[PATCH v2] fix integer overflow of tm_year in __secs_to_tm

[PATCH v2] fix integer overflow of tm_year in __secs_to_tm

[Daniel Sabogal]

From: Daniel Sabogal <dsabogal@ufl.edu>

the overflow check for years+100 did not account for the extra
year computed from the remaining months. instead, perform this
check after obtaining the final number of years.
---
v2: Subtract 12 from months, not 10.

#include <time.h>
#include <stdio.h>
extern int __secs_to_tm(long long t, struct tm *tm);
int main(void)
{
	struct tm tm = {0};
	if (__secs_to_tm(67768036191676800LL, &tm) < 0) return 1;
	printf("%d\n", tm.tm_year);
}

 src/time/__secs_to_tm.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/time/__secs_to_tm.c b/src/time/__secs_to_tm.c
index 3a3123a..c1cc28c 100644
--- a/src/time/__secs_to_tm.c
+++ b/src/time/__secs_to_tm.c
@@ -60,15 +60,16 @@ int __secs_to_tm(long long t, struct tm *tm)
 	for (months=0; days_in_month[months] <= remdays; months++)
 		remdays -= days_in_month[months];
 
+	if (months >= 10) {
+		months -= 12;
+		years++;
+	}
+
 	if (years+100 > INT_MAX || years+100 < INT_MIN)
 		return -1;
 
 	tm->tm_year = years + 100;
 	tm->tm_mon = months + 2;
-	if (tm->tm_mon >= 12) {
-		tm->tm_mon -=12;
-		tm->tm_year++;
-	}
 	tm->tm_mday = remdays + 1;
 	tm->tm_wday = wday;
 	tm->tm_yday = yday;
-- 
2.10.1

Re: [PATCH v2] fix integer overflow of tm_year in __secs_to_tm

[Rich Felker]

On Wed, Nov 02, 2016 at 10:29:36PM -0400, Daniel Sabogal wrote:
> From: Daniel Sabogal <dsabogal@ufl.edu>
> 
> the overflow check for years+100 did not account for the extra
> year computed from the remaining months. instead, perform this
> check after obtaining the final number of years.
> ---
> v2: Subtract 12 from months, not 10.

Thanks. I almost accepted the old patch with the error. Maybe in the
future consider including a test case with the patch.

I don't want to make testcases a prerequisite for bug fixes because
that leads to bugs going unfixed for a long time, but perhaps for
obscure issues like this unlikely to be hit in real-world use, it
would be good to strongly encourage submission of test cases with
patches.

Rich

Re: [PATCH v2] fix integer overflow of tm_year in __secs_to_tm

[Daniel Sabogal]

On Mon, Nov 7, 2016 at 12:09 PM, Rich Felker <dalias@libc.org> wrote:
> On Wed, Nov 02, 2016 at 10:29:36PM -0400, Daniel Sabogal wrote:
>> From: Daniel Sabogal <dsabogal@ufl.edu>
>>
>> the overflow check for years+100 did not account for the extra
>> year computed from the remaining months. instead, perform this
>> check after obtaining the final number of years.
>> ---
>> v2: Subtract 12 from months, not 10.
>
> Thanks. I almost accepted the old patch with the error. Maybe in the
> future consider including a test case with the patch.

I provided a sample program within the patch.
Did you have something else in mind for test cases?

> I don't want to make testcases a prerequisite for bug fixes because
> that leads to bugs going unfixed for a long time, but perhaps for
> obscure issues like this unlikely to be hit in real-world use, it
> would be good to strongly encourage submission of test cases with
> patches.

I agree.

Re: [PATCH v2] fix integer overflow of tm_year in __secs_to_tm

[Rich Felker]

On Mon, Nov 07, 2016 at 10:40:52PM -0500, Daniel Sabogal wrote:
> On Mon, Nov 7, 2016 at 12:09 PM, Rich Felker <dalias@libc.org> wrote:
> > On Wed, Nov 02, 2016 at 10:29:36PM -0400, Daniel Sabogal wrote:
> >> From: Daniel Sabogal <dsabogal@ufl.edu>
> >>
> >> the overflow check for years+100 did not account for the extra
> >> year computed from the remaining months. instead, perform this
> >> check after obtaining the final number of years.
> >> ---
> >> v2: Subtract 12 from months, not 10.
> >
> > Thanks. I almost accepted the old patch with the error. Maybe in the
> > future consider including a test case with the patch.
> 
> I provided a sample program within the patch.
> Did you have something else in mind for test cases?

Admittedly I missed it somehow, but I guess to call it a test case I'd
want to see expected results and a justification for them. In this
case diff of old vs new output for various inputs would have caught
the bug in v1.

It might be nice to have a test in libc-test that just runs a bunch of
time_t-tm-time_t and tm-time_t-tm round trips for random inputs and
checks that they round-trip successfully...

> > I don't want to make testcases a prerequisite for bug fixes because
> > that leads to bugs going unfixed for a long time, but perhaps for
> > obscure issues like this unlikely to be hit in real-world use, it
> > would be good to strongly encourage submission of test cases with
> > patches.
> 
> I agree.

...but the above ideas are getting well beyond what I'd want to impose
on bug reporters/minor patch authors. So it's more just brainstorming
about the tests that would be helpful for someone with the time to
help with testing to implement.

Rich