From 68d80d239b09db3f4e6d1a2d90e3e9405078b930 Mon Sep 17 00:00:00 2001
From: Linus Groh
Date: Sun, 7 Nov 2021 20:01:31 +0000
Subject: [PATCH] LibJS: Fix fraction substring in parse_time_zone_offset_string()

We're supposed to get the substring from `fraction`, which is guaranteed to have the required length. `fraction_part` is the user-supplied value and trying to get a substring view from 0-9 might crash.
---
 Userland/Libraries/LibJS/Runtime/Temporal/TimeZone.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibJS/Runtime/Temporal/TimeZone.cpp b/Userland/Libraries/LibJS/Runtime/Temporal/TimeZone.cpp
index 46af02a2da..7a4479b927 100644
--- a/Userland/Libraries/LibJS/Runtime/Temporal/TimeZone.cpp
+++ b/Userland/Libraries/LibJS/Runtime/Temporal/TimeZone.cpp
@@ -285,7 +285,7 @@ ThrowCompletionOr parse_time_zone_offset_string(GlobalObject& global_obj
 auto fraction = String::formatted("{}000000000", *fraction_part);
 // b. Let nanoseconds be the String value equal to the substring of fraction consisting of the code units with indices 0 (inclusive) through 9 (exclusive).
 // c. Set nanoseconds to ! ToIntegerOrInfinity(nanoseconds).
- nanoseconds = MUST(Value(js_string(vm, fraction_part->substring_view(0, 9))).to_integer_or_infinity(global_object));
+ nanoseconds = MUST(Value(js_string(vm, fraction.substring_view(0, 9))).to_integer_or_infinity(global_object));
 }
 // 11. Else,
 else {
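Review bot: The `substring_view(0, 9)` call on the changed line is only in bounds because of the nine-zero padding done by `String::formatted("{}000000000", *fraction_part)` three lines above, and nothing in the hunk records that dependency. A short comment on the changed line, for example `// NOTE: Slice the zero-padded 'fraction'; 'fraction_part' is taken from the input string and may be shorter than 9 code units.`, would keep the two lines from being decoupled again. The diffstat lists only TimeZone.cpp, so a regression test for an offset string with a short fractional part appears to be missing; the commit message says the old code might crash on user-supplied input, so that case is worth pinning in the test suite. The enclosing function starts and ends outside the hunk, so how `fraction_part` is validated before this point cannot be checked from here.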