[Intl] Fix Null-der READ IsValidExtension<icu_64::Calendar>

Consider the case that uloc_toLegacyType may return nullptr while
the specified keyword value cannot be mapped to a well-formed legacy type.

Bug: chromium:966285
Change-Id: I40511c54e4835599c002f1c678121341276a4e58
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1627902
Commit-Queue: Frank Tang <ftang@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61829}

src/objects/intl-objects.cc

@@ -1461,20 +1461,25 @@ namespace {
 template <typename T>
 bool IsValidExtension(const icu::Locale& locale, const char* key,
                       const std::string& value) {
+  const char* legacy_type = uloc_toLegacyType(key, value.c_str());
+  if (legacy_type == nullptr) {
+    return false;
+  }
   UErrorCode status = U_ZERO_ERROR;
   std::unique_ptr<icu::StringEnumeration> enumeration(
       T::getKeywordValuesForLocale(key, icu::Locale(locale.getBaseName()),
                                    false, status));
-  if (U_SUCCESS(status)) {
+  if (U_FAILURE(status)) {
+    return false;
+  }
   int32_t length;
-    std::string legacy_type(uloc_toLegacyType(key, value.c_str()));
-    for (const char* item = enumeration->next(&length, status); item != nullptr;
+  for (const char* item = enumeration->next(&length, status);
+       U_SUCCESS(status) && item != nullptr;
        item = enumeration->next(&length, status)) {
-      if (U_SUCCESS(status) && legacy_type == item) {
+    if (strcmp(legacy_type, item) == 0) {
       return true;
     }
   }
-  }
   return false;
 }
 

test/intl/regress-966285.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-intl-add-calendar-numbering-system
+
+var v = {};
+Object.defineProperty(v.__proto__, "calendar",
+    { get: function() { return -1; } });
+assertThrows(() => new Intl.DateTimeFormat(v, 0), RangeError);