Fix a crash in png_convert_from_time_t with an invalid time_t argument

This bug was found by FUTAG, a program for generating automated
fuzz-targets of libraries.

TODO:
Implement a safe function, alternative to png_convert_from_time_t,
which takes a png_ptr argument and raises a png_error if the time_t
argument is invalid.

Reported-by: Tran Chi Thien <thientc@ispras.ru>
Reported-by: Shamil Kurmangaleev <kursh@ispras.ru>

1 files changed, 11 insertions, 1 deletions

diff --git a/pngwrite.c b/pngwrite.c
index d2867a4b2..abbca558f 100644
--- a/pngwrite.c
+++ b/pngwrite.c
@@ -1,7 +1,7 @@
 
 /* pngwrite.c - general routines to write a PNG file
  *
- * Copyright (c) 2018-2019 Cosmin Truta
+ * Copyright (c) 2018-2022 Cosmin Truta
  * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson
  * Copyright (c) 1996-1997 Andreas Dilger
  * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
@@ -484,6 +484,16 @@ png_convert_from_time_t(png_timep ptime, time_t ttime)
    png_debug(1, "in png_convert_from_time_t");
 
    tbuf = gmtime(&ttime);
+   if (tbuf == NULL)
+   {
+      /* TODO: add a safe function which takes a png_ptr argument and raises
+       * a png_error if the ttime argument is invalid and the call to gmtime
+       * fails as a consequence.
+       */
+      memset(ptime, 0, sizeof(*ptime));
+      return;
+   }
+
    png_convert_from_struct_tm(ptime, tbuf);
 }
 #endif