DO NOT MERGE Update libpng to 1.6.20
BUG:23265085
Change-Id: I85199805636d771f3597b691b63bc0bf46084833
(cherry picked from commit bbe98b40cda082024b669fa508931042eed18f82)
diff --git a/pngset.c b/pngset.c
index fd718c9..8fd7965 100644
--- a/pngset.c
+++ b/pngset.c
@@ -1,8 +1,8 @@
/* pngset.c - storage of image information into info struct
*
- * Last changed in libpng 1.6.8 [December 19, 2013]
- * Copyright (c) 1998-2013 Glenn Randers-Pehrson
+ * Last changed in libpng 1.6.19 [November 12, 2015]
+ * Copyright (c) 1998-2015 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
*
@@ -59,7 +59,7 @@
xy.whitey = white_y;
if (png_colorspace_set_chromaticities(png_ptr, &info_ptr->colorspace, &xy,
- 2/* override with app values*/))
+ 2/* override with app values*/) != 0)
info_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
png_colorspace_sync_info(png_ptr, info_ptr);
@@ -90,7 +90,8 @@
XYZ.blue_Y = int_blue_Y;
XYZ.blue_Z = int_blue_Z;
- if (png_colorspace_set_endpoints(png_ptr, &info_ptr->colorspace, &XYZ, 2))
+ if (png_colorspace_set_endpoints(png_ptr, &info_ptr->colorspace,
+ &XYZ, 2) != 0)
info_ptr->colorspace.flags |= PNG_COLORSPACE_FROM_cHRM;
png_colorspace_sync_info(png_ptr, info_ptr);
@@ -122,16 +123,16 @@
png_fixed(png_ptr, red_X, "cHRM Red X"),
png_fixed(png_ptr, red_Y, "cHRM Red Y"),
png_fixed(png_ptr, red_Z, "cHRM Red Z"),
- png_fixed(png_ptr, green_X, "cHRM Red X"),
- png_fixed(png_ptr, green_Y, "cHRM Red Y"),
- png_fixed(png_ptr, green_Z, "cHRM Red Z"),
- png_fixed(png_ptr, blue_X, "cHRM Red X"),
- png_fixed(png_ptr, blue_Y, "cHRM Red Y"),
- png_fixed(png_ptr, blue_Z, "cHRM Red Z"));
+ png_fixed(png_ptr, green_X, "cHRM Green X"),
+ png_fixed(png_ptr, green_Y, "cHRM Green Y"),
+ png_fixed(png_ptr, green_Z, "cHRM Green Z"),
+ png_fixed(png_ptr, blue_X, "cHRM Blue X"),
+ png_fixed(png_ptr, blue_Y, "cHRM Blue Y"),
+ png_fixed(png_ptr, blue_Z, "cHRM Blue Z"));
}
-# endif /* PNG_FLOATING_POINT_SUPPORTED */
+# endif /* FLOATING_POINT */
-#endif /* PNG_cHRM_SUPPORTED */
+#endif /* cHRM */
#ifdef PNG_gAMA_SUPPORTED
void PNGFAPI
@@ -189,6 +190,7 @@
if (info_ptr->hist == NULL)
{
png_warning(png_ptr, "Insufficient memory for hIST chunk data");
+
return;
}
@@ -227,13 +229,13 @@
if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
info_ptr->channels = 1;
- else if (info_ptr->color_type & PNG_COLOR_MASK_COLOR)
+ else if ((info_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0)
info_ptr->channels = 3;
else
info_ptr->channels = 1;
- if (info_ptr->color_type & PNG_COLOR_MASK_ALPHA)
+ if ((info_ptr->color_type & PNG_COLOR_MASK_ALPHA) != 0)
info_ptr->channels++;
info_ptr->pixel_depth = (png_byte)(info_ptr->channels * info_ptr->bit_depth);
@@ -270,7 +272,7 @@
png_debug1(1, "in %s storage function", "pCAL");
if (png_ptr == NULL || info_ptr == NULL || purpose == NULL || units == NULL
- || (nparams > 0 && params == NULL))
+ || (nparams > 0 && params == NULL))
return;
length = strlen(purpose) + 1;
@@ -288,16 +290,19 @@
/* Validate params[nparams] */
for (i=0; i<nparams; ++i)
+ {
if (params[i] == NULL ||
- !png_check_fp_string(params[i], strlen(params[i])))
+ !png_check_fp_string(params[i], strlen(params[i])))
png_error(png_ptr, "Invalid format for pCAL parameter");
+ }
info_ptr->pcal_purpose = png_voidcast(png_charp,
- png_malloc_warn(png_ptr, length));
+ png_malloc_warn(png_ptr, length));
if (info_ptr->pcal_purpose == NULL)
{
png_warning(png_ptr, "Insufficient memory for pCAL purpose");
+
return;
}
@@ -319,6 +324,7 @@
if (info_ptr->pcal_units == NULL)
{
png_warning(png_ptr, "Insufficient memory for pCAL units");
+
return;
}
@@ -330,6 +336,7 @@
if (info_ptr->pcal_params == NULL)
{
png_warning(png_ptr, "Insufficient memory for pCAL params");
+
return;
}
@@ -346,6 +353,7 @@
if (info_ptr->pcal_params[i] == NULL)
{
png_warning(png_ptr, "Insufficient memory for pCAL parameter");
+
return;
}
@@ -395,6 +403,7 @@
if (info_ptr->scal_s_width == NULL)
{
png_warning(png_ptr, "Memory allocation failed while processing sCAL");
+
return;
}
@@ -413,6 +422,7 @@
info_ptr->scal_s_width = NULL;
png_warning(png_ptr, "Memory allocation failed while processing sCAL");
+
return;
}
@@ -503,12 +513,17 @@
png_const_colorp palette, int num_palette)
{
+ png_uint_32 max_palette_length;
+
png_debug1(1, "in %s storage function", "PLTE");
if (png_ptr == NULL || info_ptr == NULL)
return;
- if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH)
+ max_palette_length = (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ?
+ (1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH;
+
+ if (num_palette < 0 || num_palette > (int) max_palette_length)
{
if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
png_error(png_ptr, "Invalid palette length");
@@ -516,6 +531,7 @@
else
{
png_warning(png_ptr, "Invalid palette length");
+
return;
}
}
@@ -528,7 +544,6 @@
))
{
png_error(png_ptr, "Invalid palette");
- return;
}
/* It may not actually be necessary to set png_ptr->palette here;
@@ -541,8 +556,8 @@
png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0);
/* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead
- * of num_palette entries, in case of an invalid PNG file that has
- * too-large sample values.
+ * of num_palette entries, in case of an invalid PNG file or incorrect
+ * call to png_set_PLTE() with too-large sample values.
