Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/element/path-objects/2d.path.roundrect.1.radius.dompointinit.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/element/path-objects/2d.path.roundrect.1.radius.dompointinit.html@@ -8,7 +8,7 @@ <body class="show_output"> <h1>2d.path.roundrect.1.radius.dompointinit</h1>-<p class="desc">Verify that when two radii are given to roundRect(), the first radius, specified as a DOMPointInit, applies to the top-left and bottom-left corners.</p>+<p class="desc">Verify that when one radius is given to roundRect(), specified as a DOMPointInit, applies to all corners.</p> <p class="output">Actual output:</p>@@ -16,7 +16,7 @@ <ul id="d"></ul> <script>-var t = async_test("Verify that when two radii are given to roundRect(), the first radius, specified as a DOMPointInit, applies to the top-left and bottom-left corners.");+var t = async_test("Verify that when one radius is given to roundRect(), specified as a DOMPointInit, applies to all corners."); _addTest(function(canvas, ctx) { ctx.fillStyle = '#f00';
Based on the provided diff, I don't see any security-related fixes. The changes appear to be test description updates and corrections to match the actual test behavior. Here's the analysis: Vulnerability Existed: no No security vulnerability found in the diff. The changes are purely test description updates to accurately reflect the test's purpose. Additional Details: - The changes only modify test descriptions (both in the HTML and in the test assertion) - The actual test code (_addTest function) remains unchanged - The modifications are about clarifying that one radius (not two) is being tested and how it applies to corners - No security-relevant code was modified The diff shows: 1. Changed description from "two radii" to "one radius" 2. Changed which corners the radius applies to in the description 3. Updated the async_test description to match These are documentation/test accuracy improvements, not security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/layers/ipc/LayersMessageUtils.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/layers/ipc/LayersMessageUtils.h@@ -217,7 +217,6 @@ WriteParam(aMsg, aParam.mCompositionBounds); WriteParam(aMsg, aParam.mCompositionBoundsWidthIgnoringScrollbars); WriteParam(aMsg, aParam.mDisplayPort);- WriteParam(aMsg, aParam.mCriticalDisplayPort); WriteParam(aMsg, aParam.mScrollableRect); WriteParam(aMsg, aParam.mCumulativeResolution); WriteParam(aMsg, aParam.mDevPixelsPerCSSPixel);@@ -247,7 +246,6 @@ ReadParam(aMsg, aIter, &aResult->mCompositionBoundsWidthIgnoringScrollbars) && ReadParam(aMsg, aIter, &aResult->mDisplayPort) &&- ReadParam(aMsg, aIter, &aResult->mCriticalDisplayPort) && ReadParam(aMsg, aIter, &aResult->mScrollableRect) && ReadParam(aMsg, aIter, &aResult->mCumulativeResolution) && ReadParam(aMsg, aIter, &aResult->mDevPixelsPerCSSPixel) &&@@ -295,6 +293,7 @@ WriteParam(aMsg, aParam.mScrollOffset); WriteParam(aMsg, aParam.mZoom); WriteParam(aMsg, aParam.mScrollGeneration);+ WriteParam(aMsg, aParam.mScrollGenerationOnApz); WriteParam(aMsg, aParam.mDisplayPortMargins); WriteParam(aMsg, aParam.mPresShellId); WriteParam(aMsg, aParam.mLayoutViewport);@@ -316,6 +315,7 @@ ReadParam(aMsg, aIter, &aResult->mScrollOffset) && ReadParam(aMsg, aIter, &aResult->mZoom) && ReadParam(aMsg, aIter, &aResult->mScrollGeneration) &&+ ReadParam(aMsg, aIter, &aResult->mScrollGenerationOnApz) && ReadParam(aMsg, aIter, &aResult->mDisplayPortMargins) && ReadParam(aMsg, aIter, &aResult->mPresShellId) && ReadParam(aMsg, aIter, &aResult->mLayoutViewport) &&@@ -407,9 +407,9 @@ } };-template <>-struct ParamTraits<mozilla::ScrollGeneration>- : PlainOldDataSerializer<mozilla::ScrollGeneration> {};+template <typename T>+struct ParamTraits<mozilla::ScrollGeneration<T>>+ : PlainOldDataSerializer<mozilla::ScrollGeneration<T>> {}; template <> struct ParamTraits<mozilla::ScrollPositionUpdate>@@ -436,6 +436,8 @@ WriteParam(aMsg, aParam.mIsRDMTouchSimulationActive); WriteParam(aMsg, aParam.mDidContentGetPainted); WriteParam(aMsg, aParam.mPrefersReducedMotion);+ WriteParam(aMsg, aParam.mForceMousewheelAutodir);+ WriteParam(aMsg, aParam.mForceMousewheelAutodirHonourRoot); WriteParam(aMsg, aParam.mDisregardedDirection); WriteParam(aMsg, aParam.mOverscrollBehavior); WriteParam(aMsg, aParam.mScrollUpdates);@@ -476,6 +478,11 @@ ¶mType::SetDidContentGetPainted) && ReadBoolForBitfield(aMsg, aIter, aResult, ¶mType::SetPrefersReducedMotion) &&+ ReadBoolForBitfield(aMsg, aIter, aResult,+ ¶mType::SetForceMousewheelAutodir) &&+ ReadBoolForBitfield(+ aMsg, aIter, aResult,+ ¶mType::SetForceMousewheelAutodirHonourRoot) && ReadParam(aMsg, aIter, &aResult->mDisregardedDirection) && ReadParam(aMsg, aIter, &aResult->mOverscrollBehavior) && ReadParam(aMsg, aIter, &aResult->mScrollUpdates);
Here's the analysis of the provided code diff following the specified format:
1. Vulnerability Existed: not sure
[Potential Information Exposure] [gfx/layers/ipc/LayersMessageUtils.h] [Lines 217, 247]
[Old Code]
```
WriteParam(aMsg, aParam.mCriticalDisplayPort);
...
ReadParam(aMsg, aIter, &aResult->mCriticalDisplayPort)
```
[Fixed Code]
```
// Removed mCriticalDisplayPort serialization
```
Note: Removal of sensitive display port information might indicate a security fix, but without more context about the purpose of mCriticalDisplayPort, we can't be certain.
2. Vulnerability Existed: not sure
[Scroll Generation Synchronization Issue] [gfx/layers/ipc/LayersMessageUtils.h] [Lines 295-296, 315-316]
[Old Code]
```
WriteParam(aMsg, aParam.mScrollGeneration);
...
ReadParam(aMsg, aIter, &aResult->mScrollGeneration)
```
[Fixed Code]
```
WriteParam(aMsg, aParam.mScrollGeneration);
WriteParam(aMsg, aParam.mScrollGenerationOnApz);
...
ReadParam(aMsg, aIter, &aResult->mScrollGeneration) &&
ReadParam(aMsg, aIter, &aResult->mScrollGenerationOnApz)
```
Note: Addition of APZ-specific scroll generation tracking might prevent race conditions, but this could be a functional rather than security fix.
3. Vulnerability Existed: not sure
[Template Parameterization Issue] [gfx/layers/ipc/LayersMessageUtils.h] [Lines 407-409]
[Old Code]
```
template <>
struct ParamTraits<mozilla::ScrollGeneration>
: PlainOldDataSerializer<mozilla::ScrollGeneration> {};
```
[Fixed Code]
```
template <typename T>
struct ParamTraits<mozilla::ScrollGeneration<T>>
: PlainOldDataSerializer<mozilla::ScrollGeneration<T>> {};
```
Note: The template parameterization change might prevent type confusion issues, but this appears to be more of a code maintenance change.
4. Vulnerability Existed: not sure
[Mousewheel Direction Forcing] [gfx/layers/ipc/LayersMessageUtils.h] [Lines 436-438, 478-481]
[Old Code]
```
// No mousewheel autodirection parameters
```
[Fixed Code]
```
WriteParam(aMsg, aParam.mForceMousewheelAutodir);
WriteParam(aMsg, aParam.mForceMousewheelAutodirHonourRoot);
...
ReadBoolForBitfield(aMsg, aIter, aResult, ¶mType::SetForceMousewheelAutodir)
ReadBoolForBitfield(aMsg, aIter, aResult, ¶mType::SetForceMousewheelAutodirHonourRoot)
```
Note: New parameters for controlling mousewheel behavior could have security implications for input handling, but their purpose isn't clear from the diff alone.
The most likely security-relevant change is the removal of mCriticalDisplayPort serialization, which might have been exposing sensitive display information, but without more context about what this field contained, we can't be certain. The other changes appear to be more functional improvements or feature additions.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/test/unit/test_http3_server_not_existing.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/test/unit/test_http3_server_not_existing.js@@ -6,7 +6,7 @@ let httpsUri; registerCleanupFunction(async () => {- Services.prefs.clearUserPref("network.http.http3.enabled");+ Services.prefs.clearUserPref("network.http.http3.enable"); Services.prefs.clearUserPref("network.dns.localDomains"); Services.prefs.clearUserPref("network.dns.disableIPv6"); Services.prefs.clearUserPref(@@ -53,7 +53,7 @@ let h2Port = env.get("MOZHTTP2_PORT"); Assert.notEqual(h2Port, null);- Services.prefs.setBoolPref("network.http.http3.enabled", true);+ Services.prefs.setBoolPref("network.http.http3.enable", true); Services.prefs.setCharPref("network.dns.localDomains", "foo.example.com"); Services.prefs.setBoolPref("network.dns.disableIPv6", true); // Set AltSvc to point to not existing HTTP3 server on port 443
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Preference Name Mismatch] [netwerk/test/unit/test_http3_server_not_existing.js] [Lines 6,53]
Old Code: `Services.prefs.clearUserPref("network.http.http3.enabled");` and `Services.prefs.setBoolPref("network.http.http3.enabled", true);`
Fixed Code: `Services.prefs.clearUserPref("network.http.http3.enable");` and `Services.prefs.setBoolPref("network.http.http3.enable", true);`
Additional Details: The change involves correcting a preference name from "network.http.http3.enabled" to "network.http.http3.enable". While this doesn't appear to be a direct security vulnerability, using incorrect preference names could potentially lead to unexpected behavior or configuration issues.
Note: The diff shows a consistent change in preference naming but doesn't indicate any clear security vulnerability. The modification appears to be a correction of a configuration parameter rather than a security fix. No known vulnerability name is associated with this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-contain/contain-paint-clip-019.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-contain/contain-paint-clip-019.html@@ -10,7 +10,6 @@ <meta content="This test checks that the paint containment of an element clips contents. It should also prevent layout overflow from being propagated to ancestors." name="assert">-<meta content="" name="flags"> <style> #container {
Based on the provided code diff, here's the analysis: Vulnerability Existed: no No security vulnerability found [File] testing/web-platform/tests/css/css-contain/contain-paint-clip-019.html [Lines] 10 [Old Code] <meta content="" name="flags"> [Fixed Code] (removed) Additional Details: The change simply removes an empty meta tag with a "flags" attribute. This doesn't appear to be related to any security vulnerability but rather a cleanup of unnecessary markup. The "flags" meta tag is typically used in test files to specify test conditions or requirements, and its removal doesn't indicate any security fix.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wast/src/ast/expr.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wast/src/ast/expr.rs@@ -15,7 +15,11 @@ impl<'a> Parse<'a> for Expression<'a> { fn parse(parser: Parser<'a>) -> Result<Self> {- ExpressionParser::default().parse(parser)+ let mut exprs = ExpressionParser::default();+ exprs.parse(parser)?;+ Ok(Expression {+ instrs: exprs.instrs.into(),+ }) } }@@ -96,7 +100,7 @@ } impl<'a> ExpressionParser<'a> {- fn parse(mut self, parser: Parser<'a>) -> Result<Expression<'a>> {+ fn parse(&mut self, parser: Parser<'a>) -> Result<()> { // Here we parse instructions in a loop, and we do not recursively // invoke this parse function to avoid blowing the stack on // deeply-recursive parses.@@ -207,9 +211,7 @@ } }- Ok(Expression {- instrs: self.instrs.into(),- })+ Ok(()) } /// Parses either `(`, `)`, or nothing.@@ -300,7 +302,7 @@ // If we made it this far then we're at `If::End` which means that there // were too many s-expressions inside the `(if)` and we don't want to // parse anything else.- Err(parser.error("too many payloads inside of `(if)`"))+ Err(parser.error("unexpected token: too many payloads inside of `(if)`")) } /// Handles parsing of a `try` statement. A `try` statement is simpler@@ -387,7 +389,7 @@ return Err(parser.error("unexpected items after `catch`")); }- Err(parser.error("too many payloads inside of `(try)`"))+ Err(parser.error("unexpected token: too many payloads inside of `(try)`")) } }@@ -579,6 +581,7 @@ // function-references proposal RefAsNonNull : [0xd3] : "ref.as_non_null", BrOnNull(ast::Index<'a>) : [0xd4] : "br_on_null",+ BrOnNonNull(ast::Index<'a>) : [0xd6] : "br_on_non_null", // gc proposal: eqref RefEq : [0xd5] : "ref.eq",@@ -1122,6 +1125,25 @@ Rethrow(ast::Index<'a>) : [0x09] : "rethrow", Delegate(ast::Index<'a>) : [0x18] : "delegate", CatchAll : [0x19] : "catch_all",++ // Relaxed SIMD proposal+ I8x16SwizzleRelaxed : [0xfd, 0xa2]: "i8x16.swizzle_relaxed",+ I32x4TruncSatF32x4SRelaxed : [0xfd, 0xa5]: "i32x4.trunc_f32x4_s_relaxed",+ I32x4TruncSatF32x4URelaxed : [0xfd, 0xa6]: "i32x4.trunc_f32x4_u_relaxed",+ I32x4TruncSatF64x2SZeroRelaxed : [0xfd, 0xc5]: "i32x4.trunc_f64x2_s_zero_relaxed",+ I32x4TruncSatF64x2UZeroRelaxed : [0xfd, 0xc6]: "i32x4.trunc_f64x2_u_zero_relaxed",+ F32x4FmaRelaxed : [0xfd, 0xaf]: "f32x4.fma_relaxed",+ F32x4FmsRelaxed : [0xfd, 0xb0]: "f32x4.fms_relaxed",+ F64x4FmaRelaxed : [0xfd, 0xcf]: "f64x2.fma_relaxed",+ F64x4FmsRelaxed : [0xfd, 0xd0]: "f64x2.fms_relaxed",+ I8x16LaneSelect : [0xfd, 0xb2]: "i8x16.laneselect",+ I16x8LaneSelect : [0xfd, 0xb3]: "i16x8.laneselect",+ I32x4LaneSelect : [0xfd, 0xd2]: "i32x4.laneselect",+ I64x2LaneSelect : [0xfd, 0xd3]: "i64x2.laneselect",+ F32x4MinRelaxed : [0xfd, 0xb4]: "f32x4.min_relaxed",+ F32x4MaxRelaxed : [0xfd, 0xe2]: "f32x4.max_relaxed",+ F64x2MinRelaxed : [0xfd, 0xd4]: "f64x2.min_relaxed",+ F64x2MaxRelaxed : [0xfd, 0xee]: "f64x2.max_relaxed", } }@@ -1288,7 +1310,8 @@ } let memory = parser- .parse::<Option<ast::ItemRef<'a, kw::memory>>>()?+ .parse::<Option<ast::IndexOrRef<'a, kw::memory>>>()?+ .map(|i| i.0) .unwrap_or(idx_zero(parser.prev_span(), kw::memory)); let offset = parse_u64("offset", parser)?.unwrap_or(0); let align = match parse_u32("align", parser)? {@@ -1327,8 +1350,44 @@ impl<'a> LoadOrStoreLane<'a> { fn parse(parser: Parser<'a>, default_align: u32) -> Result<Self> {+ // This is sort of funky. The first integer we see could be the lane+ // index, but it could also be the memory index. To determine what it is+ // then if we see a second integer we need to look further.+ let has_memarg = parser.step(|c| match c.integer() {+ Some((_, after_int)) => {+ // Two integers in a row? That means that the first one is the+ // memory index and the second must be the lane index.+ if after_int.integer().is_some() {+ return Ok((true, c));+ }++ // If the first integer is trailed by `offset=...` or+ // `align=...` then this is definitely a memarg.+ if let Some((kw, _)) = after_int.keyword() {+ if kw.starts_with("offset=") || kw.starts_with("align=") {+ return Ok((true, c));+ }+ }++ // Otherwise the first integer was trailed by something that+ // didn't look like a memarg, so this must be the lane index.+ Ok((false, c))+ }++ // Not an integer here? That must mean that this must be the memarg+ // first followed by the trailing index.+ None => Ok((true, c)),+ })?; Ok(LoadOrStoreLane {- memarg: MemArg::parse(parser, default_align)?,+ memarg: if has_memarg {+ MemArg::parse(parser, default_align)?+ } else {+ MemArg {+ align: default_align,+ offset: 0,+ memory: idx_zero(parser.prev_span(), kw::memory),+ }+ }, lane: LaneArg::parse(parser)?, }) }@@ -1453,11 +1512,14 @@ impl<'a> Parse<'a> for MemoryInit<'a> { fn parse(parser: Parser<'a>) -> Result<Self> {- let data = parser.parse()?;- let mem = parser- .parse::<Option<ast::IndexOrRef<_>>>()?- .map(|i| i.0)- .unwrap_or(idx_zero(parser.prev_span(), kw::memory));+ let prev_span = parser.prev_span();+ let (data, mem) =+ if parser.peek::<ast::ItemRef<kw::memory>>() || parser.peek2::<ast::Index>() {+ let memory = parser.parse::<ast::IndexOrRef<_>>()?.0;+ (parser.parse()?, memory)+ } else {+ (parser.parse()?, idx_zero(prev_span, kw::memory))+ }; Ok(MemoryInit { data, mem }) } }
I'll analyze the code diff and provide the security findings following the specified format.
1. Vulnerability Existed: not sure
Stack Overflow Vulnerability [third_party/rust/wast/src/ast/expr.rs] [Lines 15-19, 96-100]
[Old Code]
fn parse(parser: Parser<'a>) -> Result<Self> {
ExpressionParser::default().parse(parser)
}
[Fixed Code]
fn parse(parser: Parser<'a>) -> Result<Self> {
let mut exprs = ExpressionParser::default();
exprs.parse(parser)?;
Ok(Expression {
instrs: exprs.instrs.into(),
})
}
2. Vulnerability Existed: not sure
Parser Error Handling Improvement [third_party/rust/wast/src/ast/expr.rs] [Lines 300-302]
[Old Code]
Err(parser.error("too many payloads inside of `(if)`"))
[Fixed Code]
Err(parser.error("unexpected token: too many payloads inside of `(if)`"))
3. Vulnerability Existed: not sure
Parser Error Handling Improvement [third_party/rust/wast/src/ast/expr.rs] [Lines 387-389]
[Old Code]
Err(parser.error("too many payloads inside of `(try)`"))
[Fixed Code]
Err(parser.error("unexpected token: too many payloads inside of `(try)`"))
4. Vulnerability Existed: not sure
Memory Initialization Parsing Improvement [third_party/rust/wast/src/ast/expr.rs] [Lines 1453-1512]
[Old Code]
fn parse(parser: Parser<'a>) -> Result<Self> {
let data = parser.parse()?;
let mem = parser
.parse::<Option<ast::IndexOrRef<_>>>()?
.map(|i| i.0)
.unwrap_or(idx_zero(parser.prev_span(), kw::memory));
Ok(MemoryInit { data, mem })
}
[Fixed Code]
fn parse(parser: Parser<'a>) -> Result<Self> {
let prev_span = parser.prev_span();
let (data, mem) =
if parser.peek::<ast::ItemRef<kw::memory>>() || parser.peek2::<ast::Index>() {
let memory = parser.parse::<ast::IndexOrRef<_>>()?.0;
(parser.parse()?, memory)
} else {
(parser.parse()?, idx_zero(prev_span, kw::memory))
};
Ok(MemoryInit { data, mem })
}
The changes appear to be focused on:
1. Preventing potential stack overflows by avoiding recursive parsing
2. Improving error messages for better debugging
3. Adding new WebAssembly instruction support (Relaxed SIMD proposal)
4. Improving memory initialization parsing logic
5. Adding better handling for memory arguments in load/store operations
While these changes improve robustness and add functionality, I couldn't identify any specific security vulnerabilities that were explicitly fixed. The changes seem more focused on correctness, error handling, and feature support.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/filters/2d.filter.canvasFilterObject.componentTransfer.identity.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/filters/2d.filter.canvasFilterObject.componentTransfer.identity.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.filter = new CanvasFilter({filter: "componentTransfer", funcR: {type: "identity"},@@ -33,7 +33,7 @@ for (const color of inputColors) { ctx.fillStyle = `rgba(${color[0]}, ${color[1]}, ${color[2]}, 1)`, ctx.fillRect(0, 0, 10, 10);- _assertPixel(offscreenCanvas, 5, 5, color[0],color[1],color[2],255, "5,5", `${color[0]},${color[1]},${color[2]}`);+ _assertPixel(canvas, 5, 5, color[0],color[1],color[2],255, "5,5", `${color[0]},${color[1]},${color[2]}`); } t.done();
After analyzing the provided code diff, here's the security assessment:
1. Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/filters/2d.filter.canvasFilterObject.componentTransfer.identity.worker.js [Lines] 13-33
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 5, 5, color[0],color[1],color[2],255, "5,5", `${color[0]},${color[1]},${color[2]}`);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 5, 5, color[0],color[1],color[2],255, "5,5", `${color[0]},${color[1]},${color[2]}`);
The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) with no security implications. The functionality remains identical, and there are no security vulnerabilities being addressed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/xpcom/rust/xpcom/src/interfaces/idl.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/xpcom/rust/xpcom/src/interfaces/idl.rs@@ -9,4 +9,4 @@ // NOTE: This file contains a series of `include!()` invocations, defining all // idl interfaces directly within this module.-include!(concat!(env!("MOZ_TOPOBJDIR"), "/dist/xpcrs/rt/all.rs"));+include!(mozbuild::objdir_path!("dist/xpcrs/rt/all.rs"));
Here's the analysis of the provided code diff:
Vulnerability Existed: not sure
[Potential Path Traversal or Insecure Path Handling] [xpcom/rust/xpcom/src/interfaces/idl.rs] [Lines 9]
[Old Code] include!(concat!(env!("MOZ_TOPOBJDIR"), "/dist/xpcrs/rt/all.rs"));
[Fixed Code] include!(mozbuild::objdir_path!("dist/xpcrs/rt/all.rs"));
Additional Details:
1. The change involves how the path to the included file is constructed, moving from using `env!` macro with string concatenation to using a dedicated `mozbuild::objdir_path!` macro.
2. While not clearly a security vulnerability, the old approach could potentially be more susceptible to path manipulation if the environment variable could be controlled by an attacker.
3. The new approach appears to be more robust by using a dedicated path construction macro, which might include additional safety checks.
4. Without knowing the exact implementation of `mozbuild::objdir_path!`, we can't be certain if this fixes a specific vulnerability, but it's likely a security improvement.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/jpeg-xl/lib/include/jxl/encode.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/jpeg-xl/lib/include/jxl/encode.h@@ -41,14 +41,18 @@ typedef struct JxlEncoderStruct JxlEncoder; /**- * Opaque structure that holds frame specific encoding options for a JPEG XL- * encoder.- *- * Allocated and initialized with JxlEncoderOptionsCreate().+ * Settings and metadata for a single image frame. This includes encoder options+ * for a frame such as compression quality and speed.+ *+ * Allocated and initialized with JxlEncoderFrameSettingsCreate(). * Cleaned up and deallocated when the encoder is destroyed with * JxlEncoderDestroy(). */-typedef struct JxlEncoderOptionsStruct JxlEncoderOptions;+typedef struct JxlEncoderFrameSettingsStruct JxlEncoderFrameSettings;++/** DEPRECATED: Use JxlEncoderFrameSettings instead.+ */+typedef JxlEncoderFrameSettings JxlEncoderOptions; /** * Return value for multiple encoder functions.@@ -67,19 +71,17 @@ */ JXL_ENC_NEED_MORE_OUTPUT = 2,- /** The encoder doesn't (yet) support this.+ /** DEPRECATED: the encoder does not return this status and there is no need+ * to handle or expect it. */ JXL_ENC_NOT_SUPPORTED = 3, } JxlEncoderStatus; /**- * Id of per-frame options to set to JxlEncoderOptions with- * JxlEncoderOptionsSetInteger.- * NOTE: this enum includes most but not all encoder options. The image quality- * is a frame option that can be set with JxlEncoderOptionsSetDistance instead.- * Options that apply globally, rather than per-frame, are set with their own- * functions and do not use the per-frame JxlEncoderOptions.+ * Id of encoder options for a frame. This includes options such as the+ * image quality and compression speed for this frame. This does not include+ * non-frame related encoder options such as for boxes. */ typedef enum { /** Sets encoder effort/speed level without affecting decoding speed. Valid@@ -87,13 +89,13 @@ * 4:cheetah 5:hare 6:wombat 7:squirrel 8:kitten 9:tortoise. * Default: squirrel (7). */- JXL_ENC_OPTION_EFFORT = 0,+ JXL_ENC_FRAME_SETTING_EFFORT = 0, /** Sets the decoding speed tier for the provided options. Minimum is 0 * (slowest to decode, best quality/density), and maximum is 4 (fastest to * decode, at the cost of some quality/density). Default is 0. */- JXL_ENC_OPTION_DECODING_SPEED = 1,+ JXL_ENC_FRAME_SETTING_DECODING_SPEED = 1, /** Sets resampling option. If enabled, the image is downsampled before * compression, and upsampled to original size in the decoder. Integer option,@@ -101,161 +103,161 @@ * 1 for no downsampling (1x1), 2 for 2x2 downsampling, 4 for 4x4 * downsampling, 8 for 8x8 downsampling. */- JXL_ENC_OPTION_RESAMPLING = 2,-- /** Similar to JXL_ENC_OPTION_RESAMPLING, but for extra channels. Integer- * option, use -1 for the default behavior (depends on encoder+ JXL_ENC_FRAME_SETTING_RESAMPLING = 2,++ /** Similar to JXL_ENC_FRAME_SETTING_RESAMPLING, but for extra channels.+ * Integer option, use -1 for the default behavior (depends on encoder * implementation), 1 for no downsampling (1x1), 2 for 2x2 downsampling, 4 for * 4x4 downsampling, 8 for 8x8 downsampling. */- JXL_ENC_OPTION_EXTRA_CHANNEL_RESAMPLING = 3,+ JXL_ENC_FRAME_SETTING_EXTRA_CHANNEL_RESAMPLING = 3, /** Indicates the frame added with @ref JxlEncoderAddImageFrame is already * downsampled by the downsampling factor set with @ref- * JXL_ENC_OPTION_RESAMPLING. The input frame must then be given in the+ * JXL_ENC_FRAME_SETTING_RESAMPLING. The input frame must then be given in the * downsampled resolution, not the full image resolution. The downsampled * resolution is given by ceil(xsize / resampling), ceil(ysize / resampling) * with xsize and ysize the dimensions given in the basic info, and resampling- * the factor set with @ref JXL_ENC_OPTION_RESAMPLING.+ * the factor set with @ref JXL_ENC_FRAME_SETTING_RESAMPLING. * Use 0 to disable, 1 to enable. Default value is 0. */- JXL_ENC_OPTION_ALREADY_DOWNSAMPLED = 4,+ JXL_ENC_FRAME_SETTING_ALREADY_DOWNSAMPLED = 4, /** Adds noise to the image emulating photographic film noise, the higher the * given number, the grainier the image will be. As an example, a value of 100 * gives low noise whereas a value of 3200 gives a lot of noise. The default * value is 0. */- JXL_ENC_OPTION_PHOTON_NOISE = 5,+ JXL_ENC_FRAME_SETTING_PHOTON_NOISE = 5, /** Enables adaptive noise generation. This setting is not recommended for- * use, please use JXL_ENC_OPTION_PHOTON_NOISE instead. Use -1 for the default- * (encoder chooses), 0 to disable, 1 to enable.- */- JXL_ENC_OPTION_NOISE = 6,+ * use, please use JXL_ENC_FRAME_SETTING_PHOTON_NOISE instead. Use -1 for the+ * default (encoder chooses), 0 to disable, 1 to enable.+ */+ JXL_ENC_FRAME_SETTING_NOISE = 6, /** Enables or disables dots generation. Use -1 for the default (encoder * chooses), 0 to disable, 1 to enable. */- JXL_ENC_OPTION_DOTS = 7,+ JXL_ENC_FRAME_SETTING_DOTS = 7, /** Enables or disables patches generation. Use -1 for the default (encoder * chooses), 0 to disable, 1 to enable. */- JXL_ENC_OPTION_PATCHES = 8,+ JXL_ENC_FRAME_SETTING_PATCHES = 8, /** Edge preserving filter level, -1 to 3. Use -1 for the default (encoder * chooses), 0 to 3 to set a strength. */- JXL_ENC_OPTION_EPF = 9,+ JXL_ENC_FRAME_SETTING_EPF = 9, /** Enables or disables the gaborish filter. Use -1 for the default (encoder * chooses), 0 to disable, 1 to enable. */- JXL_ENC_OPTION_GABORISH = 10,+ JXL_ENC_FRAME_SETTING_GABORISH = 10, /** Enables modular encoding. Use -1 for default (encoder * chooses), 0 to enforce VarDCT mode (e.g. for photographic images), 1 to * enforce modular mode (e.g. for lossless images). */- JXL_ENC_OPTION_MODULAR = 11,+ JXL_ENC_FRAME_SETTING_MODULAR = 11, /** Enables or disables preserving color of invisible pixels. Use -1 for the * default (1 if lossless, 0 if lossy), 0 to disable, 1 to enable. */- JXL_ENC_OPTION_KEEP_INVISIBLE = 12,+ JXL_ENC_FRAME_SETTING_KEEP_INVISIBLE = 12, /** Determines the order in which 256x256 regions are stored in the codestream * for progressive rendering. Use -1 for the encoder * default, 0 for scanline order, 1 for center-first order. */- JXL_ENC_OPTION_GROUP_ORDER = 13,+ JXL_ENC_FRAME_SETTING_GROUP_ORDER = 13, /** Determines the horizontal position of center for the center-first group * order. Use -1 to automatically use the middle of the image, 0..xsize to * specifically set it. */- JXL_ENC_OPTION_GROUP_ORDER_CENTER_X = 14,+ JXL_ENC_FRAME_SETTING_GROUP_ORDER_CENTER_X = 14, /** Determines the center for the center-first group order. Use -1 to * automatically use the middle of the image, 0..ysize to specifically set it. */- JXL_ENC_OPTION_GROUP_ORDER_CENTER_Y = 15,+ JXL_ENC_FRAME_SETTING_GROUP_ORDER_CENTER_Y = 15, /** Enables or disables progressive encoding for modular mode. Use -1 for the * encoder default, 0 to disable, 1 to enable. */- JXL_ENC_OPTION_RESPONSIVE = 16,+ JXL_ENC_FRAME_SETTING_RESPONSIVE = 16, /** Set the progressive mode for the AC coefficients of VarDCT, using spectral * progression from the DCT coefficients. Use -1 for the encoder default, 0 to * disable, 1 to enable. */- JXL_ENC_OPTION_PROGRESSIVE_AC = 17,+ JXL_ENC_FRAME_SETTING_PROGRESSIVE_AC = 17, /** Set the progressive mode for the AC coefficients of VarDCT, using * quantization of the least significant bits. Use -1 for the encoder default, * 0 to disable, 1 to enable. */- JXL_ENC_OPTION_QPROGRESSIVE_AC = 18,+ JXL_ENC_FRAME_SETTING_QPROGRESSIVE_AC = 18, /** Set the progressive mode using lower-resolution DC images for VarDCT. Use * -1 for the encoder default, 0 to disable, 1 to have an extra 64x64 lower * resolution pass, 2 to have a 512x512 and 64x64 lower resolution pass. */- JXL_ENC_OPTION_PROGRESSIVE_DC = 19,+ JXL_ENC_FRAME_SETTING_PROGRESSIVE_DC = 19, /** Use Global channel palette if the amount of colors is smaller than this * percentage of range. Use 0-100 to set an explicit percentage, -1 to use the * encoder default. Used for modular encoding. */- JXL_ENC_OPTION_CHANNEL_COLORS_GLOBAL_PERCENT = 20,+ JXL_ENC_FRAME_SETTING_CHANNEL_COLORS_GLOBAL_PERCENT = 20, /** Use Local (per-group) channel palette if the amount of colors is smaller * than this percentage of range. Use 0-100 to set an explicit percentage, -1 * to use the encoder default. Used for modular encoding. */- JXL_ENC_OPTION_CHANNEL_COLORS_GROUP_PERCENT = 21,+ JXL_ENC_FRAME_SETTING_CHANNEL_COLORS_GROUP_PERCENT = 21, /** Use color palette if amount of colors is smaller than or equal to this * amount, or -1 to use the encoder default. Used for modular encoding. */- JXL_ENC_OPTION_PALETTE_COLORS = 22,+ JXL_ENC_FRAME_SETTING_PALETTE_COLORS = 22, /** Enables or disables delta palette. Use -1 for the default (encoder * chooses), 0 to disable, 1 to enable. Used in modular mode. */- JXL_ENC_OPTION_LOSSY_PALETTE = 23,+ JXL_ENC_FRAME_SETTING_LOSSY_PALETTE = 23, /** Color transform for internal encoding: -1 = default, 0=XYB, 1=none (RGB), * 2=YCbCr. The XYB setting performs the forward XYB transform. None and * YCbCr both perform no transform, but YCbCr is used to indicate that the * encoded data losslessly represents YCbCr values. */- JXL_ENC_OPTION_COLOR_TRANSFORM = 24,+ JXL_ENC_FRAME_SETTING_COLOR_TRANSFORM = 24, /** Color space for modular encoding: -1=default, 0-35=reverse