Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.shape.2.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.shape.2.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -27,12 +27,12 @@ ctx.beginPath(); ctx.arc(50, 50, 50, 0, Math.PI, true); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 20,48, 0,255,0,255, "20,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 20,48, 0,255,0,255, "20,48", "0,255,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be purely cosmetic/refactoring changes where a variable name was changed from `offscreenCanvas` to `canvas` for consistency or readability purposes. Here's the structured response: Vulnerability Existed: no [No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.shape.2.html] [Lines 17-27] [Old Code: Used variable name 'offscreenCanvas'] [Fixed Code: Changed variable name to 'canvas'] The changes don't affect security in any way - they're just variable renaming and all subsequent references to the variable were updated accordingly. No security-related functionality was modified.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/security/test/https-first/browser_navigation.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/security/test/https-first/browser_navigation.js@@ -18,18 +18,21 @@ async function testNavigations() { // Load initial site++ let url1 = REQUEST_URL + "file_navigation.html?foo1";+ let url2 = REQUEST_URL + "file_navigation.html?foo2";+ let url3 = REQUEST_URL + "file_navigation.html?foo3";+ let loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser);- BrowserTestUtils.loadURI(gBrowser, REQUEST_URL + "file_navigation.html?foo1");+ BrowserTestUtils.loadURI(gBrowser, url1); await loaded; // Load another site loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); await SpecialPowers.spawn( gBrowser.selectedBrowser,- [REQUEST_URL],- async function(url) {- content.location.href = url + "file_navigation.html?foo2";- }+ [url2],+ async url => (content.location.href = url) ); await loaded;@@ -37,10 +40,8 @@ loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); await SpecialPowers.spawn( gBrowser.selectedBrowser,- [REQUEST_URL],- async function(url) {- content.location.href = url + "file_navigation.html?foo3";- }+ [url3],+ async url => (content.location.href = url) ); await loaded; is(@@ -51,7 +52,7 @@ // Go back one site by clicking the back button info("Clicking back button");- loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser);+ loaded = BrowserTestUtils.waitForLocationChange(gBrowser, url2); let backButton = document.getElementById("back-button"); backButton.click(); await loaded;@@ -63,7 +64,7 @@ // Go back again info("Clicking back button again");- loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser);+ loaded = BrowserTestUtils.waitForLocationChange(gBrowser, url1); backButton.click(); await loaded; is(
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential URL Injection] [dom/security/test/https-first/browser_navigation.js] [Lines 18-21, 26-29, 35-38] [Old Code] BrowserTestUtils.loadURI(gBrowser, REQUEST_URL + "file_navigation.html?foo1"); content.location.href = url + "file_navigation.html?foo2"; content.location.href = url + "file_navigation.html?foo3"; [Fixed Code] let url1 = REQUEST_URL + "file_navigation.html?foo1"; let url2 = REQUEST_URL + "file_navigation.html?foo2"; let url3 = REQUEST_URL + "file_navigation.html?foo3"; BrowserTestUtils.loadURI(gBrowser, url1); content.location.href = url; content.location.href = url; Additional Details: The change improves code organization by pre-constructing URLs, but it's unclear if this fixes a security issue. The modification could potentially help prevent URL injection by making the URL construction more explicit, but there's no clear evidence of a vulnerability being fixed. 