Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 31e50e893a11dd6a8e8502611d74898dc12dd7fc
https://github.com/WebKit/WebKit/commit/31e50e893a11dd6a8e8502611d74898dc12dd7fc
Author: Sosuke Suzuki <[email protected]>
Date: 2026-06-08 (Mon, 08 Jun 2026)
Changed paths:
A JSTests/stress/temporal-japanese-ce-bce-era-validation.js
M Source/JavaScriptCore/runtime/temporal/core/CalendarICUBridge.cpp
Log Message:
-----------
[JSC][Temporal] Validate `month` and `eraYear` in Japanese "ce"/"bce" era
fast path
https://bugs.webkit.org/show_bug.cgi?id=316477
Reviewed by Yusuke Suzuki.
The Japanese "ce"/"bce" fast path in calendarDateFromFields passed
user-controlled fields to ISO8601::PlainDate without validation:
month > 12 caused an out-of-bounds read in ISO8601::daysInMonth,
an eraYear outside the ISO year limits was silently truncated by
PlainDate's 21-bit year bitfield, and 1 - INT32_MIN overflowed int32.
Compute the ISO year with CheckedInt32 and reject it when outside the
ISO year limits, and constrain or reject month > 12 the same way the
regular non-ISO path does.
* JSTests/stress/temporal-japanese-ce-bce-era-validation.js: Added.
* Source/JavaScriptCore/runtime/temporal/core/CalendarICUBridge.cpp:
(JSC::TemporalCore::calendarDateFromFields):
Canonical link: https://commits.webkit.org/314786@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
