Sergio Solano (Gerrit)

unread,

Apr 1, 2026, 1:57:49 PM (yesterday) Apr 1

to Andres Calderon Jaramillo, Brandon Jones, Chromium LUCI CQ, chromium...@chromium.org, arc-review...@google.com, chromeos-gfx-...@google.com, feature-me...@chromium.org, hidehik...@chromium.org, ipc-securi...@chromium.org, media-cro...@chromium.org, oshima...@chromium.org, vaapi-...@chromium.org, yhanada+...@chromium.org

Attention needed from Andres Calderon Jaramillo and Brandon Jones

Sergio Solano added 1 comment

Patchset-level comments

File-level comment, Patchset 1 (Latest):

Sergio Solano . resolved

Hi guys, can you help me with a review of this qick fix about project Fortify? (Internal only) go/code-terracotta-review-explainer

Open in Gerrit

Related details

Attention is currently required from:

Andres Calderon Jaramillo
Brandon Jones

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

gwsq (Gerrit)

unread,

Apr 1, 2026, 3:13:52 PM (yesterday) Apr 1

to Sergio Solano, Chromium IPC Reviews, Tom Sepez, Colin Blundell, Andres Calderon Jaramillo, Brandon Jones, Chromium LUCI CQ, chromium...@chromium.org, arc-review...@google.com, chromeos-gfx-...@google.com, feature-me...@chromium.org, hidehik...@chromium.org, ipc-securi...@chromium.org, media-cro...@chromium.org, oshima...@chromium.org, vaapi-...@chromium.org, yhanada+...@chromium.org

Attention needed from Andres Calderon Jaramillo, Brandon Jones, Colin Blundell and Tom Sepez

Message from gwsq

From googleclient/chrome/chromium_gwsq/ipc/config.gwsq:
IPC: tse...@chromium.org

📎 It looks like you’re making a possibly security-sensitive change! 📎 IPC security review isn’t a rubberstamp, so your friendly security reviewer will need a fair amount of context to review your CL effectively. Please review your CL description and code comments to make sure they provide context for someone unfamiliar with your project/area. Pay special attention to where data comes from and which processes it flows between (and their privilege levels). Feel free to point your security reviewer at design docs, bugs, or other links if you can’t reasonably make a self-contained CL description. (Also see https://cbea.ms/git-commit/).

IPC reviewer(s): tse...@chromium.org

Reviewer source(s):
tse...@chromium.org is from context(googleclient/chrome/chromium_gwsq/ipc/config.gwsq)

Open in Gerrit

Related details

Attention is currently required from:

Andres Calderon Jaramillo
Brandon Jones

Colin Blundell
Tom Sepez

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Tom Sepez (Gerrit)

unread,

Apr 1, 2026, 3:57:01 PM (yesterday) Apr 1

to Sergio Solano, Chromium IPC Reviews, Colin Blundell, Andres Calderon Jaramillo, Brandon Jones, Chromium LUCI CQ, chromium...@chromium.org, arc-review...@google.com, chromeos-gfx-...@google.com, feature-me...@chromium.org, hidehik...@chromium.org, ipc-securi...@chromium.org, media-cro...@chromium.org, oshima...@chromium.org, vaapi-...@chromium.org, yhanada+...@chromium.org

Attention needed from Andres Calderon Jaramillo, Brandon Jones, Colin Blundell and Sergio Solano

Tom Sepez voted and added 1 comment

Votes added by Tom Sepez

Code-Review

+1

1 comment

File gpu/command_buffer/client/test_shared_image_interface.cc

Line 443, Patchset 1 (Latest): base::checked_cast<uint32_t>(stride), 0, height_in_pixels * stride,

Tom Sepez . unresolved

can this overflow as well? Then truncated from size_t to 32 bits?

Open in Gerrit

Related details

Attention is currently required from:

Andres Calderon Jaramillo
Brandon Jones
Colin Blundell

Sergio Solano

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review

No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Andres Calderon Jaramillo (Gerrit)

unread,

Apr 1, 2026, 7:37:36 PM (24 hours ago) Apr 1

to Sergio Solano, Tom Sepez, Chromium IPC Reviews, Colin Blundell, Brandon Jones, Chromium LUCI CQ, chromium...@chromium.org, arc-review...@google.com, chromeos-gfx-...@google.com, feature-me...@chromium.org, hidehik...@chromium.org, ipc-securi...@chromium.org, media-cro...@chromium.org, oshima...@chromium.org, vaapi-...@chromium.org, yhanada+...@chromium.org

Attention needed from Brandon Jones, Colin Blundell and Sergio Solano

Andres Calderon Jaramillo voted and added 5 comments

Votes added by Andres Calderon Jaramillo

Code-Review

+1

5 comments

File media/gpu/chromeos/mock_native_pixmap_dmabuf.cc

Line 63, Patchset 1 (Latest): plane.offset, plane.size,

Andres Calderon Jaramillo . unresolved

Should these maybe be `base::strict_cast<uint64_t>()` and `base::strict_cast<uint64_t>()`?

File media/gpu/chromeos/native_pixmap_frame_resource.cc

Line 129, Patchset 1 (Latest): plane.offset, plane.size,

Andres Calderon Jaramillo . unresolved

Should these maybe be `base::strict_cast<uint64_t>()` and `base::strict_cast<uint64_t>()`?

File media/gpu/chromeos/platform_video_frame_utils.cc

Line 525, Patchset 1 (Latest):

            base::checked_cast<uint32_t>(plane.stride), plane.offset,
            plane.size, std::move(duped_fds[i]));

Andres Calderon Jaramillo . unresolved

Should these maybe be `base::strict_cast<uint64_t>()` and `base::strict_cast<uint64_t>()`?

File media/gpu/test/test_gbm_buffer_manager.cc

Line 257, Patchset 1 (Latest):

    UNSAFE_TODO(import_data.strides[plane]) =
        base::checked_cast<uint32_t>(handle.planes[plane].stride);
    UNSAFE_TODO(import_data.offsets[plane]) =
        base::checked_cast<uint32_t>(handle.planes[plane].offset);

Andres Calderon Jaramillo . unresolved

These ones should remain `base::checked_cast<int>` because `int` is used in [`gbm_import_fd_modifier_data`](https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/minigbm/gbm.h;l=375-376;drc=698c5e9e8d94bc4ed988bd07b246cf37380851d0).

File ui/gfx/mojom/mojom_traits_unittest.cc

Line 287, Patchset 1 (Latest): native_pixmap_handle, output);

Andres Calderon Jaramillo . unresolved

nit: Add `ASSERT_FALSE(output.planes.empty());`

Open in Gerrit

Related details

Attention is currently required from:

Brandon Jones
Colin Blundell
Sergio Solano

Submit Requirements:

Code-Coverage
Code-Owners

Code-Review

No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Sergio Solano (Gerrit)

unread,

3:12 AM (16 hours ago) 3:12 AM

to Stephen Nusko, Andres Calderon Jaramillo, Tom Sepez, Chromium IPC Reviews, Chromium LUCI CQ, chromium...@chromium.org, arc-review...@google.com, chromeos-gfx-...@google.com, feature-me...@chromium.org, hidehik...@chromium.org, ipc-securi...@chromium.org, media-cro...@chromium.org, oshima...@chromium.org, vaapi-...@chromium.org, yhanada+...@chromium.org

Attention needed from Andres Calderon Jaramillo, Stephen Nusko and Tom Sepez

Sergio Solano voted and added 7 comments

Votes added by Sergio Solano

Commit-Queue

+1

7 comments

Patchset-level comments

File-level comment, Patchset 2 (Latest):

Sergio Solano . resolved

Hi Tom and Andres,

Thanks for the reviews. To land this safety fix as quickly as possible and avoid cross-component approval delays, I've decided to split the original CL into two parts:

1. This CL (Mojo Security): Focused strictly on the Mojo boundary. I've added range validation to the Traits to prevent the sign-extension exploit from a compromised renderer. This is the core fix for b:497542537.
2. Follow-up CL (Media Safety): I've moved the internal hygiene and safety improvements for media/gpu and chromeos/ash call sites here: https://crrev.com/c/7724047

In this patchset, I have also:

Restored the ui/gfx headers and .mojom files to their base state to keep the public API unchanged for this quick fix.
Included the requested Mojo regression test with Andres' nits (ASSERT_FALSE).
Addressed the security concerns while avoiding unnecessary structural changes.

Do you agree to leave the full type migration (to uint32_t/uint64_t) and the overflow checks in test_shared_image_interface.cc in the subsequent permanent fix?

File gpu/command_buffer/client/test_shared_image_interface.cc

Line 443, Patchset 1: base::checked_cast<uint32_t>(stride), 0, height_in_pixels * stride,

Tom Sepez . resolved

can this overflow as well? Then truncated from size_t to 32 bits?

Sergio Solano

Agree, however, to land the core security fix as quickly as possible and avoid cross-component approval delays, I have focused this CL strictly on the Mojo boundary and reverted changes to this test-only file.

For the internal Media/ChromeOS safety improvements, I've made follow-up CL: https://crrev.com/c/7724047

File media/gpu/chromeos/mock_native_pixmap_dmabuf.cc

Line 63, Patchset 1: plane.offset, plane.size,

Andres Calderon Jaramillo . resolved

Should these maybe be `base::strict_cast<uint64_t>()` and `base::strict_cast<uint64_t>()`?

Sergio Solano

I've kept the constructor parameters as int (matching base state) to land the safety fix quickly. Since strict_cast to uint64_t would cause a compile error, I've used base::checked_cast<int> instead. This provides the same security guarantee by crashing on overflow.

You can see these updated call sites in the follow-up CL: https://crrev.com/c/7724047. The full header migration to uint64_t will follow in the permanent fix.

File media/gpu/chromeos/native_pixmap_frame_resource.cc

Line 129, Patchset 1: plane.offset, plane.size,

Andres Calderon Jaramillo . resolved

Should these maybe be `base::strict_cast<uint64_t>()` and `base::strict_cast<uint64_t>()`?

Sergio Solano

Same as above. Updated in the follow-up CL: https://crrev.com/c/7724047

File media/gpu/chromeos/platform_video_frame_utils.cc

Line 525, Patchset 1: base::checked_cast<uint32_t>(plane.stride), plane.offset,


            plane.size, std::move(duped_fds[i]));

Andres Calderon Jaramillo . resolved

Should these maybe be `base::strict_cast<uint64_t>()` and `base::strict_cast<uint64_t>()`?

Sergio Solano

Same as my previous comment. I've used checked_cast<int> where the destination is the NativePixmapPlane constructor (to match the int parameters in the header), and safe casts where the destination allows uint64_t.

Updated in: https://crrev.com/c/7724047

File media/gpu/test/test_gbm_buffer_manager.cc

Line 257, Patchset 1: UNSAFE_TODO(import_data.strides[plane]) =


        base::checked_cast<uint32_t>(handle.planes[plane].stride);
    UNSAFE_TODO(import_data.offsets[plane]) =
        base::checked_cast<uint32_t>(handle.planes[plane].offset);

Andres Calderon Jaramillo . resolved

These ones should remain `base::checked_cast<int>` because `int` is used in [`gbm_import_fd_modifier_data`](https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/platform/minigbm/gbm.h;l=375-376;drc=698c5e9e8d94bc4ed988bd07b246cf37380851d0).

Sergio Solano

Done

File ui/gfx/mojom/mojom_traits_unittest.cc

Line 287, Patchset 1: native_pixmap_handle, output);

Andres Calderon Jaramillo . resolved

nit: Add `ASSERT_FALSE(output.planes.empty());`

Sergio Solano

Done

Open in Gerrit

Related details

Attention is currently required from:

Andres Calderon Jaramillo
Stephen Nusko
Tom Sepez

Submit Requirements:

Code-Coverage
Code-Owners

Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Stephen Nusko (Gerrit)

unread,

3:47 AM (16 hours ago) 3:47 AM

to Sergio Solano, Andres Calderon Jaramillo, Tom Sepez, Chromium IPC Reviews, Chromium LUCI CQ, chromium...@chromium.org, arc-review...@google.com, chromeos-gfx-...@google.com, feature-me...@chromium.org, hidehik...@chromium.org, ipc-securi...@chromium.org, media-cro...@chromium.org, oshima...@chromium.org, vaapi-...@chromium.org, yhanada+...@chromium.org

