From fe42e2719f1ba92e04a530ca3910a7c8bfbbf1af Mon Sep 17 00:00:00 2001
From: Tim Ledbetter <tim.ledbetter@ladybird.org>
Date: Tue, 20 Aug 2024 21:56:04 +0100
Subject: [PATCH] LibWeb: Don't crash when parsing `HTMLInputElement` invalid
 time values

---
 .../HTML/HTMLInputElement-invalid-time-digits.txt   |  1 +
 .../HTML/HTMLInputElement-invalid-time-digits.html  | 13 +++++++++++++
 Userland/Libraries/LibWeb/HTML/Dates.cpp            |  6 ++++++
 3 files changed, 20 insertions(+)
 create mode 100644 Tests/LibWeb/Text/expected/HTML/HTMLInputElement-invalid-time-digits.txt
 create mode 100644 Tests/LibWeb/Text/input/HTML/HTMLInputElement-invalid-time-digits.html

diff --git a/Tests/LibWeb/Text/expected/HTML/HTMLInputElement-invalid-time-digits.txt b/Tests/LibWeb/Text/expected/HTML/HTMLInputElement-invalid-time-digits.txt
new file mode 100644
index 00000000000..47a5310842d
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/HTML/HTMLInputElement-invalid-time-digits.txt
@@ -0,0 +1 @@
+PASS (didn't crash)
\ No newline at end of file
diff --git a/Tests/LibWeb/Text/input/HTML/HTMLInputElement-invalid-time-digits.html b/Tests/LibWeb/Text/input/HTML/HTMLInputElement-invalid-time-digits.html
new file mode 100644
index 00000000000..f4e7cf19cc8
--- /dev/null
+++ b/Tests/LibWeb/Text/input/HTML/HTMLInputElement-invalid-time-digits.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<script src="../include.js"></script>
+<script>
+    test(() => {
+        const inputElement = document.createElement("input");
+        inputElement.type = "time";
+        inputElement.value = "invalid";
+        inputElement.value = "xx:34:56";
+        inputElement.value = "12:xx:56";
+        inputElement.value = "12:34:xx";
+        println("PASS (didn't crash)");
+    });
+</script>
diff --git a/Userland/Libraries/LibWeb/HTML/Dates.cpp b/Userland/Libraries/LibWeb/HTML/Dates.cpp
index 74fc80c5773..d6e51b5d7c6 100644
--- a/Userland/Libraries/LibWeb/HTML/Dates.cpp
+++ b/Userland/Libraries/LibWeb/HTML/Dates.cpp
@@ -183,11 +183,15 @@ bool is_valid_time_string(StringView value)
         return false;
     if (parts[0].length() != 2)
         return false;
+    if (!(is_ascii_digit(parts[0][0]) && is_ascii_digit(parts[0][1])))
+        return false;
     auto hour = (parse_ascii_digit(parts[0][0]) * 10) + parse_ascii_digit(parts[0][1]);
     if (hour > 23)
         return false;
     if (parts[1].length() != 2)
         return false;
+    if (!(is_ascii_digit(parts[1][0]) && is_ascii_digit(parts[1][1])))
+        return false;
     auto minute = (parse_ascii_digit(parts[1][0]) * 10) + parse_ascii_digit(parts[1][1]);
     if (minute > 59)
         return false;
@@ -196,6 +200,8 @@ bool is_valid_time_string(StringView value)
 
     if (parts[2].length() < 2)
         return false;
+    if (!(is_ascii_digit(parts[2][0]) && is_ascii_digit(parts[2][1])))
+        return false;
     auto second = (parse_ascii_digit(parts[2][0]) * 10) + parse_ascii_digit(parts[2][1]);
     if (second > 59)
         return false;