Thomas Anderson (Gerrit)

unread,

Jun 24, 2026, 6:31:51 PM (4 days ago) Jun 24

to Lei Zhang, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, ozone-...@chromium.org

Attention needed from Lei Zhang

Thomas Anderson voted

Auto-Submit	+1
Commit-Queue	+1

Open in Gerrit

Related details

Attention is currently required from:

Lei Zhang

Submit Requirements:

Code-Owners
Code-Review
Lint
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Lei Zhang (Gerrit)

unread,

Jun 24, 2026, 6:34:01 PM (4 days ago) Jun 24

to Thomas Anderson, Lei Zhang, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, ozone-...@chromium.org

Attention needed from Thomas Anderson

Lei Zhang voted

Code-Review	+1
Commit-Queue	+2

Open in Gerrit

Related details

Attention is currently required from:

Thomas Anderson

Submit Requirements:

Code-Owners
Code-Review
Lint
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

Chromium LUCI CQ (Gerrit)

unread,

Jun 24, 2026, 7:59:46 PM (4 days ago) Jun 24

to Thomas Anderson, Lei Zhang, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, ozone-...@chromium.org

Chromium LUCI CQ submitted the change

Change information

Commit message:

[M149] ozone/x11: Fix potential UAF in X11Window::DispatchEvent

Original change's description:
> ozone/x11: Fix potential UAF in X11Window::DispatchEvent
>
> During mouse event dispatch, synchronous event processing inside
> X11WindowManager::MouseOnWindow can trigger observers that synchronously
> close the widget and destroy the X11Window. Because there was no WeakPtr
> guard, the rest of DispatchEvent would proceed with a freed pointer,
> causing a Use-After-Free (UAF).
>
> This CL adds a WeakPtr guard to check if the window was destroyed during
> MouseOnWindow and returns early. A regression test is added to prevent
> regressions.
>
> Fixed: 524395469
> Change-Id: I7f5c27cf383d9753699c76341a327ebe88f405fd
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7950619
> Reviewed-by: Lei Zhang <the...@chromium.org>
> Commit-Queue: Lei Zhang <the...@chromium.org>
> Auto-Submit: Thomas Anderson <thomasa...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#1647701}

(cherry picked from commit fdf7bd93e6af84c37cee9d6fda623d7359bb8582)

Fixed: 524889824

Bug: 524395469

Change-Id: I5a6b17f8d78b8b968b7ed4b31440a4911f91f5ce

Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7997567

Commit-Queue: Thomas Anderson <thomasa...@chromium.org>

Commit-Queue: Lei Zhang <the...@chromium.org>

Auto-Submit: Thomas Anderson <thomasa...@chromium.org>

Reviewed-by: Lei Zhang <the...@chromium.org>

Cr-Commit-Position: refs/branch-heads/7827@{#3807}

Cr-Branched-From: 9f3e9aaccba63bd2ec30334e45e0bfd07ebcc8f1-refs/heads/main@{#1625079}

Files:

M ui/ozone/platform/x11/x11_window.cc
M ui/ozone/platform/x11/x11_window_ozone_unittest.cc

Change size: M

Delta: 2 files changed, 81 insertions(+), 0 deletions(-)

Branch: refs/branch-heads/7827

Submit Requirements:

Code-Review: +1 by Lei Zhang

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Reply all

Reply to author

Forward

[M149] ozone/x11: Fix potential UAF in X11Window::DispatchEvent [chromium/src : refs/branch-heads/7827]

Thomas Anderson (Gerrit)

Thomas Anderson voted

Related details

Lei Zhang (Gerrit)

Lei Zhang voted

Related details

Chromium LUCI CQ (Gerrit)

Chromium LUCI CQ submitted the change

Change information