Menu
▾
▴
[png-mng-implement] iTXt handling
|
From: Frank B. <s88...@ma...> - 2011-11-20 22:31:02
|
Hi,
I find the following text in png.h a little bit misleading:
--
png_text holds the contents of a text/ztxt/itxt chunk in a PNG file,
and whether that contents is compressed or not. The "key" field points
to a regular zero-terminated C string. The "text", "lang", and
"lang_key" fields can be regular C strings, empty strings, or NULL
pointers. However, the structure returned by png_get_text() will always
contain regular zero-terminated C strings (possibly empty), never NULL
pointers, so they can be safely used in printf() and other
string-handling functions.
--
Only key and text are non-NULL, not lang and lang_key. Another oddity
is the compression field:
--
int compression; /* compression value:
-1: tEXt, none
0: zTXt, deflate
1: iTXt, none
2: iTXt, deflate */
--
In 1.2 there is no range check, in 1.4 (and 1.5) there is a check in
png_set_text_2():
--
if (text_ptr[i].compression < PNG_TEXT_COMPRESSION_NONE ||
text_ptr[i].compression >= PNG_TEXT_COMPRESSION_LAST)
--
but this check is inconsequent. For instance png_handle_iTXt() reads the
compression flag, ignores the real value if it's non-zero, decompresses
the text and sets the successor as compression:
--
comp_flag = *lang++;
...
if (comp_flag)
png_decompress_chunk(png_ptr, comp_type,
(size_t)length, prefix_len, &data_len);
...
text_ptr->compression = (int)comp_flag + 1;
--
and then the check in pngset.c prevents that lang and lang_key were
set. Even worse, if one sets the compression flag in a file to 0xFE or
0xFF the API (compression) signals a tEXt resp. compr. zTXt chunk with
itxt_length = 0 and text_length set. No way to tell the difference
between the latin-1 and utf-8 chunks without extra code... I know there
is no string validation in libpng, but the handling of erroneous chunks
should be consistent.
Kind regards,
Frank |