New issue
Advanced search Search tips

Issue 824629 link

Starred by 1 user
Status: Assigned
Owner:
sadrul@chromium.org
Cc:
msw@chromium.org
jamescook@chromium.org
sky@chromium.org
osh...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug



Sign in to add a comment

ash: DragDropTracker creates incorrect events

Project Member Reported by sadrul@chromium.org, Mar 22 2018 
DragDropTracker::ConvertEvent() [1] takes in a LocatedEvent as input, and always returns a new ui::MouseEvent, constructed from the input-param. However, the input event can sometimes be a ui::GestureEvent [2]. So the code ends up creating a ui::MouseEvent, with an event-type appropriate for a ui::GestureEvent. A lot of the code does casting from a LocatedEvent to a more specific event based on the type. So it would be easy for some code to look at the returned MouseEvent with type == ET_GESTURE_TAP (as an example), and cast it to a ui::GestureEvent, and operate on it. This can end up reading beyond the memory-bounds. This should be fixed to return a ui::GestureEvent if the input is a ui::GestureEvent, etc.


[1] https://cs.chromium.org/chromium/src/ash/drag_drop/drag_drop_tracker.cc?l=76
[2] https://cs.chromium.org/chromium/src/ash/drag_drop/drag_drop_controller.cc?l=370

Comment 1 by jamescook@chromium.org, Mar 22 2018

Cc: msw@chromium.org
+msw who worked on event conversions recently
Project Member

Comment 2 by bugdroid1@chromium.org, Mar 22 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8694ad2645fdc83cde4d813646ed8944322ae2eb

commit 8694ad2645fdc83cde4d813646ed8944322ae2eb
Author: Sadrul Habib Chowdhury <sadrul@chromium.org>
Date: Thu Mar 22 17:04:56 2018

events: Make it difficult to set the wrong flag.

Validate that the |changed_button_flags_| field is allowed only the
set of flags that makes sense.

BUG= 779372 , 824629

Change-Id: I5e4d8b8f07fbf6d881d8510f45414814d074278d
Reviewed-on: https://chromium-review.googlesource.com/974078
Commit-Queue: Sadrul Chowdhury <sadrul@chromium.org>
Reviewed-by: Scott Violet <sky@chromium.org>
Cr-Commit-Position: refs/heads/master@{#545120}
[modify] https://crrev.com/8694ad2645fdc83cde4d813646ed8944322ae2eb/ash/drag_drop/drag_drop_tracker.cc
[modify] https://crrev.com/8694ad2645fdc83cde4d813646ed8944322ae2eb/ui/events/event.cc
[modify] https://crrev.com/8694ad2645fdc83cde4d813646ed8944322ae2eb/ui/views/controls/label_unittest.cc
[modify] https://crrev.com/8694ad2645fdc83cde4d813646ed8944322ae2eb/ui/views/controls/textfield/textfield_unittest.cc

Comment 3 by ovanieva@chromium.org, Jun 1 2018

Owner: msw@chromium.org
Status: Assigned (was: Available)
msw@ could you please triage?

Comment 4 by msw@chromium.org, Jun 1 2018

Owner: sadrul@chromium.org
Sadrul, you probably know if this is still relevant, and what's left to do.

Sign in to add a comment