Is the function supposed to validate it's input? If the user supplies a large, positive or negative, value for xt->tm_year then the calculation may overflow. If the user supplies an xt->tm_mon outside the range 0-11 the function will read arbitrary memory.
How is the "user" going to do that? Do you mean the API caller? They could just as easily read arbitrary memory on their own. AFAIK, none of the APR routines do input validation, though it might be good if they provided a single call to validate the tm structure.
....Roy
