As per the const correctness rules, top-level const-ness of data
in automatic scopes does not propagate outside of these scopes
(unlike const-ness at lower levels, such as pointers to const data).
Previously, const was used liberally, but inconsistently across the
libpng codebase. Using const wherever applicable is not incorrect.
However, _consistent_ use of const is difficult to maintain in such
conditions.
In conclusion, we shall continue to use const only where doing so is
strictly necessary:
1. If a function guarantees that it will not modify an argument
passed by pointer, the corresponding function parameter should be
a pointer-to-const (const T *).
2. Static data should not be modified, therefore it should be const.
Reference:
Google C++ Style Guide
https://google.github.io/styleguide/cppguide.html#Use_of_const
In v1.6.0, size_t became a required type. It should be used
consistently. To maintain backwards compatibility, png_size_t
is still maintained in deprecated form.
result when integers appear on both sides of a compare. Worked around the
others by forcing the strict-overflow setting in the relevant functions to
a level where they are not reported.
Changed "FALL THROUGH" comments to "FALLTHROUGH" because GCC doesn't like
the space.
Worked around some C-style casts from (void*) because g++ 5.4.0 objects
to them.
Increased the buffer size for 'sprint' to pass the gcc 7.1.0 'sprint
overflow' check that is on by default with -Wall -Wextra.
This removes the use of a macro containing the pre-processor 'defined'
operator. It is unclear whether this is valid; a macro which
"generates" 'defined' is not permitted, but the use of the work
"generates" within the C90 standard seems to imply more than simple
substitution of an expression itself containing a well-formed defined
operation.
Signed-off-by: John Bowler <jbowler@acm.org>
Remove all currently detected cases of unsigned overflow. Detection is
runtime, so test case dependent. The changes to pngvalid.c eliminate
spurious and probably invalid tests with one while loop exception.
Apart from that and the change to the dependence on the intended
unsigned overflow in pngtrans.c the changes are limited to altering the
meme for an unsigned 'x' from:
while (x-- > 0)
to
for (; x > 0; --x)
This works because, in all cases, the control variable is not used in
the loop. The 'while' meme was, at one time, warn'ed by GCC so it is
probably a good change, for some weird religious value of good.
Signed-off-by: John Bowler <jbowler@acm.org>
MSVC does not like (uInt) = -(unsigned) (i.e. as an initializer), but it is fine
with it if the conversion is explicitly invoked by a cast.
Signed-off-by: John Bowler <jbowler@acm.org>
Coverity rejects code where an array element count has type size_t, this
elminates the code in question from contrib/libtests/pngvalid.c
Signed-off-by: John Bowler <jbowler@acm.org>
The previous version of the code invariably passed just one byte at a time to
libpng. The intention was to pass a random number of bytes in the range 0..511
(and this is what happens now).
Signed-off-by: John Bowler <jbowler@acm.org>
Undefined because (png_byte) << shift is undefined if it changes the signed bit
(because png_byte is promoted to int). The libpng exported functions
png_get_uint_32 and png_get_uint_16 handle this.
Bug reported by David Drysdale as a result of reports from UBSAN in clang 3.8.
This changes pngvalid to use BE random numbers; this used to produce errors but
these should not be fixed as a result of the previous changes.
Signed-off-by: John Bowler <jbowler@acm.org>
This widens the 'limit' check on the internally calculated error limits in the
'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error checks) and it
changes the check to only operate in non-release builds (base build type not RC
or RELEASE.)
Signed-off-by: John Bowler <jbowler@acm.org>
Fixes to pngvalid for various reduced build configurations (eliminate unused
statics) and a fix for the case in rgb_to_gray when the digitize option reduces
graylo to 0, producing a large error.
Signed-off-by: John Bowler <jbowler@acm.org>
This 'fixes' the current problem in the BE tests by not testing it, making the
BE code the same as the LE version.
Signed-off-by: John Bowler <jbowler@acm.org>
