From 96d03be3e06649f9c9ed277622709e7a732bbcf9 Mon Sep 17 00:00:00 2001
From: Romain Pokrzywka <romain.pokrzywka@gmail.com>
Date: Fri, 23 Aug 2019 11:26:17 -0500
Subject: Fix crash when handling QEvent::TouchCancel

TouchCancel events have an empty touchPoints() list, which first trips
when accessing touchPoints[0], and later on crashes Chromium if we pass
the empty list to m_touchSelectionController.
Rework handleTouchEvent() to route TouchCancel events like other touch
events, and make sure we pass a non-empty touchpoints list to Chromium.

Task-number: QTBUG-80893
Change-Id: Ie8396a1191f72b5bbb2b047f131794b37cfded48
Reviewed-by: Peter Varga <pvarga@inf.u-szeged.hu>
---
 src/core/render_widget_host_view_qt.cpp | 47 ++++++++++++++++++++-------------
 1 file changed, 29 insertions(+), 18 deletions(-)

(limited to 'src')

diff --git a/src/core/render_widget_host_view_qt.cpp b/src/core/render_widget_host_view_qt.cpp
index 0adf8091f..901cbf0bd 100644
--- a/src/core/render_widget_host_view_qt.cpp
+++ b/src/core/render_widget_host_view_qt.cpp
@@ -1575,7 +1575,12 @@ void RenderWidgetHostViewQt::handleTouchEvent(QTouchEvent *ev)
     eventTimestamp += m_eventsToNowDelta;
 
     QList<QTouchEvent::TouchPoint> touchPoints = mapTouchPointIds(ev->touchPoints());
-    {
+    // Make sure that ACTION_POINTER_DOWN is delivered before ACTION_MOVE,
+    // and ACTION_MOVE before ACTION_POINTER_UP.
+    std::sort(touchPoints.begin(), touchPoints.end(), compareTouchPoints);
+
+    // Check first if the touch event should be routed to the selectionController
+    if (!touchPoints.isEmpty()) {
         ui::MotionEvent::Action action;
         switch (touchPoints[0].state()) {
         case Qt::TouchPointPressed:
@@ -1594,6 +1599,23 @@ void RenderWidgetHostViewQt::handleTouchEvent(QTouchEvent *ev)
 
         MotionEventQt motionEvent(touchPoints, eventTimestamp, action, ev->modifiers(), 0);
         if (m_touchSelectionController->WillHandleTouchEvent(motionEvent)) {
+            m_previousTouchPoints = touchPoints;
+            ev->accept();
+            return;
+        }
+    } else {
+        // An empty touchPoints always corresponds to a TouchCancel event.
+        // We can't forward touch cancellations without a previously processed touch event,
+        // as Chromium expects the previous touchPoints for Action::CANCEL.
+        // If both are empty that means the TouchCancel was sent without an ongoing touch,
+        // so there's nothing to cancel anyway.
+        touchPoints = m_previousTouchPoints;
+        if (touchPoints.isEmpty())
+            return;
+
+        MotionEventQt cancelEvent(touchPoints, eventTimestamp, ui::MotionEvent::Action::CANCEL, ev->modifiers());
+        if (m_touchSelectionController->WillHandleTouchEvent(cancelEvent)) {
+            m_previousTouchPoints.clear();
             ev->accept();
             return;
         }
@@ -1610,21 +1632,13 @@ void RenderWidgetHostViewQt::handleTouchEvent(QTouchEvent *ev)
         break;
     case QEvent::TouchCancel:
     {
-        // Don't process a TouchCancel event if no motion was started beforehand, or if there are
-        // no touch points in the current event or in the previously processed event.
-        if (!m_touchMotionStarted || (touchPoints.isEmpty() && m_previousTouchPoints.isEmpty())) {
-            clearPreviousTouchMotionState();
-            return;
+        // Only process TouchCancel events received following a TouchBegin or TouchUpdate event
+        if (m_touchMotionStarted) {
+            MotionEventQt cancelEvent(touchPoints, eventTimestamp, ui::MotionEvent::Action::CANCEL, ev->modifiers());
+            processMotionEvent(cancelEvent);
         }
 
-        // Use last saved touch points for the cancel event, to get rid of a QList assert,
-        // because Chromium expects a MotionEvent::ACTION_CANCEL instance to contain at least
-        // one touch point, whereas a QTouchCancel may not contain any touch points at all.
-        if (touchPoints.isEmpty())
-            touchPoints = m_previousTouchPoints;
         clearPreviousTouchMotionState();
-        MotionEventQt cancelEvent(touchPoints, eventTimestamp, ui::MotionEvent::Action::CANCEL, ev->modifiers());
-        processMotionEvent(cancelEvent);
         return;
     }
     case QEvent::TouchEnd:
@@ -1648,11 +1662,6 @@ void RenderWidgetHostViewQt::handleTouchEvent(QTouchEvent *ev)
 #endif
     }
 
-    // Make sure that ACTION_POINTER_DOWN is delivered before ACTION_MOVE,
-    // and ACTION_MOVE before ACTION_POINTER_UP.
-    std::sort(touchPoints.begin(), touchPoints.end(), compareTouchPoints);
-
-    m_previousTouchPoints = touchPoints;
     for (int i = 0; i < touchPoints.size(); ++i) {
         ui::MotionEvent::Action action;
         switch (touchPoints[i].state()) {
@@ -1679,6 +1688,8 @@ void RenderWidgetHostViewQt::handleTouchEvent(QTouchEvent *ev)
         MotionEventQt motionEvent(touchPoints, eventTimestamp, action, ev->modifiers(), i);
         processMotionEvent(motionEvent);
     }
+
+    m_previousTouchPoints = touchPoints;
 }
 
 #if QT_CONFIG(tabletevent)
-- 
cgit v1.2.3