2. Vulnerability Existed: not sure [Navigation Race Condition] [dom/security/test/https-first/browser_navigation.js] [Lines 51, 63] [Old Code] loaded = BrowserTestUtils.browserLoaded(gBrowser.selectedBrowser); [Fixed Code] loaded = BrowserTestUtils.waitForLocationChange(gBrowser, url2); loaded = BrowserTestUtils.waitForLocationChange(gBrowser, url1); Additional Details: The change from browserLoaded to waitForLocationChange makes the test more precise by explicitly waiting for specific URL changes rather than any page load. While this improves test reliability, it's unclear if this fixes an actual security vulnerability or just makes the tests more robust. The change could potentially prevent race conditions in navigation testing.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/forms/nsCheckboxRadioFrame.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/forms/nsCheckboxRadioFrame.h@@ -33,10 +33,7 @@ } virtual void BuildDisplayList(nsDisplayListBuilder* aBuilder,- const nsDisplayListSet& aLists) override {- DO_GLOBAL_REFLOW_COUNT_DSP("nsCheckboxRadioFrame");- DisplayBorderBackgroundOutline(aBuilder, aLists);- }+ const nsDisplayListSet& aLists) override; /** * Both GetMinISize and GetPrefISize will return whatever GetIntrinsicISize
Based on the provided code diff, here's the analysis:
Vulnerability Existed: not sure
[Potential Performance Optimization] [layout/forms/nsCheckboxRadioFrame.h] [Lines 33-37]
[Old Code]
virtual void BuildDisplayList(nsDisplayListBuilder* aBuilder,
const nsDisplayListSet& aLists) override {
DO_GLOBAL_REFLOW_COUNT_DSP("nsCheckboxRadioFrame");
DisplayBorderBackgroundOutline(aBuilder, aLists);
}
[Fixed Code]
virtual void BuildDisplayList(nsDisplayListBuilder* aBuilder,
const nsDisplayListSet& aLists) override;
Additional Details:
The change moves the implementation of BuildDisplayList from the header file to a separate implementation file. While this could potentially be related to security (as moving code out of headers can reduce exposure), it appears to be primarily a performance optimization or code organization change. There's no clear security vulnerability being fixed here, but the change could have security implications by reducing the attack surface of inline functions.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/layers/wr/WebRenderBridgeParent.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/layers/wr/WebRenderBridgeParent.cpp@@ -245,19 +245,31 @@ explicit ScheduleSharedSurfaceRelease(WebRenderBridgeParent* aWrBridge) : mWrBridge(aWrBridge), mSurfaces(20) {}+ ~ScheduleSharedSurfaceRelease() override {+ if (!mSurfaces.IsEmpty()) {+ MOZ_ASSERT_UNREACHABLE("Unreleased surfaces!");+ gfxCriticalNote << "ScheduleSharedSurfaceRelease destroyed non-empty";+ NotifyInternal(/* aFromCheckpoint */ false);+ }+ }+ void Add(const wr::ImageKey& aKey, const wr::ExternalImageId& aId) { mSurfaces.AppendElement(wr::ExternalImageKeyPair{aKey, aId}); } void Notify(wr::Checkpoint) override {+ NotifyInternal(/* aFromCheckpoint */ true);+ }++ private:+ void NotifyInternal(bool aFromCheckpoint) { CompositorThread()->Dispatch(- NewRunnableMethod<nsTArray<wr::ExternalImageKeyPair>>(+ NewRunnableMethod<nsTArray<wr::ExternalImageKeyPair>, bool>( "ObserveSharedSurfaceRelease", mWrBridge, &WebRenderBridgeParent::ObserveSharedSurfaceRelease,- std::move(mSurfaces)));- }-- private:+ std::move(mSurfaces), aFromCheckpoint));+ }+ RefPtr<WebRenderBridgeParent> mWrBridge; nsTArray<wr::ExternalImageKeyPair> mSurfaces; };@@ -448,6 +460,8 @@ Maybe<Range<uint8_t>> ptr = aReader.GetReadPointerOrCopy(aOp.bytes(), sourceBytes); if (ptr.isNothing()) {+ gfxCriticalNote << "No read pointer from reader for sanitizing font "+ << aOp.key().mHandle; return false; } Range<uint8_t>& source = ptr.ref();@@ -490,6 +504,7 @@ } }+ bool success = true; for (const auto& cmd : aResourceUpdates) { switch (cmd.type()) { case OpUpdateResource::TOpAddImage: {@@ -500,11 +515,12 @@ } wr::Vec<uint8_t> bytes;- if (!reader.Read(op.bytes(), bytes)) {+ if (reader.Read(op.bytes(), bytes)) {+ aUpdates.AddImage(op.key(), op.descriptor(), bytes);+ } else { gfxCriticalNote << "TOpAddImage failed";- return false;+ success = false; }- aUpdates.AddImage(op.key(), op.descriptor(), bytes); break; } case