Google Git
Sign in
skia / third_party / libpng / 52c89ad0531eb97995bc8a2889e730aadb7c6fe9^! / .
commit52c89ad0531eb97995bc8a2889e730aadb7c6fe9[log] [tgz]
authorGlenn Randers-Pehrson <glennrp at users.sourceforge.net>Fri Oct 23 09:01:31 2015 -0500
committerGlenn Randers-Pehrson <glennrp at users.sourceforge.net>Fri Oct 23 09:01:31 2015 -0500
treeac91c6550aa7c4d771798dada99c91413635d703
parent67c4bc9f5ce885e7d3fb71f1f69490a1f5ff14b7 [diff]
[libpng14] Added a safety check in png_set_tIME() (Bug report from Qixue Xiao).

diff --git a/ANNOUNCE b/ANNOUNCE
index 103a57f..1717fdc 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.4.17beta03 - October 15, 2015
+Libpng 1.4.17beta03 - October 23, 2015
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -53,7 +53,8 @@
   Fixed png_save_int_32 when int is not 2's complement (John Bowler).
   Added sPLT support to pngtest.c
 
-version 1.4.17beta03 [October 15, 2015]
+version 1.4.17beta03 [October 23, 2015]
+  Added a safety check in png_set_tIME() (Bug report from Qixue Xiao).
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit

diff --git a/CHANGES b/CHANGES
index 654735a..d1195f4 100644
--- a/CHANGES
+++ b/CHANGES

@@ -2983,7 +2983,8 @@
   Fixed png_save_int_32 when int is not 2's complement (John Bowler).
   Added sPLT support to pngtest.c
 
-version 1.4.17beta03 [October 15, 2015]
+version 1.4.17beta03 [October 23, 2015]
+  Added a safety check in png_set_tIME() (Bug report from Qixue Xiao).
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit

diff --git a/png.c b/png.c
index 26f3700..df3d54a 100644
--- a/png.c
+++ b/png.c

@@ -520,6 +520,7 @@
 
    if (png_ptr == NULL)
       return (NULL);
+
    if (png_ptr->time_buffer == NULL)
    {
       png_ptr->time_buffer = (png_charp)png_malloc(png_ptr, (png_uint_32)(29*
@@ -530,7 +531,7 @@
    {
       char near_time_buf[29];
       png_snprintf6(near_time_buf, 29, "%d %s %d %02d:%02d:%02d +0000",
-          ptime->day % 32, short_months[(ptime->month - 1) % 12],
+          ptime->day % 32, short_months[(ptime->month - 1U) % 12],
           ptime->year, ptime->hour % 24, ptime->minute % 60,
           ptime->second % 61);
       png_memcpy(png_ptr->time_buffer, near_time_buf,
@@ -538,7 +539,7 @@
    }
 #else
    png_snprintf6(png_ptr->time_buffer, 29, "%d %s %d %02d:%02d:%02d +0000",
-       ptime->day % 32, short_months[(ptime->month - 1) % 12],
+       ptime->day % 32, short_months[(ptime->month - 1U) % 12],
        ptime->year, ptime->hour % 24, ptime->minute % 60,
        ptime->second % 61);
 #endif
@@ -557,13 +558,13 @@
 #else
 #ifdef __STDC__
    return ((png_charp) PNG_STRING_NEWLINE \
-     "libpng version 1.4.17beta03 - October 15, 2015" PNG_STRING_NEWLINE \
+     "libpng version 1.4.17beta03 - October 23, 2015" PNG_STRING_NEWLINE \
      "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
      "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
      "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
      PNG_STRING_NEWLINE);
 #else
-      return ((png_charp) "libpng version 1.4.17beta03 - October 15, 2015\
+      return ((png_charp) "libpng version 1.4.17beta03 - October 23, 2015\
       Copyright (c) 1998-2015 Glenn Randers-Pehrson\
       Copyright (c) 1996-1997 Andreas Dilger\
       Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.");

diff --git a/pngset.c b/pngset.c
index 88b5034..cfc4688 100644
--- a/pngset.c
+++ b/pngset.c

@@ -1,7 +1,7 @@
 
 /* pngset.c - storage of image information into info struct
  *
- * Last changed in libpng 1.4.17 [October 15, 2015]
+ * Last changed in libpng 1.4.17 [October 23, 2015]
  * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -809,6 +809,15 @@
        (png_ptr->mode & PNG_WROTE_tIME))
       return;
 
+   if (mod_time->month == 0   || mod_time->month > 12  ||
+       mod_time->day   == 0   || mod_time->day   > 31  ||
+       mod_time->hour  > 23   || mod_time->minute > 59 ||
+       mod_time->second > 60)
+   {
+      png_warning(png_ptr, "Ignoring invalid time value");
+      return;
+   }
+
    png_memcpy(&(info_ptr->mod_time), mod_time, png_sizeof(png_time));
    info_ptr->valid |= PNG_INFO_tIME;
 }