color transform * index, e.g. index 0 = none, index 6 = YCoCg. * The default behavior is to try several, depending on the speed setting. */- JXL_ENC_OPTION_MODULAR_COLOR_SPACE = 25,+ JXL_ENC_FRAME_SETTING_MODULAR_COLOR_SPACE = 25, /** Group size for modular encoding: -1=default, 0=128, 1=256, 2=512, 3=1024. */- JXL_ENC_OPTION_MODULAR_GROUP_SIZE = 26,+ JXL_ENC_FRAME_SETTING_MODULAR_GROUP_SIZE = 26, /** Predictor for modular encoding. -1 = default, 0=zero, 1=left, 2=top, * 3=avg0, 4=select, 5=gradient, 6=weighted, 7=topright, 8=topleft, * 9=leftleft, 10=avg1, 11=avg2, 12=avg3, 13=toptop predictive average 14=mix * 5 and 6, 15=mix everything. */- JXL_ENC_OPTION_MODULAR_PREDICTOR = 27,+ JXL_ENC_FRAME_SETTING_MODULAR_PREDICTOR = 27, /** Fraction of pixels used to learn MA trees as a percentage. -1 = default, * 0 = no MA and fast decode, 50 = default value, 100 = all, values above * 100 are also permitted. Higher values use more encoder memory. */- JXL_ENC_OPTION_MODULAR_MA_TREE_LEARNING_PERCENT = 28,+ JXL_ENC_FRAME_SETTING_MODULAR_MA_TREE_LEARNING_PERCENT = 28, /** Number of extra (previous-channel) MA tree properties to use. -1 = * default, 0-11 = valid values. Recommended values are in the range 0 to 3,@@ -263,19 +265,19 @@ * excluding color channels when using VarDCT mode). Higher value gives slower * encoding and slower decoding. */- JXL_ENC_OPTION_MODULAR_NB_PREV_CHANNELS = 29,+ JXL_ENC_FRAME_SETTING_MODULAR_NB_PREV_CHANNELS = 29, /** Enable or disable CFL (chroma-from-luma) for lossless JPEG recompression. * -1 = default, 0 = disable CFL, 1 = enable CFL. */- JXL_ENC_OPTION_JPEG_RECON_CFL = 30,+ JXL_ENC_FRAME_SETTING_JPEG_RECON_CFL = 30, /** Enum value not to be used as an option. This value is added to force the * C compiler to have the enum to take a known size. */- JXL_ENC_OPTION_FILL_ENUM = 65535,--} JxlEncoderOptionId;+ JXL_ENC_FRAME_SETTING_FILL_ENUM = 65535,++} JxlEncoderFrameSettingId; /** * Creates an instance of JxlEncoder and initializes it.@@ -306,6 +308,17 @@ * @param enc instance to be cleaned up and deallocated. */ JXL_EXPORT void JxlEncoderDestroy(JxlEncoder* enc);++/**+ * Sets the color management system (CMS) that will be used for color conversion+ * (if applicable) during encoding. May only be set before starting encoding. If+ * left unset, the default CMS implementation will be used.+ *+ * @param enc encoder object.+ * @param cms structure representing a CMS implementation. See JxlCmsInterface+ * for more details.+ */+JXL_EXPORT void JxlEncoderSetCms(JxlEncoder* enc, JxlCmsInterface cms); /** * Set the parallel runner for multithreading. May only be set before starting@@ -335,6 +348,12 @@ * When the return value is not JXL_ENC_ERROR or JXL_ENC_SUCCESS, the encoding * requires more JxlEncoderProcessOutput calls to continue. *+ * This encodes the frames and/or boxes added so far. If the last frame or last+ * box has been added, @ref JxlEncoderCloseInput, @ref JxlEncoderCloseFrames+ * and/or @ref JxlEncoderCloseBoxes must be called before the next+ * @ref JxlEncoderProcessOutput call, or the codestream won't be encoded+ * correctly.+ * * @param enc encoder object. * @param next_out pointer to next bytes to write to. * @param avail_out amount of bytes available starting from *next_out.@@ -347,6 +366,80 @@ size_t* avail_out); /**+ * Sets the frame information for this frame to the encoder. This includes+ * animation information such as frame duration to store in the frame header.+ * The frame header fields represent the frame as passed to the encoder, but not+ * necessarily the exact values as they will be encoded file format: the encoder+ * could change crop and blending options of a frame for more efficient encoding+ * or introduce additional internal frames. Animation duration and time code+ * information is not altered since those are immutable metadata of the frame.+ *+ * It is not required to use this function, however if have_animation is set+ * to true in the basic info, then this function should be used to set the+ * time duration of this individual frame. By default individual frames have a+ * time duration of 0, making them form a composite still. See @ref+ * JxlFrameHeader for more information.+ *+ * This information is stored in the JxlEncoderFrameSettings and so is used for+ * any frame encoded with these JxlEncoderFrameSettings. It is ok to change+ * between @ref JxlEncoderAddImageFrame calls, each added image frame will have+ * the frame header that was set in the options at the time of calling+ * JxlEncoderAddImageFrame.+ *+ * The is_last and name_length fields of the JxlFrameHeader are ignored, use+ * @ref JxlEncoderCloseFrames to indicate last frame, and @ref+ * JxlEncoderSetFrameName to indicate the name and its length instead.+ * Calling this function will clear any name that was previously set with @ref+ * JxlEncoderSetFrameName.+ *+ * @param frame_settings set of options and metadata for this frame. Also+ * includes reference to the encoder object.+ * @param frame_header frame header data to set. Object owned by the caller and+ * does not need to be kept in memory, its information is copied internally.+ * @return JXL_ENC_SUCCESS on success, JXL_ENC_ERROR on error+ */+JXL_EXPORT JxlEncoderStatus+JxlEncoderSetFrameHeader(JxlEncoderFrameSettings* frame_settings,+ const JxlFrameHeader* frame_header);++/**+ * Sets blend info of an extra channel. The blend info of extra channels is set+ * separately from that of the color channels, the color channels are set with+ * @ref JxlEncoderSetFrameHeader.+ *+ * @param frame_settings set of options and metadata for this frame. Also+ * includes reference to the encoder object.+ * @param index index of the extra channel to use.+ * @param blend_info blend info to set for the extra channel+ * @return JXL_ENC_SUCCESS on success, JXL_ENC_ERROR on error+ */+JXL_EXPORT JxlEncoderStatus JxlEncoderSetExtraChannelBlendInfo(+ JxlEncoderFrameSettings* frame_settings, size_t index,+ const JxlBlendInfo* blend_info);++/**+ * Sets the name of the animation frame. This function is optional, frames are+ * not required to have a name. This setting is a part of the frame header, and+ * the same principles as for @ref JxlEncoderSetFrameHeader apply. The+ * name_length field of JxlFrameHeader is ignored by the encoder, this function+ * determines the name length instead as the length in bytes of the C string.+ *+ * The maximum possible name length is 1071 bytes (excluding terminating null+ * character).+ *+ * Calling @ref JxlEncoderSetFrameHeader clears any name that was+ * previously set.+ *+ * @param frame_settings set of options and metadata for this frame. Also+ * includes reference to the encoder object.+ * @param frame_name name of the next frame to be encoded, as a UTF-8 encoded C+ * string (zero terminated). Owned by the caller, and copied internally.+ * @return JXL_ENC_SUCCESS on success, JXL_ENC_ERROR on error+ */+JXL_EXPORT JxlEncoderStatus JxlEncoderSetFrameName(+ JxlEncoderFrameSettings* frame_settings, const char* frame_name);++/** * Sets the buffer to read JPEG encoded bytes from for the next frame to encode. * * If JxlEncoderSetBasicInfo has not yet been called, calling@@ -361,14 +454,20 @@ * JxlEncoderStoreJPEGMetadata and a single JPEG frame is added, it will be * possible to losslessly reconstruct the JPEG codestream. *- * @param options set of encoder options to use when encoding the frame.+ * If this is the last frame, @ref JxlEncoderCloseInput or @ref+ * JxlEncoderCloseFrames must be called before the next+ * @ref JxlEncoderProcessOutput call.+ *+ * @param frame_settings set of options and metadata for this frame. Also+ * includes reference to the encoder object. * @param buffer bytes to read JPEG from. Owned by the caller and its contents * are copied internally. * @param size size of buffer in bytes. * @return JXL_ENC_SUCCESS on success, JXL_ENC_ERROR on error */-JXL_EXPORT JxlEncoderStatus JxlEncoderAddJPEGFrame(- const JxlEncoderOptions* options, const uint8_t* buffer, size_t size);+JXL_EXPORT JxlEncoderStatus+JxlEncoderAddJPEGFrame(const JxlEncoderFrameSettings* frame_settings,+ const uint8_t* buffer, size_t size); /** * Sets the buffer to read pixels from for the next image to encode. Must call@@ -411,7 +510,12 @@ * uses_original_profile=false case. They are however not allowed to be NaN or * +-infinity. *- * @param options set of encoder options to use when encoding the frame.+ * If this is the last frame, @ref JxlEncoderCloseInput or @ref+ * JxlEncoderCloseFrames must be called before the next+ * @ref JxlEncoderProcessOutput call.+ *+ * @param frame_settings set of options and metadata for this frame. Also+ * includes reference to the encoder object. * @param pixel_format format for pixels. Object owned by the caller and its * contents are copied internally. * @param buffer buffer type to input the pixel data from. Owned by the caller@@ -420,8 +524,8 @@ * @return JXL_ENC_SUCCESS on success, JXL_ENC_ERROR on error */ JXL_EXPORT JxlEncoderStatus JxlEncoderAddImageFrame(- const JxlEncoderOptions* options, const JxlPixelFormat* pixel_format,- const void* buffer, size_t size);+ const JxlEncoderFrameSettings* frame_settings,+ const JxlPixelFormat* pixel_format, const void* buffer, size_t size); /** * Sets the buffer to read pixels from for an extra channel at a given index.@@ -434,7 +538,8 @@ * It is required to call this function for every extra channel, except for the * alpha channel if that was already set through @ref JxlEncoderAddImageFrame. *- * @param options set of encoder options to use when encoding the extra channel.+ * @param frame_settings set of options and metadata for this frame. Also+ * includes reference to the encoder object. * @param pixel_format format for pixels. Object owned by the caller and its * contents are copied internally. The num_channels value is ignored, since the * number of channels for an extra channel is always assumed to be one.