The macro underreported the size (by up to 512 bytes) of an 8-bit non-color
palette based memory format because it failed to take into account that the
memory palette has to be expanded to full RGB when it is written to PNG.
This is not likely to be a serious bug because the macro is new, the memory
format in question is likely to be rarely used and the result of an undersized
buffer fails in a safe way.
Signed-off-by: John Bowler <jbowler@acm.org>
This is the test backported from 1.7 to ensure that when treating IDATs as
unknown the test does not fail if there are more than one IDAT chunks in the
file.
Signed-off-by: John Bowler <jbowler@acm.org>
This implements an API and provides a number of assist macros to allow an
application which uses the simplified API write to bypass stdio and write
directly to memory.
It also includes some warnings (png.h) and some check code to detect *possible*
overflow in the ROW_STRIDE and simplified image SIZE macros. This disallows
image width/height/format that *might* overflow. A quiet API change that limits
in-memory image size (uncompressed) to less that 4GByte and image row size
(stride) to less than 2GByte.
Signed-off-by: John Bowler <jbowler@acm.org>
Undefined because (png_byte) << shift is undefined if it changes the signed bit
(because png_byte is promoted to int). The libpng exported functions
png_get_uint_32 and png_get_uint_16 handle this.
Bug reported by David Drysdale as a result of reports from UBSAN in clang 3.8.
This changes pngvalid to use BE random numbers; this used to produce errors but
these should not be fixed as a result of the previous changes.
Signed-off-by: John Bowler <jbowler@acm.org>
This widens the 'limit' check on the internally calculated error limits in the
'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error checks) and it
changes the check to only operate in non-release builds (base build type not RC
or RELEASE.)
Signed-off-by: John Bowler <jbowler@acm.org>
Fixes to pngvalid for various reduced build configurations (eliminate unused
statics) and a fix for the case in rgb_to_gray when the digitize option reduces
graylo to 0, producing a large error.
Signed-off-by: John Bowler <jbowler@acm.org>
This 'fixes' the current problem in the BE tests by not testing it, making the
BE code the same as the LE version.
Signed-off-by: John Bowler <jbowler@acm.org>
The previous attempts to ignore the errors in the code aren't quite enough to
deal with the 'channel selection' encoding added to libpng 1.7; abort.
pngvalid.c is changed to drop this encoding in prior versions.
Signed-off-by: John Bowler <jbowler@acm.org>
Remove the '--strict' in 1.6 because of the double-gamma-correction warning,
update pngstest-errors.h for the errors detected with the new contrib/testspngs
PNG test files.
Signed-off-by: John Bowler <jbowler@acm.org>
input that was made in version 1.6.17beta01, to preserve legacy
behavior even though it was incorrect. Instead, added new API
png_set_filter_16() and png_set_add_alpha_16() that set a flag to
make png_do_read_filter() interpret the filler bytes properly.
Splitting the machine generated error structs out to a file allows the values to
be updated without changing pngstest.c itself, since libpng 1.6 and 1.7 have
slightly different error limits this simplifies maintenance.
Signed-off-by: John Bowler <jbowler@acm.org>
This is a patch for libpng16.
It incorporates fixes to the low-bit-depth gray background handling from
libpng17 and turns one of the low-bit-depth gray cases that does work (and,
indeed, did work before) in libpng16
Signed-off-by: John Bowler <jbowler@acm.org>
This updates libpng16 with all the test changes from libpng17,
including changes to pngvalid.c to ensure that the original,
distributed, version of contrib/visupng/cexcept.h can be used.
pngvalid contains the correction to the use of SAVE/STORE_
UNKNOWN_CHUNKS; a bug revealed by changes in libpng 1.7. More
tests contain the --strict option to detect warnings and the
pngvalid-standard test has been corrected so that it does not
turn on progresive-read (there is a separate test which does
that.)
Some signed/unsigned fixes have been made.
