[libpng14] Added a safety check in png_set_tIME() (Bug report from Qixue Xiao).

2025-07-10 18:04:09 +02:00 · 2015-10-23 09:01:31 -05:00 · 2015-10-23 09:01:31 -05:00 · 52c89ad053
commit 52c89ad053
parent 67c4bc9f5c
4 changed files with 20 additions and 8 deletions
--- a/5
+++ b/5
@ -1,5 +1,5 @@

-Libpng 1.4.17beta03 - October 15, 2015
+Libpng 1.4.17beta03 - October 23, 2015

 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@ -53,7 +53,8 @@ version 1.4.17beta02 [October 15, 2015]
  Fixed png_save_int_32 when int is not 2's complement (John Bowler).
  Added sPLT support to pngtest.c

-version 1.4.17beta03 [October 15, 2015]
+version 1.4.17beta03 [October 23, 2015]
+  Added a safety check in png_set_tIME() (Bug report from Qixue Xiao).

 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
--- a/3
+++ b/3
@ -2983,7 +2983,8 @@ version 1.4.17beta02 [October 15, 2015]
  Fixed png_save_int_32 when int is not 2's complement (John Bowler).
  Added sPLT support to pngtest.c

-version 1.4.17beta03 [October 15, 2015]
+version 1.4.17beta03 [October 23, 2015]
+  Added a safety check in png_set_tIME() (Bug report from Qixue Xiao).

 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit
--- a/png.c
+++ b/png.c
@ -520,6 +520,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)

   if (png_ptr == NULL)
      return (NULL);
+
   if (png_ptr->time_buffer == NULL)
   {
      png_ptr->time_buffer = (png_charp)png_malloc(png_ptr, (png_uint_32)(29*
@ -530,7 +531,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
   {
      char near_time_buf[29];
      png_snprintf6(near_time_buf, 29, "%d %s %d %02d:%02d:%02d +0000",
-          ptime->day % 32, short_months[(ptime->month - 1) % 12],
+          ptime->day % 32, short_months[(ptime->month - 1U) % 12],
          ptime->year, ptime->hour % 24, ptime->minute % 60,
          ptime->second % 61);
      png_memcpy(png_ptr->time_buffer, near_time_buf,
@ -538,7 +539,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
   }
 #else
   png_snprintf6(png_ptr->time_buffer, 29, "%d %s %d %02d:%02d:%02d +0000",
-       ptime->day % 32, short_months[(ptime->month - 1) % 12],
+       ptime->day % 32, short_months[(ptime->month - 1U) % 12],
       ptime->year, ptime->hour % 24, ptime->minute % 60,
       ptime->second % 61);
 #endif
@ -557,13 +558,13 @@ png_get_copyright(png_const_structp png_ptr)
 #else
 #ifdef __STDC__
   return ((png_charp) PNG_STRING_NEWLINE \
-     "libpng version 1.4.17beta03 - October 15, 2015" PNG_STRING_NEWLINE \
+     "libpng version 1.4.17beta03 - October 23, 2015" PNG_STRING_NEWLINE \
     "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
     "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
     "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
     PNG_STRING_NEWLINE);
 #else
-      return ((png_charp) "libpng version 1.4.17beta03 - October 15, 2015\
+      return ((png_charp) "libpng version 1.4.17beta03 - October 23, 2015\
      Copyright (c) 1998-2015 Glenn Randers-Pehrson\
      Copyright (c) 1996-1997 Andreas Dilger\
      Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.");
--- a/pngset.c
+++ b/pngset.c
@ -1,7 +1,7 @@

 /* pngset.c - storage of image information into info struct
 *
- * Last changed in libpng 1.4.17 [October 15, 2015]
+ * Last changed in libpng 1.4.17 [October 23, 2015]
 * Copyright (c) 1998-2015 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@ -809,6 +809,15 @@ png_set_tIME(png_structp png_ptr, png_infop info_ptr, png_timep mod_time)
       (png_ptr->mode & PNG_WROTE_tIME))
      return;

+   if (mod_time->month == 0   || mod_time->month > 12  ||
+       mod_time->day   == 0   || mod_time->day   > 31  ||
+       mod_time->hour  > 23   || mod_time->minute > 59 ||
+       mod_time->second > 60)
+   {
+      png_warning(png_ptr, "Ignoring invalid time value");
+      return;
+   }
+
   png_memcpy(&(info_ptr->mod_time), mod_time, png_sizeof(png_time));
   info_ptr->valid |= PNG_INFO_tIME;
 }