[ozone/wayland] Fix Use-After-Free in WaylandWindow::MaybeApplyLatestStateRequest [chromium/src : main]
0 views
Skip to first unread message
Mitsuru Oshima (Gerrit)
May 19, 2026, 6:03:59 PM (5 days ago) May 19
to Keishi Hattori, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, max+watc...@igalia.com, nickdiego+wa...@igalia.com, ozone-...@chromium.org
Attention needed from Keishi Hattori
Mitsuru Oshima voted Commit-Queue+1![]( "Open in Gerrit")
| Commit-Queue | +1 |
Related details
Attention is currently required from:
- Keishi Hattori
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Keishi Hattori (Gerrit)
May 20, 2026, 1:34:36 AM (5 days ago) May 20
to Mitsuru Oshima, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, max+watc...@igalia.com, nickdiego+wa...@igalia.com, ozone-...@chromium.org
Attention needed from Mitsuru Oshima
Keishi Hattori voted and added 1 comment![]( "Open in Gerrit")
Votes added by Keishi Hattori
| Code-Review | +1 |
1 comment
Patchset-level comments
Related details
Attention is currently required from:
- Mitsuru Oshima
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Mitsuru Oshima (Gerrit)
May 20, 2026, 1:37:03 AM (5 days ago) May 20
to Keishi Hattori, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, max+watc...@igalia.com, nickdiego+wa...@igalia.com, ozone-...@chromium.org
Mitsuru Oshima voted Commit-Queue+2![]( "Open in Gerrit")
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Chromium LUCI CQ (Gerrit)
May 20, 2026, 1:45:17 AM (5 days ago) May 20
to Mitsuru Oshima, Keishi Hattori, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, max+watc...@igalia.com, nickdiego+wa...@igalia.com, ozone-...@chromium.org
Chromium LUCI CQ submitted the change![]( "Open in Gerrit")
Change information
Commit message:
[ozone/wayland] Fix Use-After-Free in WaylandWindow::MaybeApplyLatestStateRequest
In WaylandWindow::MaybeApplyLatestStateRequest, the call to
delegate()->OnStateUpdate() can trigger observer notifications that
synchronously destroy the WaylandWindow. This commit avoids accessing
member variables like `applying_state_` and the `latest` reference
(which points to a destroyed `in_flight_requests_` queue element) after
the window is destroyed. This prevents a potential Remote Code Execution
vulnerability due to a heap-use-after-free write.
Bug: 495948109
Change-Id: I1964a73b644c9e5f132dc913b50b5a5235886a7a
Commit-Queue: Mitsuru Oshima <osh...@chromium.org>
Reviewed-by: Keishi Hattori <kei...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1633356}
Files:
- M ui/ozone/platform/wayland/host/wayland_window.cc
- M ui/ozone/platform/wayland/host/wayland_window_unittest.cc
- M ui/ozone/platform/wayland/test/mock_wayland_platform_window_delegate.cc
- M ui/ozone/platform/wayland/test/mock_wayland_platform_window_delegate.h
Change size: S
Delta: 4 files changed, 32 insertions(+), 10 deletions(-)
Branch: refs/heads/main
Submit Requirements:
Code-Review: +1 by Keishi Hattori
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages