search

time-rs / time

The most used Rust library for date and time handling.
https://time-rs.github.io
Apache License 2.0
1.1k stars 277 forks source link

Serialization data corruption with Duration and `serde_human_readable` for negative subsecond durations #691

Open vriesk opened 3 months ago

vriesk commented 3 months ago

The issue is here: https://github.com/time-rs/time/blob/aca5c3652aff6fc7df3fbd8591c3e324d3a6ffb2/time/src/serde/mod.rs#L257

When feature serde_human_readable is enabled, the serializing code incorrectly assumes that for a sub-second negative duration, the self.whole_seconds() will provide the sign during printing. Similar issue exists with deserialization code.

The bug will result with subsecond negative Durations being serialized into positive ones, and negative elsewhere-serialized Durations to be deserialized into positive ones.

Also the comment here: https://github.com/time-rs/time/blob/aca5c3652aff6fc7df3fbd8591c3e324d3a6ffb2/time/src/duration.rs#L44 is incorrect - the nanoseconds sign will NOT match the seconds sign when seconds is 0 and nanoseconds is negative.

vriesk commented 3 months ago

Suggested fix here: https://github.com/time-rs/time/pull/692