[M148] ozone/x11: Fix UAF inside X11Window::GetBoundsInPixels() [chromium/src : refs/branch-heads/7778]
0 views
Skip to first unread message
chrome-cherry-picker@chops-service-accounts.iam.gserviceaccount.com (Gerrit)
May 28, 2026, 10:18:57 AMMay 28
to Thomas Anderson, android-bu...@system.gserviceaccount.com, ozone-...@chromium.org
chrome-che...@chops-service-accounts.iam.gserviceaccount.com voted Auto-Submit+1![]( "Open in Gerrit")
| Auto-Submit | +1 |
Related details
Attention set is empty
Submit Requirements:
Code-Owners
Code-Review
Lint
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
rubber-stamper@appspot.gserviceaccount.com (Gerrit)
May 28, 2026, 10:19:22 AMMay 28
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, Thomas Anderson, android-bu...@system.gserviceaccount.com, ozone-...@chromium.org
rubber-...@appspot.gserviceaccount.com voted![]( "Open in Gerrit")
| Bot-Commit | +1 |
| Commit-Queue | +2 |
Related details
Attention set is empty
Submit Requirements:
Code-Owners
Code-Review
Lint
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
rubber-stamper@appspot.gserviceaccount.com (Gerrit)
Jun 6, 2026, 5:06:25 PMJun 6
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, Thomas Anderson, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, ozone-...@chromium.org
rubber-...@appspot.gserviceaccount.com voted Commit-Queue+2![]( "Open in Gerrit")
| Commit-Queue | +2 |
Related details
Attention set is empty
Submit Requirements:
Code-Owners
Code-Review
Lint
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
rubber-stamper@appspot.gserviceaccount.com (Gerrit)
Jun 16, 2026, 5:56:30 PM (13 days ago) Jun 16
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, Thomas Anderson, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, ozone-...@chromium.org
Message from rubber-...@appspot.gserviceaccount.com![]( "Open in Gerrit")
The change is not in the configured time window. Rubber Stamper is only allowed to review cherry-picks within 14 day(s). Learn more: go/rubber-stamper-user-guide.
Related details
Attention set is empty
Submit Requirements:
Code-Owners
Code-Review
Lint
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Thomas Anderson (Gerrit)
Jun 22, 2026, 6:49:31 PM (6 days ago) Jun 22
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, Lei Zhang, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, ozone-...@chromium.org
Attention needed from Lei Zhang
Thomas Anderson voted![]( "Open in Gerrit")
| Code-Review | +1 |
| Commit-Queue | +2 |
Related details
Attention is currently required from:
- Lei Zhang
Submit Requirements:
Code-Owners
Code-Review
Lint
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Lei Zhang (Gerrit)
Jun 22, 2026, 6:55:37 PM (6 days ago) Jun 22
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, Thomas Anderson, Lei Zhang, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, ozone-...@chromium.org
Attention needed from Thomas Anderson
Lei Zhang voted Code-Review+1![]( "Open in Gerrit")
Attention is currently required from:
- Thomas Anderson
Submit Requirements:
Code-Owners
Code-Review
Lint
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Lei Zhang (Gerrit)
Jun 22, 2026, 6:56:10 PM (6 days ago) Jun 22
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, Thomas Anderson, Lei Zhang, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, ozone-...@chromium.org
Attention needed from Thomas Anderson
Lei Zhang voted Owners-Override+1![]( "Open in Gerrit")
| Owners-Override | +1 |
Related details
Attention is currently required from:
- Thomas Anderson
Submit Requirements:
Code-Owners
Code-Review
Lint
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Thomas Anderson (Gerrit)
Jun 22, 2026, 6:59:26 PM (6 days ago) Jun 22
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, Lei Zhang, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, ozone-...@chromium.org
Thomas Anderson voted Commit-Queue+2![]( "Open in Gerrit")
Submit Requirements:
Code-Owners
Code-Review
Lint
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Lei Zhang (Gerrit)
Jun 22, 2026, 7:00:12 PM (6 days ago) Jun 22
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, Thomas Anderson, Lei Zhang, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, ozone-...@chromium.org
Attention needed from Thomas Anderson
Lei Zhang voted Commit-Queue+2![]( "Open in Gerrit")
| Commit-Queue | +2 |
Related details
Attention is currently required from:
- Thomas Anderson
Submit Requirements:
Code-Owners
Code-Review
Lint
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Chromium LUCI CQ (Gerrit)
Jun 22, 2026, 7:35:56 PM (6 days ago) Jun 22
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, Thomas Anderson, Lei Zhang, android-bu...@system.gserviceaccount.com, ozone-...@chromium.org
Chromium LUCI CQ submitted the change![]( "Open in Gerrit")
Unreviewed changes
4 is the latest approved patch-set.
No files were changed between the latest approved patch-set and the submitted one.
Change information
Commit message:
[M148] ozone/x11: Fix UAF inside X11Window::GetBoundsInPixels()
Original change's description:
> ozone/x11: Fix UAF inside X11Window::GetBoundsInPixels()
>
> When GetBoundsInPixels() triggers synchronous nested message loops
> within GeometryCache, the calling X11Window instance can be
> synchronously destroyed. Subsequent operations in X11Window continue
> executing on the freed this context, leading to potential memory
> corruption in the browser process.
>
> This CL resolves the issue by:
> 1. Making weak_ptr_factory_ mutable in X11Window.
> 2. Guarding GetBoundsInPixels() calls in all critical X11Window methods
> using base::WeakPtrFactory to prevent executing subsequent code if
> this has been destroyed.
> 3. Adding a regression/POC unit test verifying the safety of
> SetBoundsInPixels under re-entrancy deletion conditions.
>
> Fixed: 516653777
> Change-Id: I812afc95f56e77770cda51ad783e206ba0f1b4c1
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7875980
> Commit-Queue: Thomas Anderson <thomasa...@chromium.org>
> Commit-Queue: Lei Zhang <the...@chromium.org>
> Auto-Submit: Thomas Anderson <thomasa...@chromium.org>
> Reviewed-by: Lei Zhang <the...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#1636605}
(cherry picked from commit e3ce9901de36bda58a50b1c5005dc5100b8d0991)
Fixed: 517405897
Bug: 516653777
Change-Id: I812afc95f56e77770cda51ad783e206ba0f1b4c1
Reviewed-by: Lei Zhang <the...@chromium.org>
Commit-Queue: Thomas Anderson <thomasa...@chromium.org>
Auto-Submit: chrome-che...@chops-service-accounts.iam.gserviceaccount.com <chrome-che...@chops-service-accounts.iam.gserviceaccount.com>
Owners-Override: Lei Zhang <the...@chromium.org>
Reviewed-by: Thomas Anderson <thomasa...@chromium.org>
Commit-Queue: Lei Zhang <the...@chromium.org>
Cr-Commit-Position: refs/branch-heads/7778@{#4408}
Cr-Branched-From: 77f495ee216d4c3cc784d33658bad4778c0680ee-refs/heads/main@{#1610480}
Files:
- M ui/ozone/platform/x11/x11_window.cc
- M ui/ozone/platform/x11/x11_window.h
- M ui/ozone/platform/x11/x11_window_ozone_unittest.cc
Change size: M
Delta: 3 files changed, 168 insertions(+), 15 deletions(-)
Branch: refs/branch-heads/7778
Submit Requirements:
Code-Review: +1 by Thomas Anderson, +1 by Lei Zhang
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages