Fix a crash in png_convert_from_time_t with an invalid time_t argument

This bug was found by FUTAG, a program for generating automated
fuzz-targets of libraries.

TODO:
Implement a safe function, alternative to png_convert_from_time_t,
which takes a png_ptr argument and raises a png_error if the time_t
argument is invalid.

Reported-by: Tran Chi Thien <thientc@ispras.ru>
Reported-by: Shamil Kurmangaleev <kursh@ispras.ru>
This commit is contained in:
Cosmin Truta 2022-09-13 13:49:02 +03:00
parent 0406deb1ca
commit 36bd1bbd54

View File

@ -1,7 +1,7 @@
/* pngwrite.c - general routines to write a PNG file
*
* Copyright (c) 2018-2019 Cosmin Truta
* Copyright (c) 2018-2022 Cosmin Truta
* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
* Copyright (c) 1996-1997 Andreas Dilger
* Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
@ -484,6 +484,16 @@ png_convert_from_time_t(png_timep ptime, time_t ttime)
png_debug(1, "in png_convert_from_time_t");
tbuf = gmtime(&ttime);
if (tbuf == NULL)
{
/* TODO: add a safe function which takes a png_ptr argument and raises
* a png_error if the ttime argument is invalid and the call to gmtime
* fails as a consequence.
*/
memset(ptime, 0, sizeof(*ptime));
return;
}
png_convert_from_struct_tm(ptime, tbuf);
}
#endif