[webkit-reviews] review granted: [Bug 195683] REGRESSION(r240634): Element::hasPointerCapture() passes a JS-controlled value directly into a HashMap as a key : [Attachment 364545] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Mar 13 11:00:29 PDT 2019
Alex Christensen <achristensen at apple.com> has granted Antoine Quint
<graouts at apple.com>'s request for review:
Bug 195683: REGRESSION(r240634): Element::hasPointerCapture() passes a
JS-controlled value directly into a HashMap as a key
https://bugs.webkit.org/show_bug.cgi?id=195683
Attachment 364545: Patch
https://bugs.webkit.org/attachment.cgi?id=364545&action=review
--- Comment #3 from Alex Christensen <achristensen at apple.com> ---
Comment on attachment 364545
--> https://bugs.webkit.org/attachment.cgi?id=364545
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=364545&action=review
code looks good, needs better test. rs=me
> LayoutTests/pointerevents/zero-pointer-id-crash-expected.txt:2
> +PASS Checking 0 can be used as a Pointer ID.
You should also check INT_MAX, INT_MIN, INT_MAX + 1, INT_MIN - 1
More information about the webkit-reviews
mailing list