From f47bc301ccbc5e6d8110afab5a1e9bac1d4ef058 Mon Sep 17 00:00:00 2001
From: fionaxu <fionaxu@google.com>
Date: Mon, 20 Jun 2016 19:11:57 -0700
Subject: backport security fix: avoid set NITZ time to 2038

Bug: 29083635
Change-Id: I21c5f4147d8146f92b7e33f0967a179ae644a263
---
 .../android/internal/telephony/cdma/CdmaServiceStateTracker.java    | 6 ++++++
 .../com/android/internal/telephony/gsm/GsmServiceStateTracker.java  | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/src/java/com/android/internal/telephony/cdma/CdmaServiceStateTracker.java b/src/java/com/android/internal/telephony/cdma/CdmaServiceStateTracker.java
index e6b0867ab..85980e99c 100644
--- a/src/java/com/android/internal/telephony/cdma/CdmaServiceStateTracker.java
+++ b/src/java/com/android/internal/telephony/cdma/CdmaServiceStateTracker.java
@@ -101,6 +101,8 @@ public class CdmaServiceStateTracker extends ServiceStateTracker {
     private static final int NITZ_UPDATE_DIFF_DEFAULT = 2000;
     private int mNitzUpdateDiff = SystemProperties.getInt("ro.nitz_update_diff",
             NITZ_UPDATE_DIFF_DEFAULT);
+    /** Time stamp after 19 January 2038 is not supported under 32 bit */
+    private static final int MAX_NITZ_YEAR = 2037;
 
     private int mRoamingIndicator;
     private boolean mIsInPrl;
@@ -1614,6 +1616,10 @@ public class CdmaServiceStateTracker extends ServiceStateTracker {
             String[] nitzSubs = nitz.split("[/:,+-]");
 
             int year = 2000 + Integer.parseInt(nitzSubs[0]);
+            if (year > MAX_NITZ_YEAR) {
+              if (DBG) loge("NITZ year: " + year + " exceeds limit, skip NITZ time update");
+              return;
+            }
             c.set(Calendar.YEAR, year);
 
             // month is 0 based!
diff --git a/src/java/com/android/internal/telephony/gsm/GsmServiceStateTracker.java b/src/java/com/android/internal/telephony/gsm/GsmServiceStateTracker.java
index 8d3a84d41..03fbd7f76 100755
--- a/src/java/com/android/internal/telephony/gsm/GsmServiceStateTracker.java
+++ b/src/java/com/android/internal/telephony/gsm/GsmServiceStateTracker.java
@@ -136,6 +136,8 @@ final class GsmServiceStateTracker extends ServiceStateTracker {
 
     /** Boolean is true is setTimeFromNITZString was called */
     private boolean mNitzUpdatedTime = false;
+    /** Time stamp after 19 January 2038 is not supported under 32 bit */
+    private static final int MAX_NITZ_YEAR = 2037;
 
     String mSavedTimeZone;
     long mSavedTime;
@@ -1739,6 +1741,10 @@ final class GsmServiceStateTracker extends ServiceStateTracker {
             String[] nitzSubs = nitz.split("[/:,+-]");
 
             int year = 2000 + Integer.parseInt(nitzSubs[0]);
+            if (year > MAX_NITZ_YEAR) {
+              if (DBG) loge("NITZ year: " + year + " exceeds limit, skip NITZ time update");
+              return;
+            }
             c.set(Calendar.YEAR, year);
 
             // month is 0 based!
-- 
cgit v1.2.3