time-util: refuse formatting/parsing times that we can't store

usec_t is always 64bit, which means it can cover quite a number of
years. However, 4 digit year display and glibc limitations around time_t
limit what we can actually parse and format. Let's make this explicit,
so that we never end up formatting dates we can#t parse and vice versa.

Note that this is really just about formatting/parsing. Internal
calculations with times outside of the formattable range are not
affected.

6 files changed, 65 insertions, 3 deletions

diff --git a/src/basic/calendarspec.c b/src/basic/calendarspec.c
index 35dfb6a3db..3fa1c51ace 100644
--- a/src/basic/calendarspec.c
+++ b/src/basic/calendarspec.c
@@ -1228,6 +1228,9 @@ int calendar_spec_next_usec(const CalendarSpec *spec, usec_t usec, usec_t *next)
         assert(spec);
         assert(next);
 
+        if (usec > USEC_TIMESTAMP_FORMATTABLE_MAX)
+                return -EINVAL;
+
         usec++;
         t = (time_t) (usec / USEC_PER_SEC);
         assert_se(localtime_or_gmtime_r(&t, &tm, spec->utc));
diff --git a/src/basic/time-util.c b/src/basic/time-util.c
index 2b44cdf0b1..eefbf90923 100644
--- a/src/basic/time-util.c
+++ b/src/basic/time-util.c
@@ -287,9 +287,11 @@ static char *format_timestamp_internal(
         if (t <= 0 || t == USEC_INFINITY)
                 return NULL; /* Timestamp is unset */
 
+        /* Let's not format times with years > 9999 */
+        if (t > USEC_TIMESTAMP_FORMATTABLE_MAX)
+                return NULL;
+
         sec = (time_t) (t / USEC_PER_SEC); /* Round down */
-        if ((usec_t) sec != (t / USEC_PER_SEC))
-                return NULL; /* overflow? */
 
         if (!localtime_or_gmtime_r(&sec, &tm, utc))
                 return NULL;
@@ -836,9 +838,14 @@ from_tm:
                 return -EINVAL;
 
         ret = (usec_t) x * USEC_PER_SEC + x_usec;
+        if (ret > USEC_TIMESTAMP_FORMATTABLE_MAX)
+                return -EINVAL;
 
 finish:
         ret += plus;
+        if (ret > USEC_TIMESTAMP_FORMATTABLE_MAX)
+                return -EINVAL;
+
         if (ret > minus)
                 ret -= minus;
         else
diff --git a/src/basic/time-util.h b/src/basic/time-util.h
index f67a4474ed..7463507f51 100644
--- a/src/basic/time-util.h
+++ b/src/basic/time-util.h
@@ -181,3 +181,14 @@ static inline usec_t usec_sub(usec_t timestamp, int64_t delta) {
 
         return timestamp - delta;
 }
+
+#if SIZEOF_TIME_T == 8
+/* The last second we can format is 31. Dec 9999, 1s before midnight, because otherwise we'd enter 5 digit year
+ * territory. However, since we want to stay away from this in all timezones we take one day off. */
+#define USEC_TIMESTAMP_FORMATTABLE_MAX ((usec_t) 253402214399000000)
+#elif SIZEOF_TIME_T == 4
+/* With a 32bit time_t we can't go beyond 2038... */
+#define USEC_TIMESTAMP_FORMATTABLE_MAX ((usec_t) 2147483647000000)
+#else
+#error "Yuck, time_t is neither 4 not 8 bytes wide?"
+#endif
diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
index 75ea25c8ac..72c43e80cb 100644
--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
@@ -246,6 +246,11 @@ static int output_timestamp_realtime(FILE *f, sd_journal *j, OutputMode mode, Ou
         if (r < 0)
                 return log_error_errno(r, "Failed to get realtime timestamp: %m");
 
+        if (x > USEC_TIMESTAMP_FORMATTABLE_MAX) {
+                log_error("Timestamp cannot be printed");
+                return -EINVAL;
+        }
+
         if (mode == OUTPUT_SHORT_FULL) {
                 const char *k;
 
diff --git a/src/test/test-date.c b/src/test/test-date.c
index a8d3f1e083..b77598c81d 100644
--- a/src/test/test-date.c
+++ b/src/test/test-date.c
@@ -95,6 +95,16 @@ int main(int argc, char *argv[]) {
         test_one_noutc("@1395716396");
         test_should_parse("today UTC");
         test_should_fail("today UTC UTC");
+        test_should_parse("1970-1-1 UTC");
+        test_should_fail("1969-1-1 UTC");
+#if SIZEOF_TIME_T == 8
+        test_should_parse("9999-12-30 23:59:59 UTC");
+        test_should_fail("9999-12-31 00:00:00 UTC");
+        test_should_fail("10000-01-01 00:00:00 UTC");
+#elif SIZEOF_TIME_T == 4
+        test_should_parse("2038-01-19 03:14:07 UTC");
+        test_should_fail( "2038-01-19 03:14:08 UTC");
+#endif
 
         return 0;
 }
diff --git a/src/test/test-time.c b/src/test/test-time.c
index 8259491813..911282bf0c 100644
--- a/src/test/test-time.c
+++ b/src/test/test-time.c
@@ -17,9 +17,10 @@
   along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/
 
+#include "random-util.h"
+#include "string-util.h"
 #include "strv.h"
 #include "time-util.h"
-#include "random-util.h"
 
 static void test_parse_sec(void) {
         usec_t u;
@@ -248,6 +249,30 @@ static void test_format_timestamp(void) {
         }
 }
 
+static void test_format_timestamp_utc_one(usec_t t, const char *result) {
+        char buf[FORMAT_TIMESTAMP_MAX];
+
+        assert_se(!format_timestamp_utc(buf, sizeof(buf), t) == !result);
+
+        if (result)
+                assert_se(streq(result, buf));
+}
+
+static void test_format_timestamp_utc(void) {
+        test_format_timestamp_utc_one(0, NULL);
+        test_format_timestamp_utc_one(1, "Thu 1970-01-01 00:00:00 UTC");
+        test_format_timestamp_utc_one(USEC_PER_SEC, "Thu 1970-01-01 00:00:01 UTC");
+
+#if SIZEOF_TIME_T == 8
+        test_format_timestamp_utc_one(USEC_TIMESTAMP_FORMATTABLE_MAX, "Thu 9999-12-30 23:59:59 UTC");
+#elif SIZEOF_TIME_T == 4
+        test_format_timestamp_utc_one(USEC_TIMESTAMP_FORMATTABLE_MAX, "Tue 2038-01-19 03:14:07 UTC");
+#endif
+
+        test_format_timestamp_utc_one(USEC_TIMESTAMP_FORMATTABLE_MAX+1, NULL);
+        test_format_timestamp_utc_one(USEC_INFINITY, NULL);
+}
+
 int main(int argc, char *argv[]) {
         uintmax_t x;
 
@@ -262,6 +287,7 @@ int main(int argc, char *argv[]) {
         test_usec_add();
         test_usec_sub();
         test_format_timestamp();
+        test_format_timestamp_utc();
 
         /* Ensure time_t is signed */
         assert_cc((time_t) -1 < (time_t) 1);