The code no longer gives up/fails on invalid PNG data, it just skips it (with
error messages). The code no longer fails on PNG files with data beyond IEND.
Options exist to use png_read_png (reading the whole image, not by row) and, in
that case, to apply any of the supported transforms. This makes for more
realistic testing; the decoded data actually gets used in a meaningful fashion.
Signed-off-by: John Bowler <jbowler@acm.org>
The macro underreported the size (by up to 512 bytes) of an 8-bit non-color
palette based memory format because it failed to take into account that the
memory palette has to be expanded to full RGB when it is written to PNG.
This is not likely to be a serious bug because the macro is new, the memory
format in question is likely to be rarely used and the result of an undersized
buffer fails in a safe way.
Signed-off-by: John Bowler <jbowler@acm.org>
This is the test backported from 1.7 to ensure that when treating IDATs as
unknown the test does not fail if there are more than one IDAT chunks in the
file.
Signed-off-by: John Bowler <jbowler@acm.org>
This implements an API and provides a number of assist macros to allow an
application which uses the simplified API write to bypass stdio and write
directly to memory.
It also includes some warnings (png.h) and some check code to detect *possible*
overflow in the ROW_STRIDE and simplified image SIZE macros. This disallows
image width/height/format that *might* overflow. A quiet API change that limits
in-memory image size (uncompressed) to less that 4GByte and image row size
(stride) to less than 2GByte.
Signed-off-by: John Bowler <jbowler@acm.org>
Undefined because (png_byte) << shift is undefined if it changes the signed bit
(because png_byte is promoted to int). The libpng exported functions
png_get_uint_32 and png_get_uint_16 handle this.
Bug reported by David Drysdale as a result of reports from UBSAN in clang 3.8.
This changes pngvalid to use BE random numbers; this used to produce errors but
these should not be fixed as a result of the previous changes.
Signed-off-by: John Bowler <jbowler@acm.org>
This widens the 'limit' check on the internally calculated error limits in the
'DIGITIZE' case (the code used prior to 1.7 for rgb_to_gray error checks) and it
changes the check to only operate in non-release builds (base build type not RC
or RELEASE.)
Signed-off-by: John Bowler <jbowler@acm.org>
Fixes to pngvalid for various reduced build configurations (eliminate unused
statics) and a fix for the case in rgb_to_gray when the digitize option reduces
graylo to 0, producing a large error.
Signed-off-by: John Bowler <jbowler@acm.org>
This 'fixes' the current problem in the BE tests by not testing it, making the
BE code the same as the LE version.
Signed-off-by: John Bowler <jbowler@acm.org>
The previous attempts to ignore the errors in the code aren't quite enough to
deal with the 'channel selection' encoding added to libpng 1.7; abort.
pngvalid.c is changed to drop this encoding in prior versions.
Signed-off-by: John Bowler <jbowler@acm.org>
Remove the '--strict' in 1.6 because of the double-gamma-correction warning,
update pngstest-errors.h for the errors detected with the new contrib/testspngs
PNG test files.
Signed-off-by: John Bowler <jbowler@acm.org>
input that was made in version 1.6.17beta01, to preserve legacy
behavior even though it was incorrect. Instead, added new API
png_set_filter_16() and png_set_add_alpha_16() that set a flag to
make png_do_read_filter() interpret the filler bytes properly.
Splitting the machine generated error structs out to a file allows the values to
be updated without changing pngstest.c itself, since libpng 1.6 and 1.7 have
slightly different error limits this simplifies maintenance.
Signed-off-by: John Bowler <jbowler@acm.org>
This is a patch for libpng16.
It incorporates fixes to the low-bit-depth gray background handling from
libpng17 and turns one of the low-bit-depth gray cases that does work (and,
indeed, did work before) in libpng16
Signed-off-by: John Bowler <jbowler@acm.org>
This updates libpng16 with all the test changes from libpng17,
including changes to pngvalid.c to ensure that the original,
distributed, version of contrib/visupng/cexcept.h can be used.
pngvalid contains the correction to the use of SAVE/STORE_
UNKNOWN_CHUNKS; a bug revealed by changes in libpng 1.7. More
tests contain the --strict option to detect warnings and the
pngvalid-standard test has been corrected so that it does not
turn on progresive-read (there is a separate test which does
that.)
Some signed/unsigned fixes have been made.
Signed-off-by: John Bowler <jbowler@acm.org>
handling in contrib/libtests/pngstest.c; possible overflow of
unsigned char in contrib/tools/png-fix-itxt.c). To use the "secure"
file handling, define PNG_USE_MKSTEMP, otherwise "tmpfile()" will
continue to be used.
in the code the number of elements in an array is calculated using
sizeof. This generates a compile time constant of type (size_t) which
is then typically assigned to an (unsigned int) or (int). Some versions
of GCC on 64-bit systems warn about the apparent narrowing, even though
the same compiler does apparently generate the correct, in-range,
numeric constant. This adds appropriate, safe, casts to make the
warnings go away.
