[libpng12] Added a safety check in png_set_tIME() (Bug report from Qixue Xiao).

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.2.54beta01 - July 30, 2015
+Libpng 1.2.54beta01 - October 23, 2015
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -43,7 +43,7 @@ Other information:
 
 Changes since the last public release (1.2.53):
 
-version 1.2.54beta01 [July 30, 2015]
+version 1.2.54beta01 [October 23, 2015]
   Fix typecast in a png_debug2() statement in png_set_text_2() to
     avoid a compiler warning in PNG_DEBUG builds.
   Fixed printf formats in pngtest.c to avoid compiler warnings and a
@@ -54,6 +54,8 @@ version 1.2.54beta01 [July 30, 2015]
   Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
   Use nanosleep() instead of usleep() in contrib/gregbook/rpng2-x.c
     because usleep() is deprecated (port from libpng16).
+  Fixed some bad links in the man page.
+  Added a safety check in png_set_tIME() (Bug report from Qixue Xiao).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -993,6 +993,7 @@ version 1.2.0beta3 [May 17, 2001]
   Modified png_create_struct so it passes user mem_ptr to user memory allocator.
   Increased png_mng_features flag from png_byte to png_uint_32.
   Bumped shared-library (so-number) and dll-number to 3.
+version 1.0.12 [June 8, 2001]
 version 1.2.0beta4 [June 23, 2001]
   Check for missing profile length field in iCCP chunk and free chunk_data
      in case of truncated iCCP chunk.
@@ -1418,7 +1419,7 @@ version 1.2.8rc4 [November 29, 2004]
 version 1.2.8rc5 [November 29, 2004]
   Fixed new typo in scripts/pngw32.rc
 
-version 1.2.8 [December 3, 2004]
+version 1.0.18, 1.2.8 [December 3, 2004]
   Removed projects/visualc7, added projects/visualc71.
 
 version 1.2.9beta1 [February 21, 2006]
@@ -2858,7 +2859,7 @@ version 1.2.53rc02 [February 21, 2015]
 versions 1.0.63 and 1.2.53 [February 26, 2015]
   No changes.
 
-version 1.2.54beta01 [July 30, 2015]
+version 1.2.54beta01 [October 23, 2015]
   Fixed typecast in a png_debug2() statement in png_set_text_2() to
     avoid a compiler warning in PNG_DEBUG builds.
   Fixed printf formats in pngtest.c to avoid compiler warnings and a
@@ -2869,6 +2870,8 @@ version 1.2.54beta01 [July 30, 2015]
   Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c
   Use nanosleep() instead of usleep() in contrib/gregbook/rpng2-x.c
     because usleep() is deprecated (port from libpng16).
+  Fixed some bad links in the man page.
+  Added a safety check in png_set_tIME() (Bug report from Qixue Xiao).
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

png.c

@@ -681,6 +681,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
 
    if (png_ptr == NULL)
       return (NULL);
+
    if (png_ptr->time_buffer == NULL)
    {
       png_ptr->time_buffer = (png_charp)png_malloc(png_ptr, (png_uint_32)(29*
@@ -691,7 +692,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
    {
       wchar_t time_buf[29];
       wsprintf(time_buf, TEXT("%d %S %d %02d:%02d:%02d +0000"),
-          ptime->day % 32, short_months[(ptime->month - 1) % 12],
+          ptime->day % 32, short_months[(ptime->month - 1U) % 12],
         ptime->year, ptime->hour % 24, ptime->minute % 60,
           ptime->second % 61);
       WideCharToMultiByte(CP_ACP, 0, time_buf, -1, png_ptr->time_buffer,
@@ -702,7 +703,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
    {
       char near_time_buf[29];
       png_snprintf6(near_time_buf, 29, "%d %s %d %02d:%02d:%02d +0000",
-          ptime->day % 32, short_months[(ptime->month - 1) % 12],
+          ptime->day % 32, short_months[(ptime->month - 1U) % 12],
           ptime->year, ptime->hour % 24, ptime->minute % 60,
           ptime->second % 61);
       png_memcpy(png_ptr->time_buffer, near_time_buf,
@@ -710,7 +711,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
    }
 #else
    png_snprintf6(png_ptr->time_buffer, 29, "%d %s %d %02d:%02d:%02d +0000",
-       ptime->day % 32, short_months[(ptime->month - 1) % 12],
+       ptime->day % 32, short_months[(ptime->month - 1U) % 12],
        ptime->year, ptime->hour % 24, ptime->minute % 60,
        ptime->second % 61);
 #endif
@@ -730,13 +731,13 @@ png_get_copyright(png_structp png_ptr)
 #else
 #ifdef __STDC__
    return ((png_charp) PNG_STRING_NEWLINE \
-     "libpng version 1.2.54beta01 - July 30, 2015" PNG_STRING_NEWLINE \
+     "libpng version 1.2.54beta01 - October 23, 2015" PNG_STRING_NEWLINE \
      "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
      "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
      "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
      PNG_STRING_NEWLINE);
 #else
-      return ((png_charp) "libpng version 1.2.54beta01 - July 30, 2015\
+      return ((png_charp) "libpng version 1.2.54beta01 - October 23, 2015\
       Copyright (c) 1998-2015 Glenn Randers-Pehrson\
       Copyright (c) 1996-1997 Andreas Dilger\
       Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.");

pngset.c

@@ -837,6 +837,15 @@ png_set_tIME(png_structp png_ptr, png_infop info_ptr, png_timep mod_time)
        (png_ptr->mode & PNG_WROTE_tIME))
       return;
 
+   if (mod_time->month == 0   || mod_time->month > 12  ||
+       mod_time->day   == 0   || mod_time->day   > 31  ||
+       mod_time->hour  > 23   || mod_time->minute > 59 ||
+       mod_time->second > 60)
+   {
+      png_warning(png_ptr, "Ignoring invalid time value");
+      return;
+   }
+
    png_memcpy(&(info_ptr->mod_time), mod_time, png_sizeof(png_time));
    info_ptr->valid |= PNG_INFO_tIME;
 }