From 2e51608a8b7d883f5e187ccc83ed871e248442c2 Mon Sep 17 00:00:00 2001
From: "teor (Tim Wilson-Brown)"
Date: Wed, 29 Jun 2016 12:53:50 +1000
Subject: Fix an integer overflow bug in the tv_mdiff range check

The temporary second used for rounding can cause overflow, depending on the order the compiler performs the operations.
---
 src/common/util.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/common/util.c b/src/common/util.c
index 4b6df81b7d..44994fb9c3 100644
--- a/src/common/util.c
+++ b/src/common/util.c
@@ -1394,6 +1394,7 @@ tv_udiff(const struct timeval *start, const struct timeval *end)
 long udiff;
 long secdiff = end->tv_sec - start->tv_sec;
 
+ /* end->tv_usec - start->tv_usec can be up to 1 second */
 if (labs(secdiff)+1 > LONG_MAX/1000000) {
 log_warn(LD_GENERAL, "comparing times on microsecond detail too far "
 "apart: %ld seconds", secdiff);
@@ -1412,7 +1413,9 @@ tv_mdiff(const struct timeval *start, const struct timeval *end)
 long mdiff;
 long secdiff = end->tv_sec - start->tv_sec;
 
- if (labs(secdiff)+1 > LONG_MAX/1000) {
+ /* end->tv_usec - start->tv_usec can be up to 1 second,
+ * but the mdiff calculation adds another temporary second */
+ if (labs(secdiff)+2 > LONG_MAX/1000) {
 log_warn(LD_GENERAL, "comparing times on millisecond detail too far "
 "apart: %ld seconds", secdiff);
 return LONG_MAX;
-- 
cgit v1.2.3-54-g00ecf
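Review bot: The comment added in tv_udiff states that `end->tv_usec - start->tv_usec` can be up to 1 second, which holds only when both tv_usec fields are normalized to 0..999999, and nothing visible in the hunk enforces that. I would state the assumption in the comment, e.g. `/* Assuming normalized timevals, end->tv_usec - start->tv_usec is less than 1 second in magnitude */`, or validate tv_usec before the range check if callers can pass unnormalized values. The comment added in tv_mdiff relies on the same assumption. tv_udiff's body starts and ends outside the hunk, so a check elsewhere in the function cannot be ruled out.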
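Review bot: The new guard `labs(secdiff)+2 > LONG_MAX/1000` in tv_mdiff can itself overflow: when labs(secdiff) is within 2 of LONG_MAX the addition is signed overflow, and labs(LONG_MIN) is undefined, so the compiler may drop the check for exactly the inputs it is meant to catch. Moving the constant to the other side and comparing without labs avoids both: `if (secdiff > LONG_MAX/1000 - 2 || secdiff < -(LONG_MAX/1000 - 2)) {`. The unchanged `labs(secdiff)+1` check in tv_udiff has the same form. Separately, secdiff is computed as a time_t difference and stored in a long before any check, which may truncate where time_t is wider than long. tv_mdiff's body continues outside the hunk.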