*/
png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr,
PNG_MAX_PALETTE_LENGTH * (sizeof (png_color))));
@@ -594,7 +609,8 @@
if (png_ptr == NULL || info_ptr == NULL)
return;
- if (png_colorspace_set_sRGB(png_ptr, &info_ptr->colorspace, srgb_intent))
+ if (png_colorspace_set_sRGB(png_ptr, &info_ptr->colorspace,
+ srgb_intent) != 0)
{
/* This causes the gAMA and cHRM to be written too */
info_ptr->colorspace.flags |=
@@ -637,7 +653,7 @@
png_colorspace_sync_info(png_ptr, info_ptr);
/* Don't do any of the copying if the profile was bad, or inconsistent. */
- if (!result)
+ if (result == 0)
return;
/* But do write the gAMA and cHRM chunks from the profile. */
@@ -651,6 +667,7 @@
if (new_iccp_name == NULL)
{
png_benign_error(png_ptr, "Insufficient memory to process iCCP chunk");
+
return;
}
@@ -663,6 +680,7 @@
png_free(png_ptr, new_iccp_name);
png_benign_error(png_ptr,
"Insufficient memory to process iCCP profile");
+
return;
}
@@ -686,7 +704,7 @@
int ret;
ret = png_set_text_2(png_ptr, info_ptr, text_ptr, num_text);
- if (ret)
+ if (ret != 0)
png_error(png_ptr, "Insufficient memory to store text");
}
@@ -696,7 +714,7 @@
{
int i;
- png_debug1(1, "in %lx storage function", png_ptr == NULL ? "unexpected" :
+ png_debug1(1, "in %lx storage function", png_ptr == NULL ? 0xabadca11U :
(unsigned long)png_ptr->chunk_name);
if (png_ptr == NULL || info_ptr == NULL || num_text <= 0 || text_ptr == NULL)
@@ -726,7 +744,7 @@
else
max_text = INT_MAX;
- /* Now allocate a new array and copy the old members in, this does all
+ /* Now allocate a new array and copy the old members in; this does all
* the overflow checks.
*/
new_text = png_voidcast(png_textp,png_realloc_array(png_ptr,
@@ -738,6 +756,7 @@
{
png_chunk_report(png_ptr, "too many text chunks",
PNG_CHUNK_WRITE_ERROR);
+
return 1;
}
@@ -793,7 +812,7 @@
else
lang_key_len = 0;
}
-# else /* PNG_iTXt_SUPPORTED */
+# else /* iTXt */
{
png_chunk_report(png_ptr, "iTXt chunk not supported",
PNG_CHUNK_WRITE_ERROR);
@@ -826,6 +845,7 @@
{
png_chunk_report(png_ptr, "text chunk: out of memory",
PNG_CHUNK_WRITE_ERROR);
+
return 1;
}
@@ -855,7 +875,7 @@
textp->text = textp->key + key_len + 1;
}
- if (text_length)
+ if (text_length != 0)
memcpy(textp->text, text_ptr[i].text, text_length);
*(textp->text + text_length) = '\0';
@@ -890,7 +910,7 @@
png_debug1(1, "in %s storage function", "tIME");
if (png_ptr == NULL || info_ptr == NULL || mod_time == NULL ||
- (png_ptr->mode & PNG_WROTE_tIME))
+ (png_ptr->mode & PNG_WROTE_tIME) != 0)
return;
if (mod_time->month == 0 || mod_time->month > 12 ||
@@ -899,6 +919,7 @@
mod_time->second > 60)
{
png_warning(png_ptr, "Ignoring invalid time value");
+
return;
}
@@ -915,6 +936,7 @@
png_debug1(1, "in %s storage function", "tRNS");
if (png_ptr == NULL || info_ptr == NULL)
+
return;
if (trans_alpha != NULL)
@@ -940,16 +962,21 @@
if (trans_color != NULL)
{
- int sample_max = (1 << info_ptr->bit_depth);
+#ifdef PNG_WARNINGS_SUPPORTED
+ if (info_ptr->bit_depth < 16)
+ {
+ int sample_max = (1 << info_ptr->bit_depth) - 1;
- if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY &&
- trans_color->gray > sample_max) ||
- (info_ptr->color_type == PNG_COLOR_TYPE_RGB &&
- (trans_color->red > sample_max ||
- trans_color->green > sample_max ||
- trans_color->blue > sample_max)))
- png_warning(png_ptr,
- "tRNS chunk has out-of-range samples for bit_depth");
+ if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY &&
+ trans_color->gray > sample_max) ||
+ (info_ptr->color_type == PNG_COLOR_TYPE_RGB &&
+ (trans_color->red > sample_max ||
+ trans_color->green > sample_max ||
+ trans_color->blue > sample_max)))
+ png_warning(png_ptr,
+ "tRNS chunk has out-of-range samples for bit_depth");
+ }
+#endif
info_ptr->trans_color = *trans_color;
@@ -996,6 +1023,7 @@
{
/* Out of memory or too many chunks */
png_chunk_report(png_ptr, "too many sPLT chunks", PNG_CHUNK_WRITE_ERROR);
+
return;
}
@@ -1020,8 +1048,8 @@
np->depth = entries->depth;
- /* In the even of out-of-memory just return - there's no point keeping on
- * trying to add sPLT chunks.