OpUpdateResource::TOpUpdateImage: {@@ -515,11 +531,12 @@ } wr::Vec<uint8_t> bytes;- if (!reader.Read(op.bytes(), bytes)) {+ if (reader.Read(op.bytes(), bytes)) {+ aUpdates.UpdateImageBuffer(op.key(), op.descriptor(), bytes);+ } else { gfxCriticalNote << "TOpUpdateImage failed";- return false;+ success = false; }- aUpdates.UpdateImageBuffer(op.key(), op.descriptor(), bytes); break; } case OpUpdateResource::TOpAddBlobImage: {@@ -530,13 +547,14 @@ } wr::Vec<uint8_t> bytes;- if (!reader.Read(op.bytes(), bytes)) {+ if (reader.Read(op.bytes(), bytes)) {+ aUpdates.AddBlobImage(op.key(), op.descriptor(), mBlobTileSize, bytes,+ wr::ToDeviceIntRect(op.visibleRect()));+ } else { gfxCriticalNote << "TOpAddBlobImage failed";- return false;+ success = false; }- aUpdates.AddBlobImage(op.key(), op.descriptor(), mBlobTileSize, bytes,- wr::ToDeviceIntRect(op.visibleRect())); break; } case OpUpdateResource::TOpUpdateBlobImage: {@@ -547,13 +565,14 @@ } wr::Vec<uint8_t> bytes;- if (!reader.Read(op.bytes(), bytes)) {+ if (reader.Read(op.bytes(), bytes)) {+ aUpdates.UpdateBlobImage(op.key(), op.descriptor(), bytes,+ wr::ToDeviceIntRect(op.visibleRect()),+ wr::ToLayoutIntRect(op.dirtyRect()));+ } else { gfxCriticalNote << "TOpUpdateBlobImage failed";- return false;+ success = false; }- aUpdates.UpdateBlobImage(op.key(), op.descriptor(), bytes,- wr::ToDeviceIntRect(op.visibleRect()),- wr::ToLayoutIntRect(op.dirtyRect())); break; } case OpUpdateResource::TOpSetBlobImageVisibleArea: {@@ -576,7 +595,7 @@ const auto& op = cmd.get_OpAddSharedExternalImage(); // gfxCriticalNote is called on error if (!AddSharedExternalImage(op.externalImageId(), op.key(), aUpdates)) {- return false;+ success = false; } break; }@@ -587,7 +606,7 @@ // gfxCriticalNote is called on error if (!PushExternalImageForTexture(op.externalImageId(), op.key(), texture, op.isUpdate(), aUpdates)) {- return false;+ success = false; } break; }@@ -603,14 +622,13 @@ if (!UpdateSharedExternalImage(op.externalImageId(), op.key(), op.dirtyRect(), aUpdates, scheduleRelease)) {- return false;+ success = false; } break; } case OpUpdateResource::TOpAddRawFont: { if (!ReadRawFont(cmd.get_OpAddRawFont(), reader, aUpdates)) {- gfxCriticalNote << "TOpAddRawFont failed";- return false;+ success = false; } break; }@@ -622,11 +640,12 @@ } wr::Vec<uint8_t> bytes;- if (!reader.Read(op.bytes(), bytes)) {+ if (reader.Read(op.bytes(), bytes)) {+ aUpdates.AddFontDescriptor(op.key(), bytes, op.fontIndex());+ } else { gfxCriticalNote << "TOpAddFontDescriptor failed";- return false;+ success = false; }- aUpdates.AddFontDescriptor(op.key(), bytes, op.fontIndex()); break; } case OpUpdateResource::TOpAddFontInstance: {@@ -638,14 +657,15 @@ } wr::Vec<uint8_t> variations;- if (!reader.Read(op.variations(), variations)) {+ if (reader.Read(op.variations(), variations)) {+ aUpdates.AddFontInstance(op.instanceKey(), op.fontKey(),+ op.glyphSize(), op.options().ptrOr(nullptr),+ op.platformOptions().ptrOr(nullptr),+ variations);+ } else { gfxCriticalNote << "TOpAddFontInstance failed";- return false;+ success = false; }- aUpdates.AddFontInstance(op.instanceKey(), op.fontKey(), op.glyphSize(),- op.options().ptrOr(nullptr),- op.platformOptions().ptrOr(nullptr),- variations); break; } case OpUpdateResource::TOpDeleteImage: {@@ -703,7 +723,9 @@ : wr::Checkpoint::FrameTexturesUpdated; aUpdates.Notify(when, std::move(scheduleRelease)); }- return true;++ MOZ_ASSERT(success);+ return success; } void WebRenderBridgeParent::AddPrivateExternalImage(@@ -893,10 +915,22 @@ } void WebRenderBridgeParent::ObserveSharedSurfaceRelease(- const nsTArray<wr::ExternalImageKeyPair>& aPairs) {+ const nsTArray<wr::ExternalImageKeyPair>& aPairs,+ const bool& aFromCheckpoint) { if (!mDestroyed) { Unused << SendWrReleasedImages(aPairs); }++ if (!aFromCheckpoint && mAsyncImageManager) {+ // We failed to receive a checkpoint notification, so we are releasing these+ // surfaces blind. Let's wait until the next epoch to complete releasing.