@@ -445,8 +550,9 @@ * @return JXL_ENC_SUCCESS on success, JXL_ENC_ERROR on error */ JXL_EXPORT JxlEncoderStatus JxlEncoderSetExtraChannelBuffer(- const JxlEncoderOptions* options, const JxlPixelFormat* pixel_format,- const void* buffer, size_t size, uint32_t index);+ const JxlEncoderFrameSettings* frame_settings,+ const JxlPixelFormat* pixel_format, const void* buffer, size_t size,+ uint32_t index); /** Adds a metadata box to the file format. JxlEncoderProcessOutput must be used * to effectively write the box to the output. @ref JxlEncoderUseBoxes must@@ -582,7 +688,7 @@ * @ref JxlEncoderUseBoxes is not used. Further frames may still be added. * * Must be called between JxlEncoderAddBox of the last box- * and the next call to JxlEncoderProcessOutput, or JxlEncoderProcessOutput+ * and the next call to JxlEncoderProcessOutput, or @ref JxlEncoderProcessOutput * won't output the last box correctly. * * NOTE: if you don't need to close frames and boxes at separate times, you can@@ -595,7 +701,9 @@ /** * Declares that no frames will be added and @ref JxlEncoderAddImageFrame and * @ref JxlEncoderAddJPEGFrame won't be called anymore. Further metadata boxes- * may still be added.+ * may still be added. This function or @ref JxlEncoderCloseInput must be called+ * after adding the last frame and the next call to+ * @ref JxlEncoderProcessOutput, or the frame won't be properly marked as last. * * NOTE: if you don't need to close frames and boxes at separate times, you can * use @ref JxlEncoderCloseInput instead to close both at once.@@ -611,7 +719,10 @@ * calls should be done to create the final output. * * The requirements of both @ref JxlEncoderCloseFrames and @ref- * JxlEncoderCloseBoxes apply to this function.+ * JxlEncoderCloseBoxes apply to this function. Either this function or the+ * other two must be called after the final frame and/or box, and the next+ * @ref JxlEncoderProcessOutput call, or the codestream won't be encoded+ * correctly. * * @param enc encoder object. */@@ -660,11 +771,34 @@ JXL_EXPORT void JxlEncoderInitBasicInfo(JxlBasicInfo* info); /**+ * Initializes a JxlFrameHeader struct to default values.+ * For forwards-compatibility, this function has to be called before values+ * are assigned to the struct fields.+ * The default values correspond to a frame with no animation duration and the+ * 'replace' blend mode. After using this function, For animation duration must+ * be set, for composite still blend settings must be set.+ *+ * @param frame_header frame metadata. Object owned by the caller.+ */+JXL_EXPORT void JxlEncoderInitFrameHeader(JxlFrameHeader* frame_header);++/**+ * Initializes a JxlBlendInfo struct to default values.+ * For forwards-compatibility, this function has to be called before values+ * are assigned to the struct fields.+ *+ * @param blend_info blending info. Object owned by the caller.+ */+JXL_EXPORT void JxlEncoderInitBlendInfo(JxlBlendInfo* blend_info);++/** * Sets the global metadata of the image encoded by this encoder. * * If the JxlBasicInfo contains information of extra channels beyond an alpha * channel, then @ref JxlEncoderSetExtraChannelInfo must be called between- * JxlEncoderSetBasicInfo and @ref JxlEncoderAddImageFrame.+ * JxlEncoderSetBasicInfo and @ref JxlEncoderAddImageFrame. In order to indicate+ * extra channels, the value of `info.num_extra_channels` should be set to the+ * number of extra channels, also counting the alpha channel if present. * * @param enc encoder object. * @param info global image metadata. Object owned by the caller and its@@ -705,6 +839,9 @@ /** * Sets the name for the extra channel at the given index in UTF-8. The index * must be smaller than the num_extra_channels in the associated JxlBasicInfo.+ *+ * TODO(lode): remove size parameter for consistency with+ * JxlEncoderSetFrameName * * @param enc encoder object * @param index index of the extra channel to set.@@ -720,19 +857,21 @@ /** * Sets a frame-specific option of integer type to the encoder options.- * The JxlEncoderOptionId argument determines which option is set.- *- * @param options set of encoder options to update with the new mode.+ * The JxlEncoderFrameSettingId argument determines which option is set.+ *+ * @param frame_settings set of options and metadata for this frame. Also+ * includes reference to the encoder object. * @param option ID of the option to set. * @param value Integer value to set for this option. * @return JXL_ENC_SUCCESS if the operation was successful, JXL_ENC_ERROR in * case of an error, such as invalid or unknown option id, or invalid integer * value for the given option. If an error is returned, the state of the- * JxlEncoderOptions object is still valid and is the same as before this+ * JxlEncoderFrameSettings object is still valid and is the same as before this * function was called. */-JXL_EXPORT JxlEncoderStatus JxlEncoderOptionsSetInteger(- JxlEncoderOptions* options, JxlEncoderOptionId option, int32_t value);+JXL_EXPORT JxlEncoderStatus JxlEncoderFrameSettingsSetOption(+ JxlEncoderFrameSettings* frame_settings, JxlEncoderFrameSettingId option,+ int32_t value); /** Forces the encoder to use the box-based container format (BMFF) even * when not necessary.@@ -773,7 +912,8 @@ JxlEncoderStoreJPEGMetadata(JxlEncoder* enc, JXL_BOOL store_jpeg_metadata); /** Sets the feature level of the JPEG XL codestream. Valid values are 5 and- * 10.+ * 10. Keeping the default value of 5 is recommended for compatibility with all+ * decoders. * * Level 5: for end-user image delivery, this level is the most widely * supported level by image decoders and the recommended level to use unless a@@ -796,9 +936,35 @@ * the encoder will only use those compatible with the level setting. * * This setting can only be set at the beginning, before encoding starts.+ *+ * @param enc encoder object.+ * @param level the level value to set, must be 5 or 10.+ * @return JXL_ENC_SUCCESS if the operation was successful, JXL_ENC_ERROR+ * otherwise. */ JXL_EXPORT JxlEncoderStatus JxlEncoderSetCodestreamLevel(JxlEncoder* enc, int level);++/** Returns the codestream level required to support the currently configured+ * settings and basic info. This function can only be used at the beginning,+ * before encoding starts, but after setting basic info.+ *+ * This does not support per-frame settings, only global configuration, such as+ * the image dimensions, that are known at the time of writing the header of+ * the JPEG XL file.+ *+ * If this returns 5, nothing needs to be done and the codestream can be+ * compatible with any decoder. If this returns 10, JxlEncoderSetCodestreamLevel+ * has to be used to set the codestream level to 10, or the encoder can be+ * configured differently to allow using the more compatible level 5.+ *+ * @param enc encoder object.+ * @return -1 if no level can support the configuration (e.g. image dimensions+ * larger than even level 10 supports), 5 if level 5 is supported, 10 if setting+ * the codestream level to 10 is required.+ *+ */+JXL_EXPORT int JxlEncoderGetRequiredCodestreamLevel(const JxlEncoder* enc); /** * Enables lossless encoding.@@ -812,54 +978,67 @@ * using this function with lossless set to JXL_DEC_FALSE does not guarantee * lossy encoding, though the default set of options is lossy. *- * @param options set of encoder options to update with the new mode+ * @param frame_settings set of options and metadata for this frame. Also+ * includes reference to the encoder object. * @param lossless whether to override options for lossless mode * @return JXL_ENC_SUCCESS if the operation was successful, JXL_ENC_ERROR * otherwise. */+JXL_EXPORT JxlEncoderStatus JxlEncoderSetFrameLossless(+ JxlEncoderFrameSettings* frame_settings, JXL_BOOL lossless);++/** DEPRECATED: use JxlEncoderSetFrameLossless instead.+ */ JXL_EXPORT JxlEncoderStatus-JxlEncoderOptionsSetLossless(JxlEncoderOptions* options, JXL_BOOL lossless);--/**- * @param options set of encoder options to update with the new mode.+JxlEncoderOptionsSetLossless(JxlEncoderFrameSettings*, JXL_BOOL);++/**+ * @param frame_settings set of options and metadata for this frame. Also+ * includes reference to the encoder object. * @param effort the effort value to set. * @return JXL_ENC_SUCCESS if the operation was successful, JXL_ENC_ERROR * otherwise. *- * DEPRECATED: use JxlEncoderOptionsSetInteger(options, JXL_ENC_OPTION_EFFORT,- * effort)) instead.+ * DEPRECATED: use JxlEncoderFrameSettingsSetOption(frame_settings,+ * JXL_ENC_FRAME_SETTING_EFFORT, effort) instead. */ JXL_EXPORT JXL_DEPRECATED JxlEncoderStatus-JxlEncoderOptionsSetEffort(JxlEncoderOptions* options, int effort);--/**- * @param options set of encoder options to update with the new decoding speed- * tier.+JxlEncoderOptionsSetEffort(JxlEncoderFrameSettings* frame_settings, int effort);++/**+ * @param frame_settings set of options and metadata for this frame. Also+ * includes reference to the encoder object. * @param tier the decoding speed tier to set. * @return JXL_ENC_SUCCESS if the operation was successful, JXL_ENC_ERROR * otherwise. *- * DEPRECATED: use JxlEncoderOptionsSetInteger(options,- * JXL_ENC_OPTION_DECODING_SPEED, tier)) instead.- */-JXL_EXPORT JXL_DEPRECATED JxlEncoderStatus-JxlEncoderOptionsSetDecodingSpeed(JxlEncoderOptions* options, int tier);+ * DEPRECATED: use JxlEncoderFrameSettingsSetOption(frame_settings,+ * JXL_ENC_FRAME_SETTING_DECODING_SPEED, tier) instead.+ */+JXL_EXPORT JXL_DEPRECATED JxlEncoderStatus JxlEncoderOptionsSetDecodingSpeed(+ JxlEncoderFrameSettings* frame_settings, int tier); /** * Sets the distance level for lossy compression: target max butteraugli * distance, lower = higher quality. Range: 0 .. 