Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/taskcluster/ci/toolchain/fix-stacks.yml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/taskcluster/ci/toolchain/fix-stacks.yml@@ -26,7 +26,7 @@ fetches: toolchain: - linux64-binutils- - linux64-clang-13+ - linux64-clang-toolchain - linux64-rust-1.57 - sysroot-x86_64-linux-gnu@@ -38,8 +38,8 @@ toolchain-artifact: public/build/fix-stacks.tar.zst fetches: toolchain:- - linux64-cctools-port-clang-13- - linux64-clang-13+ - linux64-cctools-port+ - linux64-clang-toolchain - linux64-rust-macos-1.57 - macosx64-sdk-11.0@@ -51,8 +51,8 @@ toolchain-artifact: public/build/fix-stacks.tar.zst fetches: toolchain:- - linux64-cctools-port-clang-13- - linux64-clang-13+ - linux64-cctools-port+ - linux64-clang-toolchain - linux64-rust-macos-1.57 - macosx64-sdk-11.0@@ -70,6 +70,6 @@ tooltool-downloads: internal fetches: toolchain:- - linux64-clang-13+ - linux64-clang-toolchain - linux64-liblowercase - linux64-rust-windows-1.57
Based on the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be updates to toolchain dependencies, likely for version updates or consistency in naming conventions. Here's the analysis: 1. Vulnerability Existed: no No security vulnerability found [File] taskcluster/ci/toolchain/fix-stacks.yml [Lines] 26-70 [Old Code] Various references to linux64-clang-13 and linux64-cctools-port-clang-13 [Fixed Code] Updated to linux64-clang-toolchain and linux64-cctools-port The changes involve: 1. Replacing "linux64-clang-13" with "linux64-clang-toolchain" in multiple places 2. Replacing "linux64-cctools-port-clang-13" with "linux64-cctools-port" These appear to be maintenance changes rather than security fixes, possibly updating to newer or more standardized toolchain package names. There's no indication of any security vulnerability being addressed through these changes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/webrtc/third_party_build/gn-configs/x64_False_x64_openbsd.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/webrtc/third_party_build/gn-configs/x64_False_x64_openbsd.json@@ -25523,7 +25523,6 @@ "-Wno-shorten-64-to-32" ], "defines": [- "MULTI_MONITOR_SCREENSHARE", "WEBRTC_USE_PIPEWIRE", "USE_GLIB=1", "_FILE_OFFSET_BITS=64",
Analysis of the provided code diff:
1. Vulnerability Existed: not sure
[Potential Information Exposure] [dom/media/webrtc/third_party_build/gn-configs/x64_False_x64_openbsd.json] [Lines 25523-25527]
[Old Code]
```json
"defines": [
"MULTI_MONITOR_SCREENSHARE",
"WEBRTC_USE_PIPEWIRE",
"USE_GLIB=1",
"_FILE_OFFSET_BITS=64",
```
[Fixed Code]
```json
"defines": [
"WEBRTC_USE_PIPEWIRE",
"USE_GLIB=1",
"_FILE_OFFSET_BITS=64",
```
Additional Details: The removal of "MULTI_MONITOR_SCREENSHARE" could indicate a security-related change, possibly addressing potential information exposure through screen sharing features. However, without more context about why this define was removed, we cannot be certain if this was a security fix or just a feature removal.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/base/content/browser.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/base/content/browser.js@@ -223,11 +223,25 @@ ["DownloadsButton", "DownloadsIndicatorView"], "chrome://browser/content/downloads/indicator.js" );-XPCOMUtils.defineLazyScriptGetter(- this,- "gEditItemOverlay",- "chrome://browser/content/places/editBookmark.js"-);+if (+ Services.prefs.getBoolPref(+ "browser.bookmarks.editDialog.delayedApply.enabled",+ false+ )+) {+ XPCOMUtils.defineLazyScriptGetter(+ this,+ "gEditItemOverlay",+ "chrome://browser/content/places/editBookmark.js"+ );+} else {+ XPCOMUtils.defineLazyScriptGetter(+ this,+ "gEditItemOverlay",+ "chrome://browser/content/places/instantEditBookmark.js"+ );+}+ XPCOMUtils.defineLazyScriptGetter( this, "gGfxUtils",@@ -4006,7 +4020,7 @@ window.location.href != AppConstants.BROWSER_CHROME_URL || gURLBar.readOnly ) {- let win = getTopWin(true);+ let win = getTopWin({ skipPopups: true }); if (win) { // If there's an open browser window, it should handle this command win.focus();@@ -4263,6 +4277,63 @@ ); var where = newWindowPref == 3 ? "tab" : "window"; openTrustedLinkIn(this.searchEnginesURL, where);+ },++ /**+ * Infobar to notify the user's search engine has been removed+ * and replaced with an application default search engine.+ *+ * @param {string} oldEngine+ * name of the engine to be moved and replaced.+ * @param {string} newEngine+ * name of the application default engine to replaced the removed engine.+ */+ removalOfSearchEngineNotificationBox(oldEngine, newEngine) {+ let messageFragment = document.createDocumentFragment();+ let message = document.createElement("span");+ let link = document.createXULElement("label", {+ is: "text-link",+ });++ link.href = Services.urlFormatter.formatURLPref(+ "browser.search.searchEngineRemoval"+ );+ link.setAttribute("data-l10n-name", "remove-search-engine-article");+ document.l10n.setAttributes(message, "remove-search-engine-message", {+ oldEngine,+ newEngine,+ });++ message.appendChild(link);+ messageFragment.appendChild(message);++ let button = [+ {+ "l10n-id": "remove-search-engine-button",+ primary: true,+ callback() {+ const notificationBox = gNotificationBox.getNotificationWithValue(+ "search-engine-removal"+ );+ gNotificationBox.removeNotification(notificationBox);+ },+ },+ ];++ gNotificationBox.appendNotification(+ "search-engine-removal",+ {+ label: messageFragment,+ priority: gNotificationBox.PRIORITY_SYSTEM,+ },+ button+ );++ // Update engine name in the placeholder to the new default engine name.+ this._updateURLBarPlaceholderFromDefaultEngine(+ PrivateBrowsingUtils.isWindowPrivate(window),+ false+ ).catch(Cu.reportError); }, };@@ -6353,6 +6424,16 @@ }, };+function showFullScreenViewContextMenuItems(popup) {+ for (let node of popup.querySelectorAll('[contexttype="fullscreen"]')) {+ node.hidden = !window.fullScreen;+ }+ let autoHide = popup.querySelector(".fullscreen-context-autohide");+ if (autoHide) {+ FullScreen.getAutohide(autoHide);+ }+}+ function onViewToolbarsPopupShowing(aEvent, aInsertPoint) { var popup = aEvent.target; if (popup != aEvent.currentTarget) {@@ -6404,6 +6485,9 @@ let removeFromToolbar = popup.querySelector( ".customize-context-removeFromToolbar" );+ // Show/hide fullscreen context menu items and set the+ // autohide item's checked state to mirror the autohide pref.+ showFullScreenViewContextMenuItems(popup); // View -> Toolbars menu doesn't have the moveToPanel or removeFromToolbar items. if (!moveToPanel || !removeFromToolbar) { return;
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Potential Lazy Loading Security Issue] [browser/base/content/browser.js] [Lines 223-238]
[Old Code]
XPCOMUtils.defineLazyScriptGetter(
this,
"gEditItemOverlay",
"chrome://browser/content/places/editBookmark.js"
);
[Fixed Code]
if (
Services.prefs.getBoolPref(
"browser.bookmarks.editDialog.delayedApply.enabled",
false
)
) {
XPCOMUtils.defineLazyScriptGetter(
