New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 1
Type: Bug-Security



Sign in to add a comment
link

Issue 770452: Stack-buffer-overflow in icu_59::NumberingSystem::createInstance

Reported by scdengy...@gmail.com, Sep 30 2017

Issue description

VULNERABILITY DETAILS
length of buffer on stack is ULOC_KEYWORDS_CAPACITY(96), but was filled with ULOC_KEYWORD_AND_VALUES_CAPACITY(100) bytes

```cpp
//uloc.h
#define ULOC_KEYWORDS_CAPACITY 96
#define ULOC_KEYWORD_AND_VALUES_CAPACITY 100

//uloc.cpp
U_CAPI int32_t U_EXPORT2
uloc_getKeywordValue(const char* localeID,
                     const char* keywordName,
                     char* buffer, int32_t bufferCapacity,
                     UErrorCode* status)
953:
              result = u_terminateChars(buffer, bufferCapacity, keyValueLen, status);


//uloc_tag.cpp
U_CAPI int32_t U_EXPORT2
uloc_toLanguageTag(const char* localeID,
                   char* langtag,
                   int32_t langtagCapacity,
                   UBool strict,
                   UErrorCode* status) {
2371:
                    char buf[ULOC_KEYWORD_AND_VALUES_CAPACITY];
                    buf[0] = PRIVATEUSE;
                    buf[1] = SEP;
                    len = uloc_getKeywordValue(localeID, key, &buf[2], sizeof(buf) - 2, &tmpStatus);


//numsys.cpp
NumberingSystem* U_EXPORT2
NumberingSystem::createInstance(const Locale & inLocale, UErrorCode& status) {

    if (U_FAILURE(status)) {
        return NULL;
    }

    UBool nsResolved = TRUE;
    UBool usingFallback = FALSE;
    char buffer[ULOC_KEYWORDS_CAPACITY];
    int32_t count = inLocale.getKeywordValue("numbers",buffer, sizeof(buffer),status);
    if ( count > 0 ) { // @numbers keyword was specified in the locale
        buffer[count] = '\0'; // Make sure it is null terminated.
        if ( !uprv_strcmp(buffer,gDefault) || !uprv_strcmp(buffer,gNative) || 
             !uprv_strcmp(buffer,gTraditional) || !uprv_strcmp(buffer,gFinance)) {
            nsResolved = FALSE;
        }
    } else {
        uprv_strcpy(buffer,gDefault);
        nsResolved = FALSE;
    }

VERSION
Version 60.0.3112.113 (Official Build) (64-bit)
Operating System: [Mac OS, 10.12.6]

REPRODUCTION CASE
var number = 5.0260805378947765e+223;
var nf = new Intl.NumberFormat('bs-u-nu-bzcu-cab-cabs-avnlubs-avnihu-zcu-cab-cbs-avnllubs-avnihq-zcu-cab-cbs-ubs-avnihu-cabs-flus-xxd-vnluy');
var f = nf.format(number);


FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
 
poc.js
208 bytes View Download
crash.log
5.8 KB View Download
patch.diff
322 bytes Download

Comment 1 by ClusterFuzz, Sep 30 2017

Project Member
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4745958029262848.

Comment 2 by ClusterFuzz, Sep 30 2017

Project Member
Labels: Security_Severity-High Security_Impact-Head
Summary: Stack-buffer-overflow in icu_59::NumberingSystem::createInstance (was: Security: Intl.Number_format NumberingSystem::createInstance stack-buffer-overflow)
Detailed report: https://clusterfuzz.com/testcase?key=4745958029262848

Job Type: linux_asan_d8_dbg
Crash Type: Stack-buffer-overflow WRITE 1
Crash Address: 0x7f753f07b283
Crash State:
  icu_59::NumberingSystem::createInstance
  icu_59::NumberFormat::makeInstance
  icu_59::NumberFormat::makeInstance
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=38691:38692

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4745958029262848

See https://github.com/google/clusterfuzz-tools for more information.

A recommended severity was added to this bug. Please change the severity if it is inaccurate.

Comment 3 by infe...@chromium.org, Sep 30 2017

Cc: js...@chromium.org
Components: Blink>JavaScript
Labels: M-61 Pri-1
Owner: rossberg@chromium.org
Status: Assigned (was: Unconfirmed)
Regression from https://chromium.googlesource.com/v8/v8/+/339f08d2e9650e05d63c6a756b8302c60ee665b5

Comment 4 by ClusterFuzz, Oct 1 2017

Project Member
Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 5 by sheriffbot@chromium.org, Oct 1 2017

Project Member
Labels: -Security_Impact-Head Security_Impact-Stable

Comment 6 by infe...@chromium.org, Oct 1 2017

Labels: -Security_Impact-Stable -M-61 Security_Impact-Head M-63

Comment 7 by sheriffbot@chromium.org, Oct 2 2017

Project Member
Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by candr...@chromium.org, Oct 2 2017

Please add appropriate OSs.