+ for (const auto& pair : aPairs) {+ mAsyncImageManager->HoldExternalImage(mPipelineId, mWrEpoch, pair.id);+ }+ return;+ }++ // We hit the checkpoint, so we know we can safely release the surfaces now. for (const auto& pair : aPairs) { SharedSurfacesParent::Release(pair.id); }@@ -944,11 +978,11 @@ RollbackWrEpoch(); }+ mApi->SendTransaction(txn);+ if (!success) { return IPC_FAIL(this, "Invalid WebRender resource data shmem or address."); }-- mApi->SendTransaction(txn); return IPC_OK(); }@@ -1118,10 +1152,8 @@ const nsTArray<ipc::Shmem>& aLargeShmems, const TimeStamp& aTxnStartTime, wr::TransactionBuilder& aTxn, wr::Epoch aWrEpoch, bool aObserveLayersUpdate) {- if (NS_WARN_IF(!UpdateResources(aResourceUpdates, aSmallShmems, aLargeShmems,- aTxn))) {- return false;- }+ bool success =+ UpdateResources(aResourceUpdates, aSmallShmems, aLargeShmems, aTxn); wr::Vec<uint8_t> dlItems(std::move(aDLItems)); wr::Vec<uint8_t> dlCache(std::move(aDLCache));@@ -1159,7 +1191,7 @@ // We will schedule generating a frame after the scene // build is done, so we don't need to do it here.- return true;+ return success; } bool WebRenderBridgeParent::ProcessDisplayListData(@@ -1182,23 +1214,20 @@ sender.emplace(mApi, &txn); }- if (NS_WARN_IF(- !ProcessWebRenderParentCommands(aDisplayList.mCommands, txn))) {- return false;- }+ bool success = ProcessWebRenderParentCommands(aDisplayList.mCommands, txn); if (aDisplayList.mDLItems && aDisplayList.mDLCache &&- aDisplayList.mDLSpatialTree && aValidTransaction &&- !SetDisplayList(aDisplayList.mRect,- std::move(aDisplayList.mDLItems.ref()),- std::move(aDisplayList.mDLCache.ref()),- std::move(aDisplayList.mDLSpatialTree.ref()),- aDisplayList.mDLDesc, aDisplayList.mResourceUpdates,- aDisplayList.mSmallShmems, aDisplayList.mLargeShmems,- aTxnStartTime, txn, aWrEpoch, aObserveLayersUpdate)) {- return false;- }- return true;+ aDisplayList.mDLSpatialTree && aValidTransaction) {+ success = SetDisplayList(+ aDisplayList.mRect, std::move(aDisplayList.mDLItems.ref()),+ std::move(aDisplayList.mDLCache.ref()),+ std::move(aDisplayList.mDLSpatialTree.ref()),+ aDisplayList.mDLDesc, aDisplayList.mResourceUpdates,+ aDisplayList.mSmallShmems, aDisplayList.mLargeShmems,+ aTxnStartTime, txn, aWrEpoch, aObserveLayersUpdate) &&+ success;+ }+ return success; } mozilla::ipc::IPCResult WebRenderBridgeParent::RecvSetDisplayList(@@ -1245,12 +1274,8 @@ bool validTransaction = aDisplayList.mIdNamespace == mIdNamespace; bool observeLayersUpdate = ShouldParentObserveEpoch();- if (!ProcessDisplayListData(aDisplayList, wrEpoch, aTxnStartTime,- validTransaction, observeLayersUpdate)) {- wr::IpcResourceUpdateQueue::ReleaseShmems(this, aDisplayList.mSmallShmems);- wr::IpcResourceUpdateQueue::ReleaseShmems(this, aDisplayList.mLargeShmems);- return IPC_FAIL(this, "Failed to process DisplayListData.");- }+ bool success = ProcessDisplayListData(aDisplayList, wrEpoch, aTxnStartTime,+ validTransaction, observeLayersUpdate); if (!validTransaction && observeLayersUpdate) { mCompositorBridge->ObserveLayersUpdate(GetLayersId(),@@ -1281,6 +1306,10 @@ wr::IpcResourceUpdateQueue::ReleaseShmems(this, aDisplayList.mSmallShmems); wr::IpcResourceUpdateQueue::ReleaseShmems(this, aDisplayList.mLargeShmems);+ if (!success) {+ return IPC_FAIL(this, "Failed to process DisplayListData.");+ }+ return IPC_OK(); }@@ -1300,16 +1329,14 @@ // AsyncImagePipelineManager. Unused << GetNextWrEpoch();- if (aData.mIdNamespace == mIdNamespace &&- !UpdateResources(aData.mResourceUpdates, aData.mSmallShmems,- aData.mLargeShmems, txn)) {- return false;+ bool success = true;+ if (aData.mIdNamespace == mIdNamespace) {+ success = UpdateResources(aData.mResourceUpdates, aData.mSmallShmems,+ aData.mLargeShmems, txn); } if (!aData.mCommands.IsEmpty()) {- if (!ProcessWebRenderParentCommands(aData.mCommands, txn)) {- return false;- }+ success = ProcessWebRenderParentCommands(aData.mCommands, txn) && success; } if (ShouldParentObserveEpoch()) {@@ -1342,7 +1369,7 @@ mAsyncImageManager->SetWillGenerateFrame(); }- return true;+ return success; } mozilla::ipc::IPCResult WebRenderBridgeParent::RecvEmptyTransaction(@@ -1387,16 +1414,11 @@ bool scheduleAnyComposite = false; wr::RenderReasons renderReasons = wr::RenderReasons::NONE;+ bool success = true; if (aTransactionData) { bool scheduleComposite = false;- if (!ProcessEmptyTransactionUpdates(*aTransactionData,- &scheduleComposite)) {- wr::IpcResourceUpdateQueue::ReleaseShmems(this,- aTransactionData->mSmallShmems);- wr::IpcResourceUpdateQueue::ReleaseShmems(this,- aTransactionData->mLargeShmems);- return IPC_FAIL(this, "Failed to process empty transaction update.");- }+ success =+ ProcessEmptyTransactionUpdates(*aTransactionData, &scheduleComposite); scheduleAnyComposite = scheduleAnyComposite || scheduleComposite; renderReasons |= wr::RenderReasons::RESOURCE_UPDATE; }@@ -1438,6 +1460,11 @@ wr::IpcResourceUpdateQueue::ReleaseShmems(this, aTransactionData->mLargeShmems); }++ if (!success) {+ return IPC_FAIL(this, "Failed to process empty transaction update.");+ }+ return IPC_OK(); }@@ -1460,11 +1487,13 @@ wr::TransactionBuilder txn(mApi); txn.SetLowPriority(!IsRootWebRenderBridgeParent());- if (!ProcessWebRenderParentCommands(aCommands, txn)) {+ bool success = ProcessWebRenderParentCommands(aCommands, txn);+ mApi->SendTransaction(txn);++ if (!success) { return IPC_FAIL(this, "Invalid parent command found"); }- mApi->SendTransaction(txn); return IPC_OK(); }@@ -1476,6 +1505,7 @@ wr::TransactionBuilder txnForImageBridge(mApi); wr::AutoTransactionSender sender(mApi, &txnForImageBridge);+ bool success = true; for (nsTArray<WebRenderParentCommand>::index_type i = 0; i < aCommands.Length(); ++i) { const WebRenderParentCommand& cmd = aCommands[i];@@ -1530,7 +1560,9 @@ // process PID in the upper 32 bits of the id, verify that this is as // expected. if ((data.id() >> 32) != (uint64_t)OtherPid()) {- return false;+ gfxCriticalNote << "TOpAddCompositorAnimations bad id";+ success = false;+ continue; } if (data.animations().Length()) { if (RefPtr<OMTASampler> sampler = GetOMTASampler()) {@@ -1552,7 +1584,9 @@ } } }- return true;++ MOZ_ASSERT(success);+ return success; } void WebRenderBridgeParent::FlushSceneBuilds() {
I'll analyze the code diff for security fixes following the specified format.
1. Vulnerability Existed: yes
Resource Leak Vulnerability [File] gfx/layers/wr/WebRenderBridgeParent.cpp [Lines 245-263]
[Old Code]
explicit ScheduleSharedSurfaceRelease(WebRenderBridgeParent* aWrBridge)
: mWrBridge(aWrBridge), mSurfaces(20) {}
void Add(const wr::ImageKey& aKey, const wr::ExternalImageId& aId) {
mSurfaces.AppendElement(wr::ExternalImageKeyPair{aKey, aId});
}
[Fixed Code]
explicit ScheduleSharedSurfaceRelease(WebRenderBridgeParent* aWrBridge)
: mWrBridge(aWrBridge), mSurfaces(20) {}
~ScheduleSharedSurfaceRelease() override {
if (!mSurfaces.IsEmpty()) {
MOZ_ASSERT_UNREACHABLE("Unreleased surfaces!");
gfxCriticalNote << "ScheduleSharedSurfaceRelease destroyed non-empty";
NotifyInternal(/* aFromCheckpoint */ false);
}
}
void Add(const wr::ImageKey& aKey, const wr::ExternalImageId& aId) {
mSurfaces.AppendElement(wr::ExternalImageKeyPair{aKey, aId});
}
2. Vulnerability Existed: yes
Race Condition Vulnerability [File] gfx/layers/wr/WebRenderBridgeParent.cpp [Lines 893-920]
[Old Code]
void WebRenderBridgeParent::ObserveSharedSurfaceRelease(
const nsTArray<wr::ExternalImageKeyPair>& aPairs) {
if (!mDestroyed) {
Unused << SendWrReleasedImages(aPairs);
}
for (const auto& pair : aPairs) {
SharedSurfacesParent::Release(pair.id);
}
}
[Fixed Code]
void WebRenderBridgeParent::ObserveSharedSurfaceRelease(
const nsTArray<wr::ExternalImageKeyPair>& aPairs,
const bool& aFromCheckpoint) {
if (!mDestroyed) {
Unused << SendWrReleasedImages(aPairs);
}
if (!aFromCheckpoint && mAsyncImageManager) {
// We failed to receive a checkpoint notification, so we are releasing these
// surfaces blind. Let's wait until the next epoch to complete releasing.
for (const auto& pair : aPairs) {
mAsyncImageManager->HoldExternalImage(mPipelineId, mWrEpoch, pair.id);
}
return;
}
// We hit the checkpoint, so we know we can safely release the surfaces now.
for (const auto& pair : aPairs) {
SharedSurfacesParent::Release(pair.id);
}
}
3. Vulnerability Existed: yes
Error Handling Vulnerability [File] gfx/layers/wr/WebRenderBridgeParent.cpp [Lines 490-723]
[Old Code]
// Multiple cases where errors would immediately return false
if (!reader.Read(op.bytes(), bytes)) {
gfxCriticalNote << "TOpAddImage failed";
return false;
}
[Fixed Code]
// Changed to accumulate errors and continue processing
bool success = true;
if (reader.Read(op.bytes(), bytes)) {
aUpdates.AddImage(op.key(), op.descriptor(), bytes);
} else {
gfxCriticalNote << "TOpAddImage failed";
success = false;
}
4. Vulnerability Existed: yes
Transaction Ordering Vulnerability [File] gfx/layers/wr/WebRenderBridgeParent.cpp [Lines 944-978]
[Old Code]
if (!success) {
return IPC_FAIL(this, "Invalid WebRender resource data shmem or address.");
}
mApi->SendTransaction(txn);
[Fixed Code]
mApi->SendTransaction(txn);
if (!success) {
return IPC_FAIL(this, "Invalid WebRender resource data shmem or address.");
}
5. Vulnerability Existed: not sure
Potential Memory Safety Issue [File] gfx/layers/wr/WebRenderBridgeParent.cpp [Lines 448-460]
[Old Code]
Maybe<Range<uint8_t>> ptr =
aReader.GetReadPointerOrCopy(aOp.bytes(), sourceBytes);
if (ptr.isNothing()) {
return false;
}
[Fixed Code]
Maybe<Range<uint8_t>> ptr =
aReader.GetReadPointerOrCopy(aOp.bytes(), sourceBytes);
if (ptr.isNothing()) {
gfxCriticalNote << "No read pointer from reader for sanitizing font "
<< aOp.key().mHandle;
return false;
}
The changes appear to address several security-related issues including resource leaks, race conditions, improved error handling, transaction ordering, and better memory safety through added validation and logging. The most significant changes are around proper resource cleanup and handling of shared surfaces.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wgpu-hal/src/auxil/mod.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wgpu-hal/src/auxil/mod.rs@@ -14,6 +14,12 @@ pub const VENDOR: u32 = 0x5143; } }++/// Maximum binding size for the shaders that only support `i32` indexing.+/// Interestingly, the index itself can't reach that high, because the minimum+/// element size is 4 bytes, but the compiler toolchain still computes the+/// offset at some intermediate point, internally, as i32.+pub const MAX_I32_BINDING_SIZE: u32 = 1 << 31; pub fn map_naga_stage(stage: naga::ShaderStage) -> wgt::ShaderStages { match stage {
Analysis of the code diff: 1. Vulnerability Existed: not sure [Potential Integer Overflow] [third_party/rust/wgpu-hal/src/auxil/mod.rs] [Lines 14-20] [Old Code: (No code present before)] [Fixed Code: Added constant MAX_I32_BINDING_SIZE with value 1 << 31] Additional Details: - The diff adds a new constant MAX_I32_BINDING_SIZE with a value of 1 << 31 (2,147,483,648) - This appears to be related to shader binding size limits and i32 indexing constraints - While not clearly a security fix, the comment suggests this might be addressing potential integer overflow issues in shader compilation - The change appears to be adding a safeguard rather than fixing an existing vulnerability - Without more context about how this constant is used, we can't be certain if it's fixing a vulnerability or just adding a safety measure
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/remote/shared/messagehandler/test/browser/browser_session_data.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/remote/shared/messagehandler/test/browser/browser_session_data.js@@ -158,6 +158,36 @@ is(sessionDataSnapshot.size, 0, "session data should be empty again"); });+add_task(async function test_sessionDataRootOnlyModule() {+ const sessionId = "sessionData-test-rootOnly";++ const rootMessageHandler = createRootMessageHandler(sessionId);+ ok(rootMessageHandler, "Valid ROOT MessageHandler created");++ await BrowserTestUtils.loadURI(+ gBrowser,+ "https://example.com/document-builder.sjs?html=tab"+ );++ const windowGlobalCreated = rootMessageHandler.once("message-handler-event");++ // Updating the session data on the root message handler should not cause+ // failures for other message handlers if the module only exists for root.+ await rootMessageHandler.addSessionData({+ moduleName: "rootOnly",+ category: "session_data_root_only",+ contextDescriptor: {+ type: CONTEXT_DESCRIPTOR_TYPES.ALL,+ },+ values: [true],+ });++ await windowGlobalCreated;+ ok(true, "Window global has been initialized");++ rootMessageHandler.destroy();+});+ function checkSessionDataItem(item, moduleName, category, contextType, value) { is(item.moduleName, moduleName, "Data item has the expected module name"); is(item.category, category, "Data item has the expected category");
Based on the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be adding a new test case for session data handling rather than fixing security issues.
Analysis:
1. The diff adds a new test function `test_sessionDataRootOnlyModule` that verifies session data handling for root-only modules.
2. The test checks that updating session data on the root message handler doesn't cause failures for other handlers when the module only exists for root.
3. No security-related changes or fixes are evident in this diff.
Answer Format Response:
Vulnerability Existed: no
No security vulnerabilities found in this diff. The changes appear to be adding test functionality for session data handling.