15.- * 0.0 = mathematically lossless (however, use JxlEncoderOptionsSetLossless+ * 0.0 = mathematically lossless (however, use JxlEncoderSetFrameLossless * instead to use true lossless, as setting distance to 0 alone is not the only * requirement). 1.0 = visually lossless. Recommended range: 0.5 .. 3.0. Default * value: 1.0. *- * @param options set of encoder options to update with the new mode.+ * @param frame_settings set of options and metadata for this frame. Also+ * includes reference to the encoder object. * @param distance the distance value to set. * @return JXL_ENC_SUCCESS if the operation was successful, JXL_ENC_ERROR * otherwise. */+JXL_EXPORT JxlEncoderStatus JxlEncoderSetFrameDistance(+ JxlEncoderFrameSettings* frame_settings, float distance);++/** DEPRECATED: use JxlEncoderSetFrameDistance instead.+ */ JXL_EXPORT JxlEncoderStatus-JxlEncoderOptionsSetDistance(JxlEncoderOptions* options, float distance);+JxlEncoderOptionsSetDistance(JxlEncoderFrameSettings*, float); /** * Create a new set of encoder options, with all values initially copied from@@ -867,17 +1046,22 @@ * * The returned pointer is an opaque struct tied to the encoder and it will be * deallocated by the encoder when JxlEncoderDestroy() is called. For functions- * taking both a @ref JxlEncoder and a @ref JxlEncoderOptions, only- * JxlEncoderOptions created with this function for the same encoder instance- * can be used.+ * taking both a @ref JxlEncoder and a @ref JxlEncoderFrameSettings, only+ * JxlEncoderFrameSettings created with this function for the same encoder+ * instance can be used. * * @param enc encoder object. * @param source source options to copy initial values from, or NULL to get * defaults initialized to defaults. * @return the opaque struct pointer identifying a new set of encoder options. */-JXL_EXPORT JxlEncoderOptions* JxlEncoderOptionsCreate(- JxlEncoder* enc, const JxlEncoderOptions* source);+JXL_EXPORT JxlEncoderFrameSettings* JxlEncoderFrameSettingsCreate(+ JxlEncoder* enc, const JxlEncoderFrameSettings* source);++/** DEPRECATED: use JxlEncoderFrameSettingsCreate instead.+ */+JXL_EXPORT JxlEncoderFrameSettings* JxlEncoderOptionsCreate(+ JxlEncoder*, const JxlEncoderFrameSettings*); /** * Sets a color encoding to be sRGB.
After analyzing the provided code diff, I don't identify any clear security vulnerabilities being fixed. The changes appear to be primarily: 1. Renaming types and enums (JxlEncoderOptions -> JxlEncoderFrameSettings, JxlEncoderOptionId -> JxlEncoderFrameSettingId) 2. Adding new functions and deprecating old ones 3. Improving documentation 4. Adding new features like color management system (CMS) support Here's the structured analysis: Vulnerability Existed: no [No security vulnerability found] [third_party/jpeg-xl/lib/include/jxl/encode.h] [Various lines] [Old code being refactored/renamed] [New code with improved naming and functionality] The changes are focused on API improvements and feature additions rather than security fixes. The most significant changes are: 1. The type rename from JxlEncoderOptions to JxlEncoderFrameSettings to better reflect its purpose 2. Addition of JxlEncoderSetCms() for color management 3. Deprecation of old functions in favor of new ones 4. Improved documentation about frame settings and requirements No CVE or known vulnerability patterns are being addressed in this diff. The changes appear to be part of normal API evolution and improvement. If I had to identify anything security-related, it would be the addition of more precise documentation which could help prevent misuse, but this doesn't qualify as a vulnerability fix. Would you like me to analyze any specific part of the diff in more detail?
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-pseudo/first-letter-003.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-pseudo/first-letter-003.html@@ -6,7 +6,6 @@ <link rel="author" title="Florian Rivoal" href="mailto:[email protected]"> <link rel="match" href="first-letter-001-ref.html"> <link rel="help" href="https://drafts.csswg.org/css-pseudo-4/#first-letter-styling">- <meta name="flags" content=""> <meta name="assert" content="Test checks that a floated ::first-letter is formatted identically to a floated non-pseudo element with the same content."> <style> div {
Analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability found [File] [Lines 6] Old Code: `<meta name="flags" content="">` Fixed Code: (line removed) Additional Details: - The diff shows the removal of an empty meta tag with name="flags". This appears to be a cleanup change rather than a security fix. - There's no indication of any security vulnerability being addressed by this change. - The change seems to be removing unnecessary or deprecated metadata from the test file. - No CVE or known vulnerability patterns are associated with this type of change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/neqo-transport/src/connection/tests/stream.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/neqo-transport/src/connection/tests/stream.rs@@ -916,3 +916,49 @@ SMALL_MAX_DATA ); }++fn connect_w_different_limit(bidi_limit: u64, unidi_limit: u64) {+ let mut client = default_client();+ let out = client.process(None, now());+ let mut server = new_server(+ ConnectionParameters::default()+ .max_streams(StreamType::BiDi, bidi_limit)+ .max_streams(StreamType::UniDi, unidi_limit),+ );+ let out = server.process(out.dgram(), now());++ let out = client.process(out.dgram(), now());+ mem::drop(server.process(out.dgram(), now()));++ assert!(maybe_authenticate(&mut client));++ let mut bidi_events = 0;+ let mut unidi_events = 0;+ let mut connected_events = 0;+ for e in client.events() {+ match e {+ ConnectionEvent::SendStreamCreatable { stream_type } => {+ if stream_type == StreamType::BiDi {+ bidi_events += 1;+ } else {+ unidi_events += 1;+ }+ }+ ConnectionEvent::StateChange(state) if state == State::Connected => {+ connected_events += 1;+ }+ _ => {}+ }+ }+ assert_eq!(bidi_events, usize::from(bidi_limit > 0));+ assert_eq!(unidi_events, usize::from(unidi_limit > 0));+ assert_eq!(connected_events, 1);+}++#[test]+fn client_stream_creatable_event() {+ connect_w_different_limit(0, 0);+ connect_w_different_limit(0, 1);+ connect_w_different_limit(1, 0);+ connect_w_different_limit(1, 1);+}
Analyzing the provided code diff, which shows an addition of a new test function and helper function, I don't see any security vulnerabilities being fixed. This appears to be new test code being added rather than a security patch. Here's the analysis following the requested format: 1. Vulnerability Existed: no No vulnerability found [File] third_party/rust/neqo-transport/src/connection/tests/stream.rs [Old Code] (No old code for this addition) [Fixed Code] (New test code added) The diff shows the addition of a test function `client_stream_creatable_event` and its helper function `connect_w_different_limit`. This appears to be test coverage for stream creation events with different stream limits, but doesn't show any security fixes or vulnerabilities being addressed. The code is testing functionality rather than fixing security issues. Since this is entirely new code being added rather than modifications to existing code, there are no vulnerabilities being fixed in this diff. The addition appears to be normal test case expansion.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/base/nsDOMWindowUtils.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/base/nsDOMWindowUtils.cpp@@ -424,6 +424,16 @@ } else { aViewportFit.AssignLiteral("auto"); }+ return NS_OK;+}++NS_IMETHODIMP+nsDOMWindowUtils::SetMousewheelAutodir(Element* aElement, bool aEnabled,+ bool aHonourRoot) {+ aElement->SetProperty(nsGkAtoms::forceMousewheelAutodir,+ reinterpret_cast<void*>(aEnabled));+ aElement->SetProperty(nsGkAtoms::forceMousewheelAutodirHonourRoot,+ reinterpret_cast<void*>(aHonourRoot)); return NS_OK; }
Here's the analysis of the provided code diff:
1. Vulnerability Existed: not sure
[Potential Memory Safety Issue] [dom/base/nsDOMWindowUtils.cpp] [Lines 424-434]
[Old Code]
(No previous implementation of SetMousewheelAutodir existed)
[Fixed Code]
aElement->SetProperty(nsGkAtoms::forceMousewheelAutodir,
reinterpret_cast<void*>(aEnabled));
aElement->SetProperty(nsGkAtoms::forceMousewheelAutodirHonourRoot,
reinterpret_cast<void*>(aHonourRoot));
Note: While this is a new function being added rather than a fix to existing code, there are potential security considerations:
1. The use of reinterpret_cast to store boolean values as pointers could be problematic if not handled correctly elsewhere in the code
2. There's no apparent null check for the aElement parameter
3. The properties being set could potentially be accessed by untrusted code
However, without seeing more context about how these properties are used elsewhere in the codebase, I can't definitively say this introduces a vulnerability. The addition appears to be implementing new functionality rather than fixing a specific security issue.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.space.basic.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.space.basic.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var f = new FontFace("CanvasTest", "url('/fonts/CanvasTest.ttf')"); let fonts = (self.fonts ? self.fonts : document.fonts);@@ -30,8 +30,8 @@ ctx.fillRect(0, 0, 100, 50); ctx.fillStyle = '#0f0'; ctx.fillText('E EE', -100, 37.5);- _assertPixelApprox(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2); }).then(t_pass, t_fail); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes where a variable name was changed from `offscreenCanvas` to `canvas`. The functionality remains the same.
