[M150] [Ozone/Wayland]Fix Use-After-Free in OnPointerFrameEvent [chromium/src : refs/branch-heads/7871]
0 views
Skip to first unread message
rubber-stamper@appspot.gserviceaccount.com (Gerrit)
Jun 22, 2026, 4:08:49 PM (7 days ago) Jun 22
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, android-bu...@system.gserviceaccount.com, ozone-...@chromium.org, nickdiego+wa...@igalia.com, max+watc...@igalia.com
rubber-...@appspot.gserviceaccount.com voted![]( "Open in Gerrit")
| Bot-Commit | +1 |
| Commit-Queue | +2 |
Related details
Attention set is empty
Submit Requirements:
Code-Owners
Code-Review
Lint
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Chromium LUCI CQ (Gerrit)
Jun 22, 2026, 6:36:10 PM (6 days ago) Jun 22
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, Kramer Ge, rubber-...@appspot.gserviceaccount.com, android-bu...@system.gserviceaccount.com, ozone-...@chromium.org, nickdiego+wa...@igalia.com, max+watc...@igalia.com
Chromium LUCI CQ submitted the change![]( "Open in Gerrit")
Change information
Commit message:
[M150] [Ozone/Wayland]Fix Use-After-Free in OnPointerFrameEvent
Original change's description:
> [Ozone/Wayland]Fix Use-After-Free in OnPointerFrameEvent
>
> In WaylandEventSource::OnPointerFrameEvent, a raw pointer to the
> focused WaylandWindow was cached outside the loop that drains
> pointer_frames_. If the window is synchronously closed during event
> dispatch, subsequent events in the same frame would use the dangling
> pointer, leading to a Use-After-Free.
>
> This CL fixes the issue by caching the target window as a WeakPtr
> and verifying its validity before each event dispatch.
>
> BUG=523725277
> TAG=agy
> CONV=600e2394-2a5e-4d13-93b9-91470f489eeb
>
> Change-Id: I8cd33570342fc1592ef5f78c5a2ec72064af1ea7
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7958261
> Reviewed-by: Jonathan Ross <jon...@chromium.org>
> Commit-Queue: Kramer Ge <fang...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#1649050}
(cherry picked from commit 45daaa0cb895d8e01f34b3138316bcb83bb7a845)
Bug: 525661570
Change-Id: I8cd33570342fc1592ef5f78c5a2ec72064af1ea7
Auto-Submit: chrome-che...@chops-service-accounts.iam.gserviceaccount.com <chrome-che...@chops-service-accounts.iam.gserviceaccount.com>
Cr-Commit-Position: refs/branch-heads/7871@{#1939}
Cr-Branched-From: f542126b8c1b3e80104b26bb05ec830bd1206f29-refs/heads/main@{#1639810}
Files:
- M ui/ozone/platform/wayland/host/wayland_event_source.cc
- M ui/ozone/platform/wayland/host/wayland_pointer_unittest.cc
Change size: S
Delta: 2 files changed, 44 insertions(+), 3 deletions(-)
Branch: refs/branch-heads/7871
Submit Requirements:
Code-Review: Bot-Commit+1 by rubber-...@appspot.gserviceaccount.com
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages