Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/naga/src/back/hlsl/writer.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/naga/src/back/hlsl/writer.rs@@ -715,22 +715,11 @@ stride: _, } => { // HLSL arrays are written as `type name[size]`- let (ty_name, vec_size) = match module.types[base].inner {- // Write scalar type by backend so as not to depend on the front-end implementation- // Name returned from frontend can be generated (type1, float1, etc.)- TypeInner::Scalar { kind, width } => (kind.to_hlsl_str(width)?, None),- // Similarly, write vector types directly.- TypeInner::Vector { size, kind, width } => {- (kind.to_hlsl_str(width)?, Some(size))- }- _ => (self.names[&NameKey::Type(base)].as_str(), None),- };-- // Write `type` and `name`- write!(self.out, "{}", ty_name)?;- if let Some(s) = vec_size {- write!(self.out, "{}", s as usize)?;- }+ if let TypeInner::Matrix { .. } = module.types[base].inner {+ write!(self.out, "row_major ")?;+ }+ self.write_type(module, base)?;+ // Write `name` write!( self.out, " {}",@@ -1594,6 +1583,7 @@ Expression::ImageSample { image, sampler,+ gather, coordinate, array_index, offset,@@ -1601,23 +1591,30 @@ depth_ref, } => { use crate::SampleLevel as Sl;-- let texture_func = match level {- Sl::Auto => {- if depth_ref.is_some() {- "SampleCmp"- } else {- "Sample"- }- }- Sl::Zero => "SampleCmpLevelZero",- Sl::Exact(_) => "SampleLevel",- Sl::Bias(_) => "SampleBias",- Sl::Gradient { .. } => "SampleGrad",+ const COMPONENTS: [&str; 4] = ["", "Green", "Blue", "Alpha"];++ let (base_str, component_str) = match gather {+ Some(component) => ("Gather", COMPONENTS[component as usize]),+ None => ("Sample", ""),+ };+ let cmp_str = match depth_ref {+ Some(_) => "Cmp",+ None => "",+ };+ let level_str = match level {+ Sl::Zero if gather.is_none() => "LevelZero",+ Sl::Auto | Sl::Zero => "",+ Sl::Exact(_) => "Level",+ Sl::Bias(_) => "Bias",+ Sl::Gradient { .. } => "Grad", }; self.write_expr(module, image, func_ctx)?;- write!(self.out, ".{}(", texture_func)?;+ write!(+ self.out,+ ".{}{}{}{}(",+ base_str, cmp_str, component_str, level_str+ )?; self.write_expr(module, sampler, func_ctx)?; write!(self.out, ", ")?; self.write_texture_coordinates(@@ -1827,6 +1824,8 @@ Mf::Asinh => Function::Asincosh { is_sin: true }, Mf::Acosh => Function::Asincosh { is_sin: false }, Mf::Atanh => Function::Atanh,+ Mf::Radians => Function::Regular("radians"),+ Mf::Degrees => Function::Regular("degrees"), // decomposition Mf::Ceil => Function::Regular("ceil"), Mf::Floor => Function::Regular("floor"),@@ -1854,7 +1853,7 @@ Mf::Refract => Function::Regular("refract"), // computational Mf::Sign => Function::Regular("sign"),- Mf::Fma => Function::Regular("fma"),+ Mf::Fma => Function::Regular("mad"), Mf::Mix => Function::Regular("lerp"), Mf::Step => Function::Regular("step"), Mf::SmoothStep => Function::Regular("smoothstep"),@@ -1866,6 +1865,8 @@ // bits Mf::CountOneBits => Function::Regular("countbits"), Mf::ReverseBits => Function::Regular("reversebits"),+ Mf::FindLsb => Function::Regular("firstbitlow"),+ Mf::FindMsb => Function::Regular("firstbithigh"), _ => return Err(Error::Unimplemented(format!("write_expr_math {:?}", fun))), };
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Potential Matrix Handling Issue] [third_party/rust/naga/src/back/hlsl/writer.rs] [Lines 715-715]
[Old Code]
```rust
let (ty_name, vec_size) = match module.types[base].inner {
TypeInner::Scalar { kind, width } => (kind.to_hlsl_str(width)?, None),
TypeInner::Vector { size, kind, width } => {
(kind.to_hlsl_str(width)?, Some(size))
}
_ => (self.names[&NameKey::Type(base)].as_str(), None),
};
```
[Fixed Code]
```rust
if let TypeInner::Matrix { .. } = module.types[base].inner {
write!(self.out, "row_major ")?;
}
self.write_type(module, base)?;
```
2. Vulnerability Existed: not sure
[Potential Image Sampling Issue] [third_party/rust/naga/src/back/hlsl/writer.rs] [Lines 1594-1601]
[Old Code]
```rust
let texture_func = match level {
Sl::Auto => {
if depth_ref.is_some() {
"SampleCmp"
} else {
"Sample"
}
}
Sl::Zero => "SampleCmpLevelZero",
Sl::Exact(_) => "SampleLevel",
Sl::Bias(_) => "SampleBias",
Sl::Gradient { .. } => "SampleGrad",
};
```
[Fixed Code]
```rust
let (base_str, component_str) = match gather {
Some(component) => ("Gather", COMPONENTS[component as usize]),
None => ("Sample", ""),
};
let cmp_str = match depth_ref {
Some(_) => "Cmp",
None => "",
};
let level_str = match level {
Sl::Zero if gather.is_none() => "LevelZero",
Sl::Auto | Sl::Zero => "",
Sl::Exact(_) => "Level",
Sl::Bias(_) => "Bias",
Sl::Gradient { .. } => "Grad",
};
```
3. Vulnerability Existed: not sure
[Potential Math Function Implementation Issue] [third_party/rust/naga/src/back/hlsl/writer.rs] [Lines 1827-1865]
[Old Code]
```rust
Mf::Fma => Function::Regular("fma"),
```
[Fixed Code]
```rust
Mf::Fma => Function::Regular("mad"),
Mf::FindLsb => Function::Regular("firstbitlow"),
Mf::FindMsb => Function::Regular("firstbithigh"),
```
Note: While these changes appear to be functional improvements and better HLSL compatibility fixes rather than direct security fixes, they could potentially address security issues related to incorrect shader generation or unexpected behavior in the graphics pipeline. However, without more context about the specific security implications, I cannot definitively confirm these as security vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/audioipc2-client/.cargo-checksum.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/audioipc2-client/.cargo-checksum.json@@ -1 +1 @@-{"files":{"Cargo.toml":"4304d6695b5ae83a67ec50eeb7c8b05f0292b31bf6d93bfec629492116cb05fd","cbindgen.toml":"ee9642e39a46b8a7275c4b18319c7a0208ef71e04de868898cd7838b277163d8","src/context.rs":"060680f87d406cef1f6f94cfae991ae59b5f3a13253e15481716a1a4224682ee","src/lib.rs":"3a4ae5b4f0afb226cef97402ba28be66ab182c6c6b9546ce9c0a1fa394c44242","src/send_recv.rs":"450bdb1d8a346634c0237f2081b424d11e2c19ad81670009303f8a03b3bfb196","src/stream.rs":"8f2f33b75b78fb1ef8ebb7b14bbb81dbb0f046f9e91b6110a3c49e424690bb8b"},"package":null}+{"files":{"Cargo.toml":"4304d6695b5ae83a67ec50eeb7c8b05f0292b31bf6d93bfec629492116cb05fd","cbindgen.toml":"fb6abe1671497f432a06e40b1db7ed7cd2cceecbd9a2382193ad7534e8855e34","src/context.rs":"060680f87d406cef1f6f94cfae991ae59b5f3a13253e15481716a1a4224682ee","src/lib.rs":"c4a6797734489280f6b97dd72c9e51a7bd7be4104592eece3929e29d45cbca4a","src/send_recv.rs":"450bdb1d8a346634c0237f2081b424d11e2c19ad81670009303f8a03b3bfb196","src/stream.rs":"8f2f33b75b78fb1ef8ebb7b14bbb81dbb0f046f9e91b6110a3c49e424690bb8b"},"package":null}=========media/libwebp/src/enc/predictor_enc.c========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/media/libwebp/src/enc/predictor_enc.c+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/media/libwebp/src/enc/predictor_enc.c@@ -249,7 +249,7 @@ } else if (x == 0) { predict = upper_row[x]; // Top. } else {- predict = pred_func(current_row[x - 1], upper_row + x);+ predict = pred_func(¤t_row[x - 1], upper_row + x); } #if (WEBP_NEAR_LOSSLESS == 1) if (max_quantization == 1 || mode == 0 || y == 0 || y == height - 1 ||
Based on the provided code diff, here's the security analysis:
1. For the first file (cargo-checksum.json):
Vulnerability Existed: no
No vulnerability - this is just a checksum update for Rust package files. The changes are hash updates which don't indicate any security fixes.
2. For the second file (predictor_enc.c):
Vulnerability Existed: not sure
Potential Buffer Overflow/Incorrect Pointer Usage [media/libwebp/src/enc/predictor_enc.c] [Lines 249]
Old Code: predict = pred_func(current_row[x - 1], upper_row + x);
Fixed Code: predict = pred_func(¤t_row[x - 1], upper_row + x);
The change involves passing a pointer to the array element rather than the value itself. While this could potentially fix a buffer overflow or incorrect memory access issue, without seeing the implementation of pred_func, I can't be certain if this was an actual security fix or just a functional correction. The change suggests the function expects a pointer rather than a value, which could prevent memory corruption if the function was incorrectly accessing memory.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/CSS2/abspos/table-caption-is-containing-block-001.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/CSS2/abspos/table-caption-is-containing-block-001.html@@ -3,7 +3,6 @@ <link rel="author" title="David Grogan" href="[email protected]"> <link rel="help" href="https://www.w3.org/TR/CSS22/tables.html#model"> <link rel="match" href="../../reference/ref-filled-green-100px-square.xht">-<meta name="flags" content="" /> <meta name="assert" content="relpos caption is containing block for abspos child" /> <title> Captions and abspos descendants
Analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/CSS2/abspos/table-caption-is-containing-block-001.html [Lines] 3-6 Old Code: `<meta name="flags" content="" />` Fixed Code: (removed line) Additional Details: - The diff shows removal of an empty meta tag with a "flags" attribute - This appears to be a test file cleanup rather than a security fix - No known vulnerability patterns or security issues are addressed by this change - The change is likely related to test metadata cleanup or test framework requirements No security vulnerabilities were identified in this diff. The change appears to be a benign modification of test file metadata.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/vm/NativeObject.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/vm/NativeObject.cpp@@ -2662,11 +2662,6 @@ HandleNativeObject from, Handle<PlainObject*> excludedItems, bool* optimized) {- MOZ_ASSERT(- !target->isUsedAsPrototype(),- "CopyDataPropertiesNative should only be called during object literal "- "construction"- "which precludes that |target| is the prototype of any other object"); #ifdef ENABLE_RECORD_TUPLE MOZ_ASSERT(!js::IsExtendedPrimitive(*target)); #endif
Analysis of the code diff:
1. Vulnerability Existed: not sure
[Assertion Removal] [js/src/vm/NativeObject.cpp] [Lines 2662-2666]
[Old Code]
MOZ_ASSERT(
!target->isUsedAsPrototype(),
"CopyDataPropertiesNative should only be called during object literal "
"construction"
"which precludes that |target| is the prototype of any other object");
[Fixed Code]
[Removed]
Additional Details:
- The diff shows the removal of a MOZ_ASSERT statement that was checking whether the target object is used as a prototype.
- While this isn't a direct security fix, removing assertions could potentially affect security if the assertion was guarding against an unsafe condition.
- Without more context about how this function is used, it's hard to determine if this was a security-related change or just a cleanup.
