Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/transformations/2d.transformation.rotate.zero.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/transformations/2d.transformation.rotate.zero.html@@ -17,15 +17,15 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50); ctx.rotate(0); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided code diff, here's the analysis following the required format:
Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/transformations/2d.transformation.rotate.zero.html] [Lines 17-27]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes appear to be purely cosmetic, renaming a variable from `offscreenCanvas` to `canvas` for consistency or readability. There are no security-related changes in this diff, no changes to the actual functionality, and no known vulnerabilities being addressed. The test's behavior remains exactly the same, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.letterSpacing.change.font.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.letterSpacing.change.font.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); _assertSame(ctx.letterSpacing, '0px', "ctx.letterSpacing", "'0px'"); _assertSame(ctx.wordSpacing, '0px', "ctx.wordSpacing", "'0px'");
Analysis of the provided code diff:
1. Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.letterSpacing.change.font.html] [Lines 17-18]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
The changes appear to be purely variable renaming from `offscreenCanvas` to `canvas` with no security implications. This is likely a code style/readability improvement rather than a security fix. No known vulnerability patterns are present in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/mozapps/extensions/test/xpcshell/test_signed_install.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/mozapps/extensions/test/xpcshell/test_signed_install.js@@ -113,7 +113,11 @@ AddonTestUtils.registerJSON(testserver, "/update.json", RESPONSE); }-async function test_install_broken(file, expectedError) {+async function test_install_broken(+ file,+ expectedError,+ expectNullAddon = true+) { let install = await AddonManager.getInstallForFile(file); await Assert.rejects( install.install(),@@ -123,7 +127,10 @@ Assert.equal(install.state, AddonManager.STATE_DOWNLOAD_FAILED); Assert.equal(install.error, expectedError);- Assert.equal(install.addon, null);++ if (expectNullAddon) {+ Assert.equal(install.addon, null);+ } } async function test_install_working(file, expectedSignedState) {@@ -224,6 +231,55 @@ await test_install_working(file, AddonManager.SIGNEDSTATE_SIGNED); });+add_task(+ {+ pref_set: [["xpinstall.signatures.dev-root", true]],+ // `xpinstall.signatures.dev-root` is not taken into account on release+ // builds because `MOZ_REQUIRE_SIGNING` is set to `true`.+ skip_if: () => AppConstants.MOZ_REQUIRE_SIGNING,+ },+ async function test_install_valid_file_with_different_root_cert() {+ const TEST_CASES = [+ {+ title: "XPI without ID in manifest",+ xpi: "data/webext-implicit-id.xpi",+ expectedMessage: /Cannot find id for addon .+ Preference xpinstall.signatures.dev-root is set/,+ },+ {+ title: "XPI with ID in manifest",+ xpi: DATA + ADDONS.signed1,+ expectedMessage: /Add-on [email protected] is not correctly signed/,+ },+ ];++ for (const { title, xpi, expectedMessage } of TEST_CASES) {+ info(`test_install_valid_file_with_different_root_cert: ${title}`);++ const file = do_get_file(xpi);++ const awaitConsole = new Promise(resolve => {+ Services.console.registerListener(function listener(message) {+ if (expectedMessage.test(message.message)) {+ Services.console.unregisterListener(listener);+ resolve();+ }+ });+ });++ await test_install_broken(+ file,+ AddonManager.ERROR_CORRUPT_FILE,+ // We don't expect the `addon` property on the `install` object to be+ // `null` because that seems to happen later (when the signature is+ // checked).+ false+ );++ await awaitConsole;+ }+ }+);+ // Try to install an add-on signed with SHA-256 add_task(async function test_install_valid_sha256() { // Bug 1509093
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Potential Error Handling Improvement] [toolkit/mozapps/extensions/test/xpcshell/test_signed_install.js] [Lines 113-127]
[Old Code]
async function test_install_broken(file, expectedError) {
let install = await AddonManager.getInstallForFile(file);
await Assert.rejects(
install.install(),
expectedError,
"Install should have failed"
);
Assert.equal(install.state, AddonManager.STATE_DOWNLOAD_FAILED);
Assert.equal(install.error, expectedError);
Assert.equal(install.addon, null);
}
[Fixed Code]
async function test_install_broken(
file,
expectedError,
expectNullAddon = true
) {
let install = await AddonManager.getInstallForFile(file);
await Assert.rejects(
install.install(),
expectedError,
"Install should have failed"
);
Assert.equal(install.state, AddonManager.STATE_DOWNLOAD_FAILED);
Assert.equal(install.error, expectedError);
if (expectNullAddon) {
Assert.equal(install.addon, null);
}
}
Additional Details: The change makes the null addon check conditional, which could be related to fixing a potential timing issue in error handling, but it's not clear if this was fixing a specific security vulnerability.
2. Vulnerability Existed: not sure
[Signature Verification Improvement] [toolkit/mozapps/extensions/test/xpcshell/test_signed_install.js] [Lines 224-231]
[Old Code]
(No equivalent code existed before)
[Fixed Code]
add_task(
{
pref_set: [["xpinstall.signatures.dev-root", true]],
// `xpinstall.signatures.dev-root` is not taken into account on release
// builds because `MOZ_REQUIRE_SIGNING` is set to `true`.
skip_if: () => AppConstants.MOZ_REQUIRE_SIGNING,
},
async function test_install_valid_file_with_different_root_cert() {
[...]
}
);
Additional Details: The new test case appears to verify proper handling of add-ons with different root certificates, which could be related to certificate chain validation security, but without more context it's unclear if this fixes a specific vulnerability.
3. Vulnerability Existed: not sure
[Error Message Handling] [toolkit/mozapps/extensions/test/xpcshell/test_signed_install.js] [Lines 231-255]
[Old Code]
(No equivalent code existed before)
[Fixed Code]
const TEST_CASES = [
{
title: "XPI without ID in manifest",
xpi: "data/webext-implicit-id.xpi",
expectedMessage: /Cannot find id for addon .+ Preference xpinstall.signatures.dev-root is set/,
},
{
title: "XPI with ID in manifest",
xpi: DATA + ADDONS.signed1,
expectedMessage: /Add-on [email protected] is not correctly signed/,
},
];
[...]
const awaitConsole = new Promise(resolve => {
Services.console.registerListener(function listener(message) {
if (expectedMessage.test(message.message)) {
Services.console.unregisterListener(listener);
resolve();
}
});
});
Additional Details: The addition of console message verification suggests improved error handling, but it's unclear if this addresses a specific security vulnerability.
Note: The changes appear to be test improvements rather than direct security fixes, but they might be related to security verification improvements. Without more context about the underlying issues being tested, it's difficult to identify specific vulnerabilities being addressed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/base/CCGCScheduler.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/base/CCGCScheduler.cpp@@ -303,8 +303,7 @@ TimeStamp startTimeStamp = TimeStamp::Now(); TimeDuration budget = ComputeInterSliceGCBudget(aDeadline, startTimeStamp); TimeDuration duration = mGCUnnotifiedTotalTime;- nsJSContext::GarbageCollectNow(aStep.mReason, nsJSContext::IncrementalGC,- is_shrinking, budget.ToMilliseconds());+ nsJSContext::RunIncrementalGCSlice(aStep.mReason, is_shrinking, budget); mGCUnnotifiedTotalTime = TimeDuration(); TimeStamp now = TimeStamp::Now();@@ -315,7 +314,10 @@ if (!aDeadline.IsNull()) { if (aDeadline < now) { // This slice overflowed the idle period.- idleDuration = aDeadline - startTimeStamp;+ if (aDeadline > startTimeStamp) {+ idleDuration = aDeadline - startTimeStamp;+ }+ // Otherwise the whole slice was done outside the idle period. } else { // Note, we don't want to use duration here, since it may contain // data also from JS engine triggered GC slices.
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: not sure
Potential Integer Overflow/Underflow [File] dom/base/CCGCScheduler.cpp [Lines 315-319]
[Old Code]
if (aDeadline < now) {
// This slice overflowed the idle period.
idleDuration = aDeadline - startTimeStamp;
}
[Fixed Code]
if (aDeadline < now) {
// This slice overflowed the idle period.
if (aDeadline > startTimeStamp) {
idleDuration = aDeadline - startTimeStamp;
}
// Otherwise the whole slice was done outside the idle period.
}
[Details] The fix adds a check to prevent potential negative duration calculation if aDeadline is before startTimeStamp.
2. Vulnerability Existed: not sure
API Change/Improvement [File] dom/base/CCGCScheduler.cpp [Lines 303-306]
[Old Code]
nsJSContext::GarbageCollectNow(aStep.mReason, nsJSContext::IncrementalGC,
is_shrinking, budget.ToMilliseconds());
[Fixed Code]
nsJSContext::RunIncrementalGCSlice(aStep.mReason, is_shrinking, budget);
[Details] The function call was changed from GarbageCollectNow to RunIncrementalGCSlice, which appears to be a more appropriate API for incremental GC. While not clearly a security fix, it might relate to better resource management.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/vm/JSAtom.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/vm/JSAtom.cpp@@ -193,6 +193,12 @@ return mSet->readonlyThreadsafeLookup(l); }+static JSAtom* PermanentlyAtomizeCharsValidLength(JSContext* cx,+ AtomSet& atomSet,+ mozilla::HashNumber hash,+ const Latin1Char* chars,+ size_t length);+ bool JSRuntime::initializeAtoms(JSContext* cx) { JS::AutoAssertNoGC nogc;@@ -250,7 +256,7 @@ reinterpret_cast<ImmutablePropertyNamePtr*>(commonNames.ref()); for (size_t i = 0; i < uint32_t(WellKnownAtomId::Limit); i++) { const auto& info = wellKnownAtomInfos[i];- JSAtom* atom = PermanentlyAtomizeChars(+ JSAtom* atom = PermanentlyAtomizeCharsValidLength( cx, *atomSet, info.hash, reinterpret_cast<const Latin1Char*>(info.content), info.length); if (!atom) {@@ -261,7 +267,7 @@ } for (const auto& info : symbolDescInfo) {- JSAtom* atom = PermanentlyAtomizeChars(+ JSAtom* atom = PermanentlyAtomizeCharsNonStaticValidLength( cx, *atomSet, info.hash, reinterpret_cast<const Latin1Char*>(info.content), info.length); if (!atom) {@@ -296,8 +302,8 @@ commonNames->wellKnownSymbolDescriptions(); ImmutableSymbolPtr* symbols = reinterpret_cast<ImmutableSymbolPtr*>(wks); for (size_t i = 0; i < JS::WellKnownSymbolLimit; i++) {- HandlePropertyName description = descriptions[i];- JS::Symbol* symbol = JS::Symbol::new_(cx, JS::SymbolCode(i), description);+ JS::Symbol* symbol =+ JS::Symbol::newWellKnown(cx, JS::SymbolCode(i), descriptions[i]); if (!symbol) { ReportOutOfMemory(cx); return false;@@ -444,17 +450,8 @@ } template <typename CharT>-static MOZ_ALWAYS_INLINE JSAtom* AtomizeAndCopyCharsFromLookup(- JSContext* cx, const CharT* chars, size_t length,- const AtomHasher::Lookup& lookup, const Maybe<uint32_t>& indexValue);--template <typename CharT>-static MOZ_NEVER_INLINE JSAtom* PermanentlyAtomizeAndCopyChars(- JSContext* cx, AtomSet& Atomset, const CharT* chars, size_t length,- const AtomHasher::Lookup& lookup);--template <typename CharT>-static MOZ_ALWAYS_INLINE JSAtom* AtomizeAndCopyCharsFromLookup(+static MOZ_ALWAYS_INLINE JSAtom*+AtomizeAndCopyCharsNonStaticValidLengthFromLookup( JSContext* cx, const CharT* chars, size_t length, const AtomHasher::Lookup& lookup, const Maybe<uint32_t>& indexValue) { // Try the per-Zone cache first. If we find the atom there we can avoid the@@ -488,12 +485,8 @@ return atom; }- if (MOZ_UNLIKELY(!JSString::validateLength(cx, length))) {- return nullptr;- }-- JSAtom* atom =- cx->atoms().atomizeAndCopyChars(cx, chars, length, indexValue, lookup);+ JSAtom* atom = cx->atoms().atomizeAndCopyCharsNonStaticValidLength(+ cx, chars, length, indexValue, lookup); if (!atom) { return nullptr; }@@ -512,17 +505,17 @@ } template <typename CharT>-static MOZ_ALWAYS_INLINE JSAtom* AllocateNewAtom(+static MOZ_ALWAYS_INLINE JSAtom* AllocateNewAtomNonStaticValidLength( JSContext* cx, const CharT* chars, size_t length, const Maybe<uint32_t>& indexValue, const AtomHasher::Lookup& lookup); template <typename CharT>-static MOZ_ALWAYS_INLINE JSAtom* AllocateNewPermanentAtom(+static MOZ_ALWAYS_INLINE JSAtom* AllocateNewPermanentAtomNonStaticValidLength( JSContext* cx, const CharT* chars, size_t length, const AtomHasher::Lookup& lookup); template <typename CharT>-MOZ_ALWAYS_INLINE JSAtom* AtomsTable::atomizeAndCopyChars(+MOZ_ALWAYS_INLINE JSAtom* AtomsTable::atomizeAndCopyCharsNonStaticValidLength( JSContext* cx, const CharT* chars, size_t length, const Maybe<uint32_t>& indexValue, const AtomHasher::Lookup& lookup) { AtomSet::AddPtr p;@@ -550,7 +543,8 @@ return p->get(); }- JSAtom* atom = AllocateNewAtom(cx, chars, length, indexValue, lookup);+ JSAtom* atom = AllocateNewAtomNonStaticValidLength(cx, chars, length,+ indexValue, lookup); if (!atom) { return nullptr; }@@ -575,12 +569,18 @@ return s; }+ if (MOZ_UNLIKELY(!JSString::validateLength(cx, length))) {+ return nullptr;+ }+ AtomHasher::Lookup lookup(chars, length);- return AtomizeAndCopyCharsFromLookup(cx, chars, length, lookup, indexValue);-}--template <typename CharT>-static MOZ_NEVER_INLINE JSAtom* PermanentlyAtomizeAndCopyChars(+ return AtomizeAndCopyCharsNonStaticValidLengthFromLookup(cx, chars, length,+ lookup, indexValue);+}++template <typename CharT>+static MOZ_NEVER_INLINE JSAtom*+PermanentlyAtomizeAndCopyCharsNonStaticValidLength( JSContext* cx, AtomSet& atomSet, const CharT* chars, size_t length, const AtomHasher::Lookup& lookup) { MOZ_ASSERT(!cx->permanentAtomsPopulated());@@ -591,7 +591,8 @@ return p->get(); }- JSAtom* atom = AllocateNewPermanentAtom(cx, chars, length, lookup);+ JSAtom* atom =+ AllocateNewPermanentAtomNonStaticValidLength(cx, chars, length, lookup); if (!atom) { return nullptr; }@@ -616,21 +617,22 @@ : utf8(chars), encoding(minEncode) {} };-// MakeLinearStringForAtomization has 4 variants.+// MakeLinearStringForAtomizationNonStaticValidLength has 3 variants. // This is used by Latin1Char and char16_t. template <typename CharT>-static MOZ_ALWAYS_INLINE JSLinearString* MakeLinearStringForAtomization(- JSContext* cx, const CharT* chars, size_t length) {- return NewStringCopyN<NoGC>(cx, chars, length, gc::TenuredHeap);-}--template <typename CharT>-static MOZ_ALWAYS_INLINE JSLinearString* MakeUTF8AtomHelper(+static MOZ_ALWAYS_INLINE JSLinearString*+MakeLinearStringForAtomizationNonStaticValidLength(JSContext* cx,+ const CharT* chars,+ size_t length) {+ return NewStringForAtomCopyNMaybeDeflateValidLength(cx, chars, length);+}++template <typename CharT>+static MOZ_ALWAYS_INLINE JSLinearString* MakeUTF8AtomHelperNonStaticValidLength( JSContext* cx, const AtomizeUTF8CharsWrapper* chars, size_t length) { if (JSInlineString::lengthFits<CharT>(length)) { CharT* storage;- JSInlineString* str =- AllocateInlineString<NoGC>(cx, length, &storage, gc::TenuredHeap);+ JSInlineString* str = AllocateInlineStringForAtom(cx, length, &storage); if (!str) { return nullptr; }@@ -653,30 +655,32 @@ InflateUTF8CharsToBufferAndTerminate(chars->utf8, newStr.get(), length, chars->encoding);- return JSLinearString::new_<NoGC>(cx, std::move(newStr), length,- gc::TenuredHeap);-}--// Another 2 variants of MakeLinearStringForAtomization.-static MOZ_ALWAYS_INLINE JSLinearString* MakeLinearStringForAtomization(+ return JSLinearString::newForAtomValidLength(cx, std::move(newStr), length);+}++// Another variant of MakeLinearStringForAtomizationNonStaticValidLength.+static MOZ_ALWAYS_INLINE JSLinearString*+MakeLinearStringForAtomizationNonStaticValidLength( JSContext* cx, const AtomizeUTF8CharsWrapper* chars, size_t length) { if (length == 0) { return cx->emptyString(); } if (chars->encoding == JS::SmallestEncoding::UTF16) {- return MakeUTF8AtomHelper<char16_t>(cx, chars, length);- }- return MakeUTF8AtomHelper<JS::Latin1Char>(cx, chars, length);-}--template <typename CharT>-static MOZ_ALWAYS_INLINE JSAtom* AllocateNewAtom(+ return MakeUTF8AtomHelperNonStaticValidLength<char16_t>(cx, chars, length);+ }+ return MakeUTF8AtomHelperNonStaticValidLength<JS::Latin1Char>(cx, chars,+ length);+}++template <typename CharT>+static MOZ_ALWAYS_INLINE JSAtom* AllocateNewAtomNonStaticValidLength( JSContext* cx, const CharT* chars, size_t length, const Maybe<uint32_t>& indexValue, const AtomHasher::Lookup& lookup) { AutoAllocInAtomsZone ac(cx);- JSLinearString* linear = MakeLinearStringForAtomization(cx, chars, length);+ JSLinearString* linear =+ MakeLinearStringForAtomizationNonStaticValidLength(cx, chars, length); if (!linear) { // Grudgingly forgo last-ditch GC. The alternative would be to manually GC // here, and retry from the top.@@ -702,12 +706,20 @@ } template <typename CharT>-static MOZ_ALWAYS_INLINE JSAtom* AllocateNewPermanentAtom(+static MOZ_ALWAYS_INLINE JSAtom* AllocateNewPermanentAtomNonStaticValidLength( JSContext* cx, const CharT* chars, size_t length, const AtomHasher::Lookup& lookup) { AutoAllocInAtomsZone ac(cx);- JSLinearString* linear = MakeLinearStringForAtomization(cx, chars, length);+#ifdef DEBUG+ if constexpr (std::is_same_v<CharT, char16_t>) {+ // Can call DontDeflate variant.+ MOZ_ASSERT(!CanStoreCharsAsLatin1(chars, length));+ }+#endif++ JSLinearString* linear =+ NewStringForAtomCopyNDontDeflateValidLength(cx, chars, length); if (!linear) { // Do not bother with a last-ditch GC here since we are very early in // startup and there is no potential garbage to collect.