RESOLVED FIXED 195683
REGRESSION(r240634): Element::hasPointerCapture() passes a JS-controlled value directly into a HashMap as a key 
https://bugs.webkit.org/show_bug.cgi?id=195683
Summary REGRESSION(r240634): Element::hasPointerCapture() passes a JS-controlled valu...
Antoine Quint
Reported 2019-03-13 10:26:00 PDT
We need to allow 0 as a valid pointer ID passed through the Element methods.
Attachments
Patch (4.24 KB, patch)
2019-03-13 10:29 PDT, Antoine Quint 		achristensen: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Antoine Quint
Comment 1 2019-03-13 10:26:11 PDT
<rdar://problem/48659950>
Antoine Quint
Comment 2 2019-03-13 10:29:57 PDT
Created attachment 364545 [details] Patch
Alex Christensen
Comment 3 2019-03-13 11:00:29 PDT
Comment on attachment 364545 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=364545&action=review code looks good, needs better test. rs=me > LayoutTests/pointerevents/zero-pointer-id-crash-expected.txt:2 > +PASS Checking 0 can be used as a Pointer ID. You should also check INT_MAX, INT_MIN, INT_MAX + 1, INT_MIN - 1
Antoine Quint
Comment 4 2019-03-13 11:12:24 PDT
(In reply to Alex Christensen from comment #3) > Comment on attachment 364545 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=364545&action=review > > code looks good, needs better test. rs=me > > > LayoutTests/pointerevents/zero-pointer-id-crash-expected.txt:2 > > +PASS Checking 0 can be used as a Pointer ID. > > You should also check INT_MAX, INT_MIN, INT_MAX + 1, INT_MIN - 1 Will fix in commit.
Antoine Quint
Comment 5 2019-03-13 11:14:25 PDT
Committed r242893: <https://trac.webkit.org/changeset/242893>
Antoine Quint
Comment 6 2019-03-20 13:35:30 PDT
Committed r243235: <https://trac.webkit.org/changeset/243235>
Note You need to log in before you can comment on or make changes to this bug.