- The assertion was documenting an important invariant about when the function should be called, so its removal might indicate either:
* The invariant is no longer true (which could be security-relevant)
* The check was moved elsewhere
* The assertion was deemed unnecessary
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-fonts/font-features-across-space-1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-fonts/font-features-across-space-1.html@@ -7,7 +7,6 @@ <link rel="help" href="http://www.w3.org/TR/css-fonts-3/#font-feature-settings-prop"/> <link rel="match" href="font-features-across-space-1-ref.html"/> <link rel="reviewer" title="Chris Lilley" href="mailto:[email protected]" />-<meta name="flags" content=""/> <meta name="assert" content="Ligature features should be handled across spaces with font-feature-settings"/> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <style type="text/css">
Based on the provided code diff, here's the analysis: Vulnerability Existed: no No security vulnerability found [File] [Lines 7] Old Code: <meta name="flags" content=""/> Fixed Code: (line removed) Additional Details: - The change simply removes a meta tag with empty "flags" attribute - This appears to be a test file cleanup rather than a security fix - No known vulnerabilities are associated with this change - The modification doesn't introduce or fix any security-related functionality The diff shows only the removal of an unused meta tag, which doesn't appear to have any security implications. This is likely just a cleanup of test file metadata rather than a security fix.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.fillRect.nonfinite.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.fillRect.nonfinite.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -42,7 +42,7 @@ ctx.fillRect(0, Infinity, Infinity, Infinity); ctx.fillRect(0, Infinity, 100, Infinity); ctx.fillRect(0, 0, Infinity, Infinity);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, here's the security assessment:
Vulnerability Existed: no
[No specific vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.fillRect.nonfinite.worker.js] [Lines 13-14, 42]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
Additional Details:
The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and don't indicate any security fixes. The functionality remains the same, just with more consistent variable naming. There are no security vulnerabilities being addressed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/jpeg-xl/plugins/gdk-pixbuf/pixbufloader-jxl.c+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/jpeg-xl/plugins/gdk-pixbuf/pixbufloader-jxl.c@@ -86,7 +86,12 @@ G_DEFINE_TYPE(GdkPixbufJxlAnimationIter, gdk_pixbuf_jxl_animation_iter, GDK_TYPE_PIXBUF_ANIMATION_ITER);-static void gdk_pixbuf_jxl_animation_init(GdkPixbufJxlAnimation *obj) {}+static void gdk_pixbuf_jxl_animation_init(GdkPixbufJxlAnimation *obj) {+ // Suppress "unused function" warnings.+ (void)glib_autoptr_cleanup_GdkPixbufJxlAnimation;+ (void)GDK_JXL_ANIMATION;+ (void)GDK_IS_JXL_ANIMATION;+} static gboolean gdk_pixbuf_jxl_animation_is_static_image( GdkPixbufAnimation *anim) {@@ -154,6 +159,9 @@ } static void gdk_pixbuf_jxl_animation_iter_init(GdkPixbufJxlAnimationIter *obj) {+ (void)glib_autoptr_cleanup_GdkPixbufJxlAnimationIter;+ (void)GDK_JXL_ANIMATION_ITER;+ (void)GDK_IS_JXL_ANIMATION_ITER; } static int gdk_pixbuf_jxl_animation_iter_get_delay_time(
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: no
No specific vulnerability found [File] third_party/jpeg-xl/plugins/gdk-pixbuf/pixbufloader-jxl.c [Lines] 86-91, 154-156
[Old Code]
```c
static void gdk_pixbuf_jxl_animation_init(GdkPixbufJxlAnimation *obj) {}
```
[Fixed Code]
```c
static void gdk_pixbuf_jxl_animation_init(GdkPixbufJxlAnimation *obj) {
// Suppress "unused function" warnings.
(void)glib_autoptr_cleanup_GdkPixbufJxlAnimation;
(void)GDK_JXL_ANIMATION;
(void)GDK_IS_JXL_ANIMATION;
}
```
Additional Details: The changes appear to be adding unused variable suppression rather than fixing a security vulnerability.
2. Vulnerability Existed: no
No specific vulnerability found [File] third_party/jpeg-xl/plugins/gdk-pixbuf/pixbufloader-jxl.c [Lines] 154-156
[Old Code]
```c
static void gdk_pixbuf_jxl_animation_iter_init(GdkPixbufJxlAnimationIter *obj) {
```
[Fixed Code]
```c
static void gdk_pixbuf_jxl_animation_iter_init(GdkPixbufJxlAnimationIter *obj) {
(void)glib_autoptr_cleanup_GdkPixbufJxlAnimationIter;
(void)GDK_JXL_ANIMATION_ITER;
(void)GDK_IS_JXL_ANIMATION_ITER;
```
Additional Details: Similar to the first change, this appears to be adding unused variable suppression rather than fixing a security vulnerability.
The changes in this diff appear to be related to code quality/maintenance (suppressing unused variable warnings) rather than security fixes. No actual vulnerabilities were addressed in these changes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/downloads/test/unit/test_DownloadsViewableInternally.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/downloads/test/unit/test_DownloadsViewableInternally.js@@ -3,10 +3,12 @@ const PREF_SVG_DISABLED = "svg.disabled"; const PREF_WEBP_ENABLED = "image.webp.enabled";+const PREF_AVIF_ENABLED = "image.avif.enabled"; const PDF_MIME = "application/pdf"; const OCTET_MIME = "application/octet-stream"; const XML_MIME = "text/xml"; const SVG_MIME = "image/svg+xml";+const AVIF_MIME = "image/avif"; const WEBP_MIME = "image/webp"; const { Integration } = ChromeUtils.import(@@ -70,37 +72,46 @@ } function checkAll(mime, ext, expected) {- checkPreferInternal(mime, ext, expected);+ checkPreferInternal(mime, ext, expected && ext != "xml" && ext != "svg"); checkShouldView(mime, ext, expected);- checkWasRegistered(ext, expected);+ if (ext != "xml" && ext != "svg") {+ checkWasRegistered(ext, expected);+ } } add_task(async function test_viewable_internally() {- Services.prefs.setCharPref(PREF_ENABLED_TYPES, "xml , svg,webp");+ Services.prefs.setCharPref(PREF_ENABLED_TYPES, "xml , svg,avif,webp"); Services.prefs.setBoolPref(PREF_SVG_DISABLED, false); Services.prefs.setBoolPref(PREF_WEBP_ENABLED, true);+ Services.prefs.setBoolPref(PREF_AVIF_ENABLED, true); checkAll(XML_MIME, "xml", false); checkAll(SVG_MIME, "svg", false); checkAll(WEBP_MIME, "webp", false);+ checkAll(AVIF_MIME, "avif", false); DownloadsViewableInternally.register(); checkAll(XML_MIME, "xml", true); checkAll(SVG_MIME, "svg", true); checkAll(WEBP_MIME, "webp", true);-- // Remove SVG so it won't be cleared- Services.prefs.clearUserPref(PREF_BRANCH_WAS_REGISTERED + "svg");-- // Disable xml and svg, check that xml becomes disabled- Services.prefs.setCharPref(PREF_ENABLED_TYPES, "webp");-- checkAll(XML_MIME, "xml", false);- checkAll(WEBP_MIME, "webp", true);-- // SVG shouldn't be cleared- checkPreferInternal(SVG_MIME, "svg", true);+ checkAll(AVIF_MIME, "avif", true);++ // Remove webp so it won't be cleared+ Services.prefs.clearUserPref(PREF_BRANCH_WAS_REGISTERED + "webp");++ // Disable xml, avif and webp, check that avif becomes disabled+ Services.prefs.setCharPref(PREF_ENABLED_TYPES, "svg");++ // (XML is externally managed, and we just cleared the webp pref)+ checkAll(XML_MIME, "xml", true);+ checkPreferInternal(WEBP_MIME, "webp", true);++ // Avif should be disabled+ checkAll(AVIF_MIME, "avif", false);++ // SVG shouldn't be cleared as it's still enabled+ checkAll(SVG_MIME, "svg", true); Assert.ok( shouldView(PDF_MIME),@@ -116,14 +127,16 @@ ); Assert.ok(!shouldView(OCTET_MIME, "exe"), ".exe shouldn't be accepted");- Assert.ok(!shouldView(XML_MIME), "text/xml should be disabled by pref");- Assert.ok(!shouldView(SVG_MIME), "image/xml+svg should be disabled by pref");+ Assert.ok(!shouldView(WEBP_MIME), "imave/webp should be disabled by pref");+ Assert.ok(!shouldView(AVIF_MIME), "image/avif should be disabled by pref"); // Enable, check that everything is enabled again- Services.prefs.setCharPref(PREF_ENABLED_TYPES, "xml,svg,webp");-- checkPreferInternal(XML_MIME, "xml", true);- checkPreferInternal(SVG_MIME, "svg", true);+ Services.prefs.setCharPref(PREF_ENABLED_TYPES, "xml,svg,webp,avif");++ checkAll(XML_MIME, "xml", true);+ checkAll(SVG_MIME, "svg", true);+ checkPreferInternal(WEBP_MIME, "webp", true);+ checkPreferInternal(AVIF_MIME, "avif", true); Assert.ok( shouldView(PDF_MIME),@@ -160,18 +173,18 @@ Assert.equal(handler.alwaysAskBeforeHandling, ask); }- // Enable viewable internally, XML should not be replaced, SVG and WebP should be saved.