From 03eb3b5e87ea18bfbfe3731a23ae103ab48198a4 Mon Sep 17 00:00:00 2001
From: "Yukihiro \"Matz\" Matsumoto" <matz@ruby.or.jp>
Date: Sun, 28 Feb 2021 19:33:57 +0900
Subject: time.c: check overflow in addition and subtraction of `Time`.

---
 mrbgems/mruby-time/src/time.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/mrbgems/mruby-time/src/time.c b/mrbgems/mruby-time/src/time.c
index 33a20b5cf..0a8b30233 100644
--- a/mrbgems/mruby-time/src/time.c
+++ b/mrbgems/mruby-time/src/time.c
@@ -565,7 +565,10 @@ mrb_time_plus(mrb_state *mrb, mrb_value self)
 
   tm = time_get_ptr(mrb, self);
   sec = mrb_to_time_t(mrb, o, &usec);
-  return mrb_time_make_time(mrb, mrb_obj_class(mrb, self), tm->sec+sec, tm->usec+usec, tm->timezone);
+  if (mrb_int_add_overflow(tm->sec, sec, &sec)) {
+    mrb_raise(mrb, E_RANGE_ERROR, "time_t overflow in Time");
+  }
+  return mrb_time_make_time(mrb, mrb_obj_class(mrb, self), sec, tm->usec+usec, tm->timezone);
 }
 
 static mrb_value
@@ -592,7 +595,10 @@ mrb_time_minus(mrb_state *mrb, mrb_value self)
   else {
     time_t sec, usec;
     sec = mrb_to_time_t(mrb, other, &usec);
-    return mrb_time_make_time(mrb, mrb_obj_class(mrb, self), tm->sec-sec, tm->usec-usec, tm->timezone);
+    if (mrb_int_sub_overflow(tm->sec, sec, &sec)) {
+      mrb_raise(mrb, E_RANGE_ERROR, "time_t overflow in Time");
+    }
+    return mrb_time_make_time(mrb, mrb_obj_class(mrb, self), sec, tm->usec-usec, tm->timezone);
   }
 }
 
-- 
cgit v1.2.3