Here's the structured response:
Vulnerability Existed: no
No security vulnerability found
File: testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.space.basic.html
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixelApprox(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixelApprox(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);
The changes are simply variable renaming and don't address any security issues. All the assertions and functionality remain identical.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.solid.source-in.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.solid.source-in.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 255, 1.0)';@@ -22,7 +22,7 @@ ctx.globalCompositeOperation = 'source-in'; ctx.fillStyle = 'rgba(255, 255, 0, 1.0)'; ctx.fillRect(0, 0, 100, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 255,255,0,255, "50,25", "255,255,0,255", 5);+_assertPixelApprox(canvas, 50,25, 255,255,0,255, "50,25", "255,255,0,255", 5); t.done(); });
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming without any security implications. Here's the analysis following your requested format:
Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-14, 22]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixelApprox(offscreenCanvas, 50,25, 255,255,0,255, "50,25", "255,255,0,255", 5);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixelApprox(canvas, 50,25, 255,255,0,255, "50,25", "255,255,0,255", 5);
The changes simply rename the variable 'offscreenCanvas' to 'canvas' for consistency or readability, without affecting the security of the code. No security vulnerabilities are being addressed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/widget/gtk/nsClipboard.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/widget/gtk/nsClipboard.h@@ -1,5 +1,5 @@-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */-/* vim:expandtab:shiftwidth=4:tabstop=4:+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */+/* vim:expandtab:shiftwidth=2:tabstop=2: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this@@ -9,8 +9,11 @@ #define __nsClipboard_h_ #include "mozilla/UniquePtr.h"+#include "mozilla/Span.h" #include "nsIClipboard.h" #include "nsIObserver.h"+#include "nsCOMPtr.h"+#include "GUniquePtr.h" #include <gtk/gtk.h> #ifdef MOZ_LOGGING@@ -20,11 +23,50 @@ extern mozilla::LazyLogModule gClipboardLog; # define LOGCLIP(...) \ MOZ_LOG(gClipboardLog, mozilla::LogLevel::Debug, (__VA_ARGS__))+# define LOGCLIP_ENABLED() \+ MOZ_LOG_TEST(gClipboardLog, mozilla::LogLevel::Debug) #else # define LOGCLIP(...)+# define LOGCLIP_ENABLED() false #endif /* MOZ_LOGGING */-enum ClipboardDataType { CLIPBOARD_DATA, CLIPBOARD_TEXT, CLIPBOARD_TARGETS };+class ClipboardTargets {+ friend class ClipboardData;++ mozilla::GUniquePtr<GdkAtom> mTargets;+ uint32_t mCount = 0;++ public:+ ClipboardTargets() = default;+ ClipboardTargets(mozilla::GUniquePtr<GdkAtom> aTargets, uint32_t aCount)+ : mTargets(std::move(aTargets)), mCount(aCount) {}++ mozilla::Span<GdkAtom> AsSpan() const { return {mTargets.get(), mCount}; }+ explicit operator bool() const { return bool(mTargets); }+};++class ClipboardData {+ mozilla::GUniquePtr<char> mData;+ uint32_t mLength = 0;++ public:+ ClipboardData() = default;++ void SetData(mozilla::Span<const uint8_t>);+ void SetText(mozilla::Span<const char>);+ void SetTargets(ClipboardTargets);++ ClipboardTargets ExtractTargets();+ mozilla::GUniquePtr<char> ExtractText() {+ mLength = 0;+ return std::move(mData);+ }++ mozilla::Span<char> AsSpan() const { return {mData.get(), mLength}; }+ explicit operator bool() const { return bool(mData); }+};++enum class ClipboardDataType { Data, Text, Targets }; class nsRetrievalContext { public:@@ -32,19 +74,15 @@ // main thread only. NS_INLINE_DECL_REFCOUNTING(nsRetrievalContext)- // Get actual clipboard content (GetClipboardData/GetClipboardText)- // which has to be released by ReleaseClipboardData().- virtual const char* GetClipboardData(const char* aMimeType,- int32_t aWhichClipboard,- uint32_t* aContentLength) = 0;- virtual const char* GetClipboardText(int32_t aWhichClipboard) = 0;- virtual void ReleaseClipboardData(const char* aClipboardData) = 0;+ // Get actual clipboard content (GetClipboardData/GetClipboardText).+ virtual ClipboardData GetClipboardData(const char* aMimeType,+ int32_t aWhichClipboard) = 0;+ virtual mozilla::GUniquePtr<char> GetClipboardText(+ int32_t aWhichClipboard) = 0;- // Get data mime types which can be obtained from clipboard.- // The returned array has to be released by g_free().- virtual GdkAtom* GetTargets(int32_t aWhichClipboard, int* aTargetNum) = 0;-- virtual bool HasSelectionSupport(void) = 0;+ // Get data mime types which can be obtained from clipboard. The returned+ // array has to be released by g_free().+ virtual ClipboardTargets GetTargets(int32_t aWhichClipboard) = 0; protected: virtual ~nsRetrievalContext() = default;
I'll analyze the code diff for security fixes following the specified format. Vulnerability Existed: not sure Memory Management Improvement [File] nsClipboard.h [Lines 9-11, 20-74] [Old Code] The original code used raw pointers for clipboard data and required manual memory management with ReleaseClipboardData() and g_free(). [Fixed Code] The new code uses smart pointers (GUniquePtr) and Span for safer memory management, eliminating the need for manual release functions and reducing potential memory leaks. Vulnerability Existed: not sure Logging Enhancement [File] nsClipboard.h [Lines 20-28] [Old Code] Basic logging macros without enabled check capability. [Fixed Code] Added LOGCLIP_ENABLED() macro to check if logging is enabled before performing potentially expensive logging operations. Vulnerability Existed: not sure Type Safety Improvement [File] nsClipboard.h [Lines 66] [Old Code] Used plain enum for ClipboardDataType. [Fixed Code] Changed to enum class for better type safety and scoping. Note: While none of these changes directly address known CVEs or specific vulnerabilities, they all represent improvements that could potentially prevent security issues: 1. The memory management changes could prevent memory leaks or use-after-free vulnerabilities 2. The logging changes could prevent information leakage in cases where logging is disabled 3. The enum class change improves type safety which could prevent certain classes of bugs However, without more context about the specific security issues being addressed, I can't definitively state that these were security fixes versus general code improvements.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/extensions/screenshots/build/shot.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/extensions/screenshots/build/shot.js@@ -374,8 +374,13 @@ get filename() { let filenameTitle = this.title; const date = new Date(this.createdDate);- // eslint-disable-next-line no-control-regex- filenameTitle = filenameTitle.replace(/[:\\<>/!@&?"*.|\x00-\x1F]/g, " ");+ /* eslint-disable no-control-regex */+ filenameTitle = filenameTitle+ .replace(/[\\/]/g, "_")+ .replace(/[\u200e\u200f\u202a-\u202e]/g, "")+ .replace(/[\x00-\x1f\x7f-\x9f:*?|"<>;,+=\[\]]+/g, " ")+ .replace(/^[\s\u180e.]+|[\s\u180e.]+$/g, "");+ /* eslint-enable no-control-regex */ filenameTitle = filenameTitle.replace(/\s{1,4000}/g, " "); const currentDateTime = new Date( date.getTime() - date.getTimezoneOffset() * 60 * 1000@@ -383,16 +388,26 @@ const filenameDate = currentDateTime.substring(0, 10); const filenameTime = currentDateTime.substring(11, 19).replace(/:/g, "-"); let clipFilename = `Screenshot ${filenameDate} at ${filenameTime} ${filenameTitle}`;- const clipFilenameBytesSize = clipFilename.length * 2; // JS STrings are UTF-16- if (clipFilenameBytesSize > 251) {- // 255 bytes (Usual filesystems max) - 4 for the ".png" file extension string- const excedingchars = (clipFilenameBytesSize - 246) / 2; // 251 - 5 for ellipsis "[...]"- clipFilename = clipFilename.substring(- 0,- clipFilename.length - excedingchars- );- clipFilename = clipFilename + "[...]";- }++ // Crop the filename size at less than 246 bytes, so as to leave+ // room for the extension and an ellipsis [...]. Note that JS+ // strings are UTF16 but the filename will be converted to UTF8+ // when saving which could take up more space, and we want a+ // maximum of 255 bytes (not characters). Here, we iterate+ // and crop at shorter and shorter points until we fit into+ // 255 bytes.+ let suffix = "";+ for (let cropSize = 246; cropSize >= 0; cropSize -= 32) {+ if (new Blob([clipFilename]).size > 246) {+ clipFilename = clipFilename.substring(0, cropSize);+ suffix = "[...]";+ } else {+ break;+ }+ }++ clipFilename += suffix;+ const clip = this.getClip(this.clipNames()[0]); let extension = ".png"; if (clip && clip.image && clip.image.type) {
Here's the analysis of the code diff for security fixes:
1. Vulnerability Existed: yes
Cross-Site Scripting (XSS) via Filename [browser/extensions/screenshots/build/shot.js] [Lines 374-383]
Old Code:
// eslint-disable-next-line no-control-regex
filenameTitle = filenameTitle.replace(/[:\\<>/!@&?"*.|\x00-\x1F]/g, " ");
Fixed Code:
/* eslint-disable no-control-regex */
filenameTitle = filenameTitle
.replace(/[\\/]/g, "_")
.replace(/[\u200e\u200f\u202a-\u202e]/g, "")
.replace(/[\x00-\x1f\x7f-\x9f:*?|"<>;,+=\[\]]+/g, " ")
.replace(/^[\s\u180e.]+|[\s\u180e.]+$/g, "");
/* eslint-enable no-control-regex */
Additional Details:
The fix improves filename sanitization by:
1. Adding protection against bidirectional Unicode characters (u200e, u200f, u202a-u202e) which could be used for filename spoofing
2. Expanding the set of sanitized characters (now includes more control chars and symbols)
3. Adding trimming of leading/trailing spaces and special chars
4. Replacing path separators with underscores
2. Vulnerability Existed: yes
Path Traversal/File System Corruption [browser/extensions/screenshots/build/shot.js] [Lines 383-398]
Old Code:
const clipFilenameBytesSize = clipFilename.length * 2; // JS STrings are UTF-16
if (clipFilenameBytesSize > 251) {
// 255 bytes (Usual filesystems max) - 4 for the ".png" file extension string
const excedingchars = (clipFilenameBytesSize - 246) / 2; // 251 - 5 for ellipsis "[...]"
clipFilename = clipFilename.substring(
0,
clipFilename.length - excedingchars
);
clipFilename = clipFilename + "[...]";
}
Fixed Code:
// Crop the filename size at less than 246 bytes, so as to leave
// room for the extension and an ellipsis [...]. Note that JS
// strings are UTF16 but the filename will be converted to UTF8
// when saving which could take up more space, and we want a
// maximum of 255 bytes (not characters). Here, we iterate
// and crop at shorter and shorter points until we fit into
// 255 bytes.
let suffix = "";
for (let cropSize = 246; cropSize >= 0; cropSize -= 32) {
if (new Blob([clipFilename]).size > 246) {
clipFilename = clipFilename.substring(0, cropSize);
suffix = "[...]";
} else {
break;
}
}
clipFilename += suffix;
Additional Details:
The fix improves filename length handling by:
1. Properly accounting for UTF-8 encoding which may use more bytes than UTF-16
2. Using a more reliable method (Blob.size) to measure actual byte size
3. Implementing a more robust truncation algorithm that guarantees the filename won't exceed filesystem limits
4. Adding comments explaining the safety considerations
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.object.properties.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.object.properties.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var imgdata = ctx.getImageData(0, 0, 10, 10); _assertSame(typeof(imgdata.width), 'number', "typeof(imgdata.width)", "'number'");
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
Variable Renaming [File] [Lines 15-16]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- This appears to be a simple variable renaming from `offscreenCanvas` to `canvas` for consistency or readability purposes.
