From 52c89ad0531eb97995bc8a2889e730aadb7c6fe9 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Fri, 23 Oct 2015 09:01:31 -0500 Subject: [PATCH] [libpng14] Added a safety check in png_set_tIME() (Bug report from Qixue Xiao). --- ANNOUNCE | 5 +++-- CHANGES | 3 ++- png.c | 9 +++++---- pngset.c | 11 ++++++++++- 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 103a57f29..1717fdc7f 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.4.17beta03 - October 15, 2015 +Libpng 1.4.17beta03 - October 23, 2015 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -53,7 +53,8 @@ version 1.4.17beta02 [October 15, 2015] Fixed png_save_int_32 when int is not 2's complement (John Bowler). Added sPLT support to pngtest.c -version 1.4.17beta03 [October 15, 2015] +version 1.4.17beta03 [October 23, 2015] + Added a safety check in png_set_tIME() (Bug report from Qixue Xiao). Send comments/corrections/commendations to glennrp at users.sourceforge.net or to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 654735a4a..d1195f48c 100644 --- a/CHANGES +++ b/CHANGES @@ -2983,7 +2983,8 @@ version 1.4.17beta02 [October 15, 2015] Fixed png_save_int_32 when int is not 2's complement (John Bowler). Added sPLT support to pngtest.c -version 1.4.17beta03 [October 15, 2015] +version 1.4.17beta03 [October 23, 2015] + Added a safety check in png_set_tIME() (Bug report from Qixue Xiao). Send comments/corrections/commendations to glennrp at users.sourceforge.net or to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/png.c b/png.c index 26f370050..df3d54aa3 100644 --- a/png.c +++ b/png.c 
@@ -520,6 +520,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)

 if (png_ptr == NULL)
 return (NULL);
+
 if (png_ptr->time_buffer == NULL)
 {
 png_ptr->time_buffer = (png_charp)png_malloc(png_ptr, (png_uint_32)(29*
@@ -530,7 +531,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
 {
 char near_time_buf[29];
 png_snprintf6(near_time_buf, 29, "%d %s %d %02d:%02d:%02d +0000",
- ptime->day % 32, short_months[(ptime->month - 1) % 12],
+ ptime->day % 32, short_months[(ptime->month - 1U) % 12],
 ptime->year, ptime->hour % 24, ptime->minute % 60,
 ptime->second % 61);
 png_memcpy(png_ptr->time_buffer, near_time_buf,
@@ -538,7 +539,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
 }
 #else
 png_snprintf6(png_ptr->time_buffer, 29, "%d %s %d %02d:%02d:%02d +0000",
- ptime->day % 32, short_months[(ptime->month - 1) % 12],
+ ptime->day % 32, short_months[(ptime->month - 1U) % 12],
 ptime->year, ptime->hour % 24, ptime->minute % 60,
 ptime->second % 61);
 #endif
@@ -557,13 +558,13 @@ png_get_copyright(png_const_structp png_ptr)
 #else
 #ifdef __STDC__
 return ((png_charp) PNG_STRING_NEWLINE \
- "libpng version 1.4.17beta03 - October 15, 2015" PNG_STRING_NEWLINE \
+ "libpng version 1.4.17beta03 - October 23, 2015" PNG_STRING_NEWLINE \
 "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
 "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
 "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
 PNG_STRING_NEWLINE);
 #else
- return ((png_charp) "libpng version 1.4.17beta03 - October 15, 2015\
+ return ((png_charp) "libpng version 1.4.17beta03 - October 23, 2015\
 Copyright (c) 1998-2015 Glenn Randers-Pehrson\
 Copyright (c) 1996-1997 Andreas Dilger\
 Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.");
diff --git a/pngset.c b/pngset.c
index 88b503429..cfc4688dc 100644
--- a/pngset.c
+++ b/pngset.c
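Review bot: In both png_snprintf6 calls of png_convert_to_rfc1123 (the hunk at -530 and the `#else` branch in the hunk at -538), `(ptime->month - 1U) % 12` keeps the short_months index non-negative for a month of 0 only by relying on unsigned wraparound, and the formatted string then names an unrelated month instead of signalling bad input. This function takes ptime directly from its caller, so the range check this commit adds to png_set_tIME does not necessarily cover a png_time passed here. A comment such as `/* 1U forces unsigned arithmetic so month == 0 cannot yield a negative index; the value is not validated here */` would record the intent, or the function could reject an out-of-range month before formatting. The function body begins and ends outside these hunks, so whether ptime itself is checked for NULL is not visible here.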
@@ -1,7 +1,7 @@

 /* pngset.c - storage of image information into info struct
 *
- * Last changed in libpng 1.4.17 [October 15, 2015]
+ * Last changed in libpng 1.4.17 [October 23, 2015]
 * Copyright (c) 1998-2015 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -809,6 +809,15 @@ png_set_tIME(png_structp png_ptr, png_infop info_ptr, png_timep mod_time)
 (png_ptr->mode & PNG_WROTE_tIME))
 return;

+ if (mod_time->month == 0 || mod_time->month > 12 ||
+ mod_time->day == 0 || mod_time->day > 31 ||
+ mod_time->hour > 23 || mod_time->minute > 59 ||
+ mod_time->second > 60)
+ {
+ png_warning(png_ptr, "Ignoring invalid time value");
+ return;
+ }
+
 png_memcpy(&(info_ptr->mod_time), mod_time, png_sizeof(png_time));
 info_ptr->valid |= PNG_INFO_tIME;
 }
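Review bot: The new range test in png_set_tIME reads `mod_time->month` before anything visible in this hunk checks mod_time for NULL. The guard just above it starts outside the hunk, so if that guard tests only png_ptr and info_ptr, it should be extended with `mod_time == NULL ||`. The test also accepts any day from 1 to 31 regardless of month, so it bounds the fields but is not a calendar check. A short comment such as `/* Range check only; day is not validated against month */` would keep it from being read as full validation.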