+ // Enable viewable internally, SVG and XML should not be replaced, WebP should be saved. Services.prefs.setCharPref(PREF_ENABLED_TYPES, "svg,webp,xml"); Assert.equal(- Services.prefs.getIntPref(PREF_BRANCH_PREVIOUS_ACTION + "svg"),- Ci.nsIHandlerInfo.saveToDisk,- "svg action should be saved"- );- Assert.equal(- Services.prefs.getBoolPref(PREF_BRANCH_PREVIOUS_ASK + "svg"),- true,- "svg ask should be saved"+ Services.prefs.prefHasUserValue(PREF_BRANCH_PREVIOUS_ACTION + "svg"),+ false,+ "svg action should not be stored"+ );+ Assert.equal(+ Services.prefs.prefHasUserValue(PREF_BRANCH_PREVIOUS_ASK + "svg"),+ false,+ "svg ask should not be stored" ); Assert.equal( Services.prefs.getIntPref(PREF_BRANCH_PREVIOUS_ACTION + "webp"),@@ -185,10 +198,10 @@ ); {- let handler = MIMEService.getFromTypeAndExtension(XML_MIME, "xml");+ let handler = MIMEService.getFromTypeAndExtension(SVG_MIME, "svg"); Assert.equal( handler.preferredAction,- Ci.nsIHandlerInfo.useSystemDefault,+ Ci.nsIHandlerInfo.saveToDisk, "svg action should be preserved" ); Assert.equal(@@ -198,27 +211,37 @@ ); // Clean up HandlerService.remove(handler);+ handler = MIMEService.getFromTypeAndExtension(XML_MIME, "xml");+ Assert.equal(+ handler.preferredAction,+ Ci.nsIHandlerInfo.useSystemDefault,+ "xml action should be preserved"+ );+ Assert.equal(+ !!handler.alwaysAskBeforeHandling,+ true,+ "xml ask should be preserved"+ );+ // Clean up+ HandlerService.remove(handler); } // It should still be possible to view XML internally checkShouldView(XML_MIME, "xml", true);- checkWasRegistered("xml", true); checkAll(SVG_MIME, "svg", true); checkAll(WEBP_MIME, "webp", true); // Disable SVG to test SVG enabled check (depends on the pref) Services.prefs.setBoolPref(PREF_SVG_DISABLED, true);- // Should have restored the settings from above+ checkAll(SVG_MIME, "svg", false);+ Services.prefs.setBoolPref(PREF_SVG_DISABLED, false); { let handler = MIMEService.getFromTypeAndExtension(SVG_MIME, "svg");- Assert.equal(handler.preferredAction, Ci.nsIHandlerInfo.saveToDisk);- Assert.equal(!!handler.alwaysAskBeforeHandling, true);- // Clean up- HandlerService.remove(handler);- }- checkAll(SVG_MIME, "svg", false);-- Services.prefs.setBoolPref(PREF_SVG_DISABLED, false);+ handler.preferredAction = Ci.nsIHandlerInfo.saveToDisk;+ handler.alwaysAskBeforeHandling = false;+ HandlerService.store(handler);+ }+ checkAll(SVG_MIME, "svg", true); // Test WebP enabled check (depends on the pref)
After analyzing the provided code diff, I don't find any clear security vulnerabilities being fixed. The changes appear to be primarily functional enhancements and test case modifications related to adding AVIF image format support and adjusting the behavior of XML and SVG handling. Here's the analysis following your requested format: 1. Vulnerability Existed: no No security vulnerability found File: browser/components/downloads/test/unit/test_DownloadsViewableInternally.js The changes are primarily: - Added AVIF support (new constants and tests) - Modified test logic for XML/SVG handling - Adjusted preference handling in tests The diff shows: 1. Addition of AVIF-related constants and tests 2. Changes to how XML and SVG extensions are handled in checkAll() 3. Modified test cases to verify new behavior 4. Adjustments to preference handling tests These changes appear to be functional improvements rather than security fixes. The modifications are focused on: - Supporting a new image format (AVIF) - Refining the handling of certain file types (XML/SVG) - Updating test cases to match new behavior No CVE or known vulnerability patterns were identified in these changes. The modifications seem to be part of normal feature development and test maintenance.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/mfbt/SPSCQueue.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/mfbt/SPSCQueue.h@@ -225,18 +225,14 @@ /** * Get the number of available elements for consuming. *- * Only safely called on the consumer thread. This can be less than the actual- * number of elements in the queue, since the mWriteIndex is updated at the- * very end of the Enqueue method on the producer thread, but consequently- * always returns a number of elements such that a call to Dequeue return this- * number of elements.+ * This can be less than the actual number of elements in the queue, since the+ * mWriteIndex is updated at the very end of the Enqueue method on the+ * producer thread, but consequently always returns a number of elements such+ * that a call to Dequeue return this number of elements. * * @return The number of available elements for reading. */ int AvailableRead() const {-#ifdef DEBUG- AssertCorrectThread(mConsumerId);-#endif return AvailableReadInternal( mReadIndex.load(std::memory_order::memory_order_relaxed), mWriteIndex.load(std::memory_order::memory_order_relaxed));@@ -244,18 +240,14 @@ /** * Get the number of available elements for writing. *- * Only safely called on the producer thread. This can be less than than the- * actual number of slots that are available, because mReadIndex is update at- * the very end of the Deque method. It always returns a number such that a- * call to Enqueue with this number will succeed in enqueuing this number of- * elements.+ * This can be less than than the actual number of slots that are available,+ * because mReadIndex is updated at the very end of the Deque method. It+ * always returns a number such that a call to Enqueue with this number will+ * succeed in enqueuing this number of elements. * * @return The number of empty slots in the buffer, available for writing. */ int AvailableWrite() const {-#ifdef DEBUG- AssertCorrectThread(mProducerId);-#endif return AvailableWriteInternal( mReadIndex.load(std::memory_order::memory_order_relaxed), mWriteIndex.load(std::memory_order::memory_order_relaxed));
Here's the analysis of the provided code diff following the specified format:
1. Vulnerability Existed: not sure
Thread Safety Issue (Potential Race Condition) [mfbt/SPSCQueue.h] [Lines 225-244]
Old Code:
```cpp
#ifdef DEBUG
AssertCorrectThread(mConsumerId);
#endif
```
Fixed Code:
```cpp
// Thread assertion checks removed
```
Additional Details: The removal of thread assertion checks in DEBUG mode might indicate a potential thread safety issue, though the relaxed memory ordering suggests this is intentional for performance in a single-producer/single-consumer queue.
2. Vulnerability Existed: not sure
Documentation Accuracy Improvement [mfbt/SPSCQueue.h] [Lines 225-244]
Old Code:
```cpp
* Only safely called on the consumer thread. This can be less than the actual
* number of elements in the queue, since the mWriteIndex is updated at the
* very end of the Enqueue method on the producer thread, but consequently
* always returns a number of elements such that a call to Dequeue return this
* number of elements.
```
Fixed Code:
```cpp
* This can be less than the actual number of elements in the queue, since the
* mWriteIndex is updated at the very end of the Enqueue method on the
* producer thread, but consequently always returns a number of elements such
* that a call to Dequeue return this number of elements.
```
Additional Details: The documentation was updated to remove the thread-specific calling restrictions, suggesting the methods are now considered thread-safe without the assertions.
Note: While these changes don't clearly indicate a specific vulnerability (like buffer overflow or injection), they do show modifications to thread safety mechanisms which could have security implications in concurrent scenarios. The changes appear to be more about performance optimization and documentation accuracy than direct security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/bumpalo/src/boxed.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/bumpalo/src/boxed.rs@@ -647,39 +647,25 @@ } }-macro_rules! array_impls {- ($($N: expr)+) => {- $(- /// This impl replaces unsize coercion.- impl<'a, T> From<Box<'a, [T; $N]>> for Box<'a, [T]> {- fn from(mut arr: Box<'a, [T; $N]>) -> Box<'a, [T]> {- let ptr = core::ptr::slice_from_raw_parts_mut(arr.as_mut_ptr(), $N);- mem::forget(arr);- unsafe { Box::from_raw(ptr) }- }- }--- /// This impl replaces unsize coercion.- impl<'a, T> TryFrom<Box<'a, [T]>> for Box<'a, [T; $N]> {- type Error = Box<'a, [T]>;- fn try_from(mut slice: Box<'a, [T]>) -> Result<Box<'a, [T; $N]>, Box<'a, [T]>> {- if slice.len() == $N {- let ptr = slice.as_mut_ptr() as *mut [T; $N];- mem::forget(slice);- Ok(unsafe { Box::from_raw(ptr) })- } else {- Err(slice)- }- }- }- )+- }-}--array_impls! {- 0 1 2 3 4 5 6 7 8 9- 10 11 12 13 14 15 16 17 18 19- 20 21 22 23 24 25 26 27 28 29- 30 31 32-}+/// This impl replaces unsize coercion.+impl<'a, T, const N: usize> From<Box<'a, [T; N]>> for Box<'a, [T]> {+ fn from(mut arr: Box<'a, [T; N]>) -> Box<'a, [T]> {+ let ptr = core::ptr::slice_from_raw_parts_mut(arr.as_mut_ptr(), N);+ mem::forget(arr);+ unsafe { Box::from_raw(ptr) }+ }+}++/// This impl replaces unsize coercion.+impl<'a, T, const N: usize> TryFrom<Box<'a, [T]>> for Box<'a, [T; N]> {+ type Error = Box<'a, [T]>;+ fn try_from(mut slice: Box<'a, [T]>) -> Result<Box<'a, [T; N]>, Box<'a, [T]>> {+ if slice.len() == N {+ let ptr = slice.as_mut_ptr() as *mut [T; N];+ mem::forget(slice);+ Ok(unsafe { Box::from_raw(ptr) })+ } else {+ Err(slice)+ }+ }+}
Let me analyze the code diff for potential security vulnerabilities.
Vulnerability Existed: not sure
Potential Memory Safety Issue [File] third_party/rust/bumpalo/src/boxed.rs [Lines 647-]
[Old Code]
macro_rules! array_impls {
($($N: expr)+) => {
$(
impl<'a, T> From<Box<'a, [T; $N]>> for Box<'a, [T]> {
fn from(mut arr: Box<'a, [T; $N]>) -> Box<'a, [T]> {
let ptr = core::ptr::slice_from_raw_parts_mut(arr.as_mut_ptr(), $N);
mem::forget(arr);
unsafe { Box::from_raw(ptr) }
}
}
// ... similar TryFrom implementation ...
)+
}
}
[Fixed Code]
impl<'a, T, const N: usize> From<Box<'a, [T; N]>> for Box<'a, [T]> {
fn from(mut arr: Box<'a, [T; N]>) -> Box<'a, [T]> {
let ptr = core::ptr::slice_from_raw_parts_mut(arr.as_mut_ptr(), N);
mem::forget(arr);
unsafe { Box::from_raw(ptr) }
}
}
// ... similar TryFrom implementation ...
Additional Details:
The change replaces a macro-generated implementation with a const generic version. While both versions use unsafe code (raw pointers and mem::forget), the new version is more type-safe as it uses Rust's const generics feature. The old macro-based approach could potentially lead to type confusion or memory safety issues if used incorrectly, though no specific vulnerability is confirmed here. The change appears to be more about modernization and type safety than fixing a known security issue.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/canvas/ImageBitmap.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/canvas/ImageBitmap.cpp@@ -24,6 +24,7 @@ #include "mozilla/dom/WorkerRunnable.h" #include "mozilla/gfx/2D.h" #include "mozilla/gfx/Logging.h"+#include "mozilla/gfx/Scale.h" #include "mozilla/gfx/Swizzle.h" #include "mozilla/Mutex.h" #include "mozilla/ScopeExit.h"@@ -268,6 +269,83 @@ return dstDataSurface.forget(); }+/*+ * This helper function scales the data of the given DataSourceSurface,+ * _aSurface_, in the given area, _aCropRect_, into a new DataSourceSurface.+ * This might return null if it can not create a new SourceSurface or it cannot+ * read data from the given _aSurface_.+ *+ */+static already_AddRefed<DataSourceSurface> ScaleDataSourceSurface(+ DataSourceSurface* aSurface, const ImageBitmapOptions& aOptions) {+ MOZ_ASSERT(aSurface);++ const SurfaceFormat format = aSurface->GetFormat();+ const int bytesPerPixel = BytesPerPixel(format);++ const IntSize srcSize = aSurface->GetSize();+ int32_t tmp;++ CheckedInt<int32_t> checked;+ CheckedInt<int32_t> dstWidth(+ aOptions.mResizeWidth.WasPassed() ? aOptions.mResizeWidth.Value() : 0);+ CheckedInt<int32_t> dstHeight(+ aOptions.mResizeHeight.WasPassed() ? aOptions.mResizeHeight.Value() : 0);++ if (!dstWidth.isValid() || !dstHeight.isValid()) {+ return nullptr;+ }++ if (!dstWidth.value()) {+ checked = srcSize.width * dstHeight;+ if (!checked.isValid()) {+ return nullptr;+ }++ tmp = ceil(checked.value() / double(srcSize.height));+ dstWidth = tmp;+ } else if (!dstHeight.value()) {+ checked = srcSize.height * dstWidth;+ if (!checked.isValid()) {+ return nullptr;+ }++ tmp = ceil(checked.value() / double(srcSize.width));+ dstHeight = tmp;+ }++ const IntSize dstSize(dstWidth.value(), dstHeight.value());+ const int32_t dstStride = dstSize.width * bytesPerPixel;++ // Create a new SourceSurface.+ RefPtr<DataSourceSurface> dstDataSurface =+ Factory::CreateDataSourceSurfaceWithStride(dstSize, format, dstStride,+ true);++ if (NS_WARN_IF(!dstDataSurface)) {+ return nullptr;+ }++ // Copy the raw data into the newly created DataSourceSurface.+ DataSourceSurface::ScopedMap srcMap(aSurface, DataSourceSurface::READ);+ DataSourceSurface::ScopedMap dstMap(dstDataSurface, DataSourceSurface::WRITE);+ if (NS_WARN_IF(!srcMap.IsMapped()) || NS_WARN_IF(!dstMap.IsMapped())) {+ return nullptr;+ }++ uint8_t* srcBufferPtr = srcMap.GetData();+ uint8_t* dstBufferPtr = dstMap.GetData();++ bool res = Scale(srcBufferPtr, srcSize.width, srcSize.height,+ srcMap.GetStride(), dstBufferPtr, dstSize.width,+ dstSize.height, dstMap.GetStride(), aSurface->GetFormat());+ if (!res) {+ return nullptr;+ }++ return dstDataSurface.forget();+}+ static DataSourceSurface* FlipYDataSourceSurface(DataSourceSurface* aSurface) { MOZ_ASSERT(aSurface);@@ -369,6 +447,14 @@ if (aOptions.mImageOrientation == ImageOrientation::FlipY) { result = FlipYDataSourceSurface(result);+ if (NS_WARN_IF(!result)) {+ return nullptr;+ }+ }++ if (aOptions.mResizeWidth.WasPassed() || aOptions.mResizeHeight.WasPassed()) {+ dataSurface = result->GetDataSurface();+ result = ScaleDataSourceSurface(dataSurface, aOptions); if (NS_WARN_IF(!result)) { return nullptr; }@@ -505,6 +591,11 @@ flags |= nsLayoutUtils::SFE_ALLOW_NON_PREMULT; }+ if (aOptions.mColorSpaceConversion == ColorSpaceConversion::None &&+ aElement.IsHTMLElement(nsGkAtoms::img)) {+ flags |= nsLayoutUtils::SFE_NO_COLORSPACE_CONVERSION;+ }+ SurfaceFromElementResult res = nsLayoutUtils::SurfaceFromElement(&aElement, flags);@@ -820,7 +911,8 @@ } surface = dataSurface;- cropRect.MoveTo(0, 0);+ cropRect.SetRect(0, 0, dataSurface->GetSize().width,+ dataSurface->GetSize().height); needToReportMemoryAllocation = true; }@@ -834,6 +926,22 @@ if (NS_WARN_IF(!surface)) { return nullptr; }+ }++ // resize if required+ if (aOptions.mResizeWidth.WasPassed() || aOptions.mResizeHeight.WasPassed()) {+ if (!dataSurface) {+ dataSurface = surface->GetDataSurface();+ };++ surface = ScaleDataSourceSurface(dataSurface, aOptions);+ if (NS_WARN_IF(!surface)) {+ aRv.ThrowInvalidStateError("Failed to create resized image");+ return nullptr;+ }++ needToReportMemoryAllocation = true;+ cropRect.SetRect(0, 0, surface->GetSize().width, surface->GetSize().height); } if (requiresPremultiply || requiresUnpremultiply) {@@ -1330,7 +1438,6 @@ mGlobalObject(aGlobal), mInputStream(std::move(aInputStream)), mCropRect(aCropRect),- mOriginalCropRect(aCropRect), mMainThreadEventTarget(aMainThreadEventTarget), mOptions(aOptions), mThread(PR_GetCurrentThread()) {}@@ -1378,8 +1485,6 @@ nsCOMPtr<nsIInputStream> mInputStream; Maybe<IntRect> mCropRect;- Maybe<IntRect> mOriginalCropRect;- IntSize mSourceSize; nsCOMPtr<nsIEventTarget> mMainThreadEventTarget; const ImageBitmapOptions mOptions; void* mThread;@@ -1460,6 +1565,19 @@ "The crop rect height passed to createImageBitmap must be nonzero"); return promise.forget(); }+ }++ if (aOptions.mResizeWidth.WasPassed() && aOptions.mResizeWidth.Value() == 0) {+ aRv.ThrowInvalidStateError(+ "The resizeWidth passed to createImageBitmap must be nonzero");+ return promise.forget();+ }++ if (aOptions.mResizeHeight.WasPassed() &&+ aOptions.mResizeHeight.Value() == 0) {+ aRv.ThrowInvalidStateError(+ "The resizeHeight passed to createImageBitmap must be nonzero");+ return promise.forget(); } RefPtr<ImageBitmap> imageBitmap;@@ -1827,6 +1945,10 @@ frameFlags |= imgIContainer::FLAG_DECODE_NO_PREMULTIPLY_ALPHA; }+ if (mOptions.mColorSpaceConversion == ColorSpaceConversion::None) {+ frameFlags |= imgIContainer::FLAG_DECODE_NO_COLORSPACE_CONVERSION;+ }+ RefPtr<SourceSurface> surface = aImgContainer->GetFrame(whichFrame, frameFlags);@@ -1835,10 +1957,6 @@ nullptr, NS_ERROR_DOM_INVALID_STATE_ERR); return NS_OK; }-- // Store the sourceSize value for the- // MimeTypeAndDecodeAndCropBlobCompletedMainThread call.- mSourceSize = surface->GetSize(); // Crop the source surface if needed. RefPtr<SourceSurface> croppedSurface = surface;@@ -1876,12 +1994,27 @@ dataSurface = croppedSurface->GetDataSurface(); if (mCropRect.isSome()) {- mCropRect->MoveTo(0, 0);+ mCropRect->SetRect(0, 0, dataSurface->GetSize().width,+ dataSurface->GetSize().height); } } if (mOptions.mImageOrientation == ImageOrientation::FlipY) { croppedSurface = FlipYDataSourceSurface(dataSurface);+ }++ if (mOptions.mResizeWidth.WasPassed() || mOptions.mResizeHeight.WasPassed()) {+ dataSurface = croppedSurface->GetDataSurface();+ croppedSurface = ScaleDataSourceSurface(dataSurface, mOptions);+ if (NS_WARN_IF(!croppedSurface)) {+ MimeTypeAndDecodeAndCropBlobCompletedMainThread(+ nullptr, NS_ERROR_DOM_INVALID_STATE_ERR);+ return NS_OK;+ }+ if (mCropRect.isSome()) {+ mCropRect->SetRect(0, 0, croppedSurface->GetSize().width,+ croppedSurface->GetSize().height);+ } } if (NS_WARN_IF(!croppedSurface)) {
