From fbf0f024346ca0a4ffc64b082a95c6b6bb6d29c4 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Fri, 23 Oct 2015 08:44:51 -0500 Subject: [PATCH] [libpng12] Added a safety check in png_set_tIME() (Bug report from Qixue Xiao). --- ANNOUNCE | 6 ++++-- CHANGES | 7 +++++-- png.c | 11 ++++++----- pngset.c | 9 +++++++++ 4 files changed, 24 insertions(+), 9 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index db820e0e..46f9e834 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,5 +1,5 @@ -Libpng 1.2.54beta01 - July 30, 2015 +Libpng 1.2.54beta01 - October 23, 2015 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -43,7 +43,7 @@ Other information: Changes since the last public release (1.2.53): -version 1.2.54beta01 [July 30, 2015] +version 1.2.54beta01 [October 23, 2015] Fix typecast in a png_debug2() statement in png_set_text_2() to avoid a compiler warning in PNG_DEBUG builds. Fixed printf formats in pngtest.c to avoid compiler warnings and a @@ -54,6 +54,8 @@ version 1.2.54beta01 [July 30, 2015] Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c Use nanosleep() instead of usleep() in contrib/gregbook/rpng2-x.c because usleep() is deprecated (port from libpng16). + Fixed some bad links in the man page. + Added a safety check in png_set_tIME() (Bug report from Qixue Xiao). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 88a4b7e2..77fc7737 100644 --- a/CHANGES +++ b/CHANGES 
@@ -993,6 +993,7 @@ version 1.2.0beta3 [May 17, 2001] Modified png_create_struct so it passes user mem_ptr to user memory allocator. Increased png_mng_features flag from png_byte to png_uint_32. Bumped shared-library (so-number) and dll-number to 3. +version 1.0.12 [June 8, 2001] version 1.2.0beta4 [June 23, 2001] Check for missing profile length field in iCCP chunk and free chunk_data in case of truncated iCCP chunk. @@ -1418,7 +1419,7 @@ version 1.2.8rc4 [November 29, 2004] version 1.2.8rc5 [November 29, 2004] Fixed new typo in scripts/pngw32.rc -version 1.2.8 [December 3, 2004] +version 1.0.18, 1.2.8 [December 3, 2004] Removed projects/visualc7, added projects/visualc71. version 1.2.9beta1 [February 21, 2006] @@ -2858,7 +2859,7 @@ version 1.2.53rc02 [February 21, 2015] versions 1.0.63 and 1.2.53 [February 26, 2015] No changes. -version 1.2.54beta01 [July 30, 2015] +version 1.2.54beta01 [October 23, 2015] Fixed typecast in a png_debug2() statement in png_set_text_2() to avoid a compiler warning in PNG_DEBUG builds. Fixed printf formats in pngtest.c to avoid compiler warnings and a @@ -2869,6 +2870,8 @@ version 1.2.54beta01 [July 30, 2015] Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c Use nanosleep() instead of usleep() in contrib/gregbook/rpng2-x.c because usleep() is deprecated (port from libpng16). + Fixed some bad links in the man page. + Added a safety check in png_set_tIME() (Bug report from Qixue Xiao). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/png.c b/png.c index 2edf6181..b053e39a 100644 --- a/png.c +++ b/png.c @@ -681,6 +681,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime) if (png_ptr == NULL) return (NULL); + if (png_ptr->time_buffer == NULL) { png_ptr->time_buffer = (png_charp)png_malloc(png_ptr, (png_uint_32)(29* 
@@ -691,7 +692,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime) { wchar_t time_buf[29]; wsprintf(time_buf, TEXT("%d %S %d %02d:%02d:%02d +0000"), - ptime->day % 32, short_months[(ptime->month - 1) % 12], + ptime->day % 32, short_months[(ptime->month - 1U) % 12], ptime->year, ptime->hour % 24, ptime->minute % 60, ptime->second % 61); WideCharToMultiByte(CP_ACP, 0, time_buf, -1, png_ptr->time_buffer, @@ -702,7 +703,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime) { char near_time_buf[29]; png_snprintf6(near_time_buf, 29, "%d %s %d %02d:%02d:%02d +0000", - ptime->day % 32, short_months[(ptime->month - 1) % 12], + ptime->day % 32, short_months[(ptime->month - 1U) % 12], ptime->year, ptime->hour % 24, ptime->minute % 60, ptime->second % 61); png_memcpy(png_ptr->time_buffer, near_time_buf, @@ -710,7 +711,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime) } #else png_snprintf6(png_ptr->time_buffer, 29, "%d %s %d %02d:%02d:%02d +0000", - ptime->day % 32, short_months[(ptime->month - 1) % 12], + ptime->day % 32, short_months[(ptime->month - 1U) % 12], ptime->year, ptime->hour % 24, ptime->minute % 60, ptime->second % 61); #endif @@ -730,13 +731,13 @@ png_get_copyright(png_structp png_ptr) #else #ifdef __STDC__ return ((png_charp) PNG_STRING_NEWLINE \ - "libpng version 1.2.54beta01 - July 30, 2015" PNG_STRING_NEWLINE \ + "libpng version 1.2.54beta01 - October 23, 2015" PNG_STRING_NEWLINE \ "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \ "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ PNG_STRING_NEWLINE); #else - return ((png_charp) "libpng version 1.2.54beta01 - July 30, 2015\ + return ((png_charp) "libpng version 1.2.54beta01 - October 23, 2015\ Copyright (c) 1998-2015 Glenn Randers-Pehrson\ Copyright (c) 1996-1997 Andreas Dilger\ Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."); 
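Review bot: With `(ptime->month - 1U) % 12` a month of 0 no longer produces a negative index into `short_months`, but the subtraction wraps to a large unsigned value whose remainder selects an unrelated valid entry, so the formatted string silently carries a wrong month. The same expression appears at all three call sites (the `wsprintf` branch and both `png_snprintf6` branches, in the hunks at -691, -702 and -710). png_convert_to_rfc1123 takes a caller-supplied `png_timep`, so it can still receive values that never passed through png_set_tIME; consider rejecting them up front with `if (ptime->month == 0 || ptime->month > 12) return (NULL);`, or at least add a comment such as `/* 1U forces unsigned arithmetic so month == 0 cannot yield a negative index */`. The function body starts and ends outside these hunks.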
diff --git a/pngset.c b/pngset.c index a681a31a..47327700 100644 --- a/pngset.c +++ b/pngset.c @@ -837,6 +837,15 @@ png_set_tIME(png_structp png_ptr, png_infop info_ptr, png_timep mod_time) (png_ptr->mode & PNG_WROTE_tIME)) return; + if (mod_time->month == 0 || mod_time->month > 12 || + mod_time->day == 0 || mod_time->day > 31 || + mod_time->hour > 23 || mod_time->minute > 59 || + mod_time->second > 60) + { + png_warning(png_ptr, "Ignoring invalid time value"); + return; + } + png_memcpy(&(info_ptr->mod_time), mod_time, png_sizeof(png_time)); info_ptr->valid |= PNG_INFO_tIME; }
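Review bot: The new range check dereferences `mod_time` before anything visible in the hunk has tested it for NULL; the start of the guard condition above it lies outside the hunk, so confirm that it covers `mod_time`, and if it does not, extend it with `mod_time == NULL ||`. The check is also range-only: `year` is not examined and day 31 is accepted for every month, which is worth stating in a comment such as `/* Range check only; day is not validated against month or year */`. Because png_set_tIME returns void, a rejected value is visible to the caller only through the png_warning() text and the absence of PNG_INFO_tIME in `info_ptr->valid`, so the function's documentation should say that invalid times are dropped rather than stored.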