Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat

--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-values/ch-unit-004.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-values/ch-unit-004.html@@ -3,7 +3,6 @@ <title>CSS Values and Units Test: support for the ch unit</title> <link rel="author" title="Florian Rivoal" href="http://florian.rivoal.net/"> <link rel="help" href="https://drafts.csswg.org/css-values-3/#font-relative-lengths">-<meta name="flags" content=""> <link rel="match" href="reference/ch-unit-001-ref.html"> <meta name="assert" content="In vertical sideways, The ch unit is equal to the used horizontal advance measure of the 0 (ZERO, U+0030) glyph found in the font used to render it."> <style>
Based on the provided code diff, here's the analysis:

Vulnerability Existed: no
[No specific vulnerability found] [testing/web-platform/tests/css/css-values/ch-unit-004.html] [Lines 3-6]

[Old Code]
```html
<meta name="flags" content="">
```

[Fixed Code]
[Removed line]

Additional Details:
- The change simply removes an empty meta tag for "flags" which appears to be test-related metadata
- No security implications or vulnerabilities are apparent in this change
- This seems to be a minor cleanup rather than a security fix
- No known vulnerability patterns are being addressed here

The diff shows only a removal of an unused/empty meta tag, which doesn't appear to be related to any security fixes. The change is more likely related to test maintenance or cleanup.
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInPath.empty.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInPath.empty.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); _assertSame(ctx.isPointInPath(0, 0), false, "ctx.isPointInPath(0, 0)", "false"); t.done();
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming for better clarity. Here's the analysis following your requested format:

Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-14]

[Old Code]
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```

[Fixed Code]
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```

The changes simply rename the variable from `offscreenCanvas` to `canvas`, which doesn't affect security. This appears to be a code style/readability improvement rather than a security fix.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-10.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-10.xml@@ -7,7 +7,6 @@ <link rel="author" title="Daniel Glazman" href="http://glazman.org/"/> <link rel="author" title="Ian Hickson" href="mailto:[email protected]"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->- <meta name="flags" content="" /> </head> <body> <p title="foobar">This paragraph should have a green background because
Based on the provided diff, I'll analyze it for security vulnerabilities:

Vulnerability Existed: no
[No specific vulnerability found] [testing/web-platform/tests/css/selectors/old-tests/css3-modsel-10.xml] [Lines 7]

[Old Code]
```xml
<meta name="flags" content="" />
```

[Fixed Code]
[Removed line]

Additional Details:
1. The change simply removes an empty meta tag with a "flags" attribute, which appears to be test-related metadata.
2. There's no indication of any security vulnerability being fixed here - this appears to be a minor cleanup or test modification.
3. The empty flags attribute wasn't posing any security risk, and its removal doesn't appear to address any security concern.
4. This change is more likely related to test maintenance or cleanup rather than security fixes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.attributes.shadowBlur.invalid.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.attributes.shadowBlur.invalid.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.shadowBlur = 1; ctx.shadowBlur = -2;
Let me analyze the code diff for potential security fixes:

1. Vulnerability Existed: no
No specific vulnerability found [File] [Lines 13-14]

Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```

Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```

Additional Details: This appears to be a simple variable renaming change from "offscreenCanvas" to "canvas". There are no security-related changes in this diff, just a code style/readability improvement. The functionality remains exactly the same - creating an OffscreenCanvas and getting its 2D context. No security vulnerabilities are being addressed here.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.lineCap.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.lineCap.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); // Test that restore() undoes any modifications var old = ctx.lineCap;
Analysis of the provided code diff:

1. Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-14]

Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```

Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```

Additional Details:
- The changes appear to be purely variable renaming (from 'offscreenCanvas' to 'canvas')
- No security-related changes were made
- This is likely a code style/readability improvement rather than a security fix
- No known vulnerabilities are addressed by this change
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.baseline.default.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.baseline.default.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); _assertSame(ctx.textBaseline, 'alphabetic', "ctx.textBaseline", "'alphabetic'"); t.done();
Analyzing the provided code diff, I don't see any security-related fixes. The changes appear to be purely variable renaming without any security implications.

Answer for Each Vulnerability:

Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/text/2d.text.baseline.default.html] [Lines 17-18]

[Old Code]
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```

[Fixed Code]
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```

The changes simply rename the variable from `offscreenCanvas` to `canvas`, which doesn't affect security in any way. This appears to be a code style or consistency improvement rather than a security fix.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/quota/StorageManager.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/quota/StorageManager.h@@ -42,6 +42,8 @@ already_AddRefed<Promise> Estimate(ErrorResult& aRv);+ already_AddRefed<Promise> GetDirectory();+ NS_DECL_CYCLE_COLLECTING_ISUPPORTS NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS(StorageManager)
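Review bot: `GetDirectory()` is added with no `ErrorResult&` parameter and no comment, while the `Estimate(ErrorResult& aRv)` declaration directly above it reports failure through `aRv`; either document that `GetDirectory()` cannot fail or give it the same `ErrorResult& aRv` so the two Promise-returning methods follow one convention.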
Based on the provided diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: not sure
[Potential Missing Error Handling] [dom/quota/StorageManager.h] [Lines around 42]

[Old Code]
```cpp
already_AddRefed<Promise> Estimate(ErrorResult& aRv);
```

[Fixed Code]
```cpp
already_AddRefed<Promise> Estimate(ErrorResult& aRv);
already_AddRefed<Promise> GetDirectory();
```

Additional Details:
- The diff shows the addition of a new method `GetDirectory()` without an `ErrorResult&` parameter, unlike the existing `Estimate` method.
- This could potentially lead to unhandled errors if the method fails, but without seeing the implementation, we can't be certain if this is a security issue.
- The change might be related to improved directory handling functionality rather than a direct security fix.
- No specific vulnerability name can be assigned without more context about the implementation.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/widget/windows/TSFTextStore.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/widget/windows/TSFTextStore.h@@ -267,6 +267,11 @@ * So, you may need to check IMMHandler::IsGoogleJapaneseInputActive() too. */ static bool IsGoogleJapaneseInputActive();++ /**+ * Returns true if active TIP is ATOK.+ */+ static bool IsATOKActive(); /** * Returns true if active TIP or IME is a black listed one and we should
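Review bot: the new `IsATOKActive()` gets a one-line doc comment, but the neighbouring `IsGoogleJapaneseInputActive()` comment ends with the caveat "So, you may need to check IMMHandler::IsGoogleJapaneseInputActive() too."; the `IsATOKActive()` comment should state whether an equivalent IMM-side check applies, otherwise callers will treat the two helpers as parallel when they may not be.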
Here's the analysis following the specified format:

Vulnerability Existed: not sure
[Potential Information Disclosure] [widget/windows/TSFTextStore.h] [Lines 267+]

[Old Code]
```cpp
static bool IsGoogleJapaneseInputActive();
```

[Fixed Code]
```cpp
static bool IsGoogleJapaneseInputActive();

/**
 * Returns true if active TIP is ATOK.
 */
static bool IsATOKActive();
```

Additional Details:
1. The diff shows an addition of a new method `IsATOKActive()` but doesn't show any security fixes for existing code.
2. The change appears to be a feature addition rather than a security fix.
3. The comment mentions "black listed" TIP/IME which might indicate security concerns, but the actual security implications are unclear from this partial diff.
4. Without seeing the implementation of these methods or more context about how they're used, we can't definitively identify a security vulnerability.

Note: The diff appears to be truncated, making it difficult to perform a complete security analysis. More context would be needed to properly assess potential vulnerabilities.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.3.radii.2.double.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.3.radii.2.double.html@@ -17,18 +17,18 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50); ctx.roundRect(0, 0, 100, 50, [0, 20, 0]); ctx.fillStyle = '#0f0'; ctx.fill();-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 255,0,0,255, "98,1", "255,0,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 255,0,0,255, "1,48", "255,0,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 255,0,0,255, "98,1", "255,0,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,48, 255,0,0,255, "1,48", "255,0,0,255"); t.done(); });
Analyzing the provided code diff, here's the security assessment:

1. Vulnerability Existed: no
[Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.3.radii.2.double.html] [Lines 17-18, 25-28]

Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
_assertPixel(offscreenCanvas, 98,1, 255,0,0,255, "98,1", "255,0,0,255");
_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");
_assertPixel(offscreenCanvas, 1,48, 255,0,0,255, "1,48", "255,0,0,255");
```

Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
_assertPixel(canvas, 98,1, 255,0,0,255, "98,1", "255,0,0,255");
_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");
_assertPixel(canvas, 1,48, 255,0,0,255, "1,48", "255,0,0,255");
```

Additional Details: This change appears to be purely a variable name refactoring from `offscreenCanvas` to `canvas`. There are no security implications in this change, just improved code readability/consistency. No vulnerabilities were fixed.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/editor/libeditor/EditorBase.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/editor/libeditor/EditorBase.h@@ -867,9 +867,12 @@ bool mDidNormalizeWhitespaces; // Set to true by default. If somebody inserts an HTML fragment- // intentionally, inline elements shouldn't be cleaned up later. In the+ // intentionally, any empty elements shouldn't be cleaned up later. In the // case this is set to false.- bool mNeedsToCleanUpEmptyInlineElements;+ // TODO: We should not do this by default. If it's necessary, each edit+ // action handler do it by itself instead. Then, we can avoid such+ // unnecessary DOM tree scan.+ bool mNeedsToCleanUpEmptyElements; /** * The following methods modifies some data of this struct and@@ -918,7 +921,7 @@ mDidDeleteEmptyParentBlocks = false; mRestoreContentEditableCount = false; mDidNormalizeWhitespaces = false;- mNeedsToCleanUpEmptyInlineElements = true;+ mNeedsToCleanUpEmptyElements = true; } /**
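Review bot: in the first hunk (the `mNeedsToCleanUpEmptyElements` declaration) the new TODO has grammar problems that will outlive the patch: "each edit action handler do it by itself instead" should read "each edit action handler should do it itself instead", and "such unnecessary DOM tree scan" should be "such an unnecessary DOM tree scan"; the touched sentence "In the case this is set to false." is a fragment carried over from the old comment and could be completed while the comment is being rewritten. The comment and member name now promise cleanup of any empty element rather than only inline ones, but the code that consumes the flag is not in this diff, so the broadened meaning needs to be checked against it; the second hunk only renames the initializer and needs nothing further.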
Here's the analysis of the provided code diff following the specified format:

Vulnerability Existed: not sure
[Potential DOM XSS or HTML Injection] [editor/libeditor/EditorBase.h] [Lines 867-872]

[Old Code]
```cpp
// Set to true by default. If somebody inserts an HTML fragment
// intentionally, inline elements shouldn't be cleaned up later. In the
// case this is set to false.
bool mNeedsToCleanUpEmptyInlineElements;
```

[Fixed Code]
```cpp
// Set to true by default. If somebody inserts an HTML fragment
// intentionally, any empty elements shouldn't be cleaned up later. In the
// case this is set to false.
// TODO: We should not do this by default. If it's necessary, each edit
// action handler do it by itself instead. Then, we can avoid such
// unnecessary DOM tree scan.
bool mNeedsToCleanUpEmptyElements;
```

Additional Details:
1. The change expands the scope from "inline elements" to "any empty elements" in the cleanup logic
2. The added TODO comment suggests this might be part of a security hardening effort to avoid unnecessary DOM tree scans
3. While not directly showing a security vulnerability, this could be related to preventing potential DOM-based XSS or HTML injection by being more thorough in element cleanup
4. The change appears to be more of a defensive programming improvement than a direct security fix

No clear vulnerability is shown in this diff, but the change could be security-related in terms of more robust HTML sanitization. The expanded scope of element cleanup might help prevent certain types of injection attacks.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.solid.source-out.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.solid.source-out.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 255, 1.0)';@@ -22,7 +22,7 @@ ctx.globalCompositeOperation = 'source-out'; ctx.fillStyle = 'rgba(255, 255, 0, 1.0)'; ctx.fillRect(0, 0, 100, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);+_assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming without any security implications. Here's the analysis:

1. Vulnerability Existed: no
Variable Renaming [File] [Lines 13-14, 22]

Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```

Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```

2. Vulnerability Existed: no
Variable Renaming [File] [Line 22]

Old Code:
```javascript
_assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);
```

Fixed Code:
```javascript
_assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);
```

The changes simply rename the variable `offscreenCanvas` to `canvas` throughout the file, which doesn't affect security. No actual security vulnerabilities were identified in this diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/streams/ReadableByteStreamController.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/streams/ReadableByteStreamController.cpp@@ -15,6 +15,7 @@ #include "mozilla/AlreadyAddRefed.h" #include "mozilla/Attributes.h" #include "mozilla/ErrorResult.h"+#include "mozilla/HoldDropJSObjects.h" #include "mozilla/dom/ByteStreamHelpers.h" #include "mozilla/dom/Promise.h" #include "mozilla/dom/PromiseNativeHandler.h"@@ -26,9 +27,11 @@ #include "mozilla/dom/ReadableStreamBYOBRequest.h" #include "mozilla/dom/ReadableStreamController.h" #include "mozilla/dom/ReadableStreamDefaultController.h"+#include "mozilla/dom/ReadableStreamDefaultReader.h" #include "mozilla/dom/ReadableStreamGenericReader.h" #include "mozilla/dom/ToJSValue.h" #include "mozilla/dom/ScriptSettings.h"+#include "mozilla/dom/UnderlyingSourceCallbackHelpers.h" #include "nsCycleCollectionParticipant.h" #include "nsIGlobalObject.h" #include "nsISupports.h"@@ -41,7 +44,8 @@ NS_IMPL_CYCLE_COLLECTION_CLASS(ReadableByteStreamController) NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN_INHERITED(ReadableByteStreamController, ReadableStreamController)- NS_IMPL_CYCLE_COLLECTION_UNLINK(mByobRequest, mStream)+ NS_IMPL_CYCLE_COLLECTION_UNLINK(mByobRequest, mCancelAlgorithm,+ mPullAlgorithm, mStream) tmp->ClearPendingPullIntos(); tmp->ClearQueue(); NS_IMPL_CYCLE_COLLECTION_UNLINK_PRESERVED_WRAPPER@@ -49,7 +53,8 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INHERITED(ReadableByteStreamController, ReadableStreamController)- NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mByobRequest, mStream)+ NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mByobRequest, mCancelAlgorithm,+ mPullAlgorithm, mStream) NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN_INHERITED(ReadableByteStreamController,@@ -73,11 +78,14 @@ ReadableByteStreamController::ReadableByteStreamController( 
nsIGlobalObject* aGlobal)- : ReadableStreamController(aGlobal) {}+ : ReadableStreamController(aGlobal) {+ mozilla::HoldJSObjects(this);+} ReadableByteStreamController::~ReadableByteStreamController() { ClearPendingPullIntos(); ClearQueue();+ mozilla::DropJSObjects(this); } void ReadableByteStreamController::ClearQueue() {@@ -103,7 +111,8 @@ // https://streams.spec.whatwg.org/#abstract-opdef-readablebytestreamcontrollergetbyobrequest already_AddRefed<ReadableStreamBYOBRequest> ReadableByteStreamControllerGetBYOBRequest(- JSContext* aCx, ReadableByteStreamController* aController) {+ JSContext* aCx, ReadableByteStreamController* aController,+ ErrorResult& aRv) { // Step 1. if (!aController->GetByobRequest() && !aController->PendingPullIntos().isEmpty()) {@@ -112,6 +121,7 @@ aController->PendingPullIntos().getFirst(); // Step 1.2:+ aRv.MightThrowJSException(); JS::Rooted<JSObject*> buffer(aCx, firstDescriptor->Buffer()); JS::Rooted<JSObject*> view( aCx, JS_NewUint8ArrayWithBuffer(@@ -119,6 +129,10 @@ firstDescriptor->ByteOffset() + firstDescriptor->BytesFilled(), int64_t(firstDescriptor->ByteLength() - firstDescriptor->BytesFilled())));+ if (!view) {+ aRv.StealExceptionFromJSContext(aCx);+ return nullptr;+ } // Step 1.3: RefPtr<ReadableStreamBYOBRequest> byobRequest =@@ -140,8 +154,8 @@ } already_AddRefed<ReadableStreamBYOBRequest>-ReadableByteStreamController::GetByobRequest(JSContext* aCx) {- return ReadableByteStreamControllerGetBYOBRequest(aCx, this);+ReadableByteStreamController::GetByobRequest(JSContext* aCx, ErrorResult& aRv) {+ return ReadableByteStreamControllerGetBYOBRequest(aCx, this, aRv); } // https://streams.spec.whatwg.org/#readable-byte-stream-controller-get-desired-size@@ -257,7 +271,7 @@ JSContext* aCx, ReadableByteStreamController* aController, ErrorResult& aRv) { // Step 1.- ReadableStream* stream = aController->Stream();+ RefPtr<ReadableStream> stream = aController->Stream(); // Step 2. 
if (aController->CloseRequested() ||@@ -293,6 +307,7 @@ return; }+ aRv.MightThrowJSException(); aRv.ThrowJSException(aCx, exception); return; }@@ -338,6 +353,78 @@ aController->AddToQueueTotalSize(double(aByteLength)); }+// https://streams.spec.whatwg.org/#abstract-opdef-readablebytestreamcontrollerenqueueclonedchunktoqueue+void ReadableByteStreamControllerEnqueueClonedChunkToQueue(+ JSContext* aCx, ReadableByteStreamController* aController,+ JS::Handle<JSObject*> aBuffer, size_t aByteOffset, size_t aByteLength,+ ErrorResult& aRv) {+ // Step 1. Let cloneResult be CloneArrayBuffer(buffer, byteOffset, byteLength,+ // %ArrayBuffer%).+ aRv.MightThrowJSException();+ JS::Rooted<JSObject*> cloneResult(+ aCx, JS::ArrayBufferClone(aCx, aBuffer, aByteOffset, aByteLength));++ // Step 2. If cloneResult is an abrupt completion,+ if (!cloneResult) {+ JS::Rooted<JS::Value> exception(aCx);+ if (!JS_GetPendingException(aCx, &exception)) {+ // Uncatchable exception; we should mark aRv and return.+ aRv.StealExceptionFromJSContext(aCx);+ return;+ }+ JS_ClearPendingException(aCx);++ // Step 2.1. Perform ! ReadableByteStreamControllerError(controller,+ // cloneResult.[[Value]]).+ ReadableByteStreamControllerError(aController, exception, aRv);+ if (aRv.Failed()) {+ return;+ }++ // Step 2.2. Return cloneResult.+ aRv.ThrowJSException(aCx, exception);+ return;+ }++ // Step 3. 
Perform !+ // ReadableByteStreamControllerEnqueueChunkToQueue(controller,+ // cloneResult.[[Value]], 0, byteLength).+ ReadableByteStreamControllerEnqueueChunkToQueue(aController, cloneResult, 0,+ aByteLength);+}++already_AddRefed<PullIntoDescriptor>+ReadableByteStreamControllerShiftPendingPullInto(+ ReadableByteStreamController* aController);++// https://streams.spec.whatwg.org/#abstract-opdef-readablebytestreamcontrollerenqueuedetachedpullintotoqueue+void ReadableByteStreamControllerEnqueueDetachedPullIntoToQueue(+ JSContext* aCx, ReadableByteStreamController* aController,+ PullIntoDescriptor* aPullIntoDescriptor, ErrorResult& aRv) {+ // Step 1. Assert: pullIntoDescriptor’s reader type is "none".+ MOZ_ASSERT(aPullIntoDescriptor->GetReaderType() == ReaderType::None);++ // Step 2. If pullIntoDescriptor’s bytes filled > 0,+ // perform ? ReadableByteStreamControllerEnqueueClonedChunkToQueue(controller,+ // pullIntoDescriptor’s buffer, pullIntoDescriptor’s byte offset,+ // pullIntoDescriptor’s bytes filled).+ if (aPullIntoDescriptor->BytesFilled() > 0) {+ JS::Rooted<JSObject*> buffer(aCx, aPullIntoDescriptor->Buffer());+ ReadableByteStreamControllerEnqueueClonedChunkToQueue(+ aCx, aController, buffer, aPullIntoDescriptor->ByteOffset(),+ aPullIntoDescriptor->BytesFilled(), aRv);+ if (aRv.Failed()) {+ return;+ }+ }++ // Step 3. 
Perform !+ // ReadableByteStreamControllerShiftPendingPullInto(controller).+ RefPtr<PullIntoDescriptor> discarded =+ ReadableByteStreamControllerShiftPendingPullInto(aController);+ (void)discarded;+}+ // https://streams.spec.whatwg.org/#readable-stream-get-num-read-into-requests static size_t ReadableStreamGetNumReadIntoRequests(ReadableStream* aStream) { // Step 1.@@ -396,10 +483,6 @@ return false; }-MOZ_CAN_RUN_SCRIPT void ReadableByteStreamControllerCallPullIfNeeded(- JSContext* aCx, ReadableByteStreamController* aController,- ErrorResult& aRv);- // MG:XXX: There's a template hiding here for handling the difference between // default and byte stream, eventually? class ByteStreamPullIfNeededPromiseHandler final : public PromiseNativeHandler {@@ -417,7 +500,8 @@ : PromiseNativeHandler(), mController(aController) {} MOZ_CAN_RUN_SCRIPT- void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override {+ void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) override { // https://streams.spec.whatwg.org/#readable-byte-stream-controller-call-pull-if-needed // Step 7.1 mController->SetPulling(false);@@ -427,19 +511,16 @@ mController->SetPullAgain(false); // Step 7.2.2- ErrorResult rv; ReadableByteStreamControllerCallPullIfNeeded(- aCx, MOZ_KnownLive(mController), rv);- (void)rv.MaybeSetPendingException(aCx, "PullIfNeeded Resolved Error");- }- }-- void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override {+ aCx, MOZ_KnownLive(mController), aRv);+ }+ }++ void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) override { // https://streams.spec.whatwg.org/#readable-byte-stream-controller-call-pull-if-needed // Step 8.1- ErrorResult rv;- ReadableByteStreamControllerError(mController, aValue, rv);- (void)rv.MaybeSetPendingException(aCx, "PullIfNeeded Rejected Error");+ ReadableByteStreamControllerError(mController, aValue, aRv); } };@@ -483,16 +564,15 @@ pullAlgorithm ? 
pullAlgorithm->PullCallback(aCx, *controller, aRv) : Promise::CreateResolvedWithUndefined( controller->GetParentObject(), aRv);+ if (aRv.Failed()) {+ return;+ } // Steps 7+8 RefPtr<ByteStreamPullIfNeededPromiseHandler> promiseHandler = new ByteStreamPullIfNeededPromiseHandler(aController); pullPromise->AppendNativeHandler(promiseHandler); }--already_AddRefed<PullIntoDescriptor>-ReadableByteStreamControllerShiftPendingPullInto(- ReadableByteStreamController* aController); bool ReadableByteStreamControllerFillPullIntoDescriptorFromQueue( JSContext* aCx, ReadableByteStreamController* aController,@@ -540,19 +620,22 @@ // Step 1. Assert: stream.[[state]] is not "errored". MOZ_ASSERT(aStream->State() != ReadableStream::ReaderState::Errored);- // Step 2. Let done be false.+ // Step 2. Assert: pullIntoDescriptor.reader type is not "none".+ MOZ_ASSERT(pullIntoDescriptor->GetReaderType() != ReaderType::None);++ // Step 3. Let done be false. bool done = false;- // Step 3. If stream.[[state]] is "closed",+ // Step 4. If stream.[[state]] is "closed", if (aStream->State() == ReadableStream::ReaderState::Closed) {- // Step 3.1. Assert: pullIntoDescriptor’s bytes filled is 0.+ // Step 4.1. Assert: pullIntoDescriptor’s bytes filled is 0. MOZ_ASSERT(pullIntoDescriptor->BytesFilled() == 0);- // Step 3.2. Set done to true.+ // Step 4.2. Set done to true. done = true; }- // Step 4. Let filledView be !+ // Step 5. Let filledView be ! // ReadableByteStreamControllerConvertPullIntoDescriptor(pullIntoDescriptor). JS::RootedObject filledView( aCx, ReadableByteStreamControllerConvertPullIntoDescriptor(@@ -562,18 +645,18 @@ } JS::RootedValue filledViewValue(aCx, JS::ObjectValue(*filledView));- // Step 5. If pullIntoDescriptor’s reader type is "default",+ // Step 6. If pullIntoDescriptor’s reader type is "default", if (pullIntoDescriptor->GetReaderType() == ReaderType::Default) {- // Step 5.1. Perform !ReadableStreamFulfillReadRequest(stream, filledView,+ // Step 6.1. 
Perform !ReadableStreamFulfillReadRequest(stream, filledView, // done). ReadableStreamFulfillReadRequest(aCx, aStream, filledViewValue, done, aRv); return; }- // Step 6.1. Assert: pullIntoDescriptor’s reader type is "byob".+ // Step 7.1. Assert: pullIntoDescriptor’s reader type is "byob". MOZ_ASSERT(pullIntoDescriptor->GetReaderType() == ReaderType::BYOB);- // Step 6.2 Perform !ReadableStreamFulfillReadIntoRequest(stream, filledView,+ // Step 7.2 Perform !ReadableStreamFulfillReadIntoRequest(stream, filledView, // done). ReadableStreamFulfillReadIntoRequest(aCx, aStream, filledViewValue, done, aRv);@@ -626,12 +709,89 @@ } }+MOZ_CAN_RUN_SCRIPT+void ReadableByteStreamControllerHandleQueueDrain(+ JSContext* aCx, ReadableByteStreamController* aController,+ ErrorResult& aRv);++// https://streams.spec.whatwg.org/#abstract-opdef-readablebytestreamcontrollerfillreadrequestfromqueue+MOZ_CAN_RUN_SCRIPT void ReadableByteStreamControllerFillReadRequestFromQueue(+ JSContext* aCx, ReadableByteStreamController* aController,+ ReadRequest* aReadRequest, ErrorResult& aRv) {+ // Step 1. Assert: controller.[[queueTotalSize]] > 0.+ MOZ_ASSERT(aController->QueueTotalSize() > 0);++ // Step 2. Let entry be controller.[[queue]][0].+ // Step 3. Remove entry from controller.[[queue]].+ RefPtr<ReadableByteStreamQueueEntry> entry = aController->Queue().popFirst();++ // Step 4. Set controller.[[queueTotalSize]] to controller.[[queueTotalSize]]+ // − entry’s byte length.+ aController->SetQueueTotalSize(aController->QueueTotalSize() -+ double(entry->ByteLength()));++ // Step 5. Perform ! ReadableByteStreamControllerHandleQueueDrain(controller).+ ReadableByteStreamControllerHandleQueueDrain(aCx, aController, aRv);+ if (aRv.Failed()) {+ return;+ }++ // Step 6. Let view be ! 
Construct(%Uint8Array%, « entry’s buffer, entry’s+ // byte offset, entry’s byte length »).+ aRv.MightThrowJSException();+ JS::Rooted<JSObject*> buffer(aCx, entry->Buffer());+ JS::Rooted<JSObject*> view(+ aCx, JS_NewUint8ArrayWithBuffer(aCx, buffer, entry->ByteOffset(),+ int64_t(entry->ByteLength())));+ if (!view) {+ aRv.StealExceptionFromJSContext(aCx);+ return;+ }++ // Step 7. Perform readRequest’s chunk steps, given view.+ JS::Rooted<JS::Value> viewValue(aCx, JS::ObjectValue(*view));+ aReadRequest->ChunkSteps(aCx, viewValue, aRv);+}++MOZ_CAN_RUN_SCRIPT void+ReadableByteStreamControllerProcessReadRequestsUsingQueue(+ JSContext* aCx, ReadableByteStreamController* aController,+ ErrorResult& aRv) {+ // Step 1. Let reader be controller.[[stream]].[[reader]].+ // Step 2. Assert: reader implements ReadableStreamDefaultReader.+ RefPtr<ReadableStreamDefaultReader> reader =+ aController->Stream()->GetDefaultReader();++ // Step 3. While reader.[[readRequests]] is not empty,+ while (!reader->ReadRequests().isEmpty()) {+ // Step 3.1. If controller.[[queueTotalSize]] is 0, return.+ if (aController->QueueTotalSize() == 0) {+ return;+ }++ // Step 3.2. Let readRequest be reader.[[readRequests]][0].+ // Step 3.3. Remove readRequest from reader.[[readRequests]].+ RefPtr<ReadRequest> readRequest = reader->ReadRequests().popFirst();++ // Step 3.4. Perform !+ // ReadableByteStreamControllerFillReadRequestFromQueue(controller,+ // readRequest).+ ReadableByteStreamControllerFillReadRequestFromQueue(aCx, aController,+ readRequest, aRv);+ if (aRv.Failed()) {+ return;+ }+ }+}+ // https://streams.spec.whatwg.org/#readable-byte-stream-controller-enqueue void ReadableByteStreamControllerEnqueue( JSContext* aCx, ReadableByteStreamController* aController, JS::Handle<JSObject*> aChunk, ErrorResult& aRv) {+ aRv.MightThrowJSException();+ // Step 1.- ReadableStream* stream = aController->Stream();+ RefPtr<ReadableStream> stream = aController->Stream(); // Step 2. 
if (aController->CloseRequested() ||@@ -643,6 +803,10 @@ bool isShared; JS::Rooted<JSObject*> buffer( aCx, JS_GetArrayBufferViewBuffer(aCx, aChunk, &isShared));+ if (!buffer) {+ aRv.StealExceptionFromJSContext(aCx);+ return;+ } // Step 4. size_t byteOffset = JS_GetArrayBufferViewByteOffset(aChunk);@@ -667,54 +831,84 @@ // Step 8. if (!aController->PendingPullIntos().isEmpty()) { // Step 8.1- PullIntoDescriptor* firstPendingPullInto =+ RefPtr<PullIntoDescriptor> firstPendingPullInto = aController->PendingPullIntos().getFirst(); // Step 8.2 JS::Rooted<JSObject*> pendingBuffer(aCx, firstPendingPullInto->Buffer()); if (JS::IsDetachedArrayBufferObject(pendingBuffer)) {- aRv.ThrowTypeError("Pending PullInto has detatched buffer");- return;- }-- // Step 8.3+ aRv.ThrowTypeError("Pending PullInto has detached buffer");+ return;+ }++ // Step 8.3. Perform !+ // ReadableByteStreamControllerInvalidateBYOBRequest(controller).+ ReadableByteStreamControllerInvalidateBYOBRequest(aController);++ // Step 8.4. Set firstPendingPullInto’s buffer to !+ // TransferArrayBuffer(firstPendingPullInto’s buffer). pendingBuffer = TransferArrayBuffer(aCx, pendingBuffer); if (!pendingBuffer) { aRv.StealExceptionFromJSContext(aCx); return; } firstPendingPullInto->SetBuffer(pendingBuffer);- }-- // Step 9.- ReadableByteStreamControllerInvalidateBYOBRequest(aController);-- // Step 10.++ // Step 8.5. If firstPendingPullInto’s reader type is "none", perform ?+ // ReadableByteStreamControllerEnqueueDetachedPullIntoToQueue(controller,+ // firstPendingPullInto).+ if (firstPendingPullInto->GetReaderType() == ReaderType::None) {+ ReadableByteStreamControllerEnqueueDetachedPullIntoToQueue(+ aCx, aController, firstPendingPullInto, aRv);+ if (aRv.Failed()) {+ return;+ }+ }+ }++ // Step 9. If ! ReadableStreamHasDefaultReader(stream) is true, if (ReadableStreamHasDefaultReader(stream)) {- // Step 10.1+ // Step 9.1. 
Perform !+ // ReadableByteStreamControllerProcessReadRequestsUsingQueue(controller).+ ReadableByteStreamControllerProcessReadRequestsUsingQueue(aCx, aController,+ aRv);+ if (aRv.Failed()) {+ return;+ }++ // Step 9.2. If ! ReadableStreamGetNumReadRequests(stream) is 0, if (ReadableStreamGetNumReadRequests(stream) == 0) {- // Step 10.1.1+ // Step 9.2.1 Assert: controller.[[pendingPullIntos]] is empty. MOZ_ASSERT(aController->PendingPullIntos().isEmpty());- // Step 10.1.2.+ // Step 9.2.2. Perform !+ // ReadableByteStreamControllerEnqueueChunkToQueue(controller,+ // transferredBuffer, byteOffset, byteLength). ReadableByteStreamControllerEnqueueChunkToQueue( aController, transferredBuffer, byteOffset, byteLength);++ // Step 9.3. Otherwise, } else {- // Step 10.2.1+ // Step 9.3.1 Assert: controller.[[queue]] is empty. MOZ_ASSERT(aController->Queue().isEmpty());- // Step 10.2.2+ // Step 9.3.2. If controller.[[pendingPullIntos]] is not empty, if (!aController->PendingPullIntos().isEmpty()) {- // Step 10.2.2.1:+ // Step 9.3.2.1. Assert: controller.[[pendingPullIntos]][0]'s reader+ // type is "default". MOZ_ASSERT( aController->PendingPullIntos().getFirst()->GetReaderType() == ReaderType::Default);- // Step 10.2.2.2:- (void)ReadableByteStreamControllerShiftPendingPullInto(aController);+ // Step 9.3.2.2. Perform !+ // ReadableByteStreamControllerShiftPendingPullInto(controller).+ RefPtr<PullIntoDescriptor> pullIntoDescriptor =+ ReadableByteStreamControllerShiftPendingPullInto(aController);+ (void)pullIntoDescriptor; }- // Step 10.2.3+ // Step 9.3.3. Let transferredView be ! Construct(%Uint8Array%, «+ // transferredBuffer, byteOffset, byteLength »). JS::Rooted<JSObject*> transferredView( aCx, JS_NewUint8ArrayWithBuffer(aCx, transferredBuffer, byteOffset, int64_t(byteLength)));@@ -723,37 +917,47 @@ return; }- // Step 10.2.4- JS::RootedValue transferredViewValue(aCx,- JS::ObjectValue(*transferredView));+ // Step 9.3.4. Perform ! 
ReadableStreamFulfillReadRequest(stream,+ // transferredView, false).+ JS::Rooted<JS::Value> transferredViewValue(+ aCx, JS::ObjectValue(*transferredView)); ReadableStreamFulfillReadRequest(aCx, stream, transferredViewValue, false, aRv); if (aRv.Failed()) { return; } }- // Step 11++ // Step 10. Otherwise, if ! ReadableStreamHasBYOBReader(stream) is true, } else if (ReadableStreamHasBYOBReader(stream)) {- // Step 11.1+ // Step 10.1. Perform !+ // ReadableByteStreamControllerEnqueueChunkToQueue(controller,+ // transferredBuffer, byteOffset, byteLength). ReadableByteStreamControllerEnqueueChunkToQueue( aController, transferredBuffer, byteOffset, byteLength);- // Step 11.2+ // Step 10.2 Perform !+ // ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue(controller). ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue( aCx, aController, aRv); if (aRv.Failed()) { return; }++ // Step 11. Otherwise, } else {- // Step 12.1- MOZ_ASSERT(IsReadableStreamLocked(stream));-- // Step 12.2+ // Step 11.1. Assert: ! IsReadableStreamLocked(stream) is false.+ MOZ_ASSERT(!IsReadableStreamLocked(stream));++ // Step 11.2. Perform !+ // ReadableByteStreamControllerEnqueueChunkToQueue(controller,+ // transferredBuffer, byteOffset, byteLength). ReadableByteStreamControllerEnqueueChunkToQueue( aController, transferredBuffer, byteOffset, byteLength); }- // Step 13.+ // Step 12. Perform !+ // ReadableByteStreamControllerCallPullIfNeeded(controller). 
ReadableByteStreamControllerCallPullIfNeeded(aCx, aController, aRv); }@@ -834,7 +1038,6 @@ } // https://streams.spec.whatwg.org/#readable-byte-stream-controller-handle-queue-drain-MOZ_CAN_RUN_SCRIPT void ReadableByteStreamControllerHandleQueueDrain( JSContext* aCx, ReadableByteStreamController* aController, ErrorResult& aRv) {@@ -848,7 +1051,8 @@ ReadableByteStreamControllerClearAlgorithms(aController); // Step 2.2- ReadableStreamClose(aCx, aController->Stream(), aRv);+ RefPtr<ReadableStream> stream = aController->Stream();+ ReadableStreamClose(aCx, stream, aRv); return; }@@ -868,35 +1072,15 @@ // Step 3. if (QueueTotalSize() > 0) {- // Step 3.1+ // Step 3.1. Assert: ! ReadableStreamGetNumReadRequests ( stream ) is 0. MOZ_ASSERT(ReadableStreamGetNumReadRequests(stream) == 0);- // Step 3.2 + 3.3- RefPtr<ReadableByteStreamQueueEntry> entry = Queue().popFirst();-- // Step 3.4- SetQueueTotalSize(QueueTotalSize() - double(entry->ByteLength()));-- // Step 3.5- ReadableByteStreamControllerHandleQueueDrain(aCx, this, aRv);- if (aRv.Failed()) {- return;- }-- // Step 3.6- JS::Rooted<JSObject*> buffer(aCx, entry->Buffer());- JS::Rooted<JSObject*> view(- aCx, JS_NewUint8ArrayWithBuffer(aCx, buffer, entry->ByteOffset(),- int64_t(entry->ByteLength())));-- // Step 3.7- JS::RootedValue viewValue(aCx, JS::ObjectValue(*view));- aReadRequest->ChunkSteps(aCx, viewValue, aRv);- if (aRv.Failed()) {- return;- }-- // Step 3.8+ // Step 3.2. Perform !+ // ReadableByteStreamControllerFillReadRequestFromQueue(this, readRequest).+ ReadableByteStreamControllerFillReadRequestFromQueue(aCx, this,+ aReadRequest, aRv);++ // Step 3.3. Return. return; }@@ -906,6 +1090,7 @@ // Step 5. 
if (autoAllocateChunkSize) { // Step 5.1+ aRv.MightThrowJSException(); JS::Rooted<JSObject*> buffer( aCx, JS::NewArrayBuffer(aCx, *autoAllocateChunkSize)); // Step 5.2@@ -944,6 +1129,24 @@ ReadableByteStreamControllerCallPullIfNeeded(aCx, this, aRv); }+// https://streams.spec.whatwg.org/#abstract-opdef-readablebytestreamcontroller-releasesteps+void ReadableByteStreamController::ReleaseSteps() {+ // Step 1. If this.[[pendingPullIntos]] is not empty,+ if (!PendingPullIntos().isEmpty()) {+ // Step 1.1. Let firstPendingPullInto be this.[[pendingPullIntos]][0].+ RefPtr<PullIntoDescriptor> firstPendingPullInto =+ PendingPullIntos().popFirst();++ // Step 1.2. Set firstPendingPullInto’s reader type to "none".+ firstPendingPullInto->SetReaderType(ReaderType::None);++ // Step 1.3. Set this.[[pendingPullIntos]] to the list «+ // firstPendingPullInto ».+ PendingPullIntos().clear();+ PendingPullIntos().insertBack(firstPendingPullInto);+ }+}+ // https://streams.spec.whatwg.org/#readable-byte-stream-controller-shift-pending-pull-into already_AddRefed<PullIntoDescriptor> ReadableByteStreamControllerShiftPendingPullInto(@@ -982,19 +1185,20 @@ // https://streams.spec.whatwg.org/#readable-byte-stream-controller-convert-pull-into-descriptor JSObject* ReadableByteStreamControllerConvertPullIntoDescriptor( JSContext* aCx, PullIntoDescriptor* pullIntoDescriptor, ErrorResult& aRv) {- // Step 1.+ // Step 1. Let bytesFilled be pullIntoDescriptor’s bytes filled. uint64_t bytesFilled = pullIntoDescriptor->BytesFilled();- // Step2.+ // Step 2. Let elementSize be pullIntoDescriptor’s element size. uint64_t elementSize = pullIntoDescriptor->ElementSize();- // Step 3.+ // Step 3. Assert: bytesFilled ≤ pullIntoDescriptor’s byte length. MOZ_ASSERT(bytesFilled <= pullIntoDescriptor->ByteLength());- // Step 4.+ // Step 4. Assert: bytesFilled mod elementSize is 0. MOZ_ASSERT(bytesFilled % elementSize == 0);- // Step 5.+ // Step 5. Let buffer be ! 
TransferArrayBuffer(pullIntoDescriptor’s buffer).+ aRv.MightThrowJSException(); JS::Rooted<JSObject*> srcBuffer(aCx, pullIntoDescriptor->Buffer()); JS::Rooted<JSObject*> buffer(aCx, TransferArrayBuffer(aCx, srcBuffer)); if (!buffer) {@@ -1002,16 +1206,16 @@ return nullptr; }- // Step 6.+ // Step 6. Return ! Construct(pullIntoDescriptor’s view constructor,+ // « buffer, pullIntoDescriptor’s byte offset, bytesFilled ÷ elementSize »). JS::Rooted<JSObject*> res( aCx, ConstructFromPullIntoConstructor( aCx, pullIntoDescriptor->ViewConstructor(), buffer,- pullIntoDescriptor->ByteOffset(), bytesFilled % elementSize));+ pullIntoDescriptor->ByteOffset(), bytesFilled / elementSize)); if (!res) { aRv.StealExceptionFromJSContext(aCx); return nullptr; }- return res; }@@ -1020,21 +1224,32 @@ static void ReadableByteStreamControllerRespondInClosedState( JSContext* aCx, ReadableByteStreamController* aController, RefPtr<PullIntoDescriptor>& aFirstDescriptor, ErrorResult& aRv) {- // Step 1.+ // Step 1. Assert: firstDescriptor ’s bytes filled is 0. MOZ_ASSERT(aFirstDescriptor->BytesFilled() == 0);- // Step 2.+ // Step 2. If firstDescriptor’s reader type is "none",+ // perform ! ReadableByteStreamControllerShiftPendingPullInto(controller).+ if (aFirstDescriptor->GetReaderType() == ReaderType::None) {+ RefPtr<PullIntoDescriptor> discarded =+ ReadableByteStreamControllerShiftPendingPullInto(aController);+ (void)discarded;+ }++ // Step 3. Let stream be controller.[[stream]]. RefPtr<ReadableStream> stream = aController->Stream();- // Step 3.+ // Step 4. If ! ReadableStreamHasBYOBReader(stream) is true, if (ReadableStreamHasBYOBReader(stream)) {- // Step 3.1+ // Step 4.1. While ! ReadableStreamGetNumReadIntoRequests(stream) > 0, while (ReadableStreamGetNumReadIntoRequests(stream) > 0) {- // Step 3.1.1+ // Step 4.1.1. Let pullIntoDescriptor be !+ // ReadableByteStreamControllerShiftPendingPullInto(controller). 
RefPtr<PullIntoDescriptor> pullIntoDescriptor = ReadableByteStreamControllerShiftPendingPullInto(aController);- // Step 3.1.2.+ // Step 4.1.2. Perform !+ // ReadableByteStreamControllerCommitPullIntoDescriptor(stream,+ // pullIntoDescriptor). ReadableByteStreamControllerCommitPullIntoDescriptor( aCx, stream, pullIntoDescriptor, aRv); }@@ -1075,52 +1290,68 @@ ReadableByteStreamControllerFillHeadPullIntoDescriptor( aController, aBytesWritten, aPullIntoDescriptor);- // Step 3. If pullIntoDescriptor’s bytes filled < pullIntoDescriptor’s element+ // Step 3. If pullIntoDescriptor’s reader type is "none",+ if (aPullIntoDescriptor->GetReaderType() == ReaderType::None) {+ // Step 3.1. Perform ?+ // ReadableByteStreamControllerEnqueueDetachedPullIntoToQueue(controller,+ // pullIntoDescriptor).+ ReadableByteStreamControllerEnqueueDetachedPullIntoToQueue(+ aCx, aController, aPullIntoDescriptor, aRv);+ if (aRv.Failed()) {+ return;+ }++ // Step 3.2. Perform !+ // ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue(controller).+ ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue(+ aCx, aController, aRv);++ // Step 3.3. Return.+ return;+ }++ // Step 4. If pullIntoDescriptor’s bytes filled < pullIntoDescriptor’s element // size, return. if (aPullIntoDescriptor->BytesFilled() < aPullIntoDescriptor->ElementSize()) { return; }- // Step 4. Perform+ // Step 5. Perform // !ReadableByteStreamControllerShiftPendingPullInto(controller).- ReadableByteStreamControllerShiftPendingPullInto(aController);-- // Step 5. Let remainderSize be pullIntoDescriptor’s bytes filled mod+ RefPtr<PullIntoDescriptor> pullIntoDescriptor =+ ReadableByteStreamControllerShiftPendingPullInto(aController);+ (void)pullIntoDescriptor;++ // Step 6. Let remainderSize be pullIntoDescriptor’s bytes filled mod // pullIntoDescriptor’s element size. size_t remainderSize = aPullIntoDescriptor->BytesFilled() % aPullIntoDescriptor->ElementSize();- // Step 6. If remainderSize > 0,+ // Step 7. 
If remainderSize > 0, if (remainderSize > 0) {- // Step 6.1. Let end be pullIntoDescriptor’s byte offset ++ // Step 7.1. Let end be pullIntoDescriptor’s byte offset + // pullIntoDescriptor’s bytes filled. size_t end = aPullIntoDescriptor->ByteOffset() + aPullIntoDescriptor->BytesFilled();- // Step 6.2. Let remainder be ? CloneArrayBuffer(pullIntoDescriptor’s- // buffer, end − remainderSize, remainderSize, %ArrayBuffer%).+ // Step 7.2. Perform ?+ // ReadableByteStreamControllerEnqueueClonedChunkToQueue(controller,+ // pullIntoDescriptor’s buffer, end − remainderSize, remainderSize). JS::Rooted<JSObject*> pullIntoBuffer(aCx, aPullIntoDescriptor->Buffer());- JS::Rooted<JSObject*> remainder(- aCx, JS::ArrayBufferClone(aCx, pullIntoBuffer, end - remainderSize,- remainderSize));- if (!remainder) {- aRv.StealExceptionFromJSContext(aCx);- return;- }-- // Step 6.3 Perform- // !ReadableByteStreamControllerEnqueueChunkToQueue(controller, remainder,- // 0, remainder.[[ByteLength]]).- ReadableByteStreamControllerEnqueueChunkToQueue(- aController, remainder, 0, JS::GetArrayBufferByteLength(remainder));- }-- // Step 7. Set pullIntoDescriptor’s bytes filled to pullIntoDescriptor’s bytes+ ReadableByteStreamControllerEnqueueClonedChunkToQueue(+ aCx, aController, pullIntoBuffer, end - remainderSize, remainderSize,+ aRv);+ if (aRv.Failed()) {+ return;+ }+ }++ // Step 8. Set pullIntoDescriptor’s bytes filled to pullIntoDescriptor’s bytes // filled − remainderSize. aPullIntoDescriptor->SetBytesFilled(aPullIntoDescriptor->BytesFilled() - remainderSize);- // Step 8. Perform+ // Step 9. Perform // !ReadableByteStreamControllerCommitPullIntoDescriptor(controller.[[stream]], // pullIntoDescriptor). RefPtr<ReadableStream> stream(aController->Stream());@@ -1130,7 +1361,7 @@ return; }- // Step 9. Perform+ // Step 10. Perform // !ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue(controller). 
ReadableByteStreamControllerProcessPullIntoDescriptorsUsingQueue( aCx, aController, aRv);@@ -1227,6 +1458,7 @@ } // Step 6.+ aRv.MightThrowJSException(); JS::Rooted<JSObject*> buffer(aCx, firstDescriptor->Buffer()); JS::Rooted<JSObject*> transferredBuffer(aCx, TransferArrayBuffer(aCx, buffer));@@ -1245,6 +1477,8 @@ void ReadableByteStreamControllerRespondWithNewView( JSContext* aCx, ReadableByteStreamController* aController, JS::Handle<JSObject*> aView, ErrorResult& aRv) {+ aRv.MightThrowJSException();+ // Step 1. MOZ_ASSERT(!aController->PendingPullIntos().isEmpty());@@ -1304,17 +1538,23 @@ return; }- // Step 10.- JS::Rooted<JSObject*> transferedBuffer(aCx, TransferArrayBuffer(aCx, aView));+ // Step 10. Let viewByteLength be view.[[ByteLength]].+ size_t viewByteLength = JS_GetArrayBufferViewByteLength(aView);++ // Step 11. Set firstDescriptor’s buffer to ?+ // TransferArrayBuffer(view.[[ViewedArrayBuffer]]).+ JS::Rooted<JSObject*> transferedBuffer(+ aCx, TransferArrayBuffer(aCx, viewedArrayBuffer)); if (!transferedBuffer) { aRv.StealExceptionFromJSContext(aCx); return; } firstDescriptor->SetBuffer(transferedBuffer);- // Step 11.- ReadableByteStreamControllerRespondInternal(- aCx, aController, JS_GetArrayBufferViewByteLength(aView), aRv);+ // Step 12. Perform ? ReadableByteStreamControllerRespondInternal(controller,+ // viewByteLength).+ ReadableByteStreamControllerRespondInternal(aCx, aController, viewByteLength,+ aRv); } // https://streams.spec.whatwg.org/#readable-byte-stream-controller-fill-pull-into-descriptor-from-queue@@ -1447,6 +1687,8 @@ JSContext* aCx, ReadableByteStreamController* aController, JS::HandleObject aView, ReadIntoRequest* aReadIntoRequest, ErrorResult& aRv) {+ aRv.MightThrowJSException();+ // Step 1. Let stream be controller.[[stream]]. 
ReadableStream* stream = aController->Stream();@@ -1497,6 +1739,12 @@ aRv.StealExceptionFromJSContext(aCx); return; }++ // It's not expliclitly stated, but I assume the intention here is that+ // we perform a normal completion here; we also need to clear the+ // exception state anyhow to succesfully run ErrorSteps.+ JS_ClearPendingException(aCx);+ // Step 8.1. Perform readIntoRequest’s error steps, given // bufferResult.[[Value]]. aReadIntoRequest->ErrorSteps(aCx, pendingException, aRv);@@ -1568,7 +1816,7 @@ if (ready) { // Step 13.1.1 Let filledView be // !ReadableByteStreamControllerConvertPullIntoDescriptor(pullIntoDescriptor).- JS::RootedObject filledView(+ JS::Rooted<JSObject*> filledView( aCx, ReadableByteStreamControllerConvertPullIntoDescriptor( aCx, pullIntoDescriptor, aRv)); if (aRv.Failed()) {@@ -1636,7 +1884,8 @@ : PromiseNativeHandler(), mController(aController) {} MOZ_CAN_RUN_SCRIPT- void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override {+ void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) override { MOZ_ASSERT(mController); // https://streams.spec.whatwg.org/#set-up-readable-byte-stream-controller@@ -1651,18 +1900,16 @@ mController->SetPullAgain(false); // Step 16.4:- ErrorResult rv;+ RefPtr<ReadableByteStreamController> stackController = mController;- ReadableByteStreamControllerCallPullIfNeeded(aCx, stackController, rv);- (void)rv.MaybeSetPendingException(aCx, "StartPromise Resolve Error");- }-- void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override {+ ReadableByteStreamControllerCallPullIfNeeded(aCx, stackController, aRv);+ }++ void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) override { // https://streams.spec.whatwg.org/#set-up-readable-byte-stream-controller // Step 17.1- ErrorResult rv;- ReadableByteStreamControllerError(mController, aValue, rv);- (void)rv.MaybeSetPendingException(aCx, "StartPromise Rejected Error");+ 
ReadableByteStreamControllerError(mController, aValue, aRv); } };@@ -1681,8 +1928,8 @@ UnderlyingSourceStartCallbackHelper* aStartAlgorithm, UnderlyingSourcePullCallbackHelper* aPullAlgorithm, UnderlyingSourceCancelCallbackHelper* aCancelAlgorithm,- double aHighWaterMark, Maybe<uint64_t> aAutoAllocateChunkSize,- ErrorResult& aRv) {+ UnderlyingSourceErrorCallbackHelper* aErrorAlgorithm, double aHighWaterMark,+ Maybe<uint64_t> aAutoAllocateChunkSize, ErrorResult& aRv) { // Step 1. Assert: stream.[[controller]] is undefined. MOZ_ASSERT(!aStream->Controller());@@ -1719,6 +1966,9 @@ // Step 10. Set controller.[[cancelAlgorithm]] to cancelAlgorithm. aController->SetCancelAlgorithm(aCancelAlgorithm);++ // Not Specified.+ aStream->SetErrorAlgorithm(aErrorAlgorithm); // Step 11. Set controller.[[autoAllocateChunkSize]] to autoAllocateChunkSize. aController->SetAutoAllocateChunkSize(aAutoAllocateChunkSize);@@ -1755,5 +2005,130 @@ new ByteStreamStartPromiseNativeHandler(aController)); }+// https://streams.spec.whatwg.org/#set-up-readable-byte-stream-controller-from-underlying-source+void SetUpReadableByteStreamControllerFromUnderlyingSource(+ JSContext* aCx, ReadableStream* aStream, JS::HandleObject aUnderlyingSource,+ UnderlyingSource& aUnderlyingSourceDict, double aHighWaterMark,+ ErrorResult& aRv) {+ // Step 1. Let controller be a new ReadableByteStreamController.+ RefPtr<ReadableByteStreamController> controller =+ new ReadableByteStreamController(aStream->GetParentObject());++ // Step 2. Let startAlgorithm be an algorithm that returns undefined.+ RefPtr<UnderlyingSourceStartCallbackHelper> startAlgorithm;++ // Step 3. Let pullAlgorithm be an algorithm that returns a promise resolved+ // with undefined.+ RefPtr<UnderlyingSourcePullCallbackHelper> pullAlgorithm;++ // Step 4. Let cancelAlgorithm be an algorithm that returns a promise resolved+ // with undefined.+ RefPtr<UnderlyingSourceCancelCallbackHelper> cancelAlgorithm;++ // Step 5. 
If underlyingSourceDict["start"] exists, then set startAlgorithm to+ // an algorithm which returns the result of invoking+ // underlyingSourceDict["start"] with argument list « controller » and+ // callback this value underlyingSource.+ startAlgorithm =+ aUnderlyingSourceDict.mStart.WasPassed()+ ? new UnderlyingSourceStartCallbackHelper(+ aUnderlyingSourceDict.mStart.Value(), aUnderlyingSource)+ : nullptr;++ // Step 6. If underlyingSourceDict["pull"] exists, then set pullAlgorithm to+ // an algorithm which returns the result of invoking+ // underlyingSourceDict["pull"] with argument list « controller » and callback+ // this value underlyingSource.+ pullAlgorithm =+ aUnderlyingSourceDict.mPull.WasPassed()+ ? new IDLUnderlyingSourcePullCallbackHelper(+ aUnderlyingSourceDict.mPull.Value(), aUnderlyingSource)+ : nullptr;++ // Step 7. If underlyingSourceDict["cancel"] exists, then set cancelAlgorithm+ // to an algorithm which takes an argument reason and returns the result of+ // invoking underlyingSourceDict["cancel"] with argument list « reason » and+ // callback this value underlyingSource.+ cancelAlgorithm =+ aUnderlyingSourceDict.mCancel.WasPassed()+ ? new IDLUnderlyingSourceCancelCallbackHelper(+ aUnderlyingSourceDict.mCancel.Value(), aUnderlyingSource)+ : nullptr;++ // Step 8. Let autoAllocateChunkSize be+ // underlyingSourceDict["autoAllocateChunkSize"], if it exists, or undefined+ // otherwise.+ Maybe<uint64_t> autoAllocateChunkSize = mozilla::Nothing();+ if (aUnderlyingSourceDict.mAutoAllocateChunkSize.WasPassed()) {+ uint64_t value = aUnderlyingSourceDict.mAutoAllocateChunkSize.Value();+ // Step 9. If autoAllocateChunkSize is 0, then throw a TypeError+ // exception.+ if (value == 0) {+ aRv.ThrowTypeError("autoAllocateChunkSize can not be zero.");+ return;+ }+ autoAllocateChunkSize = mozilla::Some(value);+ }++ // Step 10. Perform ? 
SetUpReadableByteStreamController(stream, controller,+ // startAlgorithm, pullAlgorithm, cancelAlgorithm, highWaterMark,+ // autoAllocateChunkSize).+ SetUpReadableByteStreamController(aCx, aStream, controller, startAlgorithm,+ pullAlgorithm, cancelAlgorithm,+ nullptr /* aErrorAlgorithm */,+ aHighWaterMark, autoAllocateChunkSize, aRv);
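Review bot: in hunk @@ -483,16 +564,15 @@ the new `if (aRv.Failed()) { return; }` after the `pullAlgorithm ? pullAlgorithm->PullCallback(aCx, *controller, aRv) : Promise::CreateResolvedWithUndefined(...)` expression closes a real gap: before this change a pull callback that failed fell straight through to `pullPromise->AppendNativeHandler(promiseHandler)` with an error already recorded in `aRv`. Call this out as a behavioural fix in the commit message and add a regression test in which `pull()` throws synchronously.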
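Review bot: in hunk @@ -626,12 +709,89 @@, Step 2 of `ReadableByteStreamControllerProcessReadRequestsUsingQueue` ("Assert: reader implements ReadableStreamDefaultReader") exists only as a comment, yet `reader` from `GetDefaultReader()` is dereferenced unconditionally in `while (!reader->ReadRequests().isEmpty())`. Add `MOZ_ASSERT(reader);` after the assignment so the invariant is checked in debug builds like the other spec asserts in this file (`MOZ_ASSERT(aController->QueueTotalSize() > 0)` two functions up).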
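Review bot: hunk @@ -868,35 +1072,15 @@ is more than a refactor: the removed Step 3.6 lines dereferenced `*view` from `JS_NewUint8ArrayWithBuffer` with no null check, whereas the replacement `ReadableByteStreamControllerFillReadRequestFromQueue` does `if (!view) { aRv.StealExceptionFromJSContext(aCx); return; }`. State in the commit message that this fixes a latent null dereference on allocation failure. Dropping the old `if (aRv.Failed()) { return; }` after `ChunkSteps` is fine here only because Step 3.3 returns unconditionally on the next line.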
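Review bot: in hunk @@ -667,54 +831,84 @@ `ReadableByteStreamControllerInvalidateBYOBRequest(aController)` moves from an unconditional Step 9 into the `if (!aController->PendingPullIntos().isEmpty())` block as Step 8.3 and now runs before `TransferArrayBuffer`, so with no pending pull-intos the BYOB request is no longer invalidated. That matches the renumbered spec steps quoted in the comments but is a behaviour change worth one sentence in the commit message. Changing `firstPendingPullInto` from `PullIntoDescriptor*` to `RefPtr<PullIntoDescriptor>` is right, since the descriptor is used across the `ReadableByteStreamControllerEnqueueDetachedPullIntoToQueue` call that follows, and it is consistent with the `RefPtr<ReadableStream> stream` change at the top of the same function; the "detatched" → "detached" fix in the TypeError message is also welcome.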
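Review bot: the `bytesFilled % elementSize` → `bytesFilled / elementSize` change in hunk @@ -1002,16 +1206,16 @@ is a genuine correctness fix hiding among comment updates: Step 4 asserts `bytesFilled % elementSize == 0`, so the old code always passed an element length of 0 to `ConstructFromPullIntoConstructor` and every view produced by `ReadableByteStreamControllerConvertPullIntoDescriptor` was empty. Give it its own line in the commit message and add a test that reads a BYOB chunk with an element size greater than 1 and checks the returned view's length.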
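Review bot: in hunk @@ -1304,17 +1538,23 @@ the switch from `TransferArrayBuffer(aCx, aView)` to `TransferArrayBuffer(aCx, viewedArrayBuffer)` corrects passing the typed-array view where the spec's `view.[[ViewedArrayBuffer]]` is required, but `viewedArrayBuffer` is not defined within this hunk, so confirm it is rooted and null-checked where it is obtained. While touching these lines, rename `transferedBuffer` to `transferredBuffer` to match the spelling used in `ReadableByteStreamControllerEnqueue`.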
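Review bot: the added `JS_ClearPendingException(aCx);` in hunk @@ -1497,6 +1739,12 @@ is justified only by a comment that says the behaviour is assumed. Since the exception value has already been captured (it is passed as `pendingException` to `aReadIntoRequest->ErrorSteps` on the next line), clearing it is consistent, but replace "I assume the intention here" with a reference to the spec step or a filed spec issue so the next reader knows whether this has been resolved, and fix the spelling in the comment ("expliclitly" → "explicitly", "succesfully" → "successfully").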
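Review bot: `aStream->SetErrorAlgorithm(aErrorAlgorithm);` in hunk @@ -1719,6 +1966,9 @@ is introduced under a bare "// Not Specified." comment, and the only caller shown, `SetUpReadableByteStreamControllerFromUnderlyingSource`, passes `nullptr /* aErrorAlgorithm */`. Explain in that comment what the error algorithm is for and which caller supplies a non-null one, and confirm that the new `UnderlyingSourceErrorCallbackHelper` member held by the stream is covered by its cycle-collection traverse and unlink macros.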
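Review bot: in hunk @@ -1755,5 +2005,130 @@ the Step 2-4 comments say the default algorithms "return undefined" or "a promise resolved with undefined", but the code leaves `startAlgorithm`, `pullAlgorithm` and `cancelAlgorithm` as null `RefPtr`s and relies on callers such as `ReadableByteStreamControllerCallPullIfNeeded` (`pullAlgorithm ? pullAlgorithm->PullCallback(...) : Promise::CreateResolvedWithUndefined(...)`) to treat null as that default; say so in the comment so the contract is explicit. The three declarations on Steps 2-4 are immediately reassigned on Steps 5-7 and could be merged into the conditional initialisations, and the mixed naming (`UnderlyingSourceStartCallbackHelper` next to `IDLUnderlyingSourcePullCallbackHelper` and `IDLUnderlyingSourceCancelCallbackHelper`) deserves a sentence on whether start intentionally has no IDL variant.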
Based on the provided code diff, I'll analyze it for security fixes. Here's the analysis:

1. Vulnerability Existed: yes
Memory Management Issue
[File] dom/streams/ReadableByteStreamController.cpp
[Lines] Constructor/Destructor changes
[Old Code]
```cpp
ReadableByteStreamController::ReadableByteStreamController(
    nsIGlobalObject* aGlobal)
    : ReadableStreamController(aGlobal) {}

ReadableByteStreamController::~ReadableByteStreamController() {
  ClearPendingPullIntos();
  ClearQueue();
}
```
[Fixed Code]
```cpp
ReadableByteStreamController::ReadableByteStreamController(
    nsIGlobalObject* aGlobal)
    : ReadableStreamController(aGlobal) {
  mozilla::HoldJSObjects(this);
}

ReadableByteStreamController::~ReadableByteStreamController() {
  ClearPendingPullIntos();
  ClearQueue();
  mozilla::DropJSObjects(this);
}
```

2. Vulnerability Existed: yes
Cycle Collection Issue
[File] dom/streams/ReadableByteStreamController.cpp
[Lines] NS_IMPL_CYCLE_COLLECTION_UNLINK/TRAVERSE changes
[Old Code]
```cpp
NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN_INHERITED(ReadableByteStreamController,
                                                ReadableStreamController)
  NS_IMPL_CYCLE_COLLECTION_UNLINK(mByobRequest, mStream)
NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INHERITED(ReadableByteStreamController,
                                                  ReadableStreamController)
  NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mByobRequest, mStream)
```
[Fixed Code]
```cpp
NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN_INHERITED(ReadableByteStreamController,
                                                ReadableStreamController)
  NS_IMPL_CYCLE_COLLECTION_UNLINK(mByobRequest, mCancelAlgorithm,
                                  mPullAlgorithm, mStream)
NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_INHERITED(ReadableByteStreamController,
                                                  ReadableStreamController)
  NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mByobRequest, mCancelAlgorithm,
                                    mPullAlgorithm, mStream)
```

3. Vulnerability Existed: yes
Error Handling Issue
[File] dom/streams/ReadableByteStreamController.cpp
[Lines] ReadableByteStreamControllerGetBYOBRequest changes
[Old Code]
```cpp
already_AddRefed<ReadableStreamBYOBRequest>
ReadableByteStreamControllerGetBYOBRequest(
    JSContext* aCx, ReadableByteStreamController* aController) {
  ...
  if (!view) {
    return nullptr;
  }
```
[Fixed Code]
```cpp
already_AddRefed<ReadableStreamBYOBRequest>
ReadableByteStreamControllerGetBYOBRequest(
    JSContext* aCx, ReadableByteStreamController* aController,
    ErrorResult& aRv) {
  ...
  aRv.MightThrowJSException();
  ...
  if (!view) {
    aRv.StealExceptionFromJSContext(aCx);
    return nullptr;
  }
```

4. Vulnerability Existed: yes
Memory Safety Issue
[File] dom/streams/ReadableByteStreamController.cpp
[Lines] ReadableByteStreamControllerRespondWithNewView changes
[Old Code]
```cpp
JS::Rooted<JSObject*> transferedBuffer(aCx, TransferArrayBuffer(aCx, aView));
```
[Fixed Code]
```cpp
JS::Rooted<JSObject*> transferedBuffer(
    aCx, TransferArrayBuffer(aCx, viewedArrayBuffer));
```

5. Vulnerability Existed: yes
Promise Handling Issue
[File] dom/streams/ReadableByteStreamController.cpp
[Lines] ByteStreamPullIfNeededPromiseHandler changes
[Old Code]
```cpp
void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override {
  ...
  ErrorResult rv;
  ReadableByteStreamControllerCallPullIfNeeded(
      aCx, MOZ_KnownLive(mController), rv);
  (void)rv.MaybeSetPendingException(aCx, "PullIfNeeded Resolved Error");
}

void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override {
  ErrorResult rv;
  ReadableByteStreamControllerError(mController, aValue, rv);
  (void)rv.MaybeSetPendingException(aCx, "PullIfNeeded Rejected Error");
}
```
[Fixed Code]
```cpp
void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,
                      ErrorResult& aRv) override {
  ...
  ReadableByteStreamControllerCallPullIfNeeded(
      aCx, MOZ_KnownLive(mController), aRv);
}

void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,
                      ErrorResult& aRv) override {
  ReadableByteStreamControllerError(mController, aValue, aRv);
}
```

The changes address several security-related issues:

1. Proper JS object management with HoldJSObjects/DropJSObjects
2. Improved cycle collection to prevent memory leaks
3. Better error handling and propagation
4. Fixed buffer transfer logic
5. Improved promise handling with proper error propagation

These changes help prevent memory leaks, improve error handling, and make the code more robust against potential security issues related to improper resource management.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/console/Console.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/console/Console.cpp@@ -22,7 +22,6 @@ #include "mozilla/dom/ScriptSettings.h" #include "mozilla/dom/StructuredCloneHolder.h" #include "mozilla/dom/ToJSValue.h"-#include "mozilla/dom/WorkerPrivate.h" #include "mozilla/dom/WorkerRunnable.h" #include "mozilla/dom/WorkerScope.h" #include "mozilla/dom/WorkletGlobalScope.h"
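Review bot: dropping `#include "mozilla/dom/WorkerPrivate.h"` is a pure include cleanup, but `WorkerRunnable.h` and `WorkerScope.h` stay in the list, so verify with a non-unified build that Console.cpp no longer references anything from WorkerPrivate.h; unified builds can mask a header that is still needed.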
Based on the provided diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: not sure
[Potential Unused Import Removal]
[dom/console/Console.cpp] [Lines 22]
Old Code: `#include "mozilla/dom/WorkerPrivate.h"`
Fixed Code: [removed]
Additional Details:
- The change simply removes an unused header include (`mozilla/dom/WorkerPrivate.h`).
- While removing unused code is generally good practice for maintainability, this doesn't appear to be a security fix.
- There's no clear vulnerability being addressed here, just code cleanup.
- Without more context about why this header was included in the first place, I can't be certain if its removal might have security implications, though it seems unlikely.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.nocontext.source-in.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.nocontext.source-in.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 255, 0.5)';@@ -26,7 +26,7 @@ ctx.globalCompositeOperation = 'source-in'; var offscreenCanvas2 = new OffscreenCanvas(100, 50); ctx.drawImage(offscreenCanvas2, 0, 0);-_assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);+_assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5); t.done(); });
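Review bot: the rename from `offscreenCanvas` to `canvas` is left half-done in this hunk: the second canvas is still `offscreenCanvas2`, so the file now mixes both naming schemes; rename it to `canvas2` for consistency. These canvas tests are generated from the YAML under html/canvas/tools, so the rename should be made in the generator templates, or the next regeneration will reintroduce the old name. The assertion itself is untouched: with `source-in` and an uncovered, context-less source canvas, the pixel at (50,25) must remain fully transparent.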
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes are a variable rename for consistency rather than security fixes. Here's the analysis:

1. Vulnerability Existed: no
No security vulnerability found
[testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.nocontext.source-in.html] [Lines 17-26]
Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```
Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```

2. Vulnerability Existed: no
No security vulnerability found
[testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.nocontext.source-in.html] [Line 26]
Old Code:
```javascript
_assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);
```
Fixed Code:
```javascript
_assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);
```

The changes are purely a variable rename (from `offscreenCanvas` to `canvas`) and do not address any security issue. The test logic is unchanged: compositing an uncovered, context-less OffscreenCanvas with `source-in` must leave the sampled pixel fully transparent. The second canvas keeps its old name `offscreenCanvas2`.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.font.parse.invalid.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.font.parse.invalid.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.font = '20px serif'; _assertSame(ctx.font, '20px serif', "ctx.font", "'20px serif'");
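Review bot: rename-only hunk; the `_assertSame(ctx.font, '20px serif', ...)` line it leads into is the baseline check, and nothing visible here exercises an invalid font string, so the behaviour this test is named for is not changed. As with the other generated canvas tests, the rename belongs in the html/canvas/tools YAML rather than in the emitted file.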
Analysis of the provided code diff:

1. Vulnerability Existed: no
No security vulnerability found
[testing/web-platform/tests/html/canvas/offscreen/text/2d.text.font.parse.invalid.html] [Lines 17-18]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');

The change is purely cosmetic: the variable `offscreenCanvas` is renamed to `canvas`. No security vulnerability is fixed; the rename touches no security-relevant functionality and adds or removes no checks. The test still performs the same font assertion (`ctx.font` reads back as `'20px serif'` after being set); the invalid-font cases the file is named for lie outside the hunk.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/futures-io/.cargo-checksum.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/futures-io/.cargo-checksum.json@@ -1 +1 @@-{"files":{"Cargo.toml":"3fe694cf8d976b18177e0d293eed1114dddb6ae8f7a47c4986714dff7dfb9a51","LICENSE-APACHE":"275c491d6d1160553c32fd6127061d7f9606c3ea25abfad6ca3f6ed088785427","LICENSE-MIT":"6652c868f35dfe5e8ef636810a4e576b9d663f3a17fb0f5613ad73583e1b88fd","README.md":"575430be5c47352d85f36b44dcc2c2851a6a19e2384593415c4af22c6654cee7","src/lib.rs":"ed7cdabff6c25bf4f917b071055962a88809cc4a23a6fc98395d0d72d1d930fd"},"package":"e481354db6b5c353246ccf6a728b0c5511d752c08da7260546fc0933869daa11"}+{"files":{"Cargo.toml":"3a6ff8f01952afc090840100031af93a25a429da7baf4d134e559abdfd9c9b2a","LICENSE-APACHE":"275c491d6d1160553c32fd6127061d7f9606c3ea25abfad6ca3f6ed088785427","LICENSE-MIT":"6652c868f35dfe5e8ef636810a4e576b9d663f3a17fb0f5613ad73583e1b88fd","README.md":"575430be5c47352d85f36b44dcc2c2851a6a19e2384593415c4af22c6654cee7","src/lib.rs":"526e9700c28250b7512f122952257d57adc38eb001af92ef25bdb48a8c453175"},"package":"b1f9d34af5a1aac6fb380f735fe510746c38067c5bf16c7fd250280503c971b2"}=========gfx/layers/ipc/CompositorBridgeChild.cpp========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/layers/ipc/CompositorBridgeChild.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/layers/ipc/CompositorBridgeChild.cpp@@ -26,7 +26,6 @@ #include "mozilla/gfx/GPUProcessManager.h" #include "mozilla/gfx/Logging.h" #include "mozilla/ipc/Endpoint.h"-#include "mozilla/webgpu/WebGPUChild.h" #include "mozilla/mozalloc.h" // for operator new, etc #include "mozilla/Telemetry.h" #include "gfxConfig.h"@@ -86,12 +85,7 @@ mFwdTransactionId(0), 
mThread(NS_GetCurrentThread()), mProcessToken(0),- mSectionAllocator(nullptr),- mPaintLock("CompositorBridgeChild.mPaintLock"),- mTotalAsyncPaints(0),- mIsDelayingForAsyncPaints(false),- mSlowFlushCount(0),- mTotalFlushCount(0) {+ mSectionAllocator(nullptr) { MOZ_ASSERT(NS_IsMainThread()); }@@ -180,12 +174,6 @@ ManagedPAPZChild(apzChildren); for (PAPZChild* child : apzChildren) { Unused << child->SendDestroy();- }-- AutoTArray<PWebGPUChild*, 16> webGPUChildren;- ManagedPWebGPUChild(webGPUChildren);- for (PWebGPUChild* child : webGPUChildren) {- Unused << child->SendShutdown(); } const ManagedContainer<PTextureChild>& textures = ManagedPTextureChild();@@ -341,20 +329,8 @@ gfxCriticalNote << "Receive IPC close with reason=AbnormalShutdown"; }- {- // We take the lock to update these fields, since they are read from the- // paint thread. We don't need the lock to init them, since that happens- // on the main thread before the paint thread can ever grab a reference- // to the CompositorBridge object.- //- // Note that it is useful to take this lock for one other reason: It also- // tells us whether GetIPCChannel is safe to call. 
If we access the IPC- // channel within this lock, when mCanSend is true, then we know it has not- // been zapped by IPDL.- MonitorAutoLock lock(mPaintLock);- mCanSend = false;- mActorDestroyed = true;- }+ mCanSend = false;+ mActorDestroyed = true; if (mProcessToken && XRE_IsParentProcess()) { GPUProcessManager::Get()->NotifyRemoteActorDestroyed(mProcessToken);@@ -555,15 +531,10 @@ PTextureChild* CompositorBridgeChild::CreateTexture( const SurfaceDescriptor& aSharedData, ReadLockDescriptor&& aReadLock, LayersBackend aLayersBackend, TextureFlags aFlags, uint64_t aSerial,- wr::MaybeExternalImageId& aExternalImageId, nsISerialEventTarget* aTarget) {+ wr::MaybeExternalImageId& aExternalImageId) { PTextureChild* textureChild = AllocPTextureChild(aSharedData, aReadLock, aLayersBackend, aFlags, LayersId{0} /* FIXME */, aSerial, aExternalImageId);-- // Do the DOM labeling.- if (aTarget) {- SetEventTargetForActor(textureChild, aTarget);- } return SendPTextureConstructor( textureChild, aSharedData, std::move(aReadLock), aLayersBackend, aFlags,@@ -602,16 +573,6 @@ } }-RefPtr<webgpu::WebGPUChild> CompositorBridgeChild::GetWebGPUChild() {- MOZ_ASSERT(gfx::gfxConfig::IsEnabled(gfx::Feature::WEBGPU));- if (!mWebGPUChild) {- webgpu::PWebGPUChild* bridge = SendPWebGPUConstructor();- mWebGPUChild = static_cast<webgpu::WebGPUChild*>(bridge);- }-- return mWebGPUChild;-}- bool CompositorBridgeChild::AllocUnsafeShmem( size_t aSize, ipc::SharedMemory::SharedMemoryType aType, ipc::Shmem* aShmem) {@@ -694,18 +655,6 @@ return true; }-webgpu::PWebGPUChild* CompositorBridgeChild::AllocPWebGPUChild() {- webgpu::WebGPUChild* child = new webgpu::WebGPUChild();- child->AddIPDLReference();- return child;-}--bool CompositorBridgeChild::DeallocPWebGPUChild(webgpu::PWebGPUChild* aActor) {- webgpu::WebGPUChild* child = static_cast<webgpu::WebGPUChild*>(aActor);- child->ReleaseIPDLReference();- return true;-}- uint64_t CompositorBridgeChild::GetNextResourceId() { ++mResourceId; 
MOZ_RELEASE_ASSERT(mResourceId != UINT32_MAX);
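Review bot: the `.cargo-checksum.json` hunk changes the hashes for Cargo.toml and src/lib.rs, so the vendored futures-io source itself changed; the checksum alone says nothing about what. The review should cover the crate diff (not included here) and confirm the new `package` hash came from `./mach vendor rust` against the crates.io tarball rather than being edited by hand.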
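Review bot: in the ActorDestroy hunk, `mCanSend = false; mActorDestroyed = true;` are now written without `mPaintLock`, while the comment being deleted states that these fields were read from the paint thread and that holding the lock was also what made `GetIPCChannel` safe to call. Removing the lock is only sound if the paint-thread readers went away in the same change; the constructor hunk dropping `mTotalAsyncPaints`, `mIsDelayingForAsyncPaints` and the flush counters suggests so, but no reader appears in this diff. The commit message should state that explicitly, or `mCanSend` should become an atomic.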
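Review bot: the WebGPU hunks delete `GetWebGPUChild`, `AllocPWebGPUChild`/`DeallocPWebGPUChild` and the `SendShutdown()` loop in the destroy path, and `CreateTexture` loses its `nsISerialEventTarget* aTarget` parameter together with the `SetEventTargetForActor` call. Both are signature changes that the header, the IPDL protocol definition and every caller must follow in lockstep, and any PWebGPUChild still managed by this bridge would no longer get an explicit shutdown. Nothing here shows WebGPU being removed from the product; the actor may simply have moved to another manager.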
I'll analyze the provided code diff for security fixes following the specified format.

1. For the first file (third_party/rust/futures-io/.cargo-checksum.json):
Vulnerability Existed: no
This is a checksum update for a vendored Rust dependency. The Cargo.toml, src/lib.rs and package hashes change, which means the crate itself was updated, but the checksum file shows nothing about what changed; the crate diff would have to be reviewed separately. No security-related change is visible here.

2. For the second file (gfx/layers/ipc/CompositorBridgeChild.cpp):
Vulnerability Existed: not sure
[Potential Resource Management Issue] [gfx/layers/ipc/CompositorBridgeChild.cpp] [Hunks at lines 26, 86, 180, 341, 555, 602 and 694]
[Old Code]
- WebGPUChild include, PWebGPUChild allocation/deallocation, GetWebGPUChild() and an explicit SendShutdown() loop for WebGPU children in the destroy path
- mPaintLock plus the async-paint bookkeeping fields (mTotalAsyncPaints, mIsDelayingForAsyncPaints, mSlowFlushCount, mTotalFlushCount); mCanSend/mActorDestroyed cleared under the lock in ActorDestroy
- CreateTexture() taking an nsISerialEventTarget and labelling the new actor with SetEventTargetForActor()
[Fixed Code]
+ All WebGPU actor management removed from this class
+ mPaintLock and the async-paint fields removed; mCanSend/mActorDestroyed cleared without a lock
+ CreateTexture() no longer takes a target and no longer labels the actor
Additional Details:
The changes remove WebGPU actor management from CompositorBridgeChild and drop the paint-thread synchronisation. Three points deserve attention:
1. Synchronisation: the deleted comment explained that mPaintLock protected mCanSend/mActorDestroyed because the paint thread read them, and that holding it also made GetIPCChannel safe to call. Removing the lock is only correct if the paint-thread readers were removed in the same change, which the removal of the async-paint fields suggests but this diff does not show.
2. WebGPU: removing AllocPWebGPUChild/DeallocPWebGPUChild and GetWebGPUChild() here does not show WebGPU support being removed from the browser; it is equally consistent with the PWebGPU protocol moving to a different manager actor.
3. Texture creation: dropping the event-target labelling changes a signature that the header and every caller must follow.
Without the commit message or the rest of the change set it is not possible to tell whether any of this was motivated by a security bug; on the visible evidence it reads as a refactor.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java@@ -90,6 +90,19 @@ private static final int DATA_URI_MAX_LENGTH = 2 * 1024 * 1024;+ // Delay running compositor memory pressure by 10s to avoid interfering with tab switching.+ private static final int NOTIFY_MEMORY_PRESSURE_DELAY_MS = 10 * 1000;++ private final Runnable mNotifyMemoryPressure =+ new Runnable() {+ @Override+ public void run() {+ if (mCompositorReady) {+ mCompositor.notifyMemoryPressure();+ }+ }+ };+ private enum State implements NativeQueue.State { INITIAL(0), READY(1);@@ -194,6 +207,9 @@ @WrapForJNI(calledFrom = "ui", dispatchTo = "gecko") public native void setDynamicToolbarMaxHeight(int height);++ @WrapForJNI(calledFrom = "ui", dispatchTo = "gecko")+ public native void notifyMemoryPressure(); // Gecko thread pauses compositor; blocks UI thread. @WrapForJNI(calledFrom = "ui", dispatchTo = "current")@@ -1447,7 +1463,7 @@ LOAD_FLAGS_FORCE_ALLOW_DATA_URI, LOAD_FLAGS_REPLACE_HISTORY })- /* package */ @interface LoadFlags {}+ public @interface LoadFlags {} // These flags follow similarly named ones in Gecko's nsIWebNavigation.idl // https://searchfox.org/mozilla-central/source/docshell/base/nsIWebNavigation.idl@@ -1504,7 +1520,7 @@ @Retention(RetentionPolicy.SOURCE) @IntDef(value = {HEADER_FILTER_CORS_SAFELISTED, HEADER_FILTER_UNRESTRICTED_UNSAFE})- /* package */ @interface HeaderFilter {}+ public @interface HeaderFilter {} /** * Main entry point for loading URIs into a {@link GeckoSession}.@@ -1973,7 +1989,7 @@ FINDER_FIND_MATCH_CASE, FINDER_FIND_WHOLE_WORD })- /* package */ @interface FinderFindFlags {}+ public @interface FinderFindFlags {} /** Go backwards when finding the next match. 
*/ public static final int FINDER_FIND_BACKWARDS = 1;@@ -1992,7 +2008,7 @@ FINDER_DISPLAY_DIM_PAGE, FINDER_DISPLAY_DRAW_LINK_OUTLINE })- /* package */ @interface FinderDisplayFlags {}+ public @interface FinderDisplayFlags {} /** Highlight all find-in-page matches. */ public static final int FINDER_DISPLAY_HIGHLIGHT_ALL = 1;@@ -2090,6 +2106,10 @@ if (!active) { mEventDispatcher.dispatch("GeckoView:FlushSessionState", null);+ ThreadUtils.postToUiThreadDelayed(mNotifyMemoryPressure, NOTIFY_MEMORY_PRESSURE_DELAY_MS);+ } else {+ // Delete any pending memory pressure events since we're active again.+ ThreadUtils.removeUiThreadCallbacks(mNotifyMemoryPressure); } ThreadUtils.runOnUiThread(() -> getAutofillSupport().onActiveChanged(active));@@ -2729,7 +2749,7 @@ public class SecurityInformation { @Retention(RetentionPolicy.SOURCE) @IntDef({SECURITY_MODE_UNKNOWN, SECURITY_MODE_IDENTIFIED, SECURITY_MODE_VERIFIED})- /* package */ @interface SecurityMode {}+ public @interface SecurityMode {} public static final int SECURITY_MODE_UNKNOWN = 0; public static final int SECURITY_MODE_IDENTIFIED = 1;@@ -2737,7 +2757,7 @@ @Retention(RetentionPolicy.SOURCE) @IntDef({CONTENT_UNKNOWN, CONTENT_BLOCKED, CONTENT_LOADED})- /* package */ @interface ContentType {}+ public @interface ContentType {} public static final int CONTENT_UNKNOWN = 0; public static final int CONTENT_BLOCKED = 1;@@ -2802,9 +2822,9 @@ /** Empty constructor for tests */ protected SecurityInformation() {- mixedModePassive = 0;- mixedModeActive = 0;- securityMode = 0;+ mixedModePassive = CONTENT_UNKNOWN;+ mixedModeActive = CONTENT_UNKNOWN;+ securityMode = SECURITY_MODE_UNKNOWN; isSecure = false; isException = false; origin = "";@@ -2961,7 +2981,7 @@ public static class ContextElement { @Retention(RetentionPolicy.SOURCE) @IntDef({TYPE_NONE, TYPE_IMAGE, TYPE_VIDEO, TYPE_AUDIO})- /* package */ @interface Type {}+ public @interface Type {} public static final int TYPE_NONE = 0; public static final int TYPE_IMAGE = 1;@@ -3457,13 
+3477,17 @@ SelectionActionDelegate.ACTION_COLLAPSE_TO_START, SelectionActionDelegate.ACTION_COLLAPSE_TO_END })- /* package */ @interface SelectionActionDelegateAction {}+ public @interface SelectionActionDelegateAction {} @Retention(RetentionPolicy.SOURCE) @IntDef( flag = true,- value = {SelectionActionDelegate.FLAG_IS_COLLAPSED, SelectionActionDelegate.FLAG_IS_EDITABLE})- /* package */ @interface SelectionActionDelegateFlag {}+ value = {+ SelectionActionDelegate.FLAG_IS_COLLAPSED,+ SelectionActionDelegate.FLAG_IS_EDITABLE,+ SelectionActionDelegate.FLAG_IS_PASSWORD+ })+ public @interface SelectionActionDelegateFlag {} @Retention(RetentionPolicy.SOURCE) @IntDef({@@ -3472,7 +3496,7 @@ SelectionActionDelegate.HIDE_REASON_ACTIVE_SELECTION, SelectionActionDelegate.HIDE_REASON_ACTIVE_SCROLL })- /* package */ @interface SelectionActionDelegateHideReason {}+ public @interface SelectionActionDelegateHideReason {} public interface NavigationDelegate { /**@@ -3548,7 +3572,7 @@ protected LoadRequest() { uri = ""; triggerUri = null;- target = 0;+ target = TARGET_WINDOW_NONE; isRedirect = false; hasUserGesture = false; isDirectNavigation = false;@@ -3698,7 +3722,7 @@ NavigationDelegate.TARGET_WINDOW_CURRENT, NavigationDelegate.TARGET_WINDOW_NEW })- /* package */ @interface TargetWindow {}+ public @interface TargetWindow {} /** * GeckoSession applications implement this interface to handle prompts triggered by content in@@ -3921,7 +3945,7 @@ public class ButtonPrompt extends BasePrompt { @Retention(RetentionPolicy.SOURCE) @IntDef({Type.POSITIVE, Type.NEGATIVE})- /* package */ @interface ButtonType {}+ public @interface ButtonType {} public static class Type { /** Index of positive response button (eg, "Yes", "OK") */@@ -4011,7 +4035,7 @@ Flags.PREVIOUS_FAILED, Flags.CROSS_ORIGIN_SUB_RESOURCE })- /* package */ @interface AuthFlag {}+ public @interface AuthFlag {} /** Auth prompt flags. 
*/ public static class Flags {@@ -4031,7 +4055,7 @@ @Retention(RetentionPolicy.SOURCE) @IntDef({Level.NONE, Level.PW_ENCRYPTED, Level.SECURE})- /* package */ @interface AuthLevel {}+ public @interface AuthLevel {} /** Auth prompt levels. */ public static class Level {@@ -4072,7 +4096,7 @@ protected AuthOptions() { flags = 0; uri = "";- level = 0;+ level = Level.NONE; username = ""; password = ""; }@@ -4190,7 +4214,7 @@ @Retention(RetentionPolicy.SOURCE) @IntDef({Type.MENU, Type.SINGLE, Type.MULTIPLE})- /* package */ @interface ChoiceType {}+ public @interface ChoiceType {} public static class Type { /** Display choices in a menu that dismisses as soon as an item is chosen. */@@ -4333,7 +4357,7 @@ public class DateTimePrompt extends BasePrompt { @Retention(RetentionPolicy.SOURCE) @IntDef({Type.DATE, Type.MONTH, Type.WEEK, Type.TIME, Type.DATETIME_LOCAL})- /* package */ @interface DatetimeType {}+ public @interface DatetimeType {} public static class Type { /** Prompt for year, month, and day. */@@ -4402,7 +4426,7 @@ public class FilePrompt extends BasePrompt { @Retention(RetentionPolicy.SOURCE) @IntDef({Type.SINGLE, Type.MULTIPLE})- /* package */ @interface FileType {}+ public @interface FileType {} /** Types of file prompts. */ public static class Type {@@ -4417,7 +4441,7 @@ @Retention(RetentionPolicy.SOURCE) @IntDef({Capture.NONE, Capture.ANY, Capture.USER, Capture.ENVIRONMENT})- /* package */ @interface CaptureType {}+ public @interface CaptureType {} /** Possible capture attribute values. */ public static class Capture {@@ -4577,7 +4601,7 @@ public class SharePrompt extends BasePrompt { @Retention(RetentionPolicy.SOURCE) @IntDef({Result.SUCCESS, Result.FAILURE, Result.ABORT})- /* package */ @interface ShareResult {}+ public @interface ShareResult {} /** Possible results to a {@link SharePrompt}. 
*/ public static class Result {@@ -5203,7 +5227,7 @@ class ContentPermission { @Retention(RetentionPolicy.SOURCE) @IntDef({VALUE_PROMPT, VALUE_DENY, VALUE_ALLOW})- /* package */ @interface Value {}+ public @interface Value {} /** The corresponding permission is currently set to default/prompt behavior. */ public static final int VALUE_PROMPT = 3;@@ -5448,7 +5472,7 @@ SOURCE_MICROPHONE, SOURCE_AUDIOCAPTURE, SOURCE_OTHER })- /* package */ @interface Source {}+ public @interface Source {} /** Constant to indicate that camera will be recorded. */ public static final int SOURCE_CAMERA = 0;@@ -5467,7 +5491,7 @@ @Retention(RetentionPolicy.SOURCE) @IntDef({TYPE_VIDEO, TYPE_AUDIO})- /* package */ @interface Type {}+ public @interface Type {} /** The media type is video. */ public static final int TYPE_VIDEO = 0;@@ -5547,8 +5571,8 @@ id = null; rawId = null; name = null;- source = 0;- type = 0;+ source = SOURCE_CAMERA;+ type = TYPE_VIDEO; } }@@ -5627,7 +5651,7 @@ PermissionDelegate.PERMISSION_TRACKING, PermissionDelegate.PERMISSION_STORAGE_ACCESS })- /* package */ @interface Permission {}+ public @interface Permission {} /** * Interface that SessionTextInput uses for performing operations such as opening and closing the@@ -5735,7 +5759,7 @@ TextInputDelegate.RESTART_REASON_BLUR, TextInputDelegate.RESTART_REASON_CONTENT_CHANGE })- /* package */ @interface RestartReason {}+ public @interface RestartReason {} /* package */ void onSurfaceChanged( final Surface surface, final int x, final int y, final int width, final int height) {@@ -6062,13 +6086,13 @@ @LongDef( flag = true, value = {Status.RECORDING, Status.INACTIVE})- /* package */ @interface RecordingStatus {}+ public @interface RecordingStatus {} @Retention(RetentionPolicy.SOURCE) @LongDef( flag = true, value = {Type.CAMERA, Type.MICROPHONE})- /* package */ @interface DeviceType {}+ public @interface DeviceType {} /** * A long giving the current recording status, must be either Status.RECORDING, Status.PAUSED@@ -6239,7 
+6263,7 @@ HistoryDelegate.VISIT_REDIRECT_SOURCE_PERMANENT, HistoryDelegate.VISIT_UNRECOVERABLE_ERROR })- /* package */ @interface VisitFlags {}+ public @interface VisitFlags {} private Autofill.Support getAutofillSupport() { return mAutofillSupport;
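Review bot: the delayed `mNotifyMemoryPressure` runnable is cancelled only when the session becomes active again; if the session is closed or released inside the 10 s window, the runnable still fires and relies on `mCompositorReady` having been cleared first. Consider also calling `ThreadUtils.removeUiThreadCallbacks(mNotifyMemoryPressure)` from the close path, and record on `NOTIFY_MEMORY_PRESSURE_DELAY_MS` why 10 s was chosen beyond "avoid interfering with tab switching".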
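Review bot: the constructor hunks replacing literal `0` with `CONTENT_UNKNOWN`, `SECURITY_MODE_UNKNOWN`, `SOURCE_CAMERA` and `TYPE_VIDEO` are behaviour-neutral, since each of those constants is defined as 0 in the surrounding context; `TARGET_WINDOW_NONE` and `Level.NONE` are not shown, so confirm they are also 0 if no behavioural change is intended. In `AuthOptions`, `flags = 0` is left as a literal while `level` gets a name; and a default-constructed `MediaSource` now explicitly claims to be a video camera, which tests building one should be aware of.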
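Review bot: turning every `/* package */ @interface` IntDef/LongDef into `public` widens the GeckoView API surface and should be accompanied by the API changelog update in the same change. `SelectionActionDelegate.FLAG_IS_PASSWORD` is added to the `SelectionActionDelegateFlag` IntDef without its definition appearing in this diff; since it presumably marks selections inside password fields (so embedders can, for instance, withhold copy or share actions), the constant should carry Javadoc saying so.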
Analyzing the provided code diff, I'll identify potential security vulnerabilities following the specified format:

1. Vulnerability Existed: no
Magic Numbers Replaced by Named Constants (no behavioural change)
[File] mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java
[Lines] 2802-2828
[Old Code]
protected SecurityInformation() { mixedModePassive = 0; mixedModeActive = 0; securityMode = 0; isSecure = false; isException = false; origin = ""; }
[Fixed Code]
protected SecurityInformation() { mixedModePassive = CONTENT_UNKNOWN; mixedModeActive = CONTENT_UNKNOWN; securityMode = SECURITY_MODE_UNKNOWN; isSecure = false; isException = false; origin = ""; }
Additional Details: the surrounding context defines CONTENT_UNKNOWN = 0 and SECURITY_MODE_UNKNOWN = 0, so the compiled defaults are identical. This is a readability fix that ties the test constructor to the IntDef values, not an information-exposure fix.

2. Vulnerability Existed: no
Magic Numbers Replaced by Named Constants (no behavioural change)
[File] mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java
[Lines] 3548-3558
[Old Code]
protected LoadRequest() { uri = ""; triggerUri = null; target = 0; isRedirect = false; hasUserGesture = false; isDirectNavigation = false; }
[Fixed Code]
protected LoadRequest() { uri = ""; triggerUri = null; target = TARGET_WINDOW_NONE; isRedirect = false; hasUserGesture = false; isDirectNavigation = false; }
Additional Details: the value of TARGET_WINDOW_NONE is not in the diff; it is the first entry of the TargetWindow IntDef, and if it is 0 (as the naming suggests) the default is unchanged.

3. Vulnerability Existed: no
Magic Numbers Replaced by Named Constants (no behavioural change)
[File] mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java
[Lines] 4072-4099
[Old Code]
protected AuthOptions() { flags = 0; uri = ""; level = 0; username = ""; password = ""; }
[Fixed Code]
protected AuthOptions() { flags = 0; uri = ""; level = Level.NONE; username = ""; password = ""; }
Additional Details: Level.NONE is the first value of the AuthLevel IntDef; its numeric value is not shown. Note that `flags = 0` is left as a literal.

4. Vulnerability Existed: no
Magic Numbers Replaced by Named Constants (no behavioural change)
[File] mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java
[Lines] 5547-5574
[Old Code]
protected MediaSource() { id = null; rawId = null; name = null; source = 0; type = 0; }
[Fixed Code]
protected MediaSource() { id = null; rawId = null; name = null; source = SOURCE_CAMERA; type = TYPE_VIDEO; }
Additional Details: the context shows SOURCE_CAMERA = 0 and TYPE_VIDEO = 0, so again the values are the same. The named form does make explicit that a default-constructed MediaSource claims to be a video camera, which is worth knowing for tests that build one.

5. Vulnerability Existed: not sure
Potential Memory Management Issue
[File] mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoSession.java
[Lines] 2090-2108
[Old Code]
if (!active) { mEventDispatcher.dispatch("GeckoView:FlushSessionState", null); }
[Fixed Code]
if (!active) { mEventDispatcher.dispatch("GeckoView:FlushSessionState", null); ThreadUtils.postToUiThreadDelayed(mNotifyMemoryPressure, NOTIFY_MEMORY_PRESSURE_DELAY_MS); } else { // Delete any pending memory pressure events since we're active again. ThreadUtils.removeUiThreadCallbacks(mNotifyMemoryPressure); }
Additional Details: when a session goes inactive, a compositor memory-pressure notification is scheduled 10 s later (the comment says the delay avoids interfering with tab switching), and it is cancelled if the session becomes active again first. The runnable checks mCompositorReady before calling into the compositor. This is a memory/performance measure for background sessions; nothing in the hunk points to a specific vulnerability.

Two further changes in the diff are not vulnerabilities but affect the API surface: every `/* package */ @interface` IntDef/LongDef annotation becomes `public`, and `SelectionActionDelegate.FLAG_IS_PASSWORD` is added to the `SelectionActionDelegateFlag` IntDef (the constant's definition is outside this diff), which gives embedders a way to tell that a text selection lies in a password field.

Note: the first four items all replace a literal 0 with the named constant that already has that value, so nothing a consumer can observe changes; they should not be recorded as information-exposure fixes. The fifth change is memory management; it is not clear whether it fixes a specific bug or is a performance improvement.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.object.round.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.object.round.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var imgdata = ctx.getImageData(0, 0, 10, 10); imgdata.data[0] = 0.499;
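Review bot: rename-only hunk; the rounding check that follows (`imgdata.data[0] = 0.499` written into a Uint8ClampedArray) is unchanged. The same generator caveat applies: this worker variant is emitted from the html/canvas/tools YAML alongside the HTML versions, so the rename should land there rather than in the generated file.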
Analysis of the provided code diff:

1. Vulnerability Existed: no
No specific vulnerability found
[File] testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.object.round.worker.js
[Lines] 13-14
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- The change is a simple variable rename from `offscreenCanvas` to `canvas`
- No security implications are evident; the rename touches no security-sensitive operation or data handling
- The test's subject, rounding of non-integer values written into `imgdata.data` (a Uint8ClampedArray), is unchanged
- This is a code style/readability improvement, not a security fix
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/naga/src/front/glsl/parser/declarations.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/naga/src/front/glsl/parser/declarations.rs@@ -292,6 +292,7 @@ parser, &mut context, &mut body,+ &mut None, )?; parser.add_function(context, name, result, body, meta);
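Review bot: `&mut None` hands the callee a fresh, anonymous `Option` as an out-parameter whose contents are discarded the moment the call returns. If the parser's new argument is genuinely an output the caller may need, bind it (`let mut x = None;` and pass `&mut x`); if the callee only needs to know whether a slot was supplied, `Option<&mut T>` with `None` expresses that without a dummy value. The parameter's type and meaning are not in this hunk, so the callee's signature should be checked before accepting the call site as is.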
Let me analyze the provided code diff for security fixes.

Vulnerability Existed: not sure
[New out-parameter passed as `&mut None`] [third_party/rust/naga/src/front/glsl/parser/declarations.rs] [Lines 292-293]
[Old Code]
parser, &mut context, &mut body,
[Fixed Code]
parser, &mut context, &mut body, &mut None,
Additional Details:
1. The diff adds one argument, `&mut None`, to a parser call: a mutable reference to a fresh, anonymous `Option` that the callee may fill in and that is dropped as soon as the call returns. The callee's signature is not in the diff, so the parameter's type and purpose are unknown.
2. This is a Rust API change, not a null-pointer fix: Rust has no null references, and `Option` is the type-checked way of expressing an optional value. The likely reading is that the called function gained an optional output (or optional context) that this call site does not need.
3. Nothing here indicates a vulnerability. If the new parameter carries information the caller should have used, discarding it via `&mut None` would be a logic gap rather than a memory-safety issue; that can only be judged from the callee's definition.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/vm/StringType.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/vm/StringType.h@@ -790,6 +790,16 @@ static_assert(sizeof(JSRope) == sizeof(JSString), "string subclasses must be binary-compatible with JSString");+/*+ * There are optimized entry points for some string allocation functions.+ *+ * The meaning of suffix:+ * * "MaybeDeflate": for char16_t variant, characters can fit Latin1+ * * "DontDeflate": for char16_t variant, characters don't fit Latin1+ * * "NonStatic": characters don't match StaticStrings+ * * "ValidLength": length fits JSString::MAX_LENGTH+ */+ class JSLinearString : public JSString { friend class JSString; friend class JS::AutoStableStringChars;@@ -823,6 +833,16 @@ static inline JSLinearString* new_( JSContext* cx, js::UniquePtr<CharT[], JS::FreePolicy> chars, size_t length, js::gc::InitialHeap heap);++ template <js::AllowGC allowGC, typename CharT>+ static inline JSLinearString* newValidLength(+ JSContext* cx, js::UniquePtr<CharT[], JS::FreePolicy> chars,+ size_t length, js::gc::InitialHeap heap);++ template <typename CharT>+ static inline JSLinearString* newForAtomValidLength(+ JSContext* cx, js::UniquePtr<CharT[], JS::FreePolicy> chars,+ size_t length); template <typename CharT> MOZ_ALWAYS_INLINE const CharT* nonInlineChars(@@ -1063,6 +1083,8 @@ static inline JSThinInlineString* new_(JSContext* cx, js::gc::InitialHeap heap);+ static inline JSThinInlineString* newForAtom(JSContext* cx);+ template <typename CharT> inline CharT* init(size_t length);@@ -1101,6 +1123,8 @@ template <js::AllowGC allowGC> static inline JSFatInlineString* new_(JSContext* cx, js::gc::InitialHeap heap);++ static inline JSFatInlineString* newForAtom(JSContext* cx); static const size_t MAX_LENGTH_LATIN1 = JSString::NUM_INLINE_CHARS_LATIN1 + INLINE_EXTENSION_CHARS_LATIN1;@@ -1370,6 +1394,14 @@ 
heap); }+template <typename CharT>+extern JSLinearString* NewStringForAtomCopyNMaybeDeflateValidLength(+ JSContext* cx, const CharT* s, size_t n);++template <typename CharT>+extern JSLinearString* NewStringForAtomCopyNDontDeflateValidLength(+ JSContext* cx, const CharT* s, size_t n);+ /* Copy a counted string and GC-allocate a descriptor for it. */ template <js::AllowGC allowGC, typename CharT> inline JSLinearString* NewStringCopy(@@ -1389,6 +1421,11 @@ /* Like NewStringCopyN, but doesn't try to deflate to Latin1. */ template <js::AllowGC allowGC, typename CharT> extern JSLinearString* NewStringCopyNDontDeflate(+ JSContext* cx, const CharT* s, size_t n,+ js::gc::InitialHeap heap = js::gc::DefaultHeap);++template <js::AllowGC allowGC, typename CharT>+extern JSLinearString* NewStringCopyNDontDeflateNonStaticValidLength( JSContext* cx, const CharT* s, size_t n, js::gc::InitialHeap heap = js::gc::DefaultHeap);
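Review bot: the new `*ValidLength`, `*NonStatic` and `*DontDeflate` entry points move preconditions (length within `JSString::MAX_LENGTH`, no StaticStrings match, chars not representable as Latin1) from the callee to the caller, so each implementation should open with `MOZ_ASSERT`s on those preconditions; in a release build a caller that skips the length check reaches allocation with an unchecked `size_t`, which is exactly what `MAX_LENGTH` exists to prevent. The explanatory comment block is inserted just before `class JSLinearString` but describes functions declared throughout the file; it would be easier to find next to the `NewString*` declarations, and each new declaration should say which suffix contract it relies on.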
Based on the provided diff, I'll analyze it for security vulnerabilities. The changes add new string allocation entry points with specialised preconditions; no vulnerability fix is visible. Here's my analysis:

1. Vulnerability Existed: no
No specific vulnerability is being fixed. The diff adds declarations for optimised allocation paths (newValidLength, newForAtomValidLength, newForAtom, NewStringForAtomCopyN*ValidLength, NewStringCopyNDontDeflateNonStaticValidLength) and a comment explaining the naming: "MaybeDeflate"/"DontDeflate" say whether char16_t input may be stored as Latin1, "NonStatic" says the characters are known not to match a StaticStrings entry, and "ValidLength" says the length is already known to fit JSString::MAX_LENGTH.

2. Vulnerability Existed: not sure
[Length checks moved to callers] [js/src/vm/StringType.h] [Multiple lines]
The "ValidLength" suffix does not add a length check; it marks entry points that skip one because the caller has already performed it. That is a performance optimisation (the atomisation path is the obvious consumer), but it shifts responsibility for the JSString::MAX_LENGTH bound to each caller. Whether that is safe depends on the implementations (which should MOZ_ASSERT the precondition) and on every call site honouring the contract, none of which is visible in a header-only diff.

3. Vulnerability Existed: no
The new atom-related constructors (newForAtom, NewStringForAtomCopyN*) are feature additions for the atom allocation path rather than security fixes.

The main changes are:
1. Documentation of the suffix scheme used by the optimised allocation functions
2. New specialised allocation functions that assume their callers already checked length, Latin1 fit and StaticStrings membership
3. New atom-specific string creation functions

On the evidence of this diff these changes do not fix an existing vulnerability. They narrow the checks performed inside the string allocator, so the review question is whether every caller of a *ValidLength function really guarantees length <= JSString::MAX_LENGTH; a caller that does not would reach allocation with an unchecked size.
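As an added illustration of the contract described above (a self-contained model written for this analysis, not SpiderMonkey's code; `kMaxLength`, `LinearString`, `FitsLatin1` and the function names are stand-ins for the real `JSString::MAX_LENGTH`, `JSLinearString` and `NewStringCopyN*` family), the checked entry point is the only place the length bound is enforced; the `*ValidLength` fast paths merely assert it, and the `MaybeDeflate` variant picks one-byte storage when every code unit fits in Latin1:

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Stand-in for JSString::MAX_LENGTH. The real bound is large; this one is
// deliberately tiny so the rejection path is easy to exercise.
constexpr size_t kMaxLength = 16;

// Minimal model of a linear string: one-byte (Latin1) or two-byte storage.
struct LinearString {
  bool latin1 = false;
  std::vector<uint8_t> latin1Chars;
  std::vector<char16_t> twoByteChars;
  size_t length() const {
    return latin1 ? latin1Chars.size() : twoByteChars.size();
  }
};

// The "MaybeDeflate" decision: true when every code unit fits in one byte.
inline bool FitsLatin1(const char16_t* s, size_t n) {
  for (size_t i = 0; i < n; ++i) {
    if (s[i] > 0xFF) return false;
  }
  return true;
}

// Fast path, suffix "DontDeflateValidLength": the caller has already verified
// both that n is in range and that the chars do not fit Latin1. Only a debug
// assertion remains, which is what MOZ_ASSERT would be in SpiderMonkey.
inline std::unique_ptr<LinearString> NewStringCopyNDontDeflateValidLength(
    const char16_t* s, size_t n) {
  assert(n <= kMaxLength && "ValidLength contract violated by caller");
  auto out = std::make_unique<LinearString>();
  out->latin1 = false;
  out->twoByteChars.assign(s, s + n);
  return out;
}

// Fast path, suffix "MaybeDeflateValidLength": length is pre-validated, but
// the Latin1 decision is still made here.
inline std::unique_ptr<LinearString> NewStringCopyNMaybeDeflateValidLength(
    const char16_t* s, size_t n) {
  assert(n <= kMaxLength && "ValidLength contract violated by caller");
  if (!FitsLatin1(s, n)) {
    return NewStringCopyNDontDeflateValidLength(s, n);
  }
  auto out = std::make_unique<LinearString>();
  out->latin1 = true;
  out->latin1Chars.resize(n);
  for (size_t i = 0; i < n; ++i) {
    out->latin1Chars[i] = static_cast<uint8_t>(s[i]);
  }
  return out;
}

// Checked entry point: the only function an untrusted length may reach. The
// bound check here is exactly what the *ValidLength variants skip, so if a
// caller bypasses this function it inherits the obligation to perform it.
inline std::unique_ptr<LinearString> NewStringCopyN(const char16_t* s,
                                                    size_t n) {
  if (n > kMaxLength) {
    return nullptr;  // SpiderMonkey reports an allocation/length error here.
  }
  return NewStringCopyNMaybeDeflateValidLength(s, n);
}

int main() {
  // Constructed sample inputs: ASCII deflates, Cyrillic stays two-byte,
  // and an over-long input is refused before any allocation happens.
  auto ascii = NewStringCopyN(u"hello", 5);
  auto wide = NewStringCopyN(u"h\u0416llo", 5);
  auto tooLong = NewStringCopyN(u"0123456789abcdefg", 17);
  return (ascii && ascii->latin1 && wide && !wide->latin1 && !tooLong) ? 0 : 1;
}
```

The thing to take from the model is where the `n > kMaxLength` test sits: once the `*ValidLength` functions are reachable from outside the allocator, any caller that forgets the check arrives at allocation with an unvalidated size, which is why the real implementations should carry `MOZ_ASSERT(length <= JSString::MAX_LENGTH)` and why each call site needs to show where its length was bounded.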