/* pngfix.c

 *

 * Copyright (c) 2014-2016 John Cunningham Bowler

 *

 * Last changed in libpng 1.6.21 [January 15, 2016]

 *

 * This code is released under the libpng license.

 * For conditions of distribution and use, see the disclaimer

 * and license in png.h

 *

 * Tool to check and fix the zlib inflate 'too far back' problem.

 * See the usage message for more information.

 */

#include <stdlib.h></stdlib.h>

#include <stdio.h></stdio.h>

#include <string.h></string.h>

#include <ctype.h></ctype.h>

#include <limits.h></limits.h>

#include <errno.h></errno.h>

#include <assert.h></assert.h>

#define implies(x,y) assert(!(x) || (y))

#ifdef __GNUC__

   /* This is used to fix the error:

    *

    * pngfix.c:

    * In function 'zlib_advance':

    * pngfix.c:181:13: error: assuming signed overflow does not

    *   occur when simplifying conditional to constant [-Werror=strict-overflow]

    */

#  define FIX_GCC volatile

#else

#  define FIX_GCC

#endif

#define PROGRAM_NAME "pngfix"

/* Define the following to use this program against your installed libpng,

 * rather than the one being built here:

 */

#ifdef PNG_FREESTANDING_TESTS

#  include <png.h></png.h>

#else

#  include "../../png.h"

#endif

#if PNG_LIBPNG_VER < 10603 /* 1.6.3 */

#  error "pngfix will not work with libpng prior to 1.6.3"

#endif

#ifdef PNG_SETJMP_SUPPORTED

#include <setjmp.h></setjmp.h>

#if defined(PNG_READ_SUPPORTED) && defined(PNG_EASY_ACCESS_SUPPORTED) &&\

   (defined(PNG_READ_DEINTERLACE_SUPPORTED) ||\

    defined(PNG_READ_INTERLACING_SUPPORTED))

/* zlib.h defines the structure z_stream, an instance of which is included

 * in this structure and is required for decompressing the LZ compressed

 * data in PNG files.

 */

#ifndef ZLIB_CONST

   /* We must ensure that zlib uses 'const' in declarations. */

#  define ZLIB_CONST

#endif

#include <zlib.h></zlib.h>

#ifdef const

   /* zlib.h sometimes #defines const to nothing, undo this. */

#  undef const

#endif

/* zlib.h has mediocre z_const use before 1.2.6, this stuff is for compatibility

 * with older builds.

 */

#if ZLIB_VERNUM < 0x1260

#  define PNGZ_MSG_CAST(s) constcast(char*,s)

#  define PNGZ_INPUT_CAST(b) constcast(png_bytep,b)

#else

#  define PNGZ_MSG_CAST(s) (s)

#  define PNGZ_INPUT_CAST(b) (b)

#endif

#ifndef PNG_MAXIMUM_INFLATE_WINDOW

#  error "pngfix not supported in this libpng version"

#endif

#if ZLIB_VERNUM >= 0x1240

/* Copied from pngpriv.h */

#ifdef __cplusplus

#  define voidcast(type, value) static_cast<type>(value)</type>

#  define constcast(type, value) const_cast<type>(value)</type>

#  define aligncast(type, value) \

   static_cast<type>(static_cast<void*>(value))</void*></type>

#  define aligncastconst(type, value) \

   static_cast<type>(static_cast<const void*="">(value))</const></type>

#else

#  define voidcast(type, value) (value)

#  define constcast(type, value) ((type)(value))

#  define aligncast(type, value) ((void*)(value))

#  define aligncastconst(type, value) ((const void*)(value))

#endif /* __cplusplus */

#if PNG_LIBPNG_VER < 10700

/* Chunk tags (copied from pngpriv.h) */

#define PNG_32b(b,s) ((png_uint_32)(b) << (s))

#define PNG_U32(b1,b2,b3,b4) \

   (PNG_32b(b1,24) | PNG_32b(b2,16) | PNG_32b(b3,8) | PNG_32b(b4,0))

/* Constants for known chunk types. */

#define png_IDAT PNG_U32( 73,  68,  65,  84)

#define png_IEND PNG_U32( 73,  69,  78,  68)

#define png_IHDR PNG_U32( 73,  72,  68,  82)

#define png_PLTE PNG_U32( 80,  76,  84,  69)

#define png_bKGD PNG_U32( 98,  75,  71,  68)

#define png_cHRM PNG_U32( 99,  72,  82,  77)

#define png_fRAc PNG_U32(102,  82,  65,  99) /* registered, not defined */

#define png_gAMA PNG_U32(103,  65,  77,  65)

#define png_gIFg PNG_U32(103,  73,  70, 103)

#define png_gIFt PNG_U32(103,  73,  70, 116) /* deprecated */

#define png_gIFx PNG_U32(103,  73,  70, 120)

#define png_hIST PNG_U32(104,  73,  83,  84)

#define png_iCCP PNG_U32(105,  67,  67,  80)

#define png_iTXt PNG_U32(105,  84,  88, 116)

#define png_oFFs PNG_U32(111,  70,  70, 115)

#define png_pCAL PNG_U32(112,  67,  65,  76)

#define png_pHYs PNG_U32(112,  72,  89, 115)

#define png_sBIT PNG_U32(115,  66,  73,  84)

#define png_sCAL PNG_U32(115,  67,  65,  76)

#define png_sPLT PNG_U32(115,  80,  76,  84)

#define png_sRGB PNG_U32(115,  82,  71,  66)

#define png_sTER PNG_U32(115,  84,  69,  82)

#define png_tEXt PNG_U32(116,  69,  88, 116)

#define png_tIME PNG_U32(116,  73,  77,  69)

#define png_tRNS PNG_U32(116,  82,  78,  83)

#define png_zTXt PNG_U32(122,  84,  88, 116)

#endif

/* The 8-byte signature as a pair of 32-bit quantities */

#define sig1 PNG_U32(137,  80,  78,  71)

#define sig2 PNG_U32( 13,  10,  26,  10)

/* Is the chunk critical? */

#define CRITICAL(chunk) (((chunk) & PNG_U32(32,0,0,0)) == 0)

/* Is it safe to copy? */

#define SAFE_TO_COPY(chunk) (((chunk) & PNG_U32(0,0,0,32)) != 0)

/* Fix ups for builds with limited read support */

#ifndef PNG_ERROR_TEXT_SUPPORTED

#  define png_error(a,b) png_err(a)

#endif

/********************************* UTILITIES **********************************/

/* UNREACHED is a value to cause an assert to fail. Because of the way the

 * assert macro is written the string "UNREACHED" is produced in the error

 * message.

 */

#define UNREACHED 0

/* 80-bit number handling - a PNG image can be up to (2^31-1)x(2^31-1) 8-byte

 * (16-bit RGBA) pixels in size; that's less than 2^65 bytes or 2^68 bits, so

 * arithmetic of 80-bit numbers is sufficient.  This representation uses an

 * arbitrary length array of png_uint_16 digits (0..65535).  The representation

 * is little endian.

 *

 * The arithmetic functions take zero to two uarb values together with the

 * number of digits in those values and write the result to the given uarb

 * (always the first argument) returning the number of digits in the result.

 * If the result is negative the return value is also negative (this would

 * normally be an error).

 */

typedef png_uint_16  udigit; /* A 'unum' is an array of these */

typedef png_uint_16p uarb;

typedef png_const_uint_16p uarbc;

#define UDIGITS(unum) ((sizeof unum)/(sizeof (udigit))

   /* IMPORTANT: only apply this to an array, applied to a pointer the result

    * will typically be '2', which is not useful.

    */

static int

uarb_set(uarb result, png_alloc_size_t val)

   /* Set (initialize) 'result' to 'val'.  The size required for 'result' must

    * be determined by the caller from a knowledge of the maximum for 'val'.

