1
2 /* pngerror.c - stub functions for i/o and memory allocation
3 *
4 * Copyright (c) 2018-2024 Cosmin Truta
5 * Copyright (c) 1998-2002,2004,2006-2017 Glenn Randers-Pehrson
6 * Copyright (c) 1996-1997 Andreas Dilger
7 * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
8 *
9 * This code is released under the libpng license.
10 * For conditions of distribution and use, see the disclaimer
11 * and license in png.h
12 *
13 * This file provides a location for all error handling. Users who
14 * need special error handling are expected to write replacement functions
15 * and use png_set_error_fn() to use those functions. See the instructions
16 * at each function.
17 */
18
19 #include "pngpriv.h"
20
21 #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED)
22
23 static PNG_FUNCTION(void /* PRIVATE */,
24 png_default_error,(png_const_structrp png_ptr, png_const_charp error_message),
25 PNG_NORETURN);
26
27 #ifdef PNG_WARNINGS_SUPPORTED
28 static void /* PRIVATE */
29 png_default_warning(png_const_structrp png_ptr,
30 png_const_charp warning_message);
31 #endif /* WARNINGS */
32
33 /* This function is called whenever there is a fatal error. This function
34 * should not be changed. If there is a need to handle errors differently,
35 * you should supply a replacement error function and use png_set_error_fn()
36 * to replace the error function at run-time.
37 */
38 #ifdef PNG_ERROR_TEXT_SUPPORTED
39 PNG_FUNCTION(void,PNGAPI
40 png_error,(png_const_structrp png_ptr, png_const_charp error_message),
41 PNG_NORETURN)
42 {
43 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
44 char msg[16];
45 if (png_ptr != NULL)
46 {
47 if ((png_ptr->flags &
48 (PNG_FLAG_STRIP_ERROR_NUMBERS|PNG_FLAG_STRIP_ERROR_TEXT)) != 0)
49 {
50 if (*error_message == PNG_LITERAL_SHARP)
51 {
52 /* Strip "#nnnn " from beginning of error message. */
53 int offset;
54 for (offset = 1; offset<15; offset++)
55 if (error_message[offset] == ' ')
56 break;
57
58 if ((png_ptr->flags & PNG_FLAG_STRIP_ERROR_TEXT) != 0)
59 {
60 int i;
61 for (i = 0; i < offset - 1; i++)
62 msg[i] = error_message[i + 1];
63 msg[i - 1] = '\0';
64 error_message = msg;
65 }
66
67 else
68 error_message += offset;
69 }
70
71 else
72 {
73 if ((png_ptr->flags & PNG_FLAG_STRIP_ERROR_TEXT) != 0)
74 {
75 msg[0] = '0';
76 msg[1] = '\0';
77 error_message = msg;
78 }
79 }
80 }
81 }
82 #endif
83 if (png_ptr != NULL && png_ptr->error_fn != NULL)
84 (*(png_ptr->error_fn))(png_constcast(png_structrp,png_ptr),
85 error_message);
86
87 /* If the custom handler doesn't exist, or if it returns,
88 use the default handler, which will not return. */
89 png_default_error(png_ptr, error_message);
90 }
91 #else
92 PNG_FUNCTION(void,PNGAPI
93 png_err,(png_const_structrp png_ptr),PNG_NORETURN)
94 {
95 /* Prior to 1.5.2 the error_fn received a NULL pointer, expressed
96 * erroneously as '\0', instead of the empty string "". This was
97 * apparently an error, introduced in libpng-1.2.20, and png_default_error
98 * will crash in this case.
99 */
100 if (png_ptr != NULL && png_ptr->error_fn != NULL)
101 (*(png_ptr->error_fn))(png_constcast(png_structrp,png_ptr), "");
102
103 /* If the custom handler doesn't exist, or if it returns,
104 use the default handler, which will not return. */
105 png_default_error(png_ptr, "");
106 }
107 #endif /* ERROR_TEXT */
108
109 /* Utility to safely appends strings to a buffer. This never errors out so
110 * error checking is not required in the caller.
111 */
112 size_t
png_safecat(png_charp buffer,size_t bufsize,size_t pos,png_const_charp string)113 png_safecat(png_charp buffer, size_t bufsize, size_t pos,
114 png_const_charp string)
115 {
116 if (buffer != NULL && pos < bufsize)
117 {
118 if (string != NULL)
119 while (*string != '\0' && pos < bufsize-1)
120 buffer[pos++] = *string++;
121
122 buffer[pos] = '\0';
123 }
124
125 return pos;
126 }
127
128 #if defined(PNG_WARNINGS_SUPPORTED) || defined(PNG_TIME_RFC1123_SUPPORTED)
129 /* Utility to dump an unsigned value into a buffer, given a start pointer and
130 * and end pointer (which should point just *beyond* the end of the buffer!)
131 * Returns the pointer to the start of the formatted string.
132 */
133 png_charp
png_format_number(png_const_charp start,png_charp end,int format,png_alloc_size_t number)134 png_format_number(png_const_charp start, png_charp end, int format,
135 png_alloc_size_t number)
136 {
137 int count = 0; /* number of digits output */
138 int mincount = 1; /* minimum number required */
139 int output = 0; /* digit output (for the fixed point format) */
140
141 *--end = '\0';
142
143 /* This is written so that the loop always runs at least once, even with
144 * number zero.
145 */
146 while (end > start && (number != 0 || count < mincount))
147 {
148
149 static const char digits[] = "0123456789ABCDEF";
150
151 switch (format)
152 {
153 case PNG_NUMBER_FORMAT_fixed:
154 /* Needs five digits (the fraction) */
155 mincount = 5;
156 if (output != 0 || number % 10 != 0)
157 {
158 *--end = digits[number % 10];
159 output = 1;
160 }
161 number /= 10;
162 break;
163
164 case PNG_NUMBER_FORMAT_02u:
165 /* Expects at least 2 digits. */
166 mincount = 2;
167 /* FALLTHROUGH */
168
169 case PNG_NUMBER_FORMAT_u:
170 *--end = digits[number % 10];
171 number /= 10;
172 break;
173
174 case PNG_NUMBER_FORMAT_02x:
175 /* This format expects at least two digits */
176 mincount = 2;
177 /* FALLTHROUGH */
178
179 case PNG_NUMBER_FORMAT_x:
180 *--end = digits[number & 0xf];
181 number >>= 4;
182 break;
183
184 default: /* an error */
185 number = 0;
186 break;
187 }
188
189 /* Keep track of the number of digits added */
190 ++count;
191
192 /* Float a fixed number here: */
193 if ((format == PNG_NUMBER_FORMAT_fixed) && (count == 5) && (end > start))
194 {
195 /* End of the fraction, but maybe nothing was output? In that case
196 * drop the decimal point. If the number is a true zero handle that
197 * here.
198 */
199 if (output != 0)
200 *--end = '.';
201 else if (number == 0) /* and !output */
202 *--end = '0';
203 }
204 }
205
206 return end;
207 }
208 #endif
209
210 #ifdef PNG_WARNINGS_SUPPORTED
211 /* This function is called whenever there is a non-fatal error. This function
212 * should not be changed. If there is a need to handle warnings differently,
213 * you should supply a replacement warning function and use
214 * png_set_error_fn() to replace the warning function at run-time.
215 */
216 void PNGAPI
png_warning(png_const_structrp png_ptr,png_const_charp warning_message)217 png_warning(png_const_structrp png_ptr, png_const_charp warning_message)
218 {
219 int offset = 0;
220 if (png_ptr != NULL)
221 {
222 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
223 if ((png_ptr->flags &
224 (PNG_FLAG_STRIP_ERROR_NUMBERS|PNG_FLAG_STRIP_ERROR_TEXT)) != 0)
225 #endif
226 {
227 if (*warning_message == PNG_LITERAL_SHARP)
228 {
229 for (offset = 1; offset < 15; offset++)
230 if (warning_message[offset] == ' ')
231 break;
232 }
233 }
234 }
235 if (png_ptr != NULL && png_ptr->warning_fn != NULL)
236 (*(png_ptr->warning_fn))(png_constcast(png_structrp,png_ptr),
237 warning_message + offset);
238 else
239 png_default_warning(png_ptr, warning_message + offset);
240 }
241
242 /* These functions support 'formatted' warning messages with up to
243 * PNG_WARNING_PARAMETER_COUNT parameters. In the format string the parameter
244 * is introduced by @<number>, where 'number' starts at 1. This follows the
245 * standard established by X/Open for internationalizable error messages.
246 */
247 void
png_warning_parameter(png_warning_parameters p,int number,png_const_charp string)248 png_warning_parameter(png_warning_parameters p, int number,
249 png_const_charp string)
250 {
251 if (number > 0 && number <= PNG_WARNING_PARAMETER_COUNT)
252 (void)png_safecat(p[number-1], (sizeof p[number-1]), 0, string);
253 }
254
255 void
png_warning_parameter_unsigned(png_warning_parameters p,int number,int format,png_alloc_size_t value)256 png_warning_parameter_unsigned(png_warning_parameters p, int number, int format,
257 png_alloc_size_t value)
258 {
259 char buffer[PNG_NUMBER_BUFFER_SIZE] = {0};
260 png_warning_parameter(p, number, PNG_FORMAT_NUMBER(buffer, format, value));
261 }
262
263 void
png_warning_parameter_signed(png_warning_parameters p,int number,int format,png_int_32 value)264 png_warning_parameter_signed(png_warning_parameters p, int number, int format,
265 png_int_32 value)
266 {
267 png_alloc_size_t u;
268 png_charp str;
269 char buffer[PNG_NUMBER_BUFFER_SIZE] = {0};
270
271 /* Avoid overflow by doing the negate in a png_alloc_size_t: */
272 u = (png_alloc_size_t)value;
273 if (value < 0)
274 u = ~u + 1;
275
276 str = PNG_FORMAT_NUMBER(buffer, format, u);
277
278 if (value < 0 && str > buffer)
279 *--str = '-';
280
281 png_warning_parameter(p, number, str);
282 }
283
284 void
png_formatted_warning(png_const_structrp png_ptr,png_warning_parameters p,png_const_charp message)285 png_formatted_warning(png_const_structrp png_ptr, png_warning_parameters p,
286 png_const_charp message)
287 {
288 /* The internal buffer is just 192 bytes - enough for all our messages,
289 * overflow doesn't happen because this code checks! If someone figures
290 * out how to send us a message longer than 192 bytes, all that will
291 * happen is that the message will be truncated appropriately.
292 */
293 size_t i = 0; /* Index in the msg[] buffer: */
294 char msg[192];
295
296 /* Each iteration through the following loop writes at most one character
297 * to msg[i++] then returns here to validate that there is still space for
298 * the trailing '\0'. It may (in the case of a parameter) read more than
299 * one character from message[]; it must check for '\0' and continue to the
300 * test if it finds the end of string.
301 */
302 while (i<(sizeof msg)-1 && *message != '\0')
303 {
304 /* '@' at end of string is now just printed (previously it was skipped);
305 * it is an error in the calling code to terminate the string with @.
306 */
307 if (p != NULL && *message == '@' && message[1] != '\0')
308 {
309 int parameter_char = *++message; /* Consume the '@' */
310 static const char valid_parameters[] = "123456789";
311 int parameter = 0;
312
313 /* Search for the parameter digit, the index in the string is the
314 * parameter to use.
315 */
316 while (valid_parameters[parameter] != parameter_char &&
317 valid_parameters[parameter] != '\0')
318 ++parameter;
319
320 /* If the parameter digit is out of range it will just get printed. */
321 if (parameter < PNG_WARNING_PARAMETER_COUNT)
322 {
323 /* Append this parameter */
324 png_const_charp parm = p[parameter];
325 png_const_charp pend = p[parameter] + (sizeof p[parameter]);
326
327 /* No need to copy the trailing '\0' here, but there is no guarantee
328 * that parm[] has been initialized, so there is no guarantee of a
329 * trailing '\0':
330 */
331 while (i<(sizeof msg)-1 && *parm != '\0' && parm < pend)
332 msg[i++] = *parm++;
333
334 /* Consume the parameter digit too: */
335 ++message;
336 continue;
337 }
338
339 /* else not a parameter and there is a character after the @ sign; just
340 * copy that. This is known not to be '\0' because of the test above.
341 */
342 }
343
344 /* At this point *message can't be '\0', even in the bad parameter case
345 * above where there is a lone '@' at the end of the message string.
346 */
347 msg[i++] = *message++;
348 }
349
350 /* i is always less than (sizeof msg), so: */
351 msg[i] = '\0';
352
353 /* And this is the formatted message. It may be larger than
354 * PNG_MAX_ERROR_TEXT, but that is only used for 'chunk' errors and these
355 * are not (currently) formatted.
356 */
357 png_warning(png_ptr, msg);
358 }
359 #endif /* WARNINGS */
360
361 #ifdef PNG_BENIGN_ERRORS_SUPPORTED
362 void PNGAPI
png_benign_error(png_const_structrp png_ptr,png_const_charp error_message)363 png_benign_error(png_const_structrp png_ptr, png_const_charp error_message)
364 {
365 if ((png_ptr->flags & PNG_FLAG_BENIGN_ERRORS_WARN) != 0)
366 {
367 # ifdef PNG_READ_SUPPORTED
368 if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
369 png_ptr->chunk_name != 0)
370 png_chunk_warning(png_ptr, error_message);
371 else
372 # endif
373 png_warning(png_ptr, error_message);
374 }
375
376 else
377 {
378 # ifdef PNG_READ_SUPPORTED
379 if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 &&
380 png_ptr->chunk_name != 0)
381 png_chunk_error(png_ptr, error_message);
382 else
383 # endif
384 png_error(png_ptr, error_message);
385 }
386
387 # ifndef PNG_ERROR_TEXT_SUPPORTED
388 PNG_UNUSED(error_message)
389 # endif
390 }
391
392 void /* PRIVATE */
png_app_warning(png_const_structrp png_ptr,png_const_charp error_message)393 png_app_warning(png_const_structrp png_ptr, png_const_charp error_message)
394 {
395 if ((png_ptr->flags & PNG_FLAG_APP_WARNINGS_WARN) != 0)
396 png_warning(png_ptr, error_message);
397 else
398 png_error(png_ptr, error_message);
399
400 # ifndef PNG_ERROR_TEXT_SUPPORTED
401 PNG_UNUSED(error_message)
402 # endif
403 }
404
405 void /* PRIVATE */
png_app_error(png_const_structrp png_ptr,png_const_charp error_message)406 png_app_error(png_const_structrp png_ptr, png_const_charp error_message)
407 {
408 if ((png_ptr->flags & PNG_FLAG_APP_ERRORS_WARN) != 0)
409 png_warning(png_ptr, error_message);
410 else
411 png_error(png_ptr, error_message);
412
413 # ifndef PNG_ERROR_TEXT_SUPPORTED
414 PNG_UNUSED(error_message)
415 # endif
416 }
417 #endif /* BENIGN_ERRORS */
418
419 #define PNG_MAX_ERROR_TEXT 196 /* Currently limited by profile_error in png.c */
420 #if defined(PNG_WARNINGS_SUPPORTED) || \
421 (defined(PNG_READ_SUPPORTED) && defined(PNG_ERROR_TEXT_SUPPORTED))
422 /* These utilities are used internally to build an error message that relates
423 * to the current chunk. The chunk name comes from png_ptr->chunk_name,
424 * which is used to prefix the message. The message is limited in length
425 * to 63 bytes. The name characters are output as hex digits wrapped in []
426 * if the character is invalid.
427 */
428 #define isnonalpha(c) ((c) < 65 || (c) > 122 || ((c) > 90 && (c) < 97))
429 static const char png_digit[16] = {
430 '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
431 'A', 'B', 'C', 'D', 'E', 'F'
432 };
433
434 static void /* PRIVATE */
png_format_buffer(png_const_structrp png_ptr,png_charp buffer,png_const_charp error_message)435 png_format_buffer(png_const_structrp png_ptr, png_charp buffer, png_const_charp
436 error_message)
437 {
438 png_uint_32 chunk_name = png_ptr->chunk_name;
439 int iout = 0, ishift = 24;
440
441 while (ishift >= 0)
442 {
443 int c = (int)(chunk_name >> ishift) & 0xff;
444
445 ishift -= 8;
446 if (isnonalpha(c) != 0)
447 {
448 buffer[iout++] = PNG_LITERAL_LEFT_SQUARE_BRACKET;
449 buffer[iout++] = png_digit[(c & 0xf0) >> 4];
450 buffer[iout++] = png_digit[c & 0x0f];
451 buffer[iout++] = PNG_LITERAL_RIGHT_SQUARE_BRACKET;
452 }
453
454 else
455 {
456 buffer[iout++] = (char)c;
457 }
458 }
459
460 if (error_message == NULL)
461 buffer[iout] = '\0';
462
463 else
464 {
465 int iin = 0;
466
467 buffer[iout++] = ':';
468 buffer[iout++] = ' ';
469
470 while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
471 buffer[iout++] = error_message[iin++];
472
473 /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
474 buffer[iout] = '\0';
475 }
476 }
477 #endif /* WARNINGS || ERROR_TEXT */
478
479 #if defined(PNG_READ_SUPPORTED) && defined(PNG_ERROR_TEXT_SUPPORTED)
480 PNG_FUNCTION(void,PNGAPI
481 png_chunk_error,(png_const_structrp png_ptr, png_const_charp error_message),
482 PNG_NORETURN)
483 {
484 char msg[18+PNG_MAX_ERROR_TEXT];
485 if (png_ptr == NULL)
486 png_error(png_ptr, error_message);
487
488 else
489 {
490 png_format_buffer(png_ptr, msg, error_message);
491 png_error(png_ptr, msg);
492 }
493 }
494 #endif /* READ && ERROR_TEXT */
495
496 #ifdef PNG_WARNINGS_SUPPORTED
497 void PNGAPI
png_chunk_warning(png_const_structrp png_ptr,png_const_charp warning_message)498 png_chunk_warning(png_const_structrp png_ptr, png_const_charp warning_message)
499 {
500 char msg[18+PNG_MAX_ERROR_TEXT];
501 if (png_ptr == NULL)
502 png_warning(png_ptr, warning_message);
503
504 else
505 {
506 png_format_buffer(png_ptr, msg, warning_message);
507 png_warning(png_ptr, msg);
508 }
509 }
510 #endif /* WARNINGS */
511
512 #ifdef PNG_READ_SUPPORTED
513 #ifdef PNG_BENIGN_ERRORS_SUPPORTED
514 void PNGAPI
png_chunk_benign_error(png_const_structrp png_ptr,png_const_charp error_message)515 png_chunk_benign_error(png_const_structrp png_ptr, png_const_charp
516 error_message)
517 {
518 if ((png_ptr->flags & PNG_FLAG_BENIGN_ERRORS_WARN) != 0)
519 png_chunk_warning(png_ptr, error_message);
520
521 else
522 png_chunk_error(png_ptr, error_message);
523
524 # ifndef PNG_ERROR_TEXT_SUPPORTED
525 PNG_UNUSED(error_message)
526 # endif
527 }
528 #endif
529 #endif /* READ */
530
531 void /* PRIVATE */
png_chunk_report(png_const_structrp png_ptr,png_const_charp message,int error)532 png_chunk_report(png_const_structrp png_ptr, png_const_charp message, int error)
533 {
534 # ifndef PNG_WARNINGS_SUPPORTED
535 PNG_UNUSED(message)
536 # endif
537
538 /* This is always supported, but for just read or just write it
539 * unconditionally does the right thing.
540 */
541 # if defined(PNG_READ_SUPPORTED) && defined(PNG_WRITE_SUPPORTED)
542 if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
543 # endif
544
545 # ifdef PNG_READ_SUPPORTED
546 {
547 if (error < PNG_CHUNK_ERROR)
548 png_chunk_warning(png_ptr, message);
549
550 else
551 png_chunk_benign_error(png_ptr, message);
552 }
553 # endif
554
555 # if defined(PNG_READ_SUPPORTED) && defined(PNG_WRITE_SUPPORTED)
556 else if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0)
557 # endif
558
559 # ifdef PNG_WRITE_SUPPORTED
560 {
561 if (error < PNG_CHUNK_WRITE_ERROR)
562 png_app_warning(png_ptr, message);
563
564 else
565 png_app_error(png_ptr, message);
566 }
567 # endif
568 }
569
570 #ifdef PNG_ERROR_TEXT_SUPPORTED
571 #ifdef PNG_FLOATING_POINT_SUPPORTED
572 PNG_FUNCTION(void,
573 png_fixed_error,(png_const_structrp png_ptr, png_const_charp name),PNG_NORETURN)
574 {
575 # define fixed_message "fixed point overflow in "
576 # define fixed_message_ln ((sizeof fixed_message)-1)
577 unsigned int iin;
578 char msg[fixed_message_ln+PNG_MAX_ERROR_TEXT];
579 memcpy(msg, fixed_message, fixed_message_ln);
580 iin = 0;
581 if (name != NULL)
582 while (iin < (PNG_MAX_ERROR_TEXT-1) && name[iin] != 0)
583 {
584 msg[fixed_message_ln + iin] = name[iin];
585 ++iin;
586 }
587 msg[fixed_message_ln + iin] = 0;
588 png_error(png_ptr, msg);
589 }
590 #endif
591 #endif
592
593 #ifdef PNG_SETJMP_SUPPORTED
594 /* This API only exists if ANSI-C style error handling is used,
595 * otherwise it is necessary for png_default_error to be overridden.
596 */
597 jmp_buf* PNGAPI
png_set_longjmp_fn(png_structrp png_ptr,png_longjmp_ptr longjmp_fn,size_t jmp_buf_size)598 png_set_longjmp_fn(png_structrp png_ptr, png_longjmp_ptr longjmp_fn,
599 size_t jmp_buf_size)
600 {
601 /* From libpng 1.6.0 the app gets one chance to set a 'jmpbuf_size' value
602 * and it must not change after that. Libpng doesn't care how big the
603 * buffer is, just that it doesn't change.
604 *
605 * If the buffer size is no *larger* than the size of jmp_buf when libpng is
606 * compiled a built in jmp_buf is returned; this preserves the pre-1.6.0
607 * semantics that this call will not fail. If the size is larger, however,
608 * the buffer is allocated and this may fail, causing the function to return
609 * NULL.
610 */
611 if (png_ptr == NULL)
612 return NULL;
613
614 if (png_ptr->jmp_buf_ptr == NULL)
615 {
616 png_ptr->jmp_buf_size = 0; /* not allocated */
617
618 if (jmp_buf_size <= (sizeof png_ptr->jmp_buf_local))
619 png_ptr->jmp_buf_ptr = &png_ptr->jmp_buf_local;
620
621 else
622 {
623 png_ptr->jmp_buf_ptr = png_voidcast(jmp_buf *,
624 png_malloc_warn(png_ptr, jmp_buf_size));
625
626 if (png_ptr->jmp_buf_ptr == NULL)
627 return NULL; /* new NULL return on OOM */
628
629 png_ptr->jmp_buf_size = jmp_buf_size;
630 }
631 }
632
633 else /* Already allocated: check the size */
634 {
635 size_t size = png_ptr->jmp_buf_size;
636
637 if (size == 0)
638 {
639 size = (sizeof png_ptr->jmp_buf_local);
640 if (png_ptr->jmp_buf_ptr != &png_ptr->jmp_buf_local)
641 {
642 /* This is an internal error in libpng: somehow we have been left
643 * with a stack allocated jmp_buf when the application regained
644 * control. It's always possible to fix this up, but for the moment
645 * this is a png_error because that makes it easy to detect.
646 */
647 png_error(png_ptr, "Libpng jmp_buf still allocated");
648 /* png_ptr->jmp_buf_ptr = &png_ptr->jmp_buf_local; */
649 }
650 }
651
652 if (size != jmp_buf_size)
653 {
654 png_warning(png_ptr, "Application jmp_buf size changed");
655 return NULL; /* caller will probably crash: no choice here */
656 }
657 }
658
659 /* Finally fill in the function, now we have a satisfactory buffer. It is
660 * valid to change the function on every call.
661 */
662 png_ptr->longjmp_fn = longjmp_fn;
663 return png_ptr->jmp_buf_ptr;
664 }
665
666 void /* PRIVATE */
png_free_jmpbuf(png_structrp png_ptr)667 png_free_jmpbuf(png_structrp png_ptr)
668 {
669 if (png_ptr != NULL)
670 {
671 jmp_buf *jb = png_ptr->jmp_buf_ptr;
672
673 /* A size of 0 is used to indicate a local, stack, allocation of the
674 * pointer; used here and in png.c
675 */
676 if (jb != NULL && png_ptr->jmp_buf_size > 0)
677 {
678
679 /* This stuff is so that a failure to free the error control structure
680 * does not leave libpng in a state with no valid error handling: the
681 * free always succeeds, if there is an error it gets ignored.
682 */
683 if (jb != &png_ptr->jmp_buf_local)
684 {
685 /* Make an internal, libpng, jmp_buf to return here */
686 jmp_buf free_jmp_buf;
687
688 if (!setjmp(free_jmp_buf))
689 {
690 png_ptr->jmp_buf_ptr = &free_jmp_buf; /* come back here */
691 png_ptr->jmp_buf_size = 0; /* stack allocation */
692 png_ptr->longjmp_fn = longjmp;
693 png_free(png_ptr, jb); /* Return to setjmp on error */
694 }
695 }
696 }
697
698 /* *Always* cancel everything out: */
699 png_ptr->jmp_buf_size = 0;
700 png_ptr->jmp_buf_ptr = NULL;
701 png_ptr->longjmp_fn = 0;
702 }
703 }
704 #endif
705
706 /* This is the default error handling function. Note that replacements for
707 * this function MUST NOT RETURN, or the program will likely crash. This
708 * function is used by default, or if the program supplies NULL for the
709 * error function pointer in png_set_error_fn().
710 */
711 static PNG_FUNCTION(void /* PRIVATE */,
712 png_default_error,(png_const_structrp png_ptr, png_const_charp error_message),
713 PNG_NORETURN)
714 {
715 #ifdef PNG_CONSOLE_IO_SUPPORTED
716 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
717 /* Check on NULL only added in 1.5.4 */
718 if (error_message != NULL && *error_message == PNG_LITERAL_SHARP)
719 {
720 /* Strip "#nnnn " from beginning of error message. */
721 int offset;
722 char error_number[16];
723 for (offset = 0; offset<15; offset++)
724 {
725 error_number[offset] = error_message[offset + 1];
726 if (error_message[offset] == ' ')
727 break;
728 }
729
730 if ((offset > 1) && (offset < 15))
731 {
732 error_number[offset - 1] = '\0';
733 fprintf(stderr, "libpng error no. %s: %s",
734 error_number, error_message + offset + 1);
735 fprintf(stderr, PNG_STRING_NEWLINE);
736 }
737
738 else
739 {
740 fprintf(stderr, "libpng error: %s, offset=%d",
741 error_message, offset);
742 fprintf(stderr, PNG_STRING_NEWLINE);
743 }
744 }
745 else
746 #endif
747 {
748 fprintf(stderr, "libpng error: %s", error_message ? error_message :
749 "undefined");
750 fprintf(stderr, PNG_STRING_NEWLINE);
751 }
752 #else
753 PNG_UNUSED(error_message) /* Make compiler happy */
754 #endif
755 png_longjmp(png_ptr, 1);
756 }
757
758 PNG_FUNCTION(void,PNGAPI
759 png_longjmp,(png_const_structrp png_ptr, int val),PNG_NORETURN)
760 {
761 #ifdef PNG_SETJMP_SUPPORTED
762 if (png_ptr != NULL && png_ptr->longjmp_fn != NULL &&
763 png_ptr->jmp_buf_ptr != NULL)
764 png_ptr->longjmp_fn(*png_ptr->jmp_buf_ptr, val);
765 #else
766 PNG_UNUSED(png_ptr)
767 PNG_UNUSED(val)
768 #endif
769
770 /* If control reaches this point, png_longjmp() must not return. The only
771 * choice is to terminate the whole process (or maybe the thread); to do
772 * this the ANSI-C abort() function is used unless a different method is
773 * implemented by overriding the default configuration setting for
774 * PNG_ABORT().
775 */
776 PNG_ABORT();
777 }
778
779 #ifdef PNG_WARNINGS_SUPPORTED
780 /* This function is called when there is a warning, but the library thinks
781 * it can continue anyway. Replacement functions don't have to do anything
782 * here if you don't want them to. In the default configuration, png_ptr is
783 * not used, but it is passed in case it may be useful.
784 */
785 static void /* PRIVATE */
png_default_warning(png_const_structrp png_ptr,png_const_charp warning_message)786 png_default_warning(png_const_structrp png_ptr, png_const_charp warning_message)
787 {
788 #ifdef PNG_CONSOLE_IO_SUPPORTED
789 # ifdef PNG_ERROR_NUMBERS_SUPPORTED
790 if (*warning_message == PNG_LITERAL_SHARP)
791 {
792 int offset;
793 char warning_number[16];
794 for (offset = 0; offset < 15; offset++)
795 {
796 warning_number[offset] = warning_message[offset + 1];
797 if (warning_message[offset] == ' ')
798 break;
799 }
800
801 if ((offset > 1) && (offset < 15))
802 {
803 warning_number[offset + 1] = '\0';
804 fprintf(stderr, "libpng warning no. %s: %s",
805 warning_number, warning_message + offset);
806 fprintf(stderr, PNG_STRING_NEWLINE);
807 }
808
809 else
810 {
811 fprintf(stderr, "libpng warning: %s",
812 warning_message);
813 fprintf(stderr, PNG_STRING_NEWLINE);
814 }
815 }
816 else
817 # endif
818
819 {
820 fprintf(stderr, "libpng warning: %s", warning_message);
821 fprintf(stderr, PNG_STRING_NEWLINE);
822 }
823 #else
824 PNG_UNUSED(warning_message) /* Make compiler happy */
825 #endif
826 PNG_UNUSED(png_ptr) /* Make compiler happy */
827 }
828 #endif /* WARNINGS */
829
830 /* This function is called when the application wants to use another method
831 * of handling errors and warnings. Note that the error function MUST NOT
832 * return to the calling routine or serious problems will occur. The return
833 * method used in the default routine calls longjmp(png_ptr->jmp_buf_ptr, 1)
834 */
835 void PNGAPI
png_set_error_fn(png_structrp png_ptr,png_voidp error_ptr,png_error_ptr error_fn,png_error_ptr warning_fn)836 png_set_error_fn(png_structrp png_ptr, png_voidp error_ptr,
837 png_error_ptr error_fn, png_error_ptr warning_fn)
838 {
839 if (png_ptr == NULL)
840 return;
841
842 png_ptr->error_ptr = error_ptr;
843 png_ptr->error_fn = error_fn;
844 #ifdef PNG_WARNINGS_SUPPORTED
845 png_ptr->warning_fn = warning_fn;
846 #else
847 PNG_UNUSED(warning_fn)
848 #endif
849 }
850
851
852 /* This function returns a pointer to the error_ptr associated with the user
853 * functions. The application should free any memory associated with this
854 * pointer before png_write_destroy and png_read_destroy are called.
855 */
856 png_voidp PNGAPI
png_get_error_ptr(png_const_structrp png_ptr)857 png_get_error_ptr(png_const_structrp png_ptr)
858 {
859 if (png_ptr == NULL)
860 return NULL;
861
862 return (png_voidp)png_ptr->error_ptr;
863 }
864
865
866 #ifdef PNG_ERROR_NUMBERS_SUPPORTED
867 void PNGAPI
png_set_strip_error_numbers(png_structrp png_ptr,png_uint_32 strip_mode)868 png_set_strip_error_numbers(png_structrp png_ptr, png_uint_32 strip_mode)
869 {
870 if (png_ptr != NULL)
871 {
872 png_ptr->flags &=
873 ((~(PNG_FLAG_STRIP_ERROR_NUMBERS |
874 PNG_FLAG_STRIP_ERROR_TEXT))&strip_mode);
875 }
876 }
877 #endif
878
879 #if defined(PNG_SIMPLIFIED_READ_SUPPORTED) ||\
880 defined(PNG_SIMPLIFIED_WRITE_SUPPORTED)
881 /* Currently the above both depend on SETJMP_SUPPORTED, however it would be
882 * possible to implement without setjmp support just so long as there is some
883 * way to handle the error return here:
884 */
885 PNG_FUNCTION(void /* PRIVATE */, (PNGCBAPI
886 png_safe_error),(png_structp png_nonconst_ptr, png_const_charp error_message),
887 PNG_NORETURN)
888 {
889 png_const_structrp png_ptr = png_nonconst_ptr;
890 png_imagep image = png_voidcast(png_imagep, png_ptr->error_ptr);
891
892 /* An error is always logged here, overwriting anything (typically a warning)
893 * that is already there:
894 */
895 if (image != NULL)
896 {
897 png_safecat(image->message, (sizeof image->message), 0, error_message);
898 image->warning_or_error |= PNG_IMAGE_ERROR;
899
900 /* Retrieve the jmp_buf from within the png_control, making this work for
901 * C++ compilation too is pretty tricky: C++ wants a pointer to the first
902 * element of a jmp_buf, but C doesn't tell us the type of that.
903 */
904 if (image->opaque != NULL && image->opaque->error_buf != NULL)
905 longjmp(png_control_jmp_buf(image->opaque), 1);
906
907 /* Missing longjmp buffer, the following is to help debugging: */
908 {
909 size_t pos = png_safecat(image->message, (sizeof image->message), 0,
910 "bad longjmp: ");
911 png_safecat(image->message, (sizeof image->message), pos,
912 error_message);
913 }
914 }
915
916 /* Here on an internal programming error. */
917 abort();
918 }
919
920 #ifdef PNG_WARNINGS_SUPPORTED
921 void /* PRIVATE */ PNGCBAPI
png_safe_warning(png_structp png_nonconst_ptr,png_const_charp warning_message)922 png_safe_warning(png_structp png_nonconst_ptr, png_const_charp warning_message)
923 {
924 png_const_structrp png_ptr = png_nonconst_ptr;
925 png_imagep image = png_voidcast(png_imagep, png_ptr->error_ptr);
926
927 /* A warning is only logged if there is no prior warning or error. */
928 if (image->warning_or_error == 0)
929 {
930 png_safecat(image->message, (sizeof image->message), 0, warning_message);
931 image->warning_or_error |= PNG_IMAGE_WARNING;
932 }
933 }
934 #endif
935
936 int /* PRIVATE */
png_safe_execute(png_imagep image,int (* function)(png_voidp),png_voidp arg)937 png_safe_execute(png_imagep image, int (*function)(png_voidp), png_voidp arg)
938 {
939 png_voidp saved_error_buf = image->opaque->error_buf;
940 jmp_buf safe_jmpbuf;
941 int result;
942
943 /* Safely execute function(arg), with png_error returning back here. */
944 if (setjmp(safe_jmpbuf) == 0)
945 {
946 image->opaque->error_buf = safe_jmpbuf;
947 result = function(arg);
948 image->opaque->error_buf = saved_error_buf;
949 return result;
950 }
951
952 /* On png_error, return via longjmp, pop the jmpbuf, and free the image. */
953 image->opaque->error_buf = saved_error_buf;
954 png_image_free(image);
955 return 0;
956 }
957 #endif /* SIMPLIFIED READ || SIMPLIFIED_WRITE */
958 #endif /* READ || WRITE */
959