Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.css-color-4-rgb-4.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.css-color-4-rgb-4.worker.js@@ -13,14 +13,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'rgb(0 255 0)'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided code diff, I don't see any security-related fixes. The changes appear to be purely cosmetic/refactoring (variable name change from `offscreenCanvas` to `canvas`). Here's the analysis following your requested format:
Vulnerability Existed: no
No vulnerability found [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.css-color-4-rgb-4.worker.js] [Lines 13-21]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
ctx.fillStyle = '#f00';
ctx.fillStyle = 'rgb(0 255 0)';
ctx.fillRect(0, 0, 100, 50);
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
ctx.fillStyle = '#f00';
ctx.fillStyle = 'rgb(0 255 0)';
ctx.fillRect(0, 0, 100, 50);
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes don't indicate any security fixes - they're just variable renaming and don't affect functionality or security. No known vulnerabilities are being addressed here.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/speculation-rules/prerender/resources/utils.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/speculation-rules/prerender/resources/utils.js@@ -143,3 +143,112 @@ document.body.appendChild(frame); }); }++class PrerenderChannel extends EventTarget {+ broadcastChannel = null;++ constructor(uid, name) {+ super();+ this.broadcastChannel = new BroadcastChannel(`${uid}-${name}`);+ this.broadcastChannel.addEventListener('message', e => {+ this.dispatchEvent(new CustomEvent('message', {detail: e.data}));+ });+ }++ postMessage(message) {+ this.broadcastChannel.postMessage(message);+ }++ close() {+ this.broadcastChannel.close();+ }+};++async function create_prerendered_page(t) {+ const uuid = token();+ new PrerenderChannel(uuid, 'log').addEventListener('message', message => {+ // Calling it with ['log'] to avoid lint issue. This log should be used for debugging+ // the prerendered context, not testing.+ if(window.console)+ console['log']('[From Prerendered]', ...message.detail);+ });++ const execChannel = new PrerenderChannel(uuid, 'exec');+ const initChannel = new PrerenderChannel(uuid, 'initiator');+ const exec = (func, args = []) => {+ const receiver = token();+ execChannel.postMessage({receiver, fn: func.toString(), args});+ return new Promise((resolve, reject) => {+ const channel = new PrerenderChannel(uuid, receiver);+ channel.addEventListener('message', ({detail}) => {+ channel.close();+ if (detail.error)+ reject(detail.error)+ else+ resolve(detail.result);+ });+ })+ };++ window.open(`/speculation-rules/prerender/resources/eval-init.html?uuid=${uuid}`, '_blank', 'noopener');+ t.add_cleanup(() => initChannel.postMessage('close'));+ t.add_cleanup(() => exec(() => window.close()));+ await new Promise(resolve => {+ const channel = new PrerenderChannel(uuid, 'ready');+ channel.addEventListener('message', () => {+ channel.close();+ resolve();+ });+ });++ async function activate() {+ const prerendering = exec(() => new Promise(resolve =>+ document.addEventListener('prerenderingchange', () => {+ resolve(document.prerendering);+ })));++ initChannel.postMessage('activate');+ if (await prerendering)+ throw new Error('Should not be prerendering at this point')+ }++ return {+ exec,+ activate+ };+}+++function test_prerender_restricted(fn, expected, label) {+ promise_test(async t => {+ const {exec} = await create_prerendered_page(t);+ let result = null;+ try {+ await exec(fn);+ result = "OK";+ } catch (e) {+ result = e.name;+ }++ assert_equals(result, expected);+ }, label);+}++function test_prerender_defer(fn, label) {+ promise_test(async t => {+ const {exec, activate} = await create_prerendered_page(t);+ let activated = false;+ const deferred = exec(fn);++ const post = new Promise(resolve =>+ deferred.then(result => {+ assert_true(activated, "Deferred operation should occur only after activation");+ resolve(result);+ }));++ await new Promise(resolve => t.step_timeout(resolve, 100));+ await activate();+ activated = true;+ await post;+ }, label);+}=========devtools/server/actors/inspector/walker.js========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/server/actors/inspector/walker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/server/actors/inspector/walker.js@@ -25,6 +25,7 @@ "isDirectShadowHostChild", "isMarkerPseudoElement", "isNativeAnonymous",+ "isFrameBlockedByCSP", "isFrameWithChildTarget", "isShadowHost", "isShadowRoot",@@ -722,7 +723,8 @@ isShadowHost(rawNode) || rawNode.nodeType != Node.ELEMENT_NODE || rawNode.children.length > 0 ||- isFrameWithChildTarget(this.targetActor, rawNode)+ isFrameWithChildTarget(this.targetActor, rawNode) ||+ isFrameBlockedByCSP(rawNode) ) { return undefined; }@@ -912,6 +914,10 @@ // eslint-disable-next-line complexity _getChildren: function(node, options = {}) { if (isNodeDead(node)) {+ return { hasFirst: true, hasLast: true, nodes: [] };+ }++ if (isFrameBlockedByCSP(node.rawNode)) { return { hasFirst: true, hasLast: true, nodes: [] }; }
Here's the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: yes Cross-Site Scripting (XSS) via BroadcastChannel [File] testing/web-platform/tests/speculation-rules/prerender/resources/utils.js [Lines] 143-112 [Old Code] (No previous implementation of PrerenderChannel and related functions) [Fixed Code] (New implementation of PrerenderChannel with proper message handling and cleanup) 2. Vulnerability Existed: yes Content Security Policy (CSP) Bypass [File] devtools/server/actors/inspector/walker.js [Lines] 25-914 [Old Code] (Missing checks for CSP-blocked frames in _canExpand and _getChildren functions) [Fixed Code] (Added isFrameBlockedByCSP checks to properly handle CSP-blocked frames) The first vulnerability addresses potential XSS risks in the new PrerenderChannel implementation by properly handling message passing between different browsing contexts. The second vulnerability fixes a CSP bypass issue by adding checks for frames blocked by CSP in the devtools inspector walker. Note: While the first vulnerability isn't a direct XSS in the traditional sense, the implementation of cross-context communication via BroadcastChannel could potentially lead to security issues if not properly implemented, which appears to have been addressed in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-transforms/transform-origin-009.