    */

{

   int ndigits = 0;

   while (val > 0)

   {

      result[ndigits++] = (png_uint_16)(val & 0xffff);

      val >>= 16;

   }

   return ndigits;

}

static int

uarb_copy(uarb to, uarb from, int idigits)

   /* Copy a uarb, may reduce the digit count */

{

   int d, odigits;

   for (d=odigits=0; d

      if ((to[d] = from[d]) != 0)

         odigits = d+1;

   return odigits;

}

static int

uarb_inc(uarb num, int in_digits, png_int_32 add)

   /* This is a signed 32-bit add, except that to avoid overflow the value added

    * or subtracted must be no more than 2^31-65536.  A negative result

    * indicates a negative number (which is an error below).  The size of

    * 'num' should be max(in_digits+1,2) for arbitrary 'add' but can be just

    * in_digits+1 if add is known to be in the range -65535..65535.

    */

{

   FIX_GCC int out_digits = 0;

   while (out_digits < in_digits)

   {

      add += num[out_digits];

      num[out_digits++] = (png_uint_16)(add & 0xffff);

      add >>= 16;

   }

   while (add != 0 && add != (-1))

   {

      num[out_digits++] = (png_uint_16)(add & 0xffff);

      add >>= 16;

   }

   if (add == 0)

   {

      while (out_digits > 0 && num[out_digits-1] == 0)

         --out_digits;

      return out_digits; /* may be 0 */

   }

   else /* negative result */

   {

      while (out_digits > 1 && num[out_digits-1] == 0xffff)

         --out_digits;

      return -out_digits;

   }

}

static int

uarb_add32(uarb num, int in_digits, png_uint_32 add)

   /* As above but this works with any 32-bit value and only does 'add' */

{

   if (in_digits > 0)

   {

      in_digits = uarb_inc(num, in_digits, add & 0xffff);

      return uarb_inc(num+1, in_digits-1, add >> 16)+1;

   }

   return uarb_set(num, add);

}

static int

uarb_mult_digit(uarb acc, int a_digits, uarb num, FIX_GCC int n_digits,

   png_uint_16 val)

   /* Primitive one-digit multiply - 'val' must be 0..65535. Note that this

    * primitive is a multiply and accumulate - the result of *num * val is added

    * to *acc.

    *

    * This is a one-digit multiply, so the product may be up to one digit longer

    * than 'num', however the add to 'acc' means that the caller must ensure

    * that 'acc' is at least one digit longer than this *and* at least one digit

    * longer than the current length of 'acc'.  (Or the caller must otherwise

    * ensure 'adigits' is adequate from knowledge of the values.)

    */

{

   /* The digits in *acc, *num and val are in the range 0..65535, so the

    * result below is at most (65535*65535)+2*65635 = 65535*(65535+2), which is

    * exactly 0xffffffff.

    */

   if (val > 0 && n_digits > 0) /* Else the product is 0 */

   {

      png_uint_32 carry = 0;

      int out_digits = 0;

      while (out_digits < n_digits || carry > 0)

      {

         if (out_digits < a_digits)

            carry += acc[out_digits];

         if (out_digits < n_digits)

            carry += (png_uint_32)num[out_digits] * val;

         acc[out_digits++] = (png_uint_16)(carry & 0xffff);

         carry >>= 16;

      }

      /* So carry is 0 and all the input digits have been consumed. This means

       * that it is possible to skip any remaining digits in acc.

       */

      if (out_digits > a_digits)

         return out_digits;

   }

   return a_digits;

}

static int

uarb_mult32(uarb acc, int a_digits, uarb num, int n_digits, png_uint_32 val)

   /* calculate acc += num * val, 'val' may be any 32-bit value, 'acc' and 'num'

    * may be any value, returns the number of digits in 'acc'.

    */

{

   if (n_digits > 0 && val > 0)

   {

      a_digits = uarb_mult_digit(acc, a_digits, num, n_digits,

         (png_uint_16)(val & 0xffff));

      val >>= 16;

      if (val > 0)

         a_digits = uarb_mult_digit(acc+1, a_digits-1, num, n_digits,

            (png_uint_16)val) + 1;

      /* Because n_digits and val are >0 the following must be true: */

      assert(a_digits > 0);

   }

   return a_digits;

}

static int

uarb_shift(uarb inout, int ndigits, unsigned int right_shift)

