From 9e6880e777acf759dc23ebaac63e0971fea05037 Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Fri, 28 Feb 2020 19:39:13 +0300
Subject: [PATCH] Fixed integer-overflow in Date() constructor.

Found by UndefinedBehaviorSanitizer.
---
 src/njs_date.c | 17 +++++++++++------
 src/test/njs_unit_test.c | 18 ++++++++++++++++++
 2 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/src/njs_date.c b/src/njs_date.c
index 7e1e7a2e..01e10233 100644
--- a/src/njs_date.c
+++ b/src/njs_date.c
@@ -118,14 +118,19 @@ njs_days_from_year(int64_t y)
 }
-njs_inline int64_t
+njs_inline double
 njs_make_day(int64_t yr, int64_t month, int64_t date)
 {
- int64_t i, ym, mn, md, days;
+ double days;
+ int64_t i, ym, mn, md;
 static const int month_days[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
+ if (yr < -271822 || yr > 275761) {
+ return NAN;
+ }
+
 mn = njs_mod(month, 12);
 ym = yr + (month - mn) / 12;
@@ -228,15 +233,15 @@ njs_year_from_days(int64_t *days)
 njs_inline double
 njs_make_date(int64_t tm[], njs_bool_t local)
 {
- int64_t days, time;
+ double time, days;
 days = njs_make_day(tm[NJS_DATE_YR], tm[NJS_DATE_MON], tm[NJS_DATE_DAY]);
- time = ((tm[NJS_DATE_HR] * 60 + tm[NJS_DATE_MIN]) * 60
- + tm[NJS_DATE_SEC]) * 1000 + tm[NJS_DATE_MSEC];
+ time = ((tm[NJS_DATE_HR] * 60.0 + tm[NJS_DATE_MIN]) * 60.0
+ + tm[NJS_DATE_SEC]) * 1000.0 + tm[NJS_DATE_MSEC];
- time += days * 86400000;
+ time += days * 86400000.0;
 if (local) {
 time += njs_tz_offset(time) * 60000;
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index bc3fd04b..614cf2ee 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
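Review bot: In njs_make_day (src/njs_date.c, first hunk) the new range check bounds only `yr`, while `ym = yr + (month - mn) / 12` two lines later still folds in the unbounded `month` argument, so an in-range year with a very large month yields a huge `ym`. If `ym` feeds the integer day arithmetic below the hunk (the rest of the body is not visible here), the signed overflow this commit targets may remain reachable through the month slot. Keep the `yr` check, since it protects the addition itself, and add the same bound once the carry is applied: `if (ym < -271822 || ym > 275761) { return NAN; }`.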
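Review bot: In njs_make_date (src/njs_date.c, second hunk) `time` is now a double that can be NaN or far outside the int64_t range, yet the unchanged `local` branch still passes it to `njs_tz_offset(time)`. If that helper takes an integer time argument (its prototype is not in this hunk), converting NaN or an out-of-range double to an integer is undefined behaviour, the same class of finding UBSan reports. Returning early before the branch keeps the conversion defined, e.g. `if (isnan(time)) { return NAN; }`, together with a finite-range check matching whatever clipping the function's tail applies; that tail lies outside the hunk.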
@@ -13270,6 +13270,24 @@ static njs_unit_test_t njs_test[] =
 { njs_str("new Date(8.65e15)"),
 njs_str("Invalid Date") },
+ { njs_str("var d = new Date(1308895200000); new Date(d.getTime(), d.getTime())"),
+ njs_str("Invalid Date") },
+
+ { njs_str("new Date(275760, 1, 2**61)"),
+ njs_str("Invalid Date") },
+
+ { njs_str("new Date(275760, 1, 1, 2**61)"),
+ njs_str("Invalid Date") },
+
+ { njs_str("new Date(275760, 1, 1, 1, 2**61)"),
+ njs_str("Invalid Date") },
+
+ { njs_str("new Date(275760, 1, 1, 1, 1, 2**61)"),
+ njs_str("Invalid Date") },
+
+ { njs_str("new Date(275760, 1, 1, 1, 1, 1, 2**61)"),
+ njs_str("Invalid Date") },
+
 { njs_str("njs.dump([new Date(8.65e15)])"),
 njs_str("[Invalid Date]") },
-- 
2.47.3
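Review bot: The added cases leave two inputs untested: none puts `2**61` in the month slot while the year is in range (the first case has a huge month, but its year is also out of range), and none uses a negative year. The month slot is the one argument that goes into the `ym` computation without a bound of its own, and the new lower bound `yr < -271822` in njs_make_day is never exercised. Adding `new Date(275760, 2**61)` and a case with a year below -271822, both expecting `Invalid Date`, would cover both the untested path and the untested bound.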