png.c source code [tensorflow/external/png/png.c]

1
2	/ png.c - location for general purpose libpng functions*
3	*
4	* Copyright (c) 2018-2019 Cosmin Truta
5	* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
6	* Copyright (c) 1996-1997 Andreas Dilger
7	* Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8	*
9	* This code is released under the libpng license.
10	* For conditions of distribution and use, see the disclaimer
11	* and license in png.h
12	*/
13
14	#include "pngpriv.h"
15
16	/ Generate a compiler error if there is an old png.h in the search path. /
17	typedef png_libpng_version_1_6_37 Your_png_h_is_not_version_1_6_37;
18
19	#ifdef __GNUC__
20	/ The version tests may need to be added to, but the problem warning has*
21	* consistently been fixed in GCC versions which obtain wide-spread release.
22	* The problem is that many versions of GCC rearrange comparison expressions in
23	* the optimizer in such a way that the results of the comparison will change
24	* if signed integer overflow occurs. Such comparisons are not permitted in
25	* ANSI C90, however GCC isn't clever enough to work out that that do not occur
26	* below in png_ascii_from_fp and png_muldiv, so it produces a warning with
27	* -Wextra. Unfortunately this is highly dependent on the optimizer and the
28	* machine architecture so the warning comes and goes unpredictably and is
29	* impossible to "fix", even were that a good idea.
30	*/
31	#if __GNUC__ == 7 && __GNUC_MINOR__ == 1
32	#define GCC_STRICT_OVERFLOW 1
33	#endif /* GNU 7.1.x */
34	#endif /* GNU */
35	#ifndef GCC_STRICT_OVERFLOW
36	#define GCC_STRICT_OVERFLOW 0
37	#endif
38
39	/ Tells libpng that we have already handled the first "num_bytes" bytes*
40	* of the PNG file signature. If the PNG data is embedded into another
41	* stream we can set num_bytes = 8 so that libpng will not attempt to read
42	* or write any of the magic bytes before it starts on the IHDR.
43	*/
44
45	#ifdef PNG_READ_SUPPORTED
46	void PNGAPI
47	png_set_sig_bytes(png_structrp png_ptr, int num_bytes)
48	{
49	unsigned int nb = (unsigned int)num_bytes;
50
51	png_debug(`1`, "in png_set_sig_bytes");
52
53	if (png_ptr == NULL)
54	return;
55
56	if (num_bytes < `0`)
57	nb = `0`;
58
59	if (nb > `8`)
60	png_error(png_ptr, "Too many bytes for PNG signature");
61
62	png_ptr->sig_bytes = (png_byte)nb;
63	}
64
65	/ Checks whether the supplied bytes match the PNG signature. We allow*
66	* checking less than the full 8-byte signature so that those apps that
67	* already read the first few bytes of a file to determine the file type
68	* can simply check the remaining bytes for extra assurance. Returns
69	* an integer less than, equal to, or greater than zero if sig is found,
70	* respectively, to be less than, to match, or be greater than the correct
71	* PNG signature (this is the same behavior as strcmp, memcmp, etc).
72	*/
73	int PNGAPI
74	png_sig_cmp(png_const_bytep sig, size_t start, size_t num_to_check)
75	{
76	png_byte png_signature[`8`] = {`137`, `80`, `78`, `71`, `13`, `10`, `26`, `10`};
77
78	if (num_to_check > `8`)
79	num_to_check = `8`;
80
81	else if (num_to_check < `1`)
82	return (-`1`);
83
84	if (start > `7`)
85	return (-`1`);
86
87	if (start + num_to_check > `8`)
88	num_to_check = `8` - start;
89
90	return ((int)(memcmp(&sig[start], &png_signature[start], num_to_check)));
91	}
92
93	#endif /* READ */
94
95	#if defined(PNG_READ_SUPPORTED) \|\| defined(PNG_WRITE_SUPPORTED)
96	/ Function to allocate memory for zlib /
97	PNG_FUNCTION(voidpf / PRIVATE /,
98	png_zalloc,(voidpf png_ptr, uInt items, uInt size),PNG_ALLOCATED)
99	{
100	png_alloc_size_t num_bytes = size;
101
102	if (png_ptr == NULL)
103	return NULL;
104
105	if (items >= (~(png_alloc_size_t)`0`)/size)
106	{
107	png_warning (png_voidcast(png_structrp, png_ptr),
108	"Potential overflow in png_zalloc()");
109	return NULL;
110	}
111
112	num_bytes *= items;
113	return png_malloc_warn(png_voidcast(png_structrp, png_ptr), num_bytes);
114	}
115
116	/ Function to free memory for zlib /
117	void / PRIVATE /
118	png_zfree(voidpf png_ptr, voidpf ptr)
119	{
120	png_free(png_voidcast(png_const_structrp,png_ptr), ptr);
121	}
122
123	/ Reset the CRC variable to 32 bits of 1's. Care must be taken*
124	* in case CRC is > 32 bits to leave the top bits 0.
125	*/
126	void / PRIVATE /
127	png_reset_crc(png_structrp png_ptr)
128	{
129	/ The cast is safe because the crc is a 32-bit value. /
130	png_ptr->crc = (png_uint_32)crc32(`0`, Z_NULL, `0`);
131	}
132
133	/ Calculate the CRC over a section of data. We can only pass as*
134	* much data to this routine as the largest single buffer size. We
135	* also check that this data will actually be used before going to the
136	* trouble of calculating it.
137	*/
138	void / PRIVATE /
139	png_calculate_crc(png_structrp png_ptr, png_const_bytep ptr, size_t length)
140	{
141	int need_crc = `1`;
142
143	if (PNG_CHUNK_ANCILLARY(png_ptr->chunk_name) != `0`)
144	{
145	if ((png_ptr->flags & PNG_FLAG_CRC_ANCILLARY_MASK) ==
146	(PNG_FLAG_CRC_ANCILLARY_USE \| PNG_FLAG_CRC_ANCILLARY_NOWARN))
147	need_crc = `0`;
148	}
149
150	else / critical /
151	{
152	if ((png_ptr->flags & PNG_FLAG_CRC_CRITICAL_IGNORE) != `0`)
153	need_crc = `0`;
154	}
155
156	/ 'uLong' is defined in zlib.h as unsigned long; this means that on some*
157	* systems it is a 64-bit value. crc32, however, returns 32 bits so the
158	* following cast is safe. 'uInt' may be no more than 16 bits, so it is
159	* necessary to perform a loop here.
160	*/
161	if (need_crc != `0` && length > `0`)
162	{
163	uLong crc = png_ptr->crc; / Should never issue a warning /
164
165	do
166	{
167	uInt safe_length = (uInt)length;
168	#ifndef __COVERITY__
169	if (safe_length == `0`)
170	safe_length = (uInt)-`1`; / evil, but safe /
171	#endif
172
173	crc = crc32(crc, ptr, safe_length);
174
175	/ The following should never issue compiler warnings; if they do the*
176	* target system has characteristics that will probably violate other
177	* assumptions within the libpng code.
178	*/
179	ptr += safe_length;
180	length -= safe_length;
181	}
182	while (length > `0`);
183
184	/ And the following is always safe because the crc is only 32 bits. /
185	png_ptr->crc = (png_uint_32)crc;
186	}
187	}
188
189	/ Check a user supplied version number, called from both read and write*
190	* functions that create a png_struct.
191	*/
192	int
193	png_user_version_check(png_structrp png_ptr, png_const_charp user_png_ver)
194	{
195	/ Libpng versions 1.0.0 and later are binary compatible if the version*
196	* string matches through the second '.'; we must recompile any
197	* applications that use any older library version.
198	*/
199
200	if (user_png_ver != NULL)
201	{
202	int i = -`1`;
203	int found_dots = `0`;
204
205	do
206	{
207	i++;
208	if (user_png_ver[i] != PNG_LIBPNG_VER_STRING[i])
209	png_ptr->flags \|= PNG_FLAG_LIBRARY_MISMATCH;
210	if (user_png_ver[i] == `'.'`)
211	found_dots++;
212	} while (found_dots < `2` && user_png_ver[i] != `0` &&
213	PNG_LIBPNG_VER_STRING[i] != `0`);
214	}
215
216	else
217	png_ptr->flags \|= PNG_FLAG_LIBRARY_MISMATCH;
218
219	if ((png_ptr->flags & PNG_FLAG_LIBRARY_MISMATCH) != `0`)
220	{
221	#ifdef PNG_WARNINGS_SUPPORTED
222	size_t pos = `0`;
223	char m[`128`];
224
225	pos = png_safecat(m, (sizeof m), pos,
226	"Application built with libpng-");
227	pos = png_safecat(m, (sizeof m), pos, user_png_ver);
228	pos = png_safecat(m, (sizeof m), pos, " but running with ");
229	pos = png_safecat(m, (sizeof m), pos, PNG_LIBPNG_VER_STRING);
230	PNG_UNUSED(pos)
231
232	png_warning(png_ptr, m);
233	#endif
234
235	#ifdef PNG_ERROR_NUMBERS_SUPPORTED
236	png_ptr->flags = `0`;
237	#endif
238
239	return `0`;
240	}
241
242	/ Success return. /
243	return `1`;
244	}
245
246	/ Generic function to create a png_struct for either read or write - this*
247	* contains the common initialization.
248	*/
249	PNG_FUNCTION(png_structp / PRIVATE /,
250	png_create_png_struct,(png_const_charp user_png_ver, png_voidp error_ptr,
251	png_error_ptr error_fn, png_error_ptr warn_fn, png_voidp mem_ptr,
252	png_malloc_ptr malloc_fn, png_free_ptr free_fn),PNG_ALLOCATED)
253	{
254	png_struct create_struct;
255	# ifdef PNG_SETJMP_SUPPORTED
256	jmp_buf create_jmp_buf;
257	# endif
258
259	/ This temporary stack-allocated structure is used to provide a place to*
260	* build enough context to allow the user provided memory allocator (if any)
261	* to be called.
262	*/
263	memset(&create_struct, `0`, (sizeof create_struct));
264
265	/ Added at libpng-1.2.6 /
266	# ifdef PNG_USER_LIMITS_SUPPORTED
267	create_struct.user_width_max = PNG_USER_WIDTH_MAX;
268	create_struct.user_height_max = PNG_USER_HEIGHT_MAX;
269
270	# ifdef PNG_USER_CHUNK_CACHE_MAX
271	/ Added at libpng-1.2.43 and 1.4.0 /
272	create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX;
273	# endif
274
275	# ifdef PNG_USER_CHUNK_MALLOC_MAX
276	/ Added at libpng-1.2.43 and 1.4.1, required only for read but exists*
277	* in png_struct regardless.
278	*/
279	create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX;
280	# endif
281	# endif
282
283	/ The following two API calls simply set fields in png_struct, so it is safe*
284	* to do them now even though error handling is not yet set up.
285	*/
286	# ifdef PNG_USER_MEM_SUPPORTED
287	png_set_mem_fn(&create_struct, mem_ptr, malloc_fn, free_fn);
288	# else
289	PNG_UNUSED(mem_ptr)
290	PNG_UNUSED(malloc_fn)
291	PNG_UNUSED(free_fn)
292	# endif
293
294	/ (error_fn) can return control to the caller after the error_ptr is set,
295	* this will result in a memory leak unless the error_fn does something
296	* extremely sophisticated. The design lacks merit but is implicit in the
297	* API.
298	*/
299	png_set_error_fn(&create_struct, error_ptr, error_fn, warn_fn);
300
301	# ifdef PNG_SETJMP_SUPPORTED
302	if (!setjmp(create_jmp_buf))
303	# endif
304	{
305	# ifdef PNG_SETJMP_SUPPORTED
306	/ Temporarily fake out the longjmp information until we have*
307	* successfully completed this function. This only works if we have
308	* setjmp() support compiled in, but it is safe - this stuff should
309	* never happen.
310	*/
311	create_struct.jmp_buf_ptr = &create_jmp_buf;
312	create_struct.jmp_buf_size = `0`; /stack allocation/
313	create_struct.longjmp_fn = longjmp;
314	# endif
315	/ Call the general version checker (shared with read and write code):*
316	*/
317	if (png_user_version_check(&create_struct, user_png_ver) != `0`)
318	{
319	png_structrp png_ptr = png_voidcast(png_structrp,
320	png_malloc_warn(&create_struct, (sizeof *png_ptr)));
321
322	if (png_ptr != NULL)
323	{
324	/ png_ptr->zstream holds a back-pointer to the png_struct, so*
325	* this can only be done now:
326	*/
327	create_struct.zstream.zalloc = png_zalloc;
328	create_struct.zstream.zfree = png_zfree;
329	create_struct.zstream.opaque = png_ptr;
330
331	# ifdef PNG_SETJMP_SUPPORTED
332	/ Eliminate the local error handling: /
333	create_struct.jmp_buf_ptr = NULL;
334	create_struct.jmp_buf_size = `0`;
335	create_struct.longjmp_fn = `0`;
336	# endif
337
338	*png_ptr = create_struct;
339
340	/ This is the successful return point /
341	return png_ptr;
342	}
343	}
344	}
345
346	/ A longjmp because of a bug in the application storage allocator or a*
347	* simple failure to allocate the png_struct.
348	*/
349	return NULL;
350	}
351
352	/ Allocate the memory for an info_struct for the application. /
353	PNG_FUNCTION(png_infop,PNGAPI
354	png_create_info_struct,(png_const_structrp png_ptr),PNG_ALLOCATED)
355	{
356	png_inforp info_ptr;
357
358	png_debug(`1`, "in png_create_info_struct");
359
360	if (png_ptr == NULL)
361	return NULL;
362
363	/ Use the internal API that does not (or at least should not) error out, so*
364	* that this call always returns ok. The application typically sets up the
365	* error handling after creating the info_struct because this is the way it
366	* has always been done in 'example.c'.
367	*/
368	info_ptr = png_voidcast(png_inforp, png_malloc_base(png_ptr,
369	(sizeof *info_ptr)));
370
371	if (info_ptr != NULL)
372	memset(info_ptr, `0`, (sizeof *info_ptr));
373
374	return info_ptr;
375	}
376
377	/ This function frees the memory associated with a single info struct.*
378	* Normally, one would use either png_destroy_read_struct() or
379	* png_destroy_write_struct() to free an info struct, but this may be
380	* useful for some applications. From libpng 1.6.0 this function is also used
381	* internally to implement the png_info release part of the 'struct' destroy
382	* APIs. This ensures that all possible approaches free the same data (all of
383	* it).
384	*/
385	void PNGAPI
386	png_destroy_info_struct(png_const_structrp png_ptr, png_infopp info_ptr_ptr)
387	{
388	png_inforp info_ptr = NULL;
389
390	png_debug(`1`, "in png_destroy_info_struct");
391
392	if (png_ptr == NULL)
393	return;
394
395	if (info_ptr_ptr != NULL)
396	info_ptr = *info_ptr_ptr;
397
398	if (info_ptr != NULL)
399	{
400	/ Do this first in case of an error below; if the app implements its own*
401	* memory management this can lead to png_free calling png_error, which
402	* will abort this routine and return control to the app error handler.
403	* An infinite loop may result if it then tries to free the same info
404	* ptr.
405	*/
406	*info_ptr_ptr = NULL;
407
408	png_free_data(png_ptr, info_ptr, PNG_FREE_ALL, -`1`);
409	memset(info_ptr, `0`, (sizeof *info_ptr));
410	png_free(png_ptr, info_ptr);
411	}
412	}
413
414	/ Initialize the info structure. This is now an internal function (0.89)*
415	* and applications using it are urged to use png_create_info_struct()
416	* instead. Use deprecated in 1.6.0, internal use removed (used internally it
417	* is just a memset).
418	*
419	* NOTE: it is almost inconceivable that this API is used because it bypasses
420	* the user-memory mechanism and the user error handling/warning mechanisms in
421	* those cases where it does anything other than a memset.
422	*/
423	PNG_FUNCTION(void,PNGAPI
424	png_info_init_3,(png_infopp ptr_ptr, size_t png_info_struct_size),
425	PNG_DEPRECATED)
426	{
427	png_inforp info_ptr = *ptr_ptr;
428
429	png_debug(`1`, "in png_info_init_3");
430
431	if (info_ptr == NULL)
432	return;
433
434	if ((sizeof (png_info)) > png_info_struct_size)
435	{
436	*ptr_ptr = NULL;
437	/ The following line is why this API should not be used: /
438	free(info_ptr);
439	info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL,
440	(sizeof *info_ptr)));
441	if (info_ptr == NULL)
442	return;
443	*ptr_ptr = info_ptr;
444	}
445
446	/ Set everything to 0 /
447	memset(info_ptr, `0`, (sizeof *info_ptr));
448	}
449
450	/ The following API is not called internally /
451	void PNGAPI
452	png_data_freer(png_const_structrp png_ptr, png_inforp info_ptr,
453	int freer, png_uint_32 mask)
454	{
455	png_debug(`1`, "in png_data_freer");
456
457	if (png_ptr == NULL \|\| info_ptr == NULL)
458	return;
459
460	if (freer == PNG_DESTROY_WILL_FREE_DATA)
461	info_ptr->free_me \|= mask;
462
463	else if (freer == PNG_USER_WILL_FREE_DATA)
464	info_ptr->free_me &= ~mask;
465
466	else
467	png_error(png_ptr, "Unknown freer parameter in png_data_freer");
468	}
469
470	void PNGAPI
471	png_free_data(png_const_structrp png_ptr, png_inforp info_ptr, png_uint_32 mask,
472	int num)
473	{
474	png_debug(`1`, "in png_free_data");
475
476	if (png_ptr == NULL \|\| info_ptr == NULL)
477	return;
478
479	#ifdef PNG_TEXT_SUPPORTED
480	/ Free text item num or (if num == -1) all text items /
481	if (info_ptr->text != NULL &&
482	((mask & PNG_FREE_TEXT) & info_ptr->free_me) != `0`)
483	{
484	if (num != -`1`)
485	{
486	png_free(png_ptr, info_ptr->text[num].key);
487	info_ptr->text[num].key = NULL;
488	}
489
490	else
491	{
492	int i;
493
494	for (i = `0`; i < info_ptr->num_text; i++)
495	png_free(png_ptr, info_ptr->text[i].key);
496
497	png_free(png_ptr, info_ptr->text);
498	info_ptr->text = NULL;
499	info_ptr->num_text = `0`;
500	info_ptr->max_text = `0`;
501	}
502	}
503	#endif
504
505	#ifdef PNG_tRNS_SUPPORTED
506	/ Free any tRNS entry /
507	if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != `0`)
508	{
509	info_ptr->valid &= ~PNG_INFO_tRNS;
510	png_free(png_ptr, info_ptr->trans_alpha);
511	info_ptr->trans_alpha = NULL;
512	info_ptr->num_trans = `0`;
513	}
514	#endif
515
516	#ifdef PNG_sCAL_SUPPORTED
517	/ Free any sCAL entry /
518	if (((mask & PNG_FREE_SCAL) & info_ptr->free_me) != `0`)
519	{
520	png_free(png_ptr, info_ptr->scal_s_width);
521	png_free(png_ptr, info_ptr->scal_s_height);
522	info_ptr->scal_s_width = NULL;
523	info_ptr->scal_s_height = NULL;
524	info_ptr->valid &= ~PNG_INFO_sCAL;
525	}
526	#endif
527
528	#ifdef PNG_pCAL_SUPPORTED
529	/ Free any pCAL entry /
530	if (((mask & PNG_FREE_PCAL) & info_ptr->free_me) != `0`)
531	{
532	png_free(png_ptr, info_ptr->pcal_purpose);
533	png_free(png_ptr, info_ptr->pcal_units);
534	info_ptr->pcal_purpose = NULL;
535	info_ptr->pcal_units = NULL;
536
537	if (info_ptr->pcal_params != NULL)
538	{
539	int i;
540
541	for (i = `0`; i < info_ptr->pcal_nparams; i++)
542	png_free(png_ptr, info_ptr->pcal_params[i]);
543
544	png_free(png_ptr, info_ptr->pcal_params);
545	info_ptr->pcal_params = NULL;
546	}
547	info_ptr->valid &= ~PNG_INFO_pCAL;
548	}
549	#endif
550
551	#ifdef PNG_iCCP_SUPPORTED
552	/ Free any profile entry /
553	if (((mask & PNG_FREE_ICCP) & info_ptr->free_me) != `0`)
554	{
555	png_free(png_ptr, info_ptr->iccp_name);
556	png_free(png_ptr, info_ptr->iccp_profile);
557	info_ptr->iccp_name = NULL;
558	info_ptr->iccp_profile = NULL;
559	info_ptr->valid &= ~PNG_INFO_iCCP;
560	}
561	#endif
562
563	#ifdef PNG_sPLT_SUPPORTED
564	/ Free a given sPLT entry, or (if num == -1) all sPLT entries /
565	if (info_ptr->splt_palettes != NULL &&
566	((mask & PNG_FREE_SPLT) & info_ptr->free_me) != `0`)
567	{
568	if (num != -`1`)
569	{
570	png_free(png_ptr, info_ptr->splt_palettes[num].name);
571	png_free(png_ptr, info_ptr->splt_palettes[num].entries);
572	info_ptr->splt_palettes[num].name = NULL;
573	info_ptr->splt_palettes[num].entries = NULL;
574	}
575
576	else
577	{
578	int i;
579
580	for (i = `0`; i < info_ptr->splt_palettes_num; i++)
581	{
582	png_free(png_ptr, info_ptr->splt_palettes[i].name);
583	png_free(png_ptr, info_ptr->splt_palettes[i].entries);
584	}
585
586	png_free(png_ptr, info_ptr->splt_palettes);
587	info_ptr->splt_palettes = NULL;
588	info_ptr->splt_palettes_num = `0`;
589	info_ptr->valid &= ~PNG_INFO_sPLT;
590	}
591	}
592	#endif
593
594	#ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED
595	if (info_ptr->unknown_chunks != NULL &&
596	((mask & PNG_FREE_UNKN) & info_ptr->free_me) != `0`)
597	{
598	if (num != -`1`)
599	{
600	png_free(png_ptr, info_ptr->unknown_chunks[num].data);
601	info_ptr->unknown_chunks[num].data = NULL;
602	}
603
604	else
605	{
606	int i;
607
608	for (i = `0`; i < info_ptr->unknown_chunks_num; i++)
609	png_free(png_ptr, info_ptr->unknown_chunks[i].data);
610
611	png_free(png_ptr, info_ptr->unknown_chunks);
612	info_ptr->unknown_chunks = NULL;
613	info_ptr->unknown_chunks_num = `0`;
614	}
615	}
616	#endif
617
618	#ifdef PNG_eXIf_SUPPORTED
619	/ Free any eXIf entry /
620	if (((mask & PNG_FREE_EXIF) & info_ptr->free_me) != `0`)
621	{
622	# ifdef PNG_READ_eXIf_SUPPORTED
623	if (info_ptr->eXIf_buf)
624	{
625	png_free(png_ptr, info_ptr->eXIf_buf);
626	info_ptr->eXIf_buf = NULL;
627	}
628	# endif
629	if (info_ptr->exif)
630	{
631	png_free(png_ptr, info_ptr->exif);
632	info_ptr->exif = NULL;
633	}
634	info_ptr->valid &= ~PNG_INFO_eXIf;
635	}
636	#endif
637
638	#ifdef PNG_hIST_SUPPORTED
639	/ Free any hIST entry /
640	if (((mask & PNG_FREE_HIST) & info_ptr->free_me) != `0`)
641	{
642	png_free(png_ptr, info_ptr->hist);
643	info_ptr->hist = NULL;
644	info_ptr->valid &= ~PNG_INFO_hIST;
645	}
646	#endif
647
648	/ Free any PLTE entry that was internally allocated /
649	if (((mask & PNG_FREE_PLTE) & info_ptr->free_me) != `0`)
650	{
651	png_free(png_ptr, info_ptr->palette);
652	info_ptr->palette = NULL;
653	info_ptr->valid &= ~PNG_INFO_PLTE;
654	info_ptr->num_palette = `0`;
655	}
656
657	#ifdef PNG_INFO_IMAGE_SUPPORTED
658	/ Free any image bits attached to the info structure /
659	if (((mask & PNG_FREE_ROWS) & info_ptr->free_me) != `0`)
660	{
661	if (info_ptr->row_pointers != NULL)
662	{
663	png_uint_32 row;
664	for (row = `0`; row < info_ptr->height; row++)
665	png_free(png_ptr, info_ptr->row_pointers[row]);
666
667	png_free(png_ptr, info_ptr->row_pointers);
668	info_ptr->row_pointers = NULL;
669	}
670	info_ptr->valid &= ~PNG_INFO_IDAT;
671	}
672	#endif
673
674	if (num != -`1`)
675	mask &= ~PNG_FREE_MUL;
676
677	info_ptr->free_me &= ~mask;
678	}
679	#endif /* READ \|\| WRITE */
680
681	/ This function returns a pointer to the io_ptr associated with the user*
682	* functions. The application should free any memory associated with this
683	* pointer before png_write_destroy() or png_read_destroy() are called.
684	*/
685	png_voidp PNGAPI
686	png_get_io_ptr(png_const_structrp png_ptr)
687	{
688	if (png_ptr == NULL)
689	return (NULL);
690
691	return (png_ptr->io_ptr);
692	}
693
694	#if defined(PNG_READ_SUPPORTED) \|\| defined(PNG_WRITE_SUPPORTED)
695	# ifdef PNG_STDIO_SUPPORTED
696	/ Initialize the default input/output functions for the PNG file. If you*
697	* use your own read or write routines, you can call either png_set_read_fn()
698	* or png_set_write_fn() instead of png_init_io(). If you have defined
699	* PNG_NO_STDIO or otherwise disabled PNG_STDIO_SUPPORTED, you must use a
700	* function of your own because "FILE *" isn't necessarily available.
701	*/
702	void PNGAPI
703	png_init_io(png_structrp png_ptr, png_FILE_p fp)
704	{
705	png_debug(`1`, "in png_init_io");
706
707	if (png_ptr == NULL)
708	return;
709
710	png_ptr->io_ptr = (png_voidp)fp;
711	}
712	# endif
713
714	# ifdef PNG_SAVE_INT_32_SUPPORTED
715	/ PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90*
716	* defines a cast of a signed integer to an unsigned integer either to preserve
717	* the value, if it is positive, or to calculate:
718	*
719	* (UNSIGNED_MAX+1) + integer
720	*
721	* Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the
722	* negative integral value is added the result will be an unsigned value
723	* correspnding to the 2's complement representation.
724	*/
725	void PNGAPI
726	png_save_int_32(png_bytep buf, png_int_32 i)
727	{
728	png_save_uint_32(buf, (png_uint_32)i);
729	}
730	# endif
731
732	# ifdef PNG_TIME_RFC1123_SUPPORTED
733	/ Convert the supplied time into an RFC 1123 string suitable for use in*
734	* a "Creation Time" or other text-based time string.
735	*/
736	int PNGAPI
737	png_convert_to_rfc1123_buffer(char out[`29`], png_const_timep ptime)
738	{
739	static const char short_months[`12`][`4`] =
740	{"Jan", "Feb", "Mar", "Apr", "May", "Jun",
741	"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
742
743	if (out == NULL)
744	return `0`;
745
746	if (ptime->year > `9999` / RFC1123 limitation / \|\|
747	ptime->month == `0` \|\| ptime->month > `12` \|\|
748	ptime->day == `0` \|\| ptime->day > `31` \|\|
749	ptime->hour > `23` \|\| ptime->minute > `59` \|\|
750	ptime->second > `60`)
751	return `0`;
752
753	{
754	size_t pos = `0`;
755	char number_buf[`5`]; / enough for a four-digit year /
756
757	# define APPEND_STRING(string) pos = png_safecat(out, 29, pos, (string))
758	# define APPEND_NUMBER(format, value)\
759	APPEND_STRING(PNG_FORMAT_NUMBER(number_buf, format, (value)))
760	# define APPEND(ch) if (pos < 28) out[pos++] = (ch)
761
762	APPEND_NUMBER(PNG_NUMBER_FORMAT_u, (unsigned)ptime->day);
763	APPEND(`' '`);
764	APPEND_STRING(short_months[(ptime->month - `1`)]);
765	APPEND(`' '`);
766	APPEND_NUMBER(PNG_NUMBER_FORMAT_u, ptime->year);
767	APPEND(`' '`);
768	APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->hour);
769	APPEND(`':'`);
770	APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->minute);
771	APPEND(`':'`);
772	APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second);
773	APPEND_STRING(" +0000"); / This reliably terminates the buffer /
774	PNG_UNUSED (pos)
775
776	# undef APPEND
777	# undef APPEND_NUMBER
778	# undef APPEND_STRING
779	}
780
781	return `1`;
782	}
783
784	# if PNG_LIBPNG_VER < 10700
785	/ To do: remove the following from libpng-1.7 /
786	/ Original API that uses a private buffer in png_struct.*
787	* Deprecated because it causes png_struct to carry a spurious temporary
788	* buffer (png_struct::time_buffer), better to have the caller pass this in.
789	*/
790	png_const_charp PNGAPI
791	png_convert_to_rfc1123(png_structrp png_ptr, png_const_timep ptime)
792	{
793	if (png_ptr != NULL)
794	{
795	/ The only failure above if png_ptr != NULL is from an invalid ptime /
796	if (png_convert_to_rfc1123_buffer(png_ptr->time_buffer, ptime) == `0`)
797	png_warning(png_ptr, "Ignoring invalid time value");
798
799	else
800	return png_ptr->time_buffer;
801	}
802
803	return NULL;
804	}
805	# endif /* LIBPNG_VER < 10700 */
806	# endif /* TIME_RFC1123 */
807
808	#endif /* READ \|\| WRITE */
809
810	png_const_charp PNGAPI
811	png_get_copyright(png_const_structrp png_ptr)
812	{
813	PNG_UNUSED(png_ptr) / Silence compiler warning about unused png_ptr /
814	#ifdef PNG_STRING_COPYRIGHT
815	return PNG_STRING_COPYRIGHT
816	#else
817	return PNG_STRING_NEWLINE \
818	"libpng version 1.6.37" PNG_STRING_NEWLINE \
819	"Copyright (c) 2018-2019 Cosmin Truta" PNG_STRING_NEWLINE \
820	"Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \
821	PNG_STRING_NEWLINE \
822	"Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
823	"Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
824	PNG_STRING_NEWLINE;
825	#endif
826	}
827
828	/ The following return the library version as a short string in the*
829	* format 1.0.0 through 99.99.99zz. To get the version of *.h files
830	* used with your application, print out PNG_LIBPNG_VER_STRING, which
831	* is defined in png.h.
832	* Note: now there is no difference between png_get_libpng_ver() and
833	* png_get_header_ver(). Due to the version_nn_nn_nn typedef guard,
834	* it is guaranteed that png.c uses the correct version of png.h.
835	*/
836	png_const_charp PNGAPI
837	png_get_libpng_ver(png_const_structrp png_ptr)
838	{
839	/ Version of .c files used when building libpng /*
840	return png_get_header_ver(png_ptr);
841	}
842
843	png_const_charp PNGAPI
844	png_get_header_ver(png_const_structrp png_ptr)
845	{
846	/ Version of .h files used when building libpng /*
847	PNG_UNUSED(png_ptr) / Silence compiler warning about unused png_ptr /
848	return PNG_LIBPNG_VER_STRING;
849	}
850
851	png_const_charp PNGAPI
852	png_get_header_version(png_const_structrp png_ptr)
853	{
854	/ Returns longer string containing both version and date /
855	PNG_UNUSED(png_ptr) / Silence compiler warning about unused png_ptr /
856	#ifdef __STDC__
857	return PNG_HEADER_VERSION_STRING
858	# ifndef PNG_READ_SUPPORTED
859	" (NO READ SUPPORT)"
860	# endif
861	PNG_STRING_NEWLINE;
862	#else
863	return PNG_HEADER_VERSION_STRING;
864	#endif
865	}
866
867	#ifdef PNG_BUILD_GRAYSCALE_PALETTE_SUPPORTED
868	/ NOTE: this routine is not used internally! /
869	/ Build a grayscale palette. Palette is assumed to be 1 << bit_depth*
870	* large of png_color. This lets grayscale images be treated as
871	* paletted. Most useful for gamma correction and simplification
872	* of code. This API is not used internally.
873	*/
874	void PNGAPI
875	png_build_grayscale_palette(int bit_depth, png_colorp palette)
876	{
877	int num_palette;
878	int color_inc;
879	int i;
880	int v;
881
882	png_debug(`1`, "in png_do_build_grayscale_palette");
883
884	if (palette == NULL)
885	return;
886
887	switch (bit_depth)
888	{
889	case `1`:
890	num_palette = `2`;
891	color_inc = `0xff`;
892	break;
893
894	case `2`:
895	num_palette = `4`;
896	color_inc = `0x55`;
897	break;
898
899	case `4`:
900	num_palette = `16`;
901	color_inc = `0x11`;
902	break;
903
904	case `8`:
905	num_palette = `256`;
906	color_inc = `1`;
907	break;
908
909	default:
910	num_palette = `0`;
911	color_inc = `0`;
912	break;
913	}
914
915	for (i = `0`, v = `0`; i < num_palette; i++, v += color_inc)
916	{
917	palette[i].red = (png_byte)(v & `0xff`);
918	palette[i].green = (png_byte)(v & `0xff`);
919	palette[i].blue = (png_byte)(v & `0xff`);
920	}
921	}
922	#endif
923
924	#ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
925	int PNGAPI
926	png_handle_as_unknown(png_const_structrp png_ptr, png_const_bytep chunk_name)
927	{
928	/ Check chunk_name and return "keep" value if it's on the list, else 0 /
929	png_const_bytep p, p_end;
930
931	if (png_ptr == NULL \|\| chunk_name == NULL \|\| png_ptr->num_chunk_list == `0`)
932	return PNG_HANDLE_CHUNK_AS_DEFAULT;
933
934	p_end = png_ptr->chunk_list;
935	p = p_end + png_ptr->num_chunk_list`5`; /* beyond end /
936
937	/ The code is the fifth byte after each four byte string. Historically this*
938	* code was always searched from the end of the list, this is no longer
939	* necessary because the 'set' routine handles duplicate entries correctly.
940	*/
941	do / num_chunk_list > 0, so at least one /
942	{
943	p -= `5`;
944
945	if (memcmp(chunk_name, p, `4`) == `0`)
946	return p[`4`];
947	}
948	while (p > p_end);
949
950	/ This means that known chunks should be processed and unknown chunks should*
951	* be handled according to the value of png_ptr->unknown_default; this can be
952	* confusing because, as a result, there are two levels of defaulting for
953	* unknown chunks.
954	*/
955	return PNG_HANDLE_CHUNK_AS_DEFAULT;
956	}
957
958	#if defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) \|\|\
959	defined(PNG_HANDLE_AS_UNKNOWN_SUPPORTED)
960	int / PRIVATE /
961	png_chunk_unknown_handling(png_const_structrp png_ptr, png_uint_32 chunk_name)
962	{
963	png_byte chunk_string[`5`];
964
965	PNG_CSTRING_FROM_CHUNK(chunk_string, chunk_name);
966	return png_handle_as_unknown(png_ptr, chunk_string);
967	}
968	#endif /* READ_UNKNOWN_CHUNKS \|\| HANDLE_AS_UNKNOWN */
969	#endif /* SET_UNKNOWN_CHUNKS */
970
971	#ifdef PNG_READ_SUPPORTED
972	/ This function, added to libpng-1.0.6g, is untested. /
973	int PNGAPI
974	png_reset_zstream(png_structrp png_ptr)
975	{
976	if (png_ptr == NULL)
977	return Z_STREAM_ERROR;
978
979	/ WARNING: this resets the window bits to the maximum! /
980	return (inflateReset(&png_ptr->zstream));
981	}
982	#endif /* READ */
983
984	/ This function was added to libpng-1.0.7 /
985	png_uint_32 PNGAPI
986	png_access_version_number(void)
987	{
988	/ Version of .c files used when building libpng /*
989	return((png_uint_32)PNG_LIBPNG_VER);
990	}
991
992	#if defined(PNG_READ_SUPPORTED) \|\| defined(PNG_WRITE_SUPPORTED)
993	/ Ensure that png_ptr->zstream.msg holds some appropriate error message string.*
994	* If it doesn't 'ret' is used to set it to something appropriate, even in cases
995	* like Z_OK or Z_STREAM_END where the error code is apparently a success code.
996	*/
997	void / PRIVATE /
998	png_zstream_error(png_structrp png_ptr, int ret)
999	{
1000	/ Translate 'ret' into an appropriate error string, priority is given to the*
1001	* one in zstream if set. This always returns a string, even in cases like
1002	* Z_OK or Z_STREAM_END where the error code is a success code.
1003	*/
1004	if (png_ptr->zstream.msg == NULL) switch (ret)
1005	{
1006	default:
1007	case Z_OK:
1008	png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return code");
1009	break;
1010
1011	case Z_STREAM_END:
1012	/ Normal exit /
1013	png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected end of LZ stream");
1014	break;
1015
1016	case Z_NEED_DICT:
1017	/ This means the deflate stream did not have a dictionary; this*
1018	* indicates a bogus PNG.
1019	*/
1020	png_ptr->zstream.msg = PNGZ_MSG_CAST("missing LZ dictionary");
1021	break;
1022
1023	case Z_ERRNO:
1024	/ gz APIs only: should not happen /
1025	png_ptr->zstream.msg = PNGZ_MSG_CAST("zlib IO error");
1026	break;
1027
1028	case Z_STREAM_ERROR:
1029	/ internal libpng error /
1030	png_ptr->zstream.msg = PNGZ_MSG_CAST("bad parameters to zlib");
1031	break;
1032
1033	case Z_DATA_ERROR:
1034	png_ptr->zstream.msg = PNGZ_MSG_CAST("damaged LZ stream");
1035	break;
1036
1037	case Z_MEM_ERROR:
1038	png_ptr->zstream.msg = PNGZ_MSG_CAST("insufficient memory");
1039	break;
1040
1041	case Z_BUF_ERROR:
1042	/ End of input or output; not a problem if the caller is doing*
1043	* incremental read or write.
1044	*/
1045	png_ptr->zstream.msg = PNGZ_MSG_CAST("truncated");
1046	break;
1047
1048	case Z_VERSION_ERROR:
1049	png_ptr->zstream.msg = PNGZ_MSG_CAST("unsupported zlib version");
1050	break;
1051
1052	case PNG_UNEXPECTED_ZLIB_RETURN:
1053	/ Compile errors here mean that zlib now uses the value co-opted in*
1054	* pngpriv.h for PNG_UNEXPECTED_ZLIB_RETURN; update the switch above
1055	* and change pngpriv.h. Note that this message is "... return",
1056	* whereas the default/Z_OK one is "... return code".
1057	*/
1058	png_ptr->zstream.msg = PNGZ_MSG_CAST("unexpected zlib return");
1059	break;
1060	}
1061	}
1062
1063	/ png_convert_size: a PNGAPI but no longer in png.h, so deleted*
1064	* at libpng 1.5.5!
1065	*/
1066
1067	/ Added at libpng version 1.2.34 and 1.4.0 (moved from pngset.c) /
1068	#ifdef PNG_GAMMA_SUPPORTED /* always set if COLORSPACE */
1069	static int
1070	png_colorspace_check_gamma(png_const_structrp png_ptr,
1071	png_colorspacerp colorspace, png_fixed_point gAMA, int from)
1072	/ This is called to check a new gamma value against an existing one. The*
1073	* routine returns false if the new gamma value should not be written.
1074	*
1075	* 'from' says where the new gamma value comes from:
1076	*
1077	* 0: the new gamma value is the libpng estimate for an ICC profile
1078	* 1: the new gamma value comes from a gAMA chunk
1079	* 2: the new gamma value comes from an sRGB chunk
1080	*/
1081	{
1082	png_fixed_point gtest;
1083
1084	if ((colorspace->flags & PNG_COLORSPACE_HAVE_GAMMA) != `0` &&
1085	(png_muldiv(&gtest, colorspace->gamma, PNG_FP_1, gAMA) == `0` \|\|
1086	png_gamma_significant(gtest) != `0`))
1087	{
1088	/ Either this is an sRGB image, in which case the calculated gamma*
1089	* approximation should match, or this is an image with a profile and the
1090	* value libpng calculates for the gamma of the profile does not match the
1091	* value recorded in the file. The former, sRGB, case is an error, the
1092	* latter is just a warning.
1093	*/
1094	if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != `0` \|\| from == `2`)
1095	{
1096	png_chunk_report(png_ptr, "gamma value does not match sRGB",
1097	PNG_CHUNK_ERROR);
1098	/ Do not overwrite an sRGB value /
1099	return from == `2`;
1100	}
1101
1102	else / sRGB tag not involved /
1103	{
1104	png_chunk_report(png_ptr, "gamma value does not match libpng estimate",
1105	PNG_CHUNK_WARNING);
1106	return from == `1`;
1107	}
1108	}
1109
1110	return `1`;
1111	}
1112
1113	void / PRIVATE /
1114	png_colorspace_set_gamma(png_const_structrp png_ptr,
1115	png_colorspacerp colorspace, png_fixed_point gAMA)
1116	{
1117	/ Changed in libpng-1.5.4 to limit the values to ensure overflow can't*
1118	* occur. Since the fixed point representation is asymmetrical it is
1119	* possible for 1/gamma to overflow the limit of 21474 and this means the
1120	* gamma value must be at least 5/100000 and hence at most 20000.0. For
1121	* safety the limits here are a little narrower. The values are 0.00016 to
1122	* 6250.0, which are truly ridiculous gamma values (and will produce
1123	* displays that are all black or all white.)
1124	*
1125	* In 1.6.0 this test replaces the ones in pngrutil.c, in the gAMA chunk
1126	* handling code, which only required the value to be >0.
1127	*/
1128	png_const_charp errmsg;
1129
1130	if (gAMA < `16` \|\| gAMA > `625000000`)
1131	errmsg = "gamma value out of range";
1132
1133	# ifdef PNG_READ_gAMA_SUPPORTED
1134	/ Allow the application to set the gamma value more than once /
1135	else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != `0` &&
1136	(colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != `0`)
1137	errmsg = "duplicate";
1138	# endif
1139
1140	/ Do nothing if the colorspace is already invalid /
1141	else if ((colorspace->flags & PNG_COLORSPACE_INVALID) != `0`)
1142	return;
1143
1144	else
1145	{
1146	if (png_colorspace_check_gamma(png_ptr, colorspace, gAMA,
1147	`1`/from gAMA/) != `0`)
1148	{
1149	/ Store this gamma value. /
1150	colorspace->gamma = gAMA;
1151	colorspace->flags \|=
1152	(PNG_COLORSPACE_HAVE_GAMMA \| PNG_COLORSPACE_FROM_gAMA);
1153	}
1154
1155	/ At present if the check_gamma test fails the gamma of the colorspace is*
1156	* not updated however the colorspace is not invalidated. This
1157	* corresponds to the case where the existing gamma comes from an sRGB
1158	* chunk or profile. An error message has already been output.
1159	*/
1160	return;
1161	}
1162
1163	/ Error exit - errmsg has been set. /
1164	colorspace->flags \|= PNG_COLORSPACE_INVALID;
1165	png_chunk_report(png_ptr, errmsg, PNG_CHUNK_WRITE_ERROR);
1166	}
1167
1168	void / PRIVATE /
1169	png_colorspace_sync_info(png_const_structrp png_ptr, png_inforp info_ptr)
1170	{
1171	if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) != `0`)
1172	{
1173	/ Everything is invalid /
1174	info_ptr->valid &= ~(PNG_INFO_gAMA\|PNG_INFO_cHRM\|PNG_INFO_sRGB\|
1175	PNG_INFO_iCCP);
1176
1177	# ifdef PNG_COLORSPACE_SUPPORTED
1178	/ Clean up the iCCP profile now if it won't be used. /
1179	png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -`1`/not used/);
1180	# else
1181	PNG_UNUSED(png_ptr)
1182	# endif
1183	}
1184
1185	else
1186	{
1187	# ifdef PNG_COLORSPACE_SUPPORTED
1188	/ Leave the INFO_iCCP flag set if the pngset.c code has already set*
1189	* it; this allows a PNG to contain a profile which matches sRGB and
1190	* yet still have that profile retrievable by the application.
1191	*/
1192	if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != `0`)
1193	info_ptr->valid \|= PNG_INFO_sRGB;
1194
1195	else
1196	info_ptr->valid &= ~PNG_INFO_sRGB;
1197
1198	if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != `0`)
1199	info_ptr->valid \|= PNG_INFO_cHRM;
1200
1201	else
1202	info_ptr->valid &= ~PNG_INFO_cHRM;
1203	# endif
1204
1205	if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != `0`)
1206	info_ptr->valid \|= PNG_INFO_gAMA;
1207
1208	else
1209	info_ptr->valid &= ~PNG_INFO_gAMA;
1210	}
1211	}
1212
1213	#ifdef PNG_READ_SUPPORTED
1214	void / PRIVATE /
1215	png_colorspace_sync(png_const_structrp png_ptr, png_inforp info_ptr)
1216	{
1217	if (info_ptr == NULL) / reduce code size; check here not in the caller /
1218	return;
1219
1220	info_ptr->colorspace = png_ptr->colorspace;
1221	png_colorspace_sync_info(png_ptr, info_ptr);
1222	}
1223	#endif
1224	#endif /* GAMMA */
1225
1226	#ifdef PNG_COLORSPACE_SUPPORTED
1227	/ Added at libpng-1.5.5 to support read and write of true CIEXYZ values for*
1228	* cHRM, as opposed to using chromaticities. These internal APIs return
1229	* non-zero on a parameter error. The X, Y and Z values are required to be
1230	* positive and less than 1.0.
1231	*/
1232	static int
1233	png_xy_from_XYZ(png_xy xy, const* png_XYZ *XYZ)
1234	{
1235	png_int_32 d, dwhite, whiteX, whiteY;
1236
1237	d = XYZ->red_X + XYZ->red_Y + XYZ->red_Z;
1238	if (png_muldiv(&xy->redx, XYZ->red_X, PNG_FP_1, d) == `0`)
1239	return `1`;
1240	if (png_muldiv(&xy->redy, XYZ->red_Y, PNG_FP_1, d) == `0`)
1241	return `1`;
1242	dwhite = d;
1243	whiteX = XYZ->red_X;
1244	whiteY = XYZ->red_Y;
1245
1246	d = XYZ->green_X + XYZ->green_Y + XYZ->green_Z;
1247	if (png_muldiv(&xy->greenx, XYZ->green_X, PNG_FP_1, d) == `0`)
1248	return `1`;
1249	if (png_muldiv(&xy->greeny, XYZ->green_Y, PNG_FP_1, d) == `0`)
1250	return `1`;
1251	dwhite += d;
1252	whiteX += XYZ->green_X;
1253	whiteY += XYZ->green_Y;
1254
1255	d = XYZ->blue_X + XYZ->blue_Y + XYZ->blue_Z;
1256	if (png_muldiv(&xy->bluex, XYZ->blue_X, PNG_FP_1, d) == `0`)
1257	return `1`;
1258	if (png_muldiv(&xy->bluey, XYZ->blue_Y, PNG_FP_1, d) == `0`)
1259	return `1`;
1260	dwhite += d;
1261	whiteX += XYZ->blue_X;
1262	whiteY += XYZ->blue_Y;
1263
1264	/ The reference white is simply the sum of the end-point (X,Y,Z) vectors,*
1265	* thus:
1266	*/
1267	if (png_muldiv(&xy->whitex, whiteX, PNG_FP_1, dwhite) == `0`)
1268	return `1`;
1269	if (png_muldiv(&xy->whitey, whiteY, PNG_FP_1, dwhite) == `0`)
1270	return `1`;
1271
1272	return `0`;
1273	}
1274
1275	static int
1276	png_XYZ_from_xy(png_XYZ XYZ, const* png_xy *xy)
1277	{
1278	png_fixed_point red_inverse, green_inverse, blue_scale;
1279	png_fixed_point left, right, denominator;
1280
1281	/ Check xy and, implicitly, z. Note that wide gamut color spaces typically*
1282	* have end points with 0 tristimulus values (these are impossible end
1283	* points, but they are used to cover the possible colors). We check
1284	* xy->whitey against 5, not 0, to avoid a possible integer overflow.
1285	*/
1286	if (xy->redx < `0` \|\| xy->redx > PNG_FP_1) return `1`;
1287	if (xy->redy < `0` \|\| xy->redy > PNG_FP_1-xy->redx) return `1`;
1288	if (xy->greenx < `0` \|\| xy->greenx > PNG_FP_1) return `1`;
1289	if (xy->greeny < `0` \|\| xy->greeny > PNG_FP_1-xy->greenx) return `1`;
1290	if (xy->bluex < `0` \|\| xy->bluex > PNG_FP_1) return `1`;
1291	if (xy->bluey < `0` \|\| xy->bluey > PNG_FP_1-xy->bluex) return `1`;
1292	if (xy->whitex < `0` \|\| xy->whitex > PNG_FP_1) return `1`;
1293	if (xy->whitey < `5` \|\| xy->whitey > PNG_FP_1-xy->whitex) return `1`;
1294
1295	/ The reverse calculation is more difficult because the original tristimulus*
1296	* value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8
1297	* derived values were recorded in the cHRM chunk;
1298	* (red,green,blue,white)x(x,y). This loses one degree of freedom and
1299	* therefore an arbitrary ninth value has to be introduced to undo the
1300	* original transformations.
1301	*
1302	* Think of the original end-points as points in (X,Y,Z) space. The
1303	* chromaticity values (c) have the property:
1304	*
1305	* C
1306	* c = ---------
1307	* X + Y + Z
1308	*
1309	* For each c (x,y,z) from the corresponding original C (X,Y,Z). Thus the
1310	* three chromaticity values (x,y,z) for each end-point obey the
1311	* relationship:
1312	*
1313	* x + y + z = 1
1314	*
1315	* This describes the plane in (X,Y,Z) space that intersects each axis at the
1316	* value 1.0; call this the chromaticity plane. Thus the chromaticity
1317	* calculation has scaled each end-point so that it is on the x+y+z=1 plane
1318	* and chromaticity is the intersection of the vector from the origin to the
1319	* (X,Y,Z) value with the chromaticity plane.
1320	*
1321	* To fully invert the chromaticity calculation we would need the three
1322	* end-point scale factors, (red-scale, green-scale, blue-scale), but these
1323	* were not recorded. Instead we calculated the reference white (X,Y,Z) and
1324	* recorded the chromaticity of this. The reference white (X,Y,Z) would have
1325	* given all three of the scale factors since:
1326	*
1327	* color-C = color-c * color-scale
1328	* white-C = red-C + green-C + blue-C
1329	* = red-cred-scale + green-cgreen-scale + blue-c*blue-scale
1330	*
1331	* But cHRM records only white-x and white-y, so we have lost the white scale
1332	* factor:
1333	*
1334	* white-C = white-c*white-scale
1335	*
1336	* To handle this the inverse transformation makes an arbitrary assumption
1337	* about white-scale:
1338	*
1339	* Assume: white-Y = 1.0
1340	* Hence: white-scale = 1/white-y
1341	* Or: red-Y + green-Y + blue-Y = 1.0
1342	*
1343	* Notice the last statement of the assumption gives an equation in three of
1344	* the nine values we want to calculate. 8 more equations come from the
1345	* above routine as summarised at the top above (the chromaticity
1346	* calculation):
1347	*
1348	* Given: color-x = color-X / (color-X + color-Y + color-Z)
1349	* Hence: (color-x - 1)color-X + color.xcolor-Y + color.x*color-Z = 0
1350	*
1351	* This is 9 simultaneous equations in the 9 variables "color-C" and can be
1352	* solved by Cramer's rule. Cramer's rule requires calculating 10 9x9 matrix
1353	* determinants, however this is not as bad as it seems because only 28 of
1354	* the total of 90 terms in the various matrices are non-zero. Nevertheless
1355	* Cramer's rule is notoriously numerically unstable because the determinant
1356	* calculation involves the difference of large, but similar, numbers. It is
1357	* difficult to be sure that the calculation is stable for real world values
1358	* and it is certain that it becomes unstable where the end points are close
1359	* together.
1360	*
1361	* So this code uses the perhaps slightly less optimal but more
1362	* understandable and totally obvious approach of calculating color-scale.
1363	*
1364	* This algorithm depends on the precision in white-scale and that is
1365	* (1/white-y), so we can immediately see that as white-y approaches 0 the
1366	* accuracy inherent in the cHRM chunk drops off substantially.
1367	*
1368	* libpng arithmetic: a simple inversion of the above equations
1369	* ------------------------------------------------------------
1370	*
1371	* white_scale = 1/white-y
1372	* white-X = white-x * white-scale
1373	* white-Y = 1.0
1374	* white-Z = (1 - white-x - white-y) * white_scale
1375	*
1376	* white-C = red-C + green-C + blue-C
1377	* = red-cred-scale + green-cgreen-scale + blue-c*blue-scale
1378	*
1379	* This gives us three equations in (red-scale,green-scale,blue-scale) where
1380	* all the coefficients are now known:
1381	*
1382	* red-xred-scale + green-xgreen-scale + blue-x*blue-scale
1383	* = white-x/white-y
1384	* red-yred-scale + green-ygreen-scale + blue-y*blue-scale = 1
1385	* red-zred-scale + green-zgreen-scale + blue-z*blue-scale
1386	* = (1 - white-x - white-y)/white-y
1387	*
1388	* In the last equation color-z is (1 - color-x - color-y) so we can add all
1389	* three equations together to get an alternative third:
1390	*
1391	* red-scale + green-scale + blue-scale = 1/white-y = white-scale
1392	*
1393	* So now we have a Cramer's rule solution where the determinants are just
1394	* 3x3 - far more tractible. Unfortunately 3x3 determinants still involve
1395	* multiplication of three coefficients so we can't guarantee to avoid
1396	* overflow in the libpng fixed point representation. Using Cramer's rule in
1397	* floating point is probably a good choice here, but it's not an option for
1398	* fixed point. Instead proceed to simplify the first two equations by
1399	* eliminating what is likely to be the largest value, blue-scale:
1400	*
1401	* blue-scale = white-scale - red-scale - green-scale
1402	*
1403	* Hence:
1404	*
1405	* (red-x - blue-x)red-scale + (green-x - blue-x)green-scale =
1406	* (white-x - blue-x)*white-scale
1407	*
1408	* (red-y - blue-y)red-scale + (green-y - blue-y)green-scale =
1409	* 1 - blue-y*white-scale
1410	*
1411	* And now we can trivially solve for (red-scale,green-scale):
1412	*
1413	* green-scale =
1414	* (white-x - blue-x)white-scale - (red-x - blue-x)red-scale
1415	* -----------------------------------------------------------
1416	* green-x - blue-x
1417	*
1418	* red-scale =
1419	* 1 - blue-ywhite-scale - (green-y - blue-y) green-scale
1420	* ---------------------------------------------------------
1421	* red-y - blue-y
1422	*
1423	* Hence:
1424	*
1425	* red-scale =
1426	* ( (green-x - blue-x) * (white-y - blue-y) -
1427	* (green-y - blue-y) * (white-x - blue-x) ) / white-y
1428	* -------------------------------------------------------------------------
1429	* (green-x - blue-x)(red-y - blue-y)-(green-y - blue-y)(red-x - blue-x)
1430	*
1431	* green-scale =
1432	* ( (red-y - blue-y) * (white-x - blue-x) -
1433	* (red-x - blue-x) * (white-y - blue-y) ) / white-y
1434	* -------------------------------------------------------------------------
1435	* (green-x - blue-x)(red-y - blue-y)-(green-y - blue-y)(red-x - blue-x)
1436	*
1437	* Accuracy:
1438	* The input values have 5 decimal digits of accuracy. The values are all in
1439	* the range 0 < value < 1, so simple products are in the same range but may
1440	* need up to 10 decimal digits to preserve the original precision and avoid
1441	* underflow. Because we are using a 32-bit signed representation we cannot
1442	* match this; the best is a little over 9 decimal digits, less than 10.
1443	*
1444	* The approach used here is to preserve the maximum precision within the
1445	* signed representation. Because the red-scale calculation above uses the
1446	* difference between two products of values that must be in the range -1..+1
1447	* it is sufficient to divide the product by 7; ceil(100,000/32767*2). The
1448	* factor is irrelevant in the calculation because it is applied to both
1449	* numerator and denominator.
1450	*
1451	* Note that the values of the differences of the products of the
1452	* chromaticities in the above equations tend to be small, for example for
1453	* the sRGB chromaticities they are:
1454	*
1455	* red numerator: -0.04751
1456	* green numerator: -0.08788
1457	* denominator: -0.2241 (without white-y multiplication)
1458	*
1459	* The resultant Y coefficients from the chromaticities of some widely used
1460	* color space definitions are (to 15 decimal places):
1461	*
1462	* sRGB
1463	* 0.212639005871510 0.715168678767756 0.072192315360734
1464	* Kodak ProPhoto
1465	* 0.288071128229293 0.711843217810102 0.000085653960605
1466	* Adobe RGB
1467	* 0.297344975250536 0.627363566255466 0.075291458493998
1468	* Adobe Wide Gamut RGB
1469	* 0.258728243040113 0.724682314948566 0.016589442011321
1470	*/
1471	/ By the argument, above overflow should be impossible here. The return*
1472	* value of 2 indicates an internal error to the caller.
1473	*/
1474	if (png_muldiv(&left, xy->greenx-xy->bluex, xy->redy - xy->bluey, `7`) == `0`)
1475	return `2`;
1476	if (png_muldiv(&right, xy->greeny-xy->bluey, xy->redx - xy->bluex, `7`) == `0`)
1477	return `2`;
1478	denominator = left - right;
1479
1480	/ Now find the red numerator. /
1481	if (png_muldiv(&left, xy->greenx-xy->bluex, xy->whitey-xy->bluey, `7`) == `0`)
1482	return `2`;
1483	if (png_muldiv(&right, xy->greeny-xy->bluey, xy->whitex-xy->bluex, `7`) == `0`)
1484	return `2`;
1485
1486	/ Overflow is possible here and it indicates an extreme set of PNG cHRM*
1487	* chunk values. This calculation actually returns the reciprocal of the
1488	* scale value because this allows us to delay the multiplication of white-y
1489	* into the denominator, which tends to produce a small number.
1490	*/
1491	if (png_muldiv(&red_inverse, xy->whitey, denominator, left-right) == `0` \|\|
1492	red_inverse <= xy->whitey / r+g+b scales = white scale /)
1493	return `1`;
1494
1495	/ Similarly for green_inverse: /
1496	if (png_muldiv(&left, xy->redy-xy->bluey, xy->whitex-xy->bluex, `7`) == `0`)
1497	return `2`;
1498	if (png_muldiv(&right, xy->redx-xy->bluex, xy->whitey-xy->bluey, `7`) == `0`)
1499	return `2`;
1500	if (png_muldiv(&green_inverse, xy->whitey, denominator, left-right) == `0` \|\|
1501	green_inverse <= xy->whitey)
1502	return `1`;
1503
1504	/ And the blue scale, the checks above guarantee this can't overflow but it*
1505	* can still produce 0 for extreme cHRM values.
1506	*/
1507	blue_scale = png_reciprocal(xy->whitey) - png_reciprocal(red_inverse) -
1508	png_reciprocal(green_inverse);
1509	if (blue_scale <= `0`)
1510	return `1`;
1511
1512
1513	/ And fill in the png_XYZ: /
1514	if (png_muldiv(&XYZ->red_X, xy->redx, PNG_FP_1, red_inverse) == `0`)
1515	return `1`;
1516	if (png_muldiv(&XYZ->red_Y, xy->redy, PNG_FP_1, red_inverse) == `0`)
1517	return `1`;
1518	if (png_muldiv(&XYZ->red_Z, PNG_FP_1 - xy->redx - xy->redy, PNG_FP_1,
1519	red_inverse) == `0`)
1520	return `1`;
1521
1522	if (png_muldiv(&XYZ->green_X, xy->greenx, PNG_FP_1, green_inverse) == `0`)
1523	return `1`;
1524	if (png_muldiv(&XYZ->green_Y, xy->greeny, PNG_FP_1, green_inverse) == `0`)
1525	return `1`;
1526	if (png_muldiv(&XYZ->green_Z, PNG_FP_1 - xy->greenx - xy->greeny, PNG_FP_1,
1527	green_inverse) == `0`)
1528	return `1`;
1529
1530	if (png_muldiv(&XYZ->blue_X, xy->bluex, blue_scale, PNG_FP_1) == `0`)
1531	return `1`;
1532	if (png_muldiv(&XYZ->blue_Y, xy->bluey, blue_scale, PNG_FP_1) == `0`)
1533	return `1`;
1534	if (png_muldiv(&XYZ->blue_Z, PNG_FP_1 - xy->bluex - xy->bluey, blue_scale,
1535	PNG_FP_1) == `0`)
1536	return `1`;
1537
1538	return `0`; /success/
1539	}
1540
1541	static int
1542	png_XYZ_normalize(png_XYZ *XYZ)
1543	{
1544	png_int_32 Y;
1545
1546	if (XYZ->red_Y < `0` \|\| XYZ->green_Y < `0` \|\| XYZ->blue_Y < `0` \|\|
1547	XYZ->red_X < `0` \|\| XYZ->green_X < `0` \|\| XYZ->blue_X < `0` \|\|
1548	XYZ->red_Z < `0` \|\| XYZ->green_Z < `0` \|\| XYZ->blue_Z < `0`)
1549	return `1`;
1550
1551	/ Normalize by scaling so the sum of the end-point Y values is PNG_FP_1.*
1552	* IMPLEMENTATION NOTE: ANSI requires signed overflow not to occur, therefore
1553	* relying on addition of two positive values producing a negative one is not
1554	* safe.
1555	*/
1556	Y = XYZ->red_Y;
1557	if (`0x7fffffff` - Y < XYZ->green_X)
1558	return `1`;
1559	Y += XYZ->green_Y;
1560	if (`0x7fffffff` - Y < XYZ->blue_X)
1561	return `1`;
1562	Y += XYZ->blue_Y;
1563
1564	if (Y != PNG_FP_1)
1565	{
1566	if (png_muldiv(&XYZ->red_X, XYZ->red_X, PNG_FP_1, Y) == `0`)
1567	return `1`;
1568	if (png_muldiv(&XYZ->red_Y, XYZ->red_Y, PNG_FP_1, Y) == `0`)
1569	return `1`;
1570	if (png_muldiv(&XYZ->red_Z, XYZ->red_Z, PNG_FP_1, Y) == `0`)
1571	return `1`;
1572
1573	if (png_muldiv(&XYZ->green_X, XYZ->green_X, PNG_FP_1, Y) == `0`)
1574	return `1`;
1575	if (png_muldiv(&XYZ->green_Y, XYZ->green_Y, PNG_FP_1, Y) == `0`)
1576	return `1`;
1577	if (png_muldiv(&XYZ->green_Z, XYZ->green_Z, PNG_FP_1, Y) == `0`)
1578	return `1`;
1579
1580	if (png_muldiv(&XYZ->blue_X, XYZ->blue_X, PNG_FP_1, Y) == `0`)
1581	return `1`;
1582	if (png_muldiv(&XYZ->blue_Y, XYZ->blue_Y, PNG_FP_1, Y) == `0`)
1583	return `1`;
1584	if (png_muldiv(&XYZ->blue_Z, XYZ->blue_Z, PNG_FP_1, Y) == `0`)
1585	return `1`;
1586	}
1587
1588	return `0`;
1589	}
1590
1591	static int
1592	png_colorspace_endpoints_match(const png_xy xy1, const* png_xy xy2, int* delta)
1593	{
1594	/ Allow an error of +/-0.01 (absolute value) on each chromaticity /
1595	if (PNG_OUT_OF_RANGE(xy1->whitex, xy2->whitex,delta) \|\|
1596	PNG_OUT_OF_RANGE(xy1->whitey, xy2->whitey,delta) \|\|
1597	PNG_OUT_OF_RANGE(xy1->redx, xy2->redx, delta) \|\|
1598	PNG_OUT_OF_RANGE(xy1->redy, xy2->redy, delta) \|\|
1599	PNG_OUT_OF_RANGE(xy1->greenx, xy2->greenx,delta) \|\|
1600	PNG_OUT_OF_RANGE(xy1->greeny, xy2->greeny,delta) \|\|
1601	PNG_OUT_OF_RANGE(xy1->bluex, xy2->bluex, delta) \|\|
1602	PNG_OUT_OF_RANGE(xy1->bluey, xy2->bluey, delta))
1603	return `0`;
1604	return `1`;
1605	}
1606
1607	/ Added in libpng-1.6.0, a different check for the validity of a set of cHRM*
1608	* chunk chromaticities. Earlier checks used to simply look for the overflow
1609	* condition (where the determinant of the matrix to solve for XYZ ends up zero
1610	* because the chromaticity values are not all distinct.) Despite this it is
1611	* theoretically possible to produce chromaticities that are apparently valid
1612	* but that rapidly degrade to invalid, potentially crashing, sets because of
1613	* arithmetic inaccuracies when calculations are performed on them. The new
1614	* check is to round-trip xy -> XYZ -> xy and then check that the result is
1615	* within a small percentage of the original.
1616	*/
1617	static int
1618	png_colorspace_check_xy(png_XYZ XYZ, const* png_xy *xy)
1619	{
1620	int result;
1621	png_xy xy_test;
1622
1623	/ As a side-effect this routine also returns the XYZ endpoints. /
1624	result = png_XYZ_from_xy(XYZ, xy);
1625	if (result != `0`)
1626	return result;
1627
1628	result = png_xy_from_XYZ(&xy_test, XYZ);
1629	if (result != `0`)
1630	return result;
1631
1632	if (png_colorspace_endpoints_match(xy, &xy_test,
1633	`5`/actually, the math is pretty accurate/) != `0`)
1634	return `0`;
1635
1636	/ Too much slip /
1637	return `1`;
1638	}
1639
1640	/ This is the check going the other way. The XYZ is modified to normalize it*
1641	* (another side-effect) and the xy chromaticities are returned.
1642	*/
1643	static int
1644	png_colorspace_check_XYZ(png_xy xy, png_XYZ XYZ)
1645	{
1646	int result;
1647	png_XYZ XYZtemp;
1648
1649	result = png_XYZ_normalize(XYZ);
1650	if (result != `0`)
1651	return result;
1652
1653	result = png_xy_from_XYZ(xy, XYZ);
1654	if (result != `0`)
1655	return result;
1656
1657	XYZtemp = *XYZ;
1658	return png_colorspace_check_xy(&XYZtemp, xy);
1659	}
1660
1661	/ Used to check for an endpoint match against sRGB /
1662	static const png_xy sRGB_xy = / From ITU-R BT.709-3 /
1663	{
1664	/ color x y /
1665	/ red / `64000`, `33000`,
1666	/ green / `30000`, `60000`,
1667	/ blue / `15000`, `6000`,
1668	/ white / `31270`, `32900`
1669	};
1670
1671	static int
1672	png_colorspace_set_xy_and_XYZ(png_const_structrp png_ptr,
1673	png_colorspacerp colorspace, const png_xy xy, const* png_XYZ *XYZ,
1674	int preferred)
1675	{
1676	if ((colorspace->flags & PNG_COLORSPACE_INVALID) != `0`)
1677	return `0`;
1678
1679	/ The consistency check is performed on the chromaticities; this factors out*
1680	* variations because of the normalization (or not) of the end point Y
1681	* values.
1682	*/
1683	if (preferred < `2` &&
1684	(colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != `0`)
1685	{
1686	/ The end points must be reasonably close to any we already have. The*
1687	* following allows an error of up to +/-.001
1688	*/
1689	if (png_colorspace_endpoints_match(xy, &colorspace->end_points_xy,
1690	`100`) == `0`)
1691	{
1692	colorspace->flags \|= PNG_COLORSPACE_INVALID;
1693	png_benign_error(png_ptr, "inconsistent chromaticities");
1694	return `0`; / failed /
1695	}
1696
1697	/ Only overwrite with preferred values /
1698	if (preferred == `0`)
1699	return `1`; / ok, but no change /
1700	}
1701
1702	colorspace->end_points_xy = *xy;
1703	colorspace->end_points_XYZ = *XYZ;
1704	colorspace->flags \|= PNG_COLORSPACE_HAVE_ENDPOINTS;
1705
1706	/ The end points are normally quoted to two decimal digits, so allow +/-0.01*
1707	* on this test.
1708	*/
1709	if (png_colorspace_endpoints_match(xy, &sRGB_xy, `1000`) != `0`)
1710	colorspace->flags \|= PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB;
1711
1712	else
1713	colorspace->flags &= PNG_COLORSPACE_CANCEL(
1714	PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1715
1716	return `2`; / ok and changed /
1717	}
1718
1719	int / PRIVATE /
1720	png_colorspace_set_chromaticities(png_const_structrp png_ptr,
1721	png_colorspacerp colorspace, const png_xy xy, int* preferred)
1722	{
1723	/ We must check the end points to ensure they are reasonable - in the past*
1724	* color management systems have crashed as a result of getting bogus
1725	* colorant values, while this isn't the fault of libpng it is the
1726	* responsibility of libpng because PNG carries the bomb and libpng is in a
1727	* position to protect against it.
1728	*/
1729	png_XYZ XYZ;
1730
1731	switch (png_colorspace_check_xy(&XYZ, xy))
1732	{
1733	case `0`: / success /
1734	return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, xy, &XYZ,
1735	preferred);
1736
1737	case `1`:
1738	/ We can't invert the chromaticities so we can't produce value XYZ*
1739	* values. Likely as not a color management system will fail too.
1740	*/
1741	colorspace->flags \|= PNG_COLORSPACE_INVALID;
1742	png_benign_error(png_ptr, "invalid chromaticities");
1743	break;
1744
1745	default:
1746	/ libpng is broken; this should be a warning but if it happens we*
1747	* want error reports so for the moment it is an error.
1748	*/
1749	colorspace->flags \|= PNG_COLORSPACE_INVALID;
1750	png_error(png_ptr, "internal error checking chromaticities");
1751	}
1752
1753	return `0`; / failed /
1754	}
1755
1756	int / PRIVATE /
1757	png_colorspace_set_endpoints(png_const_structrp png_ptr,
1758	png_colorspacerp colorspace, const png_XYZ XYZ_in, int* preferred)
1759	{
1760	png_XYZ XYZ = *XYZ_in;
1761	png_xy xy;
1762
1763	switch (png_colorspace_check_XYZ(&xy, &XYZ))
1764	{
1765	case `0`:
1766	return png_colorspace_set_xy_and_XYZ(png_ptr, colorspace, &xy, &XYZ,
1767	preferred);
1768
1769	case `1`:
1770	/ End points are invalid. /
1771	colorspace->flags \|= PNG_COLORSPACE_INVALID;
1772	png_benign_error(png_ptr, "invalid end points");
1773	break;
1774
1775	default:
1776	colorspace->flags \|= PNG_COLORSPACE_INVALID;
1777	png_error(png_ptr, "internal error checking chromaticities");
1778	}
1779
1780	return `0`; / failed /
1781	}
1782
1783	#if defined(PNG_sRGB_SUPPORTED) \|\| defined(PNG_iCCP_SUPPORTED)
1784	/ Error message generation /
1785	static char
1786	png_icc_tag_char(png_uint_32 byte)
1787	{
1788	byte &= `0xff`;
1789	if (byte >= `32` && byte <= `126`)
1790	return (char)byte;
1791	else
1792	return `'?'`;
1793	}
1794
1795	static void
1796	png_icc_tag_name(char *name, png_uint_32 tag)
1797	{
1798	name[`0`] = `'\''`;
1799	name[`1`] = png_icc_tag_char(tag >> `24`);
1800	name[`2`] = png_icc_tag_char(tag >> `16`);
1801	name[`3`] = png_icc_tag_char(tag >> `8`);
1802	name[`4`] = png_icc_tag_char(tag );
1803	name[`5`] = `'\''`;
1804	}
1805
1806	static int
1807	is_ICC_signature_char(png_alloc_size_t it)
1808	{
1809	return it == `32` \|\| (it >= `48` && it <= `57`) \|\| (it >= `65` && it <= `90`) \|\|
1810	(it >= `97` && it <= `122`);
1811	}
1812
1813	static int
1814	is_ICC_signature(png_alloc_size_t it)
1815	{
1816	return is_ICC_signature_char(it >> `24`) / checks all the top bits / &&
1817	is_ICC_signature_char((it >> `16`) & `0xff`) &&
1818	is_ICC_signature_char((it >> `8`) & `0xff`) &&
1819	is_ICC_signature_char(it & `0xff`);
1820	}
1821
1822	static int
1823	png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace,
1824	png_const_charp name, png_alloc_size_t value, png_const_charp reason)
1825	{
1826	size_t pos;
1827	char message[`196`]; / see below for calculation /
1828
1829	if (colorspace != NULL)
1830	colorspace->flags \|= PNG_COLORSPACE_INVALID;
1831
1832	pos = png_safecat(message, (sizeof message), `0`, "profile '"); / 9 chars /
1833	pos = png_safecat(message, pos+`79`, pos, name); / Truncate to 79 chars /
1834	pos = png_safecat(message, (sizeof message), pos, "': "); / +2 = 90 /
1835	if (is_ICC_signature(value) != `0`)
1836	{
1837	/ So 'value' is at most 4 bytes and the following cast is safe /
1838	png_icc_tag_name(message+pos, (png_uint_32)value);
1839	pos += `6`; / total +8; less than the else clause /
1840	message[pos++] = `':'`;
1841	message[pos++] = `' '`;
1842	}
1843	# ifdef PNG_WARNINGS_SUPPORTED
1844	else
1845	{
1846	char number[PNG_NUMBER_BUFFER_SIZE]; / +24 = 114/
1847
1848	pos = png_safecat(message, (sizeof message), pos,
1849	png_format_number(number, number+(sizeof number),
1850	PNG_NUMBER_FORMAT_x, value));
1851	pos = png_safecat(message, (sizeof message), pos, "h: "); /+2 = 116/
1852	}
1853	# endif
1854	/ The 'reason' is an arbitrary message, allow +79 maximum 195 /
1855	pos = png_safecat(message, (sizeof message), pos, reason);
1856	PNG_UNUSED(pos)
1857
1858	/ This is recoverable, but make it unconditionally an app_error on write to*
1859	* avoid writing invalid ICC profiles into PNG files (i.e., we handle them
1860	* on read, with a warning, but on write unless the app turns off
1861	* application errors the PNG won't be written.)
1862	*/
1863	png_chunk_report(png_ptr, message,
1864	(colorspace != NULL) ? PNG_CHUNK_ERROR : PNG_CHUNK_WRITE_ERROR);
1865
1866	return `0`;
1867	}
1868	#endif /* sRGB \|\| iCCP */
1869
1870	#ifdef PNG_sRGB_SUPPORTED
1871	int / PRIVATE /
1872	png_colorspace_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace,
1873	int intent)
1874	{
1875	/ sRGB sets known gamma, end points and (from the chunk) intent. /
1876	/ IMPORTANT: these are not necessarily the values found in an ICC profile*
1877	* because ICC profiles store values adapted to a D50 environment; it is
1878	* expected that the ICC profile mediaWhitePointTag will be D50; see the
1879	* checks and code elsewhere to understand this better.
1880	*
1881	* These XYZ values, which are accurate to 5dp, produce rgb to gray
1882	* coefficients of (6968,23435,2366), which are reduced (because they add up
1883	* to 32769 not 32768) to (6968,23434,2366). These are the values that
1884	* libpng has traditionally used (and are the best values given the 15bit
1885	* algorithm used by the rgb to gray code.)
1886	*/
1887	static const png_XYZ sRGB_XYZ = / D65 XYZ (not the D50 adapted values!) /
1888	{
1889	/ color X Y Z /
1890	/ red / `41239`, `21264`, `1933`,
1891	/ green / `35758`, `71517`, `11919`,
1892	/ blue / `18048`, `7219`, `95053`
1893	};
1894
1895	/ Do nothing if the colorspace is already invalidated. /
1896	if ((colorspace->flags & PNG_COLORSPACE_INVALID) != `0`)
1897	return `0`;
1898
1899	/ Check the intent, then check for existing settings. It is valid for the*
1900	* PNG file to have cHRM or gAMA chunks along with sRGB, but the values must
1901	* be consistent with the correct values. If, however, this function is
1902	* called below because an iCCP chunk matches sRGB then it is quite
1903	* conceivable that an older app recorded incorrect gAMA and cHRM because of
1904	* an incorrect calculation based on the values in the profile - this does
1905	* not invalidate the profile (though it still produces an error, which can
1906	* be ignored.)
1907	*/
1908	if (intent < `0` \|\| intent >= PNG_sRGB_INTENT_LAST)
1909	return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1910	(png_alloc_size_t)intent, "invalid sRGB rendering intent");
1911
1912	if ((colorspace->flags & PNG_COLORSPACE_HAVE_INTENT) != `0` &&
1913	colorspace->rendering_intent != intent)
1914	return png_icc_profile_error(png_ptr, colorspace, "sRGB",
1915	(png_alloc_size_t)intent, "inconsistent rendering intents");
1916
1917	if ((colorspace->flags & PNG_COLORSPACE_FROM_sRGB) != `0`)
1918	{
1919	png_benign_error(png_ptr, "duplicate sRGB information ignored");
1920	return `0`;
1921	}
1922
1923	/ If the standard sRGB cHRM chunk does not match the one from the PNG file*
1924	* warn but overwrite the value with the correct one.
1925	*/
1926	if ((colorspace->flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != `0` &&
1927	!png_colorspace_endpoints_match(&sRGB_xy, &colorspace->end_points_xy,
1928	`100`))
1929	png_chunk_report(png_ptr, "cHRM chunk does not match sRGB",
1930	PNG_CHUNK_ERROR);
1931
1932	/ This check is just done for the error reporting - the routine always*
1933	* returns true when the 'from' argument corresponds to sRGB (2).
1934	*/
1935	(void)png_colorspace_check_gamma(png_ptr, colorspace, PNG_GAMMA_sRGB_INVERSE,
1936	`2`/from sRGB/);
1937
1938	/ intent: bugs in GCC force 'int' to be used as the parameter type. /
1939	colorspace->rendering_intent = (png_uint_16)intent;
1940	colorspace->flags \|= PNG_COLORSPACE_HAVE_INTENT;
1941
1942	/ endpoints /
1943	colorspace->end_points_xy = sRGB_xy;
1944	colorspace->end_points_XYZ = sRGB_XYZ;
1945	colorspace->flags \|=
1946	(PNG_COLORSPACE_HAVE_ENDPOINTS\|PNG_COLORSPACE_ENDPOINTS_MATCH_sRGB);
1947
1948	/ gamma /
1949	colorspace->gamma = PNG_GAMMA_sRGB_INVERSE;
1950	colorspace->flags \|= PNG_COLORSPACE_HAVE_GAMMA;
1951
1952	/ Finally record that we have an sRGB profile /
1953	colorspace->flags \|=
1954	(PNG_COLORSPACE_MATCHES_sRGB\|PNG_COLORSPACE_FROM_sRGB);
1955
1956	return `1`; / set /
1957	}
1958	#endif /* sRGB */
1959
1960	#ifdef PNG_iCCP_SUPPORTED
1961	/ Encoded value of D50 as an ICC XYZNumber. From the ICC 2010 spec the value*
1962	* is XYZ(0.9642,1.0,0.8249), which scales to:
1963	*
1964	* (63189.8112, 65536, 54060.6464)
1965	*/
1966	static const png_byte D50_nCIEXYZ[`12`] =
1967	{ `0x00`, `0x00`, `0xf6`, `0xd6`, `0x00`, `0x01`, `0x00`, `0x00`, `0x00`, `0x00`, `0xd3`, `0x2d` };
1968
1969	static int / bool /
1970	icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1971	png_const_charp name, png_uint_32 profile_length)
1972	{
1973	if (profile_length < `132`)
1974	return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1975	"too short");
1976	return `1`;
1977	}
1978
1979	#ifdef PNG_READ_iCCP_SUPPORTED
1980	int / PRIVATE /
1981	png_icc_check_length(png_const_structrp png_ptr, png_colorspacerp colorspace,
1982	png_const_charp name, png_uint_32 profile_length)
1983	{
1984	if (!icc_check_length(png_ptr, colorspace, name, profile_length))
1985	return `0`;
1986
1987	/ This needs to be here because the 'normal' check is in*
1988	* png_decompress_chunk, yet this happens after the attempt to
1989	* png_malloc_base the required data. We only need this on read; on write
1990	* the caller supplies the profile buffer so libpng doesn't allocate it. See
1991	* the call to icc_check_length below (the write case).
1992	*/
1993	# ifdef PNG_SET_USER_LIMITS_SUPPORTED
1994	else if (png_ptr->user_chunk_malloc_max > `0` &&
1995	png_ptr->user_chunk_malloc_max < profile_length)
1996	return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
1997	"exceeds application limits");
1998	# elif PNG_USER_CHUNK_MALLOC_MAX > 0
1999	else if (PNG_USER_CHUNK_MALLOC_MAX < profile_length)
2000	return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2001	"exceeds libpng limits");
2002	# else /* !SET_USER_LIMITS */
2003	/ This will get compiled out on all 32-bit and better systems. /
2004	else if (PNG_SIZE_MAX < profile_length)
2005	return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2006	"exceeds system limits");
2007	# endif /* !SET_USER_LIMITS */
2008
2009	return `1`;
2010	}
2011	#endif /* READ_iCCP */
2012
2013	int / PRIVATE /
2014	png_icc_check_header(png_const_structrp png_ptr, png_colorspacerp colorspace,
2015	png_const_charp name, png_uint_32 profile_length,
2016	png_const_bytep profile/* first 132 bytes only /, int* color_type)
2017	{
2018	png_uint_32 temp;
2019
2020	/ Length check; this cannot be ignored in this code because profile_length*
2021	* is used later to check the tag table, so even if the profile seems over
2022	* long profile_length from the caller must be correct. The caller can fix
2023	* this up on read or write by just passing in the profile header length.
2024	*/
2025	temp = png_get_uint_32(profile);
2026	if (temp != profile_length)
2027	return png_icc_profile_error(png_ptr, colorspace, name, temp,
2028	"length does not match profile");
2029
2030	temp = (png_uint_32) (*(profile+`8`));
2031	if (temp > `3` && (profile_length & `3`))
2032	return png_icc_profile_error(png_ptr, colorspace, name, profile_length,
2033	"invalid length");
2034
2035	temp = png_get_uint_32(profile+`128`); / tag count: 12 bytes/tag /
2036	if (temp > `357913930` \|\| / (2^32-4-132)/12: maximum possible tag count /
2037	profile_length < `132`+`12`temp) /* truncated tag table /
2038	return png_icc_profile_error(png_ptr, colorspace, name, temp,
2039	"tag count too large");
2040
2041	/ The 'intent' must be valid or we can't store it, ICC limits the intent to*
2042	* 16 bits.
2043	*/
2044	temp = png_get_uint_32(profile+`64`);
2045	if (temp >= `0xffff`) / The ICC limit /
2046	return png_icc_profile_error(png_ptr, colorspace, name, temp,
2047	"invalid rendering intent");
2048
2049	/ This is just a warning because the profile may be valid in future*
2050	* versions.
2051	*/
2052	if (temp >= PNG_sRGB_INTENT_LAST)
2053	(void)png_icc_profile_error(png_ptr, NULL, name, temp,
2054	"intent outside defined range");
2055
2056	/ At this point the tag table can't be checked because it hasn't necessarily*
2057	* been loaded; however, various header fields can be checked. These checks
2058	* are for values permitted by the PNG spec in an ICC profile; the PNG spec
2059	* restricts the profiles that can be passed in an iCCP chunk (they must be
2060	* appropriate to processing PNG data!)
2061	*/
2062
2063	/ Data checks (could be skipped). These checks must be independent of the*
2064	* version number; however, the version number doesn't accommodate changes in
2065	* the header fields (just the known tags and the interpretation of the
2066	* data.)
2067	*/
2068	temp = png_get_uint_32(profile+`36`); / signature 'ascp' /
2069	if (temp != `0x61637370`)
2070	return png_icc_profile_error(png_ptr, colorspace, name, temp,
2071	"invalid signature");
2072
2073	/ Currently the PCS illuminant/adopted white point (the computational*
2074	* white point) are required to be D50,
2075	* however the profile contains a record of the illuminant so perhaps ICC
2076	* expects to be able to change this in the future (despite the rationale in
2077	* the introduction for using a fixed PCS adopted white.) Consequently the
2078	* following is just a warning.
2079	*/
2080	if (memcmp(profile+`68`, D50_nCIEXYZ, `12`) != `0`)
2081	(void)png_icc_profile_error(png_ptr, NULL, name, `0`/no tag value/,
2082	"PCS illuminant is not D50");
2083
2084	/ The PNG spec requires this:*
2085	* "If the iCCP chunk is present, the image samples conform to the colour
2086	* space represented by the embedded ICC profile as defined by the
2087	* International Color Consortium [ICC]. The colour space of the ICC profile
2088	* shall be an RGB colour space for colour images (PNG colour types 2, 3, and
2089	* 6), or a greyscale colour space for greyscale images (PNG colour types 0
2090	* and 4)."
2091	*
2092	* This checking code ensures the embedded profile (on either read or write)
2093	* conforms to the specification requirements. Notice that an ICC 'gray'
2094	* color-space profile contains the information to transform the monochrome
2095	* data to XYZ or Lab (according to which PCS the profile uses) and this
2096	* should be used in preference to the standard libpng K channel replication
2097	* into R, G and B channels.
2098	*
2099	* Previously it was suggested that an RGB profile on grayscale data could be
2100	* handled. However it it is clear that using an RGB profile in this context
2101	* must be an error - there is no specification of what it means. Thus it is
2102	* almost certainly more correct to ignore the profile.
2103	*/
2104	temp = png_get_uint_32(profile+`16`); / data colour space field /
2105	switch (temp)
2106	{
2107	case `0x52474220`: / 'RGB ' /
2108	if ((color_type & PNG_COLOR_MASK_COLOR) == `0`)
2109	return png_icc_profile_error(png_ptr, colorspace, name, temp,
2110	"RGB color space not permitted on grayscale PNG");
2111	break;
2112
2113	case `0x47524159`: / 'GRAY' /
2114	if ((color_type & PNG_COLOR_MASK_COLOR) != `0`)
2115	return png_icc_profile_error(png_ptr, colorspace, name, temp,
2116	"Gray color space not permitted on RGB PNG");
2117	break;
2118
2119	default:
2120	return png_icc_profile_error(png_ptr, colorspace, name, temp,
2121	"invalid ICC profile color space");
2122	}
2123
2124	/ It is up to the application to check that the profile class matches the*
2125	* application requirements; the spec provides no guidance, but it's pretty
2126	* weird if the profile is not scanner ('scnr'), monitor ('mntr'), printer
2127	* ('prtr') or 'spac' (for generic color spaces). Issue a warning in these
2128	* cases. Issue an error for device link or abstract profiles - these don't
2129	* contain the records necessary to transform the color-space to anything
2130	* other than the target device (and not even that for an abstract profile).
2131	* Profiles of these classes may not be embedded in images.
2132	*/
2133	temp = png_get_uint_32(profile+`12`); / profile/device class /
2134	switch (temp)
2135	{
2136	case `0x73636e72`: / 'scnr' /
2137	case `0x6d6e7472`: / 'mntr' /
2138	case `0x70727472`: / 'prtr' /
2139	case `0x73706163`: / 'spac' /
2140	/ All supported /
2141	break;
2142
2143	case `0x61627374`: / 'abst' /
2144	/ May not be embedded in an image /
2145	return png_icc_profile_error(png_ptr, colorspace, name, temp,
2146	"invalid embedded Abstract ICC profile");
2147
2148	case `0x6c696e6b`: / 'link' /
2149	/ DeviceLink profiles cannot be interpreted in a non-device specific*
2150	* fashion, if an app uses the AToB0Tag in the profile the results are
2151	* undefined unless the result is sent to the intended device,
2152	* therefore a DeviceLink profile should not be found embedded in a
2153	* PNG.
2154	*/
2155	return png_icc_profile_error(png_ptr, colorspace, name, temp,
2156	"unexpected DeviceLink ICC profile class");
2157
2158	case `0x6e6d636c`: / 'nmcl' /
2159	/ A NamedColor profile is also device specific, however it doesn't*
2160	* contain an AToB0 tag that is open to misinterpretation. Almost
2161	* certainly it will fail the tests below.
2162	*/
2163	(void)png_icc_profile_error(png_ptr, NULL, name, temp,
2164	"unexpected NamedColor ICC profile class");
2165	break;
2166
2167	default:
2168	/ To allow for future enhancements to the profile accept unrecognized*
2169	* profile classes with a warning, these then hit the test below on the
2170	* tag content to ensure they are backward compatible with one of the
2171	* understood profiles.
2172	*/
2173	(void)png_icc_profile_error(png_ptr, NULL, name, temp,
2174	"unrecognized ICC profile class");
2175	break;
2176	}
2177
2178	/ For any profile other than a device link one the PCS must be encoded*
2179	* either in XYZ or Lab.
2180	*/
2181	temp = png_get_uint_32(profile+`20`);
2182	switch (temp)
2183	{
2184	case `0x58595a20`: / 'XYZ ' /
2185	case `0x4c616220`: / 'Lab ' /
2186	break;
2187
2188	default:
2189	return png_icc_profile_error(png_ptr, colorspace, name, temp,
2190	"unexpected ICC PCS encoding");
2191	}
2192
2193	return `1`;
2194	}
2195
2196	int / PRIVATE /
2197	png_icc_check_tag_table(png_const_structrp png_ptr, png_colorspacerp colorspace,
2198	png_const_charp name, png_uint_32 profile_length,
2199	png_const_bytep profile / header plus whole tag table /)
2200	{
2201	png_uint_32 tag_count = png_get_uint_32(profile+`128`);
2202	png_uint_32 itag;
2203	png_const_bytep tag = profile+`132`; / The first tag /
2204
2205	/ First scan all the tags in the table and add bits to the icc_info value*
2206	* (temporarily in 'tags').
2207	*/
2208	for (itag=`0`; itag < tag_count; ++itag, tag += `12`)
2209	{
2210	png_uint_32 tag_id = png_get_uint_32(tag+`0`);
2211	png_uint_32 tag_start = png_get_uint_32(tag+`4`); / must be aligned /
2212	png_uint_32 tag_length = png_get_uint_32(tag+`8`);/ not padded /
2213
2214	/ The ICC specification does not exclude zero length tags, therefore the*
2215	* start might actually be anywhere if there is no data, but this would be
2216	* a clear abuse of the intent of the standard so the start is checked for
2217	* being in range. All defined tag types have an 8 byte header - a 4 byte
2218	* type signature then 0.
2219	*/
2220
2221	/ This is a hard error; potentially it can cause read outside the*
2222	* profile.
2223	*/
2224	if (tag_start > profile_length \|\| tag_length > profile_length - tag_start)
2225	return png_icc_profile_error(png_ptr, colorspace, name, tag_id,
2226	"ICC profile tag outside profile");
2227
2228	if ((tag_start & `3`) != `0`)
2229	{
2230	/ CNHP730S.icc shipped with Microsoft Windows 64 violates this; it is*
2231	* only a warning here because libpng does not care about the
2232	* alignment.
2233	*/
2234	(void)png_icc_profile_error(png_ptr, NULL, name, tag_id,
2235	"ICC profile tag start not a multiple of 4");
2236	}
2237	}
2238
2239	return `1`; / success, maybe with warnings /
2240	}
2241
2242	#ifdef PNG_sRGB_SUPPORTED
2243	#if PNG_sRGB_PROFILE_CHECKS >= 0
2244	/ Information about the known ICC sRGB profiles /
2245	static const struct
2246	{
2247	png_uint_32 adler, crc, length;
2248	png_uint_32 md5[`4`];
2249	png_byte have_md5;
2250	png_byte is_broken;
2251	png_uint_16 intent;
2252
2253	# define PNG_MD5(a,b,c,d) { a, b, c, d }, (a!=0)\|\|(b!=0)\|\|(c!=0)\|\|(d!=0)
2254	# define PNG_ICC_CHECKSUM(adler, crc, md5, intent, broke, date, length, fname)\
2255	{ adler, crc, length, md5, broke, intent },
2256
2257	} png_sRGB_checks[] =
2258	{
2259	/ This data comes from contrib/tools/checksum-icc run on downloads of*
2260	* all four ICC sRGB profiles from www.color.org.
2261	*/
2262	/ adler32, crc32, MD5[4], intent, date, length, file-name /
2263	PNG_ICC_CHECKSUM(`0x0a3fd9f6`, `0x3b8772b9`,
2264	PNG_MD5(`0x29f83dde`, `0xaff255ae`, `0x7842fae4`, `0xca83390d`), `0`, `0`,
2265	"2009/03/27 21:36:31", `3048`, "sRGB_IEC61966-2-1_black_scaled.icc")
2266
2267	/ ICC sRGB v2 perceptual no black-compensation: /
2268	PNG_ICC_CHECKSUM(`0x4909e5e1`, `0x427ebb21`,
2269	PNG_MD5(`0xc95bd637`, `0xe95d8a3b`, `0x0df38f99`, `0xc1320389`), `1`, `0`,
2270	"2009/03/27 21:37:45", `3052`, "sRGB_IEC61966-2-1_no_black_scaling.icc")
2271
2272	PNG_ICC_CHECKSUM(`0xfd2144a1`, `0x306fd8ae`,
2273	PNG_MD5(`0xfc663378`, `0x37e2886b`, `0xfd72e983`, `0x8228f1b8`), `0`, `0`,
2274	"2009/08/10 17:28:01", `60988`, "sRGB_v4_ICC_preference_displayclass.icc")
2275
2276	/ ICC sRGB v4 perceptual /
2277	PNG_ICC_CHECKSUM(`0x209c35d2`, `0xbbef7812`,
2278	PNG_MD5(`0x34562abf`, `0x994ccd06`, `0x6d2c5721`, `0xd0d68c5d`), `0`, `0`,
2279	"2007/07/25 00:05:37", `60960`, "sRGB_v4_ICC_preference.icc")
2280
2281	/ The following profiles have no known MD5 checksum. If there is a match*
2282	* on the (empty) MD5 the other fields are used to attempt a match and
2283	* a warning is produced. The first two of these profiles have a 'cprt' tag
2284	* which suggests that they were also made by Hewlett Packard.
2285	*/
2286	PNG_ICC_CHECKSUM(`0xa054d762`, `0x5d5129ce`,
2287	PNG_MD5(`0x00000000`, `0x00000000`, `0x00000000`, `0x00000000`), `1`, `0`,
2288	"2004/07/21 18:57:42", `3024`, "sRGB_IEC61966-2-1_noBPC.icc")
2289
2290	/ This is a 'mntr' (display) profile with a mediaWhitePointTag that does not*
2291	* match the D50 PCS illuminant in the header (it is in fact the D65 values,
2292	* so the white point is recorded as the un-adapted value.) The profiles
2293	* below only differ in one byte - the intent - and are basically the same as
2294	* the previous profile except for the mediaWhitePointTag error and a missing
2295	* chromaticAdaptationTag.
2296	*/
2297	PNG_ICC_CHECKSUM(`0xf784f3fb`, `0x182ea552`,
2298	PNG_MD5(`0x00000000`, `0x00000000`, `0x00000000`, `0x00000000`), `0`, `1`/broken/,
2299	"1998/02/09 06:49:00", `3144`, "HP-Microsoft sRGB v2 perceptual")
2300
2301	PNG_ICC_CHECKSUM(`0x0398f3fc`, `0xf29e526d`,
2302	PNG_MD5(`0x00000000`, `0x00000000`, `0x00000000`, `0x00000000`), `1`, `1`/broken/,
2303	"1998/02/09 06:49:00", `3144`, "HP-Microsoft sRGB v2 media-relative")
2304	};
2305
2306	static int
2307	png_compare_ICC_profile_with_sRGB(png_const_structrp png_ptr,
2308	png_const_bytep profile, uLong adler)
2309	{
2310	/ The quick check is to verify just the MD5 signature and trust the*
2311	* rest of the data. Because the profile has already been verified for
2312	* correctness this is safe. png_colorspace_set_sRGB will check the 'intent'
2313	* field too, so if the profile has been edited with an intent not defined
2314	* by sRGB (but maybe defined by a later ICC specification) the read of
2315	* the profile will fail at that point.
2316	*/
2317
2318	png_uint_32 length = `0`;
2319	png_uint_32 intent = `0x10000`; / invalid /
2320	#if PNG_sRGB_PROFILE_CHECKS > 1
2321	uLong crc = `0`; / the value for 0 length data /
2322	#endif
2323	unsigned int i;
2324
2325	#ifdef PNG_SET_OPTION_SUPPORTED
2326	/ First see if PNG_SKIP_sRGB_CHECK_PROFILE has been set to "on" /
2327	if (((png_ptr->options >> PNG_SKIP_sRGB_CHECK_PROFILE) & `3`) ==
2328	PNG_OPTION_ON)
2329	return `0`;
2330	#endif
2331
2332	for (i=`0`; i < (sizeof png_sRGB_checks) / (sizeof png_sRGB_checks[`0`]); ++i)
2333	{
2334	if (png_get_uint_32(profile+`84`) == png_sRGB_checks[i].md5[`0`] &&
2335	png_get_uint_32(profile+`88`) == png_sRGB_checks[i].md5[`1`] &&
2336	png_get_uint_32(profile+`92`) == png_sRGB_checks[i].md5[`2`] &&
2337	png_get_uint_32(profile+`96`) == png_sRGB_checks[i].md5[`3`])
2338	{
2339	/ This may be one of the old HP profiles without an MD5, in that*
2340	* case we can only use the length and Adler32 (note that these
2341	* are not used by default if there is an MD5!)