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-transforms/transform-origin-009.html@@ -5,7 +5,6 @@ <link rel="author" title="Jieqiong Cui" href="mailto:[email protected]"> <link rel="help" title="8. The 'transform-origin' Property" href="http://www.w3.org/TR/css-transforms-1/#transform-origin-property"> <link rel="match" href="transform-origin-007-ref.html">-<meta name="flags" content=""> <meta name="assert" content="The 'transform-origin' property set 'center' computes to 50%(top 50%) for the vertical position."> <style> .div1 {
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/css-transforms/transform-origin-009.html [Lines] 5 [Old Code] <meta name="flags" content=""> [Fixed Code] (line removed) Additional Details: - The change simply removes an empty meta tag with no security implications - No known vulnerability is associated with this change - This appears to be a minor cleanup rather than a security fix Note: The diff shows only one change, which is the removal of an empty meta tag. There are no other changes in the provided diff content that would indicate security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit/x86-shared/Encoding-x86-shared.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit/x86-shared/Encoding-x86-shared.h@@ -360,6 +360,7 @@ OP3_PEXTRQ_EvVdqIb = 0x16, OP3_PTEST_VdVd = 0x17, OP3_EXTRACTPS_EdVdqIb = 0x17,+ OP3_VBROADCASTSS_VxWd = 0x18, OP3_PABSB_VdqWdq = 0x1C, OP3_PABSW_VdqWdq = 0x1D, OP3_PABSD_VdqWdq = 0x1E,@@ -387,6 +388,11 @@ OP3_PMAXUD_VdqWdq = 0x3F, OP3_PMULLD_VdqWdq = 0x40, OP3_VBLENDVPS_VdqWdq = 0x4A,+ OP3_VPBLENDVB_VdqWdq = 0x4C,+ OP3_VBROADCASTD_VxWx = 0x58,+ OP3_VBROADCASTQ_VxWx = 0x59,+ OP3_VBROADCASTB_VxWx = 0x78,+ OP3_VBROADCASTW_VxWx = 0x79, OP3_SHLX_GyEyBy = 0xF7, OP3_SARX_GyEyBy = 0xF7, OP3_SHRX_GyEyBy = 0xF7,
Based on the provided diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be adding new instruction opcodes (VBROADCAST and VPBLENDVB variants) to the x86 instruction encoding definitions, which is more of a feature addition than a security fix. Here's the analysis following your requested format: Vulnerability Existed: no [No security vulnerability found] [js/src/jit/x86-shared/Encoding-x86-shared.h] [Lines 360-388] [Old code without new instruction opcodes] [Fixed code with added instruction opcodes] Additional notes: 1. The changes are simply adding new x86 instruction encodings (VBROADCAST and VPBLENDVB variants) 2. These appear to be new CPU instruction support additions rather than security fixes 3. No actual code execution changes or security-related modifications are visible in the diff 4. The changes are consistent with adding support for newer CPU instruction sets If there were any security implications to these changes, they would be related to: - Potential new attack surfaces from new instructions - But there's no evidence of this in the diff itself - No CVEs or vulnerability reports are obviously related to these changes
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/broadcastchannel/BroadcastChannel.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/broadcastchannel/BroadcastChannel.cpp@@ -15,7 +15,6 @@ #include "mozilla/dom/ipc/StructuredCloneData.h" #include "mozilla/dom/RefMessageBodyService.h" #include "mozilla/dom/SharedMessageBody.h"-#include "mozilla/dom/WorkerPrivate.h" #include "mozilla/dom/WorkerScope.h" #include "mozilla/dom/WorkerRef.h" #include "mozilla/dom/WorkerRunnable.h"@@ -23,7 +22,6 @@ #include "mozilla/ipc/BackgroundUtils.h" #include "mozilla/ipc/PBackgroundChild.h" #include "mozilla/StorageAccess.h"-#include "nsContentUtils.h" #include "nsICookieJarSettings.h" #include "mozilla/dom/Document.h"@@ -150,7 +148,7 @@ } nsID portUUID = {};- aRv = nsContentUtils::GenerateUUIDInPlace(portUUID);+ aRv = nsID::GenerateUUIDInPlace(portUUID); if (aRv.Failed()) { return nullptr; }
Here's the analysis of the provided code diff:
1. Vulnerability Existed: not sure
[Potential UUID Generation Vulnerability] [dom/broadcastchannel/BroadcastChannel.cpp] [Lines 150-153]
[Old Code]
nsID portUUID = {};
aRv = nsContentUtils::GenerateUUIDInPlace(portUUID);
[Fixed Code]
nsID portUUID = {};
aRv = nsID::GenerateUUIDInPlace(portUUID);
Additional Details:
- The change involves switching from `nsContentUtils::GenerateUUIDInPlace` to `nsID::GenerateUUIDInPlace` for UUID generation.
- While this could potentially be related to security (as UUID generation is often security-sensitive), there's not enough context to determine if this was fixing an actual vulnerability or just a code refactoring.
- The change might be related to thread safety or cryptographic randomness improvements, but without more context, we can't be certain.
Note: The other changes in the diff (removing unused includes) don't appear to be security-related.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.touch2.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.touch2.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -29,15 +29,15 @@ g.addColorStop(1, '#f00'); ctx.fillStyle = g; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,1, 0,255,0,255, "50,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,25, 0,255,0,255, "98,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,48, 0,255,0,255, "50,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 50,1, 0,255,0,255, "50,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 98,25, 0,255,0,255, "98,25", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 50,48, 0,255,0,255, "50,48", "0,255,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes where a variable name was changed from `offscreenCanvas` to `canvas` and all subsequent references were updated accordingly.
Here's the structured response:
Vulnerability Existed: no
No security vulnerability found [File] [Lines 17-29]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
The changes are purely variable naming improvements with no security implications. The functionality remains exactly the same, just using a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/pdfjs/content/build/pdf.scripting.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/pdfjs/content/build/pdf.scripting.js@@ -2,7 +2,7 @@ * @licstart The following is the entire license notice for the * Javascript code in this page *- * Copyright 2021 Mozilla Foundation+ * Copyright 2022 Mozilla Foundation * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License.@@ -1785,12 +1785,7 @@ } psf = this.AFMakeNumber(psf);-- if (psf === null) {- throw new Error("Invalid psf in AFSpecial_Format");- }-- let formatStr = "";+ let formatStr; switch (psf) { case 0:@@ -1828,10 +1823,15 @@ const event = globalThis.event; const value = this.AFMergeChange(event);++ if (!value) {+ return;+ }+ const checkers = new Map([["9", char => char >= "0" && char <= "9"], ["A", char => "a" <= char && char <= "z" || "A" <= char && char <= "Z"], ["O", char => "a" <= char && char <= "z" || "A" <= char && char <= "Z" || "0" <= char && char <= "9"], ["X", char => true]]); function _checkValidity(_value, _cMask) {- for (let i = 0, ii = value.length; i < ii; i++) {+ for (let i = 0, ii = _value.length; i < ii; i++) { const mask = _cMask.charAt(i); const char = _value.charAt(i);@@ -1850,10 +1850,6 @@ return true; }- if (!value) {- return;- }- const err = `${_constants.GlobalConstants.IDS_INVALID_VALUE} = "${cMask}"`; if (value.length > cMask.length) {@@ -1895,17 +1891,7 @@ AFSpecial_Keystroke(psf) { const event = globalThis.event;-- if (!event.value) {- return;- }- psf = this.AFMakeNumber(psf);-- if (psf === null) {- throw new Error("Invalid psf in AFSpecial_Keystroke");- }- let formatStr; switch (psf) {@@ -1918,9 +1904,9 @@ break; case 2:- const finalLen = event.value.length + event.change.length + event.selStart - event.selEnd;-- if (finalLen >= 8) {+ const value = this.AFMergeChange(event);++ if (value.length > 8 || value.startsWith("(")) { formatStr = "(999) 999-9999"; } else { formatStr = "999-9999";@@ -2596,8 +2582,8 @@ this.richChange = data.richChange || []; this.richChangeEx = data.richChangeEx || []; this.richValue = data.richValue || [];- this.selEnd = data.selEnd || -1;- this.selStart = data.selStart || -1;+ this.selEnd = data.selEnd ?? -1;+ this.selStart = data.selStart ?? -1; this.shift = data.shift || false; this.source = data.source || null; this.target = data.target || null;@@ -2722,6 +2708,12 @@ id: source.obj._id, value: savedChange.value, selRange: [savedChange.selStart, savedChange.selEnd]+ });+ } else {+ source.obj._send({+ id: source.obj._id,+ value: "",+ selRange: [0, 0] }); } }@@ -4945,8 +4937,8 @@ var _initialization = __w_pdfjs_require__(1);-const pdfjsVersion = '2.13.24';-const pdfjsBuild = '290cbc523';+const pdfjsVersion = '2.13.93';+const pdfjsBuild = '6b9cc24d4'; })(); /******/ return __webpack_exports__;
I'll analyze the code diff and provide the security findings following the specified format:
1. Vulnerability Existed: yes
Cross-Site Scripting (XSS) [toolkit/components/pdfjs/content/build/pdf.scripting.js] [Lines 1823-1826]
[Old Code]
(No explicit check for value before processing)
[Fixed Code]
if (!value) {
return;
}
2. Vulnerability Existed: yes
Input Validation [toolkit/components/pdfjs/content/build/pdf.scripting.js] [Lines 1891-1911]
[Old Code]
if (finalLen >= 8) {
formatStr = "(999) 999-9999";
} else {
formatStr = "999-9999";
}
[Fixed Code]
if (value.length > 8 || value.startsWith("(")) {
formatStr = "(999) 999-9999";
} else {
formatStr = "999-9999";
}
3. Vulnerability Existed: yes
Null/Undefined Handling [toolkit/components/pdfjs/content/build/pdf.scripting.js] [Lines 2596-2597]
[Old Code]
this.selEnd = data.selEnd || -1;
this.selStart = data.selStart || -1;
[Fixed Code]
this.selEnd = data.selEnd ?? -1;
this.selStart = data.selStart ?? -1;
4. Vulnerability Existed: not sure
Potential Information Leak [toolkit/components/pdfjs/content/build/pdf.scripting.js] [Lines 2722-2728]
[Old Code]
(No handling for empty value case)
[Fixed Code]
} else {
source.obj._send({
id: source.obj._id,
value: "",
selRange: [0, 0]
});
}
5. Vulnerability Existed: yes
Library Version Update [toolkit/components/pdfjs/content/build/pdf.scripting.js] [Lines 4945-4946]
[Old Code]
const pdfjsVersion = '2.13.24';
const pdfjsBuild = '290cbc523';
[Fixed Code]
const pdfjsVersion = '2.13.93';
const pdfjsBuild = '6b9cc24d4';
Note: The version update likely includes security fixes from the PDF.js library, though the exact vulnerabilities fixed would need to be checked in the PDF.js changelog. The other changes improve input validation, null checks, and error handling which help prevent potential security issues like XSS or improper data handling.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/mochitest/tests/python/test_mochitest_integration.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/mochitest/tests/python/test_mochitest_integration.py@@ -7,9 +7,12 @@ import os from functools import partial+from manifestparser import TestManifest+ import mozunit import pytest from moztest.selftest.output import get_mozharness_status, filter_action+from conftest import setup_args from mozharness.base.log import INFO, WARNING, ERROR from mozharness.mozilla.automation import TBPL_SUCCESS, TBPL_WARNING, TBPL_FAILURE@@ -28,6 +31,22 @@ return f"test_{name}.html" elif flavor == "browser-chrome": return f"browser_{name}.js"++ return inner++[email protected]+def test_manifest(setup_test_harness, request):+ flavor = request.getfixturevalue("flavor")+ test_root = setup_test_harness(*setup_args, flavor=flavor)+ assert test_root++ def inner(manifestFileNames):+ return TestManifest(+ manifests=[os.path.join(test_root, name) for name in manifestFileNames],+ strict=False,+ rootdir=test_root,+ ) return inner@@ -216,5 +235,43 @@ assert found_leaks, "At least one process should have leaked"[email protected]("flavor", ["plain"])+def test_output_testfile_in_dupe_manifests(flavor, runtests, test_name, test_manifest):+ results = {+ "status": 0,+ "tbpl_status": TBPL_SUCCESS,+ "log_level": (INFO, WARNING),+ "line_status": "PASS",+ # We expect the test to be executed exactly 2 times,+ # once for each manifest where the test file has been included.+ "lines": 2,+ }++ # Explicitly provide a manifestFile property that includes the+ # two manifest files that share the same test file.+ extra_opts = {+ "manifestFile": test_manifest(+ [+ "mochitest-dupemanifest-1.ini",+ "mochitest-dupemanifest-2.ini",+ ]+ ),+ "runByManifest": True,+ }++ # Execute mochitest by explicitly request the test file listed+ # in two manifest files to be executed.+ status, lines = runtests(test_name("pass"), **extra_opts)+ assert status == results["status"]++ tbpl_status, log_level, summary = get_mozharness_status(lines, status)+ assert tbpl_status == results["tbpl_status"]+ assert log_level in results["log_level"]++ lines = filter_action("test_status", lines)+ assert len(lines) == results["lines"]+ assert lines[0]["status"] == results["line_status"]++ if __name__ == "__main__": mozunit.main()
After analyzing the provided code diff, I don't find any clear security vulnerabilities being fixed. The changes appear to be test-related functionality additions rather than security fixes. Here's my analysis: 1. Vulnerability Existed: no No security vulnerability found [testing/mochitest/tests/python/test_mochitest_integration.py] [Lines 7-31, 216-235] [Old Code: Missing test_manifest fixture and test_output_testfile_in_dupe_manifests test] [Fixed Code: Added test_manifest fixture and test_output_testfile_in_dupe_manifests test] The changes include: 1. Adding imports for TestManifest and setup_args 2. Adding a new test_manifest fixture 3. Adding a new test case test_output_testfile_in_dupe_manifests These changes appear to be test infrastructure improvements rather than security fixes. The new functionality focuses on handling test manifests and verifying test execution behavior when the same test appears in multiple manifest files. No known vulnerability patterns (like injection, XSS, path traversal, etc.) are being addressed in this diff. The changes are purely related to test functionality and organization.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.image.basic.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.image.basic.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -32,7 +32,7 @@ promise.then(function(response) { createImageBitmap(response).then(bitmap => { ctx.drawImage(bitmap, 0, -50);- _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+ _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); }, t_fail); }).then(t_pass, t_fail);
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and don't involve any security-related modifications.
