Bug 779078 - nsFrame::HandleRelease may cast aEvent to nsMouseEvent even if aEvent is a TouchEvent
Status: RESOLVED FIXED
: csectype-wildptr, regression, sec-moderate
Product: Core
Classification: Components
Component: Event Handling
: unspecified
: x86 Linux
: -- normal
: mozilla17
Assigned To: Wesley Johnston (:wesj)
:
Mentors:
Depends on:
Blocks: 732052
Reported: 2012-07-31 03:24 PDT by Olli Pettay [:smaug]
Modified: 2012-09-23 17:17 PDT
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
unaffected
+
fixed
fixed
unaffected


Attachments
Patch (893 bytes, patch)
2012-07-31 10:16 PDT, Wesley Johnston (:wesj)
bugs: review+
lukasblakk+bugs: approval‑mozilla‑aurora+

Description Olli Pettay [:smaug] 2012-07-31 03:24:58 PDT
This is a recent regression from the bug where we started to call ::HandleRelease with non-nsMouseEvents.
Comment 1 Wesley Johnston (:wesj) 2012-07-31 10:16:59 PDT
Created attachment 647586
Patch

::HandlePress just bails for touch events. I guess handleRelease should as well?
Comment 2 Olli Pettay [:smaug] 2012-07-31 10:26:44 PDT
Comment on attachment 647586
Patch

Perhaps
if (aEvent->eventStructType != NS_MOUSE_EVENT) {
  return NS_OK;
}
Comment 3 Wesley Johnston (:wesj) 2012-07-31 10:37:05 PDT
Updated patch and pushed:
https://hg.mozilla.org/integration/mozilla-inbound/rev/be1b9c66071a
Comment 4 Wesley Johnston (:wesj) 2012-07-31 10:47:39 PDT
Comment on attachment 647586
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 732052
User impact if declined: bad behavior with setCapture and touch events. bug 774190.
Testing completed (on m-c, etc.): landed on inbound today 7/31/13
Risk to taking this patch (and alternatives if risky): low risk. This is reverting us back to old behavior.
String or UUID changes made by this patch: none.
Comment 5 Wesley Johnston (:wesj) 2012-07-31 21:40:31 PDT
http://hg.mozilla.org/mozilla-central/rev/be1b9c66071a
Comment 6 Lukas Blakk [:lsblakk] use ?needinfo 2012-08-01 17:30:47 PDT
Comment on attachment 647586
Patch

Low risk, approving for Aurora.
Comment 7 Wesley Johnston (:wesj) 2012-08-02 09:53:07 PDT
https://hg.mozilla.org/releases/mozilla-aurora/rev/747b9e6ee86a
Comment 8 Daniel Veditz [:dveditz] 2012-09-23 17:10:27 PDT
Possibly exploitable because there are virtual methods and data members all in different locations in the two kinds of events, although there's not a lot of precision you could elicit out of a victim on a touch event.
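
The guard suggested in comment 2 and the layout concern raised in comment 8, as an added C++ example that is not part of the bug thread or of Mozilla's patch. The Event, MouseEvent and TouchEvent types, AsMouseEvent and the Result values are hypothetical simplifications, not Gecko's definitions.

```cpp
#include <cstdint>

// Hypothetical, simplified stand-ins for Gecko's event structs (assumption:
// names and fields are illustrative, not the real definitions).
enum EventStructType : uint8_t { MOUSE_EVENT, TOUCH_EVENT };

struct Event {
  explicit Event(EventStructType aType) : eventStructType(aType) {}
  virtual ~Event() = default;
  EventStructType eventStructType;  // tag set once by the concrete constructor
};

struct MouseEvent : Event {
  MouseEvent() : Event(MOUSE_EVENT) {}
  int32_t clickCount = 1;
};

struct TouchEvent : Event {
  TouchEvent() : Event(TOUCH_EVENT) {}
  uint64_t touchIds[4] = {0, 0, 0, 0};  // different layout from MouseEvent
};

// Checked downcast: returns nullptr unless the tag says the object really is
// a MouseEvent, so callers never read TouchEvent memory as mouse fields.
MouseEvent* AsMouseEvent(Event* aEvent) {
  if (!aEvent || aEvent->eventStructType != MOUSE_EVENT) {
    return nullptr;
  }
  return static_cast<MouseEvent*>(aEvent);
}

enum Result { IGNORED, HANDLED };

// Release handler with the early return from comment 2: non-mouse events
// bail out before any MouseEvent member is touched.
Result HandleRelease(Event* aEvent) {
  MouseEvent* mouse = AsMouseEvent(aEvent);
  if (!mouse) {
    return IGNORED;
  }
  return mouse->clickCount > 0 ? HANDLED : IGNORED;
}
```

Routing every downcast through one tag-checking helper keeps the check from being forgotten when a new caller starts passing other event types to an existing handler, which is how this regression arose.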