2342	*/
2343	# if PNG_sRGB_PROFILE_CHECKS == 0
2344	if (png_sRGB_checks[i].have_md5 != `0`)
2345	return `1`+png_sRGB_checks[i].is_broken;
2346	# endif
2347
2348	/ Profile is unsigned or more checks have been configured in. /
2349	if (length == `0`)
2350	{
2351	length = png_get_uint_32(profile);
2352	intent = png_get_uint_32(profile+`64`);
2353	}
2354
2355	/ Length and intent must match /
2356	if (length == (png_uint_32) png_sRGB_checks[i].length &&
2357	intent == (png_uint_32) png_sRGB_checks[i].intent)
2358	{
2359	/ Now calculate the adler32 if not done already. /
2360	if (adler == `0`)
2361	{
2362	adler = adler32(`0`, NULL, `0`);
2363	adler = adler32(adler, profile, length);
2364	}
2365
2366	if (adler == png_sRGB_checks[i].adler)
2367	{
2368	/ These basic checks suggest that the data has not been*
2369	* modified, but if the check level is more than 1 perform
2370	* our own crc32 checksum on the data.
2371	*/
2372	# if PNG_sRGB_PROFILE_CHECKS > 1
2373	if (crc == `0`)
2374	{
2375	crc = crc32(`0`, NULL, `0`);
2376	crc = crc32(crc, profile, length);
2377	}
2378
2379	/ So this check must pass for the 'return' below to happen.*
2380	*/
2381	if (crc == png_sRGB_checks[i].crc)
2382	# endif
2383	{
2384	if (png_sRGB_checks[i].is_broken != `0`)
2385	{
2386	/ These profiles are known to have bad data that may cause*
2387	* problems if they are used, therefore attempt to
2388	* discourage their use, skip the 'have_md5' warning below,
2389	* which is made irrelevant by this error.
2390	*/
2391	png_chunk_report(png_ptr, "known incorrect sRGB profile",
2392	PNG_CHUNK_ERROR);
2393	}
2394
2395	/ Warn that this being done; this isn't even an error since*
2396	* the profile is perfectly valid, but it would be nice if
2397	* people used the up-to-date ones.
2398	*/
2399	else if (png_sRGB_checks[i].have_md5 == `0`)
2400	{
2401	png_chunk_report(png_ptr,
2402	"out-of-date sRGB profile with no signature",
2403	PNG_CHUNK_WARNING);
2404	}
2405
2406	return `1`+png_sRGB_checks[i].is_broken;
2407	}
2408	}
2409
2410	# if PNG_sRGB_PROFILE_CHECKS > 0
2411	/ The signature matched, but the profile had been changed in some*
2412	* way. This probably indicates a data error or uninformed hacking.
2413	* Fall through to "no match".
2414	*/
2415	png_chunk_report(png_ptr,
2416	"Not recognizing known sRGB profile that has been edited",
2417	PNG_CHUNK_WARNING);
2418	break;
2419	# endif
2420	}
2421	}
2422	}
2423
2424	return `0`; / no match /
2425	}
2426
2427	void / PRIVATE /
2428	png_icc_set_sRGB(png_const_structrp png_ptr,
2429	png_colorspacerp colorspace, png_const_bytep profile, uLong adler)
2430	{
2431	/ Is this profile one of the known ICC sRGB profiles? If it is, just set*
2432	* the sRGB information.
2433	*/
2434	if (png_compare_ICC_profile_with_sRGB(png_ptr, profile, adler) != `0`)
2435	(void)png_colorspace_set_sRGB(png_ptr, colorspace,
2436	(int)/already checked/png_get_uint_32(profile+`64`));
2437	}
2438	#endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */
2439	#endif /* sRGB */
2440
2441	int / PRIVATE /
2442	png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace,
2443	png_const_charp name, png_uint_32 profile_length, png_const_bytep profile,
2444	int color_type)
2445	{
2446	if ((colorspace->flags & PNG_COLORSPACE_INVALID) != `0`)
2447	return `0`;
2448
2449	if (icc_check_length(png_ptr, colorspace, name, profile_length) != `0` &&
2450	png_icc_check_header(png_ptr, colorspace, name, profile_length, profile,
2451	color_type) != `0` &&
2452	png_icc_check_tag_table(png_ptr, colorspace, name, profile_length,
2453	profile) != `0`)
2454	{
2455	# if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0
2456	/ If no sRGB support, don't try storing sRGB information /
2457	png_icc_set_sRGB(png_ptr, colorspace, profile, `0`);
2458	# endif
2459	return `1`;
2460	}
2461
2462	/ Failure case /
2463	return `0`;
2464	}
2465	#endif /* iCCP */
2466
2467	#ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED
2468	void / PRIVATE /
2469	png_colorspace_set_rgb_coefficients(png_structrp png_ptr)
2470	{
2471	/ Set the rgb_to_gray coefficients from the colorspace. /
2472	if (png_ptr->rgb_to_gray_coefficients_set == `0` &&
2473	(png_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != `0`)
2474	{
2475	/ png_set_background has not been called, get the coefficients from the Y*
2476	* values of the colorspace colorants.
2477	*/
2478	png_fixed_point r = png_ptr->colorspace.end_points_XYZ.red_Y;
2479	png_fixed_point g = png_ptr->colorspace.end_points_XYZ.green_Y;
2480	png_fixed_point b = png_ptr->colorspace.end_points_XYZ.blue_Y;
2481	png_fixed_point total = r+g+b;
2482
2483	if (total > `0` &&
2484	r >= `0` && png_muldiv(&r, r, `32768`, total) && r >= `0` && r <= `32768` &&
2485	g >= `0` && png_muldiv(&g, g, `32768`, total) && g >= `0` && g <= `32768` &&
2486	b >= `0` && png_muldiv(&b, b, `32768`, total) && b >= `0` && b <= `32768` &&
2487	r+g+b <= `32769`)
2488	{
2489	/ We allow 0 coefficients here. r+g+b may be 32769 if two or*
2490	* all of the coefficients were rounded up. Handle this by
2491	* reducing the largest coefficient by 1; this matches the
2492	* approach used for the default coefficients in pngrtran.c
2493	*/
2494	int add = `0`;
2495
2496	if (r+g+b > `32768`)
2497	add = -`1`;
2498	else if (r+g+b < `32768`)
2499	add = `1`;
2500
2501	if (add != `0`)
2502	{
2503	if (g >= r && g >= b)
2504	g += add;
2505	else if (r >= g && r >= b)
2506	r += add;
2507	else
2508	b += add;
2509	}
2510
2511	/ Check for an internal error. /
2512	if (r+g+b != `32768`)
2513	png_error(png_ptr,
2514	"internal error handling cHRM coefficients");
2515
2516	else
2517	{
2518	png_ptr->rgb_to_gray_red_coeff = (png_uint_16)r;
2519	png_ptr->rgb_to_gray_green_coeff = (png_uint_16)g;
2520	}
2521	}
2522
2523	/ This is a png_error at present even though it could be ignored -*
2524	* it should never happen, but it is important that if it does, the
2525	* bug is fixed.
2526	*/
2527	else
2528	png_error(png_ptr, "internal error handling cHRM->XYZ");
2529	}
2530	}
2531	#endif /* READ_RGB_TO_GRAY */
2532
2533	#endif /* COLORSPACE */
2534
2535	#ifdef __GNUC__
2536	/ This exists solely to work round a warning from GNU C. /
2537	static int / PRIVATE /
2538	png_gt(size_t a, size_t b)
2539	{
2540	return a > b;
2541	}
2542	#else
2543	# define png_gt(a,b) ((a) > (b))
2544	#endif
2545
2546	void / PRIVATE /
2547	png_check_IHDR(png_const_structrp png_ptr,
2548	png_uint_32 width, png_uint_32 height, int bit_depth,
2549	int color_type, int interlace_type, int compression_type,
2550	int filter_type)
2551	{
2552	int error = `0`;
2553
2554	/ Check for width and height valid values /
2555	if (width == `0`)
2556	{
2557	png_warning(png_ptr, "Image width is zero in IHDR");
2558	error = `1`;
2559	}
2560
2561	if (width > PNG_UINT_31_MAX)
2562	{
2563	png_warning(png_ptr, "Invalid image width in IHDR");
2564	error = `1`;
2565	}
2566
2567	if (png_gt(((width + `7`) & (~`7U`)),
2568	((PNG_SIZE_MAX
2569	- `48` / big_row_buf hack /
2570	- `1`) / filter byte /
2571	/ `8`) / 8-byte RGBA pixels /
2572	- `1`)) / extra max_pixel_depth pad /
2573	{
2574	/ The size of the row must be within the limits of this architecture.*
2575	* Because the read code can perform arbitrary transformations the
2576	* maximum size is checked here. Because the code in png_read_start_row
2577	* adds extra space "for safety's sake" in several places a conservative
2578	* limit is used here.
2579	*
2580	* NOTE: it would be far better to check the size that is actually used,
2581	* but the effect in the real world is minor and the changes are more
2582	* extensive, therefore much more dangerous and much more difficult to
2583	* write in a way that avoids compiler warnings.
2584	*/
2585	png_warning(png_ptr, "Image width is too large for this architecture");
2586	error = `1`;
2587	}
2588
2589	#ifdef PNG_SET_USER_LIMITS_SUPPORTED
2590	if (width > png_ptr->user_width_max)
2591	#else
2592	if (width > PNG_USER_WIDTH_MAX)
2593	#endif
2594	{
2595	png_warning(png_ptr, "Image width exceeds user limit in IHDR");
2596	error = `1`;
2597	}
2598
2599	if (height == `0`)
2600	{
2601	png_warning(png_ptr, "Image height is zero in IHDR");
2602	error = `1`;
2603	}
2604
2605	if (height > PNG_UINT_31_MAX)
2606	{
2607	png_warning(png_ptr, "Invalid image height in IHDR");
2608	error = `1`;
2609	}
2610
2611	#ifdef PNG_SET_USER_LIMITS_SUPPORTED
2612	if (height > png_ptr->user_height_max)
2613	#else
2614	if (height > PNG_USER_HEIGHT_MAX)
2615	#endif
2616	{
2617	png_warning(png_ptr, "Image height exceeds user limit in IHDR");
2618	error = `1`;
2619	}
2620
2621	/ Check other values /
2622	if (bit_depth != `1` && bit_depth != `2` && bit_depth != `4` &&
2623	bit_depth != `8` && bit_depth != `16`)
2624	{
2625	png_warning(png_ptr, "Invalid bit depth in IHDR");
2626	error = `1`;
2627	}
2628
2629	if (color_type < `0` \|\| color_type == `1` \|\|
2630	color_type == `5` \|\| color_type > `6`)
2631	{
2632	png_warning(png_ptr, "Invalid color type in IHDR");
2633	error = `1`;
2634	}
2635
2636	if (((color_type == PNG_COLOR_TYPE_PALETTE) && bit_depth > `8`) \|\|
2637	((color_type == PNG_COLOR_TYPE_RGB \|\|
2638	color_type == PNG_COLOR_TYPE_GRAY_ALPHA \|\|
2639	color_type == PNG_COLOR_TYPE_RGB_ALPHA) && bit_depth < `8`))
2640	{
2641	png_warning(png_ptr, "Invalid color type/bit depth combination in IHDR");
2642	error = `1`;
2643	}
2644
2645	if (interlace_type >= PNG_INTERLACE_LAST)
2646	{
2647	png_warning(png_ptr, "Unknown interlace method in IHDR");
2648	error = `1`;
2649	}
2650
2651	if (compression_type != PNG_COMPRESSION_TYPE_BASE)
2652	{
2653	png_warning(png_ptr, "Unknown compression method in IHDR");
2654	error = `1`;
2655	}
2656
2657	#ifdef PNG_MNG_FEATURES_SUPPORTED
2658	/ Accept filter_method 64 (intrapixel differencing) only if*
2659	* 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and
2660	* 2. Libpng did not read a PNG signature (this filter_method is only
2661	* used in PNG datastreams that are embedded in MNG datastreams) and
2662	* 3. The application called png_permit_mng_features with a mask that
2663	* included PNG_FLAG_MNG_FILTER_64 and
2664	* 4. The filter_method is 64 and
2665	* 5. The color_type is RGB or RGBA
2666	*/
2667	if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != `0` &&
2668	png_ptr->mng_features_permitted != `0`)
2669	png_warning(png_ptr, "MNG features are not allowed in a PNG datastream");
2670
2671	if (filter_type != PNG_FILTER_TYPE_BASE)
2672	{
2673	if (!((png_ptr->mng_features_permitted & PNG_FLAG_MNG_FILTER_64) != `0` &&
2674	(filter_type == PNG_INTRAPIXEL_DIFFERENCING) &&
2675	((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) == `0`) &&
2676	(color_type == PNG_COLOR_TYPE_RGB \|\|
2677	color_type == PNG_COLOR_TYPE_RGB_ALPHA)))
2678	{
2679	png_warning(png_ptr, "Unknown filter method in IHDR");
2680	error = `1`;
2681	}
2682
2683	if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != `0`)
2684	{
2685	png_warning(png_ptr, "Invalid filter method in IHDR");
2686	error = `1`;
2687	}
2688	}
2689
2690	#else
2691	if (filter_type != PNG_FILTER_TYPE_BASE)
2692	{
2693	png_warning(png_ptr, "Unknown filter method in IHDR");
2694	error = `1`;
2695	}
2696	#endif
2697
2698	if (error == `1`)
2699	png_error(png_ptr, "Invalid IHDR data");
2700	}
2701
2702	#if defined(PNG_sCAL_SUPPORTED) \|\| defined(PNG_pCAL_SUPPORTED)
2703	/ ASCII to fp functions /
2704	/ Check an ASCII formatted floating point value, see the more detailed*
2705	* comments in pngpriv.h
2706	*/
2707	/ The following is used internally to preserve the sticky flags /
2708	#define png_fp_add(state, flags) ((state) \|= (flags))
2709	#define png_fp_set(state, value) ((state) = (value) \| ((state) & PNG_FP_STICKY))
2710
2711	int / PRIVATE /
2712	png_check_fp_number(png_const_charp string, size_t size, int *statep,
2713	png_size_tp whereami)
2714	{
2715	int state = *statep;
2716	size_t i = *whereami;
2717
2718	while (i < size)
2719	{
2720	int type;
2721	/ First find the type of the next character /
2722	switch (string[i])
2723	{
2724	case `43`: type = PNG_FP_SAW_SIGN; break;
2725	case `45`: type = PNG_FP_SAW_SIGN + PNG_FP_NEGATIVE; break;
2726	case `46`: type = PNG_FP_SAW_DOT; break;
2727	case `48`: type = PNG_FP_SAW_DIGIT; break;
2728	case `49`: case `50`: case `51`: case `52`:
2729	case `53`: case `54`: case `55`: case `56`:
2730	case `57`: type = PNG_FP_SAW_DIGIT + PNG_FP_NONZERO; break;
2731	case `69`:
2732	case `101`: type = PNG_FP_SAW_E; break;
2733	default: goto PNG_FP_End;
2734	}
2735
2736	/ Now deal with this type according to the current*
2737	* state, the type is arranged to not overlap the
2738	* bits of the PNG_FP_STATE.
2739	*/
2740	switch ((state & PNG_FP_STATE) + (type & PNG_FP_SAW_ANY))
2741	{
2742	case PNG_FP_INTEGER + PNG_FP_SAW_SIGN:
2743	if ((state & PNG_FP_SAW_ANY) != `0`)
2744	goto PNG_FP_End; / not a part of the number /
2745
2746	png_fp_add(state, type);
2747	break;
2748
2749	case PNG_FP_INTEGER + PNG_FP_SAW_DOT:
2750	/ Ok as trailer, ok as lead of fraction. /
2751	if ((state & PNG_FP_SAW_DOT) != `0`) / two dots /
2752	goto PNG_FP_End;
2753
2754	else if ((state & PNG_FP_SAW_DIGIT) != `0`) / trailing dot? /
2755	png_fp_add(state, type);
2756
2757	else
2758	png_fp_set(state, PNG_FP_FRACTION \| type);
2759
2760	break;
2761
2762	case PNG_FP_INTEGER + PNG_FP_SAW_DIGIT:
2763	if ((state & PNG_FP_SAW_DOT) != `0`) / delayed fraction /
2764	png_fp_set(state, PNG_FP_FRACTION \| PNG_FP_SAW_DOT);
2765
2766	png_fp_add(state, type \| PNG_FP_WAS_VALID);
2767
2768	break;
2769
2770	case PNG_FP_INTEGER + PNG_FP_SAW_E:
2771	if ((state & PNG_FP_SAW_DIGIT) == `0`)
2772	goto PNG_FP_End;
2773
2774	png_fp_set(state, PNG_FP_EXPONENT);
2775
2776	break;
2777
2778	/ case PNG_FP_FRACTION + PNG_FP_SAW_SIGN:*
2779	goto PNG_FP_End; * no sign in fraction /
2780
2781	/ case PNG_FP_FRACTION + PNG_FP_SAW_DOT:*
2782	goto PNG_FP_End; * Because SAW_DOT is always set /
2783
2784	case PNG_FP_FRACTION + PNG_FP_SAW_DIGIT:
2785	png_fp_add(state, type \| PNG_FP_WAS_VALID);
2786	break;
2787
2788	case PNG_FP_FRACTION + PNG_FP_SAW_E:
2789	/ This is correct because the trailing '.' on an*
2790	* integer is handled above - so we can only get here
2791	* with the sequence ".E" (with no preceding digits).
2792	*/
2793	if ((state & PNG_FP_SAW_DIGIT) == `0`)
2794	goto PNG_FP_End;
2795
2796	png_fp_set(state, PNG_FP_EXPONENT);
2797
2798	break;
2799
2800	case PNG_FP_EXPONENT + PNG_FP_SAW_SIGN:
2801	if ((state & PNG_FP_SAW_ANY) != `0`)
2802	goto PNG_FP_End; / not a part of the number /
2803
2804	png_fp_add(state, PNG_FP_SAW_SIGN);
2805
2806	break;
2807
2808	/ case PNG_FP_EXPONENT + PNG_FP_SAW_DOT:*
2809	goto PNG_FP_End; /*
2810
2811	case PNG_FP_EXPONENT + PNG_FP_SAW_DIGIT:
2812	png_fp_add(state, PNG_FP_SAW_DIGIT \| PNG_FP_WAS_VALID);
2813
2814	break;
2815
2816	/ case PNG_FP_EXPONEXT + PNG_FP_SAW_E:*
2817	goto PNG_FP_End; /*
2818
2819	default: goto PNG_FP_End; / I.e. break 2 /
2820	}
2821
2822	/ The character seems ok, continue. /
2823	++i;
2824	}
2825
2826	PNG_FP_End:
2827	/ Here at the end, update the state and return the correct*
2828	* return code.
2829	*/
2830	*statep = state;
2831	*whereami = i;
2832
2833	return (state & PNG_FP_SAW_DIGIT) != `0`;
2834	}
2835
2836
2837	/ The same but for a complete string. /
2838	int
2839	png_check_fp_string(png_const_charp string, size_t size)
2840	{
2841	int state=`0`;
2842	size_t char_index=`0`;
2843
2844	if (png_check_fp_number(string, size, &state, &char_index) != `0` &&
2845	(char_index == size \|\| string[char_index] == `0`))
2846	return state / must be non-zero - see above /;
2847
2848	return `0`; / i.e. fail /
2849	}
2850	#endif /* pCAL \|\| sCAL */
2851
2852	#ifdef PNG_sCAL_SUPPORTED
2853	# ifdef PNG_FLOATING_POINT_SUPPORTED
2854	/ Utility used below - a simple accurate power of ten from an integral*
2855	* exponent.
2856	*/
2857	static double
2858	png_pow10(int power)
2859	{
2860	int recip = `0`;
2861	double d = `1`;
2862
2863	/ Handle negative exponent with a reciprocal at the end because*
2864	* 10 is exact whereas .1 is inexact in base 2
2865	*/
2866	if (power < `0`)
2867	{
2868	if (power < DBL_MIN_10_EXP) return `0`;
2869	recip = `1`; power = -power;
2870	}
2871
2872	if (power > `0`)
2873	{
2874	/ Decompose power bitwise. /
2875	double mult = `10`;
2876	do
2877	{
2878	if (power & `1`) d *= mult;
2879	mult *= mult;
2880	power >>= `1`;
2881	}
2882	while (power > `0`);
2883
2884	if (recip != `0`) d = `1`/d;
2885	}
2886	/ else power is 0 and d is 1 /
2887
2888	return d;
2889	}
2890
2891	/ Function to format a floating point value in ASCII with a given*
2892	* precision.
2893	*/
2894	#if GCC_STRICT_OVERFLOW
2895	#pragma GCC diagnostic push
2896	/ The problem arises below with exp_b10, which can never overflow because it*
2897	* comes, originally, from frexp and is therefore limited to a range which is
2898	* typically +/-710 (log2(DBL_MAX)/log2(DBL_MIN)).
2899	*/
2900	#pragma GCC diagnostic warning "-Wstrict-overflow=2"
2901	#endif /* GCC_STRICT_OVERFLOW */
2902	void / PRIVATE /
2903	png_ascii_from_fp(png_const_structrp png_ptr, png_charp ascii, size_t size,
2904	double fp, unsigned int precision)
2905	{
2906	/ We use standard functions from math.h, but not printf because*
2907	* that would require stdio. The caller must supply a buffer of
2908	* sufficient size or we will png_error. The tests on size and
2909	* the space in ascii[] consumed are indicated below.
2910	*/
2911	if (precision < `1`)
2912	precision = DBL_DIG;
2913
2914	/ Enforce the limit of the implementation precision too. /
2915	if (precision > DBL_DIG+`1`)
2916	precision = DBL_DIG+`1`;
2917
2918	/ Basic sanity checks /
2919	if (size >= precision+`5`) / See the requirements below. /
2920	{
2921	if (fp < `0`)
2922	{
2923	fp = -fp;
2924	ascii++ = `45`; /* '-' PLUS 1 TOTAL 1 /
2925	--size;
2926	}
2927
2928	if (fp >= DBL_MIN && fp <= DBL_MAX)
2929	{
2930	int exp_b10; / A base 10 exponent /
2931	double base; / 10^exp_b10 /
2932
2933	/ First extract a base 10 exponent of the number,*
2934	* the calculation below rounds down when converting
2935	* from base 2 to base 10 (multiply by log10(2) -
2936	* 0.3010, but 77/256 is 0.3008, so exp_b10 needs to
2937	* be increased. Note that the arithmetic shift
2938	* performs a floor() unlike C arithmetic - using a
2939	* C multiply would break the following for negative
2940	* exponents.
2941	*/
2942	(void)frexp(fp, &exp_b10); / exponent to base 2 /
2943
2944	exp_b10 = (exp_b10 * `77`) >> `8`; / <= exponent to base 10 /
2945
2946	/ Avoid underflow here. /
2947	base = png_pow10(exp_b10); / May underflow /
2948
2949	while (base < DBL_MIN \|\| base < fp)
2950	{
2951	/ And this may overflow. /
2952	double test = png_pow10(exp_b10+`1`);
2953
2954	if (test <= DBL_MAX)
2955	{
2956	++exp_b10; base = test;
2957	}
2958
2959	else
2960	break;
2961	}
2962
2963	/ Normalize fp and correct exp_b10, after this fp is in the*
2964	* range [.1,1) and exp_b10 is both the exponent and the digit
2965	* before which the decimal point should be inserted
2966	* (starting with 0 for the first digit). Note that this
2967	* works even if 10^exp_b10 is out of range because of the
2968	* test on DBL_MAX above.
2969	*/
2970	fp /= base;
2971	while (fp >= `1`)
2972	{
2973	fp /= `10`; ++exp_b10;
2974	}
2975
2976	/ Because of the code above fp may, at this point, be*
2977	* less than .1, this is ok because the code below can
2978	* handle the leading zeros this generates, so no attempt
2979	* is made to correct that here.
2980	*/
2981
2982	{
2983	unsigned int czero, clead, cdigits;
2984	char exponent[`10`];
2985
2986	/ Allow up to two leading zeros - this will not lengthen*
2987	* the number compared to using E-n.
2988	*/
2989	if (exp_b10 < `0` && exp_b10 > -`3`) / PLUS 3 TOTAL 4 /
2990	{
2991	czero = `0U`-exp_b10; / PLUS 2 digits: TOTAL 3 /
2992	exp_b10 = `0`; / Dot added below before first output. /
2993	}
2994	else
2995	czero = `0`; / No zeros to add /
2996
2997	/ Generate the digit list, stripping trailing zeros and*
2998	* inserting a '.' before a digit if the exponent is 0.
2999	*/
3000	clead = czero; / Count of leading zeros /
3001	cdigits = `0`; / Count of digits in list. /
3002
3003	do
3004	{
3005	double d;
3006
3007	fp *= `10`;
3008	/ Use modf here, not floor and subtract, so that*
3009	* the separation is done in one step. At the end
3010	* of the loop don't break the number into parts so
3011	* that the final digit is rounded.
3012	*/
3013	if (cdigits+czero+`1` < precision+clead)
3014	fp = modf(fp, &d);
3015
3016	else
3017	{
3018	d = floor(fp + `.5`);
3019
3020	if (d > `9`)
3021	{
3022	/ Rounding up to 10, handle that here. /
3023	if (czero > `0`)
3024	{
3025	--czero; d = `1`;
3026	if (cdigits == `0`) --clead;
3027	}
3028	else
3029	{
3030	while (cdigits > `0` && d > `9`)
3031	{
3032	int ch = *--ascii;
3033
3034	if (exp_b10 != (-`1`))
3035	++exp_b10;
3036
3037	else if (ch == `46`)
3038	{
3039	ch = *--ascii; ++size;
3040	/ Advance exp_b10 to '1', so that the*
3041	* decimal point happens after the
3042	* previous digit.
3043	*/
3044	exp_b10 = `1`;
3045	}
3046
3047	--cdigits;
3048	d = ch - `47`; / I.e. 1+(ch-48) /
3049	}
3050
3051	/ Did we reach the beginning? If so adjust the*
3052	* exponent but take into account the leading
3053	* decimal point.
3054	*/
3055	if (d > `9`) / cdigits == 0 /
3056	{
3057	if (exp_b10 == (-`1`))
3058	{
3059	/ Leading decimal point (plus zeros?), if*
3060	* we lose the decimal point here it must
3061	* be reentered below.
3062	*/
3063	int ch = *--ascii;
3064
3065	if (ch == `46`)
3066	{
3067	++size; exp_b10 = `1`;
3068	}
3069
3070	/ Else lost a leading zero, so 'exp_b10' is*
3071	* still ok at (-1)
3072	*/
3073	}
3074	else
3075	++exp_b10;
3076
3077	/ In all cases we output a '1' /
3078	d = `1`;
3079	}
3080	}
3081	}
3082	fp = `0`; / Guarantees termination below. /
3083	}
3084
3085	if (d == `0`)
3086	{
3087	++czero;
3088	if (cdigits == `0`) ++clead;
3089	}
3090	else
3091	{
3092	/ Included embedded zeros in the digit count. /
3093	cdigits += czero - clead;
3094	clead = `0`;
3095
3096	while (czero > `0`)
3097	{
3098	/ exp_b10 == (-1) means we just output the decimal*
3099	* place - after the DP don't adjust 'exp_b10' any
3100	* more!
3101	*/
3102	if (exp_b10 != (-`1`))
3103	{
3104	if (exp_b10 == `0`)
3105	{
3106	*ascii++ = `46`; --size;
3107	}
3108	/ PLUS 1: TOTAL 4 /
3109	--exp_b10;
3110	}
3111	*ascii++ = `48`; --czero;
3112	}
3113
3114	if (exp_b10 != (-`1`))
3115	{
3116	if (exp_b10 == `0`)
3117	{
3118	ascii++ = `46`; --size; /* counted above /
3119	}
3120
3121	--exp_b10;
3122	}
3123	ascii++ = (char)(`48` + (int*)d); ++cdigits;
3124	}
3125	}
3126	while (cdigits+czero < precision+clead && fp > DBL_MIN);
3127
3128	/ The total output count (max) is now 4+precision /
3129
3130	/ Check for an exponent, if we don't need one we are*
3131	* done and just need to terminate the string. At this
3132	* point, exp_b10==(-1) is effectively a flag: it got
3133	* to '-1' because of the decrement, after outputting
3134	* the decimal point above. (The exponent required is
3135	* not -1.)
3136	*/
3137	if (exp_b10 >= (-`1`) && exp_b10 <= `2`)
3138	{
3139	/ The following only happens if we didn't output the*
3140	* leading zeros above for negative exponent, so this
3141	* doesn't add to the digit requirement. Note that the
3142	* two zeros here can only be output if the two leading
3143	* zeros were not output, so this doesn't increase
3144	* the output count.
3145	*/
3146	while (exp_b10-- > `0`) *ascii++ = `48`;
3147
3148	*ascii = `0`;
3149
3150	/ Total buffer requirement (including the '\0') is*
3151	* 5+precision - see check at the start.
3152	*/
3153	return;
3154	}
3155
3156	/ Here if an exponent is required, adjust size for*
3157	* the digits we output but did not count. The total
3158	* digit output here so far is at most 1+precision - no
3159	* decimal point and no leading or trailing zeros have
3160	* been output.
3161	*/
3162	size -= cdigits;
3163
3164	ascii++ = `69`; --size; /* 'E': PLUS 1 TOTAL 2+precision /
3165
3166	/ The following use of an unsigned temporary avoids ambiguities in*
3167	* the signed arithmetic on exp_b10 and permits GCC at least to do
3168	* better optimization.
3169	*/
3170	{
3171	unsigned int uexp_b10;
3172
3173	if (exp_b10 < `0`)
3174	{
3175	ascii++ = `45`; --size; /* '-': PLUS 1 TOTAL 3+precision /
3176	uexp_b10 = `0U`-exp_b10;
3177	}
3178
3179	else
3180	uexp_b10 = `0U`+exp_b10;
3181
3182	cdigits = `0`;
3183
3184	while (uexp_b10 > `0`)
3185	{
3186	exponent[cdigits++] = (char)(`48` + uexp_b10 % `10`);
3187	uexp_b10 /= `10`;
3188	}
3189	}
3190
3191	/ Need another size check here for the exponent digits, so*
3192	* this need not be considered above.
3193	*/
3194	if (size > cdigits)
3195	{
3196	while (cdigits > `0`) *ascii++ = exponent[--cdigits];
3197
3198	*ascii = `0`;
3199
3200	return;
3201	}
3202	}
3203	}
3204	else if (!(fp >= DBL_MIN))
3205	{
3206	ascii++ = `48`; /* '0' /
3207	*ascii = `0`;
3208	return;
3209	}
3210	else
3211	{
3212	ascii++ = `105`; /* 'i' /
3213	ascii++ = `110`; /* 'n' /
3214	ascii++ = `102`; /* 'f' /
3215	*ascii = `0`;
3216	return;
3217	}
3218	}
3219
3220	/ Here on buffer too small. /
3221	png_error(png_ptr, "ASCII conversion buffer too small");
3222	}
3223	#if GCC_STRICT_OVERFLOW
3224	#pragma GCC diagnostic pop
3225	#endif /* GCC_STRICT_OVERFLOW */
3226
3227	# endif /* FLOATING_POINT */
3228
3229	# ifdef PNG_FIXED_POINT_SUPPORTED
3230	/ Function to format a fixed point value in ASCII.*
3231	*/
3232	void / PRIVATE /
3233	png_ascii_from_fixed(png_const_structrp png_ptr, png_charp ascii,
3234	size_t size, png_fixed_point fp)
3235	{
3236	/ Require space for 10 decimal digits, a decimal point, a minus sign and a*
3237	* trailing \0, 13 characters:
3238	*/
3239	if (size > `12`)
3240	{
3241	png_uint_32 num;
3242
3243	/ Avoid overflow here on the minimum integer. /
3244	if (fp < `0`)
3245	{
3246	*ascii++ = `45`; num = (png_uint_32)(-fp);
3247	}
3248	else
3249	num = (png_uint_32)fp;
3250
3251	if (num <= `0x80000000`) / else overflowed /
3252	{
3253	unsigned int ndigits = `0`, first = `16` / flag value /;
3254	char digits[`10`];
3255
3256	while (num)
3257	{
3258	/ Split the low digit off num: /
3259	unsigned int tmp = num/`10`;
3260	num -= tmp*`10`;
3261	digits[ndigits++] = (char)(`48` + num);
3262	/ Record the first non-zero digit, note that this is a number*
3263	* starting at 1, it's not actually the array index.
3264	*/
3265	if (first == `16` && num > `0`)
3266	first = ndigits;
3267	num = tmp;
3268	}
3269
3270	if (ndigits > `0`)
3271	{
3272	while (ndigits > `5`) *ascii++ = digits[--ndigits];
3273	/ The remaining digits are fractional digits, ndigits is '5' or*
3274	* smaller at this point. It is certainly not zero. Check for a
3275	* non-zero fractional digit:
3276	*/
3277	if (first <= `5`)
3278	{
3279	unsigned int i;
3280	ascii++ = `46`; /* decimal point /
3281	/ ndigits may be <5 for small numbers, output leading zeros*
3282	* then ndigits digits to first:
3283	*/
3284	i = `5`;
3285	while (ndigits < i)
3286	{
3287	*ascii++ = `48`; --i;
3288	}
3289	while (ndigits >= first) *ascii++ = digits[--ndigits];
3290	/ Don't output the trailing zeros! /
3291	}
3292	}
3293	else
3294	*ascii++ = `48`;
3295
3296	/ And null terminate the string: /
3297	*ascii = `0`;
3298	return;
3299	}
3300	}
3301
3302	/ Here on buffer too small. /
3303	png_error(png_ptr, "ASCII conversion buffer too small");
3304	}
3305	# endif /* FIXED_POINT */
3306	#endif /* SCAL */
3307
3308	#if defined(PNG_FLOATING_POINT_SUPPORTED) && \
3309	!defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \
3310	(defined(PNG_gAMA_SUPPORTED) \|\| defined(PNG_cHRM_SUPPORTED) \|\| \
3311	defined(PNG_sCAL_SUPPORTED) \|\| defined(PNG_READ_BACKGROUND_SUPPORTED) \|\| \
3312	defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)) \|\| \
3313	(defined(PNG_sCAL_SUPPORTED) && \
3314	defined(PNG_FLOATING_ARITHMETIC_SUPPORTED))
3315	png_fixed_point
3316	png_fixed(png_const_structrp png_ptr, double fp, png_const_charp text)
3317	{
3318	double r = floor(`100000` * fp + `.5`);
3319
3320	if (r > `2147483647.` \|\| r < -`2147483648.`)
3321	png_fixed_error(png_ptr, text);
3322
3323	# ifndef PNG_ERROR_TEXT_SUPPORTED
3324	PNG_UNUSED(text)
3325	# endif
3326
3327	return (png_fixed_point)r;
3328	}
3329	#endif
3330
3331	#if defined(PNG_GAMMA_SUPPORTED) \|\| defined(PNG_COLORSPACE_SUPPORTED) \|\|\
3332	defined(PNG_INCH_CONVERSIONS_SUPPORTED) \|\| defined(PNG_READ_pHYs_SUPPORTED)
3333	/ muldiv functions /
3334	/ This API takes signed arguments and rounds the result to the nearest*
3335	* integer (or, for a fixed point number - the standard argument - to
3336	* the nearest .00001). Overflow and divide by zero are signalled in
3337	* the result, a boolean - true on success, false on overflow.
3338	*/
3339	#if GCC_STRICT_OVERFLOW /* from above */
3340	/ It is not obvious which comparison below gets optimized in such a way that*
3341	* signed overflow would change the result; looking through the code does not
3342	* reveal any tests which have the form GCC complains about, so presumably the
3343	* optimizer is moving an add or subtract into the 'if' somewhere.
3344	*/
3345	#pragma GCC diagnostic push
3346	#pragma GCC diagnostic warning "-Wstrict-overflow=2"
3347	#endif /* GCC_STRICT_OVERFLOW */
3348	int
3349	png_muldiv(png_fixed_point_p res, png_fixed_point a, png_int_32 times,
3350	png_int_32 divisor)
3351	{
3352	/ Return a * times / divisor, rounded. /
3353	if (divisor != `0`)
3354	{
3355	if (a == `0` \|\| times == `0`)
3356	{
3357	*res = `0`;
3358	return `1`;
3359	}
3360	else
3361	{
3362	#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3363	double r = a;
3364	r *= times;
3365	r /= divisor;
3366	r = floor(r+`.5`);
3367
3368	/ A png_fixed_point is a 32-bit integer. /
3369	if (r <= `2147483647.` && r >= -`2147483648.`)
3370	{
3371	*res = (png_fixed_point)r;
3372	return `1`;
3373	}
3374	#else
3375	int negative = `0`;
3376	png_uint_32 A, T, D;
3377	png_uint_32 s16, s32, s00;
3378
3379	if (a < `0`)
3380	negative = `1`, A = -a;
3381	else
3382	A = a;
3383
3384	if (times < `0`)
3385	negative = !negative, T = -times;
3386	else
3387	T = times;
3388
3389	if (divisor < `0`)
3390	negative = !negative, D = -divisor;
3391	else
3392	D = divisor;
3393
3394	/ Following can't overflow because the arguments only*
3395	* have 31 bits each, however the result may be 32 bits.
3396	*/
3397	s16 = (A >> `16`) * (T & `0xffff`) +
3398	(A & `0xffff`) * (T >> `16`);
3399	/ Can't overflow because the atimes bit is only 30
3400	* bits at most.
3401	*/
3402	s32 = (A >> `16`) * (T >> `16`) + (s16 >> `16`);
3403	s00 = (A & `0xffff`) * (T & `0xffff`);
3404
3405	s16 = (s16 & `0xffff`) << `16`;
3406	s00 += s16;
3407
3408	if (s00 < s16)
3409	++s32; / carry /
3410
3411	if (s32 < D) / else overflow /
3412	{
3413	/ s32.s00 is now the 64-bit product, do a standard*
3414	* division, we know that s32 < D, so the maximum
3415	* required shift is 31.
3416	*/
3417	int bitshift = `32`;
3418	png_fixed_point result = `0`; / NOTE: signed /
3419
3420	while (--bitshift >= `0`)
3421	{
3422	png_uint_32 d32, d00;
3423
3424	if (bitshift > `0`)
3425	d32 = D >> (`32`-bitshift), d00 = D << bitshift;
3426
3427	else
3428	d32 = `0`, d00 = D;
3429
3430	if (s32 > d32)
3431	{
3432	if (s00 < d00) --s32; / carry /
3433	s32 -= d32, s00 -= d00, result += `1`<<bitshift;
3434	}
3435
3436	else
3437	if (s32 == d32 && s00 >= d00)
3438	s32 = `0`, s00 -= d00, result += `1`<<bitshift;
3439	}
3440
3441	/ Handle the rounding. /
3442	if (s00 >= (D >> `1`))
3443	++result;
3444
3445	if (negative != `0`)
3446	result = -result;
3447
3448	/ Check for overflow. /
3449	if ((negative != `0` && result <= `0`) \|\|
3450	(negative == `0` && result >= `0`))
3451	{
3452	*res = result;
3453	return `1`;
3454	}
3455	}
3456	#endif
3457	}
3458	}
3459
3460	return `0`;
3461	}
3462	#if GCC_STRICT_OVERFLOW
3463	#pragma GCC diagnostic pop
3464	#endif /* GCC_STRICT_OVERFLOW */
3465	#endif /* READ_GAMMA \|\| INCH_CONVERSIONS */
3466
3467	#if defined(PNG_READ_GAMMA_SUPPORTED) \|\| defined(PNG_INCH_CONVERSIONS_SUPPORTED)
3468	/ The following is for when the caller doesn't much care about the*
3469	* result.
3470	*/
3471	png_fixed_point
3472	png_muldiv_warn(png_const_structrp png_ptr, png_fixed_point a, png_int_32 times,
3473	png_int_32 divisor)
3474	{
3475	png_fixed_point result;
3476
3477	if (png_muldiv(&result, a, times, divisor) != `0`)
3478	return result;
3479
3480	png_warning(png_ptr, "fixed point overflow ignored");
3481	return `0`;
3482	}
3483	#endif
3484
3485	#ifdef PNG_GAMMA_SUPPORTED /* more fixed point functions for gamma */
3486	/ Calculate a reciprocal, return 0 on div-by-zero or overflow. /
3487	png_fixed_point
3488	png_reciprocal(png_fixed_point a)
3489	{
3490	#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3491	double r = floor(`1E10`/a+`.5`);
3492
3493	if (r <= `2147483647.` && r >= -`2147483648.`)
3494	return (png_fixed_point)r;
3495	#else
3496	png_fixed_point res;
3497
3498	if (png_muldiv(&res, `100000`, `100000`, a) != `0`)
3499	return res;
3500	#endif
3501
3502	return `0`; / error/overflow /
3503	}
3504
3505	/ This is the shared test on whether a gamma value is 'significant' - whether*
3506	* it is worth doing gamma correction.
3507	*/
3508	int / PRIVATE /
3509	png_gamma_significant(png_fixed_point gamma_val)
3510	{
3511	return gamma_val < PNG_FP_1 - PNG_GAMMA_THRESHOLD_FIXED \|\|
3512	gamma_val > PNG_FP_1 + PNG_GAMMA_THRESHOLD_FIXED;
3513	}
3514	#endif
3515
3516	#ifdef PNG_READ_GAMMA_SUPPORTED
3517	#ifdef PNG_16BIT_SUPPORTED
3518	/ A local convenience routine. /
3519	static png_fixed_point
3520	png_product2(png_fixed_point a, png_fixed_point b)
3521	{
3522	/ The required result is 1/a * 1/b; the following preserves accuracy. /
3523	#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3524	double r = a * `1E-5`;
3525	r *= b;
3526	r = floor(r+`.5`);
3527
3528	if (r <= `2147483647.` && r >= -`2147483648.`)
3529	return (png_fixed_point)r;
3530	#else
3531	png_fixed_point res;
3532
3533	if (png_muldiv(&res, a, b, `100000`) != `0`)
3534	return res;
3535	#endif
3536
3537	return `0`; / overflow /
3538	}
3539	#endif /* 16BIT */
3540
3541	/ The inverse of the above. /
3542	png_fixed_point
3543	png_reciprocal2(png_fixed_point a, png_fixed_point b)
3544	{
3545	/ The required result is 1/a * 1/b; the following preserves accuracy. /
3546	#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3547	if (a != `0` && b != `0`)
3548	{
3549	double r = `1E15`/a;
3550	r /= b;
3551	r = floor(r+`.5`);
3552
3553	if (r <= `2147483647.` && r >= -`2147483648.`)
3554	return (png_fixed_point)r;
3555	}
3556	#else
3557	/ This may overflow because the range of png_fixed_point isn't symmetric,*
3558	* but this API is only used for the product of file and screen gamma so it
3559	* doesn't matter that the smallest number it can produce is 1/21474, not
3560	* 1/100000
3561	*/
3562	png_fixed_point res = png_product2(a, b);
3563
3564	if (res != `0`)
3565	return png_reciprocal(res);
3566	#endif
3567
3568	return `0`; / overflow /
3569	}
3570	#endif /* READ_GAMMA */
3571
3572	#ifdef PNG_READ_GAMMA_SUPPORTED /* gamma table code */
3573	#ifndef PNG_FLOATING_ARITHMETIC_SUPPORTED
3574	/ Fixed point gamma.*
3575	*
3576	* The code to calculate the tables used below can be found in the shell script
3577	* contrib/tools/intgamma.sh
3578	*
3579	* To calculate gamma this code implements fast log() and exp() calls using only
3580	* fixed point arithmetic. This code has sufficient precision for either 8-bit
3581	* or 16-bit sample values.
3582	*
3583	* The tables used here were calculated using simple 'bc' programs, but C double
3584	* precision floating point arithmetic would work fine.
3585	*
3586	* 8-bit log table
3587	* This is a table of -log(value/255)/log(2) for 'value' in the range 128 to
3588	* 255, so it's the base 2 logarithm of a normalized 8-bit floating point
3589	* mantissa. The numbers are 32-bit fractions.
3590	*/
3591	static const png_uint_32
3592	png_8bit_l2[`128`] =
3593	{
3594	`4270715492U`, `4222494797U`, `4174646467U`, `4127164793U`, `4080044201U`, `4033279239U`,
3595	`3986864580U`, `3940795015U`, `3895065449U`, `3849670902U`, `3804606499U`, `3759867474U`,
3596	`3715449162U`, `3671346997U`, `3627556511U`, `3584073329U`, `3540893168U`, `3498011834U`,
3597	`3455425220U`, `3413129301U`, `3371120137U`, `3329393864U`, `3287946700U`, `3246774933U`,
3598	`3205874930U`, `3165243125U`, `3124876025U`, `3084770202U`, `3044922296U`, `3005329011U`,
3599	`2965987113U`, `2926893432U`, `2888044853U`, `2849438323U`, `2811070844U`, `2772939474U`,
3600	`2735041326U`, `2697373562U`, `2659933400U`, `2622718104U`, `2585724991U`, `2548951424U`,
3601	`2512394810U`, `2476052606U`, `2439922311U`, `2404001468U`, `2368287663U`, `2332778523U`,
3602	`2297471715U`, `2262364947U`, `2227455964U`, `2192742551U`, `2158222529U`, `2123893754U`,
3603	`2089754119U`, `2055801552U`, `2022034013U`, `1988449497U`, `1955046031U`, `1921821672U`,
3604	`1888774511U`, `1855902668U`, `1823204291U`, `1790677560U`, `1758320682U`, `1726131893U`,
3605	`1694109454U`, `1662251657U`, `1630556815U`, `1599023271U`, `1567649391U`, `1536433567U`,
3606	`1505374214U`, `1474469770U`, `1443718700U`, `1413119487U`, `1382670639U`, `1352370686U`,
3607	`1322218179U`, `1292211689U`, `1262349810U`, `1232631153U`, `1203054352U`, `1173618059U`,
3608	`1144320946U`, `1115161701U`, `1086139034U`, `1057251672U`, `1028498358U`, `999877854U`,
3609	`971388940U`, `943030410U`, `914801076U`, `886699767U`, `858725327U`, `830876614U`,
3610	`803152505U`, `775551890U`, `748073672U`, `720716771U`, `693480120U`, `666362667U`,
3611	`639363374U`, `612481215U`, `585715177U`, `559064263U`, `532527486U`, `506103872U`,
3612	`479792461U`, `453592303U`, `427502463U`, `401522014U`, `375650043U`, `349885648U`,
3613	`324227938U`, `298676034U`, `273229066U`, `247886176U`, `222646516U`, `197509248U`,
3614	`172473545U`, `147538590U`, `122703574U`, `97967701U`, `73330182U`, `48790236U`,
3615	`24347096U`, `0U`
3616
3617	#if 0
3618	/ The following are the values for 16-bit tables - these work fine for the*
3619	* 8-bit conversions but produce very slightly larger errors in the 16-bit
3620	* log (about 1.2 as opposed to 0.7 absolute error in the final value). To
3621	* use these all the shifts below must be adjusted appropriately.
3622	*/
3623	`65166`, `64430`, `63700`, `62976`, `62257`, `61543`, `60835`, `60132`, `59434`, `58741`, `58054`,
3624	`57371`, `56693`, `56020`, `55352`, `54689`, `54030`, `53375`, `52726`, `52080`, `51439`, `50803`,
3625	`50170`, `49542`, `48918`, `48298`, `47682`, `47070`, `46462`, `45858`, `45257`, `44661`, `44068`,
3626	`43479`, `42894`, `42312`, `41733`, `41159`, `40587`, `40020`, `39455`, `38894`, `38336`, `37782`,
3627	`37230`, `36682`, `36137`, `35595`, `35057`, `34521`, `33988`, `33459`, `32932`, `32408`, `31887`,
3628	`31369`, `30854`, `30341`, `29832`, `29325`, `28820`, `28319`, `27820`, `27324`, `26830`, `26339`,
3629	`25850`, `25364`, `24880`, `24399`, `23920`, `23444`, `22970`, `22499`, `22029`, `21562`, `21098`,
3630	`20636`, `20175`, `19718`, `19262`, `18808`, `18357`, `17908`, `17461`, `17016`, `16573`, `16132`,
3631	`15694`, `15257`, `14822`, `14390`, `13959`, `13530`, `13103`, `12678`, `12255`, `11834`, `11415`,
3632	`10997`, `10582`, `10168`, `9756`, `9346`, `8937`, `8531`, `8126`, `7723`, `7321`, `6921`, `6523`,
3633	`6127`, `5732`, `5339`, `4947`, `4557`, `4169`, `3782`, `3397`, `3014`, `2632`, `2251`, `1872`, `1495`,
3634	`1119`, `744`, `372`
3635	#endif
3636	};
3637
3638	static png_int_32
3639	png_log8bit(unsigned int x)
3640	{
3641	unsigned int lg2 = `0`;
3642	/ Each time 'x' is multiplied by 2, 1 must be subtracted off the final log,*
3643	* because the log is actually negate that means adding 1. The final
3644	* returned value thus has the range 0 (for 255 input) to 7.994 (for 1
3645	* input), return -1 for the overflow (log 0) case, - so the result is
3646	* always at most 19 bits.
3647	*/
3648	if ((x &= `0xff`) == `0`)
3649	return -`1`;
3650
3651	if ((x & `0xf0`) == `0`)
3652	lg2 = `4`, x <<= `4`;
3653
3654	if ((x & `0xc0`) == `0`)
3655	lg2 += `2`, x <<= `2`;
3656
3657	if ((x & `0x80`) == `0`)
3658	lg2 += `1`, x <<= `1`;
3659
3660	/ result is at most 19 bits, so this cast is safe: /
3661	return (png_int_32)((lg2 << `16`) + ((png_8bit_l2[x-`128`]+`32768`)>>`16`));
3662	}
3663
3664	/ The above gives exact (to 16 binary places) log2 values for 8-bit images,*
3665	* for 16-bit images we use the most significant 8 bits of the 16-bit value to
3666	* get an approximation then multiply the approximation by a correction factor
3667	* determined by the remaining up to 8 bits. This requires an additional step
3668	* in the 16-bit case.
3669	*
3670	* We want log2(value/65535), we have log2(v'/255), where:
3671	*
3672	* value = v' * 256 + v''
3673	* = v' * f
3674	*
3675	* So f is value/v', which is equal to (256+v''/v') since v' is in the range 128
3676	* to 255 and v'' is in the range 0 to 255 f will be in the range 256 to less
3677	* than 258. The final factor also needs to correct for the fact that our 8-bit
3678	* value is scaled by 255, whereas the 16-bit values must be scaled by 65535.
3679	*
3680	* This gives a final formula using a calculated value 'x' which is value/v' and
3681	* scaling by 65536 to match the above table:
3682	*
3683	* log2(x/257) * 65536
3684	*
3685	* Since these numbers are so close to '1' we can use simple linear
3686	* interpolation between the two end values 256/257 (result -368.61) and 258/257
3687	* (result 367.179). The values used below are scaled by a further 64 to give
3688	* 16-bit precision in the interpolation:
3689	*
3690	* Start (256): -23591
3691	* Zero (257): 0
3692	* End (258): 23499
3693	*/
3694	#ifdef PNG_16BIT_SUPPORTED
3695	static png_int_32
3696	png_log16bit(png_uint_32 x)
3697	{
3698	unsigned int lg2 = `0`;
3699
3700	/ As above, but now the input has 16 bits. /
3701	if ((x &= `0xffff`) == `0`)
3702	return -`1`;
3703
3704	if ((x & `0xff00`) == `0`)
3705	lg2 = `8`, x <<= `8`;
3706
3707	if ((x & `0xf000`) == `0`)
3708	lg2 += `4`, x <<= `4`;
3709
3710	if ((x & `0xc000`) == `0`)
3711	lg2 += `2`, x <<= `2`;
3712
3713	if ((x & `0x8000`) == `0`)
3714	lg2 += `1`, x <<= `1`;
3715
3716	/ Calculate the base logarithm from the top 8 bits as a 28-bit fractional*
3717	* value.
3718	*/
3719	lg2 <<= `28`;
3720	lg2 += (png_8bit_l2[(x>>`8`)-`128`]+`8`) >> `4`;
3721
3722	/ Now we need to interpolate the factor, this requires a division by the top*
3723	* 8 bits. Do this with maximum precision.
3724	*/
3725	x = ((x << `16`) + (x >> `9`)) / (x >> `8`);
3726
3727	/ Since we divided by the top 8 bits of 'x' there will be a '1' at 1<<24,*
3728	* the value at 1<<16 (ignoring this) will be 0 or 1; this gives us exactly
3729	* 16 bits to interpolate to get the low bits of the result. Round the
3730	* answer. Note that the end point values are scaled by 64 to retain overall
3731	* precision and that 'lg2' is current scaled by an extra 12 bits, so adjust
3732	* the overall scaling by 6-12. Round at every step.
3733	*/
3734	x -= `1U` << `24`;
3735
3736	if (x <= `65536U`) / <= '257' /
3737	lg2 += ((`23591U` * (`65536U`-x)) + (`1U` << (`16`+`6`-`12`-`1`))) >> (`16`+`6`-`12`);
3738
3739	else
3740	lg2 -= ((`23499U` * (x-`65536U`)) + (`1U` << (`16`+`6`-`12`-`1`))) >> (`16`+`6`-`12`);
3741
3742	/ Safe, because the result can't have more than 20 bits: /
3743	return (png_int_32)((lg2 + `2048`) >> `12`);
3744	}
3745	#endif /* 16BIT */
3746
3747	/ The 'exp()' case must invert the above, taking a 20-bit fixed point*
3748	* logarithmic value and returning a 16 or 8-bit number as appropriate. In
3749	* each case only the low 16 bits are relevant - the fraction - since the
3750	* integer bits (the top 4) simply determine a shift.
3751	*
3752	* The worst case is the 16-bit distinction between 65535 and 65534. This
3753	* requires perhaps spurious accuracy in the decoding of the logarithm to
3754	* distinguish log2(65535/65534.5) - 10^-5 or 17 bits. There is little chance
3755	* of getting this accuracy in practice.
3756	*
3757	* To deal with this the following exp() function works out the exponent of the
3758	* fractional part of the logarithm by using an accurate 32-bit value from the
3759	* top four fractional bits then multiplying in the remaining bits.
3760	*/
3761	static const png_uint_32
3762	png_32bit_exp[`16`] =
3763	{
3764	/ NOTE: the first entry is deliberately set to the maximum 32-bit value. /
3765	`4294967295U`, `4112874773U`, `3938502376U`, `3771522796U`, `3611622603U`, `3458501653U`,
3766	`3311872529U`, `3171459999U`, `3037000500U`, `2908241642U`, `2784941738U`, `2666869345U`,
3767	`2553802834U`, `2445529972U`, `2341847524U`, `2242560872U`
3768	};
3769
3770	/ Adjustment table; provided to explain the numbers in the code below. /
3771	#if 0
3772	for (i=`11`;i>=`0`;--i){ print i, " ", (`1` - e(-(`2`^i)/`65536`l(`2`))) `2`^(`32`-i), "\n"}
3773	`11` `44937.64284865548751208448`
3774	`10` `45180.98734845585101160448`
3775	`9` `45303.31936980687359311872`
3776	`8` `45364.65110595323018870784`
3777	`7` `45395.35850361789624614912`
3778	`6` `45410.72259715102037508096`
3779	`5` `45418.40724413220722311168`
3780	`4` `45422.25021786898173001728`
3781	`3` `45424.17186732298419044352`
3782	`2` `45425.13273269940811464704`
3783	`1` `45425.61317555035558641664`
3784	`0` `45425.85339951654943850496`
3785	#endif
3786
3787	static png_uint_32
3788	png_exp(png_fixed_point x)
3789	{
3790	if (x > `0` && x <= `0xfffff`) / Else overflow or zero (underflow) /
3791	{
3792	/ Obtain a 4-bit approximation /
3793	png_uint_32 e = png_32bit_exp[(x >> `12`) & `0x0f`];
3794
3795	/ Incorporate the low 12 bits - these decrease the returned value by*
3796	* multiplying by a number less than 1 if the bit is set. The multiplier
3797	* is determined by the above table and the shift. Notice that the values
3798	* converge on 45426 and this is used to allow linear interpolation of the
3799	* low bits.
3800	*/
3801	if (x & `0x800`)
3802	e -= (((e >> `16`) * `44938U`) + `16U`) >> `5`;
3803
3804	if (x & `0x400`)
3805	e -= (((e >> `16`) * `45181U`) + `32U`) >> `6`;
3806
3807	if (x & `0x200`)
3808	e -= (((e >> `16`) * `45303U`) + `64U`) >> `7`;
3809
3810	if (x & `0x100`)
3811	e -= (((e >> `16`) * `45365U`) + `128U`) >> `8`;
3812
3813	if (x & `0x080`)
3814	e -= (((e >> `16`) * `45395U`) + `256U`) >> `9`;
3815
3816	if (x & `0x040`)
3817	e -= (((e >> `16`) * `45410U`) + `512U`) >> `10`;
3818
3819	/ And handle the low 6 bits in a single block. /
3820	e -= (((e >> `16`) * `355U` * (x & `0x3fU`)) + `256U`) >> `9`;
3821
3822	/ Handle the upper bits of x. /
3823	e >>= x >> `16`;
3824	return e;
3825	}
3826
3827	/ Check for overflow /
3828	if (x <= `0`)
3829	return png_32bit_exp[`0`];
3830
3831	/ Else underflow /
3832	return `0`;
3833	}
3834
3835	static png_byte
3836	png_exp8bit(png_fixed_point lg2)
3837	{
3838	/ Get a 32-bit value: /
3839	png_uint_32 x = png_exp(lg2);
3840
3841	/ Convert the 32-bit value to 0..255 by multiplying by 256-1. Note that the*
3842	* second, rounding, step can't overflow because of the first, subtraction,
3843	* step.
3844	*/
3845	x -= x >> `8`;
3846	return (png_byte)(((x + `0x7fffffU`) >> `24`) & `0xff`);
3847	}
3848
3849	#ifdef PNG_16BIT_SUPPORTED
3850	static png_uint_16
3851	png_exp16bit(png_fixed_point lg2)
3852	{
3853	/ Get a 32-bit value: /
3854	png_uint_32 x = png_exp(lg2);
3855
3856	/ Convert the 32-bit value to 0..65535 by multiplying by 65536-1: /
3857	x -= x >> `16`;
3858	return (png_uint_16)((x + `32767U`) >> `16`);
3859	}
3860	#endif /* 16BIT */
3861	#endif /* FLOATING_ARITHMETIC */
3862
3863	png_byte
3864	png_gamma_8bit_correct(unsigned int value, png_fixed_point gamma_val)
3865	{
3866	if (value > `0` && value < `255`)
3867	{
3868	# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3869	/ 'value' is unsigned, ANSI-C90 requires the compiler to correctly*
3870	* convert this to a floating point value. This includes values that
3871	* would overflow if 'value' were to be converted to 'int'.
3872	*
3873	* Apparently GCC, however, does an intermediate conversion to (int)
3874	* on some (ARM) but not all (x86) platforms, possibly because of
3875	* hardware FP limitations. (E.g. if the hardware conversion always
3876	* assumes the integer register contains a signed value.) This results
3877	* in ANSI-C undefined behavior for large values.
3878	*
3879	* Other implementations on the same machine might actually be ANSI-C90
3880	* conformant and therefore compile spurious extra code for the large
3881	* values.
3882	*
3883	* We can be reasonably sure that an unsigned to float conversion
3884	* won't be faster than an int to float one. Therefore this code
3885	* assumes responsibility for the undefined behavior, which it knows
3886	* can't happen because of the check above.
3887	*
3888	* Note the argument to this routine is an (unsigned int) because, on
3889	* 16-bit platforms, it is assigned a value which might be out of
3890	* range for an (int); that would result in undefined behavior in the
3891	* caller if the argument ('value') were to be declared (int).
3892	*/
3893	double r = floor(`255`pow((int)/SAFE/value/`255.`,gamma_val`.00001`)+`.5`);
3894	return (png_byte)r;
3895	# else
3896	png_int_32 lg2 = png_log8bit(value);
3897	png_fixed_point res;
3898
3899	if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != `0`)
3900	return png_exp8bit(res);
3901
3902	/ Overflow. /
3903	value = `0`;
3904	# endif
3905	}
3906
3907	return (png_byte)(value & `0xff`);
3908	}
3909
3910	#ifdef PNG_16BIT_SUPPORTED
3911	png_uint_16
3912	png_gamma_16bit_correct(unsigned int value, png_fixed_point gamma_val)
3913	{
3914	if (value > `0` && value < `65535`)
3915	{
3916	# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3917	/ The same (unsigned int)->(double) constraints apply here as above,*
3918	* however in this case the (unsigned int) to (int) conversion can
3919	* overflow on an ANSI-C90 compliant system so the cast needs to ensure
3920	* that this is not possible.
3921	*/
3922	double r = floor(`65535`*pow((png_int_32)value/`65535.`,
3923	gamma_val*`.00001`)+`.5`);
3924	return (png_uint_16)r;
3925	# else
3926	png_int_32 lg2 = png_log16bit(value);
3927	png_fixed_point res;
3928
3929	if (png_muldiv(&res, gamma_val, lg2, PNG_FP_1) != `0`)
3930	return png_exp16bit(res);
3931
3932	/ Overflow. /
3933	value = `0`;
3934	# endif
3935	}
3936
3937	return (png_uint_16)value;
3938	}
3939	#endif /* 16BIT */
3940
3941	/ This does the right thing based on the bit_depth field of the*
3942	* png_struct, interpreting values as 8-bit or 16-bit. While the result
3943	* is nominally a 16-bit value if bit depth is 8 then the result is
3944	* 8-bit (as are the arguments.)
3945	*/
3946	png_uint_16 / PRIVATE /
3947	png_gamma_correct(png_structrp png_ptr, unsigned int value,
3948	png_fixed_point gamma_val)
3949	{
3950	if (png_ptr->bit_depth == `8`)
3951	return png_gamma_8bit_correct(value, gamma_val);
3952
3953	#ifdef PNG_16BIT_SUPPORTED
3954	else
3955	return png_gamma_16bit_correct(value, gamma_val);
3956	#else
3957	/ should not reach this /
3958	return `0`;
3959	#endif /* 16BIT */
3960	}
3961
3962	#ifdef PNG_16BIT_SUPPORTED
3963	/ Internal function to build a single 16-bit table - the table consists of*
3964	* 'num' 256 entry subtables, where 'num' is determined by 'shift' - the amount
3965	* to shift the input values right (or 16-number_of_signifiant_bits).
3966	*
3967	* The caller is responsible for ensuring that the table gets cleaned up on
3968	* png_error (i.e. if one of the mallocs below fails) - i.e. the *table argument
3969	* should be somewhere that will be cleaned.
3970	*/
3971	static void
3972	png_build_16bit_table(png_structrp png_ptr, png_uint_16pp *ptable,
3973	unsigned int shift, png_fixed_point gamma_val)
3974	{
3975	/ Various values derived from 'shift': /
3976	unsigned int num = `1U` << (`8U` - shift);
3977	#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
3978	/ CSE the division and work round wacky GCC warnings (see the comments*
3979	* in png_gamma_8bit_correct for where these come from.)
3980	*/
3981	double fmax = `1.0` / (((png_int_32)`1` << (`16U` - shift)) - `1`);
3982	#endif
3983	unsigned int max = (`1U` << (`16U` - shift)) - `1U`;
3984	unsigned int max_by_2 = `1U` << (`15U` - shift);
3985	unsigned int i;
3986
3987	png_uint_16pp table = *ptable =
3988	(png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
3989
3990	for (i = `0`; i < num; i++)
3991	{
3992	png_uint_16p sub_table = table[i] =
3993	(png_uint_16p)png_malloc(png_ptr, `256` * (sizeof (png_uint_16)));
3994
3995	/ The 'threshold' test is repeated here because it can arise for one of*
3996	* the 16-bit tables even if the others don't hit it.
3997	*/
3998	if (png_gamma_significant(gamma_val) != `0`)
3999	{
4000	/ The old code would overflow at the end and this would cause the*
4001	* 'pow' function to return a result >1, resulting in an
4002	* arithmetic error. This code follows the spec exactly; ig is
4003	* the recovered input sample, it always has 8-16 bits.
4004	*
4005	* We want input * 65535/max, rounded, the arithmetic fits in 32
4006	* bits (unsigned) so long as max <= 32767.
4007	*/
4008	unsigned int j;
4009	for (j = `0`; j < `256`; j++)
4010	{
4011	png_uint_32 ig = (j << (`8`-shift)) + i;
4012	# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED
4013	/ Inline the 'max' scaling operation: /
4014	/ See png_gamma_8bit_correct for why the cast to (int) is*
4015	* required here.
4016	*/
4017	double d = floor(`65535.`pow(igfmax, gamma_val*`.00001`)+`.5`);
4018	sub_table[j] = (png_uint_16)d;
4019	# else
4020	if (shift != `0`)
4021	ig = (ig * `65535U` + max_by_2)/max;
4022
4023	sub_table[j] = png_gamma_16bit_correct(ig, gamma_val);
4024	# endif
4025	}
4026	}
4027	else
4028	{
4029	/ We must still build a table, but do it the fast way. /
4030	unsigned int j;
4031
4032	for (j = `0`; j < `256`; j++)
4033	{
4034	png_uint_32 ig = (j << (`8`-shift)) + i;
4035
4036	if (shift != `0`)
4037	ig = (ig * `65535U` + max_by_2)/max;
4038
4039	sub_table[j] = (png_uint_16)ig;
4040	}
4041	}
4042	}
4043	}
4044
4045	/ NOTE: this function expects the inverse of the overall gamma transformation*
4046	* required.
4047	*/
4048	static void
4049	png_build_16to8_table(png_structrp png_ptr, png_uint_16pp *ptable,
4050	unsigned int shift, png_fixed_point gamma_val)
4051	{
4052	unsigned int num = `1U` << (`8U` - shift);
4053	unsigned int max = (`1U` << (`16U` - shift))-`1U`;
4054	unsigned int i;
4055	png_uint_32 last;
4056
4057	png_uint_16pp table = *ptable =
4058	(png_uint_16pp)png_calloc(png_ptr, num * (sizeof (png_uint_16p)));
4059
4060	/ 'num' is the number of tables and also the number of low bits of low*
4061	* bits of the input 16-bit value used to select a table. Each table is
4062	* itself indexed by the high 8 bits of the value.
4063	*/
4064	for (i = `0`; i < num; i++)
4065	table[i] = (png_uint_16p)png_malloc(png_ptr,
4066	`256` * (sizeof (png_uint_16)));
4067
4068	/ 'gamma_val' is set to the reciprocal of the value calculated above, so*
4069	* pow(out,g) is an input value. 'last' is the last input value set.
4070	*
4071	* In the loop 'i' is used to find output values. Since the output is
4072	* 8-bit there are only 256 possible values. The tables are set up to
4073	* select the closest possible output value for each input by finding
4074	* the input value at the boundary between each pair of output values
4075	* and filling the table up to that boundary with the lower output
4076	* value.
4077	*
4078	* The boundary values are 0.5,1.5..253.5,254.5. Since these are 9-bit
4079	* values the code below uses a 16-bit value in i; the values start at
4080	* 128.5 (for 0.5) and step by 257, for a total of 254 values (the last
4081	* entries are filled with 255). Start i at 128 and fill all 'last'
4082	* table entries <= 'max'
4083	*/
4084	last = `0`;
4085	for (i = `0`; i < `255`; ++i) / 8-bit output value /
4086	{
4087	/ Find the corresponding maximum input value /
4088	png_uint_16 out = (png_uint_16)(i * `257U`); / 16-bit output value /
4089
4090	/ Find the boundary value in 16 bits: /
4091	png_uint_32 bound = png_gamma_16bit_correct(out+`128U`, gamma_val);
4092
4093	/ Adjust (round) to (16-shift) bits: /
4094	bound = (bound * max + `32768U`)/`65535U` + `1U`;
4095
4096	while (last < bound)
4097	{
4098	table[last & (`0xffU` >> shift)][last >> (`8U` - shift)] = out;
4099	last++;
4100	}
4101	}
4102
4103	/ And fill in the final entries. /
4104	while (last < (num << `8`))
4105	{
4106	table[last & (`0xff` >> shift)][last >> (`8U` - shift)] = `65535U`;
4107	last++;
4108	}
4109	}
4110	#endif /* 16BIT */
4111
4112	/ Build a single 8-bit table: same as the 16-bit case but much simpler (and*
4113	* typically much faster). Note that libpng currently does no sBIT processing
4114	* (apparently contrary to the spec) so a 256-entry table is always generated.
4115	*/
4116	static void
4117	png_build_8bit_table(png_structrp png_ptr, png_bytepp ptable,
4118	png_fixed_point gamma_val)
4119	{
4120	unsigned int i;
4121	png_bytep table = *ptable = (png_bytep)png_malloc(png_ptr, `256`);
4122
4123	if (png_gamma_significant(gamma_val) != `0`)
4124	for (i=`0`; i<`256`; i++)
4125	table[i] = png_gamma_8bit_correct(i, gamma_val);
4126
4127	else
4128	for (i=`0`; i<`256`; ++i)
4129	table[i] = (png_byte)(i & `0xff`);
4130	}
4131
4132	/ Used from png_read_destroy and below to release the memory used by the gamma*
4133	* tables.
4134	*/
4135	void / PRIVATE /
4136	png_destroy_gamma_table(png_structrp png_ptr)
4137	{
4138	png_free(png_ptr, png_ptr->gamma_table);
4139	png_ptr->gamma_table = NULL;
4140
4141	#ifdef PNG_16BIT_SUPPORTED
4142	if (png_ptr->gamma_16_table != NULL)
4143	{
4144	int i;
4145	int istop = (`1` << (`8` - png_ptr->gamma_shift));
4146	for (i = `0`; i < istop; i++)
4147	{
4148	png_free(png_ptr, png_ptr->gamma_16_table[i]);
4149	}
4150	png_free(png_ptr, png_ptr->gamma_16_table);
4151	png_ptr->gamma_16_table = NULL;
4152	}
4153	#endif /* 16BIT */
4154
4155	#if defined(PNG_READ_BACKGROUND_SUPPORTED) \|\| \
4156	defined(PNG_READ_ALPHA_MODE_SUPPORTED) \|\| \
4157	defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4158	png_free(png_ptr, png_ptr->gamma_from_1);
4159	png_ptr->gamma_from_1 = NULL;
4160	png_free(png_ptr, png_ptr->gamma_to_1);
4161	png_ptr->gamma_to_1 = NULL;
4162
4163	#ifdef PNG_16BIT_SUPPORTED
4164	if (png_ptr->gamma_16_from_1 != NULL)
4165	{
4166	int i;
4167	int istop = (`1` << (`8` - png_ptr->gamma_shift));
4168	for (i = `0`; i < istop; i++)
4169	{
4170	png_free(png_ptr, png_ptr->gamma_16_from_1[i]);
4171	}
4172	png_free(png_ptr, png_ptr->gamma_16_from_1);
4173	png_ptr->gamma_16_from_1 = NULL;
4174	}
4175	if (png_ptr->gamma_16_to_1 != NULL)
4176	{
4177	int i;
4178	int istop = (`1` << (`8` - png_ptr->gamma_shift));
4179	for (i = `0`; i < istop; i++)
4180	{
4181	png_free(png_ptr, png_ptr->gamma_16_to_1[i]);
4182	}
4183	png_free(png_ptr, png_ptr->gamma_16_to_1);
4184	png_ptr->gamma_16_to_1 = NULL;
4185	}
4186	#endif /* 16BIT */
4187	#endif /* READ_BACKGROUND \|\| READ_ALPHA_MODE \|\| RGB_TO_GRAY */
4188	}
4189
4190	/ We build the 8- or 16-bit gamma tables here. Note that for 16-bit*
4191	* tables, we don't make a full table if we are reducing to 8-bit in
4192	* the future. Note also how the gamma_16 tables are segmented so that
4193	* we don't need to allocate > 64K chunks for a full 16-bit table.