Signed-off-by: John Bowler <jbowler@acm.org>
handling in contrib/libtests/pngstest.c; possible overflow of
unsigned char in contrib/tools/png-fix-itxt.c). To use the "secure"
file handling, define PNG_USE_MKSTEMP, otherwise "tmpfile()" will
continue to be used.
simpleover. Also added a comment to png.h pointing out that the pointer must
be set to NULL! (simpleover crashes with any slightly complex command lines
without this fix.)
in the code the number of elements in an array is calculated using
sizeof. This generates a compile time constant of type (size_t) which
is then typically assigned to an (unsigned int) or (int). Some versions
of GCC on 64-bit systems warn about the apparent narrowing, even though
the same compiler does apparently generate the correct, in-range,
numeric constant. This adds appropriate, safe, casts to make the
warnings go away.
implementation of the ARM NEON discovery function to be set at
build-time and provide sample implementations from the current code in the
contrib/arm-neon subdirectory. The __linux__ code has also been changed to
compile and link on Android by using /proc/cpuinfo, and the old linux code
is in contrib/arm-neon/linux-auxv.c. The new code avoids POSIX and Linux
dependencies apart from opening /proc/cpuinfo and is C90 compliant.
configurations don't build because of missing contrib/libtests test programs
and overly complex dependencies in scripts/pnglibconf.dfa. This change adds
contrib/conftest/*.dfa files that can be used in automatic build
scripts to ensure that these configurations continue to build.
the useful side effect of avoiding a bogus warning generated by the latest
version of the Intel C compiler (it objects to
condition ? string-literal : string-literal).
requirements of png_modifier are greater than that of png_store and as a
consequence compilation of pngvalid.c results in a warning about increased
alignment requirements because of the bare cast to (png_modifier*). The code
is safe, because the pointer is known to point to a stack allocated
png_modifier, but this change avoids the warning.
Fixed default behavior of ARM_NEON_API. If the ARM NEON API option was
compiled without the CHECK option it defaulted to on, not off.
Check user callback behavior in pngunknown.c. Previous versions compiled
if SAVE_UNKNOWN was not available but did nothing since the callback
was never implemented.
Merged pngunknown.c with 1.7 version and back ported 1.7 improvements/fixes
off. Also fixed the pngminim makefiles to work when $(MAKEFLAGS) contains stuff
which terminates the make options (as by default in recent versions of Gentoo).
strip option. pngfix relied on undefined behavior and even a simple change from
gcc to g++ caused it to fail. The new strip option 'unsafe' has been
implemented and is the default if --max is given. Option names have
been clarified, with --strip=transform now stripping the bKGD chunk,
which was stripped previously with --strip=unused.
Added all documented chunk types to pngpriv.h
only works with libpng versions that can be made to reliably fail when
the deflate data contains an out-of-window reference. This means only
1.6 and later.
Fixed gnu issues: g++ needs a static_cast, gcc 4.4.7 has a broken warning
message which it is easier to work round than ignore.
For inflate, reverted previous fixes.
Added fixitxt and pngdeflate to the built programs and removed warnings
from the source code and timepng that are revealed as a result. Fixed
fixitxt when the chunk length is more than 65535 (untested, no test case).
a flag to change default. In 1.6.0 when the simplified API was used
to produce color-mapped output from an input image with no gamma
information the gamma assumed for the input could be different from
that assumed for non-color-mapped output. In particular 16-bit depth
input files were assumed to be sRGB encoded, whereas in the 'direct'
case they were assumed to have linear data. This was an error. The
fix makes the simplified API treat all input files the same way and
adds a new flag to the png_image::flags member to allow the
application/user to specify that 16-bit files contain sRGB data
rather than the default linear.
Fixed bugs in the pngpixel and makepng test programs.
