From da7be4587f5e1a792cb05c91cda6b8e7f8e78191 Mon Sep 17 00:00:00 2001
From: Martin Schuster <schuster@schul-logistik.de>
Date: Sun, 24 Nov 2024 19:36:10 +0100
Subject: [PATCH] Avoid overflow during conversion from ms to ticks.

E.g. when having predivSync=255, a value of subSeconds=2^24 (still well below UINT32_MAX and thus using the 32bit computation branch) would be multiplied by 256 and result in an overflow during computation. In fact, 2^24 ms is about 4 hours 40 minutes.
---
 src/rtc.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/src/rtc.c b/src/rtc.c
index 15fa727..904c11c 100644
--- a/src/rtc.c
+++ b/src/rtc.c
@@ -947,14 +947,11 @@ void RTC_StartAlarm64(alarm_t name, uint8_t day, uint8_t hours, uint8_t minutes,
     if ((initMode == MODE_BINARY_ONLY) || (initMode == MODE_BINARY_MIX)) {
       /* We have an SubSecond alarm to set in RTC_BINARY_MIX or RTC_BINARY_ONLY mode */
       /* The subsecond in ms is converted in ticks unit 1 tick is 1000 / fqce_apre
-       * It keeps the subsecond accuracy on 64 bits if needed
+       * For the conversion, we keep the accuracy on 64 bits, since otherwise we might
+       * have an overflow even though the conversion result still fits in 32 bits.
        */
-      if (subSeconds > (uint64_t)UINT32_MAX) {
-        uint64_t tmp = (subSeconds * (uint64_t)(predivSync + 1)) / (uint64_t)1000;
-        RTC_AlarmStructure.AlarmTime.SubSeconds = (uint32_t)UINT32_MAX - (uint32_t)tmp;
-      } else {
-        RTC_AlarmStructure.AlarmTime.SubSeconds = (uint32_t)((uint32_t)UINT32_MAX - (uint32_t)(subSeconds * (predivSync + 1)) / 1000);
-      }
+      uint64_t tmp = (subSeconds * (uint64_t)(predivSync + 1)) / (uint64_t)1000;
+      RTC_AlarmStructure.AlarmTime.SubSeconds = (uint32_t)UINT32_MAX - (uint32_t)tmp;
     } else
 #endif /* RTC_ICSR_BIN */
     {