Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/inspector/rules/test/head.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/inspector/rules/test/head.js@@ -1176,3 +1176,31 @@ ok(target, "The target element should exist"); is(target.dataset.variable, expectedDatasetValue); }++/**+ * Return specific rule ancestor data element (i.e. the one containing @layer / @media+ * information) from the Rules view+ *+ * @param {RulesView} view+ * The RulesView instance.+ * @param {Number} ruleIndex+ * @returns {HTMLElement}+ */+function getRuleViewAncestorRulesDataElementByIndex(view, ruleIndex) {+ return view.styleDocument.querySelector(+ `.ruleview-rule:nth-of-type(${ruleIndex + 1}) .ruleview-rule-ancestor-data`+ );+}++/**+ * Return specific rule ancestor data text from the Rules view.+ * Will return something like "@layer topLayer\n@media screen\n@layer".+ *+ * @param {RulesView} view+ * The RulesView instance.+ * @param {Number} ruleIndex+ * @returns {String}+ */+function getRuleViewAncestorRulesDataTextByIndex(view, ruleIndex) {+ return getRuleViewAncestorRulesDataElementByIndex(view, ruleIndex)?.innerText;+}
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be adding new utility functions for testing purposes rather than addressing security issues. For completeness, here's the analysis following the requested format: Vulnerability Existed: no No security vulnerability found [File] [Lines 1176-1207] [Old Code] [No old code for these new functions] [Fixed Code] [New functions added for test utilities] The diff shows the addition of two new helper functions: 1. `getRuleViewAncestorRulesDataElementByIndex` - queries DOM for rule ancestor data 2. `getRuleViewAncestorRulesDataTextByIndex` - gets text content from the found element These appear to be test utility functions added to support testing of CSS rule ancestor information (like @layer and @media rules) in the Rules view. There are no security fixes or vulnerability patches in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/security/manager/tools/KnownRootHashes.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/security/manager/tools/KnownRootHashes.json@@ -1137,7 +1137,72 @@ "label": "Certum_Trusted_Root_CA", "binNumber": 226, "sha256Fingerprint": "/naWVzhVdz43qV561NnMlsMBV8FdMXZbqbFXBOGueP0="+ },+ {+ "label": "TunTrust_Root_CA",+ "binNumber": 227,+ "sha256Fingerprint": "LkQQKrWMuFQZRRyOGdms82Ysr7xhS2pTlgow99Di60E="+ },+ {+ "label": "HARICA_TLS_RSA_Root_CA_2021",+ "binNumber": 228,+ "sha256Fingerprint": "2V0Ojtp5Ulv5vrEbFNIQDTKUmF8MYtn6vZzZmezLex0="+ },+ {+ "label": "HARICA_TLS_ECC_Root_CA_2021",+ "binNumber": 229,+ "sha256Fingerprint": "P5nMR0rPzk3+1YeUZl5HjRVHc58ueA8btMqbEzCX1AE="+ },+ {+ "label": "Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068",+ "binNumber": 230,+ "sha256Fingerprint": "V94Fg+/Ssm4DYdqZ2p30ZI3vfuhEHDtyivqbzeD5smo="+ },+ {+ "label": "vTrus_ECC_Root_CA",+ "binNumber": 231,+ "sha256Fingerprint": "MPu6LDIjjiqYVHr5eTHlUEKLmz8cjutmM9z6hsWyfdM="+ },+ {+ "label": "vTrus_Root_CA",+ "binNumber": 232,+ "sha256Fingerprint": "inHeZVkzb0JsJuU4gNANiKGNpMapHw3LYZTiBsXJY4c="+ },+ {+ "label": "ISRG_Root_X2",+ "binNumber": 233,+ "sha256Fingerprint": "aXKbjhWobvwXelevtxcd/GSt0owvyozxUH40RTzLFHA="+ },+ {+ "label": "HiPKI_Root_CA___G1",+ "binNumber": 234,+ "sha256Fingerprint": "8BXOPMI5v+8GS+nx0sQX4aAmSgqUvh8MjRIYZOtpScw="+ },+ {+ "label": "GlobalSign",+ "binNumber": 235,+ "sha256Fingerprint": "sIXXC5ZPGRpz5K8NVK56Dgeq/a+bcd0IYhOKtzJaJKI="+ },+ {+ "label": "GTS_Root_R1",+ "binNumber": 236,+ "sha256Fingerprint": "2UdDKr3nt/qQ/C5rWRAbEoDg4cfk5A+jxoh//1en9M8="+ },+ {+ "label": "GTS_Root_R2",+ "binNumber": 237,+ "sha256Fingerprint": "jSXNlyKdv3A1a9pOs8xzQDHiTPAPr8/TLcdutYQcfqg="+ },+ {+ "label": "GTS_Root_R3",+ "binNumber": 238,+ "sha256Fingerprint": "NNinPuII2bzbDZVlIJNLTkDmlIJZbotvc8hCawEKb0g="+ },+ {+ "label": "GTS_Root_R4",+ "binNumber": 239,+ "sha256Fingerprint": "NJ36QFjF4mMSOzmK55VXPE4TE8g/5o+TVWzV6AMbPH0=" } ],- "maxBin": 226+ "maxBin": 239 }=========testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.inside1.worker.js========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.inside1.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.inside1.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -23,15 +23,15 @@ g.addColorStop(1, '#f00'); ctx.fillStyle = g; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,1, 0,255,0,255, "50,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,25, 0,255,0,255, "98,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,48, 0,255,0,255, "50,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 50,1, 0,255,0,255, "50,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 98,25, 0,255,0,255, "98,25", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 50,48, 0,255,0,255, "50,48", "0,255,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255"); t.done(); });
Based on the provided code diff, I'll analyze it for security vulnerabilities:
1. For the KnownRootHashes.json file:
Vulnerability Existed: no
[Root Certificate Update] [security/manager/tools/KnownRootHashes.json] [Lines 1137+]
[Old Code: Only included Certum_Trusted_Root_CA up to binNumber 226]
[Fixed Code: Added multiple new root CA certificates up to binNumber 239]
This appears to be a routine update of trusted root certificates rather than a security fix. The changes add new root CA certificates to Firefox's trust store, which is a normal maintenance activity for a browser.
2. For the 2d.gradient.radial.inside1.worker.js file:
Vulnerability Existed: no
[Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.inside1.worker.js] [Lines 13-48]
[Old Code: Used variable name 'offscreenCanvas']
[Fixed Code: Changed variable name to 'canvas']
This change appears to be purely cosmetic/refactoring, renaming a variable for consistency or clarity. There's no indication of any security vulnerability being fixed here.
No security vulnerabilities were identified in these changes. The first change is a standard certificate store update, and the second is a minor code refactoring.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/system/PathUtils.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/system/PathUtils.h@@ -8,11 +8,13 @@ #define mozilla_dom_PathUtils__ #include "mozilla/DataMutex.h"+#include "mozilla/EnumeratedArray.h" #include "mozilla/Maybe.h" #include "mozilla/MozPromise.h" #include "mozilla/Mutex.h" #include "mozilla/Result.h" #include "mozilla/dom/Promise.h"+#include "nsAppDirectoryServiceDefs.h" #include "nsString.h" #include "nsTArray.h"@@ -41,7 +43,8 @@ nsString& aResult, ErrorResult& aErr); static void Parent(const GlobalObject&, const nsAString& aPath,- nsString& aResult, ErrorResult& aErr);+ const int32_t aDepth, nsString& aResult,+ ErrorResult& aErr); static void Join(const GlobalObject&, const Sequence<nsString>& aComponents, nsString& aResult, ErrorResult& aErr);@@ -50,9 +53,6 @@ const nsAString& aRelativePath, nsString& aResult, ErrorResult& aErr);- static void CreateUniquePath(const GlobalObject&, const nsAString& aPath,- nsString& aResult, ErrorResult& aErr);- static void ToExtendedWindowsPath(const GlobalObject&, const nsAString& aPath, nsString& aResult, ErrorResult& aErr);@@ -65,14 +65,21 @@ static void ToFileURI(const GlobalObject&, const nsAString& aPath, nsCString& aResult, ErrorResult& aErr);- static already_AddRefed<Promise> GetProfileDir(const GlobalObject& aGlobal,- ErrorResult& aErr);-- static already_AddRefed<Promise> GetLocalProfileDir(+ static bool IsAbsolute(const GlobalObject&, const nsAString& aPath);++ static void GetProfileDirSync(const GlobalObject&, nsString& aResult,+ ErrorResult& aErr);+ static void GetLocalProfileDirSync(const GlobalObject&, nsString& aResult,+ ErrorResult& aErr);+ static void GetTempDirSync(const GlobalObject&, nsString& aResult,+ ErrorResult& aErr);++ static already_AddRefed<Promise> GetProfileDirAsync( const GlobalObject& aGlobal, ErrorResult& aErr);-- static already_AddRefed<Promise> GetTempDir(const GlobalObject& aGlobal,- ErrorResult& aErr);+ static already_AddRefed<Promise> GetLocalProfileDirAsync(+ const GlobalObject& aGlobal, ErrorResult& aErr);+ static already_AddRefed<Promise> GetTempDirAsync(const GlobalObject& aGlobal,+ ErrorResult& aErr); private: class DirectoryCache;@@ -87,7 +94,8 @@ class PathUtils::DirectoryCache final { public: /**- * A directory that can be requested via |GetDirectory|.+ * A directory that can be requested via |GetDirectorySync| or+ * |GetDirectoryAsync|. */ enum class Directory { /**@@ -102,6 +110,10 @@ * The temporary directory for the process. */ Temp,+ /**+ * The number of Directory entries.+ */+ Count, }; DirectoryCache();@@ -120,6 +132,9 @@ */ static DirectoryCache& Ensure(Maybe<DirectoryCache>& aCache);+ void GetDirectorySync(nsString& aResult, ErrorResult& aErr,+ const Directory aRequestedDir);+ /** * Request the path of a specific directory. *@@ -132,9 +147,9 @@ * * @return A promise that resolves to the path of the requested directory. */- already_AddRefed<Promise> GetDirectory(const GlobalObject& aGlobalObject,- ErrorResult& aErr,- const Directory aRequestedDir);+ already_AddRefed<Promise> GetDirectoryAsync(const GlobalObject& aGlobalObject,+ ErrorResult& aErr,+ const Directory aRequestedDir); private: using PopulateDirectoriesPromise = MozPromise<Ok, nsresult, false>;@@ -197,19 +212,17 @@ */ void ResolveWithDirectory(Promise* aPromise, const Directory aRequestedDir);- /**- * A promise that is resolved when |mProfileDir| and |mLocalProfileDir| are- * populated.- */- MozPromiseHolder<PopulateDirectoriesPromise> mProfileDirsPromise;- nsString mProfileDir;- nsString mLocalProfileDir;-- /**- * A promise that is resolved when *all* cache entries are populated.- */- MozPromiseHolder<PopulateDirectoriesPromise> mAllDirsPromise;- nsString mTempDir;+ template <typename T>+ using DirectoryArray = EnumeratedArray<Directory, Directory::Count, T>;++ DirectoryArray<nsString> mDirectories;+ DirectoryArray<MozPromiseHolder<PopulateDirectoriesPromise>> mPromises;++ static constexpr DirectoryArray<const char*> kDirectoryNames{+ NS_APP_USER_PROFILE_50_DIR,+ NS_APP_USER_PROFILE_LOCAL_50_DIR,+ NS_APP_CONTENT_PROCESS_TEMP_DIR,+ }; }; } // namespace dom
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Information Leak] [dom/system/PathUtils.h] [Lines 50-53] [Old Code] `static void CreateUniquePath(const GlobalObject&, const nsAString& aPath, nsString& aResult, ErrorResult& aErr);` [Fixed Code] (Removed) Additional Details: The removal of CreateUniquePath method might indicate it was potentially leaking sensitive path information, but without seeing the implementation, this is uncertain. 2. Vulnerability Existed: not sure [Potential Race Condition] [dom/system/PathUtils.h] [Lines 132-147] [Old Code] `already_AddRefed<Promise> GetDirectory(...)` [Fixed Code] `void GetDirectorySync(...)` and `already_AddRefed<Promise> GetDirectoryAsync(...)` Additional Details: The change from a single async method to separate sync/async methods could indicate a fix for potential race conditions in directory access, but this is speculative without more context. 3. Vulnerability Existed: not sure [Potential Directory Enumeration Issue] [dom/system/PathUtils.h] [Lines 94-147] [Old Code] (Separate directory fields and promises) [Fixed Code] `DirectoryArray<nsString> mDirectories` and `DirectoryArray<MozPromiseHolder<PopulateDirectoriesPromise>> mPromises` Additional Details: The change to use EnumeratedArray for directory storage might improve security by preventing out-of-bounds access or ensuring proper initialization, but this is uncertain. 4. Vulnerability Existed: not sure [Potential Path Traversal] [dom/system/PathUtils.h] [Lines 41-43] [Old Code] `static void Parent(const GlobalObject&, const nsAString& aPath, nsString& aResult, ErrorResult& aErr)` [Fixed Code] `static void Parent(const GlobalObject&, const nsAString& aPath, const int32_t aDepth, nsString& aResult, ErrorResult& aErr)` Additional Details: The addition of depth parameter to Parent() might help prevent path traversal attacks by limiting how far up the directory tree one can go, but without implementation details this is unclear. Note: The diff shows significant architectural changes (sync/async separation, array-based directory storage) that likely improve security, but without seeing the implementations of these methods or the context of their usage, it's difficult to identify specific vulnerabilities that were fixed. The changes appear to make the code more robust against race conditions and potential information leaks.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/uriloader/exthandler/tests/mochitest/browser_open_internal_choice_persistence.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/uriloader/exthandler/tests/mochitest/browser_open_internal_choice_persistence.js@@ -187,6 +187,10 @@ let doc = dialogWindow.document; let internalHandlerRadio = doc.querySelector("#handleInternally");+ if (Services.focus.activeWindow != dialogWindow) {+ await BrowserTestUtils.waitForEvent(dialogWindow, "activate");+ }+ await waitForAcceptButtonToGetEnabled(doc); ok(!internalHandlerRadio.hidden, "The option should be visible for SVG");@@ -221,8 +225,13 @@ await testCase.dialogActions(doc);+ let mainWindowActivatedAndFocused = Promise.all([+ BrowserTestUtils.waitForEvent(window, "activate"),+ BrowserTestUtils.waitForEvent(window, "focus", true),+ ]); let dialog = doc.querySelector("#unknownContentType"); dialog.acceptDialog();+ await mainWindowActivatedAndFocused; let download = await downloadFinishedPromise; if (expectLaunch) {
Based on the provided diff, I'll analyze it for potential security fixes:
1. Vulnerability Existed: not sure
Focus/Activation Race Condition [uriloader/exthandler/tests/mochitest/browser_open_internal_choice_persistence.js] [Lines 187-221]
Old Code:
```
let doc = dialogWindow.document;
let internalHandlerRadio = doc.querySelector("#handleInternally");
await waitForAcceptButtonToGetEnabled(doc);
```
Fixed Code:
```
let doc = dialogWindow.document;
let internalHandlerRadio = doc.querySelector("#handleInternally");
if (Services.focus.activeWindow != dialogWindow) {
await BrowserTestUtils.waitForEvent(dialogWindow, "activate");
}
await waitForAcceptButtonToGetEnabled(doc);
```
2. Vulnerability Existed: not sure
Window Focus Race Condition [uriloader/exthandler/tests/mochitest/browser_open_internal_choice_persistence.js] [Lines 221-232]
Old Code:
```
await testCase.dialogActions(doc);
let dialog = doc.querySelector("#unknownContentType");
dialog.acceptDialog();
```
Fixed Code:
```
await testCase.dialogActions(doc);
let mainWindowActivatedAndFocused = Promise.all([
BrowserTestUtils.waitForEvent(window, "activate"),
BrowserTestUtils.waitForEvent(window, "focus", true),
]);
let dialog = doc.querySelector("#unknownContentType");
dialog.acceptDialog();
await mainWindowActivatedAndFocused;
```
The changes appear to be adding proper synchronization for window activation and focus events in test code. While these don't directly fix security vulnerabilities in the product code, they could potentially prevent race conditions in tests that might otherwise mask security issues. The fixes ensure proper window focus/activation sequencing during dialog handling tests.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.prune.rect.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.prune.rect.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -30,7 +30,7 @@ ctx.rect(50, 25, 0, 0); ctx.stroke(); ctx.strokeRect(50, 25, 0, 0);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't involve any security-sensitive operations. Here's the analysis:
1. Vulnerability Existed: no
Variable Renaming [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.prune.rect.html] [Lines 17-18, 30]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes simply rename the variable `offscreenCanvas` to `canvas` for consistency or readability, but this doesn't represent a security fix. The functionality remains exactly the same.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ash/src/extensions/khr/pipeline_executable_properties.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ash/src/extensions/khr/pipeline_executable_properties.rs@@ -1,41 +1,33 @@ use crate::prelude::*; use crate::vk;-use crate::{EntryCustom, Instance};+use crate::{Device, Instance}; use std::ffi::CStr; use std::mem; #[derive(Clone)] pub struct PipelineExecutableProperties {- handle: vk::Instance,- pipeline_executable_properties_fn: vk::KhrPipelineExecutablePropertiesFn,+ handle: vk::Device,+ fp: vk::KhrPipelineExecutablePropertiesFn, } impl PipelineExecutableProperties {- pub fn new<L>(entry: &EntryCustom<L>, instance: &Instance) -> Self {- let pipeline_executable_properties_fn =- vk::KhrPipelineExecutablePropertiesFn::load(|name| unsafe {- mem::transmute(entry.get_instance_proc_addr(instance.handle(), name.as_ptr()))- });- Self {- handle: instance.handle(),- pipeline_executable_properties_fn,- }- }-- pub fn name() -> &'static CStr {- vk::KhrPipelineExecutablePropertiesFn::name()+ pub fn new(instance: &Instance, device: &Device) -> Self {+ let handle = device.handle();+ let fp = vk::KhrPipelineExecutablePropertiesFn::load(|name| unsafe {+ mem::transmute(instance.get_device_proc_addr(handle, name.as_ptr()))+ });+ Self { handle, fp } } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkGetPipelineExecutableInternalRepresentationsKHR.html>"] pub unsafe fn get_pipeline_executable_internal_representations( &self,- device: vk::Device, executable_info: &vk::PipelineExecutableInfoKHR, ) -> VkResult<Vec<vk::PipelineExecutableInternalRepresentationKHR>> { read_into_defaulted_vector(|count, data| {- self.pipeline_executable_properties_fn+ self.fp .get_pipeline_executable_internal_representations_khr(- device,+ self.handle, executable_info, count, data,@@ -46,32 +38,38 @@ #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkGetPipelineExecutablePropertiesKHR.html>"] pub unsafe fn get_pipeline_executable_properties( &self,- device: vk::Device, pipeline_info: &vk::PipelineInfoKHR, ) -> VkResult<Vec<vk::PipelineExecutablePropertiesKHR>> { read_into_defaulted_vector(|count, data| {- self.pipeline_executable_properties_fn- .get_pipeline_executable_properties_khr(device, pipeline_info, count, data)+ self.fp+ .get_pipeline_executable_properties_khr(self.handle, pipeline_info, count, data) }) } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkGetPipelineExecutableStatisticsKHR.html>"] pub unsafe fn get_pipeline_executable_statistics( &self,- device: vk::Device, executable_info: &vk::PipelineExecutableInfoKHR, ) -> VkResult<Vec<vk::PipelineExecutableStatisticKHR>> { read_into_defaulted_vector(|count, data| {- self.pipeline_executable_properties_fn- .get_pipeline_executable_statistics_khr(device, executable_info, count, data)+ self.fp.get_pipeline_executable_statistics_khr(+ self.handle,+ executable_info,+ count,+ data,+ ) }) }- pub fn fp(&self) -> &vk::KhrPipelineExecutablePropertiesFn {- &self.pipeline_executable_properties_fn+ pub fn name() -> &'static CStr {+ vk::KhrPipelineExecutablePropertiesFn::name() }- pub fn instance(&self) -> vk::Instance {+ pub fn fp(&self) -> &vk::KhrPipelineExecutablePropertiesFn {+ &self.fp+ }++ pub fn device(&self) -> vk::Device { self.handle } }
Let me analyze the code diff for potential security vulnerabilities: 1. Vulnerability Existed: not sure [Potential Incorrect Vulkan API Usage] [third_party/rust/ash/src/extensions/khr/pipeline_executable_properties.rs] [Lines 1-33] [Old Code: Used instance handle and EntryCustom for function loading] [Fixed Code: Uses device handle and Instance for function loading] Note: The change moves from instance-based to device-based function loading, which might be more correct for this Vulkan extension, but I'm not certain if the old version was actually vulnerable. 2. Vulnerability Existed: not sure [Potential Device/Instance Confusion] [third_party/rust/ash/src/extensions/khr/pipeline_executable_properties.rs] [Lines 20-22, 38-40, 48-50] [Old Code: Required passing device handle to each function call] [Fixed Code: Uses stored device handle (self.handle) in function calls] Note: The change removes the need to pass device handles, potentially reducing chances of passing wrong devices, but I'm not certain if this was an actual security issue. 3. Vulnerability Existed: no [Code Organization Improvement] [third_party/rust/ash/src/extensions/khr/pipeline_executable_properties.rs] [Lines 61-67] [Old Code: Had instance() method returning vk::Instance] [Fixed Code: Has device() method returning vk::Device] Note: This appears to be a structural change rather than a security fix. The changes appear to be primarily architectural, moving from instance-based to device-based operations for this Vulkan extension. While this might improve correctness, I don't see clear evidence of fixed security vulnerabilities in the diff. The changes could potentially prevent misuse of the API, but I can't identify specific vulnerabilities that were addressed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/tools/profiler/core/platform.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/tools/profiler/core/platform.h@@ -31,10 +31,13 @@ #include "PlatformMacros.h"+#include "mozilla/Atomics.h" #include "mozilla/Logging.h" #include "mozilla/MathAlgorithms.h" #include "mozilla/ProfileBufferEntrySerialization.h"+#include "mozilla/ProfileJSONWriter.h" #include "mozilla/ProfilerUtils.h"+#include "mozilla/ProgressLogger.h" #include "mozilla/TimeStamp.h" #include "mozilla/UniquePtr.h" #include "mozilla/Vector.h"@@ -57,7 +60,7 @@ #define LOG_TEST MOZ_LOG_TEST(gProfilerLog, mozilla::LogLevel::Info) #define LOG(arg, ...) \ MOZ_LOG(gProfilerLog, mozilla::LogLevel::Info, \- ("[%" PRIu64 "d] " arg, \+ ("[%" PRIu64 "] " arg, \ uint64_t(profiler_current_process_id().ToNumber()), ##__VA_ARGS__)) // These are for MOZ_LOG="prof:4" or higher. It should be used for logging that@@ -73,9 +76,15 @@ // ---------------------------------------------------------------------------- // Miscellaneous-namespace mozilla {-class JSONWriter;-}+// If positive, skip stack-sampling in the sampler thread loop.+// Users should increment it atomically when samplings should be avoided, and+// later decrement it back. Multiple uses can overlap.+// There could be a sampling in progress when this is first incremented, so if+// it is critical to prevent any sampling, lock the profiler mutex instead.+// Relaxed ordering, because it's used to request that the profiler pause+// future sampling; this is not time critical, nor dependent on anything else.+extern mozilla::Atomic<int, mozilla::MemoryOrdering::Relaxed> gSkipSampling;+ void AppendSharedLibraries(mozilla::JSONWriter& aWriter); // Convert the array of strings to a bitfield.@@ -83,9 +92,14 @@ uint32_t aFeatureCount, bool aIsStartup = false);+bool profiler_get_profile_json(+ SpliceableChunkedJSONWriter& aSpliceableChunkedJSONWriter,+ double aSinceTime, bool aIsShuttingDown,+ mozilla::ProgressLogger aProgressLogger);+ void profiler_get_profile_json_into_lazily_allocated_buffer( const std::function<char*(size_t)>& aAllocator, double aSinceTime,- bool aIsShuttingDown);+ bool aIsShuttingDown, mozilla::ProgressLogger aProgressLogger); // Flags to conveniently track various JS instrumentations. enum class JSInstrumentationFlags {
Based on the provided diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be mostly additions of new functionality and minor formatting adjustments. Here's my analysis:
1. Vulnerability Existed: no
No security vulnerability found [File] [Lines 31-43]
[Old Code]
#include "mozilla/Logging.h"
#include "mozilla/MathAlgorithms.h"
#include "mozilla/ProfileBufferEntrySerialization.h"
[Fixed Code]
#include "mozilla/Atomics.h"
#include "mozilla/Logging.h"
#include "mozilla/MathAlgorithms.h"
#include "mozilla/ProfileBufferEntrySerialization.h"
#include "mozilla/ProfileJSONWriter.h"
#include "mozilla/ProgressLogger.h"
2. Vulnerability Existed: no
No security vulnerability found [File] [Lines 57-60]
[Old Code]
#define LOG(arg, ...) \
MOZ_LOG(gProfilerLog, mozilla::LogLevel::Info, \
("[%" PRIu64 "d] " arg, \
uint64_t(profiler_current_process_id().ToNumber()), ##__VA_ARGS__))
[Fixed Code]
#define LOG(arg, ...) \
MOZ_LOG(gProfilerLog, mozilla::LogLevel::Info, \
("[%" PRIu64 "] " arg, \
uint64_t(profiler_current_process_id().ToNumber()), ##__VA_ARGS__))
3. Vulnerability Existed: no
No security vulnerability found [File] [Lines 73-83]
[Old Code]
namespace mozilla {
class JSONWriter;
}
[Fixed Code]
extern mozilla::Atomic<int, mozilla::MemoryOrdering::Relaxed> gSkipSampling;
4. Vulnerability Existed: no
No security vulnerability found [File] [Lines 83-92]
[Old Code]
void profiler_get_profile_json_into_lazily_allocated_buffer(
const std::function<char*(size_t)>& aAllocator, double aSinceTime,
bool aIsShuttingDown);
[Fixed Code]
void profiler_get_profile_json_into_lazily_allocated_buffer(
const std::function<char*(size_t)>& aAllocator, double aSinceTime,
bool aIsShuttingDown, mozilla::ProgressLogger aProgressLogger);
The changes include:
- Added new header includes
- Fixed a minor format string issue (removed 'd' from PRIu64)
- Added new atomic variable for controlling sampling
- Added new function parameters for progress logging
- Removed forward declaration replaced by header include
None of these changes appear to address security vulnerabilities, but rather add functionality and improve code organization.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/CSS2/floats/floats-in-table-caption-001-ref.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/CSS2/floats/floats-in-table-caption-001-ref.html@@ -2,7 +2,6 @@ <meta charset="utf-8"> <link rel="author" title="David Grogan" href="[email protected]"> <link rel="help" href="https://www.w3.org/TR/CSS22/tables.html#model">-<meta name="flags" content="" /> <title> Caption block containers are rendered same as normal block boxes </title>
Based on the provided diff, here's the analysis: Vulnerability Existed: no No Security Vulnerability Found [File] [Lines 2-7] [Old Code] `<meta name="flags" content="" />` [Fixed Code] [Removed line] Additional Details: - The change simply removes an empty meta tag for "flags" which appears to be test-related metadata - No security vulnerability is apparent in this change - The modification seems to be cleanup/refactoring rather than a security fix No other vulnerabilities were identified in this diff. The change is minor and doesn't appear to address any security concerns.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/fetch/metadata/resources/record-header.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/fetch/metadata/resources/record-header.py@@ -122,6 +122,11 @@ response.headers.set(b"Content-Type", b"application/javascript") return b"self.postMessage('loaded');"+ ## Return a valid worklet+ if key.startswith(b"worklet"):+ response.headers.set(b"Content-Type", b"application/javascript")+ return b""+ ## Return a valid XSLT if key.startswith(b"xslt"): response.headers.set(b"Content-Type", b"text/xsl")
Let me analyze the code diff for potential security fixes: 1. Vulnerability Existed: not sure [Potential Content-Type Mismatch] [File: testing/web-platform/tests/fetch/metadata/resources/record-header.py] [Lines: 122+] [Old Code: (No worklet handler)] [Fixed Code: Added worklet handler with proper Content-Type] The diff adds a new handler for worklet requests, ensuring they return with the correct Content-Type header. While this doesn't directly fix a security vulnerability, it could prevent potential security issues that might arise from serving worklet content with incorrect MIME types. Proper Content-Type headers are important for security as they help browsers handle content appropriately and prevent certain types of attacks. Note: This appears to be more of a feature addition than a direct security fix, but it contributes to maintaining proper security practices by ensuring correct MIME type handling for worklet resources.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ash/src/extensions/khr/external_memory_fd.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ash/src/extensions/khr/external_memory_fd.rs@@ -7,29 +7,22 @@ #[derive(Clone)] pub struct ExternalMemoryFd { handle: vk::Device,- external_memory_fd_fn: vk::KhrExternalMemoryFdFn,+ fp: vk::KhrExternalMemoryFdFn, } impl ExternalMemoryFd { pub fn new(instance: &Instance, device: &Device) -> Self {- let external_memory_fd_fn = vk::KhrExternalMemoryFdFn::load(|name| unsafe {- mem::transmute(instance.get_device_proc_addr(device.handle(), name.as_ptr()))+ let handle = device.handle();+ let fp = vk::KhrExternalMemoryFdFn::load(|name| unsafe {+ mem::transmute(instance.get_device_proc_addr(handle, name.as_ptr())) });- Self {- handle: device.handle(),- external_memory_fd_fn,- }- }-- pub fn name() -> &'static CStr {- vk::KhrExternalMemoryFdFn::name()+ Self { handle, fp } } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkGetMemoryFdKHR.html>"] pub unsafe fn get_memory_fd(&self, create_info: &vk::MemoryGetFdInfoKHR) -> VkResult<i32> { let mut fd = -1;-- self.external_memory_fd_fn+ self.fp .get_memory_fd_khr(self.handle, create_info, &mut fd) .result_with_success(fd) }@@ -41,13 +34,17 @@ fd: i32, ) -> VkResult<vk::MemoryFdPropertiesKHR> { let mut memory_fd_properties = Default::default();- self.external_memory_fd_fn+ self.fp .get_memory_fd_properties_khr(self.handle, handle_type, fd, &mut memory_fd_properties) .result_with_success(memory_fd_properties) }+ pub fn name() -> &'static CStr {+ vk::KhrExternalMemoryFdFn::name()+ }+ pub fn fp(&self) -> &vk::KhrExternalMemoryFdFn {- &self.external_memory_fd_fn+ &self.fp } pub fn device(&self) -> vk::Device {
Analyzing the provided code diff, here's the security assessment:
1. Vulnerability Existed: no
No specific vulnerability found [File] third_party/rust/ash/src/extensions/khr/external_memory_fd.rs [Lines] Various
[Old Code] Various instances of `external_memory_fd_fn`
[Fixed Code] Renamed to `fp`
The changes appear to be primarily a field rename from `external_memory_fd_fn` to `fp` for consistency or brevity. No security implications were found in this change.
2. Vulnerability Existed: no
No specific vulnerability found [File] third_party/rust/ash/src/extensions/khr/external_memory_fd.rs [Lines] 7-22
[Old Code] Separate field initialization and struct creation
[Fixed Code] Combined field initialization and struct creation
The change in initialization pattern (moving from separate steps to combined initialization) doesn't appear to have security implications. This seems to be a code style/optimization change.
3. Vulnerability Existed: no
No specific vulnerability found [File] third_party/rust/ash/src/extensions/khr/external_memory_fd.rs [Lines] 41-43
[Old Code] `name()` method before `fp()` method
[Fixed Code] `name()` method moved after `fp()` method
The reordering of methods doesn't have any security implications and appears to be purely organizational.
The changes in this diff appear to be primarily code organization and naming convention improvements rather than security fixes. No actual vulnerabilities were identified in the changes. The modifications maintain the same functionality while potentially improving code readability and consistency.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.rgba-2.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.rgba-2.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'rgba(255, 0, 0, 1. 0)'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Here's the analysis of the provided code diff:
1. Vulnerability Existed: no
Variable Renaming [File] [Lines 17-18, 24]
Old Code:
```
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[...]
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```
Fixed Code:
```
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
[...]
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```
The changes in this diff appear to be purely cosmetic, renaming the variable `offscreenCanvas` to `canvas` for consistency or clarity. There are no security vulnerabilities being fixed in this diff - it's simply a variable name change that doesn't affect functionality or security. The test case remains the same, just using the new variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/vm/JSScript.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/vm/JSScript.h@@ -422,9 +422,6 @@ // Common base class of the templated variants of PinnedUnits<T>. class PinnedUnitsBase { protected:- PinnedUnitsBase** stack_ = nullptr;- PinnedUnitsBase* prev_ = nullptr;- ScriptSource* source_; explicit PinnedUnitsBase(ScriptSource* source) : source_(source) {}@@ -548,15 +545,18 @@ SourceType data = SourceType(Missing()); // If the GC calls triggerConvertToCompressedSource with PinnedUnits present,- // the first PinnedUnits (that is, bottom of the stack) will install the- // compressed chars upon destruction.+ // the last PinnedUnits instance will install the compressed chars upon+ // destruction. // // Retrievability isn't part of the type here because uncompressed->compressed // transitions must preserve existing retrievability.- PinnedUnitsBase* pinnedUnitsStack_ = nullptr;- mozilla::MaybeOneOf<CompressedData<mozilla::Utf8Unit>,- CompressedData<char16_t>>- pendingCompressed_;+ struct ReaderInstances {+ size_t count = 0;+ mozilla::MaybeOneOf<CompressedData<mozilla::Utf8Unit>,+ CompressedData<char16_t>>+ pendingCompressed;+ };+ ExclusiveData<ReaderInstances> readers_; // True if an associated SourceCompressionTask was ever created. bool hadCompressionTask_ = false;@@ -631,7 +631,8 @@ // to deflate to Latin1 for longer strings, because this can be slow. static const size_t SourceDeflateLimit = 100;- explicit ScriptSource() : id_(++idCount_) {}+ explicit ScriptSource()+ : id_(++idCount_), readers_(js::mutexid::SourceCompression) {} ~ScriptSource() { MOZ_ASSERT(refs == 0); } void AddRef() { refs++; }@@ -980,7 +981,8 @@ size_t uncompressedLength); template <typename Unit>- void performDelayedConvertToCompressedSource();+ void performDelayedConvertToCompressedSource(+ ExclusiveData<ReaderInstances>::Guard& g); void triggerConvertToCompressedSourceFromTask( SharedImmutableString compressed);@@ -1426,7 +1428,7 @@ // - Inner-functions and bindings generated by syntax parse. // - Nullptr, if no bytecode or inner functions. // This is updated as script is delazified and relazified.- PrivateScriptData* data_ = nullptr;+ GCStructPtr<PrivateScriptData*> data_; // Shareable script data. This includes runtime-wide atom pointers, bytecode, // and various script note structures. If the script is currently lazy, this
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: yes
Memory Safety Issue (Potential Use-After-Free) [File] js/src/vm/JSScript.h [Lines 422-548]
[Old Code]
class PinnedUnitsBase {
protected:
PinnedUnitsBase** stack_ = nullptr;
PinnedUnitsBase* prev_ = nullptr;
ScriptSource* source_;
};
PinnedUnitsBase* pinnedUnitsStack_ = nullptr;
[Fixed Code]
struct ReaderInstances {
size_t count = 0;
mozilla::MaybeOneOf<CompressedData<mozilla::Utf8Unit>,
CompressedData<char16_t>>
pendingCompressed;
};
ExclusiveData<ReaderInstances> readers_;
2. Vulnerability Existed: yes
Race Condition in Script Source Compression [File] js/src/vm/JSScript.h [Lines 548-631]
[Old Code]
PinnedUnitsBase* pinnedUnitsStack_ = nullptr;
mozilla::MaybeOneOf<CompressedData<mozilla::Utf8Unit>,
CompressedData<char16_t>>
pendingCompressed_;
[Fixed Code]
struct ReaderInstances {
size_t count = 0;
mozilla::MaybeOneOf<CompressedData<mozilla::Utf8Unit>,
CompressedData<char16_t>>
pendingCompressed;
};
ExclusiveData<ReaderInstances> readers_;
3. Vulnerability Existed: yes
Memory Safety Issue (GC-related) [File] js/src/vm/JSScript.h [Lines 1426-1428]
[Old Code]
PrivateScriptData* data_ = nullptr;
[Fixed Code]
GCStructPtr<PrivateScriptData*> data_;
The changes appear to address several memory safety issues:
1. The first change replaces a manual linked list implementation with a more robust counter-based approach protected by mutexes, fixing potential use-after-free vulnerabilities in the PinnedUnits handling.
2. The second change introduces thread-safe access to compression state through ExclusiveData wrapper, fixing race conditions during script source compression.
3. The third change wraps script data in a GCStructPtr, ensuring proper garbage collection handling and preventing potential use-after-free scenarios.
The fixes primarily focus on memory safety and thread safety issues that could lead to use-after-free vulnerabilities or race conditions during script handling.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.empty.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.empty.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -30,7 +30,7 @@ ctx.moveTo(40, 25); ctx.moveTo(60, 25); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and don't involve any security-sensitive operations or patterns. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.empty.html] [Lines 17-30]
[Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); ... _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");]
[Fixed Code: var canvas = new OffscreenCanvas(100, 50); ... _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");]
The changes are purely cosmetic/refactoring in nature and don't affect security. The test functionality remains exactly the same, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/webrtc-sdp/src/media_type.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/webrtc-sdp/src/media_type.rs@@ -483,416 +483,5 @@ } #[cfg(test)]-pub fn create_dummy_media_section() -> SdpMedia {- let media_line = SdpMediaLine {- media: SdpMediaValue::Audio,- port: 9,- port_count: 0,- proto: SdpProtocolValue::RtpSavpf,- formats: SdpFormatList::Integers(Vec::new()),- };- SdpMedia::new(media_line)-}--#[cfg(test)]-mod tests {- use super::*;- use address::{AddressType, ExplicitlyTypedAddress};- use attribute_type::{- SdpAttributeFmtp, SdpAttributeFmtpParameters, SdpAttributePayloadType, SdpAttributeRtcpFb,- SdpAttributeRtcpFbType,- };- use std::convert::TryFrom;-- // TODO is this useful outside of tests?- impl SdpFormatList {- fn len(&self) -> usize {- match *self {- SdpFormatList::Integers(ref x) => x.len(),- SdpFormatList::Strings(ref x) => x.len(),- }- }- }-- pub fn add_dummy_attributes(media: &mut SdpMedia) {- assert!(media- .add_attribute(SdpAttribute::Rtcpfb(SdpAttributeRtcpFb {- payload_type: SdpAttributePayloadType::Wildcard,- feedback_type: SdpAttributeRtcpFbType::Ack,- parameter: "".to_string(),- extra: "".to_string(),- },))- .is_ok());- assert!(media- .add_attribute(SdpAttribute::Fmtp(SdpAttributeFmtp {- payload_type: 1,- parameters: SdpAttributeFmtpParameters {- packetization_mode: 0,- level_asymmetry_allowed: false,- profile_level_id: 0x0042_0010,- max_fs: 0,- max_cpb: 0,- max_dpb: 0,- max_br: 0,- max_mbps: 0,- usedtx: false,- stereo: false,- useinbandfec: false,- cbr: false,- max_fr: 0,- maxplaybackrate: 48000,- maxaveragebitrate: 0,- ptime: 0,- minptime: 0,- maxptime: 0,- encodings: Vec::new(),- dtmf_tones: "".to_string(),- rtx: None,- unknown_tokens: Vec::new()- }- },))- .is_ok());- assert!(media- .add_attribute(SdpAttribute::Sctpmap(SdpAttributeSctpmap {- port: 5000,- channels: 2,- }))- .is_ok());- assert!(media.add_attribute(SdpAttribute::BundleOnly).is_ok());- assert!(media.add_attribute(SdpAttribute::SctpPort(5000)).is_ok());-- assert!(media.get_attribute(SdpAttributeType::Rtpmap).is_some());- assert!(media.get_attribute(SdpAttributeType::Rtcpfb).is_some());- assert!(media.get_attribute(SdpAttributeType::Fmtp).is_some());- assert!(media.get_attribute(SdpAttributeType::Sctpmap).is_some());- assert!(media.get_attribute(SdpAttributeType::SctpPort).is_some());- assert!(media.get_attribute(SdpAttributeType::BundleOnly).is_some());- }-- fn check_parse(media_line_str: &str) -> SdpMediaLine {- if let Ok(SdpType::Media(media_line)) = parse_media(media_line_str) {- media_line- } else {- unreachable!()- }- }-- fn check_parse_and_serialize(media_line_str: &str) {- let parsed = check_parse(media_line_str);- assert_eq!(parsed.to_string(), media_line_str.to_string());- }-- #[test]- fn test_get_set_port() {- let mut msection = create_dummy_media_section();- assert_eq!(msection.get_port(), 9);- msection.set_port(2048);- assert_eq!(msection.get_port(), 2048);- }-- #[test]- fn test_add_codec() -> Result<(), SdpParserInternalError> {- let mut msection = create_dummy_media_section();- msection.add_codec(SdpAttributeRtpmap::new(96, "foobar".to_string(), 1000))?;- assert_eq!(msection.get_formats().len(), 1);- assert!(msection.get_attribute(SdpAttributeType::Rtpmap).is_some());-- let mut msection = create_dummy_media_section();- msection.media.formats = SdpFormatList::Strings(Vec::new());- msection.add_codec(SdpAttributeRtpmap::new(97, "boofar".to_string(), 1001))?;- assert_eq!(msection.get_formats().len(), 1);- assert!(msection.get_attribute(SdpAttributeType::Rtpmap).is_some());- Ok(())- }-- #[test]- fn test_remove_codecs() -> Result<(), SdpParserInternalError> {- let mut msection = create_dummy_media_section();- msection.add_codec(SdpAttributeRtpmap::new(96, "foobar".to_string(), 1000))?;- assert_eq!(msection.get_formats().len(), 1);- assert!(msection.get_attribute(SdpAttributeType::Rtpmap).is_some());- msection.remove_codecs();- assert_eq!(msection.get_formats().len(), 0);- assert!(msection.get_attribute(SdpAttributeType::Rtpmap).is_none());-- let mut msection = create_dummy_media_section();- msection.media.formats = SdpFormatList::Strings(Vec::new());- msection.add_codec(SdpAttributeRtpmap::new(97, "boofar".to_string(), 1001))?;- assert_eq!(msection.get_formats().len(), 1);-- add_dummy_attributes(&mut msection);-- msection.remove_codecs();- assert_eq!(msection.get_formats().len(), 0);- assert!(msection.get_attribute(SdpAttributeType::Rtpmap).is_none());- assert!(msection.get_attribute(SdpAttributeType::Rtcpfb).is_none());- assert!(msection.get_attribute(SdpAttributeType::Fmtp).is_none());- assert!(msection.get_attribute(SdpAttributeType::Sctpmap).is_none());- assert!(msection.get_attribute(SdpAttributeType::SctpPort).is_none());- Ok(())- }-- #[test]- fn test_add_datachannel() -> Result<(), SdpParserInternalError> {- let mut msection = create_dummy_media_section();- msection.add_datachannel("foo".to_string(), 5000, 256, 0)?;- assert_eq!(*msection.get_type(), SdpMediaValue::Application);- assert!(msection.get_attribute(SdpAttributeType::SctpPort).is_none());- assert!(msection- .get_attribute(SdpAttributeType::MaxMessageSize)- .is_none());- assert!(msection.get_attribute(SdpAttributeType::Sctpmap).is_some());- match *msection.get_attribute(SdpAttributeType::Sctpmap).unwrap() {- SdpAttribute::Sctpmap(ref s) => {- assert_eq!(s.port, 5000);- assert_eq!(s.channels, 256);- }- _ => unreachable!(),- }-- let mut msection = create_dummy_media_section();- msection.add_datachannel("foo".to_string(), 5000, 256, 1234)?;- assert_eq!(*msection.get_type(), SdpMediaValue::Application);- assert!(msection.get_attribute(SdpAttributeType::SctpPort).is_none());- assert!(msection- .get_attribute(SdpAttributeType::MaxMessageSize)- .is_some());- match *msection- .get_attribute(SdpAttributeType::MaxMessageSize)- .unwrap()- {- SdpAttribute::MaxMessageSize(m) => {- assert_eq!(m, 1234);- }- _ => unreachable!(),- }-- let mut msection = create_dummy_media_section();- msection.media.proto = SdpProtocolValue::UdpDtlsSctp;- msection.add_datachannel("foo".to_string(), 5000, 256, 5678)?;- assert_eq!(*msection.get_type(), SdpMediaValue::Application);- assert!(msection.get_attribute(SdpAttributeType::Sctpmap).is_none());- assert!(msection.get_attribute(SdpAttributeType::SctpPort).is_some());- match *msection.get_attribute(SdpAttributeType::SctpPort).unwrap() {- SdpAttribute::SctpPort(s) => {- assert_eq!(s, 5000);- }- _ => unreachable!(),- }- assert!(msection- .get_attribute(SdpAttributeType::MaxMessageSize)- .is_some());- match *msection- .get_attribute(SdpAttributeType::MaxMessageSize)- .unwrap()- {- SdpAttribute::MaxMessageSize(m) => {- assert_eq!(m, 5678);- }- _ => unreachable!(),- }- Ok(())- }-- #[test]- fn test_parse_media_token() -> Result<(), SdpParserInternalError> {- let audio = parse_media_token("audio")?;- assert_eq!(audio, SdpMediaValue::Audio);- let video = parse_media_token("VIDEO")?;- assert_eq!(video, SdpMediaValue::Video);- let app = parse_media_token("aPplIcatIOn")?;- assert_eq!(app, SdpMediaValue::Application);-- assert!(parse_media_token("").is_err());- assert!(parse_media_token("foobar").is_err());- Ok(())- }-- #[test]- fn test_parse_protocol_rtp_token() -> Result<(), SdpParserInternalError> {- fn parse_and_serialize_protocol_token(- token: &str,- result: SdpProtocolValue,- ) -> Result<(), SdpParserInternalError> {- let rtps = parse_protocol_token(token)?;- assert_eq!(rtps, result);- assert_eq!(rtps.to_string(), token.to_uppercase());- Ok(())- }- parse_and_serialize_protocol_token("rtp/avp", SdpProtocolValue::RtpAvp)?;- parse_and_serialize_protocol_token("rtp/avpf", SdpProtocolValue::RtpAvpf)?;- parse_and_serialize_protocol_token("rtp/savp", SdpProtocolValue::RtpSavp)?;- parse_and_serialize_protocol_token("rtp/savpf", SdpProtocolValue::RtpSavpf)?;- parse_and_serialize_protocol_token("udp/tls/rtp/savp", SdpProtocolValue::UdpTlsRtpSavp)?;- parse_and_serialize_protocol_token("udp/tls/rtp/savpf", SdpProtocolValue::UdpTlsRtpSavpf)?;- parse_and_serialize_protocol_token("TCP/dtls/rtp/savp", SdpProtocolValue::TcpDtlsRtpSavp)?;- parse_and_serialize_protocol_token(- "tcp/DTLS/rtp/savpf",- SdpProtocolValue::TcpDtlsRtpSavpf,- )?;-- assert!(parse_protocol_token("").is_err());- assert!(parse_protocol_token("foobar").is_err());- Ok(())- }-- #[test]- fn test_parse_protocol_sctp_token() -> Result<(), SdpParserInternalError> {- fn parse_and_serialize_protocol_token(- token: &str,- result: SdpProtocolValue,- ) -> Result<(), SdpParserInternalError> {- let rtps = parse_protocol_token(token)?;- assert_eq!(rtps, result);- assert_eq!(rtps.to_string(), token.to_uppercase());- Ok(())- }- parse_and_serialize_protocol_token("dtLs/ScTP", SdpProtocolValue::DtlsSctp)?;- parse_and_serialize_protocol_token("udp/DTLS/sctp", SdpProtocolValue::UdpDtlsSctp)?;- parse_and_serialize_protocol_token("tcp/dtls/SCTP", SdpProtocolValue::TcpDtlsSctp)?;- Ok(())- }-- #[test]- fn test_media_works() {- check_parse_and_serialize("audio 9 UDP/TLS/RTP/SAVPF 109");- check_parse_and_serialize("video 9 UDP/TLS/RTP/SAVPF 126");- check_parse_and_serialize("application 9 DTLS/SCTP 5000");- check_parse_and_serialize("application 9 UDP/DTLS/SCTP webrtc-datachannel");-- check_parse_and_serialize("audio 9 UDP/TLS/RTP/SAVPF 109 9 0 8");- check_parse_and_serialize("audio 0 UDP/TLS/RTP/SAVPF 8");- check_parse_and_serialize("audio 9/2 UDP/TLS/RTP/SAVPF 8");- }-- #[test]- fn test_media_missing_token() {- assert!(parse_media("video 9 UDP/TLS/RTP/SAVPF").is_err());- }-- #[test]- fn test_media_invalid_port_number() {- assert!(parse_media("video 75123 UDP/TLS/RTP/SAVPF 8").is_err());- }-- #[test]- fn test_media_invalid_type() {- assert!(parse_media("invalid 9 UDP/TLS/RTP/SAVPF 8").is_err());- }-- #[test]- fn test_media_invalid_port() {- assert!(parse_media("audio / UDP/TLS/RTP/SAVPF 8").is_err());- }-- #[test]- fn test_media_invalid_transport() {- assert!(parse_media("audio 9 invalid/invalid 8").is_err());- }-- #[test]- fn test_media_invalid_payload() {- assert!(parse_media("audio 9 UDP/TLS/RTP/SAVPF 300").is_err());- }-- #[test]- fn test_media_vector_first_line_failure() {- let mut sdp_lines: Vec<SdpLine> = Vec::new();- let line = SdpLine {- line_number: 0,- sdp_type: SdpType::Session("hello".to_string()),- text: "".to_owned(),- };- sdp_lines.push(line);- assert!(parse_media_vector(&mut sdp_lines).is_err());- }-- #[test]- fn test_media_vector_multiple_connections() {- let mut sdp_lines: Vec<SdpLine> = Vec::new();- let media_line = SdpMediaLine {- media: SdpMediaValue::Audio,- port: 9,- port_count: 0,- proto: SdpProtocolValue::RtpSavpf,- formats: SdpFormatList::Integers(Vec::new()),- };- let media = SdpLine {- line_number: 0,- sdp_type: SdpType::Media(media_line),- text: "".to_owned(),- };- sdp_lines.push(media);- let c = SdpConnection {- address: ExplicitlyTypedAddress::try_from((AddressType::IpV4, "127.0.0.1")).unwrap(),- ttl: None,- amount: None,- };- let c1 = SdpLine {- line_number: 1,- sdp_type: SdpType::Connection(c.clone()),- text: "".to_owned(),- };- sdp_lines.push(c1);- let c2 = SdpLine {- line_number: 2,- sdp_type: SdpType::Connection(c),- text: "".to_owned(),- };- sdp_lines.push(c2);- assert!(parse_media_vector(&mut sdp_lines).is_err());- }-- #[test]- fn test_media_vector_invalid_types() {- let mut sdp_lines: Vec<SdpLine> = Vec::new();- let media_line = SdpMediaLine {- media: SdpMediaValue::Audio,- port: 9,- port_count: 0,- proto: SdpProtocolValue::RtpSavpf,- formats: SdpFormatList::Integers(Vec::new()),- };- let media = SdpLine {- line_number: 0,- sdp_type: SdpType::Media(media_line),- text: "".to_owned(),- };- sdp_lines.push(media);- use SdpTiming;- let t = SdpTiming { start: 0, stop: 0 };- let tline = SdpLine {- line_number: 1,- sdp_type: SdpType::Timing(t),- text: "".to_owned(),- };- sdp_lines.push(tline);- assert!(parse_media_vector(&mut sdp_lines).is_err());- }-- #[test]- fn test_media_vector_invalid_media_level_attribute() {- let mut sdp_lines: Vec<SdpLine> = Vec::new();- let media_line = SdpMediaLine {- media: SdpMediaValue::Audio,- port: 9,- port_count: 0,- proto: SdpProtocolValue::RtpSavpf,- formats: SdpFormatList::Integers(Vec::new()),- };- let media = SdpLine {- line_number: 0,- sdp_type: SdpType::Media(media_line),- text: "".to_owned(),- };- sdp_lines.push(media);- let a = SdpAttribute::IceLite;- let aline = SdpLine {- line_number: 1,- sdp_type: SdpType::Attribute(a),- text: "".to_owned(),- };- sdp_lines.push(aline);- assert!(parse_media_vector(&mut sdp_lines).is_err());- }-}+#[path = "./media_type_tests.rs"]+mod media_type_tests;
After analyzing the provided code diff, I can see that this is primarily a structural change moving test code to a separate file rather than a security fix. However, I'll analyze it according to the requested format: Vulnerability Existed: no [No specific vulnerability] [third_party/rust/webrtc-sdp/src/media_type.rs] [Lines 483-899] [Old Code: All test code was embedded directly in the file] [Fixed Code: Test code moved to separate media_type_tests.rs file] The change appears to be purely organizational, moving test code from being inline in the main source file to a separate test file. This doesn't appear to address any specific security vulnerability but rather improves code organization and maintainability. No actual security vulnerabilities were identified in the removed test code. The test cases appear to be standard unit tests for media type handling in WebRTC SDP parsing. Additional notes: 1. The test code being moved included tests for various SDP parsing scenarios, including error cases 2. The dummy data creation functions (create_dummy_media_section, add_dummy_attributes) were also moved 3. No functional changes were made to the actual media type handling code 4. The change follows Rust's common practice of separating tests into dedicated files
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-170d.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-170d.xml@@ -9,7 +9,6 @@ <link rel="author" title="Ian Hickson" href="mailto:[email protected]"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found --> <link rel="match" href="reference/this-line-green-color.xht"/>- <meta name="flags" content="" /> </head> <body> <p>This line should be green.</p>
Let me analyze the diff for potential security vulnerabilities: Vulnerability Existed: no [No specific vulnerability found] [testing/web-platform/tests/css/selectors/old-tests/css3-modsel-170d.xml] [Lines 9] [Old Code] <meta name="flags" content="" /> [Fixed Code] [Removed line] Additional details: 1. The change simply removes an empty meta tag with a "flags" attribute, which appears to be test-related metadata. 2. There's no indication this was related to any security vulnerability. 3. The empty flags attribute wasn't posing any security risk. 4. This appears to be a test cleanup rather than a security fix. No known vulnerability patterns (XSS, injection, etc.) are present in this change. The modification seems to be part of routine test maintenance.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/intl/unicharutil/util/nsUnicodeProperties.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/intl/unicharutil/util/nsUnicodeProperties.h@@ -9,6 +9,7 @@ #include "mozilla/intl/UnicodeProperties.h"+#include "mozilla/Span.h" #include "nsBidiUtils.h" #include "nsUGenCategory.h" #include "harfbuzz/hb.h"@@ -158,36 +159,8 @@ return IsClusterExtender(aCh, GetGeneralCategory(aCh)); }-// A simple iterator for a string of char16_t codepoints that advances-// by Unicode grapheme clusters-class ClusterIterator {- public:- ClusterIterator(const char16_t* aText, uint32_t aLength)- : mPos(aText),- mLimit(aText + aLength)-#ifdef DEBUG- ,- mText(aText)-#endif- {- }-- operator const char16_t*() const { return mPos; }-- bool AtEnd() const { return mPos >= mLimit; }-- void Next();-- private:- const char16_t* mPos;- const char16_t* mLimit;-#ifdef DEBUG- const char16_t* mText;-#endif-};- // Count the number of grapheme clusters in the given string-uint32_t CountGraphemeClusters(const char16_t* aText, uint32_t aLength);+uint32_t CountGraphemeClusters(Span<const char16_t> aText); // Determine whether a character is a "combining diacritic" for the purpose // of diacritic-insensitive text search. Examples of such characters include@@ -210,24 +183,6 @@ // Remove diacritics from a character uint32_t GetNaked(uint32_t aCh);-// A simple reverse iterator for a string of char16_t codepoints that-// advances by Unicode grapheme clusters-class ClusterReverseIterator {- public:- ClusterReverseIterator(const char16_t* aText, uint32_t aLength)- : mPos(aText + aLength), mLimit(aText) {}-- operator const char16_t*() const { return mPos; }-- bool AtEnd() const { return mPos <= mLimit; }-- void Next();-- private:- const char16_t* mPos;- const char16_t* mLimit;-};- } // end namespace unicode } // end namespace mozilla
After analyzing the provided code diff, here are the potential security issues identified:
1. Vulnerability Existed: not sure
Potential Buffer Overflow Vulnerability [File] [Lines]
[Old Code]
class ClusterIterator {
public:
ClusterIterator(const char16_t* aText, uint32_t aLength)
: mPos(aText),
mLimit(aText + aLength)
#ifdef DEBUG
,
mText(aText)
#endif
{
}
[Fixed Code]
(Removed entirely, replaced with Span usage)
Additional Details: The old code used raw pointers and length parameters which could potentially lead to buffer overflows if not properly validated. The switch to using mozilla::Span suggests a move to safer bounds-checked operations.
2. Vulnerability Existed: not sure
Potential Buffer Overflow Vulnerability [File] [Lines]
[Old Code]
class ClusterReverseIterator {
public:
ClusterReverseIterator(const char16_t* aText, uint32_t aLength)
: mPos(aText + aLength), mLimit(aText) {}
[Fixed Code]
(Removed entirely, replaced with Span usage)
Additional Details: Similar to the first case, the reverse iterator also used raw pointers and length parameters which could potentially lead to buffer overflows. The removal suggests safer alternatives are being used.
3. Vulnerability Existed: not sure
API Hardening [File] [Lines]
[Old Code]
uint32_t CountGraphemeClusters(const char16_t* aText, uint32_t aLength);
[Fixed Code]
uint32_t CountGraphemeClusters(Span<const char16_t> aText);
Additional Details: The change from raw pointer+length to Span suggests an effort to harden the API against potential buffer overflow issues, though this isn't fixing a specific known vulnerability.
Note: While these changes appear to be security-related improvements (moving from potentially unsafe raw pointer operations to safer abstractions), I can't confirm they were fixing specific known vulnerabilities without more context. The changes are likely part of general security hardening efforts.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-160.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-160.xml@@ -11,7 +11,6 @@ <link rel="author" title="Ian Hickson" href="mailto:[email protected]"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found --> <link rel="match" href="reference/this-line-lime-background.xht"/>- <meta name="flags" content="" /> </head> <body> <p>This line should have a green background.</p>
Based on the provided diff, I'll analyze it for security vulnerabilities: Vulnerability Existed: no [No specific vulnerability found] [testing/web-platform/tests/css/selectors/old-tests/css3-modsel-160.xml] [Lines 11] [Old Code: <meta name="flags" content="" />] [Fixed Code: (line removed)] Additional details: 1. The change simply removes an empty meta tag with a "flags" attribute, which appears to be test-related metadata. 2. There's no indication of any security vulnerability being fixed here - this seems like routine test cleanup. 3. The empty meta tag didn't pose any security risk, and its removal doesn't appear to address any security issue. 4. This is likely just a cleanup of test infrastructure rather than a security fix.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.fillRect.basic.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.fillRect.basic.html@@ -17,12 +17,12 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes where variable names were updated for consistency. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.fillRect.basic.html [Lines] 17-25
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
ctx.fillStyle = '#0f0';
ctx.fillRect(0, 0, 100, 50);
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
ctx.fillStyle = '#0f0';
ctx.fillRect(0, 0, 100, 50);
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes simply rename the variable `offscreenCanvas` to `canvas` and update all references to it. There are no security implications to this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/python/mozversioncontrol/test/test_branch.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/python/mozversioncontrol/test/test_branch.py@@ -6,6 +6,7 @@ import mozunit import pytest+ from mozversioncontrol import get_repository_object@@ -33,7 +34,7 @@ def test_branch(repo):- vcs = get_repository_object(repo.strpath)+ vcs = get_repository_object(repo.dir) if vcs.name == "git" and LooseVersion(vcs.tool_version) < LooseVersion("2.22.0"): pytest.xfail("`git branch --show-current` not implemented yet")@@ -42,10 +43,10 @@ else: assert vcs.branch is None- next(repo.step)+ repo.execute_next_step() assert vcs.branch == "test"- next(repo.step)+ repo.execute_next_step() assert vcs.branch == "test" vcs.update(vcs.head_ref)
Let me analyze the code diff for potential security fixes: 1. Vulnerability Existed: no No specific vulnerability found [File] python/mozversioncontrol/test/test_branch.py [Lines] 33 Old Code: vcs = get_repository_object(repo.strpath) Fixed Code: vcs = get_repository_object(repo.dir) The change appears to be an internal API usage update rather than a security fix. 2. Vulnerability Existed: no No specific vulnerability found [File] python/mozversioncontrol/test/test_branch.py [Lines] 42,44 Old Code: next(repo.step) Fixed Code: repo.execute_next_step() This seems to be a refactoring of test code to use a more explicit method call rather than a direct iterator access, not a security fix. The changes appear to be test code improvements and API usage updates rather than security vulnerability fixes. No specific vulnerabilities were identified in this diff. The modifications seem focused on code clarity and maintainability rather than addressing security issues.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/context.unrecognised.unicode.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/context.unrecognised.unicode.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var offscreenCanvas2 = new OffscreenCanvas(100, 50); assert_throws_js(TypeError, function() { offscreenCanvas2.getContext("2\uFF44"); });
Analyzing the provided code diff, here's the security assessment: 1. Vulnerability Existed: no No security vulnerability found in this diff. The changes appear to be variable renaming (from `offscreenCanvas` to `canvas`) and adding a test case for Unicode character handling in context names. Additional details: - The diff shows a test case modification where a variable is renamed for clarity - A new test case is added to verify proper handling of Unicode characters in context names (specifically testing "2\uFF44" which is a fullwidth 'd' character) - The test asserts that passing an unrecognized context name (even in Unicode) should throw a TypeError - These changes are related to test improvements rather than security fixes No CVE or known vulnerability patterns are present in this diff. The changes are focused on test robustness and Unicode handling verification.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.