[int] Fix security bug in Intl.ListFormat

Also add test to ensure it won't crash. The crash is caused by int32_t overflow inside ICU68-1 Real fix in 3bf08c6a50 Bug: chromium:1150371 Change-Id: I71c7bb3c50453fe3fa40226cab83bee0d865b0f0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2551212 Reviewed-by: Shu-yu Guo <syg@chromium.org> Reviewed-by: Michael Achenbach <machenbach@chromium.org> Commit-Queue: Frank Tang <ftang@chromium.org> Cr-Commit-Position: refs/heads/master@{#71357}
2020-11-23 12:16:45 -08:00 · 2020-11-23 12:16:45 -08:00 · 1341dbd209
commit 1341dbd209
parent 0e0d1b0d7c
1 changed files with 8 additions and 0 deletions
--- a/test/intl/regress-1150371.js
+++ b/test/intl/regress-1150371.js
@ -0,0 +1,8 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Make sure it won't crash
+var s = "b".repeat(0xAAAFFFF);
+assertThrows(() => new Intl.ListFormat().format(Array(16).fill(s)).length,
+    TypeError);