From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 2 Feb 2017 17:30:29 +0000 (+0100)
Subject: time-util: refuse formatting/parsing times that we can't store
X-Git-Tag: v233.3~80
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=cb4c5148b5dab1eaf42347bde0368b6df916a206;p=elogind.git

time-util: refuse formatting/parsing times that we can't store

usec_t is always 64bit, which means it can cover quite a number of
years. However, 4 digit year display and glibc limitations around time_t
limit what we can actually parse and format. Let's make this explicit,
so that we never end up formatting dates we can#t parse and vice versa.

Note that this is really just about formatting/parsing. Internal
calculations with times outside of the formattable range are not
affected.
---

diff --git a/src/basic/time-util.c b/src/basic/time-util.c
index 2333f6a66..b8f56544d 100644
--- a/src/basic/time-util.c
+++ b/src/basic/time-util.c
@@ -293,9 +293,11 @@ static char *format_timestamp_internal(
         if (t <= 0 || t == USEC_INFINITY)
                 return NULL; /* Timestamp is unset */
 
+        /* Let's not format times with years > 9999 */
+        if (t > USEC_TIMESTAMP_FORMATTABLE_MAX)
+                return NULL;
+
         sec = (time_t) (t / USEC_PER_SEC); /* Round down */
-        if ((usec_t) sec != (t / USEC_PER_SEC))
-                return NULL; /* overflow? */
 
         if (!localtime_or_gmtime_r(&sec, &tm, utc))
                 return NULL;
@@ -849,9 +851,14 @@ from_tm:
                 return -EINVAL;
 
         ret = (usec_t) x * USEC_PER_SEC + x_usec;
+        if (ret > USEC_TIMESTAMP_FORMATTABLE_MAX)
+                return -EINVAL;
 
 finish:
         ret += plus;
+        if (ret > USEC_TIMESTAMP_FORMATTABLE_MAX)
+                return -EINVAL;
+
         if (ret > minus)
                 ret -= minus;
         else
diff --git a/src/basic/time-util.h b/src/basic/time-util.h
index 4485d7eb0..2ea7e8b51 100644
--- a/src/basic/time-util.h
+++ b/src/basic/time-util.h
@@ -203,3 +203,14 @@ static inline usec_t usec_sub(usec_t timestamp, int64_t delta) {
 
         return timestamp - delta;
 }
+
+#if SIZEOF_TIME_T == 8
+/* The last second we can format is 31. Dec 9999, 1s before midnight, because otherwise we'd enter 5 digit year
+ * territory. However, since we want to stay away from this in all timezones we take one day off. */
+#define USEC_TIMESTAMP_FORMATTABLE_MAX ((usec_t) 253402214399000000)
+#elif SIZEOF_TIME_T == 4
+/* With a 32bit time_t we can't go beyond 2038... */
+#define USEC_TIMESTAMP_FORMATTABLE_MAX ((usec_t) 2147483647000000)
+#else
+#error "Yuck, time_t is neither 4 not 8 bytes wide?"
+#endif