The changes are focused on testing functionality rather than addressing security issues. The test verifies proper behavior of session data handling when dealing with root-only modules, which is more about functionality testing than security hardening.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.3arg.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.3arg.html@@ -18,8 +18,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var promise1 = new Promise(function(resolve, reject) { var xhr = new XMLHttpRequest();@@ -48,10 +48,10 @@ ctx.drawImage(bitmap1, 100, 0); ctx.drawImage(bitmap1, 0, -50); ctx.drawImage(bitmap1, 0, 50);- _assertPixelApprox(offscreenCanvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255", 2); }, t_fail); }).then(t_pass, t_fail);
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and corresponding updates to the assertions. Here's the structured response:
Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.3arg.html] [Lines 18-48]
[Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ... _assertPixelApprox(offscreenCanvas, ...)]
[Fixed Code: var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ... _assertPixelApprox(canvas, ...)]
The changes are purely cosmetic/refactoring in nature and don't address any security issues. The functionality remains exactly the same, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/jpeg-xl/lib/jxl/enc_heuristics.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/jpeg-xl/lib/jxl/enc_heuristics.h@@ -35,8 +35,8 @@ // `aux_out` collects statistics and can be used to print debug images. virtual Status LossyFrameHeuristics( PassesEncoderState* enc_state, ModularFrameEncoder* modular_frame_encoder,- const ImageBundle* original_pixels, Image3F* opsin, ThreadPool* pool,- AuxOut* aux_out) = 0;+ const ImageBundle* original_pixels, Image3F* opsin,+ const JxlCmsInterface& cms, ThreadPool* pool, AuxOut* aux_out) = 0; // Custom fixed tree for lossless mode. Must set `tree` to a valid tree if // the function returns true.@@ -61,8 +61,8 @@ Status LossyFrameHeuristics(PassesEncoderState* enc_state, ModularFrameEncoder* modular_frame_encoder, const ImageBundle* original_pixels,- Image3F* opsin, ThreadPool* pool,- AuxOut* aux_out) override;+ Image3F* opsin, const JxlCmsInterface& cms,+ ThreadPool* pool, AuxOut* aux_out) override; bool HandlesColorConversion(const CompressParams& cparams, const ImageBundle& ib) override; };@@ -72,7 +72,8 @@ Status LossyFrameHeuristics(PassesEncoderState* enc_state, ModularFrameEncoder* modular_frame_encoder, const ImageBundle* linear, Image3F* opsin,- ThreadPool* pool, AuxOut* aux_out) override;+ const JxlCmsInterface& cms, ThreadPool* pool,+ AuxOut* aux_out) override; }; // Exposed here since it may be used by other EncoderHeuristics implementations
Based on the provided code diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential Missing Color Management System (CMS) Parameter] [third_party/jpeg-xl/lib/jxl/enc_heuristics.h] [Lines 35-38, 61-64, 72-75]
[Old Code]
virtual Status LossyFrameHeuristics(
PassesEncoderState* enc_state, ModularFrameEncoder* modular_frame_encoder,
const ImageBundle* original_pixels, Image3F* opsin, ThreadPool* pool,
AuxOut* aux_out) = 0;
[Fixed Code]
virtual Status LossyFrameHeuristics(
PassesEncoderState* enc_state, ModularFrameEncoder* modular_frame_encoder,
const ImageBundle* original_pixels, Image3F* opsin,
const JxlCmsInterface& cms, ThreadPool* pool, AuxOut* aux_out) = 0;
Additional Details:
The diff shows the addition of a `const JxlCmsInterface& cms` parameter to the `LossyFrameHeuristics` method across multiple declarations. While this appears to be a functional improvement related to color management, I cannot definitively determine if this fixes a specific security vulnerability. The change suggests better handling of color management operations, which could potentially prevent color-related processing issues, but without more context about previous vulnerabilities or issues, I can't confirm if this was addressing a known security concern.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/nimbus/test/gtest/NimbusFeatures_GetTest.