author | Scott Violet <sky@chromium.org> | 2021-03-23 18:47:22 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2021-04-09 10:50:40 +0000 |
commit | 5cc54b6c60ee4cdb3ca49076d8d2baf53f437596 (patch) | |
tree | c14ce520c3598e71a54fcdd62e278d2bbf913849 | |
parent | fcd5c56fe795bb48ff3b31e0fff038875c5ad689 (diff) | |
download | qtwebengine-chromium-5cc54b6c60ee4cdb3ca49076d8d2baf53f437596.tar.gz |
[Backport] Security bug 1185482
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2779886:
x11/ozone: fix two edge cases
WindowTreeHost::OnHostMovedInPixels() may trigger a nested message
loop (tab dragging), which means that by the time the stack unwinds,
this may have been deleted. This adds an early out if this happens.
X11WholeScreenMoveLoop has a similar issue, in so far as notifying
the delegate may delete this.
BUG=1185482
TEST=WindowTreeHostPlatform.DeleteHostFromOnHostMovedInPixels
(cherry picked from commit 5e3a738b1204941aab9f15c0eb3d06e20fefd96e)
Change-Id: Ieca1c90b3e4358da50b332abe2941fdbb50c5c25
Reviewed-by: Thomas Anderson <thomasanderson@chromium.org>
Commit-Queue: Scott Violet <sky@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#860852}
Cr-Commit-Position: refs/branch-heads/4389@{#1583}
Cr-Branched-From: 9251c5db2b6d5a59fe4eac7aafa5fed37c139bb7-refs/heads/master@{#843830}
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r-- | chromium/ui/aura/window_tree_host.cc | 4 | ||||
-rw-r--r-- | chromium/ui/aura/window_tree_host.h | 2 | ||||
-rw-r--r-- | chromium/ui/aura/window_tree_host_platform.cc | 7 | ||||
-rw-r--r-- | chromium/ui/views/widget/desktop_aura/x11_whole_screen_move_loop.cc | 4 |
4 files changed, 16 insertions, 1 deletions
diff --git a/chromium/ui/aura/window_tree_host.cc b/chromium/ui/aura/window_tree_host.cc
index eb60ca912ba..ee6191b71da 100644
--- a/chromium/ui/aura/window_tree_host.cc
+++ b/chromium/ui/aura/window_tree_host.cc
@@ -124,6 +124,10 @@ ui::EventSink* WindowTreeHost::event_sink() {
   return dispatcher_.get();
 }
 
+base::WeakPtr<WindowTreeHost> WindowTreeHost::GetWeakPtr() {
+  return weak_factory_.GetWeakPtr();
+}
+
 gfx::Transform WindowTreeHost::GetRootTransform() const {
   gfx::Transform transform;
   transform.Scale(device_scale_factor_, device_scale_factor_);
diff --git a/chromium/ui/aura/window_tree_host.h b/chromium/ui/aura/window_tree_host.h
index 77c28cfecc1..15a3f0ed8de 100644
--- a/chromium/ui/aura/window_tree_host.h
+++ b/chromium/ui/aura/window_tree_host.h
@@ -90,6 +90,8 @@ class AURA_EXPORT WindowTreeHost : public ui::internal::InputMethodDelegate,
 
   ui::Compositor* compositor() { return compositor_.get(); }
 
+  base::WeakPtr<WindowTreeHost> GetWeakPtr();
+
   // Gets/Sets the root window's transform.
   virtual gfx::Transform GetRootTransform() const;
   virtual void SetRootTransform(const gfx::Transform& transform);
diff --git a/chromium/ui/aura/window_tree_host_platform.cc b/chromium/ui/aura/window_tree_host_platform.cc
index ae7a71ac0c4..039befdfd81 100644
--- a/chromium/ui/aura/window_tree_host_platform.cc
+++ b/chromium/ui/aura/window_tree_host_platform.cc
@@ -192,9 +192,14 @@ void WindowTreeHostPlatform::OnBoundsChanged(const gfx::Rect& new_bounds) {
   float current_scale = compositor()->device_scale_factor();
   float new_scale = ui::GetScaleFactorForNativeView(window());
   gfx::Rect old_bounds = bounds_;
+  auto weak_ref = GetWeakPtr();
   bounds_ = new_bounds;
-  if (bounds_.origin() != old_bounds.origin())
+  if (bounds_.origin() != old_bounds.origin()) {
     OnHostMovedInPixels(bounds_.origin());
+    // Changing the bounds may destroy this.
+    if (!weak_ref)
+      return;
+  }
   if (pending_local_surface_id_.is_valid() ||
       bounds_.size() != old_bounds.size() || current_scale != new_scale) {
     auto local_surface_id = bounds_.size() == pending_size_
diff --git a/chromium/ui/views/widget/desktop_aura/x11_whole_screen_move_loop.cc b/chromium/ui/views/widget/desktop_aura/x11_whole_screen_move_loop.cc
index d6b086c11f8..dc3a403c01c 100644
--- a/chromium/ui/views/widget/desktop_aura/x11_whole_screen_move_loop.cc
+++ b/chromium/ui/views/widget/desktop_aura/x11_whole_screen_move_loop.cc
@@ -59,9 +59,13 @@ X11WholeScreenMoveLoop::~X11WholeScreenMoveLoop() {}
 void X11WholeScreenMoveLoop::DispatchMouseMovement() {
   if (!last_motion_in_screen_)
     return;
+  auto weak_ref = weak_factory_.GetWeakPtr();
   delegate_->OnMouseMovement(last_motion_in_screen_->location(),
                              last_motion_in_screen_->flags(),
                              last_motion_in_screen_->time_stamp());
+  // The delegate may delete this during dispatch.
+  if (!weak_ref)
+    return;
   last_motion_in_screen_.reset();
 }
 
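Review bot: The new public declaration `base::WeakPtr<WindowTreeHost> GetWeakPtr();` in window_tree_host.h is the only member in that hunk without a comment, while the neighbouring declarations carry one. A short one stating what it is for would help, e.g. `// Returns a WeakPtr to this host. Callers that run code which may enter a nested message loop use it to detect that the host was deleted underneath them.` The definition added in window_tree_host.cc forwards to `weak_factory_`, which this commit does not add, so it is presumably an existing member; it should remain the last data member so outstanding WeakPtrs are invalidated before the rest of the object is torn down.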
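Review bot: The guard added after `OnHostMovedInPixels(bounds_.origin());` only covers the case where the nested message loop deleted this; if it instead re-entered OnBoundsChanged and left this alive, the comparisons on the following lines still use `old_bounds` and `current_scale` captured before the nested loop, so a size or scale change could be evaluated against stale values. Whether that re-entry can actually happen is not visible here, so the assumption should at least be recorded, e.g. `// Assumes a nested loop in OnHostMovedInPixels() does not change bounds_ again; old_bounds/current_scale are not refreshed.` Also, `weak_ref` is obtained before the origin check although it is only consulted inside the if; moving `auto weak_ref = GetWeakPtr();` into the block would make its scope match the comment. OnBoundsChanged continues past the end of the hunk.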
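Review bot: The added `auto weak_ref = weak_factory_.GetWeakPtr();` in X11WholeScreenMoveLoop::DispatchMouseMovement relies on a `base::WeakPtrFactory<X11WholeScreenMoveLoop>` member that this commit does not introduce (the diffstat lists no change to the header), so the backport assumes the target branch already declares it. That is worth confirming, and that it is the last data member, since otherwise the WeakPtr would not yet be invalidated when the rest of the object is destroyed during `delegate_->OnMouseMovement(...)`. Leaving `last_motion_in_screen_` un-reset on the early return is fine because the object no longer exists, and the added comment states exactly that.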