Comment 9 Deleted

Comment 10 by sheriffbot@chromium.org, Oct 3 2017

Project Member
This issue is marked as a release blocker with no OS labels associated. Please add an appropriate OS label.

All release blocking issues should have OS labels associated to it, so that the issue can tracked and promptly verified, once it gets fixed.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by hablich@chromium.org, Oct 4 2017

Cc: adamk@chromium.org
Labels: Test-Predator-Wrong-Components
Owner: js...@chromium.org

Comment 12 by js...@chromium.org, Oct 5 2017

Thanks a lot for the report. 

It should check |status| like this:

       int32_t len;
        char collVal[ULOC_KEYWORDS_CAPACITY];
        char tmpLocaleID[ULOC_FULLNAME_CAPACITY];

        len = uloc_getKeywordValue(localeID, "collation", collVal,
            UPRV_LENGTHOF(collVal) - 1, &status);

        if (U_SUCCESS(status) && len > 0) {
            collVal[len] = 0;

I'll prepare a CL.

Comment 13 by sheriffbot@chromium.org, Oct 6 2017

Project Member
This issue is marked as a release blocker with no OS labels associated. Please add an appropriate OS label.

All release blocking issues should have OS labels associated to it, so that the issue can tracked and promptly verified, once it gets fixed.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 14 by js...@chromium.org, Oct 6 2017

Cc: jsauer@google.com

Comment 15 by js...@chromium.org, Oct 6 2017

Labels: OS-Android OS-Chrome OS-Fuchsia OS-Linux OS-Mac OS-Windows
For this particular issue, I'll take an upstream fix (in ToT; http://bugs.icu-project.org/trac/changeset/40494 ) instead of mine to make it simpler to merge later. 

I identified similar issues in a few other places. I also have a patch for them. 

I filed an upstream bug (http://bugs.icu-project.org/trac/ticket/13394 : it's not-public, though) with more of my findings.

Comment 16 by js...@chromium.org, Oct 6 2017

A CL is up at https://chromium-review.googlesource.com/#/c/chromium/deps/icu/+/705920 (it's private) 
taking care of other callers of uloc_getKeywordValue as well as the one in numsys.cpp .

Comment 17 by js...@chromium.org, Oct 6 2017

I confirmed that the above CL takes care of the reported case. 
Without that, I can reproduce while with the CL applied, I can't reproduce it.

Comment 18 by js...@chromium.org, Oct 6 2017

Cc: mark@chromium.org

Comment 20 by js...@chromium.org, Oct 10 2017

Labels: -M-63 M-62
This bug is present in M62 branch as well (and earlier branch all the way to August, 2016). 

inferno@ seems to have misread the year in the following CL to be 2017 instead of 2016. :-) 

https://chromium.googlesource.com/v8/v8/+/339f08d2e9650e05d63c6a756b8302c60ee665b5

Comment 21 by bugdroid1@chromium.org, Oct 10 2017

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/99d3c8f639b6ea5fb4e7931547c95cfc79b33d48

commit 99d3c8f639b6ea5fb4e7931547c95cfc79b33d48
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue Oct 10 20:10:57 2017

Roll ICU to 7f873c45

There's only one change in the roll.

 https://chromium.googlesource.com/chromium/deps/icu/+log/08cb9568..7f873c45

TBR=mark@chromium.org

Bug:  770452 
Test: See the bug
Change-Id: I6e9c1b8a7e0d2f013517402e7cd7dd434f398b27
Reviewed-on: https://chromium-review.googlesource.com/709939
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507752}
[modify] https://crrev.com/99d3c8f639b6ea5fb4e7931547c95cfc79b33d48/DEPS

Comment 22 by js...@chromium.org, Oct 10 2017

Status: Started (was: Assigned)
Fixed in ToT. 

will leave it open for me to get to this bug quickly to request for merge after a couple of days baking in canary.

Comment 23 by js...@chromium.org, Oct 10 2017

Will add a test to v8 so that we won't regress (asan bot should catch it if we regress).

