time: Fix Windows' SystemTime::checked_sub

The Windows implementation of `SystemTime::checked_sub` contains a bug,
namely that it does not return `None` on values below 1601.

This bug stems from the fact that internally, the time gets converted to
an i64, with zero representing the anchor in 1601.  Of course,
performing checked subtraction on a signed integer generally works fine.
However, the resulting value delivers undefined behavior on Windows
systems.

To mitigate this issue, we immediately convert the i64 to an u64, on
which subtraction resulting in values below zero will obviously fail.

Author: cvengler

library/std/src/sys/pal/windows/time.rs

@@ -1,7 +1,7 @@
 use core::hash::{Hash, Hasher};
 use core::ops::Neg;
 
-use crate::cmp::Ordering;
+use crate::cmp::{Ord, Ordering};
 use crate::ptr::null;
 use crate::sys::c;
 use crate::sys_common::IntoInner;
@@ -111,7 +111,13 @@ impl SystemTime {
     }
 
     pub fn checked_sub_duration(&self, other: &Duration) -> Option<SystemTime> {
-        let intervals = self.intervals().checked_sub(checked_dur2intervals(other)?)?;
+        // Windows does not support times before 1601, hence why we don't
+        // support negatives. In order to tackle this, we simply try to convert
+        // the resulting i64 into an u64, returning None on failure, following
+        // an ordinary call to u64::checked_sub_signed, which will then
+        // obviously use zero as the lower bound.
+        let intervals: u64 = self.intervals.try_into().ok()?;
+        let intervals = intervals.checked_sub_signed(checked_dur2intervals(other)?)?;
         Some(SystemTime::from_intervals(intervals))
     }
 }