Thomas Anderson (Gerrit)

unread,

Jun 16, 2026, 4:50:16 PM (13 days ago) Jun 16

to Lei Zhang, chromium...@chromium.org, ozone-...@chromium.org

Attention needed from Lei Zhang

Thomas Anderson voted

Auto-Submit	+1
Commit-Queue	+1

Open in Gerrit

Related details

Attention is currently required from:

Lei Zhang

Submit Requirements:

Code-Owners
Code-Review
Lint
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

rubber-stamper@appspot.gserviceaccount.com (Gerrit)

unread,

Jun 16, 2026, 5:32:19 PM (13 days ago) Jun 16

to Thomas Anderson, Chromium LUCI CQ, Lei Zhang, chromium...@chromium.org, ozone-...@chromium.org

Message from rubber-...@appspot.gserviceaccount.com

The change cannot be auto-reviewed. The following files do not match the benign file configuration: ui/ozone/platform/x11/x11_window.cc, ui/ozone/platform/x11/x11_window.h, ui/ozone/platform/x11/x11_window_ozone_unittest.cc. Learn more: go/rubber-stamper-user-guide.

Open in Gerrit

Related details

Attention set is empty

Submit Requirements:

Code-Owners
Code-Review
Lint
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Lei Zhang (Gerrit)

unread,

Jun 16, 2026, 5:39:31 PM (13 days ago) Jun 16

to Thomas Anderson, Chromium LUCI CQ, Lei Zhang, chromium...@chromium.org, ozone-...@chromium.org

Attention needed from Thomas Anderson

Lei Zhang added 2 comments

File ui/ozone/platform/x11/x11_window.cc

Line 1411, Patchset 1 (Parent): ConvertEventLocationToTargetWindowLocation(

Lei Zhang . unresolved

Is there another CL that needs to be merged first? This doesn't match crrev.com/1647067.

File ui/ozone/platform/x11/x11_window_ozone_unittest.cc

Line 304, Patchset 1 (Latest):// Verifies that X11Window::OnWindowMapped() does not cause a use-after-free

Lei Zhang . unresolved

Doesn't match.

Open in Gerrit

Related details

Attention is currently required from:

Thomas Anderson

Submit Requirements:

Code-Owners
Code-Review
Lint

No-Unresolved-Comments

Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Thomas Anderson (Gerrit)

unread,

Jun 16, 2026, 7:35:51 PM (12 days ago) Jun 16

to Chromium LUCI CQ, Lei Zhang, chromium...@chromium.org, ozone-...@chromium.org

Thomas Anderson abandoned this change.

View Change

Abandoned

Thomas Anderson abandoned this change

Related details

Attention set is empty

Submit Requirements:

Code-Review
Lint
No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

unsatisfied_requirement

satisfied_requirement

open

diffy

Thomas Anderson (Gerrit)

unread,

Jun 23, 2026, 6:11:48 PM (6 days ago) Jun 23

to Lei Zhang, chromium...@chromium.org, ozone-...@chromium.org

Attention needed from Lei Zhang

Thomas Anderson voted

Auto-Submit	+1
Commit-Queue	+1

Open in Gerrit

Related details

Attention is currently required from:

Lei Zhang

Submit Requirements:

Code-Owners

Code-Review
Lint

Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Lei Zhang (Gerrit)

unread,

Jun 23, 2026, 8:28:24 PM (5 days ago) Jun 23

to Thomas Anderson, Lei Zhang, Chromium LUCI CQ, chromium...@chromium.org, ozone-...@chromium.org

Attention needed from Thomas Anderson

Lei Zhang voted Code-Review+1

Code-Review

+1

Open in Gerrit

Related details

Attention is currently required from:

Thomas Anderson

Submit Requirements:

Code-Owners
Code-Review
Lint
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

Lei Zhang (Gerrit)

unread,

Jun 23, 2026, 8:28:54 PM (5 days ago) Jun 23

to Thomas Anderson, Lei Zhang, Chromium LUCI CQ, chromium...@chromium.org, ozone-...@chromium.org

Attention needed from Thomas Anderson

Lei Zhang voted Commit-Queue+2

Commit-Queue

+2

Open in Gerrit

Related details

Attention is currently required from:

Thomas Anderson

Submit Requirements:

Code-Owners
Code-Review
Lint
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

Chromium LUCI CQ (Gerrit)

unread,

Jun 23, 2026, 8:35:55 PM (5 days ago) Jun 23

to Thomas Anderson, Lei Zhang, chromium...@chromium.org, ozone-...@chromium.org

Chromium LUCI CQ submitted the change

Change information

Commit message:

[M148] Ozone: Fix UAF in X11Window::DispatchUiEvent via weak_ptr tracking

Original change's description:
> Ozone: Fix UAF in X11Window::DispatchUiEvent via weak_ptr tracking
>
> A Use-After-Free (UAF) vulnerability can occur in
> X11Window::DispatchUiEvent when translating coordinates for a located
> event grabber window.
>
> During GetBoundsInPixels() on the grabber window, processing synchronous
> X server responses can dispatch events and invoke callbacks that destroy
> the grabber window. Since the grabber window was cached via a raw
> pointer on the stack, this results in a use-after-free when dispatching
> the event to the grabber window afterwards.
>
> This CL fixes this by tracking the grabber window via a base::WeakPtr
> and re-verifying its validity and capture ownership status after
> potential re-entrancy points.
>
> Fixed: 523690961
> Change-Id: Id7fd781af377ccd1a8f5495a5930d6b8bcbb3e52
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7943723
> Reviewed-by: Lei Zhang <the...@chromium.org>
> Commit-Queue: Thomas Anderson <thomasa...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#1647067}

(cherry picked from commit b12c924f5828e2d16248624bf1e068ada3bf1a2b)

Fixed: 524507778

Bug: 523690961

Change-Id: Iffee0b339126340193994431888345e34f02169a

Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7988712

Auto-Submit: Thomas Anderson <thomasa...@chromium.org>

Commit-Queue: Lei Zhang <the...@chromium.org>

Reviewed-by: Lei Zhang <the...@chromium.org>

Cr-Commit-Position: refs/branch-heads/7778@{#4417}

Cr-Branched-From: 77f495ee216d4c3cc784d33658bad4778c0680ee-refs/heads/main@{#1610480}

Files:

M ui/ozone/platform/x11/x11_window.cc
M ui/ozone/platform/x11/x11_window.h
M ui/ozone/platform/x11/x11_window_ozone_unittest.cc

Change size: M

Delta: 3 files changed, 98 insertions(+), 3 deletions(-)

Branch: refs/branch-heads/7778

Submit Requirements:

Code-Review: +1 by Lei Zhang

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Reply all

Reply to author

Forward

[M148] Ozone: Fix UAF in X11Window::DispatchUiEvent via weak_ptr tracking [chromium/src : refs/branch-heads/7778]

Thomas Anderson (Gerrit)

Thomas Anderson voted

Related details

rubber-stamper@appspot.gserviceaccount.com (Gerrit)

Message from rubber-...@appspot.gserviceaccount.com

Related details

Lei Zhang (Gerrit)

Lei Zhang added 2 comments

Related details

Thomas Anderson (Gerrit)

Thomas Anderson abandoned this change

Related details

Thomas Anderson (Gerrit)

Thomas Anderson voted

Related details

Lei Zhang (Gerrit)

Lei Zhang voted Code-Review+1

Related details

Lei Zhang (Gerrit)

Lei Zhang voted Commit-Queue+2

Related details

Chromium LUCI CQ (Gerrit)

Chromium LUCI CQ submitted the change

Change information