[libpng14] Added a safety check in png_set_tIME() (Bug report from Qixue Xiao).

2025-07-10 18:04:09 +02:00 · 2015-10-23 09:01:31 -05:00
parent 67c4bc9f5c
commit 52c89ad053
4 changed files with 20 additions and 8 deletions
--- a/pngset.c
+++ b/pngset.c
@@ -1,7 +1,7 @@

 /* pngset.c - storage of image information into info struct
 *
- * Last changed in libpng 1.4.17 [October 15, 2015]
+ * Last changed in libpng 1.4.17 [October 23, 2015]
 * Copyright (c) 1998-2015 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -809,6 +809,15 @@ png_set_tIME(png_structp png_ptr, png_infop info_ptr, png_timep mod_time)
       (png_ptr->mode & PNG_WROTE_tIME))
      return;

+   if (mod_time->month == 0   || mod_time->month > 12  ||
+       mod_time->day   == 0   || mod_time->day   > 31  ||
+       mod_time->hour  > 23   || mod_time->minute > 59 ||
+       mod_time->second > 60)
+   {
+      png_warning(png_ptr, "Ignoring invalid time value");
+      return;
+   }
+
   png_memcpy(&(info_ptr->mod_time), mod_time, png_sizeof(png_time));
   info_ptr->valid |= PNG_INFO_tIME;
 }