void PNGAPI
png_set_sPLT(png_const_structrp png_ptr,
png_inforp info_ptr, png_const_sPLT_tp entries, int nentries)
/*
* entries - array of png_sPLT_t structures
* to be added to the list of palettes
* in the info structure.
*
* nentries - number of palette structures to be
* added.
*/
{
png_sPLT_tp np;
if (png_ptr == NULL || info_ptr == NULL || nentries <= 0 || entries == NULL)
return;
/* Use the internal realloc function, which checks for all the possible
* overflows. Notice that the parameters are (int) and (size_t)
*/
np = png_voidcast(png_sPLT_tp,png_realloc_array(png_ptr,
info_ptr->splt_palettes, info_ptr->splt_palettes_num, nentries,
sizeof *np));
if (np == NULL)
{
/* Out of memory or too many chunks */
png_chunk_report(png_ptr, "too many sPLT chunks", PNG_CHUNK_WRITE_ERROR);
return;
}
png_free(png_ptr, info_ptr->splt_palettes);
info_ptr->splt_palettes = np;
info_ptr->free_me |= PNG_FREE_SPLT;
np += info_ptr->splt_palettes_num;
do
{
png_size_t length;
/* Skip invalid input entries */
if (entries->name == NULL || entries->entries == NULL)
{
/* png_handle_sPLT doesn't do this, so this is an app error */
png_app_error(png_ptr, "png_set_sPLT: invalid sPLT");
/* Just skip the invalid entry */
continue;
}
np->depth = entries->depth;
/* In the event of out-of-memory just return - there's no point keeping
* on trying to add sPLT chunks.
*/
length = strlen(entries->name) + 1;
np->name = png_voidcast(png_charp, png_malloc_base(png_ptr, length));
if (np->name == NULL)
break;
memcpy(np->name, entries->name, length);
/* IMPORTANT: we have memory now that won't get freed if something else
* goes wrong; this code must free it. png_malloc_array produces no
* warnings; use a png_chunk_report (below) if there is an error.
*/
np->entries = png_voidcast(png_sPLT_entryp, png_malloc_array(png_ptr,
entries->nentries, sizeof (png_sPLT_entry)));
if (np->entries == NULL)
{
png_free(png_ptr, np->name);
np->name = NULL;
break;
}
np->nentries = entries->nentries;
/* This multiply can't overflow because png_malloc_array has already
* checked it when doing the allocation.
*/
memcpy(np->entries, entries->entries,
entries->nentries * sizeof (png_sPLT_entry));
/* Note that 'continue' skips the advance of the out pointer and out
* count, so an invalid entry is not added.
*/
info_ptr->valid |= PNG_INFO_sPLT;
++(info_ptr->splt_palettes_num);
++np;
}
while (++entries, --nentries);
if (nentries > 0)
png_chunk_report(png_ptr, "sPLT out of memory", PNG_CHUNK_WRITE_ERROR);
}
void PNGAPI
png_set_unknown_chunks(png_const_structrp png_ptr,
png_inforp info_ptr, png_const_unknown_chunkp unknowns, int num_unknowns)
{
png_unknown_chunkp np;
if (png_ptr == NULL || info_ptr == NULL || num_unknowns <= 0 ||
unknowns == NULL)
return;
/* Check for the failure cases where support has been disabled at compile
* time. This code is hardly ever compiled - it's here because
* STORE_UNKNOWN_CHUNKS is set by both read and write code (compiling in this
* code) but may be meaningless if the read or write handling of unknown
* chunks is not compiled in.
*/
# if !defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) && \
defined(PNG_READ_SUPPORTED)
if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
{
png_app_error(png_ptr, "no unknown chunk support on read");
return;
}
# endif
# if !defined(PNG_WRITE_UNKNOWN_CHUNKS_SUPPORTED) && \
defined(PNG_WRITE_SUPPORTED)
if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
{
png_app_error(png_ptr, "no unknown chunk support on write");
return;
}
# endif
/* Prior to 1.6.0 this code used png_malloc_warn; however, this meant that
* unknown critical chunks could be lost with just a warning resulting in
* undefined behavior. Now png_chunk_report is used to provide behavior
* appropriate to read or write.
*/
np = png_voidcast(png_unknown_chunkp, png_realloc_array(png_ptr,
info_ptr->unknown_chunks, info_ptr->unknown_chunks_num, num_unknowns,
sizeof *np));
if (np == NULL)
{
png_chunk_report(png_ptr, "too many unknown chunks",
PNG_CHUNK_WRITE_ERROR);
return;
}
png_free(png_ptr, info_ptr->unknown_chunks);
info_ptr->unknown_chunks = np; /* safe because it is initialized */
info_ptr->free_me |= PNG_FREE_UNKN;
np += info_ptr->unknown_chunks_num;
/* Increment unknown_chunks_num each time round the loop to protect the
* just-allocated chunk data.
*/
for (; num_unknowns > 0; --num_unknowns, ++unknowns)
{
memcpy(np->name, unknowns->name, (sizeof np->name));
np->name[(sizeof np->name)-1] = '\0';
np->location = check_location(png_ptr, unknowns->location);
if (unknowns->size == 0)
{
np->data = NULL;
np->size = 0;
}
else
{
np->data = png_voidcast(png_bytep,
png_malloc_base(png_ptr, unknowns->size));
if (np->data == NULL)
{
png_chunk_report(png_ptr, "unknown chunk: out of memory",
PNG_CHUNK_WRITE_ERROR);
/* But just skip storing the unknown chunk */
continue;
}
memcpy(np->data, unknowns->data, unknowns->size);
np->size = unknowns->size;
}
/* These increments are skipped on out-of-memory for the data - the
* unknown chunk entry gets overwritten if the png_chunk_report returns.
* This is correct in the read case (the chunk is just dropped.)
*/
++np;
++(info_ptr->unknown_chunks_num);
}
}
int /* PRIVATE */
png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
png_const_textp text_ptr, int num_text)
{
int i;
png_debug1(1, "in %lx storage function", png_ptr == NULL ? 0xabadca11U :
(unsigned long)png_ptr->chunk_name);
if (png_ptr == NULL || info_ptr == NULL || num_text <= 0 || text_ptr == NULL)
return(0);
/* Make sure we have enough space in the "text" array in info_struct
* to hold all of the incoming text_ptr objects. This compare can't overflow
* because max_text >= num_text (anyway, subtract of two positive integers
* can't overflow in any case.)
*/
if (num_text > info_ptr->max_text - info_ptr->num_text)
{
int old_num_text = info_ptr->num_text;
int max_text;
png_textp new_text = NULL;
/* Calculate an appropriate max_text, checking for overflow. */
max_text = old_num_text;
if (num_text <= INT_MAX - max_text)
{
max_text += num_text;
/* Round up to a multiple of 8 */
if (max_text < INT_MAX-8)
max_text = (max_text + 8) & ~0x7;
else
max_text = INT_MAX;
/* Now allocate a new array and copy the old members in; this does all
* the overflow checks.
*/
new_text = png_voidcast(png_textp,png_realloc_array(png_ptr,
info_ptr->text, old_num_text, max_text-old_num_text,
sizeof *new_text));
}
if (new_text == NULL)
{
png_chunk_report(png_ptr, "too many text chunks",
PNG_CHUNK_WRITE_ERROR);
return 1;
}
png_free(png_ptr, info_ptr->text);
info_ptr->text = new_text;
info_ptr->free_me |= PNG_FREE_TEXT;
info_ptr->max_text = max_text;
/* num_text is adjusted below as the entries are copied in */
png_debug1(3, "allocated %d entries for info_ptr->text", max_text);
}
for (i = 0; i < num_text; i++)
{
size_t text_length, key_len;
size_t lang_len, lang_key_len;
png_textp textp = &(info_ptr->text[info_ptr->num_text]);
if (text_ptr[i].key == NULL)
continue;
if (text_ptr[i].compression < PNG_TEXT_COMPRESSION_NONE ||
text_ptr[i].compression >= PNG_TEXT_COMPRESSION_LAST)
{
png_chunk_report(png_ptr, "text compression mode is out of range",
PNG_CHUNK_WRITE_ERROR);
continue;
}
key_len = strlen(text_ptr[i].key);
if (text_ptr[i].compression <= 0)
{
lang_len = 0;
lang_key_len = 0;
}
else
# ifdef PNG_iTXt_SUPPORTED
{
/* Set iTXt data */
if (text_ptr[i].lang != NULL)
lang_len = strlen(text_ptr[i].lang);
else
lang_len = 0;
if (text_ptr[i].lang_key != NULL)
lang_key_len = strlen(text_ptr[i].lang_key);
else
lang_key_len = 0;
}
# else /* iTXt */
{
png_chunk_report(png_ptr, "iTXt chunk not supported",
PNG_CHUNK_WRITE_ERROR);
continue;
}
# endif
if (text_ptr[i].text == NULL || text_ptr[i].text[0] == '\0')
{
text_length = 0;
# ifdef PNG_iTXt_SUPPORTED
if (text_ptr[i].compression > 0)
textp->compression = PNG_ITXT_COMPRESSION_NONE;
else
# endif
textp->compression = PNG_TEXT_COMPRESSION_NONE;
}
else
{
text_length = strlen(text_ptr[i].text);
textp->compression = text_ptr[i].compression;
}
textp->key = png_voidcast(png_charp,png_malloc_base(png_ptr,
key_len + text_length + lang_len + lang_key_len + 4));
if (textp->key == NULL)
{