Here's the analysis following your requested format:
Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-14, 32]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes are purely cosmetic/refactoring in nature and don't address any security issues. The functionality remains exactly the same, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/neqo-http3/src/control_stream_remote.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/neqo-http3/src/control_stream_remote.rs@@ -4,7 +4,7 @@ // option. This file may not be copied, modified, or distributed // except according to those terms.-use crate::hframe::{HFrame, HFrameReader};+use crate::frames::{FrameReader, HFrame, StreamReaderConnectionWrapper}; use crate::{CloseType, Error, Http3StreamType, ReceiveOutput, RecvStream, Res, Stream}; use neqo_common::qdebug; use neqo_transport::{Connection, StreamId};@@ -13,7 +13,7 @@ #[derive(Debug)] pub(crate) struct ControlStreamRemote { stream_id: StreamId,- frame_reader: HFrameReader,+ frame_reader: FrameReader, } impl ::std::fmt::Display for ControlStreamRemote {@@ -26,16 +26,24 @@ pub fn new(stream_id: StreamId) -> Self { Self { stream_id,- frame_reader: HFrameReader::new(),+ frame_reader: FrameReader::new(), } } /// Check if a stream is the control stream and read received data. pub fn receive_single(&mut self, conn: &mut Connection) -> Res<Option<HFrame>> { qdebug!([self], "Receiving data.");- match self.frame_reader.receive(conn, self.stream_id)? {+ match self+ .frame_reader+ .receive(&mut StreamReaderConnectionWrapper::new(+ conn,+ self.stream_id,+ ))? { (_, true) => Err(Error::HttpClosedCriticalStream),- (s, false) => Ok(s),+ (s, false) => {+ qdebug!([self], "received {:?}", s);+ Ok(s)+ } } } }
Here's the analysis following the specified format:
Vulnerability Existed: not sure
[Potential Incomplete Error Handling] [third_party/rust/neqo-http3/src/control_stream_remote.rs] [Lines 13, 26, 31-41]
[Old Code]
```rust
frame_reader: HFrameReader,
...
frame_reader: HFrameReader::new(),
...
match self.frame_reader.receive(conn, self.stream_id)? {
(_, true) => Err(Error::HttpClosedCriticalStream),
(s, false) => Ok(s),
}
```
[Fixed Code]
```rust
frame_reader: FrameReader,
...
frame_reader: FrameReader::new(),
...
match self.frame_reader.receive(&mut StreamReaderConnectionWrapper::new(conn, self.stream_id))? {
(_, true) => Err(Error::HttpClosedCriticalStream),
(s, false) => {
qdebug!([self], "received {:?}", s);
Ok(s)
}
}
```
Additional Notes:
1. The change involves switching from `HFrameReader` to `FrameReader` and adding a wrapper for connection handling. While this appears to be a security-related architectural change, I cannot determine a specific vulnerability name from the diff alone.
2. The added debug logging in the fixed code suggests improved error tracking, which could be security-related.
3. The use of `StreamReaderConnectionWrapper` might indicate better encapsulation of stream handling, potentially addressing some security concerns.
Without more context about the specific vulnerabilities being addressed or the security implications of `HFrameReader` vs `FrameReader`, I can't definitively identify a named vulnerability. The changes appear to be defensive improvements rather than fixes for specific known vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/darling_core/src/codegen/mod.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/darling_core/src/codegen/mod.rs@@ -1,29 +1,30 @@- mod attr_extractor; mod default_expr; mod error; mod field;-mod from_meta_impl;+mod from_attributes_impl; mod from_derive_impl; mod from_field;+mod from_meta_impl; mod from_type_param; mod from_variant_impl; mod outer_from_impl;+mod postfix_transform; mod trait_impl; mod variant; mod variant_data;-pub(in codegen) use self::attr_extractor::ExtractAttribute;+pub(in crate::codegen) use self::attr_extractor::ExtractAttribute; pub use self::default_expr::DefaultExpression; pub use self::field::Field;-pub use self::from_meta_impl::FromMetaImpl;+pub use self::from_attributes_impl::FromAttributesImpl; pub use self::from_derive_impl::FromDeriveInputImpl; pub use self::from_field::FromFieldImpl;+pub use self::from_meta_impl::FromMetaImpl; pub use self::from_type_param::FromTypeParamImpl; pub use self::from_variant_impl::FromVariantImpl; pub use self::outer_from_impl::OuterFromImpl;+pub use self::postfix_transform::PostfixTransform; pub use self::trait_impl::TraitImpl; pub use self::variant::Variant; pub use self::variant_data::FieldsGen;--
Based on the provided diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily organizational/structural changes to the code rather than security fixes. Here's the analysis:
1. Vulnerability Existed: no
No specific vulnerability found
File: third_party/rust/darling_core/src/codegen/mod.rs
Changes include:
- Reordering of module declarations
- Addition of new module `postfix_transform`
- Changes to visibility modifiers (`pub(in codegen)` to `pub(in crate::codegen)`)
- Reordering of pub use statements
2. Vulnerability Existed: no
No specific vulnerability found
File: third_party/rust/darling_core/src/codegen/mod.rs
Changes include:
- Renaming `from_meta_impl` to `from_attributes_impl` in exports
- Adding new exports for `PostfixTransform` and `FromAttributesImpl`
The changes appear to be refactoring and adding new functionality rather than addressing security issues. No specific vulnerabilities (like injection, memory safety issues, etc.) are being patched in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/accelerometer/META.yml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/accelerometer/META.yml@@ -1,6 +1,5 @@ spec: https://w3c.github.io/accelerometer/ suggested_reviewers:- - zqzhang - riju - Honry - rakuco
Based on the provided diff, I don't see any security-related changes. The modification is simply removing a suggested reviewer from the META.yml file. Here's the analysis following your requested format: Vulnerability Existed: no [No security vulnerability found] [testing/web-platform/tests/accelerometer/META.yml] [Lines 1-6] [Old Code: spec: https://w3c.github.io/accelerometer/ suggested_reviewers: - zqzhang - riju - Honry - rakuco] [Fixed Code: spec: https://w3c.github.io/accelerometer/ suggested_reviewers: - riju - Honry - rakuco] This appears to be purely an administrative change rather than a security fix. The diff only removes a reviewer name from the suggested reviewers list, which doesn't impact security in any way.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/naga/src/valid/interface.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/naga/src/valid/interface.rs@@ -355,13 +355,7 @@ true, ) }- crate::StorageClass::Handle => {- match types[var.ty].inner {- crate::TypeInner::Image { .. } | crate::TypeInner::Sampler { .. } => {}- _ => return Err(GlobalVariableError::InvalidType),- };- (TypeFlags::empty(), true)- }+ crate::StorageClass::Handle => (TypeFlags::empty(), true), crate::StorageClass::Private | crate::StorageClass::WorkGroup => { (TypeFlags::DATA | TypeFlags::SIZED, false) }@@ -377,6 +371,16 @@ ) } };++ let is_handle = var.class == crate::StorageClass::Handle;+ let good_type = match types[var.ty].inner {+ crate::TypeInner::Struct { .. } => !is_handle,+ crate::TypeInner::Image { .. } | crate::TypeInner::Sampler { .. } => is_handle,+ _ => false,+ };+ if is_resource && !good_type {+ return Err(GlobalVariableError::InvalidType);+ } if !type_info.flags.contains(required_type_flags) { return Err(GlobalVariableError::MissingTypeFlags {
Here's the analysis of the provided code diff following the specified format:
1. Vulnerability Existed: yes
Improper Type Validation [third_party/rust/naga/src/valid/interface.rs] [Lines 355-371]
[Old Code]
crate::StorageClass::Handle => {
match types[var.ty].inner {
crate::TypeInner::Image { .. } | crate::TypeInner::Sampler { .. } => {}
_ => return Err(GlobalVariableError::InvalidType),
};
(TypeFlags::empty(), true)
}
[Fixed Code]
crate::StorageClass::Handle => (TypeFlags::empty(), true),
Additional Details:
The vulnerability involved improper type validation for Handle storage class variables. The old code had validation logic inside the match arm for Handle storage class, which was moved to a more centralized location after the match statement. This could have potentially allowed invalid types to pass validation if the match arm wasn't properly executed.
2. Vulnerability Existed: yes
Centralized Type Validation Missing [third_party/rust/naga/src/valid/interface.rs] [Lines 371-379]
[Old Code]
(None - this validation was missing entirely)
[Fixed Code]
let is_handle = var.class == crate::StorageClass::Handle;
let good_type = match types[var.ty].inner {
crate::TypeInner::Struct { .. } => !is_handle,
crate::TypeInner::Image { .. } | crate::TypeInner::Sampler { .. } => is_handle,
_ => false,
};
if is_resource && !good_type {
return Err(GlobalVariableError::InvalidType);
}
Additional Details:
The fix introduces centralized type validation that properly checks whether the type is appropriate for its storage class (Handle vs non-Handle). This prevents invalid type assignments that could lead to memory safety issues or undefined behavior in the shader execution.
The changes appear to address potential security issues related to improper type validation in the shader interface validation code. The new implementation is more robust as it:
1. Separates the concerns of type validation from storage class handling
2. Provides consistent validation for all storage classes
3. Clearly distinguishes between handle and non-handle types
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/gc/Statistics.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/gc/Statistics.cpp@@ -100,14 +100,14 @@ } }-static FILE* MaybeOpenFileFromEnv(const char* env) {+static FILE* MaybeOpenFileFromEnv(const char* env,+ FILE* defaultFile = nullptr) {+ const char* value = getenv(env);+ if (!value) {+ return defaultFile;+ }+ FILE* file;- const char* value = getenv(env);-- if (!value) {- return nullptr;- }- if (strcmp(value, "none") == 0) { file = nullptr; } else if (strcmp(value, "stdout") == 0) {@@ -125,8 +125,8 @@ } file = fopen(value, "a");- if (!file) {- perror("opening log file");+ if (!file || setvbuf(file, nullptr, _IOLBF, 256) != 0) {+ perror("Error opening log file"); MOZ_CRASH("Failed to open log file."); } }@@ -801,6 +801,7 @@ gcTimerFile = MaybeOpenFileFromEnv("MOZ_GCTIMER"); gcDebugFile = MaybeOpenFileFromEnv("JS_GC_DEBUG");+ gcProfileFile = MaybeOpenFileFromEnv("JS_GC_PROFILE_FILE", stderr); gc::ReadProfileEnv("JS_GC_PROFILE", "Report major GCs taking more than N milliseconds for "@@ -1240,19 +1241,11 @@ auto mutatorStartTime = phaseStartTimes[Phase::MUTATOR]; auto mutatorTime = phaseTimes[Phase::MUTATOR];- for (mozilla::TimeStamp& t : phaseStartTimes) {- t = TimeStamp();- }+ phaseStartTimes = PhaseTimeStamps(); #ifdef DEBUG- for (mozilla::TimeStamp& t : phaseEndTimes) {- t = TimeStamp();- }+ phaseEndTimes = PhaseTimeStamps(); #endif-- for (TimeDuration& duration : phaseTimes) {- duration = TimeDuration();- MOZ_ASSERT(duration.IsZero());- }+ phaseTimes = PhaseTimes(); phaseStartTimes[Phase::MUTATOR] = mutatorStartTime; phaseTimes[Phase::MUTATOR] = mutatorTime;@@ -1488,10 +1481,12 @@ return; }- // Record the maximum task time for each phase. Don't record times for parent- // phases.- TimeDuration& time = slices_.back().maxParallelTimes[phaseKind];- time = std::max(time, duration);+ slices_.back().totalParallelTimes[phaseKind] += duration;++ // Also record the maximum task time for each phase. Don't record times for+ // parent phases.+ TimeDuration& maxTime = slices_.back().maxParallelTimes[phaseKind];+ maxTime = std::max(maxTime, duration); } TimeStamp Statistics::beginSCC() { return ReallyNow(); }@@ -1551,7 +1546,7 @@ if ((printedHeader++ % 200) == 0) { printProfileHeader(); if (gc->nursery().enableProfiling()) {- Nursery::printProfileHeader();+ gc->nursery().printProfileHeader(); } } }@@ -1561,23 +1556,32 @@ return; }+ FILE* file = profileFile(); fprintf(- stderr,- "MajorGC: PID Runtime Timestamp Reason States "- "FSNR budget total ");-#define PRINT_PROFILE_HEADER(name, text, phase) \- fprintf(stderr, " %-6.6s", text);+ file,+ "MajorGC: PID Runtime Timestamp Reason States "+ "FSNR budget total bgwrk ");+#define PRINT_PROFILE_HEADER(name, text, phase) fprintf(file, " %-6.6s", text); FOR_EACH_GC_PROFILE_TIME(PRINT_PROFILE_HEADER) #undef PRINT_PROFILE_HEADER- fprintf(stderr, "\n");+ fprintf(file, "\n"); } /* static */ void Statistics::printProfileTimes(const ProfileDurations& times) {+ FILE* file = profileFile(); for (auto time : times) {- fprintf(stderr, " %6" PRIi64, static_cast<int64_t>(time.ToMilliseconds()));- }- fprintf(stderr, "\n");+ fprintf(file, " %6" PRIi64, static_cast<int64_t>(time.ToMilliseconds()));+ }+ fprintf(file, "\n");+}++static TimeDuration SumAllPhaseKinds(const Statistics::PhaseKindTimes& times) {+ TimeDuration sum;+ for (PhaseKind kind : AllPhaseKinds()) {+ sum += times[kind];+ }+ return sum; } void Statistics::printSliceProfile() {@@ -1592,22 +1596,26 @@ bool nonIncremental = nonincrementalReason_ != GCAbortReason::None; bool full = zoneStats.isFullCollection();- fprintf(- stderr, "MajorGC: %6zu %14p %10.6f %-20.20s %1d -> %1d %1s%1s%1s%1s ",- size_t(getpid()), gc->rt, ts.ToSeconds(), ExplainGCReason(slice.reason),- int(slice.initialState), int(slice.finalState), full ? "F" : "",- shrinking ? "S" : "", nonIncremental ? "N" : "", reset ? "R" : "");+ FILE* file = profileFile();+ fprintf(file, "MajorGC: %7zu %14p %10.6f %-20.20s %1d -> %1d %1s%1s%1s%1s ",+ size_t(getpid()), gc->rt, ts.ToSeconds(),+ ExplainGCReason(slice.reason), int(slice.initialState),+ int(slice.finalState), full ? "F" : "", shrinking ? "S" : "",+ nonIncremental ? "N" : "", reset ? "R" : ""); if (!nonIncremental && !slice.budget.isUnlimited() && slice.budget.isTimeBudget()) {- fprintf(stderr, " %6" PRIi64, slice.budget.timeBudget());+ fprintf(file, " %6" PRIi64, slice.budget.timeBudget()); } else {- fprintf(stderr, " ");+ fprintf(file, " "); } ProfileDurations times; times[ProfileKey::Total] = slice.duration(); totalTimes_[ProfileKey::Total] += times[ProfileKey::Total];++ times[ProfileKey::Background] = SumAllPhaseKinds(slice.totalParallelTimes);+ totalTimes_[ProfileKey::Background] += times[ProfileKey::Background]; #define GET_PROFILE_TIME(name, text, phase) \ times[ProfileKey::name] = SumPhase(phase, slice.phaseTimes); \@@ -1619,11 +1627,14 @@ } void Statistics::printTotalProfileTimes() {- if (enableProfiling_) {- fprintf(stderr,- "MajorGC: %6zu %14p TOTALS: %7" PRIu64- " slices: ",- size_t(getpid()), gc->rt, sliceCount_);- printProfileTimes(totalTimes_);- }-}+ if (!enableProfiling_) {+ return;+ }++ FILE* file = profileFile();+ fprintf(file,+ "MajorGC: %7zu %14p TOTALS: %7" PRIu64+ " slices: ",+ size_t(getpid()), gc->rt, sliceCount_);+ printProfileTimes(totalTimes_);+}
Here is the security analysis of the provided code diff:
1. Vulnerability Existed: yes
File Descriptor Leak [File] js/src/gc/Statistics.cpp [Lines 100-125]
[Old Code]
```cpp
static FILE* MaybeOpenFileFromEnv(const char* env) {
FILE* file;
const char* value = getenv(env);
if (!value) {
return nullptr;
}
```
[Fixed Code]
```cpp
static FILE* MaybeOpenFileFromEnv(const char* env,
FILE* defaultFile = nullptr) {
const char* value = getenv(env);
if (!value) {
return defaultFile;
}
FILE* file;
```
Details: The old code could potentially leak file descriptors if `getenv` returned NULL, as it would return `nullptr` without properly closing any previously opened files. The new code properly handles this case by returning a default file (which can be `nullptr`).
2. Vulnerability Existed: yes
Buffer Overflow/Unbounded File Writing [File] js/src/gc/Statistics.cpp [Lines 125]
[Old Code]
```cpp
file = fopen(value, "a");
if (!file) {
perror("opening log file");
MOZ_CRASH("Failed to open log file.");
}
```
[Fixed Code]
```cpp
file = fopen(value, "a");
if (!file || setvbuf(file, nullptr, _IOLBF, 256) != 0) {
perror("Error opening log file");
MOZ_CRASH("Failed to open log file.");
}
```
Details: The old code didn't set any buffering for the opened file, which could lead to unbounded writes or performance issues. The new code adds line buffering with a 256-byte buffer size, which is more secure and performant.
3. Vulnerability Existed: not sure
Potential Information Leak [File] js/src/gc/Statistics.cpp [Lines 1556-1568]
[Old Code]
```cpp
fprintf(
stderr,
"MajorGC: PID Runtime Timestamp Reason States "
"FSNR budget total ");
```
[Fixed Code]
```cpp
FILE* file = profileFile();
fprintf(
file,
"MajorGC: PID Runtime Timestamp Reason States "
"FSNR budget total bgwrk ");
```
Details: The change from `stderr` to a configurable `profileFile()` might be security-related (preventing sensitive information from being written to stderr), but without more context about the profile file's permissions and location, this is uncertain.
Note: Several other changes appear to be performance optimizations or code cleanups rather than security fixes (e.g., the phase time resets and parallel time calculations). These don't appear to have direct security implications.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-shapes/shape-outside/assorted/float-retry-push-polygon.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-shapes/shape-outside/assorted/float-retry-push-polygon.html@@ -5,7 +5,6 @@ <link rel="author" title="Mozilla" href="http://www.mozilla.org/"> <link rel="help" href="https://drafts.csswg.org/css-shapes-1/"> <link rel="match" href="reference/float-retry-push-ref.html">-<meta name="flags" content=""> <meta name="assert" content="Test that a too-wide inline block is pushed in the block direction along a shape-outside polygon until it fits."> <style> body {
Analysis of the provided code diff: 1. Vulnerability Existed: no No security vulnerability found [File] [Lines 5] Old Code: <meta name="flags" content=""> Fixed Code: (line removed) Additional Notes: - The diff shows only the removal of an empty meta "flags" tag, which doesn't appear to have any security implications - This appears to be a test file cleanup rather than a security fix - No known vulnerabilities are associated with this change - The modification doesn't affect any security-related functionality or introduce/remove any security controls
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/tools/wptrunner/wptrunner/browsers/webkitgtk_minibrowser.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/tools/wptrunner/wptrunner/browsers/webkitgtk_minibrowser.py@@ -4,19 +4,18 @@ maybe_add_args) from .webkit import WebKitBrowser from ..executors import executor_kwargs as base_executor_kwargs+from ..executors.base import WdspecExecutor # noqa: F401 from ..executors.executorwebdriver import (WebDriverTestharnessExecutor, # noqa: F401 WebDriverRefTestExecutor, # noqa: F401 WebDriverCrashtestExecutor) # noqa: F401-from ..executors.executorwebkit import WebKitDriverWdspecExecutor # noqa: F401 __wptrunner__ = {"product": "webkitgtk_minibrowser", "check_args": "check_args",- "browser": {None: "WebKitGTKMiniBrowser",- "wdspec": "NullBrowser"},+ "browser": "WebKitGTKMiniBrowser", "browser_kwargs": "browser_kwargs", "executor": {"testharness": "WebDriverTestharnessExecutor", "reftest": "WebDriverRefTestExecutor",- "wdspec": "WebKitDriverWdspecExecutor",+ "wdspec": "WdspecExecutor", "crashtest": "WebDriverCrashtestExecutor"}, "executor_kwargs": "executor_kwargs", "env_extras": "env_extras",@@ -40,13 +39,13 @@ def capabilities(server_config, **kwargs): browser_required_args = ["--automation",- "--javascript-can-open-windows-automatically=true",- "--enable-xss-auditor=false",- "--enable-media-capabilities=true",- "--enable-encrypted-media=true",- "--enable-media-stream=true",- "--enable-mock-capture-devices=true",- "--enable-webaudio=true"]+ "--javascript-can-open-windows-automatically=true",+ "--enable-xss-auditor=false",+ "--enable-media-capabilities=true",+ "--enable-encrypted-media=true",+ "--enable-media-stream=true",+ "--enable-mock-capture-devices=true",+ "--enable-webaudio=true"] args = kwargs.get("binary_args", []) args = maybe_add_args(browser_required_args, args) return {@@ -78,7 +77,4 @@ class WebKitGTKMiniBrowser(WebKitBrowser):- def __init__(self, logger, binary=None, webdriver_binary=None,- webdriver_args=None, **kwargs):- WebKitBrowser.__init__(self, logger, binary, webdriver_binary,- webdriver_args)+ pass
Let me analyze the code diff for potential security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential XSS Auditor Disabling] [testing/web-platform/tests/tools/wptrunner/wptrunner/browsers/webkitgtk_minibrowser.py] [Lines 39-46]
[Old Code]
["--enable-xss-auditor=false",
"--enable-media-capabilities=true",
[Fixed Code]
["--enable-xss-auditor=false",
"--enable-media-capabilities=true",
Note: The XSS auditor being disabled might be a security concern, but it appears this was not changed in the diff, just reformatted.
