tai64: add TryFrom<Tai64N> for SystemTime to avoid panic

dshulyak · dshulyak · commit 357ce4fd6639 · 2025-12-19T10:05:16.000+01:00
diff --git a/tai64/src/lib.rs b/tai64/src/lib.rs
@@ -203,7 +203,15 @@ impl Tai64N {
         }
     }
 
-    /// Convert `TAI64N`to `SystemTime`.
+    /// Convert `TAI64N` to `SystemTime`.
+    ///
+    /// # Panics
+    ///
+    /// Panics if the timestamp cannot be represented as `SystemTime`. This can
+    /// occur when the `Tai64N` value is outside the range representable by the
+    /// platform's `SystemTime` (typically backed by `i64` seconds from Unix epoch).
+    ///
+    /// For a non-panicking alternative, use `SystemTime::try_from(tai64n)`.
     #[cfg(feature = "std")]
     pub fn to_system_time(self) -> SystemTime {
         match self.duration_since(&Self::UNIX_EPOCH) {
@@ -265,6 +273,19 @@ impl From<SystemTime> for Tai64N {
     }
 }
 
+#[cfg(feature = "std")]
+impl TryFrom<Tai64N> for SystemTime {
+    type Error = Error;
+
+    fn try_from(tai: Tai64N) -> Result<Self, Self::Error> {
+        match tai.duration_since(&Tai64N::UNIX_EPOCH) {
+            Ok(d) => UNIX_EPOCH.checked_add(d),
+            Err(d) => UNIX_EPOCH.checked_sub(d),
+        }
+        .ok_or(Error::TimestampOverflow)
+    }
+}
+
 #[allow(clippy::suspicious_arithmetic_impl)]
 impl ops::Add<Duration> for Tai64N {
     type Output = Self;
@@ -320,13 +341,17 @@ pub enum Error {
 
     /// Nanosecond part must be <= 999999999.
     NanosInvalid,
+
+    /// Timestamp cannot be represented as `SystemTime` (overflow/underflow).
+    TimestampOverflow,
 }
 
 impl fmt::Display for Error {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         let description = match self {
             Error::LengthInvalid => "length invalid",
             Error::NanosInvalid => "invalid number of nanoseconds",
+            Error::TimestampOverflow => "timestamp cannot be represented as SystemTime",
         };
 
         write!(f, "{description}")
@@ -360,4 +385,42 @@ mod tests {
 
         assert_eq!(t, t1);
     }
+
+    #[test]
+    #[should_panic(expected = "overflow when adding duration to instant")]
+    fn to_system_time_panics_from_slice() {
+        let malicious_timestamp: [u8; 12] = [
+            0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+            0x00, 0x00, 0x00, 0x00,                         
+        ];
+
+        let timestamp = Tai64N::from_slice(&malicious_timestamp).unwrap();
+        let _ = timestamp.to_system_time(); // panics here
+    }
+
+    #[test]
+    fn try_into_system_time_success() {
+        let tai = Tai64N::now();
+        let result: Result<SystemTime, _> = tai.try_into();
+        assert!(result.is_ok());
+    }
+
+    #[test]
+    fn try_into_system_time_overflow() {
+        let malicious: [u8; 12] = [
+            0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+            0x00, 0x00, 0x00, 0x00,
+        ];
+        let tai = Tai64N::from_slice(&malicious).unwrap();
+        let result: Result<SystemTime, _> = tai.try_into();
+        assert_eq!(result, Err(Error::TimestampOverflow));
+    }
+
+    #[test]
+    fn try_into_system_time_roundtrip() {
+        let original = SystemTime::now();
+        let tai = Tai64N::from(original);
+        let recovered: SystemTime = tai.try_into().expect("should be representable");
+        assert_eq!(original, recovered);
+    }
 }
