Fix Integer-overflow in base::Time::FromExploded.

base/time/time_posix.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/time/time.h"
 
 #include <stdint.h>
 #include <sys/time.h>
 #include <time.h>
 #if defined(OS_ANDROID) && !defined(__LP64__)
@@ skipping 95 matching lines @@
   struct timespec ts;
   if (clock_gettime(clk_id, &ts) != 0) {
     NOTREACHED() << "clock_gettime(" << clk_id << ") failed.";
     return 0;
   }
   return ConvertTimespecToMicros(ts);
 }
 #else  // _POSIX_MONOTONIC_CLOCK
 #error No usable tick clock function on this platform.
 #endif  // _POSIX_MONOTONIC_CLOCK
+
+// Safely multiplies |init_value| by |multiply_value| and adds |add_value|
+// to that. Returns result or 0 value avoiding overflows.
+int64_t MultiplyAndAdd(int64_t init_value,

[miu, 2016/10/18 19:55:13]

This helper hides whether overflow occurs (i.e., it will always return zero
whether a non-overflowing result is zero or an overflow occurred). I suggest
getting rid of this method (see comments below).

[maksims (do not use this acc), 2016/10/19 16:41:04]

Removed

+                       int64_t multiply_value,
+                       int64_t add_value) {
+  base::CheckedNumeric<int64_t> result(init_value);
+  result *= multiply_value;
+  result += add_value;
+  return result.ValueOrDefault(0);
+}
+
 #endif  // !defined(OS_MACOSX)
 
 }  // namespace
 
 namespace base {
 
 // static
 TimeDelta TimeDelta::FromTimeSpec(const timespec& ts) {
   return TimeDelta(ts.tv_sec * Time::kMicrosecondsPerSecond +
                    ts.tv_nsec / Time::kNanosecondsPerMicrosecond);
@@ skipping 109 matching lines @@
   timestruct.tm_mon    = exploded.month - 1;
   timestruct.tm_year   = exploded.year - 1900;
   timestruct.tm_wday   = exploded.day_of_week;  // mktime/timegm ignore this
   timestruct.tm_yday   = 0;     // mktime/timegm ignore this
   timestruct.tm_isdst  = -1;    // attempt to figure it out
 #if !defined(OS_NACL) && !defined(OS_SOLARIS)
   timestruct.tm_gmtoff = 0;     // not a POSIX field, so mktime/timegm ignore
   timestruct.tm_zone   = NULL;  // not a POSIX field, so mktime/timegm ignore
 #endif
 
-  int64_t milliseconds;
+  int64_t milliseconds = 0;

[miu, 2016/10/18 19:55:13]

nit: Please move the declaration of |milliseconds| down to around where it is
first used (approx. line 294).

[maksims (do not use this acc), 2016/10/19 16:41:04]

Done.

   SysTime seconds;
 
   // Certain exploded dates do not really exist due to daylight saving times,
   // and this causes mktime() to return implementation-defined values when
   // tm_isdst is set to -1. On Android, the function will return -1, while the
   // C libraries of other platforms typically return a liberally-chosen value.
   // Handling this requires the special code below.
 
   // SysTimeFromTimeStruct() modifies the input structure, save current value.
   struct tm timestruct0 = timestruct;
@@ skipping 49 matching lines @@
     const int64_t max_seconds = (sizeof(SysTime) < sizeof(int64_t))
                                     ? std::numeric_limits<SysTime>::max()
                                     : std::numeric_limits<int32_t>::max();
     if (exploded.year < 1969) {
       milliseconds = min_seconds * kMillisecondsPerSecond;
     } else {
       milliseconds = max_seconds * kMillisecondsPerSecond;
       milliseconds += (kMillisecondsPerSecond - 1);
     }
   } else {
-    milliseconds = seconds * kMillisecondsPerSecond + exploded.millisecond;
+    milliseconds =

[miu, 2016/10/18 19:55:13]

Suggestion (to return false if overflow occurs):

  base::CheckedNumeric<int64_t> checked_millis = seconds;
  checked_millis *= kMillisecondsPerSecond;
  checked_millis += exploded.millisecond;
  if (!checked_millis.is_valid()) {
    *time = base::Time(0);
    return false;
  }
  milliseconds = checked_millis.value();

[maksims (do not use this acc), 2016/10/19 16:41:04]

Done.

+        MultiplyAndAdd(seconds, kMillisecondsPerSecond, exploded.millisecond);
   }
 
   // Adjust from Unix (1970) to Windows (1601) epoch.
-  base::Time converted_time =
-      Time((milliseconds * kMicrosecondsPerMillisecond) +
-           kWindowsEpochDeltaMicroseconds);
+  int64_t microseconds_win_epoch =

[miu, 2016/10/18 19:55:13]

Similar suggestion here: Declare |microseconds_win_epoch| as a
base::CheckedNumeric<int64_t> rather than a plain int64_t, and return false if
!is_valid() after the math.

[maksims (do not use this acc), 2016/10/19 16:41:04]

Done.

+      MultiplyAndAdd(milliseconds, kMicrosecondsPerMillisecond,
+                     kWindowsEpochDeltaMicroseconds);
+  base::Time converted_time(microseconds_win_epoch);
 
   // If |exploded.day_of_month| is set to 31 on a 28-30 day month, it will
   // return the first day of the next month. Thus round-trip the time and
   // compare the initial |exploded| with |utc_to_exploded| time.
   base::Time::Exploded to_exploded;
   if (!is_local)
     converted_time.UTCExplode(&to_exploded);
   else
     converted_time.LocalExplode(&to_exploded);
 
@@ skipping 65 matching lines @@
     result.tv_usec = static_cast<suseconds_t>(Time::kMicrosecondsPerSecond) - 1;
     return result;
   }
   int64_t us = us_ - kTimeTToMicrosecondsOffset;
   result.tv_sec = us / Time::kMicrosecondsPerSecond;
   result.tv_usec = us % Time::kMicrosecondsPerSecond;
   return result;
 }
 
 }  // namespace base