Closed
Bug 779078
Opened 12 years ago
Closed 12 years ago
nsFrame::HandleRelease may cast aEvent to nsMouseEvent even if aEvent is a TouchEvent
Categories
(Core :: DOM: UI Events & Focus Handling, defect)
Tracking
()
RESOLVED
FIXED
mozilla17
Tracking | Status | |
---|---|---|
firefox15 | --- | unaffected |
firefox16 | + | fixed |
firefox17 | --- | fixed |
firefox-esr10 | --- | unaffected |
People
(Reporter: smaug, Assigned: wesj)
References
Details
(Keywords: csectype-wildptr, regression, sec-moderate)
Attachments
(1 file)
893 bytes,
patch
|
smaug
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
This is a recent regression from the bug where we started to call ::HandleRelease with non-nsMouseEvents
Assignee | ||
Comment 1•12 years ago
|
||
::HandlePress just bails for touch events. I guess handleRelease should as well?
Attachment #647586 -
Flags: review?(bugs)
Reporter | ||
Comment 2•12 years ago
|
||
Comment on attachment 647586 [details] [diff] [review] Patch Perhaps if (aEvent->eventStructType != NS_MOUSE_EVENT) { return NS_OK; }
Attachment #647586 -
Flags: review?(bugs) → review+
Assignee | ||
Comment 3•12 years ago
|
||
Updated patch and pushed: https://hg.mozilla.org/integration/mozilla-inbound/rev/be1b9c66071a
Assignee | ||
Comment 4•12 years ago
|
||
Comment on attachment 647586 [details] [diff] [review] Patch [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 732052 User impact if declined: bad behavior with setCapture and touch events. bug 774190. Testing completed (on m-c, etc.): landed on inbound today 7/31/13 Risk to taking this patch (and alternatives if risky): low risk. This is reverting us back to old behavior. String or UUID changes made by this patch: none.
Attachment #647586 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 5•12 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/be1b9c66071a
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•12 years ago
|
status-firefox15:
--- → unaffected
status-firefox16:
--- → affected
status-firefox17:
--- → fixed
tracking-firefox16:
--- → ?
Comment 6•12 years ago
|
||
Comment on attachment 647586 [details] [diff] [review] Patch Low risk, approving for Aurora.
Attachment #647586 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Updated•12 years ago
|
Updated•12 years ago
|
Comment 8•12 years ago
|
||
Possibly exploitable because there are virtual methods and data members all in different locations in the two kinds of events, although there's not a lot of precision you could elicit out of a victim on a touch event.
Group: core-security
Keywords: csec-wildptr,
sec-moderate
Updated•12 years ago
|
Target Milestone: --- → mozilla17
Updated•6 years ago
|
Component: Event Handling → User events and focus handling
You need to log in
before you can comment on or make changes to this bug.
Description
•