[int] Fix security bug in Intl.ListFormat

Also add test to ensure it won't crash. The crash is caused by int32_t overflow inside ICU68-1 Real fix in https://chromium.googlesource.com/chromium/deps/icu/+/3bf08c6a50f77921ae79d4e715b580b959e494c7 Bug: chromium:1150371 Change-Id: I71c7bb3c50453fe3fa40226cab83bee0d865b0f0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2551212Reviewed-by: Shu-yu Guo <syg@chromium.org> Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/master@{#71357}

[int] Fix security bug in Intl.ListFormat
Also add test to ensure it won't crash. The crash is caused by int32_t overflow inside ICU68-1 Real fix in https://chromium.googlesource.com/chromium/deps/icu/+/3bf08c6a50f77921ae79d4e715b580b959e494c7 Bug: chromium:1150371 Change-Id: I71c7bb3c50453fe3fa40226cab83bee0d865b0f0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2551212Reviewed-by: Shu-yu Guo <syg@chromium.org> Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/master@{#71357}
1341dbd2 · Frank Tang · Commit Bot · 0e0d1b0d · 1341dbd2
Commit 1341dbd2 authored Nov 23, 2020 by Frank Tang Committed by Commit Bot Nov 24, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

regress-1150371.js test/intl/regress-1150371.js +8 -0

No files found.
--- a/test/intl/regress-1150371.js
+++ b/test/intl/regress-1150371.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Make sure it won't crash
+var s = "b".repeat(0xAAAFFFF);
+assertThrows(() => new Intl.ListFormat().format(Array(16).fill(s)).length,
+    TypeError);