Attention needed from Andres Calderon Jaramillo, Sergio Solano and Tom Sepez

Stephen Nusko voted and added 1 comment

Votes added by Stephen Nusko

Code-Review

+1

1 comment

File ui/gfx/mojom/native_handle_types_mojom_traits.cc

Line 103, Patchset 2 (Latest): out->stride = base::checked_cast<int>(data.stride());

Stephen Nusko . unresolved

can't these just be static_cast? Because we've already checked that the data will fit inside the requested `int`? We don't need the runtime check of base::checked_cast right?

Open in Gerrit

Related details

Attention is currently required from:

Andres Calderon Jaramillo
Sergio Solano
Tom Sepez

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review

No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Stephen Nusko (Gerrit)

unread,

3:51 AM (16 hours ago) 3:51 AM

to Sergio Solano, Andres Calderon Jaramillo, Tom Sepez, Chromium IPC Reviews, Chromium LUCI CQ, chromium...@chromium.org, arc-review...@google.com, chromeos-gfx-...@google.com, feature-me...@chromium.org, hidehik...@chromium.org, ipc-securi...@chromium.org, media-cro...@chromium.org, oshima...@chromium.org, vaapi-...@chromium.org, yhanada+...@chromium.org

Attention needed from Andres Calderon Jaramillo, Sergio Solano and Tom Sepez

Stephen Nusko added 1 comment

File gpu/command_buffer/client/test_shared_image_interface.cc

Line 443, Patchset 1: base::checked_cast<uint32_t>(stride), 0, height_in_pixels * stride,

Tom Sepez . resolved

can this overflow as well? Then truncated from size_t to 32 bits?

Sergio Solano

Agree, however, to land the core security fix as quickly as possible and avoid cross-component approval delays, I have focused this CL strictly on the Mojo boundary and reverted changes to this test-only file.
For the internal Media/ChromeOS safety improvements, I've made follow-up CL: https://crrev.com/c/7724047

Stephen Nusko

I don't see the this file being changed in your follow up CL? Looks like we might have needed CheckMul?

satisfied_requirement

unsatisfied_requirement

open

diffy

Tom Sepez (Gerrit)

unread,

2:06 PM (5 hours ago) 2:06 PM

to Sergio Solano, Stephen Nusko, Andres Calderon Jaramillo, Chromium IPC Reviews, Chromium LUCI CQ, chromium...@chromium.org, arc-review...@google.com, chromeos-gfx-...@google.com, feature-me...@chromium.org, hidehik...@chromium.org, ipc-securi...@chromium.org, media-cro...@chromium.org, oshima...@chromium.org, vaapi-...@chromium.org, yhanada+...@chromium.org

Attention needed from Andres Calderon Jaramillo and Sergio Solano

Tom Sepez voted Code-Review+1

Code-Review

+1

Open in Gerrit

Related details

Attention is currently required from:

Andres Calderon Jaramillo
Sergio Solano

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review

No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Reply all

Reply to author

Forward

[ui/gfx] Fix NativePixmapPlane offset corruption [chromium/src : main]

Sergio Solano (Gerrit)

Sergio Solano added 1 comment

Related details

gwsq (Gerrit)

Message from gwsq

Related details

Tom Sepez (Gerrit)

Tom Sepez voted and added 1 comment

Votes added by Tom Sepez

1 comment

Related details

Andres Calderon Jaramillo (Gerrit)

Andres Calderon Jaramillo voted and added 5 comments

Votes added by Andres Calderon Jaramillo

5 comments

Related details

Sergio Solano (Gerrit)

Sergio Solano voted and added 7 comments

Votes added by Sergio Solano

7 comments

Related details

Stephen Nusko (Gerrit)

Stephen Nusko voted and added 1 comment

Votes added by Stephen Nusko

1 comment

Related details

Stephen Nusko (Gerrit)

Stephen Nusko added 1 comment

Tom Sepez (Gerrit)

Tom Sepez voted Code-Review+1

Related details