Fix heap out-of-bounds read in DeviceDataManagerX11 [chromium/src : main]
0 views
Skip to first unread message
Andrew Paseltiner (Gerrit)
Apr 14, 2026, 1:16:56 PMApr 14
to Thomas Anderson, Jonathan Ross, chromiu...@luci-project-accounts.iam.gserviceaccount.com, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromotin...@chromium.org, Sadrul Chowdhury, ozone-...@chromium.org, spang...@chromium.org
Attention needed from Jonathan Ross and Thomas Anderson
Andrew Paseltiner voted Commit-Queue+1![]( "Open in Gerrit")
| Commit-Queue | +1 |
Related details
Attention is currently required from:
- Jonathan Ross
- Thomas Anderson
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Jonathan Ross (Gerrit)
Apr 14, 2026, 1:46:39 PMApr 14
to Andrew Paseltiner, Joe Downing, Thomas Anderson, chromiu...@luci-project-accounts.iam.gserviceaccount.com, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromotin...@chromium.org, Sadrul Chowdhury, ozone-...@chromium.org, spang...@chromium.org
Attention needed from Andrew Paseltiner, Joe Downing and Thomas Anderson
Jonathan Ross added 1 comment![]( "Open in Gerrit")
File ui/ozone/platform/x11/test/xinput_util_unittest.cc
Line 15, Patchset 3 (Latest):
// Regression test for crbug.com/501862016.Jonathan Ross . unresolved
Mind CCing me on the bug?
Related details
Attention is currently required from:
- Andrew Paseltiner
- Joe Downing
- Thomas Anderson
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Joe Downing (Gerrit)
Apr 14, 2026, 2:15:02 PMApr 14
to Andrew Paseltiner, Thomas Anderson, Jonathan Ross, chromiu...@luci-project-accounts.iam.gserviceaccount.com, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromotin...@chromium.org, Sadrul Chowdhury, ozone-...@chromium.org, spang...@chromium.org
Attention needed from Andrew Paseltiner and Thomas Anderson
Joe Downing voted and added 1 comment![]( "Open in Gerrit")
Votes added by Joe Downing
| Code-Review | +1 |
1 comment
Patchset-level comments
Related details
Attention is currently required from:
- Andrew Paseltiner
- Thomas Anderson
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Andrew Paseltiner (Gerrit)
Apr 14, 2026, 2:22:52 PMApr 14
to Joe Downing, Thomas Anderson, Jonathan Ross, chromiu...@luci-project-accounts.iam.gserviceaccount.com, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromotin...@chromium.org, Sadrul Chowdhury, ozone-...@chromium.org, spang...@chromium.org
Attention needed from Jonathan Ross and Thomas Anderson
Andrew Paseltiner added 1 comment![]( "Open in Gerrit")
File ui/ozone/platform/x11/test/xinput_util_unittest.cc
Line 15, Patchset 3 (Latest):
// Regression test for crbug.com/501862016.Jonathan Ross . resolved
Mind CCing me on the bug?
Attention is currently required from:
- Jonathan Ross
- Thomas Anderson
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Thomas Anderson (Gerrit)
Apr 14, 2026, 3:23:57 PMApr 14
to Andrew Paseltiner, Joe Downing, Jonathan Ross, chromiu...@luci-project-accounts.iam.gserviceaccount.com, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromotin...@chromium.org, Sadrul Chowdhury, ozone-...@chromium.org, spang...@chromium.org
Attention needed from Andrew Paseltiner and Jonathan Ross
Thomas Anderson voted Code-Review+1![]( "Open in Gerrit")
Attention is currently required from:
- Andrew Paseltiner
- Jonathan Ross
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Jonathan Ross (Gerrit)
Apr 14, 2026, 6:39:00 PMApr 14
to Andrew Paseltiner, Thomas Anderson, Joe Downing, chromiu...@luci-project-accounts.iam.gserviceaccount.com, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromotin...@chromium.org, Sadrul Chowdhury, ozone-...@chromium.org, spang...@chromium.org
Attention needed from Andrew Paseltiner
Jonathan Ross voted Code-Review+1![]( "Open in Gerrit")
| Code-Review | +1 |
Related details
Attention is currently required from:
- Andrew Paseltiner
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Andrew Paseltiner (Gerrit)
Apr 14, 2026, 7:43:20 PMApr 14
to Jonathan Ross, Thomas Anderson, Joe Downing, chromiu...@luci-project-accounts.iam.gserviceaccount.com, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromotin...@chromium.org, Sadrul Chowdhury, ozone-...@chromium.org, spang...@chromium.org
Andrew Paseltiner voted Commit-Queue+2![]( "Open in Gerrit")
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
chromium-scoped@luci-project-accounts.iam.gserviceaccount.com (Gerrit)
Apr 14, 2026, 8:07:53 PMApr 14
to Andrew Paseltiner, Jonathan Ross, Thomas Anderson, Joe Downing, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, chromotin...@chromium.org, Sadrul Chowdhury, ozone-...@chromium.org, spang...@chromium.org
chromiu...@luci-project-accounts.iam.gserviceaccount.com submitted the change![]( "Open in Gerrit")
Change information
Commit message:
Fix heap out-of-bounds read in DeviceDataManagerX11
Refactor XInput mask utility functions to use base::span for safer
memory access and explicit bounds checking. Previously, these functions
used raw pointers without size information, leading to potential
out-of-bounds reads when processing truncated XInput event masks sent by
the X server.
Specific changes:
- Update SetXinputMask and IsXinputMaskSet in xinput_util.h to
accept base::span<uint8_t> and base::span<const uint8_t>.
- Use base::as_byte_span, base::as_writable_byte_span, or
base::byte_span_from_ref at all call sites (including
DeviceDataManagerX11, TouchFactory, and various test utilities) to
pass masks safely.
- Add unit tests in xinput_util_unittest.cc verifying safe bounds
handling for both IsXinputMaskSet and SetXinputMask, using
EXPECT_DEATH_IF_SUPPORTED for the latter.
- Add regression test in device_data_manager_x11_unittest.cc for
GetEventData with truncated masks.
Fixed: 501862016
Change-Id: Ia68255583bdaf944e786dea2a64cde937e761e4c
Reviewed-by: Thomas Anderson <thomasa...@chromium.org>
Reviewed-by: Joe Downing <joe...@chromium.org>
Commit-Queue: Andrew Paseltiner <apase...@chromium.org>
Reviewed-by: Jonathan Ross <jon...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1614784}
Files:
- M remoting/host/input_monitor/local_input_monitor_x11_common.cc
- M ui/base/x/x11_user_input_monitor.cc
- M ui/events/devices/x11/device_data_manager_x11.cc
- M ui/events/devices/x11/touch_factory_x11.cc
- M ui/events/devices/x11/xinput_util.h
- M ui/events/test/events_test_utils_x11.cc
- M ui/events/x/events_x_utils.cc
- M ui/ozone/platform/x11/BUILD.gn
- M ui/ozone/platform/x11/test/device_data_manager_x11_unittest.cc
- A ui/ozone/platform/x11/test/xinput_util_unittest.cc
Change size: M
Delta: 10 files changed, 164 insertions(+), 36 deletions(-)
Branch: refs/heads/main
Submit Requirements:
Code-Review: +1 by Joe Downing, +1 by Jonathan Ross, +1 by Thomas Anderson
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages