Fix Use-After-Free in NativeWidgetNSWindowBridge after fullscreen transition

Commit: bc8da348 | 2026-04-28 15:39:29



Commit hash: bc8da3486bff9c43959b8733f4eddbf01b6f0240
Commit time: 2026-04-28 15:39:29
Impact level: Moderate
Generated by: chromium-watcher
Upstream review link: View upstream review

📋 Summary

In NativeWidgetNSWindowBridge::FullscreenControllerToggleFullscreen, calling -[NSWindow toggleFullScreen:] enters a nested run loop. If a window close request arrives while that nested loop is running, the NativeWidgetNSWindowBridge object may be destroyed (via NativeWidgetNSWindowFullscreenController::HandleDeferredClose) before toggleFullScreen returns, so any use of `this` after the call is a use-after-free. This commit takes a weak pointer before the call, checks it afterwards to detect whether `this` has been deleted, and early-outs if so, avoiding access to the now-invalid window_ member.

🎯 Impact analysis

This fix directly affects WebView2Mac. NativeWidgetNSWindowBridge is the core class in the WebView2Mac architecture responsible for managing the NSWindow and executing UI operations such as fullscreen transitions. In WebView2's fullscreen flow, web element fullscreen uses the "Fullscreen Within Tab" mode (which does not trigger real window fullscreen), but the host app may call [window toggleFullScreen:nil] from the delegate callback to achieve window-level fullscreen. If the host app closes the window during that fullscreen transition, this UAF crash can be triggered. The Edge downstream code does not yet contain this fix and carries the same crash risk; this patch needs to be merged.
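The weak-pointer pattern the commit applies, as an added illustration that is not the Chromium or Edge code: a stand-in `FakeBridge` class (assumed name) uses `std::weak_ptr` in place of Chromium's `base::WeakPtrFactory`, and a callback stands in for the nested run loop entered by `-[NSWindow toggleFullScreen:]`, which may run a deferred close that destroys the bridge.

```cpp
#include <functional>
#include <memory>
#include <string>

// Stand-in for NativeWidgetNSWindowBridge (hypothetical class; std::weak_ptr
// replaces Chromium's base::WeakPtrFactory for this illustration).
class FakeBridge : public std::enable_shared_from_this<FakeBridge> {
 public:
  // Models FullscreenControllerToggleFullscreen: `nested_run_loop` plays the
  // role of -[NSWindow toggleFullScreen:], whose nested loop may process a
  // deferred close that releases the last owner of this object.
  std::string ToggleFullscreen(const std::function<void()>& nested_run_loop) {
    // Take the weak pointer BEFORE entering the nested loop.
    std::weak_ptr<FakeBridge> weak_this = weak_from_this();
    nested_run_loop();
    // After this point `this` may be dangling; only the stack-local
    // weak pointer may be consulted. Early-out instead of touching members.
    if (weak_this.expired()) return "destroyed-during-toggle";
    window_state_ = "fullscreen";  // safe: object is still alive
    return window_state_;
  }

 private:
  std::string window_state_ = "normal";  // stands in for window_
};

// Scenario 1: nothing happens during the nested loop; transition completes.
std::string RunNormal() {
  auto bridge = std::make_shared<FakeBridge>();
  return bridge->ToggleFullscreen([] {});
}

// Scenario 2: a deferred close destroys the bridge inside the nested loop,
// which is the UAF situation the fix guards against.
std::string RunCloseDuringToggle() {
  auto bridge = std::make_shared<FakeBridge>();
  FakeBridge* raw = bridge.get();
  return raw->ToggleFullscreen([&bridge] { bridge.reset(); });
}
```

Without the `expired()` check, the second scenario would write `window_state_` through a freed object, which is the crash the commit describes.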

Affected classes:

remote_cocoa::NativeWidgetNSWindowBridge
remote_cocoa::NativeWidgetNSWindowFullscreenController