- No security vulnerability is being addressed in this change.
- The functionality remains exactly the same, only the variable name changes.
- No security-related APIs or sensitive operations are involved in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.measure.direction.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.measure.direction.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.direction = "ltr"; metrics = ctx.measureText('hello');
Based on the provided diff, I'll analyze it for potential security vulnerabilities:
1. Vulnerability Existed: no
Variable Renaming [File] [Lines 17-18]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- The change appears to be purely a variable name change from `offscreenCanvas` to `canvas`
- No security implications are apparent in this change
- This seems to be a code style/consistency improvement rather than a security fix
- No known vulnerability is being addressed here
The diff shows only a variable renaming change with no apparent security impact. The functionality remains identical, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/invalidation/input-pseudo-classes-in-has.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/invalidation/input-pseudo-classes-in-has.html@@ -9,14 +9,22 @@ <script src="/resources/testdriver-actions.js"></script> <script src="/resources/testdriver-vendor.js"></script> <style>- .ancestor:has(input:checked) { color: green }- .ancestor:has(input:indeterminate) { color: yellowgreen }+ .ancestor:has(#checkme:checked) { color: green }+ .ancestor:has(#checkme:indeterminate) { color: yellowgreen }+ .ancestor:has(#checkme:disabled) { color: blue }+ .ancestor:has(#textinput:read-only) { color: skyblue }+ .ancestor:has(#textinput:placeholder-shown) { color: navy }+ .ancestor:has(#radioinput:default) { color: lightblue }+ .ancestor:has(#textinput:valid) { color: lightgreen }+ .ancestor:has(#numberinput:out-of-range) { color: darkgreen }+ .ancestor:has(#numberinput:required) { color: pink } </style> <div id=subject class=ancestor>- <div>- <input type="checkbox" name="my-checkbox" id="checkme">- <label for="checkme">Check me!</label>- </div>+ <input type="checkbox" name="my-checkbox" id="checkme">+ <label for="checkme">Check me!</label>+ <input type="text" id="textinput" required>+ <input id="radioinput" checked>+ <input id="numberinput" type="number" min="1" max="10" value="5"> </div> <script> test(() => {@@ -46,5 +54,34 @@ "ancestor should be green"); }- });+ checkme.disabled = true;+ assert_equals(getComputedStyle(subject).color, "rgb(0, 0, 255)",+ "ancestor should be blue");++ textinput.readOnly = true;+ assert_equals(getComputedStyle(subject).color, "rgb(135, 206, 235)",+ "ancestor should be skyblue");+ textinput.readOnly = false;++ textinput.placeholder = 'placeholder text';+ assert_equals(getComputedStyle(subject).color, "rgb(0, 0, 128)",+ "ancestor should be navy");++ radioinput.type = 'radio';+ assert_equals(getComputedStyle(subject).color, "rgb(173, 216, 230)",+ "ancestor should be lightblue");++ textinput.value = "text input";+ assert_equals(getComputedStyle(subject).color, "rgb(144, 238, 144)",+ "ancestor should be lightgreen");++ numberinput.value = 12;+ assert_equals(getComputedStyle(subject).color, "rgb(0, 100, 0)",+ "ancestor should be darkgreen");++ numberinput.required = true;+ assert_equals(getComputedStyle(subject).color, "rgb(255, 192, 203)",+ "ancestor should be pink");++ }); </script>=========third_party/rust/futures-util/src/future/either.rs========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/futures-util/src/future/either.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/futures-util/src/future/either.rs@@ -184,8 +184,6 @@ use core::pin::Pin; use core::task::{Context, Poll};- #[cfg(feature = "read-initializer")]- use futures_io::Initializer; use futures_io::{ AsyncBufRead, AsyncRead, AsyncSeek, AsyncWrite, IoSlice, IoSliceMut, Result, SeekFrom, };@@ -195,14 +193,6 @@ A: AsyncRead, B: AsyncRead, {- #[cfg(feature = "read-initializer")]- unsafe fn initializer(&self) -> Initializer {- match self {- Either::Left(x) => x.initializer(),- Either::Right(x) => x.initializer(),- }- }- fn poll_read( self: Pin<&mut Self>, cx: &mut Context<'_>,
Based on the provided code diff, I'll analyze it for security fixes:
1. For the first file (input-pseudo-classes-in-has.html):
Vulnerability Existed: no
This appears to be a test file modification that adds more test cases for CSS selector invalidation. There are no security vulnerabilities being fixed here, just expanded test coverage.
2. For the second file (either.rs):
Vulnerability Existed: not sure
Potential Removal of Unsafe Initializer [third_party/rust/futures-util/src/future/either.rs] [Lines 184-195]
Old Code:
```
#[cfg(feature = "read-initializer")]
unsafe fn initializer(&self) -> Initializer {
match self {
Either::Left(x) => x.initializer(),
Either::Right(x) => x.initializer(),
}
}
```
Fixed Code:
(Removed entirely)
Additional Details: The removal of an unsafe initialization function could potentially be related to security, but without more context about why this was removed and whether the `read-initializer` feature was a security concern, I can't be certain. The removal of unsafe code is generally good for security, but I can't identify a specific vulnerability being fixed here.
Note: The second change might be related to security hardening by removing unsafe code, but without more context about the `read-initializer` feature and its security implications, I can't definitively say this was fixing a vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/security/manager/ssl/SharedCertVerifier.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/security/manager/ssl/SharedCertVerifier.h@@ -27,12 +27,11 @@ BRNameMatchingPolicy::Mode nameMatchingMode, NetscapeStepUpPolicy netscapeStepUpPolicy, CertificateTransparencyMode ctMode, CRLiteMode crliteMode,- uint64_t crliteCTMergeDelaySeconds, const Vector<EnterpriseCert>& thirdPartyCerts)- : mozilla::psm::CertVerifier(- odc, osc, ocspSoftTimeout, ocspHardTimeout, certShortLifetimeInDays,- sha1Mode, nameMatchingMode, netscapeStepUpPolicy, ctMode,- crliteMode, crliteCTMergeDelaySeconds, thirdPartyCerts) {}+ : mozilla::psm::CertVerifier(odc, osc, ocspSoftTimeout, ocspHardTimeout,+ certShortLifetimeInDays, sha1Mode,+ nameMatchingMode, netscapeStepUpPolicy,+ ctMode, crliteMode, thirdPartyCerts) {} }; } // namespace psm
Let me analyze this code diff for potential security fixes.
Vulnerability Existed: not sure
[Parameter Removal] [security/manager/ssl/SharedCertVerifier.h] [Lines 27-35]
[Old Code]
: mozilla::psm::CertVerifier(
odc, osc, ocspSoftTimeout, ocspHardTimeout, certShortLifetimeInDays,
sha1Mode, nameMatchingMode, netscapeStepUpPolicy, ctMode,
crliteMode, crliteCTMergeDelaySeconds, thirdPartyCerts) {}
[Fixed Code]
: mozilla::psm::CertVerifier(odc, osc, ocspSoftTimeout, ocspHardTimeout,
certShortLifetimeInDays, sha1Mode,
nameMatchingMode, netscapeStepUpPolicy,
ctMode, crliteMode, thirdPartyCerts) {}
Additional Details:
- The change removes the `crliteCTMergeDelaySeconds` parameter from the constructor initialization
- Without more context about how this parameter was used, it's difficult to determine if this was a security fix
- This could be related to certificate verification timing or CRLite (Certificate Revocation List Lite) functionality
- The change might be related to security hardening by removing a potentially dangerous timing parameter, but this is speculative
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/modules/libjar/zipwriter/nsDeflateConverter.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/modules/libjar/zipwriter/nsDeflateConverter.cpp@@ -8,6 +8,7 @@ #include "nsStringStream.h" #include "nsComponentManagerUtils.h" #include "nsMemory.h"+#include "nsCRT.h" #include "plstr.h" #include "mozilla/UniquePtr.h"@@ -75,13 +76,14 @@ NS_ENSURE_ARG_POINTER(aListener);- if (!PL_strncasecmp(aToType, ZLIB_TYPE, sizeof(ZLIB_TYPE) - 1))+ if (!PL_strncasecmp(aToType, ZLIB_TYPE, sizeof(ZLIB_TYPE) - 1)) { mWrapMode = WRAP_ZLIB;- else if (!PL_strcasecmp(aToType, GZIP_TYPE) ||- !PL_strcasecmp(aToType, X_GZIP_TYPE))+ } else if (!nsCRT::strcasecmp(aToType, GZIP_TYPE) ||+ !nsCRT::strcasecmp(aToType, X_GZIP_TYPE)) { mWrapMode = WRAP_GZIP;- else+ } else { mWrapMode = WRAP_NONE;+ } nsresult rv = Init(); NS_ENSURE_SUCCESS(rv, rv);
Here's the analysis following the required format:
Vulnerability Existed: not sure
Potential String Comparison Vulnerability [File] [Lines 75-81]
[Old Code]
if (!PL_strncasecmp(aToType, ZLIB_TYPE, sizeof(ZLIB_TYPE) - 1))
mWrapMode = WRAP_ZLIB;
else if (!PL_strcasecmp(aToType, GZIP_TYPE) ||
!PL_strcasecmp(aToType, X_GZIP_TYPE))
mWrapMode = WRAP_GZIP;
else
mWrapMode = WRAP_NONE;
[Fixed Code]
if (!PL_strncasecmp(aToType, ZLIB_TYPE, sizeof(ZLIB_TYPE) - 1)) {
mWrapMode = WRAP_ZLIB;
} else if (!nsCRT::strcasecmp(aToType, GZIP_TYPE) ||
!nsCRT::strcasecmp(aToType, X_GZIP_TYPE)) {
mWrapMode = WRAP_GZIP;
} else {
mWrapMode = WRAP_NONE;
}
Additional Details:
1. The change replaces PL_strcasecmp with nsCRT::strcasecmp for GZIP_TYPE and X_GZIP_TYPE comparisons, which might indicate a potential security improvement in string handling.
2. The addition of braces improves code safety by preventing potential logic errors from missing braces.
3. While not clearly a security vulnerability, the change to use nsCRT::strcasecmp might be related to more secure string handling practices.
4. No specific CVE or vulnerability name is immediately apparent from this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.