Comment 24 by sheriffbot@chromium.org, Oct 11 2017

Project Member
Labels: -Security_Impact-Head Security_Impact-Beta

Comment 25 by bugdroid1@chromium.org, Oct 12 2017

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/69bd294affaf0dd567d8649f5c02e891473f3e1f

commit 69bd294affaf0dd567d8649f5c02e891473f3e1f
Author: Jungshik Shin <jshin@chromium.org>
Date: Thu Oct 12 06:33:35 2017

Correct the misuse of uloc_{to,from}LanguageTag

- remove unused Runtime_GetLanguageTagVariants
- add test for another related bug (chromium:770452) as well as for 
chromium:770450 . 

Bug:  chromium:770450 ,  chromium:770452 
Test: intl/general/invalid-locale.js
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I4496a4a5421000faa0e37aed85fea21ceb487998
Reviewed-on: https://chromium-review.googlesource.com/710816
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48483}
[modify] https://crrev.com/69bd294affaf0dd567d8649f5c02e891473f3e1f/src/runtime/runtime-intl.cc
[modify] https://crrev.com/69bd294affaf0dd567d8649f5c02e891473f3e1f/src/runtime/runtime.h
[add] https://crrev.com/69bd294affaf0dd567d8649f5c02e891473f3e1f/test/intl/general/invalid-locale.js

Comment 26 by ClusterFuzz, Oct 12 2017

Project Member
ClusterFuzz has detected this issue as fixed in range 48480:48481.

Detailed report: https://clusterfuzz.com/testcase?key=4745958029262848

Job Type: linux_asan_d8_dbg
Crash Type: Stack-buffer-overflow WRITE 1
Crash Address: 0x7f753f07b283
Crash State:
  icu_59::NumberingSystem::createInstance
  icu_59::NumberFormat::makeInstance
  icu_59::NumberFormat::makeInstance
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=38691:38692
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48480:48481

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4745958029262848

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 27 by ClusterFuzz, Oct 12 2017

Project Member
Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 4745958029262848 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 28 by sheriffbot@chromium.org, Oct 12 2017

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 29 by js...@chromium.org, Oct 13 2017

Labels: Merge-Request-62
A change in comment 19 is safe and simple. Asking for merge-approval to M-62. 

If my request for merge to M62 for  bug 754053  is also approved, I'll roll ICU to include the fixes for both this and  bug 754053 . If not, I'll just roll ICU to include the fix for this CL.

Comment 30 by sheriffbot@chromium.org, Oct 13 2017

Project Member
Labels: -Merge-Request-62 Merge-Review-62 Hotlist-Merge-Review
This bug requires manual review: We are only 3 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 31 by abdulsyed@chromium.org, Oct 13 2017

Labels: -Merge-Review-62 Merge-Approved-62
Safe and simple merge, tested in canary. Approving for merge: branch:3202

Comment 32 by bugdroid1@chromium.org, Oct 14 2017

Project Member

Comment 33 by awhalley@google.com, Oct 16 2017

Labels: reward-topanel

Comment 34 by awhalley@google.com, Oct 16 2017

Labels: -ReleaseBlock-Stable

Comment 35 by bugdroid1@chromium.org, Oct 16 2017

Project Member
Labels: merge-merged-6.3
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/593b0d895d9adea24ab0a0a51d8a5e891485674c

commit 593b0d895d9adea24ab0a0a51d8a5e891485674c
Author: Jungshik Shin <jshin@chromium.org>
Date: Mon Oct 16 20:56:39 2017

Merged: Correct the misuse of uloc_{to,from}LanguageTag

Revision: 69bd294affaf0dd567d8649f5c02e891473f3e1f

Merge to 6.3 branch

- remove unused Runtime_GetLanguageTagVariants
- add test for another related bug (chromium:770452) as well as for
chromium:770450 .

BUG= chromium:770450 , chromium:770452 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=adamk@chromium.org

Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: Ia2c6dd2156c51995fb18228fc3062a86e78d719c
Reviewed-on: https://chromium-review.googlesource.com/721844
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.3@{#9}
Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}
[modify] https://crrev.com/593b0d895d9adea24ab0a0a51d8a5e891485674c/src/runtime/runtime-intl.cc
[modify] https://crrev.com/593b0d895d9adea24ab0a0a51d8a5e891485674c/src/runtime/runtime.h
[add] https://crrev.com/593b0d895d9adea24ab0a0a51d8a5e891485674c/test/intl/general/invalid-locale.js

Comment 36 by js...@chromium.org, Oct 16 2017

Labels: -Merge-Approved-62 merge-merged-3202

Comment 37 by bugdroid1@chromium.org, Oct 17 2017

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9a132a9e7208a042a4c7cc2b71248573f74a4e3e

commit 9a132a9e7208a042a4c7cc2b71248573f74a4e3e
Author: Michael Hablich <hablich@chromium.org>
Date: Tue Oct 17 16:10:36 2017

Revert "Merged: Correct the misuse of uloc_{to,from}LanguageTag"

This reverts commit 593b0d895d9adea24ab0a0a51d8a5e891485674c.