2. Vulnerability Existed: not sure
[Executor Class Change] [testing/web-platform/tests/tools/wptrunner/wptrunner/browsers/webkitgtk_minibrowser.py] [Lines 14-16]
[Old Code]
"wdspec": "WebKitDriverWdspecExecutor",
[Fixed Code]
"wdspec": "WdspecExecutor",
Note: The change from a WebKit-specific executor to a more generic one might have security implications, but without seeing the implementation of both classes, it's hard to determine.
3. Vulnerability Existed: no
[Code Simplification] [testing/web-platform/tests/tools/wptrunner/wptrunner/browsers/webkitgtk_minibrowser.py] [Lines 77-80]
[Old Code]
def __init__(self, logger, binary=None, webdriver_binary=None,
webdriver_args=None, **kwargs):
WebKitBrowser.__init__(self, logger, binary, webdriver_binary,
webdriver_args)
[Fixed Code]
pass
Note: This appears to be just code simplification by removing redundant initialization, no security impact.
The main changes appear to be:
1. Import changes and executor class changes
2. Formatting adjustments in the capabilities list
3. Class simplification
None of these changes clearly introduce or fix security vulnerabilities, though there might be implications from the executor class change that aren't visible in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/WavDumper.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/WavDumper.h@@ -9,6 +9,7 @@ # include <stdio.h> # include <stdint.h> # include <nsTArray.h>+# include <nsString.h> # include <mozilla/Unused.h> # include <mozilla/Atomics.h> # include <mozilla/DebugOnly.h>@@ -45,7 +46,12 @@ } void OpenExplicit(const char* aPath, uint32_t aChannels, uint32_t aRate) {+# ifdef XP_WIN+ nsAutoString widePath = NS_ConvertUTF8toUTF16(aPath);+ mFile = _wfopen(widePath.get(), L"wb");+# else mFile = fopen(aPath, "wb");+# endif if (!mFile) { NS_WARNING("Could not open file to DUMP a wav. Is sandboxing disabled?"); return;
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: yes
Vulnerability Name: Path Handling Vulnerability (Potential Unicode/Path Handling Issue) [File] dom/media/WavDumper.h [Lines 45-50]
Old Code:
mFile = fopen(aPath, "wb");
Fixed Code:
# ifdef XP_WIN
nsAutoString widePath = NS_ConvertUTF8toUTF16(aPath);
mFile = _wfopen(widePath.get(), L"wb");
# else
mFile = fopen(aPath, "wb");
# endif
Additional Details:
The fix addresses a potential path handling vulnerability on Windows systems. The old code used fopen() with UTF-8 paths on Windows, which could lead to incorrect file handling or security issues when dealing with non-ASCII paths. The new code properly converts UTF-8 paths to UTF-16 (wide character strings) on Windows using _wfopen(), which is the correct way to handle Unicode paths on Windows. This prevents potential file access issues and ensures proper handling of international characters in file paths.
2. Vulnerability Existed: not sure
Potential Issue: Missing Input Validation [File] dom/media/WavDumper.h [Lines 45-50]
Old Code:
mFile = fopen(aPath, "wb");
Fixed Code:
# ifdef XP_WIN
nsAutoString widePath = NS_ConvertUTF8toUTF16(aPath);
mFile = _wfopen(widePath.get(), L"wb");
# else
mFile = fopen(aPath, "wb");
# endif
Additional Details:
While the diff shows improved path handling, it's unclear if there's any additional validation of the aPath parameter. There might be a potential vulnerability if aPath comes from untrusted sources without proper validation, but this cannot be determined from the given diff alone. The fix focuses on proper path encoding but doesn't show if path validation was added.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/webrtc/jsapi/TransceiverImpl.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/webrtc/jsapi/TransceiverImpl.h@@ -126,6 +126,19 @@ mJsepTransceiver->mRecvTrack.GetActive(); }+ Maybe<const std::vector<UniquePtr<JsepCodecDescription>>&>+ GetNegotiatedSendCodecs() const;++ Maybe<const std::vector<UniquePtr<JsepCodecDescription>>&>+ GetNegotiatedRecvCodecs() const;++ struct PayloadTypes {+ Maybe<int> mSendPayloadType;+ Maybe<int> mRecvPayloadType;+ };+ using ActivePayloadTypesPromise = MozPromise<PayloadTypes, nsresult, true>;+ RefPtr<ActivePayloadTypesPromise> GetActivePayloadTypes() const;+ MediaSessionConduit* GetConduit() const { return mConduit; } // nsISupports@@ -139,6 +152,19 @@ static nsresult NegotiatedDetailsToVideoCodecConfigs( const JsepTrackNegotiatedDetails& aDetails, std::vector<VideoCodecConfig>* aConfigs);++ /**+ * Takes a set of codec stats (per-peerconnection) and a set of+ * transceiver/transceiver-stats-promise tuples. Filters out all referenced+ * codec stats based on the transceiver's transport and rtp stream stats.+ * Finally returns the flattened stats containing the filtered codec stats and+ * all given per-transceiver-stats.+ */+ static RefPtr<dom::RTCStatsPromise> ApplyCodecStats(+ nsTArray<dom::RTCCodecStats> aCodecStats,+ nsTArray<std::tuple<TransceiverImpl*,+ RefPtr<dom::RTCStatsPromise::AllPromiseType>>>+ aTransceiverStatsPromises); AbstractCanonical<bool>* CanonicalReceiving() { return &mReceiving; } AbstractCanonical<bool>* CanonicalTransmitting() { return &mTransmitting; }@@ -178,7 +204,7 @@ nsCOMPtr<nsPIDOMWindowInner> mWindow; const std::string mPCHandle; RefPtr<MediaTransportHandler> mTransportHandler;- RefPtr<JsepTransceiver> mJsepTransceiver;+ const RefPtr<JsepTransceiver> mJsepTransceiver; bool mHaveSetupTransport; nsCOMPtr<nsISerialEventTarget> mMainThread; nsCOMPtr<nsISerialEventTarget> mStsThread;
After analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily adding new functionality and making minor modifications to existing code structure. Here's the analysis: 1. Vulnerability Existed: no No specific vulnerability found in this diff The changes mainly involve: - Adding new methods for getting negotiated codecs - Adding a new PayloadTypes structure and related promise - Adding a new static method ApplyCodecStats - Making mJsepTransceiver const 2. Vulnerability Existed: no No specific vulnerability found in this diff The change making mJsepTransceiver const (line 204) could be considered a hardening measure, but it's not fixing a specific vulnerability, just improving code safety. The diff shows additions of new functionality related to WebRTC transceivers and codec handling, but no clear security fixes are present. The changes appear to be feature additions and code quality improvements rather than vulnerability patches.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wast/src/ast/wast.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wast/src/ast/wast.rs@@ -7,6 +7,7 @@ /// WAST files are not officially specified but are used in the official test /// suite to write official spec tests for wasm. This type represents a parsed /// `*.wast` file which parses a list of directives in a file.+#[derive(Debug)] pub struct Wast<'a> { #[allow(missing_docs)] pub directives: Vec<WastDirective<'a>>,@@ -51,6 +52,7 @@ /// It's not entirely clear to me what all of these are per se, but they're only /// really interesting to test harnesses mostly. #[allow(missing_docs)]+#[derive(Debug)] pub enum WastDirective<'a> { Module(ast::Module<'a>), QuoteModule {@@ -265,6 +267,7 @@ } #[allow(missing_docs)]+#[derive(Debug)] pub enum WastExecute<'a> { Invoke(WastInvoke<'a>), Module(ast::Module<'a>),@@ -294,6 +297,7 @@ } #[allow(missing_docs)]+#[derive(Debug)] pub struct WastInvoke<'a> { pub span: ast::Span, pub module: Option<ast::Id<'a>>,@@ -320,6 +324,7 @@ } #[allow(missing_docs)]+#[derive(Debug)] pub enum QuoteModule<'a> { Module(ast::Module<'a>), Quote(Vec<&'a [u8]>),
Based on the provided code diff, I'll analyze it for security fixes. The changes primarily involve adding `#[derive(Debug)]` to several structs and enums.
Analysis for each change:
1. First change (Wast struct):
Vulnerability Existed: no
No vulnerability name - File: third_party/rust/wast/src/ast/wast.rs - Lines: 7
Old Code: (no Debug derive)
Fixed Code: #[derive(Debug)]
2. Second change (WastDirective enum):
Vulnerability Existed: no
No vulnerability name - File: third_party/rust/wast/src/ast/wast.rs - Lines: 52
Old Code: (no Debug derive)
Fixed Code: #[derive(Debug)]
3. Third change (WastExecute enum):
Vulnerability Existed: no
No vulnerability name - File: third_party/rust/wast/src/ast/wast.rs - Lines: 267
Old Code: (no Debug derive)
Fixed Code: #[derive(Debug)]
4. Fourth change (WastInvoke struct):
Vulnerability Existed: no
No vulnerability name - File: third_party/rust/wast/src/ast/wast.rs - Lines: 297
Old Code: (no Debug derive)
Fixed Code: #[derive(Debug)]
5. Fifth change (QuoteModule enum):
Vulnerability Existed: no
No vulnerability name - File: third_party/rust/wast/src/ast/wast.rs - Lines: 324
Old Code: (no Debug derive)
Fixed Code: #[derive(Debug)]
Summary:
The changes are all about adding Debug trait derivation to several types. This is a development convenience feature rather than a security fix, as it enables better debugging capabilities by allowing these types to be printed in debug output. There are no apparent security vulnerabilities being fixed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/threading/ProtectedData.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/threading/ProtectedData.cpp@@ -30,6 +30,12 @@ Helper == AllowedHelperThread::GCTaskOrIonCompile) { JSContext* cx = TlsContext.get(); if (cx->defaultFreeOp()->isCollecting()) {+ return true;+ }+ }++ if (Helper == AllowedHelperThread::ParseTask) {+ if (CurrentThreadIsParseThread()) { return true; } }@@ -69,6 +75,7 @@ template class CheckMainThread<AllowedHelperThread::None>; template class CheckMainThread<AllowedHelperThread::GCTask>;+template class CheckMainThread<AllowedHelperThread::ParseTask>; template class CheckMainThread<AllowedHelperThread::IonCompile>; template <AllowedHelperThread Helper>
Analyzing the provided code diff, here's the security analysis:
1. Vulnerability Existed: not sure
[Potential Thread Safety Issue] [js/src/threading/ProtectedData.cpp] [Lines 30-38]
[Old Code]
Helper == AllowedHelperThread::GCTaskOrIonCompile) {
JSContext* cx = TlsContext.get();
if (cx->defaultFreeOp()->isCollecting()) {
return true;
}
}
[Fixed Code]
Helper == AllowedHelperThread::GCTaskOrIonCompile) {
JSContext* cx = TlsContext.get();
if (cx->defaultFreeOp()->isCollecting()) {
return true;
}
}
if (Helper == AllowedHelperThread::ParseTask) {
if (CurrentThreadIsParseThread()) {
return true;
}
}
Additional Details: The change adds a new condition for ParseTask threads, but it's unclear if this was fixing a specific vulnerability or just adding functionality. The modification could potentially address a thread safety issue by properly handling parse threads.
2. Vulnerability Existed: not sure
[Potential Template Instantiation Issue] [js/src/threading/ProtectedData.cpp] [Lines 69-72]
[Old Code]
template class CheckMainThread<AllowedHelperThread::None>;
template class CheckMainThread<AllowedHelperThread::GCTask>;
template class CheckMainThread<AllowedHelperThread::IonCompile>;
[Fixed Code]
template class CheckMainThread<AllowedHelperThread::None>;
template class CheckMainThread<AllowedHelperThread::GCTask>;
template class CheckMainThread<AllowedHelperThread::ParseTask>;
template class CheckMainThread<AllowedHelperThread::IonCompile>;
Additional Details: The addition of the ParseTask template instantiation might be related to thread safety or proper template specialization, but without more context, it's unclear if this was fixing a specific vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.