author: graouts@webkit.org <graouts@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Mar 2019 18:14:21 +0000 (18:14 +0000)
committer: graouts@webkit.org <graouts@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Mar 2019 18:14:21 +0000 (18:14 +0000)
commit: 2babba5ea6c4366c0815b8cd754a4726b040926c
tree: 9cb1a1a2c541826701bdf58ef2b05d2e0485a819
parent: 20ededb2d121a1b6904c9cda573727fa763ec259
REGRESSION(r240634): Element::hasPointerCapture() passes a JS-controlled value directly into a HashMap as a key
https://bugs.webkit.org/show_bug.cgi?id=195683
<rdar://problem/48659950>

Reviewed by Alex Christensen.

Source/WebCore:

While PointerID is defined as int32_t, we now use int64_t as the key of the HashMap mapping PointerID to CapturingData so that we use
values outside of the int32_t range as safe empty and removed values, allowing any int32_t to be provided through the API for
lookup in this HashMap.

Test: pointerevents/pointer-id-crash.html

* page/PointerCaptureController.h:

LayoutTests:

Add a new test which would crash in debug builds prior to this fix.

* pointerevents/pointer-id-crash-expected.txt: Added.
* pointerevents/pointer-id-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242893 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
Source/WebCore/ChangeLog
Source/WebCore/page/PointerCaptureController.h
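As an added illustration of the mechanism this commit describes (example code, not WebKit's own): a minimal hash map whose empty and removed markers are reserved key values, keyed first on the API's int32_t PointerID and then on int64_t with markers outside the int32_t range. The marker values 0 and -1 for the int32_t case, the table layout and every name here are assumptions of this example.

```cpp
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <vector>
// Hypothetical model (not WebKit code) of a HashMap whose empty/deleted markers
// live in-band as reserved key values from Traits. Passing one in as a key is a
// bug: WTF asserts on it in debug builds, this model throws instead.
template<typename Key, typename Traits>
class SentinelKeyedMap {
public:
    explicit SentinelKeyedMap(size_t capacity = 32) : m_slots(capacity) {}
    void set(Key key, int target) {
        size_t i = probe(key, false);
        if (m_slots[i].key != key) i = probe(key, true); // absent: reuse tombstone or empty
        m_slots[i] = Slot{key, target};
    }
    bool contains(Key key) const { return m_slots[probe(key, false)].key == key; }
    void remove(Key key) { size_t i = probe(key, false); if (m_slots[i].key == key) m_slots[i].key = Traits::deleted(); }
private:
    struct Slot { Key key = Traits::empty(); int target = 0; };
    std::vector<Slot> m_slots;
    // Linear probing: index of `key`, or of the slot where a search for it ends (empty, or a tombstone if stopAtDeleted).
    size_t probe(Key key, bool stopAtDeleted) const {
        if (key == Traits::empty() || key == Traits::deleted())
            throw std::logic_error("reserved marker value used as a key");
        size_t start = static_cast<size_t>(static_cast<uint64_t>(key) * 0x9E3779B97F4A7C15ULL);
        for (size_t n = 0; n < m_slots.size(); ++n) {
            size_t i = (start + n) % m_slots.size();
            Key k = m_slots[i].key;
            if (k == key || k == Traits::empty() || (stopAtDeleted && k == Traits::deleted())) return i;
        }
        throw std::runtime_error("table full");
    }
};
// "Before": key type is the API's int32_t PointerID, so the markers (assumed 0 and -1) are ids script can pass in.
struct Int32Traits { static int32_t empty() { return 0; } static int32_t deleted() { return -1; } };
// "After": int64_t key with markers outside the int32_t range, so every int32_t the API receives is a legal key.
struct Int64Traits {
    static int64_t empty() { return std::numeric_limits<int64_t>::min(); }
    static int64_t deleted() { return std::numeric_limits<int64_t>::max(); }
};
// Shape of hasPointerCapture(pointerId) after the fix: the int32_t widens implicitly to the int64_t key.
bool fixedHasCapture(const SentinelKeyedMap<int64_t, Int64Traits>& m, int32_t id) { return m.contains(id); }
// True if the int32_t-keyed "before" table trips its reserved-key check for a script-supplied id.
bool buggyLookupTraps(int32_t id) {
    SentinelKeyedMap<int32_t, Int32Traits> m;
    try { m.contains(id); return false; } catch (const std::logic_error&) { return true; }
}
```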