Reason for revert: broke some branch builders like https://build.chromium.org/p/client.v8.branches/builders/V8%20arm%20-%20sim%20-%20beta%20branch%20-%20debug

Original change's description:
> Merged: Correct the misuse of uloc_{to,from}LanguageTag
> 
> Revision: 69bd294affaf0dd567d8649f5c02e891473f3e1f
> 
> Merge to 6.3 branch
> 
> - remove unused Runtime_GetLanguageTagVariants
> - add test for another related bug (chromium:770452) as well as for
> chromium:770450 .
> 
> BUG= chromium:770450 , chromium:770452 
> LOG=N
> NOTRY=true
> NOPRESUBMIT=true
> NOTREECHECKS=true
> R=​adamk@chromium.org
> 
> Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
> Change-Id: Ia2c6dd2156c51995fb18228fc3062a86e78d719c
> Reviewed-on: https://chromium-review.googlesource.com/721844
> Reviewed-by: Adam Klein <adamk@chromium.org>
> Commit-Queue: Jungshik Shin <jshin@chromium.org>
> Cr-Commit-Position: refs/branch-heads/6.3@{#9}
> Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
> Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}

TBR=adamk@chromium.org,hablich@chromium.org,jshin@chromium.org

Change-Id: I37018f8241efe1431f453ff55cf8216a5daa66de
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  chromium:770450 ,  chromium:770452 
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/723323
Reviewed-by: Michael Hablich <hablich@chromium.org>
Commit-Queue: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.3@{#17}
Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}
[modify] https://crrev.com/9a132a9e7208a042a4c7cc2b71248573f74a4e3e/src/runtime/runtime-intl.cc
[modify] https://crrev.com/9a132a9e7208a042a4c7cc2b71248573f74a4e3e/src/runtime/runtime.h
[delete] https://crrev.com/f435a180d199eda0c6777be153aa0ca5541ef599/test/intl/general/invalid-locale.js

Comment 38 by bugdroid1@chromium.org, Oct 17 2017

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/bb1e70a61fbf93488ce9e4e6e943e549732ed65d

commit bb1e70a61fbf93488ce9e4e6e943e549732ed65d
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue Oct 17 20:58:47 2017

Revert "Revert "Merged: Correct the misuse of uloc_{to,from}LanguageTag""

This reverts commit 9a132a9e7208a042a4c7cc2b71248573f74a4e3e.

Reason for revert: ICU was not rolled in 6.3 branch leading invalid-locale test failure (that was added to test an ICU fix). Now, ICU is rolled in 6.3 branch ( https://chromium-review.googlesource.com/c/v8/v8/+/723564 ). 


Original change's description:
> Revert "Merged: Correct the misuse of uloc_{to,from}LanguageTag"
> 
> This reverts commit 593b0d895d9adea24ab0a0a51d8a5e891485674c.
> 
> Reason for revert: broke some branch builders like https://build.chromium.org/p/client.v8.branches/builders/V8%20arm%20-%20sim%20-%20beta%20branch%20-%20debug
> 
> Original change's description:
> > Merged: Correct the misuse of uloc_{to,from}LanguageTag
> > 
> > Revision: 69bd294affaf0dd567d8649f5c02e891473f3e1f
> > 
> > Merge to 6.3 branch
> > 
> > - remove unused Runtime_GetLanguageTagVariants
> > - add test for another related bug (chromium:770452) as well as for
> > chromium:770450 .
> > 
> > BUG= chromium:770450 , chromium:770452 
> > LOG=N
> > NOTRY=true
> > NOPRESUBMIT=true
> > NOTREECHECKS=true
> > R=​adamk@chromium.org
> > 
> > Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
> > Change-Id: Ia2c6dd2156c51995fb18228fc3062a86e78d719c
> > Reviewed-on: https://chromium-review.googlesource.com/721844
> > Reviewed-by: Adam Klein <adamk@chromium.org>
> > Commit-Queue: Jungshik Shin <jshin@chromium.org>
> > Cr-Commit-Position: refs/branch-heads/6.3@{#9}
> > Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
> > Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}
> 
> TBR=adamk@chromium.org,hablich@chromium.org,jshin@chromium.org
> 
> Change-Id: I37018f8241efe1431f453ff55cf8216a5daa66de
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug:  chromium:770450 ,  chromium:770452 
> Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
> Reviewed-on: https://chromium-review.googlesource.com/723323
> Reviewed-by: Michael Hablich <hablich@chromium.org>
> Commit-Queue: Michael Hablich <hablich@chromium.org>
> Cr-Commit-Position: refs/branch-heads/6.3@{#17}
> Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
> Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}

TBR=adamk@chromium.org,hablich@chromium.org,jshin@chromium.org

Change-Id: Ie7eac96859c8053c4f1b41b0a9b4f79a44883295
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  chromium:770450 ,  chromium:770452 
Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Reviewed-on: https://chromium-review.googlesource.com/723608
Reviewed-by: Michael Hablich <hablich@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.3@{#23}
Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}
[modify] https://crrev.com/bb1e70a61fbf93488ce9e4e6e943e549732ed65d/src/runtime/runtime-intl.cc
[modify] https://crrev.com/bb1e70a61fbf93488ce9e4e6e943e549732ed65d/src/runtime/runtime.h
[add] https://crrev.com/bb1e70a61fbf93488ce9e4e6e943e549732ed65d/test/intl/general/invalid-locale.js

Comment 39 by awhalley@chromium.org, Oct 19 2017

Labels: -reward-topanel reward-unpaid reward-3000
*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Comment 40 by awhalley@google.com, Oct 20 2017

Congratulations scdengyuan@! The Chrome VRP panel has decided to reward $3,000 for this report.  A member of our finance team will be in touch shortly to arrange the details.

Comment 41 by awhalley@chromium.org, Oct 20 2017

Labels: -reward-unpaid reward-inprocess

Comment 42 by bugdroid1@chromium.org, Oct 24 2017

Project Member
Labels: merge-merged-6.2
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/dad541bf46354b0ce2cf40b9419673f5edc3564a

commit dad541bf46354b0ce2cf40b9419673f5edc3564a
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue Oct 24 20:45:07 2017

Merged: Correct the misuse of uloc_{to,from}LanguageTag

Merge to 6.2 branch

Revision: 69bd294affaf0dd567d8649f5c02e891473f3e1f

In addition, roll ICU to  21d33b1a09

There are only two changes in the roll. This is to match
Chromium M62's ICU in v8's 6.2 branch

 https://chromium.googlesource.com/chromium/deps/icu/+log/08cb9568..21d33b1a

BUG= chromium:770450 , chromium:770452 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=hablich@chromium.org

Cq-Include-Trybots: master.tryserver.v8:v8_linux_noi18n_rel_ng
Change-Id: I79123ff567b822dc9afd9f1a4ebd007353033d8a
Reviewed-on: https://chromium-review.googlesource.com/736032
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.2@{#70}
Cr-Branched-From: efa2ac4129d30c7c72e84c16af3d20b44829f990-refs/heads/6.2.414@{#1}
Cr-Branched-From: a861ebb762a60bf5cc2a274faee3620abfb06311-refs/heads/master@{#47693}
[modify] https://crrev.com/dad541bf46354b0ce2cf40b9419673f5edc3564a/DEPS
[modify] https://crrev.com/dad541bf46354b0ce2cf40b9419673f5edc3564a/src/runtime/runtime-intl.cc
[modify] https://crrev.com/dad541bf46354b0ce2cf40b9419673f5edc3564a/src/runtime/runtime.h
[add] https://crrev.com/dad541bf46354b0ce2cf40b9419673f5edc3564a/test/intl/general/invalid-locale.js

Comment 43 by scdengy...@gmail.com, Oct 26 2017

thx @awhalley, that's great

Comment 44 by awhalley@google.com, Oct 26 2017

Labels: -Security_Impact-Beta Security_Impact-Stable Release-1-M62

Comment 45 by awhalley@google.com, Oct 26 2017

Labels: CVE-2017-15396

Comment 46 by scdengy...@gmail.com, Oct 27 2017

hi, @awhalley, the credit here(https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop_26.html) has a mistake, can you plz rename the credit to "Yuan Deng of Ant-financial Light-Year Security Lab" ?

Comment 47 by mbarbe...@chromium.org, Nov 7 2017

Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components

Comment 48 by sheriffbot@chromium.org, Jan 18 2018

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 49 by ofrobots@google.com, Mar 6 2018

Labels: NodeJS-Backport-Rejected
Node.js back-port triage: I don't think this is needed for supported versions of Node.

Comment 50 by sheriffbot@chromium.org, Mar 27 2018

Project Member
Labels: -M-62 M-65

Comment 51 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-missing

Comment 52 by awhalley@google.com, Oct 5

Labels: -CVE_description-missing CVE_description-submitted

Sign in to add a comment