Reject years outside 0000-9999 in ASN1_GENERALIZEDTIME_adj.

They would previously output syntax errors.

Change-Id: I7817a91d0c8ed8d6ac6a5a1fd9c9ed1223c5960e
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48667
Commit-Queue: David Benjamin <[email protected]>
Reviewed-by: Adam Langley <[email protected]>

Author: davidben

crypto/asn1/a_gentm.c

@@ -237,6 +237,11 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s,
             goto err;
     }
 
+    if (ts->tm_year < 0 - 1900 || ts->tm_year > 9999 - 1900) {
+        OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_TIME_VALUE);
+        goto err;
+    }
+
     p = (char *)tmps->data;
     if ((p == NULL) || ((size_t)tmps->length < len)) {
         p = OPENSSL_malloc(len);

crypto/asn1/asn1_test.cc

@@ -478,8 +478,11 @@ TEST(ASN1Test, SetTime) {
     // disable the tests on 32-bit. Re-enable them once the bug is fixed.
     {2524607999, "20491231235959Z", "491231235959Z"},
     {2524608000, "20500101000000Z", nullptr},
-    // TODO(davidben): Fix and then test boundary conditions for GeneralizedTime
-    // years.
+    // Test boundary conditions.
+    {-62167219200, "00000101000000Z", nullptr},
+    {-62167219201, nullptr, nullptr},
+    {253402300799, "99991231235959Z", nullptr},
+    {253402300800, nullptr, nullptr},
 #endif
   };
   for (const auto &t : kTests) {