   /* Shift inout right by right_shift bits, right_shift must be in the range

    * 1..15

    */

{

   FIX_GCC int i = ndigits;

   png_uint_16 carry = 0;

   assert(right_shift >= 1 && right_shift <= 15);

   while (--i >= 0)

   {

      png_uint_16 temp = (png_uint_16)(carry | (inout[i] >> right_shift));

      /* Bottom bits to top bits of carry */

      carry = (png_uint_16)((inout[i] << (16-right_shift)) & 0xffff);

      inout[i] = temp;

      /* The shift may reduce ndigits */

      if (i == ndigits-1 && temp == 0)

         ndigits = i;

   }

   return ndigits;

}

static int

uarb_cmp(uarb a, int adigits, uarb b, int bdigits)

   /* Return -1/0/+1 according as ab */

{

   if (adigits < bdigits)

      return -1;

   if (adigits > bdigits)

      return 1;

   while (adigits-- > 0)

      if (a[adigits] < b[adigits])

         return -1;

      else if (a[adigits] > b[adigits])

         return 1;

   return 0;

}

#if 0 /*UNUSED*/

static int

uarb_eq32(uarb num, int digits, png_uint_32 val)

   /* Return true if the uarb is equal to 'val' */

{

   switch (digits)

   {

      case 0:  return val == 0;

      case 1:  return val == num[0];

      case 2:  return (val & 0xffff) == num[0] && (val >> 16) == num[1];

      default: return 0;

   }

}

#endif

static void

uarb_printx(uarb num, int digits, FILE *out)

   /* Print 'num' as a hexadecimal number (easier than decimal!) */

{

   while (digits > 0)

      if (num[--digits] > 0)

      {

         fprintf(out, "0x%x", num[digits]);

         while (digits > 0)

            fprintf(out, "%.4x", num[--digits]);

      }

      else if (digits == 0) /* the number is 0 */

         fputs("0x0", out);

}

static void

uarb_print(uarb num, int digits, FILE *out)

   /* Prints 'num' as a decimal if it will fit in an unsigned long, else as a

    * hexadecimal number.  Notice that the results vary for images over 4GByte

    * in a system dependent way, and the hexadecimal form doesn't work very well

    * in awk script input.

    *

    *

    * TODO: write uarb_div10

    */

{

   if (digits * sizeof (udigit) > sizeof (unsigned long))

      uarb_printx(num, digits, out);

   else

   {

      unsigned long n = 0;

      while (digits > 0)

         n = (n << 16) + num[--digits];

      fprintf(out, "%lu", n);

   }

}

/* Generate random bytes.  This uses a boring repeatable algorithm and it

 * is implemented here so that it gives the same set of numbers on every

 * architecture.  It's a linear congruential generator (Knuth or Sedgewick

 * "Algorithms") but it comes from the 'feedback taps' table in Horowitz and

 * Hill, "The Art of Electronics" (Pseudo-Random Bit Sequences and Noise

 * Generation.)

 *

 * (Copied from contrib/libtests/pngvalid.c)

 */

static void

make_random_bytes(png_uint_32* seed, void* pv, size_t size)

{

   png_uint_32 u0 = seed[0], u1 = seed[1];

   png_bytep bytes = voidcast(png_bytep, pv);

   /* There are thirty-three bits; the next bit in the sequence is bit-33 XOR

    * bit-20.  The top 1 bit is in u1, the bottom 32 are in u0.

    */

   size_t i;

   for (i=0; i

   {

      /* First generate 8 new bits then shift them in at the end. */

      png_uint_32 u = ((u0 >> (20-8)) ^ ((u1 << 7) | (u0 >> (32-7)))) & 0xff;

      u1 <<= 8;

      u1 |= u0 >> 24;

      u0 <<= 8;

      u0 |= u;

      *bytes++ = (png_byte)u;

   }

   seed[0] = u0;

   seed[1] = u1;

}

/* Clear an object to a random value. */

static void

clear(void *pv, size_t size)

{

   static png_uint_32 clear_seed[2] = { 0x12345678, 0x9abcdef0 };

   make_random_bytes(clear_seed, pv, size);

}

#define CLEAR(object) clear(&(object), sizeof (object))

/* Copied from unreleased 1.7 code.

