From d0f1054087094e5c353aead6bc3370635b69b278 Mon Sep 17 00:00:00 2001
From: Lei Zhang <thestig@chromium.org>
Date: Tue, 18 Jul 2017 17:29:46 -0700
Subject: Prevent more crashes in wcsftime.

BUG=chromium:738303

Change-Id: If36cdc0f53fc224c0c4c8cf775fd2c916f2d0add
Reviewed-on: https://pdfium-review.googlesource.com/8210
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
---
 core/fxcrt/fx_system.cpp          | 11 ++++++-----
 core/fxcrt/fx_system_unittest.cpp |  2 +-
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/core/fxcrt/fx_system.cpp b/core/fxcrt/fx_system.cpp
index af883882b1..83f761ff85 100644
--- a/core/fxcrt/fx_system.cpp
+++ b/core/fxcrt/fx_system.cpp
@@ -24,11 +24,12 @@ size_t FXSYS_wcsftime(wchar_t* strDest,
                       const struct tm* timeptr) {
   // Avoid tripping an invalid parameter handler and crashing process.
   // Note: leap seconds may cause tm_sec == 60.
-  if (timeptr->tm_year < -1900 || timeptr->tm_mon < 0 || timeptr->tm_mon > 11 ||
-      timeptr->tm_mday < 1 || timeptr->tm_mday > 31 || timeptr->tm_hour < 0 ||
-      timeptr->tm_hour > 23 || timeptr->tm_min < 0 || timeptr->tm_min > 59 ||
-      timeptr->tm_sec < 0 || timeptr->tm_sec > 60 || timeptr->tm_wday < 0 ||
-      timeptr->tm_wday > 6 || timeptr->tm_yday < 0 || timeptr->tm_yday > 365) {
+  if (timeptr->tm_year < -1900 || timeptr->tm_year > 8099 ||
+      timeptr->tm_mon < 0 || timeptr->tm_mon > 11 || timeptr->tm_mday < 1 ||
+      timeptr->tm_mday > 31 || timeptr->tm_hour < 0 || timeptr->tm_hour > 23 ||
+      timeptr->tm_min < 0 || timeptr->tm_min > 59 || timeptr->tm_sec < 0 ||
+      timeptr->tm_sec > 60 || timeptr->tm_wday < 0 || timeptr->tm_wday > 6 ||
+      timeptr->tm_yday < 0 || timeptr->tm_yday > 365) {
     strDest[0] = L'\0';
     return 0;
   }
diff --git a/core/fxcrt/fx_system_unittest.cpp b/core/fxcrt/fx_system_unittest.cpp
index da616b4ee6..958d295a24 100644
--- a/core/fxcrt/fx_system_unittest.cpp
+++ b/core/fxcrt/fx_system_unittest.cpp
@@ -182,7 +182,7 @@ TEST(fxcrt, FXSYS_wcsftime) {
   year_time.tm_min = 59;
   year_time.tm_sec = 59;
 
-  for (int year = -2500; year <= 2500; ++year) {
+  for (int year = -2500; year <= 8500; ++year) {
     year_time.tm_year = year;
     wchar_t year_buf[100] = {};
     FXSYS_wcsftime(year_buf, FX_ArraySize(year_buf), L"%Y-%m-%dT%H:%M:%S",
-- 
cgit v1.2.3