I'll analyze the code diff for security fixes following the specified format. 1. Vulnerability Existed: yes Integer Overflow Vulnerability [dom/canvas/ImageBitmap.cpp] [Lines 268-591] [Old Code] The original code didn't properly check for integer overflows when calculating new dimensions during image resizing operations. [Fixed Code] The new code adds proper integer overflow checks using CheckedInt when calculating destination dimensions in the ScaleDataSourceSurface function and throughout the file. 2. Vulnerability Existed: yes Input Validation Vulnerability [dom/canvas/ImageBitmap.cpp] [Lines 1460-1565] [Old Code] No validation for zero resize dimensions was present. [Fixed Code] Added explicit validation to reject zero values for resizeWidth and resizeHeight parameters with proper error messages. 3. Vulnerability Existed: not sure Memory Handling Vulnerability [dom/canvas/ImageBitmap.cpp] [Lines 1330-1438] [Old Code] Stored additional crop rect and source size information that might not be needed. [Fixed Code] Removed unnecessary mOriginalCropRect and mSourceSize members which could potentially reduce memory usage and attack surface. 4. Vulnerability Existed: yes Color Space Conversion Vulnerability [dom/canvas/ImageBitmap.cpp] [Lines 505-591] [Old Code] No explicit handling of color space conversion options for image elements. [Fixed Code] Added proper handling of color space conversion options with new flags (SFE_NO_COLORSPACE_CONVERSION and FLAG_DECODE_NO_COLORSPACE_CONVERSION). 5. Vulnerability Existed: not sure Surface Initialization Vulnerability [dom/canvas/ImageBitmap.cpp] [Lines 24-269] [Old Code] Missing scale-related headers and functionality. [Fixed Code] Added mozilla/gfx/Scale.h include and proper scaling functionality which might prevent potential issues with uninitialized surfaces. The changes appear to address several potential security issues, particularly around input validation, integer overflows, and proper handling of image processing operations. The most clear vulnerabilities fixed are the integer overflow checks and input validation for resize parameters.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-pseudo/selection-overlay-and-spelling-001.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-pseudo/selection-overlay-and-spelling-001.html@@ -10,7 +10,6 @@ <link rel="help" href="https://www.w3.org/TR/css-pseudo-4/#highlight-painting"> <link rel="match" href="reference/selection-overlay-and-spelling-001-ref.html">- <meta content="" name="flags"> <meta name="assert" content="In this test, the div::selection pseudo-element must be drawn over the div::spelling-error overlay."> <link rel="stylesheet" href="support/highlights.css">
Based on the provided diff, here's the analysis: Vulnerability Existed: no No security vulnerability found [File] testing/web-platform/tests/css/css-pseudo/selection-overlay-and-spelling-001.html [Lines] 10 [Old Code] `<meta content="" name="flags">` [Fixed Code] (line removed) Additional Details: - The change simply removes an empty meta tag with a "flags" attribute, which appears to be test-related metadata rather than a security concern. - There's no indication of any security vulnerability being fixed in this change. - The modification seems to be cleanup of test configuration rather than addressing any security issue.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/generic/nsFlexContainerFrame.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/generic/nsFlexContainerFrame.cpp@@ -2514,6 +2514,14 @@ aAvailableBSizeForItem > 0, "We can only handle unconstrained or positive available block-size.");+ if (!StaticPrefs::layout_flexbox_item_final_reflow_optimization_enabled()) {+ FLEX_LOG(+ "[perf] Flex item %p needed a final reflow due to optimization being "+ "disabled via the preference",+ mFrame);+ return true;+ }+ // NOTE: even if aAvailableBSizeForItem == NS_UNCONSTRAINEDSIZE we can still // have continuations from an earlier constrained reflow. if (mFrame->GetPrevInFlow() || mFrame->GetNextInFlow()) {@@ -2650,6 +2658,7 @@ // dirty, and our current conditions are sufficiently similar to the most // recent "final reflow" that it should have left our subtree in the correct // state.)+ FLEX_LOG("[perf] Flex item %p didn't need a final reflow", mFrame); return false; }
Here's the analysis of the provided code diff:
1. Vulnerability Existed: no
Performance Optimization Toggle [layout/generic/nsFlexContainerFrame.cpp] [Lines 2514-2520, 2658]
[Old Code]
(No equivalent code existed before)
[Fixed Code]
if (!StaticPrefs::layout_flexbox_item_final_reflow_optimization_enabled()) {
FLEX_LOG(
"[perf] Flex item %p needed a final reflow due to optimization being "
"disabled via the preference",
mFrame);
return true;
}
2. Vulnerability Existed: no
Performance Logging Addition [layout/generic/nsFlexContainerFrame.cpp] [Line 2658]
[Old Code]
(No logging existed before)
[Fixed Code]
FLEX_LOG("[perf] Flex item %p didn't need a final reflow", mFrame);
The changes appear to be performance-related improvements rather than security fixes. The first change adds a preference-controlled optimization toggle, and the second adds performance logging. Neither change appears to address any security vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.get.source.negative.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.get.source.negative.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#000'; ctx.fillRect(0, 0, 100, 50);
Analyzing the provided code diff, here's the security analysis:
1. Vulnerability Existed: no
No security vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.get.source.negative.html [Lines] 17-18
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
The changes appear to be purely cosmetic/refactoring, renaming the variable from 'offscreenCanvas' to 'canvas'. There are no security-related changes in this diff. The functionality remains exactly the same, just with a different variable name. No security vulnerability is being addressed here.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/python/attrs/attr/_funcs.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/python/attrs/attr/_funcs.py@@ -24,7 +24,7 @@ ``attrs``-decorated. :param callable filter: A callable whose return code determines whether an attribute or element is included (``True``) or dropped (``False``). Is- called with the :class:`attr.Attribute` as the first argument and the+ called with the `attr.Attribute` as the first argument and the value as the second argument. :param callable dict_factory: A callable to produce dictionaries from. For example, to produce ordered dictionaries instead of normal Python@@ -130,7 +130,7 @@ ``attrs``-decorated. :param callable filter: A callable whose return code determines whether an attribute or element is included (``True``) or dropped (``False``). Is- called with the :class:`attr.Attribute` as the first argument and the+ called with the `attr.Attribute` as the first argument and the value as the second argument. :param callable tuple_factory: A callable to produce tuples from. For example, to produce lists instead of tuples.@@ -219,7 +219,7 @@ :param type cls: Class to introspect. :raise TypeError: If *cls* is not a class.- :rtype: :class:`bool`+ :rtype: bool """ return getattr(cls, "__attrs_attrs__", None) is not None@@ -239,7 +239,7 @@ class. .. deprecated:: 17.1.0- Use :func:`evolve` instead.+ Use `evolve` instead. """ import warnings