 *

 * CRC checking uses a local pre-built implementation of the Ethernet CRC32.

 * This is to avoid a function call to the zlib DLL and to optimize the

 * byte-by-byte case.

 */

static png_uint_32 crc_table[256] =

{

   0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419,

   0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4,

   0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07,

   0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,

   0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856,

   0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,

   0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4,

   0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,

   0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3,

   0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a,

   0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599,

   0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,

   0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190,

   0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f,

   0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e,

   0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,

   0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed,

   0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,

   0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3,

   0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,

   0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a,

   0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5,

   0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010,

   0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,

   0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17,

   0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6,

   0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615,

   0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,

   0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344,

   0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,

   0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a,

   0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,

   0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1,

   0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c,

   0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef,

   0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,

   0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe,

   0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31,

   0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c,

   0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,

   0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b,

   0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,

   0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1,

   0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,

   0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278,

   0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7,

   0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66,

   0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,

   0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605,

   0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8,

   0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b,

   0x2d02ef8d

};

/* The CRC calculated here *IS* conditioned, the corresponding value used by

 * zlib and the result value is obtained by XORing with CRC_INIT, which is also

 * the first value that must be passed in (for the first byte) to crc_one_byte.

 */

#define CRC_INIT 0xffffffff

static png_uint_32

crc_one_byte(png_uint_32 crc, int b)

{

   return crc_table[(crc ^ b) & 0xff] ^ (crc >> 8);

}

static png_uint_32

crc_init_4(png_uint_32 value)

{

   /* This is an alternative to the algorithm used in zlib, which requires four

    * separate tables to parallelize the four byte operations, it only works for

    * a CRC of the first four bytes of the stream, but this is what happens in

    * the parser below where length+chunk-name is read and chunk-name used to

    * initialize the CRC.  Notice that the calculation here avoids repeated

    * conditioning (xor with 0xffffffff) by storing the conditioned value.

    */

   png_uint_32 crc = crc_table[(~value >> 24)] ^ 0xffffff;

   crc = crc_table[(crc ^ (value >> 16)) & 0xff] ^ (crc >> 8);

   crc = crc_table[(crc ^ (value >> 8)) & 0xff] ^ (crc >> 8);

   return crc_table[(crc ^ value) & 0xff] ^ (crc >> 8);

}

static int

chunk_type_valid(png_uint_32 c)

   /* Bit whacking approach to chunk name validation that is intended to avoid

    * branches.  The cost is that it uses a lot of 32-bit constants, which might

    * be bad on some architectures.

    */

{

   png_uint_32 t;

   /* Remove bit 5 from all but the reserved byte; this means every

    * 8-bit unit must be in the range 65-90 to be valid.  So bit 5

    * must be zero, bit 6 must be set and bit 7 zero.

    */

   c &= ~PNG_U32(32,32,0,32);

   t = (c & ~0x1f1f1f1f) ^ 0x40404040;

   /* Subtract 65 for each 8-bit quantity, this must not overflow

    * and each byte must then be in the range 0-25.

    */

   c -= PNG_U32(65,65,65,65);

   t |=c ;

   /* Subtract 26, handling the overflow which should set the top

    * three bits of each byte.

    */

   c -= PNG_U32(25,25,25,26);

   t |= ~c;

   return (t & 0xe0e0e0e0) == 0;

}

/**************************** CONTROL INFORMATION *****************************/

/* Information about a sequence of IDAT chunks, the chunks have been re-synced

 * using sync_stream below and the new lengths are recorded here.  Because the

 * number of chunks is unlimited this is handled using a linked list of these

 * structures.

