Package: libpng / 1.2.50-2+deb8u3

CVE-2015-7981.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
Description: Added a safety check in png_set_tIME()
Origin: upstream, https://github.com/glennrp/libpng/commit/fbf0f024346ca0a4ffc64b082a95c6b6bb6d29c4
Bug: http://sourceforge.net/p/libpng/bugs/241/
Bug-Debian: https://bugs.debian.org/803078 
Forwarded: not-needed
Author: Glenn Randers-Pehrson <glennrp@users.sourceforge.net>
Last-Update: 2015-11-17
Applied-Upstream: v1.2.54

---
--- a/png.c
+++ b/png.c
@@ -675,6 +675,7 @@ png_convert_to_rfc1123(png_structp png_p
 
    if (png_ptr == NULL)
       return (NULL);
+
    if (png_ptr->time_buffer == NULL)
    {
       png_ptr->time_buffer = (png_charp)png_malloc(png_ptr, (png_uint_32)(29*
@@ -685,7 +686,7 @@ png_convert_to_rfc1123(png_structp png_p
    {
       wchar_t time_buf[29];
       wsprintf(time_buf, TEXT("%d %S %d %02d:%02d:%02d +0000"),
-          ptime->day % 32, short_months[(ptime->month - 1) % 12],
+          ptime->day % 32, short_months[(ptime->month - 1U) % 12],
         ptime->year, ptime->hour % 24, ptime->minute % 60,
           ptime->second % 61);
       WideCharToMultiByte(CP_ACP, 0, time_buf, -1, png_ptr->time_buffer,
@@ -696,7 +697,7 @@ png_convert_to_rfc1123(png_structp png_p
    {
       char near_time_buf[29];
       png_snprintf6(near_time_buf, 29, "%d %s %d %02d:%02d:%02d +0000",
-          ptime->day % 32, short_months[(ptime->month - 1) % 12],
+          ptime->day % 32, short_months[(ptime->month - 1U) % 12],
           ptime->year, ptime->hour % 24, ptime->minute % 60,
           ptime->second % 61);
       png_memcpy(png_ptr->time_buffer, near_time_buf,
@@ -704,7 +705,7 @@ png_convert_to_rfc1123(png_structp png_p
    }
 #else
    png_snprintf6(png_ptr->time_buffer, 29, "%d %s %d %02d:%02d:%02d +0000",
-       ptime->day % 32, short_months[(ptime->month - 1) % 12],
+       ptime->day % 32, short_months[(ptime->month - 1U) % 12],
        ptime->year, ptime->hour % 24, ptime->minute % 60,
        ptime->second % 61);
 #endif
--- a/pngset.c
+++ b/pngset.c
@@ -835,6 +835,15 @@ png_set_tIME(png_structp png_ptr, png_in
        (png_ptr->mode & PNG_WROTE_tIME))
       return;
 
+   if (mod_time->month == 0   || mod_time->month > 12  ||
+       mod_time->day   == 0   || mod_time->day   > 31  ||
+       mod_time->hour  > 23   || mod_time->minute > 59 ||
+       mod_time->second > 60)
+   {
+      png_warning(png_ptr, "Ignoring invalid time value");
+      return;
+   }
+
    png_memcpy(&(info_ptr->mod_time), mod_time, png_sizeof(png_time));
    info_ptr->valid |= PNG_INFO_tIME;
 }