this,
"gEditItemOverlay",
"chrome://browser/content/places/editBookmark.js"
);
} else {
XPCOMUtils.defineLazyScriptGetter(
this,
"gEditItemOverlay",
"chrome://browser/content/places/instantEditBookmark.js"
);
}
2. Vulnerability Existed: not sure
[Potential Popup Window Security Issue] [browser/base/content/browser.js] [Lines 4006]
[Old Code]
let win = getTopWin(true);
[Fixed Code]
let win = getTopWin({ skipPopups: true });
3. Vulnerability Existed: not sure
[Potential XSS in Search Engine Removal Notification] [browser/base/content/browser.js] [Lines 4263-4326]
[Old Code]
(New functionality added)
[Fixed Code]
(Includes new removalOfSearchEngineNotificationBox method with proper DOM manipulation and l10n handling)
4. Vulnerability Existed: not sure
[Potential Fullscreen Context Menu Security Issue] [browser/base/content/browser.js] [Lines 6353-6432]
[Old Code]
(New functionality added)
[Fixed Code]
(Includes new showFullScreenViewContextMenuItems function with proper fullscreen state checks)
Note: While I can identify several changes that appear to be security-related improvements, I cannot definitively confirm specific vulnerabilities without more context about the threat model or known vulnerabilities in these areas. The changes generally appear to improve security by:
1. Making script loading more configurable
2. Being more explicit about popup handling
3. Using safer DOM manipulation patterns
4. Adding proper fullscreen state checks
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/accessible/generic/ImageAccessible.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/accessible/generic/ImageAccessible.cpp@@ -11,6 +11,7 @@ #include "Role.h" #include "AccAttributes.h" #include "AccIterator.h"+#include "CacheConstants.h" #include "States.h" #include "imgIContainer.h"@@ -18,12 +19,13 @@ #include "nsGenericHTMLElement.h" #include "mozilla/dom/BrowsingContext.h" #include "mozilla/dom/Document.h"+#include "mozilla/dom/MutationEventBinding.h" #include "nsContentUtils.h" #include "nsIImageLoadingContent.h" #include "nsPIDOMWindow.h" #include "nsIURI.h"-using namespace mozilla::a11y;+namespace mozilla::a11y { NS_IMPL_ISUPPORTS_INHERITED(ImageAccessible, LinkableAccessible, imgINotificationObserver)@@ -105,6 +107,20 @@ role ImageAccessible::NativeRole() const { return roles::GRAPHIC; }+void ImageAccessible::DOMAttributeChanged(int32_t aNameSpaceID,+ nsAtom* aAttribute, int32_t aModType,+ const nsAttrValue* aOldValue,+ uint64_t aOldState) {+ LinkableAccessible::DOMAttributeChanged(aNameSpaceID, aAttribute, aModType,+ aOldValue, aOldState);++ if (aAttribute == nsGkAtoms::longdesc &&+ (aModType == dom::MutationEvent_Binding::ADDITION ||+ aModType == dom::MutationEvent_Binding::REMOVAL)) {+ SendCache(CacheDomain::Actions, CacheUpdateType::Update);+ }+}+ //////////////////////////////////////////////////////////////////////////////// // LocalAccessible@@ -137,7 +153,7 @@ nsCOMPtr<nsPIDOMWindowOuter> piWindow = document->GetWindow(); if (!piWindow) return false;- RefPtr<mozilla::dom::BrowsingContext> tmp;+ RefPtr<dom::BrowsingContext> tmp; return NS_SUCCEEDED(piWindow->Open(spec, u""_ns, u""_ns, /* aLoadInfo = */ nullptr, /* aForceNoOpener = */ false,@@ -147,13 +163,13 @@ //////////////////////////////////////////////////////////////////////////////// // ImageAccessible-nsIntPoint ImageAccessible::Position(uint32_t aCoordType) {- nsIntPoint point = Bounds().TopLeft();+LayoutDeviceIntPoint ImageAccessible::Position(uint32_t aCoordType) {+ LayoutDeviceIntPoint point = Bounds().TopLeft(); nsAccUtils::ConvertScreenCoordsTo(&point.x, &point.y, aCoordType, this); return point; }-nsIntSize ImageAccessible::Size() { return Bounds().Size(); }+LayoutDeviceIntSize ImageAccessible::Size() { return Bounds().Size(); } // LocalAccessible already_AddRefed<AccAttributes> ImageAccessible::NativeAttributes() {@@ -247,3 +263,5 @@ mImageRequestStatus = status; }++} // namespace mozilla::a11y
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[No specific vulnerability name] [accessible/generic/ImageAccessible.cpp] [Lines 11,18,19]
Old Code: Missing includes for CacheConstants.h and MutationEventBinding.h
Fixed Code: Added includes for CacheConstants.h and MutationEventBinding.h
Details: While not directly a security fix, adding necessary includes could prevent potential issues.
2. Vulnerability Existed: not sure
[Namespace scope vulnerability] [accessible/generic/ImageAccessible.cpp] [Lines 24]
Old Code: `using namespace mozilla::a11y;`
Fixed Code: Explicit namespace usage `namespace mozilla::a11y {`
Details: The change from using-directive to explicit namespace usage could help prevent namespace pollution or ambiguous references, though it's not clearly a security fix.
3. Vulnerability Existed: not sure
[Potential DOM attribute change handling] [accessible/generic/ImageAccessible.cpp] [Lines 105-117]
Old Code: Missing DOMAttributeChanged method
Fixed Code: Added DOMAttributeChanged method with specific handling for longdesc attribute changes
Details: The new method properly handles attribute changes and updates the cache, which could prevent stale data issues.
4. Vulnerability Existed: not sure
[Type safety improvement] [accessible/generic/ImageAccessible.cpp] [Lines 137-163]
Old Code: Using nsIntPoint/nsIntSize
Fixed Code: Using LayoutDeviceIntPoint/LayoutDeviceIntSize
Details: The change to more specific types could prevent potential type conversion issues, though it's not clearly a security fix.
Note: While there are several changes in the diff, none clearly indicate fixes for known vulnerabilities. The changes appear to be more about code quality, maintainability, and proper attribute change handling rather than direct security fixes. The most security-relevant change might be the proper handling of DOM attribute changes, but without more context, we can't be certain it addresses a specific vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.pattern.paint.norepeat.coord3.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.pattern.paint.norepeat.coord3.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -35,10 +35,10 @@ ctx.fillRect(-50, -25, 100, 50); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 50, 25);- _assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");- _assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");- _assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");- _assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+ _assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+ _assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+ _assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+ _assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255"); }, t_fail); }).then(t_pass, t_fail);
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and updating the corresponding references in the `_assertPixel` calls. This doesn't relate to any security fixes but rather improves code consistency or readability.
