Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package chromium for openSUSE:Factory checked in at 2021-03-16 15:43:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/chromium (Old) and /work/SRC/openSUSE:Factory/.chromium.new.2401 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "chromium" Tue Mar 16 15:43:51 2021 rev:286 rq:879173 version:89.0.4389.90 Changes: -------- --- /work/SRC/openSUSE:Factory/chromium/chromium.changes 2021-03-10 08:51:44.978548010 +0100 +++ /work/SRC/openSUSE:Factory/.chromium.new.2401/chromium.changes 2021-03-16 15:46:04.337197342 +0100 @@ -1,0 +2,14 @@ +Mon Mar 15 10:55:23 UTC 2021 - Callum Farmer <gm...@opensuse.org> + +- Update to 89.0.4389.90 bsc#1183515 + - CVE-2021-21191: Use after free in WebRTC. + - CVE-2021-21192: Heap buffer overflow in tab groups. + - CVE-2021-21193: Use after free in Blink. + +------------------------------------------------------------------- +Thu Mar 11 18:03:38 UTC 2021 - Callum Farmer <gm...@opensuse.org> + +- Update to 89.0.4389.82 +- Add x11-ozone-fix-two-edge-cases.patch to fix tab drag errors + +------------------------------------------------------------------- Old: ---- chromium-89.0.4389.72.tar.xz New: ---- chromium-89.0.4389.90.tar.xz x11-ozone-fix-two-edge-cases.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ chromium.spec ++++++ --- /var/tmp/diff_new_pack.ONxp7M/_old 2021-03-16 15:46:15.869215674 +0100 +++ /var/tmp/diff_new_pack.ONxp7M/_new 2021-03-16 15:46:15.873215681 +0100 @@ -49,7 +49,7 @@ %endif %bcond_with clang Name: chromium -Version: 89.0.4389.72 +Version: 89.0.4389.90 Release: 0 Summary: Google's open source browser project License: BSD-3-Clause AND LGPL-2.1-or-later @@ -102,6 +102,7 @@ Patch87: chromium-89-missing-cstring-header.patch Patch88: chromium-89-AXTreeSerializer-include.patch Patch89: chromium-88-gcc-fix-swiftshader-libEGL-visibility.patch +Patch90: x11-ozone-fix-two-edge-cases.patch # Google seem not too keen on merging this but GPU accel is quite important # https://chromium-review.googlesource.com/c/chromium/src/+/532294 # https://github.com/saiarcot895/chromium-ubuntu-build/tree/master/debian/patches @@ -183,7 +184,6 @@ BuildRequires: pkgconfig(libwebp) >= 0.4.0 BuildRequires: pkgconfig(libxml-2.0) >= 2.9.5 BuildRequires: pkgconfig(libxslt) -BuildRequires: pkgconfig(xshmfence) BuildRequires: pkgconfig(minizip) BuildRequires: pkgconfig(nspr) >= 4.9.5 BuildRequires: pkgconfig(nss) >= 3.26 @@ -210,6 +210,7 @@ BuildRequires: pkgconfig(xrandr) BuildRequires: pkgconfig(xrender) BuildRequires: pkgconfig(xscrnsaver) +BuildRequires: pkgconfig(xshmfence) BuildRequires: pkgconfig(xt) BuildRequires: pkgconfig(xtst) BuildRequires: pkgconfig(zlib) ++++++ chromium-89.0.4389.72.tar.xz -> chromium-89.0.4389.90.tar.xz ++++++ /work/SRC/openSUSE:Factory/chromium/chromium-89.0.4389.72.tar.xz /work/SRC/openSUSE:Factory/.chromium.new.2401/chromium-89.0.4389.90.tar.xz differ: char 26, line 1 ++++++ x11-ozone-fix-two-edge-cases.patch ++++++ >From 5e3a738b1204941aab9f15c0eb3d06e20fefd96e Mon Sep 17 00:00:00 2001 From: Scott Violet <s...@chromium.org> Date: Mon, 8 Mar 2021 21:07:39 +0000 Subject: [PATCH] x11/ozone: fix two edge cases WindowTreeHost::OnHostMovedInPixels() may trigger a nested message loop (tab dragging), which when the stack unravels means this may be deleted. This adds an early out if this happens. X11WholeScreenMoveLoop has a similar issue, in so far as notifying the delegate may delete this. BUG=1185482 TEST=WindowTreeHostPlatform.DeleteHostFromOnHostMovedInPixels Change-Id: Ieca1c90b3e4358da50b332abe2941fdbb50c5c25 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2743555 Reviewed-by: Thomas Anderson <thomasander...@chromium.org> Commit-Queue: Scott Violet <s...@chromium.org> Cr-Commit-Position: refs/heads/master@{#860852} --- ui/aura/window_tree_host_platform.cc | 10 ++++- ui/aura/window_tree_host_platform_unittest.cc | 40 ++++++++++++++++++- ui/base/x/x11_whole_screen_move_loop.cc | 4 ++ 3 files changed, 51 insertions(+), 3 deletions(-) diff --git a/ui/aura/window_tree_host_platform.cc b/ui/aura/window_tree_host_platform.cc index ce8395fe07..7589542026 100644 --- a/ui/aura/window_tree_host_platform.cc +++ b/ui/aura/window_tree_host_platform.cc @@ -214,13 +214,21 @@ void WindowTreeHostPlatform::OnBoundsChanged(const gfx::Rect& new_bounds) { float current_scale = compositor()->device_scale_factor(); float new_scale = ui::GetScaleFactorForNativeView(window()); gfx::Rect old_bounds = bounds_in_pixels_; + auto weak_ref = GetWeakPtr(); bounds_in_pixels_ = new_bounds; - if (bounds_in_pixels_.origin() != old_bounds.origin()) + if (bounds_in_pixels_.origin() != old_bounds.origin()) { OnHostMovedInPixels(bounds_in_pixels_.origin()); + // Changing the bounds may destroy this. + if (!weak_ref) + return; + } if (bounds_in_pixels_.size() != old_bounds.size() || current_scale != new_scale) { pending_size_ = gfx::Size(); OnHostResizedInPixels(bounds_in_pixels_.size()); + // Changing the size may destroy this. + if (!weak_ref) + return; } DCHECK_GT(on_bounds_changed_recursion_depth_, 0); if (--on_bounds_changed_recursion_depth_ == 0) { diff --git a/ui/aura/window_tree_host_platform_unittest.cc b/ui/aura/window_tree_host_platform_unittest.cc index eda14e2f0c..4de039c88a 100644 --- a/ui/aura/window_tree_host_platform_unittest.cc +++ b/ui/aura/window_tree_host_platform_unittest.cc @@ -34,7 +34,7 @@ class TestWindowTreeHost : public WindowTreeHostPlatform { // OnHostWill/DidProcessBoundsChange. Additionally, this triggers a bounds // change from within OnHostResized(). Such a scenario happens in production // code. -class TestWindowTreeHostObserver : public aura::WindowTreeHostObserver { +class TestWindowTreeHostObserver : public WindowTreeHostObserver { public: TestWindowTreeHostObserver(WindowTreeHostPlatform* host, ui::PlatformWindow* platform_window) @@ -51,7 +51,7 @@ class TestWindowTreeHostObserver : public aura::WindowTreeHostObserver { return on_host_will_process_bounds_change_count_; } - // aura::WindowTreeHostObserver: + // WindowTreeHostObserver: void OnHostResized(WindowTreeHost* host) override { if (!should_change_bounds_in_on_resized_) return; @@ -92,5 +92,41 @@ TEST_F(WindowTreeHostPlatformTest, HostWillProcessBoundsChangeRecursion) { EXPECT_EQ(1, observer.on_host_will_process_bounds_change_count()); } +// Deletes WindowTreeHostPlatform from OnHostMovedInPixels(). +class DeleteHostWindowTreeHostObserver : public WindowTreeHostObserver { + public: + explicit DeleteHostWindowTreeHostObserver( + std::unique_ptr<TestWindowTreeHost> host) + : host_(std::move(host)) { + host_->AddObserver(this); + } + ~DeleteHostWindowTreeHostObserver() override = default; + + TestWindowTreeHost* host() { return host_.get(); } + + // WindowTreeHostObserver: + void OnHostMovedInPixels(WindowTreeHost* host, + const gfx::Point& new_origin_in_pixels) override { + host_->RemoveObserver(this); + host_.reset(); + } + + private: + std::unique_ptr<TestWindowTreeHost> host_; + + DISALLOW_COPY_AND_ASSIGN(DeleteHostWindowTreeHostObserver); +}; + +// Verifies WindowTreeHostPlatform can be safely deleted when calling +// OnHostMovedInPixels(). +// Regression test for https://crbug.com/1185482 +TEST_F(WindowTreeHostPlatformTest, DeleteHostFromOnHostMovedInPixels) { + std::unique_ptr<TestWindowTreeHost> host = + std::make_unique<TestWindowTreeHost>(); + DeleteHostWindowTreeHostObserver observer(std::move(host)); + observer.host()->SetBoundsInPixels(gfx::Rect(1, 2, 3, 4)); + EXPECT_EQ(nullptr, observer.host()); +} + } // namespace } // namespace aura diff --git a/ui/base/x/x11_whole_screen_move_loop.cc b/ui/base/x/x11_whole_screen_move_loop.cc index 5ed215db66..db678799db 100644 --- a/ui/base/x/x11_whole_screen_move_loop.cc +++ b/ui/base/x/x11_whole_screen_move_loop.cc @@ -78,9 +78,13 @@ X11WholeScreenMoveLoop::~X11WholeScreenMoveLoop() { void X11WholeScreenMoveLoop::DispatchMouseMovement() { if (!last_motion_in_screen_) return; + auto weak_ref = weak_factory_.GetWeakPtr(); delegate_->OnMouseMovement(last_motion_in_screen_->root_location(), last_motion_in_screen_->flags(), last_motion_in_screen_->time_stamp()); + // The delegate may delete this during dispatch. + if (!weak_ref) + return; last_motion_in_screen_.reset(); }
