raven-rhel6/png/compat-libpng12/libpng12-CVE-2015-7981.patch

diff --git a/png.c b/png.c
index 18d26db..3cf2b19 100644
--- a/png.c
+++ b/png.c
@@ -675,6 +675,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
 
    if (png_ptr == NULL)
       return (NULL);
+
    if (png_ptr->time_buffer == NULL)
    {
       png_ptr->time_buffer = (png_charp)png_malloc(png_ptr, (png_uint_32)(29*
@@ -685,7 +686,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
    {
       wchar_t time_buf[29];
       wsprintf(time_buf, TEXT("%d %S %d %02d:%02d:%02d +0000"),
-          ptime->day % 32, short_months[(ptime->month - 1) % 12],
+          ptime->day % 32, short_months[(ptime->month - 1U) % 12],
         ptime->year, ptime->hour % 24, ptime->minute % 60,
           ptime->second % 61);
       WideCharToMultiByte(CP_ACP, 0, time_buf, -1, png_ptr->time_buffer,
@@ -696,7 +697,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
    {
       char near_time_buf[29];
       png_snprintf6(near_time_buf, 29, "%d %s %d %02d:%02d:%02d +0000",
-          ptime->day % 32, short_months[(ptime->month - 1) % 12],
+          ptime->day % 32, short_months[(ptime->month - 1U) % 12],
           ptime->year, ptime->hour % 24, ptime->minute % 60,
           ptime->second % 61);
       png_memcpy(png_ptr->time_buffer, near_time_buf,
@@ -704,7 +705,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)
    }
 #else
    png_snprintf6(png_ptr->time_buffer, 29, "%d %s %d %02d:%02d:%02d +0000",
-       ptime->day % 32, short_months[(ptime->month - 1) % 12],
+       ptime->day % 32, short_months[(ptime->month - 1U) % 12],
        ptime->year, ptime->hour % 24, ptime->minute % 60,
        ptime->second % 61);
 #endif
diff --git a/pngset.c b/pngset.c
index b1ce91d..7a47b1e 100644
--- a/pngset.c
+++ b/pngset.c
@@ -845,6 +845,15 @@ png_set_tIME(png_structp png_ptr, png_infop info_ptr, png_timep mod_time)
        (png_ptr->mode & PNG_WROTE_tIME))
       return;
 
+   if (mod_time->month == 0   || mod_time->month > 12  ||
+       mod_time->day   == 0   || mod_time->day   > 31  ||
+       mod_time->hour  > 23   || mod_time->minute > 59 ||
+       mod_time->second > 60)
+   {
+      png_warning(png_ptr, "Ignoring invalid time value");
+      return;
+   }
+
    png_memcpy(&(info_ptr->mod_time), mod_time, png_sizeof(png_time));
    info_ptr->valid |= PNG_INFO_tIME;
 }
first commit 2024-02-21 20:14:44 +06:00			`diff --git a/png.c b/png.c`
			`index 18d26db..3cf2b19 100644`
			`--- a/png.c`
			`+++ b/png.c`
			`@@ -675,6 +675,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)`

			`if (png_ptr == NULL)`
			`return (NULL);`
			`+`
			`if (png_ptr->time_buffer == NULL)`
			`{`
			`png_ptr->time_buffer = (png_charp)png_malloc(png_ptr, (png_uint_32)(29*`
			`@@ -685,7 +686,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)`
			`{`
			`wchar_t time_buf[29];`
			`wsprintf(time_buf, TEXT("%d %S %d %02d:%02d:%02d +0000"),`
			`- ptime->day % 32, short_months[(ptime->month - 1) % 12],`
			`+ ptime->day % 32, short_months[(ptime->month - 1U) % 12],`
			`ptime->year, ptime->hour % 24, ptime->minute % 60,`
			`ptime->second % 61);`
			`WideCharToMultiByte(CP_ACP, 0, time_buf, -1, png_ptr->time_buffer,`
			`@@ -696,7 +697,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)`
			`{`
			`char near_time_buf[29];`
			`png_snprintf6(near_time_buf, 29, "%d %s %d %02d:%02d:%02d +0000",`
			`- ptime->day % 32, short_months[(ptime->month - 1) % 12],`
			`+ ptime->day % 32, short_months[(ptime->month - 1U) % 12],`
			`ptime->year, ptime->hour % 24, ptime->minute % 60,`
			`ptime->second % 61);`
			`png_memcpy(png_ptr->time_buffer, near_time_buf,`
			`@@ -704,7 +705,7 @@ png_convert_to_rfc1123(png_structp png_ptr, png_timep ptime)`
			`}`
			`#else`
			`png_snprintf6(png_ptr->time_buffer, 29, "%d %s %d %02d:%02d:%02d +0000",`
			`- ptime->day % 32, short_months[(ptime->month - 1) % 12],`
			`+ ptime->day % 32, short_months[(ptime->month - 1U) % 12],`
			`ptime->year, ptime->hour % 24, ptime->minute % 60,`
			`ptime->second % 61);`
			`#endif`
			`diff --git a/pngset.c b/pngset.c`
			`index b1ce91d..7a47b1e 100644`
			`--- a/pngset.c`
			`+++ b/pngset.c`
			`@@ -845,6 +845,15 @@ png_set_tIME(png_structp png_ptr, png_infop info_ptr, png_timep mod_time)`
			`(png_ptr->mode & PNG_WROTE_tIME))`
			`return;`

			`+ if (mod_time->month == 0 \|\| mod_time->month > 12 \|\|`
			`+ mod_time->day == 0 \|\| mod_time->day > 31 \|\|`
			`+ mod_time->hour > 23 \|\| mod_time->minute > 59 \|\|`
			`+ mod_time->second > 60)`
			`+ {`
			`+ png_warning(png_ptr, "Ignoring invalid time value");`
			`+ return;`
			`+ }`
			`+`
			`png_memcpy(&(info_ptr->mod_time), mod_time, png_sizeof(png_time));`
			`info_ptr->valid \|= PNG_INFO_tIME;`
			`}`