Here's the structured response following your format:
Vulnerability Existed: no
No security vulnerability found
File: testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.pattern.paint.norepeat.coord3.worker.js
Changes involve variable renaming only
The diff shows:
1. Variable `offscreenCanvas` renamed to `canvas`
2. All subsequent references to this variable updated accordingly
3. No changes to the actual security-related logic or functionality of the code
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/mfbt/Maybe.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/mfbt/Maybe.h@@ -455,7 +455,7 @@ * avoid multiple calls. Unsafe unless |isSome()|. */ T extract() {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); T v = std::move(mStorage.val); reset(); return v;@@ -683,7 +683,7 @@ constexpr bool isNothing() const { return !mValue; } T& ref() const {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return *mValue; }@@ -743,98 +743,98 @@ template <typename T> constexpr T Maybe<T>::value() const& {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return ref(); } template <typename T> constexpr T Maybe<T>::value() && {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return std::move(ref()); } template <typename T> constexpr T Maybe<T>::value() const&& {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return std::move(ref()); } template <typename T> T* Maybe<T>::ptr() {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return &ref(); } template <typename T> constexpr const T* Maybe<T>::ptr() const {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return &ref(); } template <typename T> constexpr T* Maybe<T>::operator->() {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return ptr(); } template <typename T> constexpr const T* Maybe<T>::operator->() const {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return ptr(); } template <typename T> constexpr T& Maybe<T>::ref() & {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return mStorage.val; } template <typename T> constexpr const T& Maybe<T>::ref() const& {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return mStorage.val; } template <typename T> constexpr T&& Maybe<T>::ref() && {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return std::move(mStorage.val); } template <typename T> constexpr const T&& Maybe<T>::ref() const&& {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return std::move(mStorage.val); } template <typename T> constexpr T& Maybe<T>::operator*() & {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return ref(); } template <typename T> constexpr const T& Maybe<T>::operator*() const& {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return ref(); } template <typename T> constexpr T&& Maybe<T>::operator*() && {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return std::move(ref()); } template <typename T> constexpr const T&& Maybe<T>::operator*() const&& {- MOZ_DIAGNOSTIC_ASSERT(isSome());+ MOZ_RELEASE_ASSERT(isSome()); return std::move(ref()); } template <typename T> template <typename... Args> constexpr void Maybe<T>::emplace(Args&&... aArgs) {- MOZ_DIAGNOSTIC_ASSERT(!isSome());+ MOZ_RELEASE_ASSERT(!isSome()); ::new (KnownNotNull, &mStorage.val) T(std::forward<Args>(aArgs)...); mIsSome = true; }
Here's the analysis of the provided code diff for security fixes: Vulnerability Existed: yes Assertion Upgrade Vulnerability [mfbt/Maybe.h] [Multiple lines throughout file] [Old Code] Various instances of `MOZ_DIAGNOSTIC_ASSERT(isSome())` and `MOZ_DIAGNOSTIC_ASSERT(!isSome())` [Fixed Code] Replaced with `MOZ_RELEASE_ASSERT(isSome())` and `MOZ_RELEASE_ASSERT(!isSome())` Additional Details: The diff shows a systematic replacement of `MOZ_DIAGNOSTIC_ASSERT` with `MOZ_RELEASE_ASSERT` throughout the Maybe.h file. This is a security hardening change because: 1. `MOZ_RELEASE_ASSERT` is stronger than `MOZ_DIAGNOSTIC_ASSERT` - it will terminate the program in release builds if the assertion fails, while `MOZ_DIAGNOSTIC_ASSERT` might only log the failure 2. The assertions protect against null pointer dereferences and invalid memory access when working with Maybe<T> types 3. The change ensures consistent behavior across debug and release builds, making potential bugs more visible While not fixing a specific known vulnerability, this change prevents potential security issues that could arise from silently continuing after failed assertions in release builds. The pattern matches security best practices for defensive programming.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.fill.copy.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.fill.copy.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 0, 0.5)';@@ -23,7 +23,7 @@ ctx.fillStyle = 'rgba(0, 0, 255, 0.75)'; ctx.translate(0, 25); ctx.fillRect(0, 50, 100, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);+_assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming for better code clarity. Here's the analysis:
1. Vulnerability Existed: no
Variable Renaming [File] [Lines 13-14, 23]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);
The changes simply rename the variable `offscreenCanvas` to `canvas` for consistency or brevity, without any security implications. The functionality remains exactly the same. No security vulnerabilities were addressed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-75b.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-75b.xml@@ -9,7 +9,6 @@ <link rel="author" title="Daniel Glazman" href="http://glazman.org/"/> <link rel="author" title="Ian Hickson" href="mailto:[email protected]"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->- <meta name="flags" content="" /> </head> <body> <p class="green">This paragraph should have green background</p>
Based on the provided diff, here's the analysis: Vulnerability Existed: no [No specific vulnerability found] [testing/web-platform/tests/css/selectors/old-tests/css3-modsel-75b.xml] [Lines 9] [Old Code: <meta name="flags" content="" />] [Fixed Code: (line removed)] Additional Details: - The change simply removes an empty meta tag with a "flags" attribute - This appears to be a test file cleanup rather than a security fix - No known vulnerability patterns or security issues are addressed by this change - The modification is likely related to test suite maintenance or standardization Note: While this doesn't represent a security fix, removing unnecessary tags can be considered good practice for code hygiene and maintainability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.baseline.invalid.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.baseline.invalid.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.textBaseline = 'top'; ctx.textBaseline = 'bogus';
Based on the provided code diff, I'll analyze it for security vulnerabilities:
Vulnerability Existed: no
[No specific vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/text/2d.text.baseline.invalid.html] [Lines 17-18]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
1. The changes appear to be purely variable naming changes (from 'offscreenCanvas' to 'canvas')
2. No security-relevant functionality is modified
3. The test still checks for invalid textBaseline values ('bogus')
4. This is likely a code style/consistency improvement rather than a security fix