 */

struct IDAT_list

{

   struct IDAT_list *next;     /* Linked list */

   unsigned int      length;   /* Actual length of the array below */

   unsigned int      count;    /* Number of entries that are valid */

#     define IDAT_INIT_LENGTH 16

   png_uint_32       lengths[IDAT_INIT_LENGTH];

};

static void

IDAT_list_init(struct IDAT_list *list)

{

   CLEAR(*list);

   list->next = NULL;

   list->length = IDAT_INIT_LENGTH;

}

static size_t

IDAT_list_size(struct IDAT_list *list, unsigned int length)

   /* Return the size in bytes of an IDAT_list of the given length. */

{

   if (list != NULL)

      length = list->length;

   return sizeof *list - sizeof list->lengths +

      length * sizeof list->lengths[0];

}

static void

IDAT_list_end(struct IDAT_list *IDAT_list)

{

   struct IDAT_list *list = IDAT_list->next;

   CLEAR(*IDAT_list);

   while (list != NULL)

   {

      struct IDAT_list *next = list->next;

      clear(list, IDAT_list_size(list, 0));

      free(list);

      list = next;

   }

}

static struct IDAT_list *

IDAT_list_extend(struct IDAT_list *tail)

{

   /* Use the previous cached value if available. */

   struct IDAT_list *next = tail->next;

   if (next == NULL)

   {

      /* Insert a new, malloc'ed, block of IDAT information buffers, this

       * one twice as large as the previous one:

       */

      unsigned int length = 2 * tail->length;

      if (length < tail->length) /* arithmetic overflow */

         length = tail->length;

      next = voidcast(IDAT_list*, malloc(IDAT_list_size(NULL, length)));

      CLEAR(*next);

      /* The caller must handle this: */

      if (next == NULL)

         return NULL;

      next->next = NULL;

      next->length = length;

      tail->next = next;

   }

   return next;

}

/* GLOBAL CONTROL STRUCTURE */

struct global

{

   /* PUBLIC GLOBAL VARIABLES: OWNER INITIALIZE */

   unsigned int   errors        :1; /* print file errors to stderr */

   unsigned int   warnings      :1; /* print libpng warnings to stderr */

   unsigned int   optimize_zlib :1; /* Run optimization search */

   unsigned int   quiet         :2; /* don't output summaries */

   unsigned int   verbose       :3; /* various internal tracking */

   unsigned int   skip          :3; /* Non-critical chunks to skip */

#     define SKIP_NONE      0

#     define SKIP_BAD_CRC   1    /* Chunks with a bad CRC */

#     define SKIP_UNSAFE    2    /* Chunks not safe to copy */

#     define SKIP_UNUSED    3    /* Chunks not used by libpng */

#     define SKIP_TRANSFORM 4    /* Chunks only used in transforms */

#     define SKIP_COLOR     5    /* Everything but tRNS, sBIT, gAMA and sRGB */

#     define SKIP_ALL       6    /* Everything but tRNS and sBIT */

   png_uint_32    idat_max;         /* 0 to perform no re-chunking */

   int            status_code;      /* Accumulated status code */

#     define TOO_FAR_BACK   0x01 /* found a too-far-back error */

#     define CRC_ERROR      0x02 /* fixed an invalid CRC */

#     define STREAM_ERROR   0x04 /* damaged PNG stream (may be fixable) */

#     define TRUNCATED      0x08 /* truncated but still readable */

#     define FILE_ERROR     0x10 /* could not read the file */

#     define WRITE_ERROR    0x20 /* write error (this terminates the read) */

#     define INTERNAL_ERROR 0x40 /* internal limits/errors encountered */

   /* PUBLIC GLOBAL VARIABLES: USED INTERNALLY BY IDAT READ CODE */

   struct IDAT_list idat_cache;  /* Cache of file IDAT information buffers */

      /* The structure is shared across all uses of this global control

       * structure to avoid reallocation between IDAT streams.

       */

};

static int

global_end(struct global *global)

{

   int rc;

   IDAT_list_end(&global->idat_cache);

   rc = global->status_code;

   CLEAR(*global);

   return rc;

}

static void

global_init(struct global *global)

   /* Call this once (and only once) to initialize the control */

{

   CLEAR(*global);

   /* Globals */

   global->errors        = 0;

   global->warnings      = 0;

   global->quiet         = 0;

   global->verbose       = 0;

   global->idat_max      = 0;         /* no re-chunking of IDAT */

   global->optimize_zlib = 0;

   global->skip          = SKIP_NONE;

   global->status_code   = 0;

   IDAT_list_init(&global->idat_cache);

}

static int

skip_chunk_type(const struct global *global, png_uint_32 type)

   /* Return true if this chunk is to be skipped according to the --strip

    * option.  This code needs to recognize all known ancillary chunks in order

    * to handle the --strip=unsafe option.

