Bug 195683

Summary: REGRESSION(r240634): Element::hasPointerCapture() passes a JS-controlled value directly into a HashMap as a key
Product: WebKit Reporter: Antoine Quint <graouts>
Component: DOMAssignee: Antoine Quint <graouts>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, mmaxfield, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch achristensen: review+

Description Antoine Quint 2019-03-13 10:26:00 PDT 
We need to allow 0 as a valid pointer ID passed through the Element methods.
Comment 1 Antoine Quint 2019-03-13 10:26:11 PDT 
<rdar://problem/48659950>
Comment 2 Antoine Quint 2019-03-13 10:29:57 PDT 
Created attachment 364545 [details]
Patch
Comment 3 Alex Christensen 2019-03-13 11:00:29 PDT 
Comment on attachment 364545 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=364545&action=review

code looks good, needs better test.  rs=me

> LayoutTests/pointerevents/zero-pointer-id-crash-expected.txt:2
> +PASS Checking 0 can be used as a Pointer ID. 

You should also check INT_MAX, INT_MIN, INT_MAX + 1, INT_MIN - 1
Comment 4 Antoine Quint 2019-03-13 11:12:24 PDT 
(In reply to Alex Christensen from comment #3)
> Comment on attachment 364545 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=364545&action=review
> 
> code looks good, needs better test.  rs=me
> 
> > LayoutTests/pointerevents/zero-pointer-id-crash-expected.txt:2
> > +PASS Checking 0 can be used as a Pointer ID. 
> 
> You should also check INT_MAX, INT_MIN, INT_MAX + 1, INT_MIN - 1

Will fix in commit.
Comment 5 Antoine Quint 2019-03-13 11:14:25 PDT 
Committed r242893: <https://trac.webkit.org/changeset/242893>
Comment 6 Antoine Quint 2019-03-20 13:35:30 PDT 
Committed r243235: <https://trac.webkit.org/changeset/243235>