No security vulnerabilities were identified in this diff. The changes are cosmetic in nature and don't affect the security properties of the code.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/style/nsDOMCSSAttrDeclaration.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/style/nsDOMCSSAttrDeclaration.cpp@@ -201,12 +201,7 @@ aPropID == eCSSProperty_scale || aPropID == eCSSProperty_offset_path || aPropID == eCSSProperty_offset_distance || aPropID == eCSSProperty_offset_rotate ||- aPropID == eCSSProperty_offset_anchor || aPropID == eCSSProperty_left ||- aPropID == eCSSProperty_top || aPropID == eCSSProperty_right ||- aPropID == eCSSProperty_bottom ||- aPropID == eCSSProperty_background_position_x ||- aPropID == eCSSProperty_background_position_y ||- aPropID == eCSSProperty_background_position) {+ aPropID == eCSSProperty_offset_anchor) { nsIFrame* frame = mElement->GetPrimaryFrame(); if (frame) { ActiveLayerTracker::NotifyInlineStyleRuleModified(frame, aPropID, aValue,
Here's the analysis of the provided code diff:
Vulnerability Existed: not sure
[Potential CSS Property Validation Issue] [layout/style/nsDOMCSSAttrDeclaration.cpp] [Lines 201-208]
[Old Code]
aPropID == eCSSProperty_scale || aPropID == eCSSProperty_offset_path ||
aPropID == eCSSProperty_offset_distance ||
aPropID == eCSSProperty_offset_rotate ||
aPropID == eCSSProperty_offset_anchor || aPropID == eCSSProperty_left ||
aPropID == eCSSProperty_top || aPropID == eCSSProperty_right ||
aPropID == eCSSProperty_bottom ||
aPropID == eCSSProperty_background_position_x ||
aPropID == eCSSProperty_background_position_y ||
aPropID == eCSSProperty_background_position) {
[Fixed Code]
aPropID == eCSSProperty_scale || aPropID == eCSSProperty_offset_path ||
aPropID == eCSSProperty_offset_distance ||
aPropID == eCSSProperty_offset_rotate ||
aPropID == eCSSProperty_offset_anchor) {
Additional Details:
The diff shows a significant reduction in the number of CSS properties being checked in a conditional statement. While this doesn't appear to be a direct security fix, it could potentially relate to:
1. Reducing attack surface by limiting which properties trigger frame notifications
2. Fixing potential logic issues where too many properties were being included in this check
3. Performance optimization that might indirectly affect security by reducing edge cases
However, without more context about the purpose of this check and the ActiveLayerTracker::NotifyInlineStyleRuleModified function, I can't definitively identify a specific vulnerability being fixed. The change appears to focus on motion path and transform-related properties while removing positional properties from the check.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/midi/MIDIInput.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/midi/MIDIInput.cpp@@ -39,7 +39,11 @@ } void MIDIInput::Receive(const nsTArray<MIDIMessage>& aMsgs) {- nsCOMPtr<Document> doc = GetOwner() ? GetOwner()->GetDoc() : nullptr;+ if (!GetOwner()) {+ return; // Ignore messages once we've been disconnected from the owner+ }++ nsCOMPtr<Document> doc = GetOwner()->GetDoc(); if (!doc) { NS_WARNING("No document available to send MIDIMessageEvent to!"); return;
Here's the analysis following the specified format:
Vulnerability Existed: yes
Null Pointer Dereference [File] dom/midi/MIDIInput.cpp [Lines 39-43]
[Old Code]
void MIDIInput::Receive(const nsTArray<MIDIMessage>& aMsgs) {
nsCOMPtr<Document> doc = GetOwner() ? GetOwner()->GetDoc() : nullptr;
[Fixed Code]
void MIDIInput::Receive(const nsTArray<MIDIMessage>& aMsgs) {
if (!GetOwner()) {
return; // Ignore messages once we've been disconnected from the owner
}
nsCOMPtr<Document> doc = GetOwner()->GetDoc();
Additional Details:
- The vulnerability was a potential null pointer dereference in the old code where GetOwner() could return null, but the code would still attempt to call GetDoc() through the ternary operator.
- The fix adds an explicit early return check for null owner before attempting to access GetDoc(), making the code more robust against null pointer dereferences.
- While this might not be an externally exploitable security vulnerability in all cases, null pointer dereferences can lead to crashes and potential security issues in some environments.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/localstorage/ActorsChild.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/localstorage/ActorsChild.h@@ -87,8 +87,8 @@ PBackgroundLSSnapshotChild* AllocPBackgroundLSSnapshotChild( const nsString& aDocumentURI, const nsString& aKey,- const bool& aIncreasePeakUsage, const int64_t& aRequestedSize,- const int64_t& aMinSize, LSSnapshotInitInfo* aInitInfo) override;+ const bool& aIncreasePeakUsage, const int64_t& aMinSize,+ LSSnapshotInitInfo* aInitInfo) override; bool DeallocPBackgroundLSSnapshotChild( PBackgroundLSSnapshotChild* aActor) override;
Let me analyze the code diff for potential security vulnerabilities.
Vulnerability Existed: not sure
Potential Integer Overflow/Underflow Vulnerability [dom/localstorage/ActorsChild.h] [Lines 87-90]
[Old Code]
PBackgroundLSSnapshotChild* AllocPBackgroundLSSnapshotChild(
const nsString& aDocumentURI, const nsString& aKey,
const bool& aIncreasePeakUsage, const int64_t& aRequestedSize,
const int64_t& aMinSize, LSSnapshotInitInfo* aInitInfo) override;
[Fixed Code]
PBackgroundLSSnapshotChild* AllocPBackgroundLSSnapshotChild(
const nsString& aDocumentURI, const nsString& aKey,
const bool& aIncreasePeakUsage, const int64_t& aMinSize,
LSSnapshotInitInfo* aInitInfo) override;
Additional Details:
The main change is the removal of the `aRequestedSize` parameter. While this could potentially relate to security (such as preventing integer overflow/underflow issues when calculating storage sizes), there isn't enough context to confirm if this was an actual vulnerability or just a refactoring. The removal of a size parameter suggests possible concerns about size validation, but without more context about how these values were used, we can't be certain.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp@@ -1690,9 +1690,9 @@ // nsChannelClassifier is the only consumer of this interface. NS_IMETHODIMP nsUrlClassifierDBService::Classify(nsIPrincipal* aPrincipal,- nsISerialEventTarget* aEventTarget, nsIURIClassifierCallback* c, bool* aResult) { NS_ENSURE_ARG(aPrincipal);+ MOZ_ASSERT(c); NS_ENSURE_ARG(aResult); if (aPrincipal->IsSystemPrincipal()) {@@ -1709,10 +1709,6 @@ auto actor = static_cast<URLClassifierChild*>( content->AllocPURLClassifierChild(IPC::Principal(aPrincipal), aResult)); MOZ_ASSERT(actor);-- if (aEventTarget) {- content->SetEventTargetForActor(actor, aEventTarget);- } if (!content->SendPURLClassifierConstructor( actor, IPC::Principal(aPrincipal), aResult)) {
Here's the analysis of the provided code diff:
1. Vulnerability Existed: yes
Null Pointer Dereference [File] toolkit/components/url-classifier/nsUrlClassifierDBService.cpp [Lines] 1690-1694
[Old Code]
nsUrlClassifierDBService::Classify(nsIPrincipal* aPrincipal,
nsISerialEventTarget* aEventTarget,
nsIURIClassifierCallback* c, bool* aResult) {
NS_ENSURE_ARG(aPrincipal);
NS_ENSURE_ARG(aResult);
[Fixed Code]
nsUrlClassifierDBService::Classify(nsIPrincipal* aPrincipal,
nsIURIClassifierCallback* c, bool* aResult) {
NS_ENSURE_ARG(aPrincipal);
MOZ_ASSERT(c);
NS_ENSURE_ARG(aResult);
Additional Details:
- The vulnerability was a potential null pointer dereference as the callback parameter 'c' wasn't being checked
- The fix adds MOZ_ASSERT(c) to ensure the callback is not null
- The removal of the aEventTarget parameter and related code suggests this was an unused or unnecessary feature
2. Vulnerability Existed: yes
Unnecessary Privilege Escalation Risk [File] toolkit/components/url-classifier/nsUrlClassifierDBService.cpp [Lines] 1709-1711
[Old Code]
if (aEventTarget) {
content->SetEventTargetForActor(actor, aEventTarget);
}
[Fixed Code]
[Removed entirely]
Additional Details:
- The removed code could potentially be used to manipulate the event target for the classifier actor
- While not a direct vulnerability, removing unnecessary privilege/control mechanisms reduces attack surface
- The removal suggests this functionality wasn't needed and could have been a potential security risk if misused
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.self.2.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.self.2.html@@ -18,20 +18,20 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 1, 100, 49); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 1);-ctx.drawImage(offscreenCanvas, 0, 1);+ctx.drawImage(canvas, 0, 1); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 2);-_assertPixelApprox(offscreenCanvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255", 2);-_assertPixelApprox(offscreenCanvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255", 2);-_assertPixelApprox(offscreenCanvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255", 2);-_assertPixelApprox(offscreenCanvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255", 2);+_assertPixelApprox(canvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255", 2);+_assertPixelApprox(canvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255", 2);+_assertPixelApprox(canvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255", 2);+_assertPixelApprox(canvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255", 2); t.done(); });
After analyzing the provided code diff, I can't identify any security vulnerabilities. The changes appear to be purely variable name refactoring (from `offscreenCanvas` to `canvas`) without any security implications. Here's the structured response: Vulnerability Existed: no [No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.self.2.html] [18-20, 25-28] [Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); ... _assertPixelApprox(offscreenCanvas, ...)] [Fixed Code: var canvas = new OffscreenCanvas(100, 50); ... _assertPixelApprox(canvas, ...)] The changes are purely cosmetic/refactoring in nature and don't affect the security of the code. The functionality remains identical, just with a renamed variable.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/filter-effects/fecolormatrix-type.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/filter-effects/fecolormatrix-type.html@@ -7,7 +7,6 @@ <link rel="help" href="http://www.w3.org/TR/filter-effects-1/#feColorMatrixElement"> <link rel="help" href="http://www.w3.org/TR/filter-effects-1/#element-attrdef-fecolormatrix-type"> <link rel="match" href="fecolormatrix-type-ref.html">- <meta name="flags" content=""> <meta name="assert" content="If the test runs, you should see a auqamarine colored rectangle."> <style type="text/css">
Analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/filter-effects/fecolormatrix-type.html [Lines] 7 [Old Code] `<meta name="flags" content="">` [Fixed Code] (Line removed) Additional Details: The change simply removes an empty meta tag for "flags" which doesn't appear to have any security implications. This seems to be a cleanup change rather than a security fix. No known vulnerability is associated with this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/accessible/generic/ImageAccessible.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/accessible/generic/ImageAccessible.h@@ -37,16 +37,9 @@ virtual bool DoAction(uint8_t aIndex) const override; // ImageAccessible- nsIntPoint Position(uint32_t aCoordType);- nsIntSize Size();+ LayoutDeviceIntPoint Position(uint32_t aCoordType);+ LayoutDeviceIntSize Size();- protected:- virtual ~ImageAccessible();-- // LocalAccessible- virtual ENameValueFlag NativeName(nsString& aName) const override;-- private: /** * Return whether the element has a longdesc URI. */@@ -55,6 +48,18 @@ return uri; }+ protected:+ virtual ~ImageAccessible();++ // LocalAccessible+ virtual ENameValueFlag NativeName(nsString& aName) const override;++ virtual void DOMAttributeChanged(int32_t aNameSpaceID, nsAtom* aAttribute,+ int32_t aModType,+ const nsAttrValue* aOldValue,+ uint64_t aOldState) override;++ private: /** * Return an URI for showlongdesc action if any. */
Here's the analysis of the provided code diff: 1. Vulnerability Existed: not sure [Type Change in Image Position/Size Handling] [accessible/generic/ImageAccessible.h] [Lines 37-38] [Old Code] `nsIntPoint Position(uint32_t aCoordType);` `nsIntSize Size();` [Fixed Code] `LayoutDeviceIntPoint Position(uint32_t aCoordType);` `LayoutDeviceIntSize Size();` Additional Details: The change from nsIntPoint/LayoutDeviceIntPoint and nsIntSize/LayoutDeviceIntSize suggests a potential improvement in coordinate handling, but it's unclear if this was fixing a specific security vulnerability or just a general improvement. 2. Vulnerability Existed: not sure [Added DOM Attribute Change Handler] [accessible/generic/ImageAccessible.h] [Lines 54-57] [Old Code] (No equivalent code existed before) [Fixed Code] `virtual void DOMAttributeChanged(int32_t aNameSpaceID, nsAtom* aAttribute,` ` int32_t aModType,` ` const nsAttrValue* aOldValue,` ` uint64_t aOldState) override;` Additional Details: The addition of a DOM attribute change handler could be related to security (e.g., preventing XSS or attribute manipulation attacks), but without more context, it's impossible to determine if this was fixing a specific vulnerability. 3. Vulnerability Existed: not sure [Code Reorganization] [accessible/generic/ImageAccessible.h] [Lines 37-57] [Old Code] (Various protected/private members before HasLongDesc method) [Fixed Code] (HasLongDesc method moved before protected section) Additional Details: While this reorganization might improve code maintainability, there's no clear indication it fixes a security vulnerability. Note: The changes appear to be primarily about code organization and type improvements rather than explicit security fixes. The most significant change is the addition of the DOMAttributeChanged handler, which could have security implications, but without more context about the threat model or previous vulnerabilities, we can't be certain.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/mozapps/installer/informulate.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/mozapps/installer/informulate.py@@ -46,15 +46,20 @@ "MOZ_APP_VERSION", "MOZ_APP_MAXVERSION", "MOZ_APP_ID",+ "MOZ_SOURCE_REPO",+ ]+ other_substitutions = [ "CC", "CXX", "AS",- "MOZ_SOURCE_REPO", ] all_key_value_pairs = { x.lower(): buildconfig.substs[x] for x in important_substitutions }+ all_key_value_pairs.update(+ {x.lower(): buildconfig.substs.get(x, "") for x in other_substitutions}+ ) build_id = os.environ["MOZ_BUILD_DATE"] all_key_value_pairs.update( {@@ -75,9 +80,9 @@ "build": { "id": build_id, "date": build_time.isoformat() + "Z",- "as": s["AS"],- "cc": s["CC"],- "cxx": s["CXX"],+ "as": all_key_value_pairs["as"],+ "cc": all_key_value_pairs["cc"],+ "cxx": all_key_value_pairs["cxx"], "host": s["host_alias"], "target": s["target_alias"], },
I'll analyze the provided code diff for security fixes following the specified format.
1. Vulnerability Existed: not sure
Potential Information Exposure through Build Variables [File] [Lines 46-80]
[Old Code]
"MOZ_APP_VERSION",
"MOZ_APP_MAXVERSION",
"MOZ_APP_ID",
"CC",
"CXX",
"AS",
"MOZ_SOURCE_REPO",
]
all_key_value_pairs = {
x.lower(): buildconfig.substs[x] for x in important_substitutions
}
[Fixed Code]
"MOZ_APP_VERSION",
"MOZ_APP_MAXVERSION",
"MOZ_APP_ID",
"MOZ_SOURCE_REPO",
]
other_substitutions = [
"CC",
"CXX",
"AS",
]
all_key_value_pairs = {
x.lower(): buildconfig.substs[x] for x in important_substitutions
}
all_key_value_pairs.update(
{x.lower(): buildconfig.substs.get(x, "") for x in other_substitutions}
)
2. Vulnerability Existed: not sure
Potential Null Pointer Dereference [File] [Lines 75-80]
[Old Code]
"as": s["AS"],
"cc": s["CC"],
"cxx": s["CXX"],
[Fixed Code]
"as": all_key_value_pairs["as"],
"cc": all_key_value_pairs["cc"],
"cxx": all_key_value_pairs["cxx"],
The changes appear to:
1. Separate build configuration variables into two categories (important vs other) and handle the other ones more safely with .get() and default empty string
2. Change the reference of build tool variables (AS, CC, CXX) to use the safely collected values from all_key_value_pairs rather than directly from the substs
While these changes improve robustness and could prevent potential null reference issues, I'm not certain they address specific known vulnerabilities. The modifications seem more like defensive programming improvements than direct security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.clip.winding.1.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.clip.winding.1.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -31,7 +31,7 @@ ctx.clip(); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
No security vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.clip.winding.1.worker.js [Lines] 13-31
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes appear to be purely cosmetic, renaming the variable from `offscreenCanvas` to `canvas` for consistency or readability. There are no security-related changes in this diff. The functionality remains exactly the same, only the variable name has been updated.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.radius.toomany.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.radius.toomany.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); assert_throws_js(RangeError, () => { ctx.roundRect(0, 0, 100, 50, [0, 0, 0, 0, 0])}); t.done();
Based on the provided code diff, here's the analysis:
Vulnerability Existed: no
[No specific vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.radius.toomany.html] [Lines 17-18]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
The changes appear to be purely variable naming changes (from 'offscreenCanvas' to 'canvas') rather than security fixes. The test's purpose remains the same - to verify that passing too many radius values to roundRect throws a RangeError. No security vulnerabilities are apparent in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/base/BodyStream.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/base/BodyStream.cpp@@ -8,6 +8,10 @@ #include "mozilla/CycleCollectedJSContext.h" #include "mozilla/dom/AutoEntryScript.h" #include "mozilla/dom/DOMException.h"+#ifdef MOZ_DOM_STREAMS+# include "mozilla/dom/ReadableStream.h"+# include "mozilla/dom/ReadableByteStreamController.h"+#endif #include "mozilla/dom/ScriptSettings.h" #include "mozilla/dom/WorkerCommon.h" #include "mozilla/dom/WorkerPrivate.h"@@ -50,10 +54,12 @@ mBodyStream = aBodyStream; }+#ifndef MOZ_DOM_STREAMS void BodyStreamHolder::ForgetBodyStream() { MOZ_ASSERT_IF(mStreamCreated, mBodyStream); mBodyStream = nullptr; }+#endif // BodyStream // ---------------------------------------------------------------------------@@ -127,6 +133,13 @@ stream->mWorkerRef = std::move(workerRef); }+#ifdef MOZ_DOM_STREAMS+ RefPtr<ReadableStream> body =+ ReadableStream::Create(aCx, aGlobal, aStreamHolder, aRv);+ if (aRv.Failed()) {+ return;+ }+#else aRv.MightThrowJSException(); JS::Rooted<JSObject*> body(aCx, JS::NewReadableExternalSourceStreamObject( aCx, stream, aStreamHolder));@@ -139,6 +152,7 @@ // guaranteed the jsapi will call FinalizeCallback when ReadableStream // js object is finalized. NS_ADDREF(stream.get());+#endif cleanup.release();@@ -150,16 +164,92 @@ #endif }+#ifdef MOZ_DOM_STREAMS+// UnderlyingSource.pull, implemented for BodyStream.+already_AddRefed<Promise> BodyStream::PullCallback(+ JSContext* aCx, ReadableStreamController& aController, ErrorResult& aRv) {+ MOZ_ASSERT(aController.IsByte());+ ReadableStream* stream = aController.AsByte()->Stream();+ MOZ_ASSERT(stream);++# if MOZ_DIAGNOSTIC_ASSERT_ENABLED+ MOZ_DIAGNOSTIC_ASSERT(stream->Disturbed());+# endif++ AssertIsOnOwningThread();++ MutexAutoLock lock(mMutex);++ MOZ_DIAGNOSTIC_ASSERT(mState == eInitializing || mState == eWaiting ||+ mState == eChecking || mState == eReading);++ RefPtr<Promise> resolvedWithUndefinedPromise =+ Promise::CreateResolvedWithUndefined(aController.GetParentObject(), aRv);+ if (aRv.Failed()) {+ return nullptr;+ }++ if (mState == eReading) {+ // We are already reading data.+ return resolvedWithUndefinedPromise.forget();+ }++ if (mState == eChecking) {+ // If we are looking for more data, there is nothing else we should do:+ // let's move this checking operation in a reading.+ MOZ_ASSERT(mInputStream);+ mState = eReading;++ return resolvedWithUndefinedPromise.forget();+ }++ if (mState == eInitializing) {+ // The stream has been used for the first time.+ mStreamHolder->MarkAsRead();+ }++ mState = eReading;++ if (!mInputStream) {+ // This is the first use of the stream. Let's convert the+ // mOriginalInputStream into an nsIAsyncInputStream.+ MOZ_ASSERT(mOriginalInputStream);++ nsCOMPtr<nsIAsyncInputStream> asyncStream;+ nsresult rv = NS_MakeAsyncNonBlockingInputStream(+ mOriginalInputStream.forget(), getter_AddRefs(asyncStream));+ if (NS_WARN_IF(NS_FAILED(rv))) {+ ErrorPropagation(aCx, lock, stream, rv);+ return nullptr;+ }++ mInputStream = asyncStream;+ mOriginalInputStream = nullptr;+ }++ MOZ_DIAGNOSTIC_ASSERT(mInputStream);+ MOZ_DIAGNOSTIC_ASSERT(!mOriginalInputStream);++ nsresult rv = mInputStream->AsyncWait(this, 0, 0, mOwningEventTarget);+ if (NS_WARN_IF(NS_FAILED(rv))) {+ ErrorPropagation(aCx, lock, stream, rv);+ return nullptr;+ }++ // All good.+ return resolvedWithUndefinedPromise.forget();+}+#else void BodyStream::requestData(JSContext* aCx, JS::HandleObject aStream, size_t aDesiredSize) {-#if MOZ_DIAGNOSTIC_ASSERT_ENABLED+# if MOZ_DIAGNOSTIC_ASSERT_ENABLED bool disturbed; if (!JS::ReadableStreamIsDisturbed(aCx, aStream, &disturbed)) { JS_ClearPendingException(aCx); } else { MOZ_DIAGNOSTIC_ASSERT(disturbed); }-#endif+# endif AssertIsOnOwningThread();@@ -216,11 +306,19 @@ // All good. }-+#endif++#ifdef MOZ_DOM_STREAMS+void BodyStream::WriteIntoReadRequestBuffer(JSContext* aCx,+ ReadableStream* aStream,+ void* aBuffer, size_t aLength,+ size_t* aByteWritten) {+#else void BodyStream::writeIntoReadRequestBuffer(JSContext* aCx, JS::HandleObject aStream, void* aBuffer, size_t aLength, size_t* aByteWritten) {+#endif MOZ_DIAGNOSTIC_ASSERT(aBuffer); MOZ_DIAGNOSTIC_ASSERT(aByteWritten);@@ -256,8 +354,11 @@ // All good. }-JS::Value BodyStream::cancel(JSContext* aCx, JS::HandleObject aStream,- JS::HandleValue aReason) {+#ifdef MOZ_DOM_STREAMS+// UnderlyingSource.cancel callback, implmented for BodyStream.+already_AddRefed<Promise> BodyStream::CancelCallback(+ JSContext* aCx, const Optional<JS::Handle<JS::Value>>& aReason,+ ErrorResult& aRv) { AssertIsOnOwningThread(); if (mState == eInitializing) {@@ -276,14 +377,19 @@ mOriginalInputStream->Close(); }+ RefPtr<Promise> promise = Promise::CreateResolvedWithUndefined(mGlobal, aRv);+ if (aRv.Failed()) {+ return nullptr;+ }++ // Must come after all uses of members! ReleaseObjects();- return JS::UndefinedValue();-}--void BodyStream::onClosed(JSContext* aCx, JS::HandleObject aStream) {}--void BodyStream::onErrored(JSContext* aCx, JS::HandleObject aStream,- JS::HandleValue aReason) {++ return promise.forget();+}+#else+JS::Value BodyStream::cancel(JSContext* aCx, JS::HandleObject aStream,+ JS::HandleValue aReason) { AssertIsOnOwningThread(); if (mState == eInitializing) {@@ -295,9 +401,56 @@ mInputStream->CloseWithStatus(NS_BASE_STREAM_CLOSED); }+ // It could be that we don't have mInputStream yet, but we still have the+ // original stream. We need to close that too.+ if (mOriginalInputStream) {+ MOZ_ASSERT(!mInputStream);+ mOriginalInputStream->Close();+ }+ ReleaseObjects();-}-+ return JS::UndefinedValue();+}++void BodyStream::onClosed(JSContext* aCx, JS::HandleObject aStream) {}+#endif++#ifdef MOZ_DOM_STREAMS+// Non-standard UnderlyingSource.error callback.+void BodyStream::ErrorCallback() {+ AssertIsOnOwningThread();++ if (mState == eInitializing) {+ // The stream has been used for the first time.+ mStreamHolder->MarkAsRead();+ }++ if (mInputStream) {+ mInputStream->CloseWithStatus(NS_BASE_STREAM_CLOSED);+ }++ ReleaseObjects();+}+#else+void BodyStream::onErrored(JSContext* aCx, JS::HandleObject aStream,+ JS::HandleValue aReason) {+ AssertIsOnOwningThread();++ if (mState == eInitializing) {+ // The stream has been used for the first time.+ mStreamHolder->MarkAsRead();+ }++ if (mInputStream) {+ mInputStream->CloseWithStatus(NS_BASE_STREAM_CLOSED);+ }++ ReleaseObjects();+}++#endif++#ifndef MOZ_DOM_STREAMS void BodyStream::finalize() { // This can be called in any thread.@@ -306,6 +459,7 @@ stream->ReleaseObjects(); }+#endif BodyStream::BodyStream(nsIGlobalObject* aGlobal, BodyStreamHolder* aStreamHolder,@@ -320,11 +474,15 @@ MOZ_DIAGNOSTIC_ASSERT(aStreamHolder); }-BodyStream::~BodyStream() = default;-+#ifdef MOZ_DOM_STREAMS+void BodyStream::ErrorPropagation(JSContext* aCx,+ const MutexAutoLock& aProofOfLock,+ ReadableStream* aStream, nsresult aError) {+#else void BodyStream::ErrorPropagation(JSContext* aCx, const MutexAutoLock& aProofOfLock, JS::HandleObject aStream, nsresult aError) {+#endif AssertIsOnOwningThread(); // Nothing to do.@@ -350,11 +508,60 @@ { MutexAutoUnlock unlock(mMutex);+#ifdef MOZ_DOM_STREAMS+ // Don't re-error an already errored stream.+ if (aStream->State() == ReadableStream::ReaderState::Readable) {+ IgnoredErrorResult rv;+ ReadableStreamError(aCx, aStream, errorValue, rv);+ NS_WARNING_ASSERTION(!rv.Failed(), "Failed to error BodyStream");+ }+#else JS::ReadableStreamError(aCx, aStream, errorValue);+#endif } ReleaseObjects(aProofOfLock); }++#ifdef MOZ_DOM_STREAMS+void BodyStream::EnqueueChunkWithSizeIntoStream(JSContext* aCx,+ ReadableStream* aStream,+ uint64_t aAvailableData,+ ErrorResult& aRv) {+ // Create Chunk+ aRv.MightThrowJSException();+ JS::RootedObject chunk(aCx, JS_NewUint8Array(aCx, aAvailableData));+ if (!chunk) {+ aRv.StealExceptionFromJSContext(aCx);+ return;+ }++ size_t bytesWritten = 0;+ size_t unusedData = 0;+ {+ // JS::AutoSuppressGCAnalysis suppressGC(aCx);+ JS::AutoCheckCannotGC noGC;+ bool dummy;+ void* buffer = JS_GetArrayBufferViewData(chunk, &dummy, noGC);+ WriteIntoReadRequestBuffer(aCx, aStream, buffer, aAvailableData,+ &bytesWritten);++ unusedData = aAvailableData - bytesWritten;+ }++ MOZ_ASSERT(aStream->Controller()->IsByte());+ RefPtr<ReadableByteStreamController> byteStreamController =+ aStream->Controller()->AsByte();++ ReadableByteStreamControllerEnqueue(aCx, byteStreamController, chunk, aRv);+ if (aRv.Failed()) {+ return;+ }++ // Explicit cast to avoid narrowing warning.+ byteStreamController->SetQueueTotalSize((double)unusedData);+}+#endif NS_IMETHODIMP BodyStream::OnInputStreamReady(nsIAsyncInputStream* aStream) {@@ -381,13 +588,20 @@ MOZ_DIAGNOSTIC_ASSERT(mInputStream); MOZ_DIAGNOSTIC_ASSERT(mState == eReading || mState == eChecking);+ JSContext* cx = aes.cx();+#ifdef MOZ_DOM_STREAMS+ ReadableStream* stream = mStreamHolder->GetReadableStreamBody();+ if (!stream) {+ return NS_ERROR_FAILURE;+ }+#else JSObject* streamObj = mStreamHolder->GetReadableStreamBody(); if (!streamObj) { return NS_ERROR_FAILURE; }- JSContext* cx = aes.cx(); JS::Rooted<JSObject*> stream(cx, streamObj);+#endif uint64_t size = 0; nsresult rv = mInputStream->Available(&size);@@ -415,15 +629,50 @@ // as before the microtask checkpoint queued up above occurs. lock.reset();+#ifdef MOZ_DOM_STREAMS+ ErrorResult errorResult;+ EnqueueChunkWithSizeIntoStream(cx, stream, size, errorResult);+ errorResult.WouldReportJSException();+ if (errorResult.Failed()) {+ lock.emplace(mMutex);+ ErrorPropagation(cx, *lock, stream, errorResult.StealNSResult());+ return NS_OK;+ }+#else Unused << JS::ReadableStreamUpdateDataAvailableFromSource(cx, stream, size);-- // The previous call can execute JS (even up to running a nested event loop),- // so |mState| can't be asserted to have any particular value, even if the- // previous call succeeds.+#endif++ // The previous call can execute JS (even up to running a nested event+ // loop), so |mState| can't be asserted to have any particular value, even+ // if the previous call succeeds. return NS_OK; }+#ifdef MOZ_DOM_STREAMS+/* static */+nsresult BodyStream::RetrieveInputStream(BodyStreamHolder* aStream,+ nsIInputStream** aInputStream) {+ MOZ_ASSERT(aStream);+ MOZ_ASSERT(aInputStream);+ BodyStream* stream = aStream->GetBodyStream();+ if (NS_WARN_IF(!stream)) {+ return NS_ERROR_DOM_INVALID_STATE_ERR;+ }++ stream->AssertIsOnOwningThread();++ // if mOriginalInputStream is null, the reading already started. We don't want+ // to expose the internal inputStream.+ if (NS_WARN_IF(!stream->mOriginalInputStream)) {+ return NS_ERROR_DOM_INVALID_STATE_ERR;+ }++ nsCOMPtr<nsIInputStream> inputStream = stream->mOriginalInputStream;+ inputStream.forget(aInputStream);+ return NS_OK;+}+#else /* static */ nsresult BodyStream::RetrieveInputStream( JS::ReadableStreamUnderlyingSource* aUnderlyingReadableStreamSource,@@ -445,6 +694,7 @@ inputStream.forget(aInputStream); return NS_OK; }+#endif void BodyStream::Close() { AssertIsOnOwningThread();@@ -460,7 +710,15 @@ ReleaseObjects(lock); return; }-+#ifdef MOZ_DOM_STREAMS+ ReadableStream* stream = mStreamHolder->GetReadableStreamBody();+ if (stream) {+ JSContext* cx = jsapi.cx();+ CloseAndReleaseObjects(cx, lock, stream);+ } else {+ ReleaseObjects(lock);+ }+#else JSObject* streamObj = mStreamHolder->GetReadableStreamBody(); if (streamObj) { JSContext* cx = jsapi.cx();@@ -469,8 +727,27 @@ } else { ReleaseObjects(lock); }-}-+#endif+}++#ifdef MOZ_DOM_STREAMS+void BodyStream::CloseAndReleaseObjects(JSContext* aCx,+ const MutexAutoLock& aProofOfLock,+ ReadableStream* aStream) {+ AssertIsOnOwningThread();+ MOZ_DIAGNOSTIC_ASSERT(mState != eClosed);++ ReleaseObjects(aProofOfLock);++ MutexAutoUnlock unlock(mMutex);++ if (aStream->State() == ReadableStream::ReaderState::Readable) {+ IgnoredErrorResult rv;+ ReadableStreamClose(aCx, aStream, rv);+ NS_WARNING_ASSERTION(!rv.Failed(), "Failed to Close Stream");+ }+}+#else void BodyStream::CloseAndReleaseObjects(JSContext* aCx, const MutexAutoLock& aProofOfLock, JS::HandleObject aStream) {@@ -488,6 +765,7 @@ JS::ReadableStreamClose(aCx, aStream); } }+#endif void BodyStream::ReleaseObjects() { MutexAutoLock lock(mMutex);@@ -533,16 +811,39 @@ } }+#ifdef MOZ_DOM_STREAMS+ ReadableStream* stream = mStreamHolder->GetReadableStreamBody();+ if (stream) {+ stream->ReleaseObjects();+ }+#else JSObject* streamObj = mStreamHolder->GetReadableStreamBody(); if (streamObj) { // Let's inform the JSEngine that we are going to be released. JS::ReadableStreamReleaseCCObject(streamObj); }+#endif mWorkerRef = nullptr; mGlobal = nullptr;+#ifdef MOZ_DOM_STREAMS+ // Since calling ForgetBodyStream can cause our current ref count to drop to+ // zero, which would be bad, because this means we'd be destroying the mutex+ // which aProofOfLock is holding; instead, we do this later by creating an+ // event.+ GetCurrentSerialEventTarget()->Dispatch(NS_NewCancelableRunnableFunction(+ "BodyStream::ReleaseObjects",+ [streamHolder = RefPtr{mStreamHolder->TakeBodyStream()}] {+ // Intentionally left blank: The destruction of this lambda will free+ // free the stream holder, thus releasing the bodystream.+ //+ // This is cancelable because if a worker cancels this, we're still fine+ // as the lambda will be successfully destroyed.+ }));+#else mStreamHolder->ForgetBodyStream();+#endif mStreamHolder->NullifyStream(); mStreamHolder = nullptr; }
Here is the security analysis of the provided code diff:
1. Vulnerability Existed: not sure
Potential Memory Leak [File] dom/base/BodyStream.cpp [Lines 811-842]
[Old Code]
mStreamHolder->ForgetBodyStream();
[Fixed Code]
GetCurrentSerialEventTarget()->Dispatch(NS_NewCancelableRunnableFunction(
"BodyStream::ReleaseObjects",
[streamHolder = RefPtr{mStreamHolder->TakeBodyStream()}] {}));
Details: The change appears to address a potential race condition where calling ForgetBodyStream directly could lead to premature destruction while a mutex is still locked. The new code schedules the cleanup asynchronously.
2. Vulnerability Existed: not sure
Stream Handling Improvement [File] dom/base/BodyStream.cpp [Lines 127-152]
[Old Code]
JS::Rooted<JSObject*> body(aCx, JS::NewReadableExternalSourceStreamObject(
aCx, stream, aStreamHolder));
[Fixed Code]
RefPtr<ReadableStream> body =
ReadableStream::Create(aCx, aGlobal, aStreamHolder, aRv);
Details: The change replaces direct JS API calls with a more abstracted ReadableStream interface, which may provide better security guarantees.
3. Vulnerability Existed: not sure
Error Handling Improvement [File] dom/base/BodyStream.cpp [Lines 306-313]
[Old Code]
void BodyStream::onErrored(JSContext* aCx, JS::HandleObject aStream,
JS::HandleValue aReason)
[Fixed Code]
void BodyStream::ErrorCallback()
Details: The change simplifies error handling by removing direct JS value handling, potentially reducing attack surface.
4. Vulnerability Existed: not sure
Resource Cleanup Improvement [File] dom/base/BodyStream.cpp [Lines 354-359]
[Old Code]
JS::Value BodyStream::cancel(JSContext* aCx, JS::HandleObject aStream,
JS::HandleValue aReason)
[Fixed Code]
already_AddRefed<Promise> BodyStream::CancelCallback(
JSContext* aCx, const Optional<JS::Handle<JS::Value>>& aReason,
ErrorResult& aRv)
Details: The change makes the cancel operation more robust by using promises and proper error handling.
Note: While these changes appear to improve security by making the code more robust and less prone to race conditions, the exact vulnerabilities being fixed (if any) are not explicitly stated in the diff. The changes seem to be part of a larger refactoring to use MOZ_DOM_STREAMS infrastructure.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.