@@ -799,8 +811,13 @@ return s; }+ if (MOZ_UNLIKELY(!JSString::validateLength(cx, length))) {+ return nullptr;+ }+ AtomHasher::Lookup lookup(hash, chars, length);- return AtomizeAndCopyCharsFromLookup(cx, chars, length, lookup, Nothing());+ return AtomizeAndCopyCharsNonStaticValidLengthFromLookup(cx, chars, length,+ lookup, Nothing()); } template <typename CharT>@@ -816,45 +833,55 @@ /* |chars| must not point into an inline or short string. */ template <typename CharT>-JSAtom* js::AtomizeChars(JSContext* cx, HashNumber hash, const CharT* chars,- size_t length) {+JSAtom* js::AtomizeCharsNonStaticValidLength(JSContext* cx, HashNumber hash,+ const CharT* chars,+ size_t length) {+ MOZ_ASSERT(!cx->staticStrings().lookup(chars, length));++ AtomHasher::Lookup lookup(hash, chars, length);+ return AtomizeAndCopyCharsNonStaticValidLengthFromLookup(cx, chars, length,+ lookup, Nothing());+}++template JSAtom* js::AtomizeCharsNonStaticValidLength(JSContext* cx,+ HashNumber hash,+ const Latin1Char* chars,+ size_t length);++template JSAtom* js::AtomizeCharsNonStaticValidLength(JSContext* cx,+ HashNumber hash,+ const char16_t* chars,+ size_t length);++static JSAtom* PermanentlyAtomizeCharsValidLength(JSContext* cx,+ AtomSet& atomSet,+ HashNumber hash,+ const Latin1Char* chars,+ size_t length) { if (JSAtom* s = cx->staticStrings().lookup(chars, length)) { return s; }+ return PermanentlyAtomizeCharsNonStaticValidLength(cx, atomSet, hash, chars,+ length);+}++JSAtom* js::PermanentlyAtomizeCharsNonStaticValidLength(JSContext* cx,+ AtomSet& atomSet,+ HashNumber hash,+ const Latin1Char* chars,+ size_t length) {+ MOZ_ASSERT(!cx->staticStrings().lookup(chars, length));+ MOZ_ASSERT(length <= JSString::MAX_LENGTH);+ AtomHasher::Lookup lookup(hash, chars, length);- return AtomizeAndCopyCharsFromLookup(cx, chars, length, lookup, Nothing());-}--template JSAtom* js::AtomizeChars(JSContext* cx, HashNumber hash,- const Latin1Char* chars, size_t length);--template JSAtom* js::AtomizeChars(JSContext* cx, HashNumber hash,- const char16_t* chars, size_t length);--template <typename CharT>-JSAtom* js::PermanentlyAtomizeChars(JSContext* cx, AtomSet& atomSet,- HashNumber hash, const CharT* chars,- size_t length) {- if (JSAtom* s = cx->staticStrings().lookup(chars, length)) {- return s;- }-- AtomHasher::Lookup lookup(hash, chars, length);- return PermanentlyAtomizeAndCopyChars(cx, atomSet, chars, length, lookup);-}--template JSAtom* js::PermanentlyAtomizeChars(JSContext* cx, AtomSet& atomSet,- HashNumber hash,- const Latin1Char* chars,- size_t length);+ return PermanentlyAtomizeAndCopyCharsNonStaticValidLength(cx, atomSet, chars,+ length, lookup);+} JSAtom* js::AtomizeUTF8Chars(JSContext* cx, const char* utf8Chars, size_t utf8ByteLength) { {- // Permanent atoms,|JSRuntime::atoms_|, and static strings are disjoint- // sets. |AtomizeAndCopyCharsFromLookup| only consults the first two sets,- // so we must map any static strings ourselves. See bug 1575947. StaticStrings& statics = cx->staticStrings(); // Handle all pure-ASCII UTF-8 static strings.@@ -896,9 +923,14 @@ return nullptr; }+ if (MOZ_UNLIKELY(!JSString::validateLength(cx, length))) {+ return nullptr;+ }+ AtomizeUTF8CharsWrapper chars(utf8, forCopy); AtomHasher::Lookup lookup(utf8Chars, utf8ByteLength, length, hash);- return AtomizeAndCopyCharsFromLookup(cx, &chars, length, lookup, Nothing());+ return AtomizeAndCopyCharsNonStaticValidLengthFromLookup(cx, &chars, length,+ lookup, Nothing()); } bool js::IndexToIdSlow(JSContext* cx, uint32_t index, MutableHandleId idp) {
I'll analyze the provided code diff for security fixes. Here are the potential vulnerabilities I've identified:
1. Vulnerability Existed: yes
Buffer Overflow Vulnerability [js/src/vm/JSAtom.cpp] [Multiple locations]
[Old Code]
Various functions like `AtomizeAndCopyCharsFromLookup`, `PermanentlyAtomizeChars`, etc. didn't consistently validate string lengths before processing.
[Fixed Code]
The code now consistently uses functions with `ValidLength` suffix (e.g., `AtomizeAndCopyCharsNonStaticValidLengthFromLookup`, `PermanentlyAtomizeCharsValidLength`) that include length validation checks.
2. Vulnerability Existed: yes
Memory Safety Vulnerability [js/src/vm/JSAtom.cpp] [Lines 296-302]
[Old Code]
HandlePropertyName description = descriptions[i];
JS::Symbol* symbol = JS::Symbol::new_(cx, JS::SymbolCode(i), description);
[Fixed Code]
JS::Symbol* symbol = JS::Symbol::newWellKnown(cx, JS::SymbolCode(i), descriptions[i]);
This change uses a more secure symbol creation function that likely includes additional safety checks.
3. Vulnerability Existed: yes
String Validation Vulnerability [js/src/vm/JSAtom.cpp] [Lines 444-450]
[Old Code]
No explicit length validation in string creation functions.
[Fixed Code]
Added validation checks like:
if (MOZ_UNLIKELY(!JSString::validateLength(cx, length))) {
return nullptr;
}
4. Vulnerability Existed: not sure
Potential Memory Allocation Vulnerability [js/src/vm/JSAtom.cpp] [Lines 617-627]
[Old Code]
Used NewStringCopyN with NoGC and TenuredHeap flags.
[Fixed Code]
Now uses NewStringForAtomCopyNMaybeDeflateValidLength and AllocateInlineStringForAtom which might include additional safety checks for atom allocation.
The main theme of these changes appears to be adding proper length validation and using more secure variants of string/atom creation functions to prevent potential buffer overflows and memory safety issues. The changes are widespread throughout the file, affecting multiple functions that handle string/atom creation and manipulation.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/forms/nsTextControlFrame.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/forms/nsTextControlFrame.cpp@@ -181,7 +181,7 @@ aPostDestroyData.AddAnonymousContent(mRootNode.forget()); aPostDestroyData.AddAnonymousContent(mPlaceholderDiv.forget()); aPostDestroyData.AddAnonymousContent(mPreviewDiv.forget());- aPostDestroyData.AddAnonymousContent(mShowPasswordButton.forget());+ aPostDestroyData.AddAnonymousContent(mRevealButton.forget()); nsContainerFrame::DestroyFrom(aDestructRoot, aPostDestroyData); }@@ -446,16 +446,15 @@ // background on the placeholder doesn't obscure the caret. aElements.AppendElement(mRootNode);- if (StaticPrefs::layout_forms_input_type_show_password_button_enabled() &&+ if (StaticPrefs::layout_forms_reveal_password_button_enabled() && IsPasswordTextControl()) {- mShowPasswordButton =- MakeAnonElement(PseudoStyleType::mozTextControlShowPasswordButton,- nullptr, nsGkAtoms::button);- mShowPasswordButton->SetAttr(kNameSpaceID_None, nsGkAtoms::aria_hidden,- u"true"_ns, false);- mShowPasswordButton->SetAttr(kNameSpaceID_None, nsGkAtoms::tabindex,- u"-1"_ns, false);- aElements.AppendElement(mShowPasswordButton);+ mRevealButton =+ MakeAnonElement(PseudoStyleType::mozReveal, nullptr, nsGkAtoms::button);+ mRevealButton->SetAttr(kNameSpaceID_None, nsGkAtoms::aria_hidden,+ u"true"_ns, false);+ mRevealButton->SetAttr(kNameSpaceID_None, nsGkAtoms::tabindex, u"-1"_ns,+ false);+ aElements.AppendElement(mRevealButton); } rv = UpdateValueDisplay(false);@@ -581,8 +580,8 @@ aElements.AppendElement(mPreviewDiv); }- if (mShowPasswordButton) {- aElements.AppendElement(mShowPasswordButton);+ if (mRevealButton) {+ aElements.AppendElement(mRevealButton); } aElements.AppendElement(mRootNode);@@ -672,7 +671,7 @@ auto pseudoType = aFrame->Style()->GetPseudoType(); return pseudoType == PseudoStyleType::mozNumberSpinBox || pseudoType == PseudoStyleType::mozSearchClearButton ||- pseudoType == PseudoStyleType::mozTextControlShowPasswordButton;+ pseudoType == PseudoStyleType::mozReveal; } void nsTextControlFrame::Reflow(nsPresContext* aPresContext,
I'll analyze the code diff for security fixes following the specified format.
1. Vulnerability Existed: not sure
[Potential Information Exposure through Password Reveal Button] [layout/forms/nsTextControlFrame.cpp] [Lines 181, 446-455, 581-583, 672]
[Old Code]
- aPostDestroyData.AddAnonymousContent(mShowPasswordButton.forget());
...
- mShowPasswordButton =
- MakeAnonElement(PseudoStyleType::mozTextControlShowPasswordButton,
- nullptr, nsGkAtoms::button);
- mShowPasswordButton->SetAttr(kNameSpaceID_None, nsGkAtoms::aria_hidden,
- u"true"_ns, false);
- mShowPasswordButton->SetAttr(kNameSpaceID_None, nsGkAtoms::tabindex,
- u"-1"_ns, false);
- aElements.AppendElement(mShowPasswordButton);
...
- if (mShowPasswordButton) {
- aElements.AppendElement(mShowPasswordButton);
...
- pseudoType == PseudoStyleType::mozTextControlShowPasswordButton;
[Fixed Code]
+ aPostDestroyData.AddAnonymousContent(mRevealButton.forget());
...
+ mRevealButton =
+ MakeAnonElement(PseudoStyleType::mozReveal, nullptr, nsGkAtoms::button);
+ mRevealButton->SetAttr(kNameSpaceID_None, nsGkAtoms::aria_hidden,
+ u"true"_ns, false);
+ mRevealButton->SetAttr(kNameSpaceID_None, nsGkAtoms::tabindex, u"-1"_ns,
+ false);
+ aElements.AppendElement(mRevealButton);
...
+ if (mRevealButton) {
+ aElements.AppendElement(mRevealButton);
...
+ pseudoType == PseudoStyleType::mozReveal;
Additional Details:
This appears to be a refactoring of the password reveal button functionality, changing the naming from "ShowPasswordButton" to "RevealButton" and the pseudo type from "mozTextControlShowPasswordButton" to "mozReveal". While this doesn't show a direct security vulnerability fix, it could be related to making the password reveal functionality more secure by using more generic naming that doesn't explicitly reveal its purpose in the code. However, I can't confirm if this was specifically for security reasons.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/mediaqueries/mq-deprecated-001.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/mediaqueries/mq-deprecated-001.html@@ -5,7 +5,6 @@ <link rel="help" href="https://drafts.csswg.org/mediaqueries-4/#ref-for-media-type%E2%91%A0%E2%91%A6"> <link rel="match" href="../reference/ref-filled-green-100px-square.xht"> <meta name="assert" content="deprecated media types must not match">-<meta name="flags" content=""> <style> div { width: 100px;
Based on the provided code diff, I'll analyze it for security vulnerabilities: Vulnerability Existed: no No security vulnerability found [File] [Lines 5] [Old Code] <meta name="flags" content=""> [Fixed Code] (Line removed) Additional Details: - The change simply removes an empty meta tag with a "flags" attribute - This appears to be a cleanup change rather than a security fix - No known vulnerability is associated with this change - The modification doesn't affect security-related functionality Note: While this doesn't represent a security fix, it's worth noting that removing unnecessary code can sometimes improve security by reducing attack surface, though in this case the impact would be negligible.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/newtab/test/unit/asrouter/PanelTestProvider.test.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/newtab/test/unit/asrouter/PanelTestProvider.test.js@@ -2,16 +2,17 @@ import update_schema from "content-src/asrouter/templates/OnboardingMessage/UpdateAction.schema.json"; import whats_new_schema from "content-src/asrouter/templates/OnboardingMessage/WhatsNewMessage.schema.json"; import spotlight_schema from "content-src/asrouter/templates/OnboardingMessage/Spotlight.schema.json";+import PBNewtabSchema from "content-src/asrouter/templates/PBNewtab/NewtabPromoMessage.schema.json"; describe("PanelTestProvider", () => { let messages; beforeEach(async () => { messages = await PanelTestProvider.getMessages(); });- it("should have a message", () => {+ it("should have 12 messages", () => { // Careful: when changing this number make sure that new messages also go // through schema verifications.- assert.lengthOf(messages, 11);+ assert.lengthOf(messages, 12); }); it("should be a valid message", () => { const updateMessages = messages.filter(@@ -31,7 +32,7 @@ assert.property(message, "order"); } });- it("should be a valid message", () => {+ it("should be a valid spotlight message", () => { const spotlightMessages = messages.filter( ({ template }) => template === "spotlight" );@@ -39,4 +40,11 @@ assert.jsonSchema(message, spotlight_schema); } });+ it("should be a valid pb newtab message", () => {+ const pbNewtabMessages = messages.filter(+ ({ template }) => template === "pb_newtab"+ );+ assert.lengthOf(pbNewtabMessages, 1);+ pbNewtabMessages.forEach(m => assert.jsonSchema(m, PBNewtabSchema));+ }); });