png_chunk_report(png_ptr, "text chunk: out of memory",
PNG_CHUNK_WRITE_ERROR);
return 1;
}
png_debug2(2, "Allocated %lu bytes at %p in png_set_text",
(unsigned long)(png_uint_32)
(key_len + lang_len + lang_key_len + text_length + 4),
textp->key);
memcpy(textp->key, text_ptr[i].key, key_len);
*(textp->key + key_len) = '\0';
if (text_ptr[i].compression > 0)
{
textp->lang = textp->key + key_len + 1;
memcpy(textp->lang, text_ptr[i].lang, lang_len);
*(textp->lang + lang_len) = '\0';
textp->lang_key = textp->lang + lang_len + 1;
memcpy(textp->lang_key, text_ptr[i].lang_key, lang_key_len);
*(textp->lang_key + lang_key_len) = '\0';
textp->text = textp->lang_key + lang_key_len + 1;
}
else
{
textp->lang=NULL;
textp->lang_key=NULL;
textp->text = textp->key + key_len + 1;
}
if (text_length != 0)
memcpy(textp->text, text_ptr[i].text, text_length);
*(textp->text + text_length) = '\0';
# ifdef PNG_iTXt_SUPPORTED
if (textp->compression > 0)
{
textp->text_length = 0;
textp->itxt_length = text_length;
}
else
# endif
{
textp->text_length = text_length;
textp->itxt_length = 0;
}
info_ptr->num_text++;
png_debug1(3, "transferred text chunk %d", info_ptr->num_text);
}
return(0);
}
void PNGAPI
png_set_pCAL(png_const_structrp png_ptr, png_inforp info_ptr,
png_const_charp purpose, png_int_32 X0, png_int_32 X1, int type,
int nparams, png_const_charp units, png_charpp params)
{
png_size_t length;
int i;
png_debug1(1, "in %s storage function", "pCAL");
if (png_ptr == NULL || info_ptr == NULL || purpose == NULL || units == NULL
|| (nparams > 0 && params == NULL))
return;
length = strlen(purpose) + 1;
png_debug1(3, "allocating purpose for info (%lu bytes)",
(unsigned long)length);
/* TODO: validate format of calibration name and unit name */
/* Check that the type matches the specification. */
if (type < 0 || type > 3)
{
png_chunk_report(png_ptr, "Invalid pCAL equation type",
PNG_CHUNK_WRITE_ERROR);
return;
}
if (nparams < 0 || nparams > 255)
{
png_chunk_report(png_ptr, "Invalid pCAL parameter count",
PNG_CHUNK_WRITE_ERROR);
return;
}
/* Validate params[nparams] */
for (i=0; i<nparams; ++i)
{
if (params[i] == NULL ||
!png_check_fp_string(params[i], strlen(params[i])))
{
png_chunk_report(png_ptr, "Invalid format for pCAL parameter",
PNG_CHUNK_WRITE_ERROR);
return;
}
}
info_ptr->pcal_purpose = png_voidcast(png_charp,
png_malloc_warn(png_ptr, length));
if (info_ptr->pcal_purpose == NULL)
{
png_chunk_report(png_ptr, "Insufficient memory for pCAL purpose",
PNG_CHUNK_WRITE_ERROR);
return;
}
memcpy(info_ptr->pcal_purpose, purpose, length);
png_debug(3, "storing X0, X1, type, and nparams in info");
info_ptr->pcal_X0 = X0;
info_ptr->pcal_X1 = X1;
info_ptr->pcal_type = (png_byte)type;
info_ptr->pcal_nparams = (png_byte)nparams;
length = strlen(units) + 1;
png_debug1(3, "allocating units for info (%lu bytes)",
(unsigned long)length);
info_ptr->pcal_units = png_voidcast(png_charp,
png_malloc_warn(png_ptr, length));
if (info_ptr->pcal_units == NULL)
{
png_warning(png_ptr, "Insufficient memory for pCAL units");
return;
}
memcpy(info_ptr->pcal_units, units, length);
info_ptr->pcal_params = png_voidcast(png_charpp, png_malloc_warn(png_ptr,
(png_size_t)((nparams + 1) * (sizeof (png_charp)))));
if (info_ptr->pcal_params == NULL)
{
png_warning(png_ptr, "Insufficient memory for pCAL params");
return;
}
memset(info_ptr->pcal_params, 0, (nparams + 1) * (sizeof (png_charp)));
for (i = 0; i < nparams; i++)
{
length = strlen(params[i]) + 1;
png_debug2(3, "allocating parameter %d for info (%lu bytes)", i,
(unsigned long)length);
info_ptr->pcal_params[i] = (png_charp)png_malloc_warn(png_ptr, length);
if (info_ptr->pcal_params[i] == NULL)
{
png_warning(png_ptr, "Insufficient memory for pCAL parameter");
return;
}
memcpy(info_ptr->pcal_params[i], params[i], length);
}
info_ptr->valid |= PNG_INFO_pCAL;
info_ptr->free_me |= PNG_FREE_PCAL;
}
