Thomas Anderson (Gerrit)

unread,

May 14, 2026, 12:31:45 PM (10 days ago) May 14

to Lei Zhang, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, ozone-...@chromium.org

Attention needed from Lei Zhang

Thomas Anderson voted

Auto-Submit	+1
Commit-Queue	+1

Open in Gerrit

Related details

Attention is currently required from:

Lei Zhang

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Lei Zhang (Gerrit)

unread,

May 14, 2026, 12:58:01 PM (10 days ago) May 14

to Thomas Anderson, Lei Zhang, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, ozone-...@chromium.org

Attention needed from Thomas Anderson

Lei Zhang voted and added 2 comments

Votes added by Lei Zhang

Code-Review

+1

2 comments

File ui/ozone/platform/x11/test/x11_window_unittest.cc

Line 202, Patchset 3 (Latest): if (active && window_) {

Lei Zhang . unresolved

Don't bother with this check?

Line 210, Patchset 3 (Latest):};

Lei Zhang . unresolved

nit: newline after

Open in Gerrit

Related details

Attention is currently required from:

Thomas Anderson

Submit Requirements:

Code-Coverage
Code-Owners

Code-Review
No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Thomas Anderson (Gerrit)

unread,

May 14, 2026, 1:08:18 PM (10 days ago) May 14

to Lei Zhang, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, ozone-...@chromium.org

Thomas Anderson voted and added 2 comments

Votes added by Thomas Anderson

Auto-Submit	+0
Commit-Queue	+2

2 comments

File ui/ozone/platform/x11/test/x11_window_unittest.cc

Line 202, Patchset 3: if (active && window_) {

Lei Zhang . resolved

Don't bother with this check?

Thomas Anderson

Done

Line 210, Patchset 3:};

Lei Zhang . resolved

nit: newline after

Thomas Anderson

Done

Open in Gerrit

Related details

Attention set is empty

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review

Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

Chromium LUCI CQ (Gerrit)

unread,

May 14, 2026, 2:47:04 PM (10 days ago) May 14

to Thomas Anderson, Lei Zhang, android-bu...@system.gserviceaccount.com, chromium...@chromium.org, ozone-...@chromium.org

Chromium LUCI CQ submitted the change with unreviewed changes

Unreviewed changes

3 is the latest approved patch-set.
The change was submitted with unreviewed changes in the following files:

```
The name of the file: ui/ozone/platform/x11/test/x11_window_unittest.cc
Insertions: 3, Deletions: 4.

@@ -199,15 +199,14 @@
   }
 
   void OnActivationChanged(bool active) override {
-    if (active && window_) {
-      // Synchronously destroy the window.
-      window_.reset();
-    }
+    // Synchronously destroy the window.
+    window_.reset();
   }
 
  private:
   std::unique_ptr<X11Window> window_;
 };
+
 // Returns the list of rectangles which describe |window|'s bounding region via
 // the X shape extension.
 std::vector<gfx::Rect> GetShapeRects(x11::Window window) {
```

Change information

Commit message:

[Ozone/X11] Fix UAF in DispatchUiEvent during synchronous destruction

A potential Use-After-Free (UAF) vulnerability was identified in
X11Window::DispatchUiEvent. Synchronous destruction of the X11Window
object during HandleEvent processing (e.g., due to activation changes)
could leave DispatchUiEvent with a dangling 'this' pointer.

This CL adds a base::WeakPtr liveness check after HandleEvent to
prevent further member accesses if the window is destroyed.

Fixed: 513006660

Change-Id: I4987be20f8288ff8215aebcce789529b056fe2e0

Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7848608

Commit-Queue: Thomas Anderson <thomasa...@chromium.org>

Reviewed-by: Lei Zhang <the...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#1630706}

Files:

M ui/ozone/platform/x11/test/x11_window_unittest.cc
M ui/ozone/platform/x11/x11_window.cc
M ui/ozone/platform/x11/x11_window.h

Change size: M

Delta: 3 files changed, 56 insertions(+), 1 deletion(-)

Branch: refs/heads/main

Submit Requirements:

Code-Review: +1 by Lei Zhang

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Reply all

Reply to author

Forward

[Ozone/X11] Fix UAF in DispatchUiEvent during synchronous destruction [chromium/src : main]

Thomas Anderson (Gerrit)

Thomas Anderson voted

Related details

Lei Zhang (Gerrit)

Lei Zhang voted and added 2 comments

Votes added by Lei Zhang

2 comments

Related details

Thomas Anderson (Gerrit)

Thomas Anderson voted and added 2 comments

Votes added by Thomas Anderson

2 comments

Related details

Chromium LUCI CQ (Gerrit)

Chromium LUCI CQ submitted the change with unreviewed changes

Unreviewed changes

Change information