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be related to adding a new message type and updating tests accordingly. Here's the analysis: 1. Vulnerability Existed: no No security vulnerability found File: browser/components/newtab/test/unit/asrouter/PanelTestProvider.test.js Changes: - Added import for PBNewtabSchema - Updated test message count expectation from 11 to 12 - Added test case for pb_newtab message type validation The changes are: 1. Adding support for a new message type (pb_newtab) with schema validation 2. Updating test expectations to account for the new message 3. Making test descriptions more specific 4. No security-related changes were made in this diff These appear to be normal feature additions and test improvements rather than security fixes. The schema validation being added is actually a good practice that could help prevent security issues in the future by ensuring message data conforms to expected formats.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.nocontext.destination-in.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.nocontext.destination-in.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 255, 0.5)';@@ -22,7 +22,7 @@ ctx.globalCompositeOperation = 'destination-in'; var offscreenCanvas2 = new OffscreenCanvas(100, 50); ctx.drawImage(offscreenCanvas2, 0, 0);-_assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);+_assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5); t.done(); });
Based on the provided diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily variable renaming and consistency improvements rather than security fixes. Here's the analysis following your requested format:
Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.nocontext.destination-in.worker.js] [Lines 13-22]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);
The changes are:
1. Renaming variable from `offscreenCanvas` to `canvas` for consistency
2. Updating the variable name in the assertion call to match the new name
3. No security-related changes were made
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-values/calc-offsets-relative-right-1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-values/calc-offsets-relative-right-1.html@@ -5,7 +5,6 @@ <link rel="author" title="L. David Baron" href="https://dbaron.org/"> <link rel="help" href="http://www.w3.org/TR/css3-values/#calc-notation"> <link rel="match" href="calc-offsets-relative-left-1-ref.html">- <meta name="flags" content=""> <style type="text/css"> body { margin: 0 100px; width: 100px } div[style] { background: blue; position: relative; height: 3px; }
Based on the provided diff, I don't see any clear security vulnerabilities being fixed. The change simply removes an empty meta tag with a "flags" attribute, which appears to be test-related metadata rather than a security fix.
Answer for Each Vulnerability:
Vulnerability Existed: no
No security vulnerability found in this diff
File: testing/web-platform/tests/css/css-values/calc-offsets-relative-right-1.html
[Old Code]
<meta name="flags" content="">
[Fixed Code]
[This line was removed]
Additional Notes:
- The change appears to be a minor cleanup of test metadata rather than a security fix
- The "flags" meta tag was commonly used in web platform tests but doesn't pose security risks
- No actual code changes were made to the test logic or CSS content
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/forms/nsTextControlFrame.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/forms/nsTextControlFrame.h@@ -223,7 +223,7 @@ Element* GetPlaceholderNode() const { return mPlaceholderDiv; }- Element* GetShowPasswordButton() const { return mShowPasswordButton; }+ Element* GetRevealButton() const { return mRevealButton; } // called by the focus listener nsresult MaybeBeginSecureKeyboardInput();@@ -353,8 +353,9 @@ RefPtr<Element> mRootNode; RefPtr<Element> mPlaceholderDiv; RefPtr<Element> mPreviewDiv;- // The Show Password button. Only used for type=password, nullptr otherwise.- RefPtr<Element> mShowPasswordButton;+ // The Reveal Password button. Only used for type=password, nullptr+ // otherwise.+ RefPtr<Element> mRevealButton; RefPtr<nsAnonDivObserver> mMutationObserver; // Cache of the |.value| of <input> or <textarea> element without hard-wrap. // If its IsVoid() returns true, it doesn't cache |.value|.
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential Information Exposure] [layout/forms/nsTextControlFrame.h] [Lines 223, 353]
[Old Code]
Element* GetShowPasswordButton() const { return mShowPasswordButton; }
RefPtr<Element> mShowPasswordButton;
[Fixed Code]
Element* GetRevealButton() const { return mRevealButton; }
RefPtr<Element> mRevealButton;
Additional Details: The change appears to be a renaming from "Show Password" to "Reveal Button" terminology. While this might indicate a security-conscious change in terminology (avoiding directly exposing password-related functionality in the API), it's not clear if this was fixing an actual vulnerability or just improving code clarity. The functionality seems similar, just with different naming.
Note: The diff shows a change in naming convention for password reveal functionality, but doesn't clearly indicate a security vulnerability fix. The change might be part of a broader security improvement initiative (like making password-related functionality less exposed in APIs), but without more context, we can't be certain if this was fixing a specific vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/sessionstore/SessionStoreRestoreData.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/sessionstore/SessionStoreRestoreData.cpp@@ -52,7 +52,6 @@ equalsExceptRef); }-MOZ_CAN_RUN_SCRIPT bool SessionStoreRestoreData::RestoreInto(RefPtr<BrowsingContext> aContext) { if (!aContext->IsInProcess()) { return false;
Let me analyze the code diff for security fixes.
Vulnerability Existed: not sure
[Potential MOZ_CAN_RUN_SCRIPT annotation removal] [toolkit/components/sessionstore/SessionStoreRestoreData.cpp] [Lines 52-58]
[Old Code]
MOZ_CAN_RUN_SCRIPT
bool SessionStoreRestoreData::RestoreInto(RefPtr<BrowsingContext> aContext) {
[Fixed Code]
bool SessionStoreRestoreData::RestoreInto(RefPtr<BrowsingContext> aContext) {
Additional Details:
1. The diff shows removal of the MOZ_CAN_RUN_SCRIPT annotation from the RestoreInto method. This annotation is part of Mozilla's static analysis system to prevent unsafe script running scenarios.
2. Without more context about the method's implementation, it's unclear if this removal introduces a security vulnerability or was done after verifying the method no longer needs this annotation.
3. The change could be related to security hardening if the method was incorrectly marked as script-runnable when it shouldn't be, or it could potentially weaken security if the annotation was necessary.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/streams/readable-streams/async-iterator.any.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/streams/readable-streams/async-iterator.any.js@@ -1,4 +1,4 @@-// META: global=window,worker,jsshell+// META: global=window,worker // META: script=../resources/rs-utils.js // META: script=../resources/test-utils.js // META: script=../resources/recording-streams.js
Let me analyze the provided code diff for security fixes. Vulnerability Existed: not sure [Potential Test Environment Scope Reduction] [testing/web-platform/tests/streams/readable-streams/async-iterator.any.js] [Lines 1] [Old Code] // META: global=window,worker,jsshell [Fixed Code] // META: global=window,worker Additional Details: - The change removes "jsshell" from the test environment scope - This might indicate a security-related change to prevent tests from running in potentially less secure environments - However, without more context about why jsshell was removed, we can't be certain if this was a security fix or just a test scope adjustment Note: This appears to be a test file modification rather than production code, so the security implications are less direct. The change might be related to test reliability rather than security.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/transformations/2d.transformation.setTransform.multiple.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/transformations/2d.transformation.setTransform.multiple.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -22,7 +22,7 @@ ctx.setTransform(2,0, 0,2, 0,0); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 50, 25);-_assertPixel(offscreenCanvas, 75,35, 0,255,0,255, "75,35", "0,255,0,255");+_assertPixel(canvas, 75,35, 0,255,0,255, "75,35", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes where a variable name was changed from `offscreenCanvas` to `canvas` for consistency or clarity.
Here's the structured response:
Vulnerability Existed: no
[No Vulnerability Found] [testing/web-platform/tests/html/canvas/offscreen/transformations/2d.transformation.setTransform.multiple.worker.js] [Lines 13-22]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 75,35, 0,255,0,255, "75,35", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 75,35, 0,255,0,255, "75,35", "0,255,0,255");
The changes don't indicate any security fixes, just variable renaming. The functionality remains exactly the same, only the variable name was changed from `offscreenCanvas` to `canvas`.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/python/mozbuild/mozbuild/vendor/host_base.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/python/mozbuild/mozbuild/vendor/host_base.py@@ -16,6 +16,7 @@ def upstream_tag(self, revision): """Temporarily clone the repo to get the latest tag and timestamp""" with tempfile.TemporaryDirectory() as temp_repo_clone:+ starting_directory = os.getcwd() os.chdir(temp_repo_clone) subprocess.run( [@@ -51,6 +52,7 @@ universal_newlines=True, check=True, ).stdout.splitlines()[-1]+ os.chdir(starting_directory) return (latest_tag, latest_tag_timestamp) def upstream_snapshot(self, revision):
Let me analyze the code diff for security fixes:
Vulnerability Existed: yes
Directory Traversal Vulnerability [python/mozbuild/mozbuild/vendor/host_base.py] [Lines 16-52]
[Old Code]
def upstream_tag(self, revision):
"""Temporarily clone the repo to get the latest tag and timestamp"""
with tempfile.TemporaryDirectory() as temp_repo_clone:
os.chdir(temp_repo_clone)
subprocess.run(
[
...
universal_newlines=True,
check=True,
).stdout.splitlines()[-1]
return (latest_tag, latest_tag_timestamp)
[Fixed Code]
def upstream_tag(self, revision):
"""Temporarily clone the repo to get the latest tag and timestamp"""
with tempfile.TemporaryDirectory() as temp_repo_clone:
starting_directory = os.getcwd()
os.chdir(temp_repo_clone)
subprocess.run(
[
...
universal_newlines=True,
check=True,
).stdout.splitlines()[-1]
os.chdir(starting_directory)
return (latest_tag, latest_tag_timestamp)
Additional Details:
The vulnerability existed because the original code changed the working directory but didn't restore it, which could lead to directory traversal issues or unexpected behavior in subsequent operations. The fix stores the original directory before changing it and restores it afterwards, preventing potential security issues that could arise from remaining in the temporary directory.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/indexedDB/IndexedDatabaseManager.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/indexedDB/IndexedDatabaseManager.cpp@@ -22,7 +22,6 @@ #include "mozilla/dom/ErrorEvent.h" #include "mozilla/dom/ErrorEventBinding.h" #include "mozilla/dom/WorkerScope.h"-#include "mozilla/dom/WorkerPrivate.h" #include "mozilla/dom/quota/ResultExtensions.h" #include "mozilla/intl/LocaleCanonicalizer.h" #include "mozilla/ipc/BackgroundChild.h"
Based on the provided diff, I'll analyze it for potential security vulnerabilities: Vulnerability Existed: not sure [Potential Unused/Dangerous Include Removal] [dom/indexedDB/IndexedDatabaseManager.cpp] [Lines 22] [Old Code] #include "mozilla/dom/WorkerPrivate.h" [Fixed Code] (removed) Additional Details: - The change removes an include statement for WorkerPrivate.h - Without more context about how WorkerPrivate.h was being used, it's difficult to determine if this was a security fix - This could be related to removing unused code (good practice) or could be part of a larger security fix where WorkerPrivate functionality was removed - The removal might be related to reducing attack surface by removing unnecessary dependencies, but this is speculative Note: Since this is just a header removal and we don't see the actual usage changes, it's impossible to definitively identify a specific vulnerability from this diff alone. The change could be part of a larger security fix that isn't visible in this snippet.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/inset/shape-outside-inset-026.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/inset/shape-outside-inset-026.html@@ -9,7 +9,6 @@ <link rel="author" title="Mozilla" href="http://www.mozilla.org/"> <link rel="help" href="https://drafts.csswg.org/css-shapes-1/#supported-basic-shapes"> <link rel="match" href="reference/shape-outside-inset-026-ref.html">- <meta name="flags" content=""> <meta name="assert" content="Test the boxes are wrapping around the left float shape defined by the inset(10px round 60px 0/ 40px 0) border-box value under sideways-lr writing-mode."> <style> .container {
Based on the provided code diff, I don't see any security-related changes. The diff shows a minor modification to a test file where a meta tag with empty flags was removed. This appears to be a cleanup or maintenance change rather than a security fix.
Answer:
Vulnerability Existed: no
No security vulnerability found in this diff. The change appears to be a test file cleanup.
Additional notes:
1. The change removes an empty meta tag ('flags') which doesn't appear to have any security implications
2. This is part of a CSS shapes test file, not production code
3. No actual security-related functionality was modified
4. The change is likely related to test maintenance or standardization
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/size.attributes.idl.set.zero.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/size.attributes.idl.set.zero.worker.js@@ -13,13 +13,13 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d');-offscreenCanvas.width = 0;-offscreenCanvas.height = 0;-_assertSame(offscreenCanvas.width, 0, "offscreenCanvas.width", "0");-_assertSame(offscreenCanvas.height, 0, "offscreenCanvas.height", "0");+canvas.width = 0;+canvas.height = 0;+_assertSame(canvas.width, 0, "canvas.width", "0");+_assertSame(canvas.height, 0, "canvas.height", "0"); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't involve any security-related modifications. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/size.attributes.idl.set.zero.worker.js] [Lines 13-21]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
offscreenCanvas.width = 0;
offscreenCanvas.height = 0;
_assertSame(offscreenCanvas.width, 0, "offscreenCanvas.width", "0");
_assertSame(offscreenCanvas.height, 0, "offscreenCanvas.height", "0");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
canvas.width = 0;
canvas.height = 0;
_assertSame(canvas.width, 0, "canvas.width", "0");
_assertSame(canvas.height, 0, "canvas.height", "0");
The changes are simply renaming the variable from `offscreenCanvas` to `canvas` and updating the corresponding assertions. There are no security implications in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.1.radius.dompoint.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.1.radius.dompoint.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -27,28 +27,28 @@ ctx.fill(); // top-left corner-_assertPixel(offscreenCanvas, 20,1, 255,0,0,255, "20,1", "255,0,0,255");-_assertPixel(offscreenCanvas, 41,1, 0,255,0,255, "41,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,10, 255,0,0,255, "1,10", "255,0,0,255");-_assertPixel(offscreenCanvas, 1,21, 0,255,0,255, "1,21", "0,255,0,255");+_assertPixel(canvas, 20,1, 255,0,0,255, "20,1", "255,0,0,255");+_assertPixel(canvas, 41,1, 0,255,0,255, "41,1", "0,255,0,255");+_assertPixel(canvas, 1,10, 255,0,0,255, "1,10", "255,0,0,255");+_assertPixel(canvas, 1,21, 0,255,0,255, "1,21", "0,255,0,255"); // top-right corner-_assertPixel(offscreenCanvas, 79,1, 255,0,0,255, "79,1", "255,0,0,255");-_assertPixel(offscreenCanvas, 58,1, 0,255,0,255, "58,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,10, 255,0,0,255, "98,10", "255,0,0,255");-_assertPixel(offscreenCanvas, 98,21, 0,255,0,255, "98,21", "0,255,0,255");+_assertPixel(canvas, 79,1, 255,0,0,255, "79,1", "255,0,0,255");+_assertPixel(canvas, 58,1, 0,255,0,255, "58,1", "0,255,0,255");+_assertPixel(canvas, 98,10, 255,0,0,255, "98,10", "255,0,0,255");+_assertPixel(canvas, 98,21, 0,255,0,255, "98,21", "0,255,0,255"); // bottom-right corner-_assertPixel(offscreenCanvas, 79,48, 255,0,0,255, "79,48", "255,0,0,255");-_assertPixel(offscreenCanvas, 58,48, 0,255,0,255, "58,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,39, 255,0,0,255, "98,39", "255,0,0,255");-_assertPixel(offscreenCanvas, 98,28, 0,255,0,255, "98,28", "0,255,0,255");+_assertPixel(canvas, 79,48, 255,0,0,255, "79,48", "255,0,0,255");+_assertPixel(canvas, 58,48, 0,255,0,255, "58,48", "0,255,0,255");+_assertPixel(canvas, 98,39, 255,0,0,255, "98,39", "255,0,0,255");+_assertPixel(canvas, 98,28, 0,255,0,255, "98,28", "0,255,0,255"); // bottom-left corner-_assertPixel(offscreenCanvas, 20,48, 255,0,0,255, "20,48", "255,0,0,255");-_assertPixel(offscreenCanvas, 41,48, 0,255,0,255, "41,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,39, 255,0,0,255, "1,39", "255,0,0,255");-_assertPixel(offscreenCanvas, 1,28, 0,255,0,255, "1,28", "0,255,0,255");+_assertPixel(canvas, 20,48, 255,0,0,255, "20,48", "255,0,0,255");+_assertPixel(canvas, 41,48, 0,255,0,255, "41,48", "0,255,0,255");+_assertPixel(canvas, 1,39, 255,0,0,255, "1,39", "255,0,0,255");+_assertPixel(canvas, 1,28, 0,255,0,255, "1,28", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security-related fixes. The changes appear to be purely cosmetic, renaming a variable from `offscreenCanvas` to `canvas` and updating all references to it. Here's the analysis: Vulnerability Existed: no [No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.1.radius.dompoint.html] [Lines 17-48] [Old Code: Used variable name 'offscreenCanvas'] [Fixed Code: Changed variable name to 'canvas'] The changes are: 1. Variable name change from `offscreenCanvas` to `canvas` 2. Corresponding updates to all `_assertPixel` calls to use the new variable name This appears to be a code style/readability improvement rather than a security fix. No actual functionality or security-related behavior was modified.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit/JitOptions.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit/JitOptions.cpp@@ -154,6 +154,10 @@ // Toggles whether functions may be entered at loop headers. SET_DEFAULT(osr, true);+ // Whether the JIT backend (used by JITs, Wasm, Baseline Interpreter) has been+ // disabled for this process. See JS::DisableJitBackend.+ SET_DEFAULT(disableJitBackend, false);+ // Whether to enable extra code to perform dynamic validations. SET_DEFAULT(runExtraChecks, false);@@ -263,8 +267,7 @@ SET_DEFAULT(spectreJitToCxxCalls, true); #endif- // These are set to their actual values in InitializeJit.- SET_DEFAULT(supportsFloatingPoint, false);+ // This is set to its actual value in InitializeJit. SET_DEFAULT(supportsUnalignedAccesses, false); // Toggles the optimization whereby offsets are folded into loads and not
Here's the analysis of the provided code diff following the specified format: 1. Vulnerability Existed: not sure [Potential JIT Backend Security Control] [js/src/jit/JitOptions.cpp] [Lines 154-158] [Old Code: No explicit JIT backend disable option] [Fixed Code: Added "disableJitBackend" default option] Additional Details: - The addition of a JIT backend disable option could be related to security hardening, allowing processes to disable JIT compilation when not needed - Without more context, it's unclear if this fixes a specific vulnerability or is just general hardening 2. Vulnerability Existed: not sure [Potential Spectre Mitigation] [js/src/jit/JitOptions.cpp] [Lines 263-267] [Old Code: Both floating point and unaligned accesses settings commented together] [Fixed Code: Separated the comments and removed floating point setting] Additional Details: - The change in comment structure and removal of the floating point setting might relate to Spectre mitigations (given the nearby spectreJitToCxxCalls setting) - Could indicate more precise control over hardware capabilities detection - The actual security impact is unclear without more context Note: The diff doesn't clearly show fixes for any well-known vulnerabilities, but shows changes that could be security-related hardening measures. The most significant change is the addition of the JIT backend disable option, which could be used as a security control.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.