[M150] [Ozone/Wayland] Fix UAF in WaylandWindow bubble activation/removal [chromium/src : refs/branch-heads/7871]

0 views
Skip to first unread message

rubber-stamper@appspot.gserviceaccount.com (Gerrit)

unread,
Jun 18, 2026, 6:51:37 PM (10 days ago) Jun 18
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, Thomas Anderson, android-bu...@system.gserviceaccount.com, ozone-...@chromium.org, nickdiego+wa...@igalia.com, max+watc...@igalia.com

rubber-...@appspot.gserviceaccount.com voted

Bot-Commit+1
Commit-Queue+2
Open in Gerrit

Related details

Attention set is empty
Submit Requirements:
  • requirement satisfiedCode-Owners
  • requirement satisfiedCode-Review
  • requirement satisfiedLint
  • requirement satisfiedReview-Enforcement
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: refs/branch-heads/7871
Gerrit-Change-Id: Ia4c921dab990cbb5795a74d2a03e32155197fbfb
Gerrit-Change-Number: 7964539
Gerrit-PatchSet: 2
Gerrit-CC: Thomas Anderson <thomasa...@chromium.org>
Gerrit-Comment-Date: Thu, 18 Jun 2026 22:51:23 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
satisfied_requirement
open
diffy

Chromium LUCI CQ (Gerrit)

unread,
Jun 18, 2026, 8:08:40 PM (10 days ago) Jun 18
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, Thomas Anderson, rubber-...@appspot.gserviceaccount.com, android-bu...@system.gserviceaccount.com, ozone-...@chromium.org, nickdiego+wa...@igalia.com, max+watc...@igalia.com

Chromium LUCI CQ submitted the change

Change information

Commit message:
[M150] [Ozone/Wayland] Fix UAF in WaylandWindow bubble activation/removal

Original change's description:
> [Ozone/Wayland] Fix UAF in WaylandWindow bubble activation/removal
>
> The delegate callback OnActivationChanged() on top-level/bubble windows
> may synchronously destroy the underlying platform window (e.g. if the
> associated widget closes synchronously).
>
> This CL adds base::WeakPtr guards to WaylandWindow::ActivateBubble() and
> WaylandWindow::RemoveBubble() immediately after invoking these callbacks
> to check if the window was destroyed, returning early if so. It also
> ensures child bubbles are safely erased from the child list only if they
> are still present.
>
> Fixed: 524584791
> Change-Id: Ia4c921dab990cbb5795a74d2a03e32155197fbfb
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7958809
> Commit-Queue: Thomas Lukaszewicz <tl...@chromium.org>
> Auto-Submit: Thomas Anderson <thomasa...@chromium.org>
> Reviewed-by: Thomas Lukaszewicz <tl...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#1648660}

(cherry picked from commit 9f9a3573e334d4f3aa2b09dfa7825aa30738a276)
Bug: 525280622,524584791
Change-Id: Ia4c921dab990cbb5795a74d2a03e32155197fbfb
Cr-Commit-Position: refs/branch-heads/7871@{#1635}
Cr-Branched-From: f542126b8c1b3e80104b26bb05ec830bd1206f29-refs/heads/main@{#1639810}
Files:
  • M ui/ozone/platform/wayland/host/wayland_window.cc
  • M ui/ozone/platform/wayland/host/wayland_window_unittest.cc
Change size: M
Delta: 2 files changed, 78 insertions(+), 3 deletions(-)
Branch: refs/branch-heads/7871
Submit Requirements:
Open in Gerrit
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: merged
Gerrit-Project: chromium/src
Gerrit-Branch: refs/branch-heads/7871
Gerrit-Change-Id: Ia4c921dab990cbb5795a74d2a03e32155197fbfb
Gerrit-Change-Number: 7964539
open
diffy
satisfied_requirement
Reply all
Reply to author
Forward
0 new messages