Added checks in PNG_pvt::write_info (fix SEGFAULT after "PCS illuminant is not D50" libpng error)

[DevilishSpirits]

Description

My change consist of additional setjmp() that catch errors on each step of PNG metadata writing to generate an accurate error message and avoid a longjmp() that lead to undefined behaviors and the following buggy behavior.

The bug

A project of mine read images and write a resized version back in PNG reusing the OIIO::ImageSpec of the loaded image. The image below (https://www.furaffinity.net/view/31141327/) have an ICC profile that libpng dislike and it generates an error in png_set_iCCP called from PNG_pvt::write_info that perform a longjmp() inside the previous call of PNG_pvt::create_write_struct that result in a SEGFAULT.

I can reproduce the bug with oiiotool :

curl 'https://d.furaffinity.net/art/alnix/1554932404/1554932404.alnix_apple_causticwyvernfinal2rowres.jpg' -o '/tmp/segfaulting-icc.jpg'
oiiotool -i '/tmp/segfaulting-icc.jpg' -o '/tmp/segfaulting-icc.png' # <-- Crash with the following output:

Output before my fix:

libpng error: profile 'Embedded Profile': 0h: PCS illuminant is not D50
 0# OpenImageIO_v2_3::Sysutil::stacktrace[abi:cxx11]() in /usr/lib/libOpenImageIO_Util.so.2.3
 1# 0x00007F6E4D94D031 in /usr/lib/libOpenImageIO_Util.so.2.3
 2# 0x00007F6E4D3A2A40 in /usr/lib/libc.so.6
 3# 0x00007F6E4E713A92 in /usr/lib/libOpenImageIO.so.2.3
 4# 0x00007F6E4E61ADE4 in /usr/lib/libOpenImageIO.so.2.3
 5# OpenImageIO_v2_3::PNGOutput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v2_3::ImageSpec const&, OpenImageIO_v2_3::ImageOutput::OpenMode) in /usr/lib/libOpenImageIO.so.2.3
 0# OpenImageIO_v2_3::Sysutil::stacktrace[abi:cxx11]() in /usr/lib/libOpenImageIO_Util.so.2.3
 1# 0x00007F6E4D94D031 in /usr/lib/libOpenImageIO_Util.so.2.3
 2# 0x00007F6E4D3A2A40 in /usr/lib/libc.so.6
 3# 0x00007F6E4D3F24DC in /usr/lib/libc.so.6
 4# gsignal in /usr/lib/libc.so.6
 5# 0x00007F6E4D3A2A40 in /usr/lib/libc.so.6
 6# 0x00007F6E4E713A92 in /usr/lib/libOpenImageIO.so.2.3
 7# 0x00007F6E4E61ADE4 in /usr/lib/libOpenImageIO.so.2.3
 8# OpenImageIO_v2_3::PNGOutput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v2_3::ImageSpec const&, OpenImageIO_v2_3::ImageOutput::OpenMode) in /usr/lib/libOpenImageIO.so.2.3
Abandon (core dumped)

Output after my fix:

libpng error: profile 'Embedded Profile': 0h: PCS illuminant is not D50
libpng error: No IDATs written into file
oiiotool ERROR: -o : PNG write error: profile 'Embedded Profile': 0h: PCS illuminant is not D50
PNG write error: No IDATs written into file
Could not set PNG iCCP chunk
Full command line was:
> oiiotool -i '/tmp/segfaulting-icc.jpg' -o '/tmp/segfaulting-icc.png'

Tests

My changes did not changed tests or tests results on my system (ArchLinux with -DUSE_OPENVBD=0 because of build errors already on master).

Checklist:

• I have read the contribution guidelines.
• If this is more extensive than a small change to existing code, I
  have previously submitted a Contributor License Agreement
  (individual, and if there is any way my
  employers might think my programming belongs to them, then also
  corporate).
• I have updated the documentation, if applicable.
• I have ensured that the change is tested somewhere in the testsuite
  (adding new test cases if necessary).
• My code follows the prevailing code style of this project.

[lgritz]

Let's change this to the modern form

errorfmt("{}", s);

[lgritz]

Mostly for my own curiosity: what purpose does the const serve here?

[DevilishSpirits]

This const is in every other functions returning an error std::string, so I kept it to keep a consistent code-style.

[lgritz]

This LGTM, thanks for the fixes.

Would you mind please looking at the failed CI test that is looking for clang-format compliance, I think there are just a couple lines for you to change to make the formatting pass.

[DevilishSpirits]

Changes made, clang-format is happy now.