READ_GAMMA. Prior to 1.6.0 switching off READ_GAMMA did unpredictable things
to the interfaces that use it (specifically, png_do_background in 1.4 would
simply display composite for grayscale images but do composition
with the incorrect arithmetic for color ones). In 1.6 the semantic
of -DPNG_NO_READ_GAMMA is changed to simply disable any interface that
depends on it; this obliges people who set it to consider whether they
really want it off if they happen to use any of the interfaces in
question (typically most users who disable it won't).
option to pngtest. The "--relaxed" option turns off the benign errors that are
enabled by default in pre-RC builds. makepng can now write ICC profiles
where the length has not been extended to a multiple of 4, and pngtest
now intercepts all libpng errors, allowing the previously-introduced
"--strict test" on no warnings to actually work.
contrib/libtests/makepng: corrected 'rgb' and 'gray' cases. profile_error
messages could be truncated; made a correct buffer size calculation and
adjusted pngerror.c appropriately. png_icc_check_* checking improved;
changed the functions to receive the correct color type of the PNG on read
or write and check that it matches the color space of the profile (despite
what the comments said before, there is danger in assuming the app will
cope correctly with an RGB profile on a grayscale image and, since it
violates the PNG spec, allowing it is certain to produce inconsistent
app behavior and might even cause app crashes.) Check that profiles
contain the tags needed to process the PNG (tags all required by the ICC
spec). Removed unused PNG_STATIC from pngpriv.h.
png_handle_unknown() when SAVE support is absent. Moved the shell test
scripts for contrib/libtests from the libpng top directory to contrib/libtests.
png_handle_unknown() must always read or skip the chunk, if
SAVE_UNKNOWN_CHUNKS is turned off *and* the application does not set
a user callback an unknown chunk will not be read, leading to a read
error, which was revealed by the "tunknown" test.
control of the unknown handling, corrects the pre-existing bug where
the per-chunk 'keep' setting is ignored and makes it possible to skip
IDAT chunks in the sequential reader (broken in earlier 1.6 versions).
There is a new test program, test-unknown.c, which is a work in progress
(not currently part of the test suite). Comments in the header files now
explain how the unknown handling works.
support. Now "make check" will succeed even if libpng is compiled with
-DPNG_NO_READ or -DPNG_NO_WRITE. The tests performed are reduced, but the
basic reading and writing of a PNG file is always tested by one or more of
the tests.
ignore all unknown chunks and all known chunks except for IHDR, PLTE, tRNS,
IDAT, and IEND. Previously it only meant ignore all unknown chunks, the
same as num_chunks == 0. Revised png_image_skip_unused_chunks() to
provide a list of chunks to be processed instead of a list of chunks to
ignore. Revised contrib/gregbook/readpng2.c accordingly.
The compiler performs an optimization which is safe; however it then warns
about it. Changing the type of 'palette_number' in pngvalid.c removes the
warning.
This is necessary because the VS2010 output window otherwise simply loses
the error messages on error (they weren't flushed to the window before
the process exited, apparently!)
all potentially valid ICC profiles and reject obviously invalid ones.
It now uses png_error() to do so rather than casually writing a PNG
without the necessary color data.
generator. The generator generates images that test the full range of sample
values, allow the error numbers in pngstest to be tuned and checked. makepng
also allows generation of images with extra chunks, although this is
still work-in-progress.
store intermediate files, or intermediate in-memory data, while processing
image data with the simplified API. The option makes the files larger
but faster to write and read. pngstest now uses this by default; this
can be disabled with the --slow option.
Fixed a memory overwrite bug in simplified read of RGB PNG with
non-linear gamma Also bugs in the error checking in pngread.c and changed
quite a lot of the checks in pngstest.c to be correct; either correctly
written or not over-optimistic. The pngstest changes are insufficient to
allow all possible RGB transforms to be passed; pngstest cmppixel needs
to be rewritten to make it clearer which errors it allows and then changed
to permit known inaccuracies.
The API is extremely inaccurate for sRGB conversions because it uses an 8-bit
intermediate linear value and it does not use the sRGB transform, so it
suffers from the known instability in gamma transforms for values close
to 0 (see Poynton). The net result is that the calculation has a maximum
error of 14.99/255; 0.5/255^(1/2.2). pngstest now uses 15 for the
permitted 8-bit error. This may still not be enough because of arithmetic
error.
to the background parameter of png_image_finish_read. The --background
option is now done automagically only when required, so that commandline
option no longer exists.
