure we have enough space in the "text" array in info_struct * to hold all of the incoming text_ptr objects. This compare can't overflow * because max_text >= num_text (anyway, subtract of two positive integers * can't overflow in any case.) */ if (num_text > info_ptr->max_text - info_ptr->num_text) { int old_num_text = info_ptr->num_text; int max_text; png_textp new_text = NULL; /* Calculate an appropriate max_text, checking for overflow. */ max_text = old_num_text; if (num_text <= INT_MAX - max_text) { max_text += num_text; /* Round up to a multiple of 8 */ if (max_text < INT_MAX-8) max_text = (max_text + 8) & ~0x7; else max_text = INT_MAX; /* Now allocate a new array and copy the old members in; this does all * the overflow checks. */ new_text = png_voidcast(png_textp,png_realloc_array(png_ptr, info_ptr->text, old_num_text, max_text-old_num_text, sizeof *new_text)); } if (new_text == NULL) { png_chunk_report(png_ptr, "too many text chunks", PNG_CHUNK_WRITE_ERROR); return 1; } png_free(png_ptr, info_ptr->text); info_ptr->text = new_text; info_ptr->free_me |= PNG_FREE_TEXT; info_ptr->max_text = max_text; /* num_text is adjusted below as the entries are copied in */ png_debug1(3, "allocated %d entries for info_ptr->text", max_text); } for (i = 0; i < num_text; i++) { size_t text_length, key_len; size_t lang_len, lang_key_len; png_textp textp = &(info_ptr->text[info_ptr->num_text]); if (text_ptr[i].key == NULL) continue; if (text_ptr[i].compression < PNG_TEXT_COMPRESSION_NONE || text_ptr[i].compression >= PNG_TEXT_COMPRESSION_LAST) { png_chunk_report(png_ptr, "text compression mode is out of range", PNG_CHUNK_WRITE_ERROR); continue; } key_len = strlen(text_ptr[i].key); if (text_ptr[i].compression <= 0) { lang_len = 0; lang_key_len = 0; } else # ifdef PNG_iTXt_SUPPORTED { /* Set iTXt data */ if (text_ptr[i].lang != NULL) lang_len = strlen(text_ptr[i].lang); else lang_len = 0; if (text_ptr[i].lang_key != NULL) lang_key_len = strlen(text_ptr[i].lang_key); else lang_key_len = 0; } # else /* iTXt */ { png_chunk_report(png_ptr, "iTXt chunk not supported", PNG_CHUNK_WRITE_ERROR); continue; } # endif if (text_ptr[i].text == NULL || text_ptr[i].text[0] == '\0') { text_length = 0; # ifdef PNG_iTXt_SUPPORTED if (text_ptr[i].compression > 0) textp->compression = PNG_ITXT_COMPRESSION_NONE; else # endif textp->compression = PNG_TEXT_COMPRESSION_NONE; } else { text_length = strlen(text_ptr[i].text); textp->compression = text_ptr[i].compression; } textp->key = png_voidcast(png_charp,png_malloc_base(png_ptr, key_len + text_length + lang_len + lang_key_len + 4)); if (textp->key == NULL) { png_chunk_report(png_ptr, "text chunk: out of memory", PNG_CHUNK_WRITE_ERROR); return 1; } png_debug2(2, "Allocated %lu bytes at %p in png_set_text", (unsigned long)(png_uint_32) (key_len + lang_len + lang_key_len + text_length + 4), textp->key); memcpy(textp->key, text_ptr[i].key, key_len); *(textp->key + key_len) = '\0'; if (text_ptr[i].compression > 0) { textp->lang = textp->key + key_len + 1; memcpy(textp->lang, text_ptr[i].lang, lang_len); *(textp->lang + lang_len) = '\0'; textp->lang_key = textp->lang + lang_len + 1; memcpy(textp->lang_key, text_ptr[i].lang_key, lang_key_len); *(textp->lang_key + lang_key_len) = '\0'; textp->text = textp->lang_key + lang_key_len + 1; } else { textp->lang=NULL; textp->lang_key=NULL; textp->text = textp->key + key_len + 1; } if (text_length != 0) memcpy(textp->text, text_ptr[i].text, text_length); *(textp->text + text_length) = '\0'; # ifdef PNG_iTXt_SUPPORTED if (textp->compression > 0) { textp->text_length = 0; textp->itxt_length = text_length; } else # endif { textp->text_length = text_length; textp->itxt_length = 0; } info_ptr->num_text++; png_debug1(3, "transferred text chunk %d", info_ptr->num_text); } return(0); }
void PNGAPI png_set_pCAL(png_const_structrp png_ptr, png_inforp info_ptr, png_const_charp purpose, png_int_32 X0, png_int_32 X1, int type, int nparams, png_const_charp units, png_charpp params) { png_size_t length; int i; png_debug1(1, "in %s storage function", "pCAL"); if (png_ptr == NULL || info_ptr == NULL || purpose == NULL || units == NULL || (nparams > 0 && params == NULL)) return; length = strlen(purpose) + 1; png_debug1(3, "allocating purpose for info (%lu bytes)", (unsigned long)length); /* TODO: validate format of calibration name and unit name */ /* Check that the type matches the specification. */ if (type < 0 || type > 3) { png_chunk_report(png_ptr, "Invalid pCAL equation type", PNG_CHUNK_WRITE_ERROR); return; } if (nparams < 0 || nparams > 255) { png_chunk_report(png_ptr, "Invalid pCAL parameter count", PNG_CHUNK_WRITE_ERROR); return; } /* Validate params[nparams] */ for (i=0; i<nparams; ++i) { if (params[i] == NULL || !png_check_fp_string(params[i], strlen(params[i]))) { png_chunk_report(png_ptr, "Invalid format for pCAL parameter", PNG_CHUNK_WRITE_ERROR); return; } } info_ptr->pcal_purpose = png_voidcast(png_charp, png_malloc_warn(png_ptr, length)); if (info_ptr->pcal_purpose == NULL) { png_chunk_report(png_ptr, "Insufficient memory for pCAL purpose", PNG_CHUNK_WRITE_ERROR); return; } memcpy(info_ptr->pcal_purpose, purpose, length); png_debug(3, "storing X0, X1, type, and nparams in info"); info_ptr->pcal_X0 = X0; info_ptr->pcal_X1 = X1; info_ptr->pcal_type = (png_byte)type; info_ptr->pcal_nparams = (png_byte)nparams; length = strlen(units) + 1; png_debug1(3, "allocating units for info (%lu bytes)", (unsigned long)length); info_ptr->pcal_units = png_voidcast(png_charp, png_malloc_warn(png_ptr, length)); if (info_ptr->pcal_units == NULL) { png_warning(png_ptr, "Insufficient memory for pCAL units"); return; } memcpy(info_ptr->pcal_units, units, length); info_ptr->pcal_params = png_voidcast(png_charpp, png_malloc_warn(png_ptr, (png_size_t)((nparams + 1) * (sizeof (png_charp))))); if (info_ptr->pcal_params == NULL) { png_warning(png_ptr, "Insufficient memory for pCAL params"); return; } memset(info_ptr->pcal_params, 0, (nparams + 1) * (sizeof (png_charp))); for (i = 0; i < nparams; i++) { length = strlen(params[i]) + 1; png_debug2(3, "allocating parameter %d for info (%lu bytes)", i, (unsigned long)length); info_ptr->pcal_params[i] = (png_charp)png_malloc_warn(png_ptr, length); if (info_ptr->pcal_params[i] == NULL) { png_warning(png_ptr, "Insufficient memory for pCAL parameter"); return; } memcpy(info_ptr->pcal_params[i], params[i], length); } info_ptr->valid |= PNG_INFO_pCAL; info_ptr->free_me |= PNG_FREE_PCAL; }