[libpng14] Added a safety check in png_set_tIME() (Bug report from Qixue Xiao).

author: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2015-10-23 09:01:31 -0500
committer: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> 2015-10-23 09:01:31 -0500
commit: 52c89ad0531eb97995bc8a2889e730aadb7c6fe9 (patch)
tree: ac91c6550aa7c4d771798dada99c91413635d703 /pngset.c
parent: 67c4bc9f5ce885e7d3fb71f1f69490a1f5ff14b7 (diff)
download: libpng-52c89ad0531eb97995bc8a2889e730aadb7c6fe9.tar.gz
1 files changed, 10 insertions, 1 deletions
diff --git a/pngset.c b/pngset.c
index 88b503429..cfc4688dc 100644
--- a/pngset.c
+++ b/pngset.c
@@ -1,7 +1,7 @@
 
 /* pngset.c - storage of image information into info struct
  *
- * Last changed in libpng 1.4.17 [October 15, 2015]
+ * Last changed in libpng 1.4.17 [October 23, 2015]
  * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -809,6 +809,15 @@ png_set_tIME(png_structp png_ptr, png_infop info_ptr, png_timep mod_time)
        (png_ptr->mode & PNG_WROTE_tIME))
       return;
 
+   if (mod_time->month == 0   || mod_time->month > 12  ||
+       mod_time->day   == 0   || mod_time->day   > 31  ||
+       mod_time->hour  > 23   || mod_time->minute > 59 ||
+       mod_time->second > 60)
+   {
+      png_warning(png_ptr, "Ignoring invalid time value");
+      return;
+   }
+
    png_memcpy(&(info_ptr->mod_time), mod_time, png_sizeof(png_time));
    info_ptr->valid |= PNG_INFO_tIME;
 }
author	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	2015-10-23 09:01:31 -0500
committer	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	2015-10-23 09:01:31 -0500
commit	52c89ad0531eb97995bc8a2889e730aadb7c6fe9 (patch)
tree	ac91c6550aa7c4d771798dada99c91413635d703 /pngset.c
parent	67c4bc9f5ce885e7d3fb71f1f69490a1f5ff14b7 (diff)
download	libpng-52c89ad0531eb97995bc8a2889e730aadb7c6fe9.tar.gz