Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/html/HTMLSlotElement.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/html/HTMLSlotElement.cpp@@ -228,18 +228,12 @@ // Clear out existing assigned nodes if (mInManualShadowRoot) {- nsTArray<RefPtr<nsINode>> assignedNodes(std::move(mAssignedNodes));- for (RefPtr<nsINode>& node : assignedNodes) {- nsIContent* content = node->AsContent();- HTMLSlotElement* oldSlot = content->GetAssignedSlot();- MOZ_RELEASE_ASSERT(oldSlot == this);- if (changedSlots.EnsureInserted(oldSlot)) {- if (root) {- MOZ_ASSERT(oldSlot->GetContainingShadow() == root);- root->InvalidateStyleAndLayoutOnSubtree(oldSlot);- }- }- oldSlot->RemoveAssignedNode(*content);+ if (!mAssignedNodes.IsEmpty()) {+ changedSlots.EnsureInserted(this);+ if (root) {+ root->InvalidateStyleAndLayoutOnSubtree(this);+ }+ ClearAssignedNodes(); } MOZ_ASSERT(mAssignedNodes.IsEmpty());
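Review bot: the replacement drops two invariants the old loop enforced for every node, MOZ_RELEASE_ASSERT(oldSlot == this) and MOZ_ASSERT(oldSlot->GetContainingShadow() == root), and it stops using the return value of changedSlots.EnsureInserted(this), so root->InvalidateStyleAndLayoutOnSubtree(this) now runs on every call with a non-empty mAssignedNodes rather than only the first time this slot enters changedSlots. Both are probably intended, but a short comment saying so would help, and ClearAssignedNodes() should be confirmed to reset each node's assigned-slot back-pointer the way oldSlot->RemoveAssignedNode(*content) did, since nothing left in this hunk does that.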
Here's the analysis of the provided code diff:

Vulnerability Existed: not sure
Potential Memory Safety Issue
[File] dom/html/HTMLSlotElement.cpp [Lines 228-242]

[Old Code]
```cpp
nsTArray<RefPtr<nsINode>> assignedNodes(std::move(mAssignedNodes));
for (RefPtr<nsINode>& node : assignedNodes) {
  nsIContent* content = node->AsContent();
  HTMLSlotElement* oldSlot = content->GetAssignedSlot();
  MOZ_RELEASE_ASSERT(oldSlot == this);
  if (changedSlots.EnsureInserted(oldSlot)) {
    if (root) {
      MOZ_ASSERT(oldSlot->GetContainingShadow() == root);
      root->InvalidateStyleAndLayoutOnSubtree(oldSlot);
    }
  }
  oldSlot->RemoveAssignedNode(*content);
}
```

[Fixed Code]
```cpp
if (!mAssignedNodes.IsEmpty()) {
  changedSlots.EnsureInserted(this);
  if (root) {
    root->InvalidateStyleAndLayoutOnSubtree(this);
  }
  ClearAssignedNodes();
}
```

The changes appear to simplify the node removal process and potentially address some memory safety concerns by:

1. Removing the manual iteration through assigned nodes
2. Using a dedicated ClearAssignedNodes() method instead of manual removal
3. Removing the need for multiple assertions and checks during iteration

While this could potentially fix memory safety issues (like use-after-free during node removal), without more context about the ClearAssignedNodes() implementation or specific bug reports, I can't definitively identify a specific vulnerability. The changes do make the code more robust by centralizing the node removal logic.

Note: If this was fixing a specific CVE or bug, that information would typically be in the commit message, which isn't provided here.
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.empty.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.empty.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -26,7 +26,7 @@ ctx.moveTo(40, 25); ctx.moveTo(60, 25); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes (variable renaming) rather than security-related fixes. Here's the analysis:

1. Vulnerability Existed: no
   No vulnerability found
   [File] testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.empty.worker.js [Lines] 13-26

Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```

Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```

The changes simply rename the variable `offscreenCanvas` to `canvas` for consistency or clarity, but this doesn't represent any security fix. The functionality remains exactly the same.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.transformation.basic.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.transformation.basic.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -23,7 +23,7 @@ ctx.translate(0, -100); ctx.fillStyle = '#0f0'; ctx.fill();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes where a variable name was changed from `offscreenCanvas` to `canvas` for consistency or clarity. Here's the structured response:

Vulnerability Existed: no
No security vulnerability found
[testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.transformation.basic.worker.js] [Lines 13-14, 23]

[Old Code]
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```

[Fixed Code]
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```

The changes don't indicate any security fixes - just variable renaming for better code readability or consistency. No known vulnerability patterns are present in either the old or new code.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/wr/webrender/src/spatial_node.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/wr/webrender/src/spatial_node.rs@@ -3,7 +3,8 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */-use api::{ExternalScrollId, PipelineId, PropertyBinding, PropertyBindingId, ReferenceFrameKind, ScrollLocation};+use api::{ExternalScrollId, PipelineId, PropertyBinding, PropertyBindingId, ReferenceFrameKind};+use api::{APZScrollGeneration, HasScrollLinkedEffect, SampledScrollOffset}; use api::{TransformStyle, StickyOffsetBounds, SpatialTreeItemKey}; use api::units::*; use crate::internal_types::PipelineInstanceId;@@ -194,6 +195,8 @@ content_size: &LayoutSize, frame_kind: ScrollFrameKind, external_scroll_offset: LayoutVector2D,+ offset_generation: APZScrollGeneration,+ has_scroll_linked_effect: HasScrollLinkedEffect, is_root_coord_system: bool, ) -> Self { let node_type = SpatialNodeType::ScrollFrame(ScrollFrameInfo::new(@@ -205,6 +208,8 @@ external_id, frame_kind, external_scroll_offset,+ offset_generation,+ has_scroll_linked_effect, ) );@@ -320,7 +325,9 @@ self.children.push(child); }- pub fn set_scroll_offset(&mut self, offset: &LayoutVector2D) -> bool {+ pub fn set_scroll_offsets(&mut self, mut offsets: Vec<SampledScrollOffset>) -> bool {+ debug_assert!(offsets.len() > 0);+ let scrolling = match self.node_type { SpatialNodeType::ScrollFrame(ref mut scrolling) => scrolling, _ => {@@ -329,13 +336,15 @@ } };- let new_offset = -*offset - scrolling.external_scroll_offset;-- if new_offset == scrolling.offset {+ for element in offsets.iter_mut() {+ element.offset = -element.offset - scrolling.external_scroll_offset;+ }++ if scrolling.offsets == offsets { return false; }- scrolling.offset = new_offset;+ scrolling.offsets = offsets; true }@@ 
-685,12 +694,12 @@ state.scroll_offset = info.current_offset; } SpatialNodeType::ScrollFrame(ref scrolling) => {- state.parent_accumulated_scroll_offset += scrolling.offset;- state.nearest_scrolling_ancestor_offset = scrolling.offset;+ state.parent_accumulated_scroll_offset += scrolling.offset();+ state.nearest_scrolling_ancestor_offset = scrolling.offset(); state.nearest_scrolling_ancestor_viewport = scrolling.viewport_rect; state.preserves_3d = false; state.external_id = Some(scrolling.external_id);- state.scroll_offset = scrolling.offset + scrolling.external_scroll_offset;+ state.scroll_offset = scrolling.offset() + scrolling.external_scroll_offset; } SpatialNodeType::ReferenceFrame(ref info) => { state.external_id = None;@@ -706,70 +715,16 @@ } }- pub fn scroll(&mut self, scroll_location: ScrollLocation) -> bool {- // TODO(gw): This scroll method doesn't currently support- // scroll nodes with non-zero external scroll- // offsets. However, it's never used by Gecko,- // which is the only client that requires- // non-zero external scroll offsets.-- let scrolling = match self.node_type {- SpatialNodeType::ScrollFrame(ref mut scrolling) => scrolling,- _ => return false,- };-- let delta = match scroll_location {- ScrollLocation::Delta(delta) => delta,- ScrollLocation::Start => {- if scrolling.offset.y.round() >= 0.0 {- // Nothing to do on this layer.- return false;- }-- scrolling.offset.y = 0.0;- return true;- }- ScrollLocation::End => {- let end_pos = -scrolling.scrollable_size.height;- if scrolling.offset.y.round() <= end_pos {- // Nothing to do on this layer.- return false;- }-- scrolling.offset.y = end_pos;- return true;- }- };-- let scrollable_width = scrolling.scrollable_size.width;- let scrollable_height = scrolling.scrollable_size.height;- let original_layer_scroll_offset = scrolling.offset;-- if scrollable_width > 0. {- scrolling.offset.x = (scrolling.offset.x + delta.x)- .min(0.0)- .max(-scrollable_width);- }-- if scrollable_height > 0. 
{- scrolling.offset.y = (scrolling.offset.y + delta.y)- .min(0.0)- .max(-scrollable_height);- }-- scrolling.offset != original_layer_scroll_offset- }- pub fn scroll_offset(&self) -> LayoutVector2D { match self.node_type {- SpatialNodeType::ScrollFrame(ref scrolling) => scrolling.offset,+ SpatialNodeType::ScrollFrame(ref scrolling) => scrolling.offset(), _ => LayoutVector2D::zero(), } } pub fn matches_external_id(&self, external_id: ExternalScrollId) -> bool { match self.node_type {- SpatialNodeType::ScrollFrame(info) if info.external_id == external_id => true,+ SpatialNodeType::ScrollFrame(ref info) if info.external_id == external_id => true, _ => false, } }@@ -801,7 +756,7 @@ Explicit, }-#[derive(Copy, Clone, Debug, PartialEq)]+#[derive(Clone, Debug, PartialEq)] #[cfg_attr(feature = "capture", derive(Serialize))] #[cfg_attr(feature = "replay", derive(Deserialize))] pub struct ScrollFrameInfo {@@ -830,15 +785,25 @@ /// pre-scrolled in their local coordinates. pub external_scroll_offset: LayoutVector2D,- /// The negated scroll offset of this scroll node. including the- /// pre-scrolled amount. If, for example, a scroll node was pre-scrolled- /// to y=10 (10 pixels down from the initial unscrolled position), then+ /// A set of a pair of negated scroll offset and scroll generation of this+ /// scroll node. The negated scroll offset is including the pre-scrolled+ /// amount. If, for example, a scroll node was pre-scrolled to y=10 (10+ /// pixels down from the initial unscrolled position), then /// `external_scroll_offset` would be (0,10), and this `offset` field would /// be (0,-10). 
If WebRender is then asked to change the scroll position by /// an additional 10 pixels (without changing the pre-scroll amount in the /// display list), `external_scroll_offset` would remain at (0,10) and /// `offset` would change to (0,-20).- pub offset: LayoutVector2D,+ pub offsets: Vec<SampledScrollOffset>,++ /// The generation of the external_scroll_offset.+ /// This is used to pick up the most appropriate scroll offset sampled+ /// off the main thread.+ pub offset_generation: APZScrollGeneration,++ /// Whether the document containing this scroll frame has any scroll-linked+ /// effect or not.+ pub has_scroll_linked_effect: HasScrollLinkedEffect, } /// Manages scrolling offset.@@ -849,14 +814,46 @@ external_id: ExternalScrollId, frame_kind: ScrollFrameKind, external_scroll_offset: LayoutVector2D,+ offset_generation: APZScrollGeneration,+ has_scroll_linked_effect: HasScrollLinkedEffect, ) -> ScrollFrameInfo { ScrollFrameInfo { viewport_rect,- offset: -external_scroll_offset, scrollable_size, external_id, frame_kind, external_scroll_offset,+ offsets: vec![SampledScrollOffset{+ // If this scroll frame is a newly created one, using+ // `external_scroll_offset` and `offset_generation` is correct.+ // If this scroll frame is a result of updating an existing+ // scroll frame and if there have already been sampled async+ // scroll offsets by APZ, then these offsets will be replaced in+ // SpatialTree::set_scroll_offsets via a+ // RenderBackend::update_document call.+ offset: -external_scroll_offset,+ generation: offset_generation.clone(),+ }],+ offset_generation,+ has_scroll_linked_effect,+ }+ }++ pub fn offset(&self) -> LayoutVector2D {+ debug_assert!(self.offsets.len() > 0, "There should be at least one sampled offset!");++ if self.has_scroll_linked_effect == HasScrollLinkedEffect::No {+ // If there's no scroll-linked effect, use the one-frame delay offset.+ return self.offsets.first().map_or(LayoutVector2D::zero(), |sampled| sampled.offset);+ }++ match 
self.offsets.iter().find(|sampled| sampled.generation == self.offset_generation) {+ // If we found an offset having the same generation, use it.+ Some(sampled) => sampled.offset,+ // If we don't have any offset having the same generation, i.e.+ // the generation of this scroll frame is behind sampled offsets,+ // use the first queued sampled offset.+ _ => self.offsets.first().map_or(LayoutVector2D::zero(), |sampled| sampled.offset), } } }@@ -942,6 +939,7 @@ ReferenceFrameKind::Transform { is_2d_scale_translation: false, should_snap: false,+ paired_with_perspective: false, }, LayoutVector2D::zero(), pipeline_id,@@ -956,6 +954,8 @@ &LayoutSize::new(100.0, 500.0), ScrollFrameKind::Explicit, LayoutVector2D::zero(),+ APZScrollGeneration::default(),+ HasScrollLinkedEffect::No, SpatialNodeUid::external(SpatialTreeItemKey::new(0, 1), PipelineId::dummy(), pid), );@@ -967,6 +967,8 @@ &LayoutSize::new(100.0, 500.0), ScrollFrameKind::Explicit, LayoutVector2D::new(0.0, 50.0),+ APZScrollGeneration::default(),+ HasScrollLinkedEffect::No, SpatialNodeUid::external(SpatialTreeItemKey::new(0, 3), PipelineId::dummy(), pid), );
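Review bot: in the set_scroll_offsets hunk, `debug_assert!(offsets.len() > 0);` is compiled out of release builds, so an empty Vec can still be stored into scrolling.offsets; offset() then quietly falls back to LayoutVector2D::zero() through map_or, which turns a caller bug into a scroll to the origin with no diagnostic. Consider an early `return false` (or a hard assert) on empty input, and say in the doc comment on `offsets` that the vector is never empty, since the new comment text ("A set of a pair of negated scroll offset and scroll generation") does not make that invariant clear.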
Here is the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
   [Potential Scroll Offset Handling Vulnerability]
   [gfx/wr/webrender/src/spatial_node.rs] [Lines 194-208, 320-349, 685-706, 801-856]

[Old Code]
```rust
pub fn set_scroll_offset(&mut self, offset: &LayoutVector2D) -> bool {
    let scrolling = match self.node_type {
        SpatialNodeType::ScrollFrame(ref mut scrolling) => scrolling,
        _ => {
            return false;
        }
    };
    let new_offset = -*offset - scrolling.external_scroll_offset;
    if new_offset == scrolling.offset {
        return false;
    }
    scrolling.offset = new_offset;
    true
}
```

[Fixed Code]
```rust
pub fn set_scroll_offsets(&mut self, mut offsets: Vec<SampledScrollOffset>) -> bool {
    debug_assert!(offsets.len() > 0);
    let scrolling = match self.node_type {
        SpatialNodeType::ScrollFrame(ref mut scrolling) => scrolling,
        _ => {
            return false;
        }
    };
    for element in offsets.iter_mut() {
        element.offset = -element.offset - scrolling.external_scroll_offset;
    }
    if scrolling.offsets == offsets {
        return false;
    }
    scrolling.offsets = offsets;
    true
}
```

Additional Details: The change introduces a more complex scroll offset handling mechanism with multiple sampled offsets and generation tracking. While not clearly a security fix, it could potentially address race conditions or synchronization issues in scroll handling.

2. Vulnerability Existed: not sure
   [Potential Reference Frame Vulnerability]
   [gfx/wr/webrender/src/spatial_node.rs] [Lines 801-856]

[Old Code]
```rust
#[derive(Copy, Clone, Debug, PartialEq)]
pub struct ScrollFrameInfo {
    // ...
    pub offset: LayoutVector2D,
}
```

[Fixed Code]
```rust
#[derive(Clone, Debug, PartialEq)]
pub struct ScrollFrameInfo {
    // ...
    pub offsets: Vec<SampledScrollOffset>,
    pub offset_generation: APZScrollGeneration,
    pub has_scroll_linked_effect: HasScrollLinkedEffect,
}
```

Additional Details: The change from a single offset to multiple sampled offsets with generation tracking could potentially address synchronization or state management issues, though it's not clearly a security fix.

3. Vulnerability Existed: not sure
   [Potential Scroll Generation Mismatch Vulnerability]
   [gfx/wr/webrender/src/spatial_node.rs] [Lines 801-856]

[Old Code]
N/A (no generation tracking)

[Fixed Code]
```rust
pub fn offset(&self) -> LayoutVector2D {
    debug_assert!(self.offsets.len() > 0, "There should be at least one sampled offset!");
    if self.has_scroll_linked_effect == HasScrollLinkedEffect::No {
        return self.offsets.first().map_or(LayoutVector2D::zero(), |sampled| sampled.offset);
    }
    match self.offsets.iter().find(|sampled| sampled.generation == self.offset_generation) {
        Some(sampled) => sampled.offset,
        _ => self.offsets.first().map_or(LayoutVector2D::zero(), |sampled| sampled.offset),
    }
}
```

Additional Details: The new offset selection logic based on scroll generation could potentially prevent mismatches between scroll updates and their application, though it's not clearly a security fix.

Note: While none of these changes are explicitly marked as security fixes, they introduce more robust handling of scroll state which could potentially address race conditions or synchronization issues that might have security implications. The changes appear to be more about improving functionality and reliability than directly addressing known vulnerabilities.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/dns/HTTPSSVC.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/dns/HTTPSSVC.h@@ -100,7 +100,7 @@ Maybe<uint16_t> GetPort() const; bool NoDefaultAlpn() const; void GetIPHints(CopyableTArray<mozilla::net::NetAddr>& aAddresses) const;- nsTArray<nsCString> GetAllAlpn() const;+ nsTArray<Tuple<nsCString, SupportedAlpnRank>> GetAllAlpn() const; uint16_t mSvcFieldPriority = 0; nsCString mSvcDomainName; nsCString mEchConfig;@@ -112,7 +112,7 @@ struct SVCBWrapper { explicit SVCBWrapper(const SVCB& aRecord) : mRecord(aRecord) {}- Maybe<Tuple<nsCString, SupportedAlpnType>> mAlpn;+ Maybe<Tuple<nsCString, SupportedAlpnRank>> mAlpn; const SVCB& mRecord; };@@ -123,7 +123,7 @@ explicit SVCBRecord(const SVCB& data) : mData(data), mPort(Nothing()), mAlpn(Nothing()) {} explicit SVCBRecord(const SVCB& data,- Maybe<Tuple<nsCString, SupportedAlpnType>> aAlpn);+ Maybe<Tuple<nsCString, SupportedAlpnRank>> aAlpn); private: friend class DNSHTTPSSVCRecordBase;@@ -132,7 +132,7 @@ SVCB mData; Maybe<uint16_t> mPort;- Maybe<Tuple<nsCString, SupportedAlpnType>> mAlpn;+ Maybe<Tuple<nsCString, SupportedAlpnRank>> mAlpn; }; class DNSHTTPSSVCRecordBase {
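Review bot: every SupportedAlpnType in this header becomes SupportedAlpnRank and GetAllAlpn() now returns nsTArray<Tuple<nsCString, SupportedAlpnRank>>, but none of the shown hunks adds an include or forward declaration for SupportedAlpnRank, so confirm the type is already visible from HTTPSSVC.h; the callers of GetAllAlpn() that consumed plain nsCString entries must change too, and that side of the rename is not part of this diff.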
Analyzing the provided code diff, I notice changes in the type usage from `SupportedAlpnType` to `SupportedAlpnRank`. However, this appears to be more of a type/implementation refinement rather than a security fix. Here's my analysis:

1. Vulnerability Existed: no
   Type Refinement
   [File] netwerk/dns/HTTPSSVC.h [Lines 100, 112, 123, 132]
   Old Code: Various uses of `SupportedAlpnType` and simple `nsCString` return
   Fixed Code: Changed to use `SupportedAlpnRank` consistently and added ranking information to ALPN return

Additional observations:
- The changes appear to be implementing a more sophisticated ALPN (Application-Layer Protocol Negotiation) handling system
- The modification adds ranking information to ALPN strings, which could improve security by enabling better protocol selection
- No clear vulnerability is being fixed here - this seems to be an enhancement rather than a security patch

No security vulnerabilities were identified in this diff. The changes appear to be implementation improvements rather than security fixes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/feature-policy/reporting/sync-xhr-reporting.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/feature-policy/reporting/sync-xhr-reporting.html@@ -11,7 +11,7 @@ var check_report_format = (reports, observer) => { let report = reports[0];- assert_equals(report.type, "feature-policy-violation");+ assert_equals(report.type, "permissions-policy-violation"); assert_equals(report.url, document.location.href); assert_equals(report.body.featureId, "sync-xhr"); assert_equals(report.body.sourceFile, document.location.href);@@ -22,7 +22,7 @@ }; new ReportingObserver(t.step_func_done(check_report_format),- {types: ['feature-policy-violation']}).observe();+ {types: ['permissions-policy-violation']}).observe(); t.step_func(() => { var xhr = new XMLHttpRequest();
Analyzing the provided code diff, here's the security assessment:

1. Vulnerability Existed: not sure
   [Feature Policy to Permissions Policy Renaming]
   [testing/web-platform/tests/feature-policy/reporting/sync-xhr-reporting.html] [Lines 11,22]

[Old Code]
```javascript
assert_equals(report.type, "feature-policy-violation");
{types: ['feature-policy-violation']}).observe();
```

[Fixed Code]
```javascript
assert_equals(report.type, "permissions-policy-violation");
{types: ['permissions-policy-violation']}).observe();
```

Additional Details: This appears to be a standardization update rather than a security fix, changing from "feature-policy" to "permissions-policy" terminology. While this isn't a direct security vulnerability fix, it's worth noting that using outdated terminology could potentially lead to compatibility or interpretation issues. The change aligns with the W3C specification which renamed Feature Policy to Permissions Policy.

No other vulnerabilities were identified in this diff. The changes appear to be purely related to terminology updates in line with evolving web standards.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/xhr/XMLHttpRequestWorker.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/xhr/XMLHttpRequestWorker.cpp@@ -30,7 +30,6 @@ #include "mozilla/dom/UnionConversions.h" #include "mozilla/dom/URLSearchParams.h" #include "mozilla/dom/WorkerScope.h"-#include "mozilla/dom/WorkerPrivate.h" #include "mozilla/dom/WorkerRef.h" #include "mozilla/dom/WorkerRunnable.h" #include "mozilla/dom/XMLHttpRequestBinding.h"@@ -406,10 +405,12 @@ } nsresult Cancel() override {- // This must run!+ // We need to check first if cancel is called twice nsresult rv = MainThreadProxyRunnable::Cancel();- nsresult rv2 = Run();- return NS_FAILED(rv) ? rv : rv2;+ NS_ENSURE_SUCCESS(rv, rv);++ // On the first cancel, this must run!+ return Run(); } };@@ -1267,9 +1268,8 @@ } void SendRunnable::RunOnMainThread(ErrorResult& aRv) {- nsresult rv = mProxy->mXHR->CheckCurrentGlobalCorrectness();- if (NS_WARN_IF(NS_FAILED(rv))) {- aRv = rv;+ // Before we change any state let's check if we can send.+ if (!mProxy->mXHR->CanSend(aRv)) { return; }@@ -1886,6 +1886,11 @@ return; }+ if (mStateData->mReadyState != XMLHttpRequest_Binding::OPENED) {+ aRv.ThrowInvalidStateError("XMLHttpRequest state must be OPENED.");+ return;+ }+ if (!mProxy || mStateData->mFlagSend) { aRv.Throw(NS_ERROR_DOM_INVALID_STATE_ERR); return;
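Review bot: the new Cancel() depends on MainThreadProxyRunnable::Cancel() returning a failure code on a second call, and NS_ENSURE_SUCCESS(rv, rv) will log a warning every time that path is taken; the comment "We need to check first if cancel is called twice" should state that contract, because any other failure from the base Cancel() now also skips Run(), whereas the old code ran it unconditionally ("This must run!") and only reported the first error.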
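Review bot: in the RunOnMainThread hunk the early return on `!mProxy->mXHR->CanSend(aRv)` only reports an error if CanSend() itself populates aRv on the failure path; the replaced code set `aRv = rv` explicitly, so confirm CanSend() does the same, otherwise a refused send returns to the caller with no exception.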
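Review bot: the added readyState check dereferences mStateData before the existing `if (!mProxy || mStateData->mFlagSend)` test, which previously only touched mStateData once mProxy was known to be non-null; if mStateData can be null whenever mProxy is, the new check needs to come after that guard. The two consecutive invalid-state paths also throw differently (ThrowInvalidStateError with a message versus aRv.Throw(NS_ERROR_DOM_INVALID_STATE_ERR)), so consider giving the second a message too.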
Here's the security analysis following the specified format:

1. Vulnerability Existed: yes
   Double Cancel Vulnerability
   [dom/xhr/XMLHttpRequestWorker.cpp] [Lines 406-412]

[Old Code]
```cpp
nsresult Cancel() override {
  // This must run!
  nsresult rv = MainThreadProxyRunnable::Cancel();
  nsresult rv2 = Run();
  return NS_FAILED(rv) ? rv : rv2;
}
```

[Fixed Code]
```cpp
nsresult Cancel() override {
  // We need to check first if cancel is called twice
  nsresult rv = MainThreadProxyRunnable::Cancel();
  NS_ENSURE_SUCCESS(rv, rv);
  // On the first cancel, this must run!
  return Run();
}
```

2. Vulnerability Existed: yes
   Missing State Check Vulnerability
   [dom/xhr/XMLHttpRequestWorker.cpp] [Lines 1886-1891]

[Old Code]
```cpp
if (!mProxy || mStateData->mFlagSend) {
  aRv.Throw(NS_ERROR_DOM_INVALID_STATE_ERR);
  return;
```

[Fixed Code]
```cpp
if (mStateData->mReadyState != XMLHttpRequest_Binding::OPENED) {
  aRv.ThrowInvalidStateError("XMLHttpRequest state must be OPENED.");
  return;
}
if (!mProxy || mStateData->mFlagSend) {
  aRv.Throw(NS_ERROR_DOM_INVALID_STATE_ERR);
  return;
```

3. Vulnerability Existed: not sure
   Potential XHR Security Check Vulnerability
   [dom/xhr/XMLHttpRequestWorker.cpp] [Lines 1267-1271]

[Old Code]
```cpp
nsresult rv = mProxy->mXHR->CheckCurrentGlobalCorrectness();
if (NS_WARN_IF(NS_FAILED(rv))) {
  aRv = rv;
  return;
}
```

[Fixed Code]
```cpp
// Before we change any state let's check if we can send.
if (!mProxy->mXHR->CanSend(aRv)) {
  return;
}
```

The changes appear to address several security concerns:

1. The first fix prevents potential issues from double cancellation by adding proper checks
2. The second fix adds missing state validation before certain operations
3. The third change might be related to more comprehensive security checks before sending requests, though the exact security implications are unclear without seeing the implementation of CanSend()
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/crossbeam-channel/tests/golang.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/crossbeam-channel/tests/golang.rs@@ -8,6 +8,8 @@ //! - https://golang.org/AUTHORS //! - https://golang.org/LICENSE //! - https://golang.org/PATENTS++#![allow(clippy::mutex_atomic, clippy::redundant_clone)] use std::alloc::{GlobalAlloc, Layout, System}; use std::any::Any;@@ -176,7 +178,7 @@ if !ret.is_null() { ALLOCATED.fetch_add(layout.size(), SeqCst); }- return ret;+ ret } unsafe fn dealloc(&self, ptr: *mut u8, layout: Layout) {@@ -232,6 +234,9 @@ mod doubleselect { use super::*;+ #[cfg(miri)]+ const ITERATIONS: i32 = 100;+ #[cfg(not(miri))] const ITERATIONS: i32 = 10_000; fn sender(n: i32, c1: Chan<i32>, c2: Chan<i32>, c3: Chan<i32>, c4: Chan<i32>) {@@ -691,6 +696,11 @@ mod select2 { use super::*;+ #[cfg(miri)]+ const N: i32 = 1000;+ #[cfg(not(miri))]+ const N: i32 = 100000;+ #[test] fn main() { fn sender(c: &Chan<i32>, n: i32) {@@ -702,9 +712,7 @@ fn receiver(c: &Chan<i32>, dummy: &Chan<i32>, n: i32) { for _ in 0..n { select! 
{- recv(c.rx()) -> _ => {- ()- }+ recv(c.rx()) -> _ => {} recv(dummy.rx()) -> _ => { panic!("dummy"); }@@ -717,15 +725,18 @@ ALLOCATED.store(0, SeqCst);- go!(c, sender(&c, 100000));- receiver(&c, &dummy, 100000);+ go!(c, sender(&c, N));+ receiver(&c, &dummy, N); let alloc = ALLOCATED.load(SeqCst);- go!(c, sender(&c, 100000));- receiver(&c, &dummy, 100000);-- assert!(!(ALLOCATED.load(SeqCst) > alloc && (ALLOCATED.load(SeqCst) - alloc) > 110000))+ go!(c, sender(&c, N));+ receiver(&c, &dummy, N);++ assert!(+ !(ALLOCATED.load(SeqCst) > alloc+ && (ALLOCATED.load(SeqCst) - alloc) > (N as usize + 10000))+ ) } }@@ -913,6 +924,9 @@ #[test] fn test_chan() {+ #[cfg(miri)]+ const N: i32 = 20;+ #[cfg(not(miri))] const N: i32 = 200; for cap in 0..N {@@ -1052,6 +1066,9 @@ #[test] fn test_nonblock_recv_race() {+ #[cfg(miri)]+ const N: usize = 100;+ #[cfg(not(miri))] const N: usize = 1000; for _ in 0..N {@@ -1073,6 +1090,9 @@ #[test] fn test_nonblock_select_race() {+ #[cfg(miri)]+ const N: usize = 100;+ #[cfg(not(miri))] const N: usize = 1000; let done = make::<bool>(1);@@ -1106,6 +1126,9 @@ #[test] fn test_nonblock_select_race2() {+ #[cfg(miri)]+ const N: usize = 100;+ #[cfg(not(miri))] const N: usize = 1000; let done = make::<bool>(1);@@ -1142,6 +1165,11 @@ // Ensure that send/recv on the same chan in select // does not crash nor deadlock.+ #[cfg(miri)]+ const N: usize = 100;+ #[cfg(not(miri))]+ const N: usize = 1000;+ for &cap in &[0, 10] { let wg = WaitGroup::new(); wg.add(2);@@ -1151,7 +1179,7 @@ let p = p; go!(wg, p, c, { defer! { wg.done() }- for i in 0..1000 {+ for i in 0..N { if p == 0 || i % 2 == 0 { select! 
{ send(c.tx(), p) -> _ => {}@@ -1180,14 +1208,17 @@ #[test] fn test_select_stress() {+ #[cfg(miri)]+ const N: usize = 100;+ #[cfg(not(miri))]+ const N: usize = 10000;+ let c = vec![ make::<i32>(0), make::<i32>(0), make::<i32>(2), make::<i32>(3), ];-- const N: usize = 10000; // There are 4 goroutines that send N values on each of the chans, // + 4 goroutines that receive N values on each of the chans,@@ -1286,6 +1317,9 @@ #[test] fn test_select_fairness() {+ #[cfg(miri)]+ const TRIALS: usize = 100;+ #[cfg(not(miri))] const TRIALS: usize = 10000; let c1 = make::<u8>(TRIALS + 1);@@ -1369,6 +1403,9 @@ #[test] fn test_pseudo_random_send() {+ #[cfg(miri)]+ const N: usize = 20;+ #[cfg(not(miri))] const N: usize = 100; for cap in 0..N {@@ -1412,6 +1449,9 @@ #[test] fn test_multi_consumer() { const NWORK: usize = 23;+ #[cfg(miri)]+ const NITER: usize = 100;+ #[cfg(not(miri))] const NITER: usize = 271828; let pn = [2, 3, 7, 11, 13, 17, 19, 23, 27, 31];@@ -1510,6 +1550,9 @@ use super::*; // sent messages+ #[cfg(miri)]+ const N: usize = 100;+ #[cfg(not(miri))] const N: usize = 1000; // receiving "goroutines" const M: usize = 10;
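Review bot: in the select2 hunk the allocation check `assert!(!(ALLOCATED.load(SeqCst) > alloc && (ALLOCATED.load(SeqCst) - alloc) > (N as usize + 10000)))` reads the counter twice and uses a double negation to guard the unsigned subtraction; `assert!(ALLOCATED.load(SeqCst) <= alloc + N as usize + 10000)` is equivalent, reads the counter once and is easier to verify. The remaining hunks only lower iteration counts under `#[cfg(miri)]`, which leaves non-Miri builds unchanged.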
I'll analyze the provided code diff for security fixes following the specified format.

1. Vulnerability Existed: no
   No specific vulnerability found
   File: third_party/rust/crossbeam-channel/tests/golang.rs
   Old Code: Various test constants and configurations
   Fixed Code: Added Miri-specific configurations with lower iteration counts

2. Vulnerability Existed: no
   Code style improvement
   File: third_party/rust/crossbeam-channel/tests/golang.rs [Lines 176-178]
   Old Code: `return ret;`
   Fixed Code: `ret`

3. Vulnerability Existed: no
   Test optimization
   File: third_party/rust/crossbeam-channel/tests/golang.rs [Lines 725-727]
   Old Code: Hardcoded value `110000` in assertion
   Fixed Code: Dynamic calculation using `(N as usize + 10000)`

4. Vulnerability Existed: no
   Linter configuration
   File: third_party/rust/crossbeam-channel/tests/golang.rs [Lines 8-10]
   Old Code: No linter exceptions
   Fixed Code: Added `#![allow(clippy::mutex_atomic, clippy::redundant_clone)]`

The changes appear to be primarily focused on:
1. Adding support for Miri (Rust's experimental interpreter) with reduced iteration counts
2. Code style improvements
3. Making test assertions more dynamic
4. Adding linter exceptions for specific cases
5. General test optimizations

No security vulnerabilities were identified in these changes. The modifications are mostly related to test configurations and code quality improvements rather than security fixes.
If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/pocket/content/panels/js/main.bundle.js.LICENSE.txt+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/pocket/content/panels/js/main.bundle.js.LICENSE.txt@@ -1,32 +1,23 @@-/*-object-assign-(c) Sindre Sorhus-@license MIT-*/+/*!***********************************!*\+ !*** ./content/panels/js/main.js ***!+ \***********************************/-/** @license React v0.20.2- * scheduler.production.min.js- *- * Copyright (c) Facebook, Inc. and its affiliates.- *- * This source code is licensed under the MIT license found in the- * LICENSE file in the root directory of this source tree.- */+/*!***************************************!*\+ !*** ./content/panels/js/messages.js ***!+ \***************************************/-/** @license React v17.0.2- * react-dom.production.min.js- *- * Copyright (c) Facebook, Inc. and its affiliates.- *- * This source code is licensed under the MIT license found in the- * LICENSE file in the root directory of this source tree.- */+/*!*******************************************!*\+ !*** ./content/panels/js/home/overlay.js ***!+ \*******************************************/-/** @license React v17.0.2- * react.production.min.js- *- * Copyright (c) Facebook, Inc. 
and its affiliates.- *- * This source code is licensed under the MIT license found in the- * LICENSE file in the root directory of this source tree.- */+/*!********************************************!*\+ !*** ./content/panels/js/saved/overlay.js ***!+ \********************************************/++/*!*********************************************!*\+ !*** ./content/panels/js/signup/overlay.js ***!+ \*********************************************/++/*!********************************************************!*\+ !*** ./content/panels/js/components/PopularTopics.jsx ***!+ \********************************************************/
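Review bot: the rewritten file drops the MIT notices for object-assign (Sindre Sorhus) and for React 17.0.2 / scheduler 0.20.2 (Facebook) and replaces them with webpack module-path banners that carry no license text at all. MIT requires the copyright and permission notice to accompany the distributed code, so either those packages are no longer part of main.bundle.js or their notices now have to live somewhere else, and the commit should say which; a `.LICENSE.txt` whose only content is `./content/panels/js/...` paths is also misleading about its purpose.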
Based on the provided diff, this appears to be a license file change showing updates to the attribution comments for various JavaScript files. I don't see any actual code changes that would indicate security fixes, just changes to license headers and file references.

Here's the analysis following your requested format:

Vulnerability Existed: no
No security vulnerability found
[File] [Lines 1-32]
[Old License headers]
[New License headers]

Additional observations:
1. The changes only affect license attribution comments
2. No actual code modifications are shown in the diff
3. The changes appear to be organizational (updating file references)
4. No known vulnerabilities are being patched in this diff

The diff shows a restructuring of license headers from specific library attributions (React, object-assign) to file path references for the Pocket panel components, but no security-related changes are evident.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/editor/libeditor/EditorDOMPoint.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/editor/libeditor/EditorDOMPoint.h@@ -764,7 +764,8 @@ return false; }- if (mChild && mChild->GetParentNode() != mParent) {+ if (mChild &&+ (mChild->GetParentNode() != mParent || mChild->IsBeingRemoved())) { return false; } if (mOffset.isSome() && mOffset.value() > mParent->Length()) {@@ -1213,6 +1214,34 @@ return EditorDOMRangeInTexts(mStart.AsInText(), mEnd.AsInText()); }+ bool EnsureNotInNativeAnonymousSubtree() {+ if (mStart.IsInNativeAnonymousSubtree()) {+ nsIContent* parent = nullptr;+ for (parent = mStart.ContainerAsContent()+ ->GetClosestNativeAnonymousSubtreeRootParent();+ parent && parent->IsInNativeAnonymousSubtree();+ parent = parent->GetClosestNativeAnonymousSubtreeRootParent()) {+ }+ if (MOZ_UNLIKELY(!parent)) {+ return false;+ }+ mStart.Set(parent);+ }+ if (mEnd.IsInNativeAnonymousSubtree()) {+ nsIContent* parent = nullptr;+ for (parent = mEnd.ContainerAsContent()+ ->GetClosestNativeAnonymousSubtreeRootParent();+ parent && parent->IsInNativeAnonymousSubtree();+ parent = parent->GetClosestNativeAnonymousSubtreeRootParent()) {+ }+ if (MOZ_UNLIKELY(!parent)) {+ return false;+ }+ mEnd.SetAfter(parent);+ }+ return true;+ }+ private: EditorDOMPointType mStart; EditorDOMPointType mEnd;
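Review bot: the added `mChild->IsBeingRemoved()` condition in the @@ -764 hunk is the right direction, but the old check already rejected a child whose parent no longer matches, so the new case is specifically a child that is still parented to `mParent` while its removal is in flight; a one-line comment naming that window (and the caller that hit it) would stop someone from "simplifying" the condition back later.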
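Review bot: in `EnsureNotInNativeAnonymousSubtree()` the `mStart` block assigns `mStart.Set(parent)` before the `mEnd` block can fail, so a `false` return can leave the range half-adjusted (start moved out of the anonymous subtree, end untouched). Compute both ancestors first and assign only when both are non-null, or document that the range must not be used after a `false`. The two climbing loops are also identical apart from `Set` versus `SetAfter`; a small static helper returning the closest non-anonymous ancestor would remove the duplication and the empty `for` bodies, which read like a mistake at first glance.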
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: yes
   DOM Node Validation Issue
   [File] editor/libeditor/EditorDOMPoint.h [Lines] 764-765
   [Old Code]
   if (mChild && mChild->GetParentNode() != mParent) {
   [Fixed Code]
   if (mChild && (mChild->GetParentNode() != mParent || mChild->IsBeingRemoved())) {
   The fix adds a check for whether the child node is being removed, which could prevent potential use-after-free or invalid DOM state issues when working with nodes in the process of being removed.

2. Vulnerability Existed: yes
   Native Anonymous Subtree Handling
   [File] editor/libeditor/EditorDOMPoint.h [Lines] 1214-1234
   [Old Code] (New function added, no old code)
   [Fixed Code]
```
bool EnsureNotInNativeAnonymousSubtree() {
  if (mStart.IsInNativeAnonymousSubtree()) {
    nsIContent* parent = nullptr;
    for (parent = mStart.ContainerAsContent()
                      ->GetClosestNativeAnonymousSubtreeRootParent();
         parent && parent->IsInNativeAnonymousSubtree();
         parent = parent->GetClosestNativeAnonymousSubtreeRootParent()) {
    }
    if (MOZ_UNLIKELY(!parent)) {
      return false;
    }
    mStart.Set(parent);
  }
  if (mEnd.IsInNativeAnonymousSubtree()) {
    nsIContent* parent = nullptr;
    for (parent = mEnd.ContainerAsContent()
                      ->GetClosestNativeAnonymousSubtreeRootParent();
         parent && parent->IsInNativeAnonymousSubtree();
         parent = parent->GetClosestNativeAnonymousSubtreeRootParent()) {
    }
    if (MOZ_UNLIKELY(!parent)) {
      return false;
    }
    mEnd.SetAfter(parent);
  }
  return true;
}
```
   The new function adds proper handling for native anonymous subtrees, which could prevent security issues related to accessing or modifying content in these special DOM trees. This appears to be a defense-in-depth measure against potential privilege escalation or content manipulation vulnerabilities.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/dav1d/src/decode.c+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/dav1d/src/decode.c@@ -2949,14 +2949,10 @@ goto error; } }- Dav1dTileState *ts_new = dav1d_alloc_aligned(sizeof(*f->ts) * n_ts, 32);- if (!ts_new) goto error;- if (f->ts) {- memcpy(ts_new, f->ts, sizeof(*f->ts) * imin(n_ts, f->n_ts));- dav1d_free_aligned(f->ts);- }+ dav1d_free_aligned(f->ts);+ f->ts = dav1d_alloc_aligned(sizeof(*f->ts) * n_ts, 32);+ if (!f->ts) goto error; f->n_ts = n_ts;- f->ts = ts_new; } const int a_sz = f->sb128w * f->frame_hdr->tiling.rows * (1 + (c->n_fc > 1 && c->n_tc > 1));@@ -3497,7 +3493,9 @@ if (out_delayed->p.data[0]) { const unsigned progress = atomic_load_explicit(&out_delayed->progress[1], memory_order_relaxed);- if (out_delayed->visible && progress != FRAME_ERROR) {+ if ((out_delayed->visible || c->output_invisible_frames) &&+ progress != FRAME_ERROR)+ { dav1d_picture_ref(&c->out, &out_delayed->p); c->event_flags |= dav1d_picture_get_event_flags(out_delayed); }@@ -3671,7 +3669,7 @@ // move f->cur into output queue if (c->n_fc == 1) {- if (f->frame_hdr->show_frame) {+ if (f->frame_hdr->show_frame || c->output_invisible_frames) { dav1d_picture_ref(&c->out, &f->sr_cur.p); c->event_flags |= dav1d_picture_get_event_flags(&f->sr_cur); }
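Review bot: in the @@ -2949 hunk `f->ts` is freed and then reassigned from `dav1d_alloc_aligned`, so on allocation failure the code reaches `error` with `f->ts == NULL` while `f->n_ts` still holds the previous count (it is only updated after the allocation succeeds); the old code left the previous buffer intact on failure. Any cleanup that walks `f->n_ts` tile states, or a later frame that reuses them, now has to tolerate a NULL array with a stale count, so either reset `f->n_ts = 0` before the `goto error` or show that the error path already handles it. Dropping the `memcpy` is only safe if every tile state is reinitialised below, which this hunk does not show.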
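Review bot: the `c->output_invisible_frames` changes at @@ -3497 and @@ -3671 widen the same condition in two places; the first keeps the `progress != FRAME_ERROR` guard and the second has none, which is consistent with the single-frame-context path not tracking progress, but a shared comment saying that invisible frames are now deliberately emitted to the output queue would help, and the opening brace moved onto its own line in the @@ -3497 hunk does not match the surrounding style.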
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
   Memory Leak/Allocation Issue
   [third_party/dav1d/src/decode.c] [Lines 2949-2956]
   Old Code:
```
Dav1dTileState *ts_new = dav1d_alloc_aligned(sizeof(*f->ts) * n_ts, 32);
if (!ts_new) goto error;
if (f->ts) {
    memcpy(ts_new, f->ts, sizeof(*f->ts) * imin(n_ts, f->n_ts));
    dav1d_free_aligned(f->ts);
}
f->n_ts = n_ts;
f->ts = ts_new;
```
   Fixed Code:
```
dav1d_free_aligned(f->ts);
f->ts = dav1d_alloc_aligned(sizeof(*f->ts) * n_ts, 32);
if (!f->ts) goto error;
f->n_ts = n_ts;
```
   Note: The change simplifies memory management by freeing the old allocation before allocating new memory, which could potentially fix a memory leak or race condition.

2. Vulnerability Existed: not sure
   Logic Error/Incomplete Frame Handling
   [third_party/dav1d/src/decode.c] [Lines 3497-3500]
   Old Code:
```
if (out_delayed->visible && progress != FRAME_ERROR) {
```
   Fixed Code:
```
if ((out_delayed->visible || c->output_invisible_frames) &&
    progress != FRAME_ERROR)
```
   Note: The change adds a condition to handle invisible frames when output_invisible_frames is set, which might prevent incorrect frame filtering.

3. Vulnerability Existed: not sure
   Logic Error/Incomplete Frame Handling
   [third_party/dav1d/src/decode.c] [Line 3671]
   Old Code:
```
if (f->frame_hdr->show_frame) {
```
   Fixed Code:
```
if (f->frame_hdr->show_frame || c->output_invisible_frames) {
```
   Note: Similar to the previous change, this adds handling for invisible frames when output_invisible_frames is set.

While these changes appear to be functional improvements rather than direct security fixes, they could potentially prevent issues like memory leaks or incorrect frame processing that might lead to security vulnerabilities in certain scenarios. However, without more context about the specific vulnerabilities being addressed, I can't definitively identify any known vulnerabilities.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-151.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-151.xml@@ -10,7 +10,6 @@ <link rel="author" title="Ian Hickson" href="mailto:[email protected]"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found --> <link rel="match" href="reference/this-line-lime-background-offset.xht"/>- <meta name="flags" content="" /> </head> <body> <address> </address>
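Review bot: the only change is deleting an empty `<meta name="flags" content="" />` from the test's `<head>`; the `<link rel="match">` reference and the rest of the head are untouched, so this is cleanup with no effect on what the test exercises, and nothing in it bears on the sandbox advisory this scan is for.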
Based on the provided diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: no
   Meta Tag Removal
   [File] [Lines 10]
   [Old Code] <meta name="flags" content="" />
   [Fixed Code] (removed)

Additional Details:
- The change simply removes an empty meta tag with a "flags" attribute. This doesn't appear to be related to any security vulnerability.
- The "flags" meta tag was likely used for test configuration but wasn't serving any purpose in this case since it was empty.
- There are no known security vulnerabilities associated with removing such a meta tag.
- The change appears to be a simple cleanup rather than a security fix.

No other vulnerabilities are apparent in this small diff. The modification doesn't show any signs of fixing XSS, injection, or other common web security issues.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/intl/unicharutil/util/nsUnicodeProperties.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/intl/unicharutil/util/nsUnicodeProperties.cpp@@ -9,7 +9,7 @@ #include "mozilla/ArrayUtils.h" #include "mozilla/HashTable.h"-#include "nsCharTraits.h"+#include "mozilla/intl/Segmenter.h" #include "BaseChars.h" #include "IsCombiningDiacritic.h"@@ -167,145 +167,11 @@ (aCh >= 0xe0020 && aCh <= 0xe007f)); // emoji (flag) tag characters }-enum HSType {- HST_NONE = U_HST_NOT_APPLICABLE,- HST_L = U_HST_LEADING_JAMO,- HST_V = U_HST_VOWEL_JAMO,- HST_T = U_HST_TRAILING_JAMO,- HST_LV = U_HST_LV_SYLLABLE,- HST_LVT = U_HST_LVT_SYLLABLE-};--static HSType GetHangulSyllableType(uint32_t aCh) {- return HSType(intl::UnicodeProperties::GetIntPropertyValue(- aCh, intl::UnicodeProperties::IntProperty::HangulSyllableType));-}--void ClusterIterator::Next() {- if (AtEnd()) {- NS_WARNING("ClusterIterator has already reached the end");- return;- }-- uint32_t ch = *mPos++;-- if (mPos < mLimit && NS_IS_SURROGATE_PAIR(ch, *mPos)) {- ch = SURROGATE_TO_UCS4(ch, *mPos++);- } else if ((ch & ~0xff) == 0x1100 || (ch >= 0xa960 && ch <= 0xa97f) ||- (ch >= 0xac00 && ch <= 0xd7ff)) {- // Handle conjoining Jamo that make Hangul syllables- HSType hangulState = GetHangulSyllableType(ch);- while (mPos < mLimit) {- ch = *mPos;- HSType hangulType = GetHangulSyllableType(ch);- switch (hangulType) {- case HST_L:- case HST_LV:- case HST_LVT:- if (hangulState == HST_L) {- hangulState = hangulType;- mPos++;- continue;- }- break;- case HST_V:- if ((hangulState != HST_NONE) && (hangulState != HST_T) &&- (hangulState != HST_LVT)) {- hangulState = hangulType;- mPos++;- continue;- }- break;- case HST_T:- if (hangulState != HST_NONE && hangulState != HST_L) {- hangulState = hangulType;- mPos++;- continue;- }- break;- default:- break;- }- break;- }- }-- const uint32_t 
kVS16 = 0xfe0f;- const uint32_t kZWJ = 0x200d;- // UTF-16 surrogate values for Fitzpatrick type modifiers- const uint32_t kFitzpatrickHigh = 0xD83C;- const uint32_t kFitzpatrickLowFirst = 0xDFFB;- const uint32_t kFitzpatrickLowLast = 0xDFFF;-- bool baseIsEmoji = (GetEmojiPresentation(ch) == EmojiDefault) ||- (GetEmojiPresentation(ch) == TextDefault &&- ((mPos < mLimit && *mPos == kVS16) ||- (mPos + 1 < mLimit && *mPos == kFitzpatrickHigh &&- *(mPos + 1) >= kFitzpatrickLowFirst &&- *(mPos + 1) <= kFitzpatrickLowLast)));- bool prevWasZwj = false;-- while (mPos < mLimit) {- ch = *mPos;- size_t chLen = 1;-- // Check for surrogate pairs; note that isolated surrogates will just- // be treated as generic (non-cluster-extending) characters here,- // which is fine for cluster-iterating purposes- if (mPos < mLimit - 1 && NS_IS_SURROGATE_PAIR(ch, *(mPos + 1))) {- ch = SURROGATE_TO_UCS4(ch, *(mPos + 1));- chLen = 2;- }-- bool extendCluster =- IsClusterExtender(ch) ||- (baseIsEmoji && prevWasZwj &&- ((GetEmojiPresentation(ch) == EmojiDefault) ||- (GetEmojiPresentation(ch) == TextDefault && mPos + chLen < mLimit &&- *(mPos + chLen) == kVS16)));- if (!extendCluster) {- break;- }-- prevWasZwj = (ch == kZWJ);- mPos += chLen;- }-- NS_ASSERTION(mText < mPos && mPos <= mLimit,- "ClusterIterator::Next has overshot the string!");-}--void ClusterReverseIterator::Next() {- if (AtEnd()) {- NS_WARNING("ClusterReverseIterator has already reached the end");- return;- }-- uint32_t ch;- do {- ch = *--mPos;-- if (mPos > mLimit && NS_IS_SURROGATE_PAIR(*(mPos - 1), ch)) {- ch = SURROGATE_TO_UCS4(*--mPos, ch);- }-- if (!IsClusterExtender(ch)) {- break;- }- } while (mPos > mLimit);-- // XXX May need to handle conjoining Jamo-- NS_ASSERTION(mPos >= mLimit,- "ClusterReverseIterator::Next has overshot the string!");-}--uint32_t CountGraphemeClusters(const char16_t* aText, uint32_t aLength) {- ClusterIterator iter(aText, aLength);+uint32_t CountGraphemeClusters(Span<const char16_t> aText) {+ 
intl::GraphemeClusterBreakIteratorUtf16 iter(aText); uint32_t result = 0;- while (!iter.AtEnd()) {+ while (iter.Next()) { ++result;- iter.Next(); } return result; }
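Review bot: `CountGraphemeClusters` now increments once per successful `iter.Next()` instead of once per iteration of `while (!iter.AtEnd())`, so the count is "boundaries reported by the new iterator" rather than "clusters stepped over"; the two agree only if the new iterator does not report a boundary at offset 0 and does report one at the end of the text, and neither is visible in this hunk. A unit test pinning an empty span to 0 and a single base-plus-combining-mark sequence to 1 would lock that contract in. The signature change from `(const char16_t*, uint32_t)` to `Span<const char16_t>` is a welcome tightening, but every caller changes with it and none are in this diff.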
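Review bot: the deleted `ClusterReverseIterator::Next()` still carried `// XXX May need to handle conjoining Jamo`, i.e. the old forward and reverse iterators disagreed on Hangul, and the deleted forward code did its own surrogate-pair bounds arithmetic (`mPos < mLimit - 1`, `mPos + 1 < mLimit`); both are the kind of hand-rolled Unicode segmentation that is worth replacing with one shared implementation, so this hunk is a net reduction in risk. One check before landing: `#include "nsCharTraits.h"` was dropped along with the code that used `NS_IS_SURROGATE_PAIR` and `SURROGATE_TO_UCS4`, so confirm nothing else in the file still depends on it.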
Based on the provided code diff, I'll analyze it for security vulnerabilities:

1. Vulnerability Existed: not sure
   [Potential Memory Safety Issue]
   [intl/unicharutil/util/nsUnicodeProperties.cpp] [Lines 167-167]
   [Old Code: Custom cluster iteration implementation]
   [Fixed Code: Uses mozilla::intl::GraphemeClusterBreakIteratorUtf16]
   Note: The change replaces a complex custom implementation of grapheme cluster counting with a standardized library implementation. While not clearly a security fix, this type of change often addresses potential edge cases and memory safety issues in custom string handling code.

2. Vulnerability Existed: not sure
   [Potential Unicode Handling Issues]
   [intl/unicharutil/util/nsUnicodeProperties.cpp] [Lines throughout]
   [Old Code: Custom Hangul/Jamo and emoji handling]
   [Fixed Code: Removed in favor of library implementation]
   Note: The removal of custom Hangul/Jamo syllable handling and emoji presentation logic suggests these might have been sources of potential security issues, though not explicitly stated. Complex Unicode handling often contains edge cases that could lead to security vulnerabilities.

The main changes appear to be:
1. Replacing custom character property handling with standardized library implementations
2. Removing complex custom grapheme cluster detection logic
3. Simplifying the interface to use Span<const char16_t> instead of raw pointer+length

While not explicitly security fixes, these changes likely improve security by:
- Reducing attack surface in custom code
- Using well-tested library implementations
- Modernizing memory-safe interfaces (using Span)

No specific CVEs or vulnerability names are clearly indicated by these changes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/canvas/CanvasRenderingContext2D.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/canvas/CanvasRenderingContext2D.cpp@@ -154,7 +154,7 @@ const size_t MAX_STYLE_STACK_SIZE = 1024; /* Memory reporter stuff */-static int64_t gCanvasAzureMemoryUsed = 0;+static Atomic<int64_t> gCanvasAzureMemoryUsed(0); // Adds Save() / Restore() calls to the scope. class MOZ_RAII AutoSaveRestore {@@ -817,6 +817,7 @@ // Make sure we remove ourselves from the list of demotable contexts (raw // pointers), since we're logically destructed at this point. NS_IMPL_CYCLE_COLLECTION_UNLINK(mCanvasElement)+ NS_IMPL_CYCLE_COLLECTION_UNLINK(mOffscreenCanvas) NS_IMPL_CYCLE_COLLECTION_UNLINK(mDocShell) for (uint32_t i = 0; i < tmp->mStyleStack.Length(); i++) { ImplCycleCollectionUnlink(tmp->mStyleStack[i].patternStyles[Style::STROKE]);@@ -845,6 +846,7 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(CanvasRenderingContext2D) NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mCanvasElement)+ NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mOffscreenCanvas) NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mDocShell) for (uint32_t i = 0; i < tmp->mStyleStack.Length(); i++) { ImplCycleCollectionTraverse(@@ -960,7 +962,7 @@ **/ // Initialize our static variables.-uintptr_t CanvasRenderingContext2D::sNumLivingContexts = 0;+Atomic<uintptr_t> CanvasRenderingContext2D::sNumLivingContexts(0); DrawTarget* CanvasRenderingContext2D::sErrorTarget = nullptr; CanvasRenderingContext2D::CanvasRenderingContext2D(@@ -977,14 +979,12 @@ mHasPendingStableStateCallback(false), mIsEntireFrameInvalid(false), mPredictManyRedrawCalls(false),- mIsCapturedFrameInvalid(false),+ mFrameCaptureState(FrameCaptureState::CLEAN,+ "CanvasRenderingContext2D::mFrameCaptureState"), mPathTransformWillUpdate(false), mInvalidateCount(0), mWriteOnly(false) { sNumLivingContexts++;-- mShutdownObserver = new 
CanvasShutdownObserver(this);- nsContentUtils::RegisterShutdownObserver(mShutdownObserver); } CanvasRenderingContext2D::~CanvasRenderingContext2D() {@@ -997,6 +997,8 @@ NS_IF_RELEASE(sErrorTarget); } }++void CanvasRenderingContext2D::Initialize() { AddShutdownObserver(); } JSObject* CanvasRenderingContext2D::WrapObject( JSContext* aCx, JS::Handle<JSObject*> aGivenProto) {@@ -1054,7 +1056,7 @@ // no longer be valid. mIsEntireFrameInvalid = false; mPredictManyRedrawCalls = false;- mIsCapturedFrameInvalid = false;+ mFrameCaptureState = FrameCaptureState::CLEAN; return NS_OK; }@@ -1069,6 +1071,14 @@ if (provider) { provider->OnShutdown(); }+}++void CanvasRenderingContext2D::AddShutdownObserver() {+ MOZ_ASSERT(!mShutdownObserver);+ MOZ_ASSERT(NS_IsMainThread());++ mShutdownObserver = new CanvasShutdownObserver(this);+ nsContentUtils::RegisterShutdownObserver(mShutdownObserver); } void CanvasRenderingContext2D::RemoveShutdownObserver() {@@ -1122,7 +1132,7 @@ } nsresult CanvasRenderingContext2D::Redraw() {- mIsCapturedFrameInvalid = true;+ mFrameCaptureState = FrameCaptureState::DIRTY; if (mIsEntireFrameInvalid) { return NS_OK;@@ -1130,20 +1140,20 @@ mIsEntireFrameInvalid = true;- if (!mCanvasElement) {+ if (mCanvasElement) {+ SVGObserverUtils::InvalidateDirectRenderingObservers(mCanvasElement);+ mCanvasElement->InvalidateCanvasContent(nullptr);+ } else if (mOffscreenCanvas) {+ mOffscreenCanvas->QueueCommitToCompositor();+ } else { NS_ASSERTION(mDocShell, "Redraw with no canvas element or docshell!");- return NS_OK;- }-- SVGObserverUtils::InvalidateDirectRenderingObservers(mCanvasElement);-- mCanvasElement->InvalidateCanvasContent(nullptr);+ } return NS_OK; } void CanvasRenderingContext2D::Redraw(const gfx::Rect& aR) {- mIsCapturedFrameInvalid = true;+ mFrameCaptureState = FrameCaptureState::DIRTY; ++mInvalidateCount;@@ -1156,20 +1166,20 @@ return; }- if (!mCanvasElement) {+ if (mCanvasElement) {+ SVGObserverUtils::InvalidateDirectRenderingObservers(mCanvasElement);+ 
mCanvasElement->InvalidateCanvasContent(&aR);+ } else if (mOffscreenCanvas) {+ mOffscreenCanvas->QueueCommitToCompositor();+ } else { NS_ASSERTION(mDocShell, "Redraw with no canvas element or docshell!");- return;- }-- SVGObserverUtils::InvalidateDirectRenderingObservers(mCanvasElement);-- mCanvasElement->InvalidateCanvasContent(&aR);+ } } void CanvasRenderingContext2D::DidRefresh() {} void CanvasRenderingContext2D::RedrawUser(const gfxRect& aR) {- mIsCapturedFrameInvalid = true;+ mFrameCaptureState = FrameCaptureState::DIRTY; if (mIsEntireFrameInvalid) { ++mInvalidateCount;@@ -1352,6 +1362,7 @@ mBufferProvider = std::move(newProvider); RegisterAllocation();+ AddZoneWaitingForGC(); RestoreClipsAndTransformToTarget();@@ -1360,12 +1371,12 @@ if (mCanvasElement) { mCanvasElement->InvalidateCanvas(); }- // EnsureTarget hasn't drawn anything. Preserve mIsCapturedFrameInvalid.- bool capturedFrameInvalid = mIsCapturedFrameInvalid;+ // EnsureTarget hasn't drawn anything. Preserve mFrameCaptureState.+ FrameCaptureState captureState = mFrameCaptureState; // Calling Redraw() tells our invalidation machinery that the entire // canvas is already invalid, which can speed up future drawing. 
Redraw();- mIsCapturedFrameInvalid = capturedFrameInvalid;+ mFrameCaptureState = captureState; return true; }@@ -1409,7 +1420,9 @@ registered = true; RegisterStrongMemoryReporter(new Canvas2dPixelsReporter()); }-+}++void CanvasRenderingContext2D::AddZoneWaitingForGC() { JSObject* wrapper = GetWrapperPreserveColor(); if (wrapper) { CycleCollectedJSRuntime::Get()->AddZoneWaitingForGC(@@ -1526,6 +1539,22 @@ return NS_OK; }+void CanvasRenderingContext2D::AddAssociatedMemory() {+ JSObject* wrapper = GetWrapperMaybeDead();+ if (wrapper) {+ JS::AddAssociatedMemory(wrapper, BindingJSObjectMallocBytes(this),+ JS::MemoryUse::DOMBinding);+ }+}++void CanvasRenderingContext2D::RemoveAssociatedMemory() {+ JSObject* wrapper = GetWrapperMaybeDead();+ if (wrapper) {+ JS::RemoveAssociatedMemory(wrapper, BindingJSObjectMallocBytes(this),+ JS::MemoryUse::DOMBinding);+ }+}+ void CanvasRenderingContext2D::ClearTarget(int32_t aWidth, int32_t aHeight) { Reset();@@ -1538,19 +1567,18 @@ // Update the memory size associated with the wrapper object when we change // the dimensions. 
Note that we need to keep updating dying wrappers before // they are finalized so that the memory accounting balances out.- JSObject* wrapper = GetWrapperMaybeDead();- if (wrapper) {- JS::RemoveAssociatedMemory(wrapper, BindingJSObjectMallocBytes(this),- JS::MemoryUse::DOMBinding);- }-+ RemoveAssociatedMemory(); mWidth = aWidth; mHeight = aHeight;-- if (wrapper) {- JS::AddAssociatedMemory(wrapper, BindingJSObjectMallocBytes(this),- JS::MemoryUse::DOMBinding);- }+ AddAssociatedMemory();+ }++ if (mOffscreenCanvas) {+ OffscreenCanvasDisplayData data;+ data.mSize = {mWidth, mHeight};+ data.mIsOpaque = mOpaque;+ data.mIsAlphaPremult = true;+ mOffscreenCanvas->UpdateDisplayData(data); } if (!mCanvasElement || !mCanvasElement->IsInComposedDoc()) {@@ -4261,6 +4289,12 @@ double aY, const CanvasWindingRule& aWinding, nsIPrincipal& aSubjectPrincipal) {+ return IsPointInPath(aCx, aX, aY, aWinding, Some(&aSubjectPrincipal));+}++bool CanvasRenderingContext2D::IsPointInPath(+ JSContext* aCx, double aX, double aY, const CanvasWindingRule& aWinding,+ Maybe<nsIPrincipal*> aSubjectPrincipal) { if (!FloatValidate(aX, aY)) { return false; }@@ -4272,6 +4306,9 @@ aSubjectPrincipal)) { return false; }+ } else if (mOffscreenCanvas &&+ mOffscreenCanvas->ShouldResistFingerprinting()) {+ return false; } EnsureUserSpacePath(aWinding);@@ -4290,7 +4327,15 @@ const CanvasPath& aPath, double aX, double aY, const CanvasWindingRule& aWinding,- nsIPrincipal&) {+ nsIPrincipal& aSubjectPrincipal) {+ return IsPointInPath(aCx, aPath, aX, aY, aWinding, Some(&aSubjectPrincipal));+}++bool CanvasRenderingContext2D::IsPointInPath(JSContext* aCx,+ const CanvasPath& aPath, double aX,+ double aY,+ const CanvasWindingRule& aWinding,+ Maybe<nsIPrincipal*>) { if (!FloatValidate(aX, aY)) { return false; }@@ -4307,6 +4352,12 @@ bool CanvasRenderingContext2D::IsPointInStroke( JSContext* aCx, double aX, double aY, nsIPrincipal& aSubjectPrincipal) {+ return IsPointInStroke(aCx, aX, aY, Some(&aSubjectPrincipal));+}++bool 
CanvasRenderingContext2D::IsPointInStroke(+ JSContext* aCx, double aX, double aY,+ Maybe<nsIPrincipal*> aSubjectPrincipal) { if (!FloatValidate(aX, aY)) { return false; }@@ -4318,6 +4369,9 @@ aSubjectPrincipal)) { return false; }+ } else if (mOffscreenCanvas &&+ mOffscreenCanvas->ShouldResistFingerprinting()) {+ return false; } EnsureUserSpacePath();@@ -4338,10 +4392,16 @@ mTarget->GetTransform()); }+bool CanvasRenderingContext2D::IsPointInStroke(+ JSContext* aCx, const CanvasPath& aPath, double aX, double aY,+ nsIPrincipal& aSubjectPrincipal) {+ return IsPointInStroke(aCx, aPath, aX, aY, Some(&aSubjectPrincipal));+}+ bool CanvasRenderingContext2D::IsPointInStroke(JSContext* aCx, const CanvasPath& aPath, double aX, double aY,- nsIPrincipal&) {+ Maybe<nsIPrincipal*>) { if (!FloatValidate(aX, aY)) { return false; }@@ -5040,7 +5100,14 @@ already_AddRefed<ImageData> CanvasRenderingContext2D::GetImageData( JSContext* aCx, int32_t aSx, int32_t aSy, int32_t aSw, int32_t aSh, nsIPrincipal& aSubjectPrincipal, ErrorResult& aError) {- if (!mCanvasElement && !mDocShell) {+ return GetImageData(aCx, aSx, aSy, aSw, aSh, Some(&aSubjectPrincipal),+ aError);+}++already_AddRefed<ImageData> CanvasRenderingContext2D::GetImageData(+ JSContext* aCx, int32_t aSx, int32_t aSy, int32_t aSw, int32_t aSh,+ Maybe<nsIPrincipal*> aSubjectPrincipal, ErrorResult& aError) {+ if (!mCanvasElement && !mDocShell && !mOffscreenCanvas) { NS_ERROR("No canvas element and no docshell in GetImageData!!!"); aError.Throw(NS_ERROR_DOM_SECURITY_ERR); return nullptr;@@ -5048,6 +5115,7 @@ // Check only if we have a canvas element; if we were created with a docshell, // then it's special internal use.+ // FIXME(aosmond): OffscreenCanvas security check??! if (IsWriteOnly() || (mCanvasElement && !mCanvasElement->CallerCanRead(aCx))) { // XXX ERRMSG we need to report an error to developers here! 
(bug 329026)@@ -5095,7 +5163,7 @@ nsresult CanvasRenderingContext2D::GetImageDataArray( JSContext* aCx, int32_t aX, int32_t aY, uint32_t aWidth, uint32_t aHeight,- nsIPrincipal& aSubjectPrincipal, JSObject** aRetval) {+ Maybe<nsIPrincipal*> aSubjectPrincipal, JSObject** aRetval) { MOZ_ASSERT(aWidth && aHeight); // Restrict the typed array length to INT32_MAX because that's all we support@@ -5160,6 +5228,8 @@ nsCOMPtr<Document> ownerDoc = mCanvasElement->OwnerDoc(); usePlaceholder = !CanvasUtils::IsImageExtractionAllowed(ownerDoc, aCx, aSubjectPrincipal);+ } else if (mOffscreenCanvas) {+ usePlaceholder = mOffscreenCanvas->ShouldResistFingerprinting(); } do {@@ -5504,14 +5574,6 @@ } mIsEntireFrameInvalid = false; mInvalidateCount = 0;-}--void CanvasRenderingContext2D::MarkContextCleanForFrameCapture() {- mIsCapturedFrameInvalid = false;-}--bool CanvasRenderingContext2D::IsContextCleanForFrameCapture() {- return !mIsCapturedFrameInvalid; } void CanvasRenderingContext2D::GetAppUnitsValues(int32_t* aPerDevPixel,@@ -5821,14 +5883,14 @@ } size_t BindingJSObjectMallocBytes(CanvasRenderingContext2D* aContext) {- int32_t width = aContext->GetWidth();- int32_t height = aContext->GetHeight();+ IntSize size = aContext->GetSize(); // TODO: Bug 1552137: No memory will be allocated if either dimension is // greater than gfxPrefs::gfx_canvas_max_size(). We should check this here // too.- CheckedInt<uint32_t> bytes = CheckedInt<uint32_t>(width) * height * 4;+ CheckedInt<uint32_t> bytes =+ CheckedInt<uint32_t>(size.width) * size.height * 4; if (!bytes.isValid()) { return 0; }
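Review bot: the `// FIXME(aosmond): OffscreenCanvas security check??!` left in the @@ -5048 hunk marks a real gap: `GetImageData` now accepts a context backed by `mOffscreenCanvas`, but the taint check right below it is still `IsWriteOnly() || (mCanvasElement && !mCanvasElement->CallerCanRead(aCx))`, so for an OffscreenCanvas only the write-only flag stands between the caller and the pixel data. That should be resolved, or at least tracked against a bug, before this lands rather than shipped as a FIXME.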
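Review bot: registering the shutdown observer moved out of the constructor into `Initialize()` / `AddShutdownObserver()`, and the latter asserts `NS_IsMainThread()`; any construction path that forgets to call `Initialize()` now silently gets no shutdown cleanup, and a context created off the main thread (the OffscreenCanvas case this patch adds) cannot call it at all. The hunk should say who is responsible for calling `Initialize()` and what stands in for the observer off the main thread.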
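Review bot: the `mOffscreenCanvas->ShouldResistFingerprinting()` early return is added to the `IsPointInPath` and `IsPointInStroke` overloads that test the current path, but the `CanvasPath` overloads still take an unnamed `Maybe<nsIPrincipal*>` and perform no such check, exactly as they ignored the `nsIPrincipal&` before; if that asymmetry is intentional a comment would help, otherwise the check is missing in two places. Separately, `MarkContextCleanForFrameCapture()` and `IsContextCleanForFrameCapture()` are deleted in the @@ -5504 hunk with no replacement accessor for `mFrameCaptureState` visible here, so their callers must be updated in a hunk outside this file.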
Here's the security analysis of the provided code diff:

1. Vulnerability Existed: yes
   Race Condition Vulnerability
   [File] dom/canvas/CanvasRenderingContext2D.cpp [Lines 154, 960]
   [Old Code]
   static int64_t gCanvasAzureMemoryUsed = 0;
   uintptr_t CanvasRenderingContext2D::sNumLivingContexts = 0;
   [Fixed Code]
   static Atomic<int64_t> gCanvasAzureMemoryUsed(0);
   Atomic<uintptr_t> CanvasRenderingContext2D::sNumLivingContexts(0);

2. Vulnerability Existed: yes
   Memory Leak Vulnerability
   [File] dom/canvas/CanvasRenderingContext2D.cpp [Lines 817, 845]
   [Old Code]
   NS_IMPL_CYCLE_COLLECTION_UNLINK(mCanvasElement)
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(CanvasRenderingContext2D)
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mCanvasElement)
   [Fixed Code]
   NS_IMPL_CYCLE_COLLECTION_UNLINK(mCanvasElement)
   NS_IMPL_CYCLE_COLLECTION_UNLINK(mOffscreenCanvas)
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(CanvasRenderingContext2D)
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mCanvasElement)
   NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mOffscreenCanvas)

3. Vulnerability Existed: yes
   Improper Shutdown Handling
   [File] dom/canvas/CanvasRenderingContext2D.cpp [Lines 977-982]
   [Old Code]
   mShutdownObserver = new CanvasShutdownObserver(this);
   nsContentUtils::RegisterShutdownObserver(mShutdownObserver);
   [Fixed Code]
   mFrameCaptureState(FrameCaptureState::CLEAN, "CanvasRenderingContext2D::mFrameCaptureState"),
   // Shutdown observer moved to separate Initialize() method
   void CanvasRenderingContext2D::Initialize() { AddShutdownObserver(); }

4. Vulnerability Existed: yes
   Fingerprinting Resistance
   [File] dom/canvas/CanvasRenderingContext2D.cpp [Multiple locations]
   [Old Code]
   // No checks for OffscreenCanvas fingerprinting resistance
   [Fixed Code]
   Added multiple checks like:
   if (mOffscreenCanvas && mOffscreenCanvas->ShouldResistFingerprinting()) { return false; }

5. Vulnerability Existed: not sure
   Potential Memory Accounting Issue
   [File] dom/canvas/CanvasRenderingContext2D.cpp [Lines 1526-1554]
   [Old Code]
   // No separate Add/Remove associated memory methods
   [Fixed Code]
   Added explicit AddAssociatedMemory() and RemoveAssociatedMemory() methods with proper JS memory accounting

The changes primarily address:
1. Thread safety issues with atomic variables
2. Memory leaks in cycle collection
3. Proper shutdown handling
4. Fingerprinting resistance
5. More robust memory accounting

The most significant security fixes are the addition of fingerprinting resistance checks and the thread safety improvements for shared variables.
If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/widget/InputData.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/widget/InputData.cpp@@ -501,7 +501,7 @@ // PANDELTA_PAGE // Emulate legacy widget/gtk behavior wheelEvent.mDeltaMode = WheelEvent_Binding::DOM_DELTA_LINE;- wheelEvent.mScrollType = WidgetWheelEvent::SCROLL_ASYNCHRONOUSELY;+ wheelEvent.mScrollType = WidgetWheelEvent::SCROLL_ASYNCHRONOUSLY; wheelEvent.mDeltaX *= 3; wheelEvent.mDeltaY *= 3; } else {
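Review bot: the change from SCROLL_ASYNCHRONOUSELY to SCROLL_ASYNCHRONOUSLY renames an enumerator, and this hunk shows only the use site, not the definition in WidgetWheelEvent; confirm the definition and every other reference are updated in the same change, since a partial rename fails to compile rather than silently altering scroll behaviour. Nothing functional changes here: the DOM_DELTA_LINE mode and the `*= 3` delta scaling on the legacy gtk path are untouched.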
Here's the analysis of the provided code diff:

Vulnerability Existed: no
[Typo Fix] [widget/InputData.cpp] [Lines 501]
[Old Code]
wheelEvent.mScrollType = WidgetWheelEvent::SCROLL_ASYNCHRONOUSELY;
[Fixed Code]
wheelEvent.mScrollType = WidgetWheelEvent::SCROLL_ASYNCHRONOUSLY;

Additional Details:
- This appears to be a simple typo correction in an enum value name from "SCROLL_ASYNCHRONOUSELY" to "SCROLL_ASYNCHRONOUSLY"
- There is no security vulnerability being fixed here, just a spelling correction in the code
- The functionality remains the same, only the spelling of the constant is being corrected
- No security implications are apparent from this change
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/filesystem/FileSystemTaskBase.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/filesystem/FileSystemTaskBase.cpp@@ -113,14 +113,6 @@ if (NS_WARN_IF(rv.Failed())) { rv.SuppressException(); return;- }-- if (NS_IsMainThread()) {- nsISerialEventTarget* target =- mGlobalObject->EventTargetFor(TaskCategory::Other);- MOZ_ASSERT(target);-- actor->SetEventTargetForActor(this, target); } actor->SendPFileSystemRequestConstructor(this, params);
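Review bot: the deleted `if (NS_IsMainThread())` block was the only place this function bound the actor to `mGlobalObject->EventTargetFor(TaskCategory::Other)`, and no replacement is added before `actor->SendPFileSystemRequestConstructor(this, params)`, so the actor now uses whatever target the protocol assigns by default. The commit message should state where main-thread callers now get their event target, or that `SetEventTargetForActor` is no longer needed, so a reviewer can confirm the reply is still delivered on the thread that owns `mGlobalObject`. The early return on `rv.Failed()` above the removed block is unchanged.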
Let me analyze the code diff for potential security fixes.

Vulnerability Existed: not sure
Potential Race Condition or Thread Safety Issue
[File] [Lines 113-121]
[Old Code]
if (NS_IsMainThread()) {
  nsISerialEventTarget* target = mGlobalObject->EventTargetFor(TaskCategory::Other);
  MOZ_ASSERT(target);
  actor->SetEventTargetForActor(this, target);
}
[Fixed Code]
[Code removed entirely]

Additional Details:
The removed code was setting an event target for an actor only when on the main thread. This could potentially lead to thread safety issues if the actor was used across different threads without proper synchronization. However, without more context about how this actor is used elsewhere, I can't be certain if this was actually causing a security vulnerability or just a potential reliability issue. The removal suggests the event target handling was either unnecessary or moved elsewhere.

Note: There might be other security implications not visible in this diff, but based solely on the shown changes, this is the only potential issue I can identify.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.transformation.changing.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.transformation.changing.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -30,7 +30,7 @@ ctx.rotate(Math.PI/2); ctx.scale(0.1, 0.1); ctx.fill();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
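Review bot: rename only; `offscreenCanvas` becomes `canvas` at the declaration and in the `_assertPixel` call, no other use of the old name remains in the visible hunks, and the expected pixel (0,255,0,255 at 50,25) is unchanged. If this file is emitted by the canvas test generator, as the identical mechanical rename across the other offscreen tests in this patch suggests, the edit belongs in the generator source rather than the generated file.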
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't involve any security-sensitive operations or patterns. Here's the analysis:

1. Vulnerability Existed: no
   No security vulnerability found
   [File] testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.transformation.changing.worker.js [Lines] 13-30
   [Old Code]
   var offscreenCanvas = new OffscreenCanvas(100, 50);
   var ctx = offscreenCanvas.getContext('2d');
   ...
   _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
   [Fixed Code]
   var canvas = new OffscreenCanvas(100, 50);
   var ctx = canvas.getContext('2d');
   ...
   _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");

The changes are:
1. Renaming variable `offscreenCanvas` to `canvas`
2. Updating the variable name in the `_assertPixel` call
3. No security-related changes were made
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/taskcluster/gecko_taskgraph/util/declarative_artifacts.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/taskcluster/gecko_taskgraph/util/declarative_artifacts.py@@ -5,29 +5,45 @@ import re-from gecko_taskgraph.util.scriptworker import generate_beetmover_upstream_artifacts+from gecko_taskgraph.util.scriptworker import (+ generate_beetmover_upstream_artifacts,+ generate_beetmover_artifact_map,+) _ARTIFACT_ID_PER_PLATFORM = {- "android-aarch64-opt": "geckoview-default-arm64-v8a",- "android-arm-opt": "geckoview-default-armeabi-v7a",- "android-x86-opt": "geckoview-default-x86",- "android-x86_64-opt": "geckoview-default-x86_64",- "android-geckoview-fat-aar-opt": "geckoview-default",- "android-aarch64-shippable": "geckoview{update_channel}-omni-arm64-v8a",- "android-aarch64-shippable-lite": "geckoview{update_channel}-arm64-v8a",- "android-arm-shippable": "geckoview{update_channel}-omni-armeabi-v7a",- "android-arm-shippable-lite": "geckoview{update_channel}-armeabi-v7a",- "android-x86-shippable": "geckoview{update_channel}-omni-x86",- "android-x86-shippable-lite": "geckoview{update_channel}-x86",- "android-x86_64-shippable": "geckoview{update_channel}-omni-x86_64",- "android-x86_64-shippable-lite": "geckoview{update_channel}-x86_64",- "android-geckoview-fat-aar-shippable": "geckoview{update_channel}-omni",- "android-geckoview-fat-aar-shippable-lite": "geckoview{update_channel}",+ "android-aarch64-opt": "{package}-default-arm64-v8a",+ "android-arm-opt": "{package}-default-armeabi-v7a",+ "android-x86-opt": "{package}-default-x86",+ "android-x86_64-opt": "{package}-default-x86_64",+ "android-geckoview-fat-aar-opt": "{package}-default",+ "android-aarch64-shippable": "{package}{update_channel}-omni-arm64-v8a",+ "android-aarch64-shippable-lite": "{package}{update_channel}-arm64-v8a",+ "android-arm-shippable": 
"{package}{update_channel}-omni-armeabi-v7a",+ "android-arm-shippable-lite": "{package}{update_channel}-armeabi-v7a",+ "android-x86-shippable": "{package}{update_channel}-omni-x86",+ "android-x86-shippable-lite": "{package}{update_channel}-x86",+ "android-x86_64-shippable": "{package}{update_channel}-omni-x86_64",+ "android-x86_64-shippable-lite": "{package}{update_channel}-x86_64",+ "android-geckoview-fat-aar-shippable": "{package}{update_channel}-omni",+ "android-geckoview-fat-aar-shippable-lite": "{package}{update_channel}", }-def get_geckoview_upstream_artifacts(config, job, platform=""):+def get_geckoview_artifact_map(config, job):+ return generate_beetmover_artifact_map(+ config,+ job,+ **get_geckoview_template_vars(+ config,+ job["attributes"]["build_platform"],+ job["maven-package"],+ job["attributes"].get("update-channel"),+ ),+ )+++def get_geckoview_upstream_artifacts(config, job, package, platform=""): if not platform: platform = job["attributes"]["build_platform"] upstream_artifacts = generate_beetmover_upstream_artifacts(@@ -35,7 +51,7 @@ job, platform="", **get_geckoview_template_vars(- config, platform, job["attributes"].get("update-channel")+ config, platform, package, job["attributes"].get("update-channel") ), ) return [@@ -44,7 +60,7 @@ ]-def get_geckoview_template_vars(config, platform, update_channel):+def get_geckoview_template_vars(config, platform, package, update_channel): version_groups = re.match(r"(\d+).(\d+).*", config.params["version"]) if version_groups: major_version, minor_version = version_groups.groups()@@ -53,6 +69,7 @@ "artifact_id": get_geckoview_artifact_id( config, platform,+ package, update_channel, ), "build_date": config.params["moz_build_date"],@@ -61,7 +78,7 @@ }-def get_geckoview_artifact_id(config, platform, update_channel=None):+def get_geckoview_artifact_id(config, platform, package, update_channel=None): if update_channel == "release": update_channel = "" elif update_channel is not None:@@ -71,4 +88,6 @@ # 
"nightly-{project}" for the update channel. For other builds, the # update channel is not set, but the value is not substituted. update_channel = "-nightly-{}".format(config.params["project"])- return _ARTIFACT_ID_PER_PLATFORM[platform].format(update_channel=update_channel)+ return _ARTIFACT_ID_PER_PLATFORM[platform].format(+ update_channel=update_channel, package=package+ )
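Review bot: `get_geckoview_upstream_artifacts(config, job, package, platform="")` inserts the new required `package` parameter ahead of the existing optional `platform`, so any caller that passed `platform` positionally now silently sends its platform string as `package` and produces a wrong artifact id; make `package` keyword-only or update every caller in the same patch. `package` also flows from `job["maven-package"]` straight into `_ARTIFACT_ID_PER_PLATFORM[platform].format(update_channel=update_channel, package=package)` without validation; restricting it to the known package names (the old code hardcoded "geckoview") would keep a malformed task definition from publishing under an unexpected Maven coordinate. The pre-existing `re.match(r"(\d+).(\d+).*", ...)` uses unescaped dots where `\.` is intended.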
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
   [Potential Template Injection] [taskcluster/gecko_taskgraph/util/declarative_artifacts.py] [Lines 5-88]
   [Old Code]
   The old code used hardcoded "geckoview" strings in artifact IDs
   [Fixed Code]
   The new code uses a "{package}" variable that gets passed through multiple function calls
   Additional Details:
   While not a confirmed vulnerability, the change from hardcoded strings to variable substitution could potentially introduce template injection risks if the package variable isn't properly sanitized. The safer approach would be to validate the package parameter.

2. Vulnerability Existed: not sure
   [Insecure Direct Object Reference] [taskcluster/gecko_taskgraph/util/declarative_artifacts.py] [Lines 5-88]
   [Old Code]
   The old implementation had fixed artifact ID patterns
   [Fixed Code]
   The new implementation allows dynamic artifact ID generation based on package name
   Additional Details:
   The change makes artifact IDs more flexible but could potentially allow unauthorized access if the package naming isn't properly controlled. The security impact depends on how these artifact IDs are used in the broader system.

Note: The changes appear to be more about adding flexibility to support different package names rather than fixing specific security vulnerabilities. The security implications would depend on how these functions are used in the wider context of the application.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.alpha.4.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.alpha.4.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -23,7 +23,7 @@ ctx.shadowOffsetY = 50; ctx.globalAlpha = 0.707; ctx.fillRect(0, -50, 100, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2);+_assertPixelApprox(canvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2); t.done(); });
Here's the analysis following your requested format:

Vulnerability Existed: no
[Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.alpha.4.worker.js] [Lines 13-14, 23]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixelApprox(offscreenCanvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixelApprox(canvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2);

Additional Details:
This appears to be a simple variable renaming from "offscreenCanvas" to "canvas" throughout the file. There are no security-related changes or vulnerabilities being fixed in this diff. The changes are purely cosmetic/readability improvements with no functional impact.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.image.source-out.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.image.source-out.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 255, 0.5)';@@ -36,7 +36,7 @@ promise.then(function(response) { createImageBitmap(response).then(bitmap => { ctx.drawImage(bitmap, 0, 0);- _assertPixelApprox(offscreenCanvas, 50,25, 255,255,0,96, "50,25", "255,255,0,96", 5);+ _assertPixelApprox(canvas, 50,25, 255,255,0,96, "50,25", "255,255,0,96", 5); }, t_fail); }).then(t_pass, t_fail);
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and don't involve any security-related modifications. Here's the analysis following your requested format:

Vulnerability Existed: no
No security vulnerability found
[testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.image.source-out.html] [Lines 17-18, 36]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixelApprox(offscreenCanvas, 50,25, 255,255,0,96, "50,25", "255,255,0,96", 5);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixelApprox(canvas, 50,25, 255,255,0,96, "50,25", "255,255,0,96", 5);

The changes are purely cosmetic/refactoring in nature and don't address any security issues. The functionality remains exactly the same, just with a different variable name.