Constrain durations into a range that will produce valid Temporal dates before passing to ICU4X (#615)

We have some panics we should be avoiding here

unicode-org/icu4x#7206

Author: Manishearth

src/builtins/compiled/duration/tests.rs

@@ -1,7 +1,8 @@
 use crate::{
     duration::DateDuration,
     options::{
-        OffsetDisambiguation, RelativeTo, RoundingIncrement, RoundingMode, RoundingOptions, Unit,
+        OffsetDisambiguation, Overflow, RelativeTo, RoundingIncrement, RoundingMode,
+        RoundingOptions, Unit,
     },
     partial::PartialDuration,
     Calendar, PlainDate, TimeZone, ZonedDateTime,
@@ -626,6 +627,24 @@ fn add_normalized_time_duration_out_of_range() {
     assert!(err.is_err())
 }
 
+#[test]
+fn add_large_durations() {
+    // Testcases found by fuzzing <https://github.com/unicode-org/icu4x/pull/7206>
+    let base = PlainDate::new(2000, 1, 1, Calendar::from_str("dangi").unwrap()).unwrap();
+
+    let test_duration = Duration::from(DateDuration::new(4294901760, 256, 0, 0).unwrap());
+    assert!(base.add(&test_duration, Some(Overflow::Constrain)).is_err());
+
+    let test_duration = Duration::from(DateDuration::new(0, 1281, 0, 8589934592).unwrap());
+    assert!(base.add(&test_duration, Some(Overflow::Constrain)).is_err());
+
+    let test_duration = Duration::from(DateDuration::new(2046820352, 0, 0, 0).unwrap());
+    assert!(base.add(&test_duration, Some(Overflow::Constrain)).is_err());
+
+    let test_duration = Duration::from(DateDuration::new(0, 0, 2516582400, 0).unwrap());
+    assert!(base.add(&test_duration, Some(Overflow::Constrain)).is_err());
+}
+
 #[test]
 fn test_rounding_boundaries() {
     let relative_to = PlainDate::new(2000, 1, 1, Calendar::default()).unwrap();

src/builtins/core/calendar.rs

@@ -250,6 +250,43 @@ impl<'a> TryFrom<&'a CalendarFields> for DateFields<'a> {
         Ok(this)
     }
 }
+
+/// See <https://github.com/unicode-org/icu4x/issues/7207>
+///
+/// We don't want to trigger any pathological or panicky testcases in ICU4X.
+///
+/// To aid in that, we early constrain date durations to things that have no hope of producing a datetime
+/// that is within Temporal range.
+fn early_constrain_date_duration(duration: &IcuDateDuration) -> Result<(), TemporalError> {
+    // Temporal range is -271821-04-20 to +275760-09-13
+    // This is (roughly) the maximum year duration that can exist for ISO
+    const TEMPORAL_MAX_ISO_YEAR_DURATION: u32 = 275760 + 271821;
+    // Double it. No calendar has years that are half the size of ISO years.
+    const YEAR_DURATION: u32 = 2 * TEMPORAL_MAX_ISO_YEAR_DURATION;
+    // Assume every year is a leap year, calculate a month range
+    const MONTH_DURATION: u32 = YEAR_DURATION * 13;
+    // Our longest year is 390 days
+    const DAY_DURATION: u32 = YEAR_DURATION * 390;
+    const WEEK_DURATION: u32 = DAY_DURATION / 7;
+
+    let err = Err(TemporalError::range().with_enum(ErrorMessage::IntermediateDateTimeOutOfRange));
+
+    if duration.years > YEAR_DURATION {
+        return err;
+    }
+    if duration.months > MONTH_DURATION {
+        return err;
+    }
+    if duration.weeks > WEEK_DURATION {
+        return err;
+    }
+    if duration.days > DAY_DURATION.into() {
+        return err;
+    }
+
+    Ok(())
+}
+
 // ==== Public `CalendarSlot` methods ====
 
 impl Calendar {
@@ -437,6 +474,8 @@ impl Calendar {
             weeks: u32::try_from(duration.weeks.abs()).map_err(|_| invalid)?,
             days: u64::try_from(duration.days.abs()).map_err(|_| invalid)?,
         };
+
+        early_constrain_date_duration(&duration)?;
         let mut options = DateAddOptions::default();
         options.overflow = Some(overflow.into());
         let calendar_date = self.0.from_iso(*date.to_icu4x().inner());