Based on the provided code diff, I don't see any security-related changes. The changes appear to be documentation formatting updates, changing from Sphinx-style documentation to more generic Python docstring formatting. Here's the analysis: 1. Vulnerability Existed: no Documentation Formatting Changes [third_party/python/attrs/attr/_funcs.py] [Lines 24, 130, 219, 239] [Old Code] Various instances of Sphinx-style formatting like `:class:`attr.Attribute`` [Fixed Code] Changed to generic Python docstring formatting like `attr.Attribute` The changes are purely related to documentation formatting and don't affect the actual functionality or security of the code. There are no security vulnerabilities being fixed in this diff. All changes are in docstrings and don't modify any executable code. The modifications include: 1. Changing `:class:`attr.Attribute`` to `attr.Attribute` 2. Changing `:rtype: :class:`bool`` to `:rtype: bool` 3. Changing `:func:`evolve`` to `evolve` These are all documentation improvements rather than security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.end.4.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.end.4.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -27,10 +27,10 @@ ctx.roundRect(-1, -1, 2000, 2000, [1000, 1000, 1000, 1000]); ctx.lineTo(-150, -150); ctx.stroke();-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255"); t.done(); });
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and corresponding updates to the variable name in assertions. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found [File] [Lines]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
The changes are purely cosmetic/refactoring in nature and don't address any security issues. The functionality remains exactly the same, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/CSS2/tables/border-collapse-005.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/CSS2/tables/border-collapse-005.html@@ -8,7 +8,6 @@ <link rel="help" href="https://drafts.csswg.org/css2/tables.html#collapsing-borders" /> <link rel="help" href="https://drafts.csswg.org/css3-tables/#collapsing-borders" /> <link rel="match" href="border-collapse-005-ref.html " />- <meta name="flags" content="" /> <meta name="assert" content="border-collapse should work correctly when a table has an empty tbody" /> <style> table {
Analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/CSS2/tables/border-collapse-005.html [Lines] 8 [Old Code] <meta name="flags" content="" /> [Fixed Code] (line removed) Additional Notes: - The diff shows removal of an empty meta tag for "flags" which doesn't appear to be security-related - This appears to be a test file cleanup rather than a security fix - No known vulnerabilities are associated with this change - The modification is likely for code hygiene or test specification purposes
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-38.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-38.xml@@ -6,7 +6,6 @@ ]]></style> <link rel="author" title="Daniel Glazman" href="http://glazman.org/"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->- <meta name="flags" content="" /> </head> <body> <p>This very long paragraph should have a
Based on the provided code diff, I'll analyze it for potential security vulnerabilities:
1. Vulnerability Existed: no
No specific vulnerability found [File] [Lines 6]
[Old Code] <meta name="flags" content="" />
[Fixed Code] (line removed)
Additional Details:
- The change simply removes an empty meta tag with a "flags" attribute, which doesn't appear to have any security implications
- This appears to be a test file cleanup rather than a security fix
- No known vulnerability patterns (XSS, injection, etc.) are present in this change
- The removed tag didn't contain any executable content or sensitive information
The modification seems to be part of routine maintenance rather than addressing a security issue. The empty meta tag removal doesn't correlate with any known vulnerability patterns in web security.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.clip.basic.2.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.clip.basic.2.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -23,7 +23,7 @@ ctx.clip(); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
No security vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.clip.basic.2.worker.js [Lines] 13-23
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes appear to be purely cosmetic/refactoring, renaming the variable from `offscreenCanvas` to `canvas`. There are no security-related changes in this diff. The functionality remains exactly the same, just with a different variable name. No security vulnerabilities were fixed or introduced by this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/tools/lint/hooks_clang_format.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/tools/lint/hooks_clang_format.py@@ -12,8 +12,9 @@ topsrcdir = os.path.join(here, os.pardir, os.pardir) EXTRA_PATHS = (+ "python/mach",+ "python/mozbuild", "python/mozversioncontrol",- "python/mozbuild", "testing/mozbase/mozfile", "third_party/python/jsmin", )@@ -41,7 +42,7 @@ path_list = [] for filename in sorted(changedFiles): # Ignore files unsupported in clang-format- if filename.decode().endswith(extensions):+ if filename.endswith(extensions): path_list.append(filename) if not path_list:@@ -82,7 +83,8 @@ try: changedFiles = check_output(- ["git", "diff", "--staged", "--diff-filter=d", "--name-only", "HEAD"]+ ["git", "diff", "--staged", "--diff-filter=d", "--name-only", "HEAD"],+ text=True, ).split() # TODO we should detect if we are in a "add -p" mode and show a warning return run_clang_format(hooktype, changedFiles)
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: not sure
Potential Encoding Issue [tools/lint/hooks_clang_format.py] [Lines 41-43]
Old Code:
```python
if filename.decode().endswith(extensions):
```
Fixed Code:
```python
if filename.endswith(extensions):
```
Note: The removal of `.decode()` suggests a potential encoding issue was addressed, but without more context about the input, it's unclear if this was a security fix or just a code improvement.
2. Vulnerability Existed: not sure
Potential Command Injection [tools/lint/hooks_clang_format.py] [Lines 82-85]
Old Code:
```python
changedFiles = check_output(
["git", "diff", "--staged", "--diff-filter=d", "--name-only", "HEAD"]
).split()
```
Fixed Code:
```python
changedFiles = check_output(
["git", "diff", "--staged", "--diff-filter=d", "--name-only", "HEAD"],
text=True,
).split()
```
Note: The addition of `text=True` parameter suggests better handling of command output, but it's unclear if this was fixing a specific security vulnerability or just improving robustness.
The changes appear to be more about code quality and robustness rather than explicit security fixes. Without more context about the threat model or previous vulnerabilities, it's difficult to identify specific security issues being addressed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.