4194	*/
4195	void / PRIVATE /
4196	png_build_gamma_table(png_structrp png_ptr, int bit_depth)
4197	{
4198	png_debug(`1`, "in png_build_gamma_table");
4199
4200	/ Remove any existing table; this copes with multiple calls to*
4201	* png_read_update_info. The warning is because building the gamma tables
4202	* multiple times is a performance hit - it's harmless but the ability to
4203	* call png_read_update_info() multiple times is new in 1.5.6 so it seems
4204	* sensible to warn if the app introduces such a hit.
4205	*/
4206	if (png_ptr->gamma_table != NULL \|\| png_ptr->gamma_16_table != NULL)
4207	{
4208	png_warning(png_ptr, "gamma table being rebuilt");
4209	png_destroy_gamma_table(png_ptr);
4210	}
4211
4212	if (bit_depth <= `8`)
4213	{
4214	png_build_8bit_table(png_ptr, &png_ptr->gamma_table,
4215	png_ptr->screen_gamma > `0` ?
4216	png_reciprocal2(png_ptr->colorspace.gamma,
4217	png_ptr->screen_gamma) : PNG_FP_1);
4218
4219	#if defined(PNG_READ_BACKGROUND_SUPPORTED) \|\| \
4220	defined(PNG_READ_ALPHA_MODE_SUPPORTED) \|\| \
4221	defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4222	if ((png_ptr->transformations & (PNG_COMPOSE \| PNG_RGB_TO_GRAY)) != `0`)
4223	{
4224	png_build_8bit_table(png_ptr, &png_ptr->gamma_to_1,
4225	png_reciprocal(png_ptr->colorspace.gamma));
4226
4227	png_build_8bit_table(png_ptr, &png_ptr->gamma_from_1,
4228	png_ptr->screen_gamma > `0` ?
4229	png_reciprocal(png_ptr->screen_gamma) :
4230	png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4231	}
4232	#endif /* READ_BACKGROUND \|\| READ_ALPHA_MODE \|\| RGB_TO_GRAY */
4233	}
4234	#ifdef PNG_16BIT_SUPPORTED
4235	else
4236	{
4237	png_byte shift, sig_bit;
4238
4239	if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != `0`)
4240	{
4241	sig_bit = png_ptr->sig_bit.red;
4242
4243	if (png_ptr->sig_bit.green > sig_bit)
4244	sig_bit = png_ptr->sig_bit.green;
4245
4246	if (png_ptr->sig_bit.blue > sig_bit)
4247	sig_bit = png_ptr->sig_bit.blue;
4248	}
4249	else
4250	sig_bit = png_ptr->sig_bit.gray;
4251
4252	/ 16-bit gamma code uses this equation:*
4253	*
4254	* ov = table[(iv & 0xff) >> gamma_shift][iv >> 8]
4255	*
4256	* Where 'iv' is the input color value and 'ov' is the output value -
4257	* pow(iv, gamma).
4258	*
4259	* Thus the gamma table consists of up to 256 256-entry tables. The table
4260	* is selected by the (8-gamma_shift) most significant of the low 8 bits
4261	* of the color value then indexed by the upper 8 bits:
4262	*
4263	* table[low bits][high 8 bits]
4264	*
4265	* So the table 'n' corresponds to all those 'iv' of:
4266	*
4267	* <all high 8-bit values><n << gamma_shift>..<(n+1 << gamma_shift)-1>
4268	*
4269	*/
4270	if (sig_bit > `0` && sig_bit < `16U`)
4271	/ shift == insignificant bits /
4272	shift = (png_byte)((`16U` - sig_bit) & `0xff`);
4273
4274	else
4275	shift = `0`; / keep all 16 bits /
4276
4277	if ((png_ptr->transformations & (PNG_16_TO_8 \| PNG_SCALE_16_TO_8)) != `0`)
4278	{
4279	/ PNG_MAX_GAMMA_8 is the number of bits to keep - effectively*
4280	* the significant bits in the input when the output will
4281	* eventually be 8 bits. By default it is 11.
4282	*/
4283	if (shift < (`16U` - PNG_MAX_GAMMA_8))
4284	shift = (`16U` - PNG_MAX_GAMMA_8);
4285	}
4286
4287	if (shift > `8U`)
4288	shift = `8U`; / Guarantees at least one table! /
4289
4290	png_ptr->gamma_shift = shift;
4291
4292	/ NOTE: prior to 1.5.4 this test used to include PNG_BACKGROUND (now*
4293	* PNG_COMPOSE). This effectively smashed the background calculation for
4294	* 16-bit output because the 8-bit table assumes the result will be
4295	* reduced to 8 bits.
4296	*/
4297	if ((png_ptr->transformations & (PNG_16_TO_8 \| PNG_SCALE_16_TO_8)) != `0`)
4298	png_build_16to8_table(png_ptr, &png_ptr->gamma_16_table, shift,
4299	png_ptr->screen_gamma > `0` ? png_product2(png_ptr->colorspace.gamma,
4300	png_ptr->screen_gamma) : PNG_FP_1);
4301
4302	else
4303	png_build_16bit_table(png_ptr, &png_ptr->gamma_16_table, shift,
4304	png_ptr->screen_gamma > `0` ? png_reciprocal2(png_ptr->colorspace.gamma,
4305	png_ptr->screen_gamma) : PNG_FP_1);
4306
4307	#if defined(PNG_READ_BACKGROUND_SUPPORTED) \|\| \
4308	defined(PNG_READ_ALPHA_MODE_SUPPORTED) \|\| \
4309	defined(PNG_READ_RGB_TO_GRAY_SUPPORTED)
4310	if ((png_ptr->transformations & (PNG_COMPOSE \| PNG_RGB_TO_GRAY)) != `0`)
4311	{
4312	png_build_16bit_table(png_ptr, &png_ptr->gamma_16_to_1, shift,
4313	png_reciprocal(png_ptr->colorspace.gamma));
4314
4315	/ Notice that the '16 from 1' table should be full precision, however*
4316	* the lookup on this table still uses gamma_shift, so it can't be.
4317	* TODO: fix this.
4318	*/
4319	png_build_16bit_table(png_ptr, &png_ptr->gamma_16_from_1, shift,
4320	png_ptr->screen_gamma > `0` ? png_reciprocal(png_ptr->screen_gamma) :
4321	png_ptr->colorspace.gamma/* Probably doing rgb_to_gray */);
4322	}
4323	#endif /* READ_BACKGROUND \|\| READ_ALPHA_MODE \|\| RGB_TO_GRAY */
4324	}
4325	#endif /* 16BIT */
4326	}
4327	#endif /* READ_GAMMA */
4328
4329	/ HARDWARE OR SOFTWARE OPTION SUPPORT /
4330	#ifdef PNG_SET_OPTION_SUPPORTED
4331	int PNGAPI
4332	png_set_option(png_structrp png_ptr, int option, int onoff)
4333	{
4334	if (png_ptr != NULL && option >= `0` && option < PNG_OPTION_NEXT &&
4335	(option & `1`) == `0`)
4336	{
4337	png_uint_32 mask = `3U` << option;
4338	png_uint_32 setting = (`2U` + (onoff != `0`)) << option;
4339	png_uint_32 current = png_ptr->options;
4340
4341	png_ptr->options = (png_uint_32)((current & ~mask) \| setting);
4342
4343	return (int)(current & mask) >> option;
4344	}
4345
4346	return PNG_OPTION_INVALID;
4347	}
4348	#endif
4349
4350	/ sRGB support /
4351	#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) \|\|\
4352	defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4353	/ sRGB conversion tables; these are machine generated with the code in*
4354	* contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the
4355	* specification (see the article at https://en.wikipedia.org/wiki/SRGB)
4356	* is used, not the gamma=1/2.2 approximation use elsewhere in libpng.
4357	* The sRGB to linear table is exact (to the nearest 16-bit linear fraction).
4358	* The inverse (linear to sRGB) table has accuracies as follows:
4359	*
4360	* For all possible (255*65535+1) input values:
4361	*
4362	* error: -0.515566 - 0.625971, 79441 (0.475369%) of readings inexact
4363	*
4364	* For the input values corresponding to the 65536 16-bit values:
4365	*
4366	* error: -0.513727 - 0.607759, 308 (0.469978%) of readings inexact
4367	*
4368	* In all cases the inexact readings are only off by one.
4369	*/
4370
4371	#ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4372	/ The convert-to-sRGB table is only currently required for read. /
4373	const png_uint_16 png_sRGB_table[`256`] =
4374	{
4375	`0`,`20`,`40`,`60`,`80`,`99`,`119`,`139`,
4376	`159`,`179`,`199`,`219`,`241`,`264`,`288`,`313`,
4377	`340`,`367`,`396`,`427`,`458`,`491`,`526`,`562`,
4378	`599`,`637`,`677`,`718`,`761`,`805`,`851`,`898`,
4379	`947`,`997`,`1048`,`1101`,`1156`,`1212`,`1270`,`1330`,
4380	`1391`,`1453`,`1517`,`1583`,`1651`,`1720`,`1790`,`1863`,
4381	`1937`,`2013`,`2090`,`2170`,`2250`,`2333`,`2418`,`2504`,
4382	`2592`,`2681`,`2773`,`2866`,`2961`,`3058`,`3157`,`3258`,
4383	`3360`,`3464`,`3570`,`3678`,`3788`,`3900`,`4014`,`4129`,
4384	`4247`,`4366`,`4488`,`4611`,`4736`,`4864`,`4993`,`5124`,
4385	`5257`,`5392`,`5530`,`5669`,`5810`,`5953`,`6099`,`6246`,
4386	`6395`,`6547`,`6700`,`6856`,`7014`,`7174`,`7335`,`7500`,
4387	`7666`,`7834`,`8004`,`8177`,`8352`,`8528`,`8708`,`8889`,
4388	`9072`,`9258`,`9445`,`9635`,`9828`,`10022`,`10219`,`10417`,
4389	`10619`,`10822`,`11028`,`11235`,`11446`,`11658`,`11873`,`12090`,
4390	`12309`,`12530`,`12754`,`12980`,`13209`,`13440`,`13673`,`13909`,
4391	`14146`,`14387`,`14629`,`14874`,`15122`,`15371`,`15623`,`15878`,
4392	`16135`,`16394`,`16656`,`16920`,`17187`,`17456`,`17727`,`18001`,
4393	`18277`,`18556`,`18837`,`19121`,`19407`,`19696`,`19987`,`20281`,
4394	`20577`,`20876`,`21177`,`21481`,`21787`,`22096`,`22407`,`22721`,
4395	`23038`,`23357`,`23678`,`24002`,`24329`,`24658`,`24990`,`25325`,
4396	`25662`,`26001`,`26344`,`26688`,`27036`,`27386`,`27739`,`28094`,
4397	`28452`,`28813`,`29176`,`29542`,`29911`,`30282`,`30656`,`31033`,
4398	`31412`,`31794`,`32179`,`32567`,`32957`,`33350`,`33745`,`34143`,
4399	`34544`,`34948`,`35355`,`35764`,`36176`,`36591`,`37008`,`37429`,
4400	`37852`,`38278`,`38706`,`39138`,`39572`,`40009`,`40449`,`40891`,
4401	`41337`,`41785`,`42236`,`42690`,`43147`,`43606`,`44069`,`44534`,
4402	`45002`,`45473`,`45947`,`46423`,`46903`,`47385`,`47871`,`48359`,
4403	`48850`,`49344`,`49841`,`50341`,`50844`,`51349`,`51858`,`52369`,
4404	`52884`,`53401`,`53921`,`54445`,`54971`,`55500`,`56032`,`56567`,
4405	`57105`,`57646`,`58190`,`58737`,`59287`,`59840`,`60396`,`60955`,
4406	`61517`,`62082`,`62650`,`63221`,`63795`,`64372`,`64952`,`65535`
4407	};
4408	#endif /* SIMPLIFIED_READ */
4409
4410	/ The base/delta tables are required for both read and write (but currently*
4411	* only the simplified versions.)
4412	*/
4413	const png_uint_16 png_sRGB_base[`512`] =
4414	{
4415	`128`,`1782`,`3383`,`4644`,`5675`,`6564`,`7357`,`8074`,
4416	`8732`,`9346`,`9921`,`10463`,`10977`,`11466`,`11935`,`12384`,
4417	`12816`,`13233`,`13634`,`14024`,`14402`,`14769`,`15125`,`15473`,
4418	`15812`,`16142`,`16466`,`16781`,`17090`,`17393`,`17690`,`17981`,
4419	`18266`,`18546`,`18822`,`19093`,`19359`,`19621`,`19879`,`20133`,
4420	`20383`,`20630`,`20873`,`21113`,`21349`,`21583`,`21813`,`22041`,
4421	`22265`,`22487`,`22707`,`22923`,`23138`,`23350`,`23559`,`23767`,
4422	`23972`,`24175`,`24376`,`24575`,`24772`,`24967`,`25160`,`25352`,
4423	`25542`,`25730`,`25916`,`26101`,`26284`,`26465`,`26645`,`26823`,
4424	`27000`,`27176`,`27350`,`27523`,`27695`,`27865`,`28034`,`28201`,
4425	`28368`,`28533`,`28697`,`28860`,`29021`,`29182`,`29341`,`29500`,
4426	`29657`,`29813`,`29969`,`30123`,`30276`,`30429`,`30580`,`30730`,
4427	`30880`,`31028`,`31176`,`31323`,`31469`,`31614`,`31758`,`31902`,
4428	`32045`,`32186`,`32327`,`32468`,`32607`,`32746`,`32884`,`33021`,
4429	`33158`,`33294`,`33429`,`33564`,`33697`,`33831`,`33963`,`34095`,
4430	`34226`,`34357`,`34486`,`34616`,`34744`,`34873`,`35000`,`35127`,
4431	`35253`,`35379`,`35504`,`35629`,`35753`,`35876`,`35999`,`36122`,
4432	`36244`,`36365`,`36486`,`36606`,`36726`,`36845`,`36964`,`37083`,
4433	`37201`,`37318`,`37435`,`37551`,`37668`,`37783`,`37898`,`38013`,
4434	`38127`,`38241`,`38354`,`38467`,`38580`,`38692`,`38803`,`38915`,
4435	`39026`,`39136`,`39246`,`39356`,`39465`,`39574`,`39682`,`39790`,
4436	`39898`,`40005`,`40112`,`40219`,`40325`,`40431`,`40537`,`40642`,
4437	`40747`,`40851`,`40955`,`41059`,`41163`,`41266`,`41369`,`41471`,
4438	`41573`,`41675`,`41777`,`41878`,`41979`,`42079`,`42179`,`42279`,
4439	`42379`,`42478`,`42577`,`42676`,`42775`,`42873`,`42971`,`43068`,
4440	`43165`,`43262`,`43359`,`43456`,`43552`,`43648`,`43743`,`43839`,
4441	`43934`,`44028`,`44123`,`44217`,`44311`,`44405`,`44499`,`44592`,
4442	`44685`,`44778`,`44870`,`44962`,`45054`,`45146`,`45238`,`45329`,
4443	`45420`,`45511`,`45601`,`45692`,`45782`,`45872`,`45961`,`46051`,
4444	`46140`,`46229`,`46318`,`46406`,`46494`,`46583`,`46670`,`46758`,
4445	`46846`,`46933`,`47020`,`47107`,`47193`,`47280`,`47366`,`47452`,
4446	`47538`,`47623`,`47709`,`47794`,`47879`,`47964`,`48048`,`48133`,
4447	`48217`,`48301`,`48385`,`48468`,`48552`,`48635`,`48718`,`48801`,
4448	`48884`,`48966`,`49048`,`49131`,`49213`,`49294`,`49376`,`49458`,
4449	`49539`,`49620`,`49701`,`49782`,`49862`,`49943`,`50023`,`50103`,
4450	`50183`,`50263`,`50342`,`50422`,`50501`,`50580`,`50659`,`50738`,
4451	`50816`,`50895`,`50973`,`51051`,`51129`,`51207`,`51285`,`51362`,
4452	`51439`,`51517`,`51594`,`51671`,`51747`,`51824`,`51900`,`51977`,
4453	`52053`,`52129`,`52205`,`52280`,`52356`,`52432`,`52507`,`52582`,
4454	`52657`,`52732`,`52807`,`52881`,`52956`,`53030`,`53104`,`53178`,
4455	`53252`,`53326`,`53400`,`53473`,`53546`,`53620`,`53693`,`53766`,
4456	`53839`,`53911`,`53984`,`54056`,`54129`,`54201`,`54273`,`54345`,
4457	`54417`,`54489`,`54560`,`54632`,`54703`,`54774`,`54845`,`54916`,
4458	`54987`,`55058`,`55129`,`55199`,`55269`,`55340`,`55410`,`55480`,
4459	`55550`,`55620`,`55689`,`55759`,`55828`,`55898`,`55967`,`56036`,
4460	`56105`,`56174`,`56243`,`56311`,`56380`,`56448`,`56517`,`56585`,
4461	`56653`,`56721`,`56789`,`56857`,`56924`,`56992`,`57059`,`57127`,
4462	`57194`,`57261`,`57328`,`57395`,`57462`,`57529`,`57595`,`57662`,
4463	`57728`,`57795`,`57861`,`57927`,`57993`,`58059`,`58125`,`58191`,
4464	`58256`,`58322`,`58387`,`58453`,`58518`,`58583`,`58648`,`58713`,
4465	`58778`,`58843`,`58908`,`58972`,`59037`,`59101`,`59165`,`59230`,
4466	`59294`,`59358`,`59422`,`59486`,`59549`,`59613`,`59677`,`59740`,
4467	`59804`,`59867`,`59930`,`59993`,`60056`,`60119`,`60182`,`60245`,
4468	`60308`,`60370`,`60433`,`60495`,`60558`,`60620`,`60682`,`60744`,
4469	`60806`,`60868`,`60930`,`60992`,`61054`,`61115`,`61177`,`61238`,
4470	`61300`,`61361`,`61422`,`61483`,`61544`,`61605`,`61666`,`61727`,
4471	`61788`,`61848`,`61909`,`61969`,`62030`,`62090`,`62150`,`62211`,
4472	`62271`,`62331`,`62391`,`62450`,`62510`,`62570`,`62630`,`62689`,
4473	`62749`,`62808`,`62867`,`62927`,`62986`,`63045`,`63104`,`63163`,
4474	`63222`,`63281`,`63340`,`63398`,`63457`,`63515`,`63574`,`63632`,
4475	`63691`,`63749`,`63807`,`63865`,`63923`,`63981`,`64039`,`64097`,
4476	`64155`,`64212`,`64270`,`64328`,`64385`,`64443`,`64500`,`64557`,
4477	`64614`,`64672`,`64729`,`64786`,`64843`,`64900`,`64956`,`65013`,
4478	`65070`,`65126`,`65183`,`65239`,`65296`,`65352`,`65409`,`65465`
4479	};
4480
4481	const png_byte png_sRGB_delta[`512`] =
4482	{
4483	`207`,`201`,`158`,`129`,`113`,`100`,`90`,`82`,`77`,`72`,`68`,`64`,`61`,`59`,`56`,`54`,
4484	`52`,`50`,`49`,`47`,`46`,`45`,`43`,`42`,`41`,`40`,`39`,`39`,`38`,`37`,`36`,`36`,
4485	`35`,`34`,`34`,`33`,`33`,`32`,`32`,`31`,`31`,`30`,`30`,`30`,`29`,`29`,`28`,`28`,
4486	`28`,`27`,`27`,`27`,`27`,`26`,`26`,`26`,`25`,`25`,`25`,`25`,`24`,`24`,`24`,`24`,
4487	`23`,`23`,`23`,`23`,`23`,`22`,`22`,`22`,`22`,`22`,`22`,`21`,`21`,`21`,`21`,`21`,
4488	`21`,`20`,`20`,`20`,`20`,`20`,`20`,`20`,`20`,`19`,`19`,`19`,`19`,`19`,`19`,`19`,
4489	`19`,`18`,`18`,`18`,`18`,`18`,`18`,`18`,`18`,`18`,`18`,`17`,`17`,`17`,`17`,`17`,
4490	`17`,`17`,`17`,`17`,`17`,`17`,`16`,`16`,`16`,`16`,`16`,`16`,`16`,`16`,`16`,`16`,
4491	`16`,`16`,`16`,`16`,`15`,`15`,`15`,`15`,`15`,`15`,`15`,`15`,`15`,`15`,`15`,`15`,
4492	`15`,`15`,`15`,`15`,`14`,`14`,`14`,`14`,`14`,`14`,`14`,`14`,`14`,`14`,`14`,`14`,
4493	`14`,`14`,`14`,`14`,`14`,`14`,`14`,`13`,`13`,`13`,`13`,`13`,`13`,`13`,`13`,`13`,
4494	`13`,`13`,`13`,`13`,`13`,`13`,`13`,`13`,`13`,`13`,`13`,`13`,`13`,`13`,`12`,`12`,
4495	`12`,`12`,`12`,`12`,`12`,`12`,`12`,`12`,`12`,`12`,`12`,`12`,`12`,`12`,`12`,`12`,
4496	`12`,`12`,`12`,`12`,`12`,`12`,`12`,`12`,`12`,`12`,`12`,`12`,`11`,`11`,`11`,`11`,
4497	`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,
4498	`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,`11`,
4499	`11`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,
4500	`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,
4501	`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,`10`,
4502	`10`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,
4503	`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,
4504	`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,
4505	`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,`9`,
4506	`9`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,
4507	`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,
4508	`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,
4509	`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,
4510	`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,
4511	`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`8`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,
4512	`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,
4513	`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,
4514	`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`,`7`
4515	};
4516	#endif /* SIMPLIFIED READ/WRITE sRGB support */
4517
4518	/ SIMPLIFIED READ/WRITE SUPPORT /
4519	#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) \|\|\
4520	defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
4521	static int
4522	png_image_free_function(png_voidp argument)
4523	{
4524	png_imagep image = png_voidcast(png_imagep, argument);
4525	png_controlp cp = image->opaque;
4526	png_control c;
4527
4528	/ Double check that we have a png_ptr - it should be impossible to get here*
4529	* without one.
4530	*/
4531	if (cp->png_ptr == NULL)
4532	return `0`;
4533
4534	/ First free any data held in the control structure. /
4535	# ifdef PNG_STDIO_SUPPORTED
4536	if (cp->owned_file != `0`)
4537	{
4538	FILE fp = png_voidcast(FILE, cp->png_ptr->io_ptr);
4539	cp->owned_file = `0`;
4540
4541	/ Ignore errors here. /
4542	if (fp != NULL)
4543	{
4544	cp->png_ptr->io_ptr = NULL;
4545	(void)fclose(fp);
4546	}
4547	}
4548	# endif
4549
4550	/ Copy the control structure so that the original, allocated, version can be*
4551	* safely freed. Notice that a png_error here stops the remainder of the
4552	* cleanup, but this is probably fine because that would indicate bad memory
4553	* problems anyway.
4554	*/
4555	c = *cp;
4556	image->opaque = &c;
4557	png_free(c.png_ptr, cp);
4558
4559	/ Then the structures, calling the correct API. /
4560	if (c.for_write != `0`)
4561	{
4562	# ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED
4563	png_destroy_write_struct(&c.png_ptr, &c.info_ptr);
4564	# else
4565	png_error(c.png_ptr, "simplified write not supported");
4566	# endif
4567	}
4568	else
4569	{
4570	# ifdef PNG_SIMPLIFIED_READ_SUPPORTED
4571	png_destroy_read_struct(&c.png_ptr, &c.info_ptr, NULL);
4572	# else
4573	png_error(c.png_ptr, "simplified read not supported");
4574	# endif
4575	}
4576
4577	/ Success. /
4578	return `1`;
4579	}
4580
4581	void PNGAPI
4582	png_image_free(png_imagep image)
4583	{
4584	/ Safely call the real function, but only if doing so is safe at this point*
4585	* (if not inside an error handling context). Otherwise assume
4586	* png_safe_execute will call this API after the return.
4587	*/
4588	if (image != NULL && image->opaque != NULL &&
4589	image->opaque->error_buf == NULL)
4590	{
4591	png_image_free_function(image);
4592	image->opaque = NULL;
4593	}
4594	}
4595
4596	int / PRIVATE /
4597	png_image_error(png_imagep image, png_const_charp error_message)
4598	{
4599	/ Utility to log an error. /
4600	png_safecat(image->message, (sizeof image->message), `0`, error_message);
4601	image->warning_or_error \|= PNG_IMAGE_ERROR;
4602	png_image_free(image);
4603	return `0`;
4604	}
4605
4606	#endif /* SIMPLIFIED READ/WRITE */
4607	#endif /* READ \|\| WRITE */
4608

Browse the source code of tensorflow/external/png/png.c