+ /* In the event of out-of-memory just return - there's no point keeping
+ * on trying to add sPLT chunks.
*/
length = strlen(entries->name) + 1;
np->name = png_voidcast(png_charp, png_malloc_base(png_ptr, length));
@@ -1032,8 +1060,8 @@
memcpy(np->name, entries->name, length);
/* IMPORTANT: we have memory now that won't get freed if something else
- * goes wrong, this code must free it. png_malloc_array produces no
- * warnings, use a png_chunk_report (below) if there is an error.
+ * goes wrong; this code must free it. png_malloc_array produces no
+ * warnings; use a png_chunk_report (below) if there is an error.
*/
np->entries = png_voidcast(png_sPLT_entryp, png_malloc_array(png_ptr,
entries->nentries, sizeof (png_sPLT_entry)));
@@ -1041,6 +1069,7 @@
if (np->entries == NULL)
{
png_free(png_ptr, np->name);
+ np->name = NULL;
break;
}
@@ -1063,7 +1092,7 @@
if (nentries > 0)
png_chunk_report(png_ptr, "sPLT out of memory", PNG_CHUNK_WRITE_ERROR);
}
-#endif /* PNG_sPLT_SUPPORTED */
+#endif /* sPLT */
#ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
static png_byte
@@ -1072,10 +1101,10 @@
location &= (PNG_HAVE_IHDR|PNG_HAVE_PLTE|PNG_AFTER_IDAT);
/* New in 1.6.0; copy the location and check it. This is an API
- * change, previously the app had to use the
+ * change; previously the app had to use the
* png_set_unknown_chunk_location API below for each chunk.
*/
- if (location == 0 && !(png_ptr->mode & PNG_IS_READ_STRUCT))
+ if (location == 0 && (png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
{
/* Write struct, so unknown chunks come from the app */
png_app_warning(png_ptr,
@@ -1110,7 +1139,7 @@
png_unknown_chunkp np;
if (png_ptr == NULL || info_ptr == NULL || num_unknowns <= 0 ||
- unknowns == NULL)
+ unknowns == NULL)
return;
/* Check for the failure cases where support has been disabled at compile
@@ -1121,17 +1150,19 @@
*/
# if !defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) && \
defined(PNG_READ_SUPPORTED)
- if (png_ptr->mode & PNG_IS_READ_STRUCT)
+ if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
{
png_app_error(png_ptr, "no unknown chunk support on read");
+
return;
}
# endif
# if !defined(PNG_WRITE_UNKNOWN_CHUNKS_SUPPORTED) && \
defined(PNG_WRITE_SUPPORTED)
- if (!(png_ptr->mode & PNG_IS_READ_STRUCT))
+ if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
{
png_app_error(png_ptr, "no unknown chunk support on write");
+
return;
}
# endif
@@ -1149,6 +1180,7 @@
{
png_chunk_report(png_ptr, "too many unknown chunks",
PNG_CHUNK_WRITE_ERROR);
+
return;
}
@@ -1215,7 +1247,7 @@
{
png_app_error(png_ptr, "invalid unknown chunk location");
/* Fake out the pre 1.6.0 behavior: */
- if ((location & PNG_HAVE_IDAT)) /* undocumented! */
+ if ((location & PNG_HAVE_IDAT) != 0) /* undocumented! */
location = PNG_AFTER_IDAT;
else
@@ -1226,8 +1258,7 @@
check_location(png_ptr, location);
}
}
-#endif
-
+#endif /* STORE_UNKNOWN_CHUNKS */
#ifdef PNG_MNG_FEATURES_SUPPORTED
png_uint_32 PNGAPI
@@ -1253,10 +1284,14 @@
/* Utility function: update the 'keep' state of a chunk if it is already in
* the list, otherwise add it to the list.
*/
- for (i=0; i<count; ++i, list += 5) if (memcmp(list, add, 4) == 0)
+ for (i=0; i<count; ++i, list += 5)
{
- list[4] = (png_byte)keep;
- return count;
+ if (memcmp(list, add, 4) == 0)
+ {
+ list[4] = (png_byte)keep;
+
+ return count;
+ }
}
if (keep != PNG_HANDLE_CHUNK_AS_DEFAULT)
@@ -1282,6 +1317,7 @@
if (keep < 0 || keep >= PNG_HANDLE_CHUNK_LAST)
{
png_app_error(png_ptr, "png_set_keep_unknown_chunks: invalid keep");
+
return;
}
@@ -1320,7 +1356,7 @@
};
chunk_list = chunks_to_ignore;
- num_chunks = (sizeof chunks_to_ignore)/5;
+ num_chunks = (unsigned int)/*SAFE*/(sizeof chunks_to_ignore)/5U;
}
else /* num_chunks_in > 0 */
@@ -1331,6 +1367,7 @@
* which can be switched off.
*/
png_app_error(png_ptr, "png_set_keep_unknown_chunks: no chunk list");
+
return;
}
@@ -1346,6 +1383,7 @@
if (num_chunks + old_num_chunks > UINT_MAX/5)
{
png_app_error(png_ptr, "png_set_keep_unknown_chunks: too many chunks");
+
return;
}
@@ -1353,7 +1391,7 @@
* required because add_one_chunk above doesn't extend the list if the 'keep'
* parameter is the default.
*/
- if (keep)
+ if (keep != 0)
{
new_list = png_voidcast(png_bytep, png_malloc(png_ptr,
5 * (num_chunks + old_num_chunks)));
@@ -1380,12 +1418,15 @@
unsigned int i;
for (i=0; i<num_chunks; ++i)
+ {
old_num_chunks = add_one_chunk(new_list, old_num_chunks,
chunk_list+5*i, keep);
+ }
/* Now remove any spurious 'default' entries. */
num_chunks = 0;
for (i=0, inlist=outlist=new_list; i<old_num_chunks; ++i, inlist += 5)
+ {
if (inlist[4])
{
if (outlist != inlist)
@@ -1393,6 +1434,7 @@
outlist += 5;
++num_chunks;
}
+ }
/* This means the application has removed all the specialized handling. */
if (num_chunks == 0)
@@ -1444,12 +1486,13 @@
if (png_ptr == NULL || info_ptr == NULL)
return;
- if (info_ptr->row_pointers && (info_ptr->row_pointers != row_pointers))
+ if (info_ptr->row_pointers != NULL &&
+ (info_ptr->row_pointers != row_pointers))
png_free_data(png_ptr, info_ptr, PNG_FREE_ROWS, 0);
info_ptr->row_pointers = row_pointers;
- if (row_pointers)
+ if (row_pointers != NULL)
info_ptr->valid |= PNG_INFO_IDAT;
}
#endif
@@ -1464,7 +1507,7 @@
png_error(png_ptr, "invalid compression buffer size");
# ifdef PNG_SEQUENTIAL_READ_SUPPORTED
- if (png_ptr->mode & PNG_IS_READ_STRUCT)
+ if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
{
png_ptr->IDAT_read_size = (png_uint_32)size; /* checked above */
return;
@@ -1472,29 +1515,36 @@
# endif
# ifdef PNG_WRITE_SUPPORTED
- if (!(png_ptr->mode & PNG_IS_READ_STRUCT))
+ if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
{
if (png_ptr->zowner != 0)
{
png_warning(png_ptr,
"Compression buffer size cannot be changed because it is in use");
+
return;
}
+#ifndef __COVERITY__
+ /* Some compilers complain that this is always false. However, it
+ * can be true when integer overflow happens.