    */

{

   /* Never strip critical chunks: */

   if (CRITICAL(type))

      return 0;

   switch (type)

   {

      /* Chunks that are treated as, effectively, critical because they affect

       * correct interpretation of the pixel values:

       */

      case png_tRNS: case png_sBIT:

         return 0;

      /* Chunks that specify gamma encoding which should therefore only be

       * removed the the user insists:

       */

      case png_gAMA: case png_sRGB:

         if (global->skip >= SKIP_ALL)

            return 1;

         return 0;

      /* Chunks that affect color interpretation - not used by libpng and rarely

       * used by applications, but technically still required for correct

       * interpretation of the image data:

       */

      case png_cHRM: case png_iCCP:

         if (global->skip >= SKIP_COLOR)

            return 1;

         return 0;

      /* Other chunks that are used by libpng in image transformations (as

       * opposed to known chunks that have get/set APIs but are not otherwise

       * used.)

       */

      case png_bKGD:

         if (global->skip >= SKIP_TRANSFORM)

            return 1;

         return 0;

      /* All other chunks that libpng knows about and affect neither image

       * interpretation nor libpng transforms - chunks that are effectively

       * unused by libpng even though libpng might recognize and store them.

       */

      case png_fRAc: case png_gIFg: case png_gIFt: case png_gIFx: case png_hIST:

      case png_iTXt: case png_oFFs: case png_pCAL: case png_pHYs: case png_sCAL:

      case png_sPLT: case png_sTER: case png_tEXt: case png_tIME: case png_zTXt:

         if (global->skip >= SKIP_UNUSED)

            return 1;

         return 0;

      /* Chunks that libpng does not know about (notice that this depends on the

       * list above including all known chunks!)  The decision here depends on

       * whether the safe-to-copy bit is set in the chunk type.

       */

      default:

         if (SAFE_TO_COPY(type))

         {

            if (global->skip >= SKIP_UNUSED) /* as above */

               return 1;

         }

         else if (global->skip >= SKIP_UNSAFE)

            return 1;

         return 0;

   }

}

/* PER-FILE CONTROL STRUCTURE */

struct chunk;

struct IDAT;

struct file

{

   /* ANCESTORS */

   struct global *global;

   /* PUBLIC PER-FILE VARIABLES: CALLER INITIALIZE */

   const char *   file_name;

   const char *   out_name;      /* Name of output file (if required) */

   /* PUBLIC PER-FILE VARIABLES: SET BY PNG READ CODE */

   /* File specific result codes */

   int            status_code;   /* Set to a bit mask of the following: */

   int            read_errno;    /* Records a read error errno */

   int            write_errno;   /* Records a write error errno */

   /* IHDR information */

   png_uint_32    width;

   png_uint_32    height;

   png_byte       bit_depth;

   png_byte       color_type;

   png_byte       compression_method;

   png_byte       filter_method;

   png_byte       interlace_method;

   udigit         image_bytes[5];

   int            image_digits;

   /* PROTECTED PER-FILE VARIABLES: USED BY THE READ CODE */

   FILE *         file;          /* Original PNG file */

   FILE *         out;           /* If a new one is being written */

   jmp_buf        jmpbuf;        /* Set while reading a PNG */

   /* PROTECTED CHUNK SPECIFIC VARIABLES: USED BY CHUNK CODE */

   /* The following variables are used during reading to record the length, type

    * and data position of the *next* chunk or, right at the start, the

    * signature (in length,type).

    *

    * When a chunk control structure is instantiated these values are copied

    * into the structure and can then be overritten with the data for the next

    * chunk.

    */

   fpos_t         data_pos;      /* Position of first byte of chunk data */

   png_uint_32    length;        /* First word (length or signature start) */

   png_uint_32    type;          /* Second word (type or signature end) */

   png_uint_32    crc;           /* Running chunk CRC (used by read_chunk) */