+ */
if (size > ZLIB_IO_MAX)
{
png_warning(png_ptr,
"Compression buffer size limited to system maximum");
size = ZLIB_IO_MAX; /* must fit */
}
+#endif
- else if (size < 6)
+ if (size < 6)
{
/* Deflate will potentially go into an infinite loop on a SYNC_FLUSH
* if this is permitted.
*/
png_warning(png_ptr,
"Compression buffer size cannot be reduced below 6");
+
return;
}
@@ -1510,7 +1560,7 @@
void PNGAPI
png_set_invalid(png_const_structrp png_ptr, png_inforp info_ptr, int mask)
{
- if (png_ptr && info_ptr)
+ if (png_ptr != NULL && info_ptr != NULL)
info_ptr->valid &= ~mask;
}
@@ -1523,7 +1573,7 @@
{
/* Images with dimensions larger than these limits will be
* rejected by png_set_IHDR(). To accept any PNG datastream
- * regardless of dimensions, set both limits to 0x7ffffffL.
+ * regardless of dimensions, set both limits to 0x7fffffff.
*/
if (png_ptr == NULL)
return;
@@ -1536,8 +1586,8 @@
void PNGAPI
png_set_chunk_cache_max (png_structrp png_ptr, png_uint_32 user_chunk_cache_max)
{
- if (png_ptr)
- png_ptr->user_chunk_cache_max = user_chunk_cache_max;
+ if (png_ptr != NULL)
+ png_ptr->user_chunk_cache_max = user_chunk_cache_max;
}
/* This function was added to libpng 1.4.1 */
@@ -1545,10 +1595,10 @@
png_set_chunk_malloc_max (png_structrp png_ptr,
png_alloc_size_t user_chunk_malloc_max)
{
- if (png_ptr)
+ if (png_ptr != NULL)
png_ptr->user_chunk_malloc_max = user_chunk_malloc_max;
}
-#endif /* ?PNG_SET_USER_LIMITS_SUPPORTED */
+#endif /* ?SET_USER_LIMITS */
#ifdef PNG_BENIGN_ERRORS_SUPPORTED
@@ -1563,7 +1613,7 @@
* is the default behavior if png_set_benign_errors() is not called).
*/
- if (allowed)
+ if (allowed != 0)
png_ptr->flags |= PNG_FLAG_BENIGN_ERRORS_WARN |
PNG_FLAG_APP_WARNINGS_WARN | PNG_FLAG_APP_ERRORS_WARN;
@@ -1571,14 +1621,14 @@
png_ptr->flags &= ~(PNG_FLAG_BENIGN_ERRORS_WARN |
PNG_FLAG_APP_WARNINGS_WARN | PNG_FLAG_APP_ERRORS_WARN);
}
-#endif /* PNG_BENIGN_ERRORS_SUPPORTED */
+#endif /* BENIGN_ERRORS */
#ifdef PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED
/* Whether to report invalid palette index; added at libng-1.5.10.
* It is possible for an indexed (color-type==3) PNG file to contain
* pixels with invalid (out-of-range) indexes if the PLTE chunk has
* fewer entries than the image's bit-depth would allow. We recover
- * from this gracefully by filling any incomplete palette with zeroes
+ * from this gracefully by filling any incomplete palette with zeros
* (opaque black). By default, when this occurs libpng will issue
* a benign error. This API can be used to override that behavior.
*/
@@ -1594,4 +1644,4 @@
png_ptr->num_palette_max = -1;
}
#endif
-#endif /* PNG_READ_SUPPORTED || PNG_WRITE_SUPPORTED */
+#endif /* READ || WRITE */