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/nimbus/test/gtest/NimbusFeatures_GetTest.cpp@@ -24,6 +24,62 @@ ASSERT_TRUE(NimbusFeatures::GetBool("foo"_ns, "enabled"_ns, false)); }+TEST(NimbusFeaturesGetRollout, Errors)+{+ ASSERT_EQ(Preferences::SetInt("nimbus.syncdefaultsstore.rollout.value", 7,+ PrefValueKind::User),+ NS_OK);+ ASSERT_EQ(NimbusFeatures::GetInt("rollout"_ns, "value"_ns, 0), 7);+ ASSERT_EQ(Preferences::SetBool("nimbus.syncdefaultsstore.rollout.enabled",+ true, PrefValueKind::User),+ NS_OK);+ ASSERT_TRUE(NimbusFeatures::GetBool("rollout"_ns, "enabled"_ns, false));+}++TEST(NimbusFeaturesExperimentPriorityOverRollouts, Errors)+{+ ASSERT_EQ(Preferences::SetInt("nimbus.syncdatastore.feature.value", 12,+ PrefValueKind::User),+ NS_OK);+ ASSERT_EQ(Preferences::SetInt("nimbus.syncdefaultsstore.feature.value", 22,+ PrefValueKind::User),+ NS_OK);+ ASSERT_EQ(NimbusFeatures::GetInt("feature"_ns, "value"_ns, 0), 12);+ ASSERT_EQ(Preferences::SetBool("nimbus.syncdatastore.feature.enabled", true,+ PrefValueKind::User),+ NS_OK);+ ASSERT_EQ(Preferences::SetBool("nimbus.syncdefaultsstore.feature.enabled",+ false, PrefValueKind::User),+ NS_OK);+ ASSERT_TRUE(NimbusFeatures::GetBool("feature"_ns, "enabled"_ns, false));+}++// Make sure user prefs take predence over experiments and rollouts+TEST(NimbusFeaturesDataSourcePrecedence, Errors)+{+ ASSERT_EQ(+ Preferences::SetInt("nimbus.testing.testInt", 29, PrefValueKind::User),+ NS_OK);+ ASSERT_EQ(NimbusFeatures::GetInt("testFeature"_ns, "testInt"_ns, 0), 29);++ ASSERT_EQ(Preferences::SetInt("nimbus.syncdatastore.testFeature.testInt", 12,+ PrefValueKind::User),+ NS_OK);+ ASSERT_EQ(Preferences::SetInt("nimbus.syncdefaultsstore.testFeature.testInt",+ 13, PrefValueKind::User),+ NS_OK);+ // Still return user pref+ ASSERT_EQ(NimbusFeatures::GetInt("testFeature"_ns, "testInt"_ns, 0), 29);+ // After user prefs it should default to experiment value+ Preferences::ClearUser("nimbus.testing.testInt");+ ASSERT_EQ(NimbusFeatures::GetInt("testFeature"_ns, "testInt"_ns, 0), 12);+ Preferences::ClearUser("nimbus.syncdatastore.testFeature.testInt");+ // After experiments it should default to rollouts+ ASSERT_EQ(NimbusFeatures::GetInt("testFeature"_ns, "testInt"_ns, 0), 13);+ // Cleanup+ Preferences::ClearUser("nimbus.syncdefaultsstore.testFeature.testInt");+}+ static void FooValueUpdated(const char* aPref, void* aUserData) { ASSERT_STREQ(aPref, "nimbus.syncdatastore.foo.value"); ASSERT_EQ(aUserData, reinterpret_cast<void*>(13));@@ -32,6 +88,13 @@ gPrefUpdate = true; ASSERT_EQ(NimbusFeatures::GetInt("foo"_ns, "value"_ns, 0), 24);+}++static void BarRolloutValueUpdated(const char* aPref, void* aUserData) {+ ASSERT_STREQ(aPref, "nimbus.syncdefaultsstore.bar.value");++ ASSERT_FALSE(gPrefUpdate);+ gPrefUpdate = true; } TEST(NimbusFeaturesGetFallback, Errors)@@ -60,6 +123,10 @@ ASSERT_EQ(NimbusFeatures::OnUpdate("foo"_ns, "value"_ns, FooValueUpdated, reinterpret_cast<void*>(13)), NS_OK);+ ASSERT_EQ(+ NimbusFeatures::OnUpdate("bar"_ns, "value"_ns, BarRolloutValueUpdated,+ reinterpret_cast<void*>(13)),+ NS_OK); ASSERT_EQ(Preferences::SetInt("nimbus.syncdatastore.foo.value", 24, PrefValueKind::User), NS_OK);@@ -72,6 +139,12 @@ PrefValueKind::User), NS_OK); ASSERT_FALSE(NimbusFeatures::GetBool("foo"_ns, "enabled"_ns, true));+ gPrefUpdate = false;++ ASSERT_EQ(Preferences::SetInt("nimbus.syncdefaultsstore.bar.value", 25,+ PrefValueKind::User),+ NS_OK);+ ASSERT_TRUE(gPrefUpdate); gPrefUpdate = false; // Verify OffUpdate requires a matching user data pointer to unregister.
Analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be adding new test cases and functionality for Nimbus feature rollouts and preference handling, but there are no security fixes evident in this diff. Here's the analysis following your requested format: Vulnerability Existed: no No security vulnerabilities found in the diff. The changes are test additions and feature enhancements. The diff shows: 1. Addition of new test cases for rollout functionality 2. Testing of experiment priority over rollouts 3. Testing of preference precedence (user > experiment > rollout) 4. Addition of a new callback handler for rollout value updates 5. Expansion of existing test cases to cover more scenarios These changes appear to be feature enhancements and improved test coverage rather than security fixes. No security-related code patterns (like input validation, auth checks, etc.) were modified or added in this diff. If I were to speculate about potential security implications (though none are directly visible in this diff), it would be that: - The preference handling system could potentially be a vector for security issues if not properly secured - The rollout system might need to ensure proper authorization checks when modifying preferences But these are not vulnerabilities shown in the current diff, just general areas to consider for security.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/widget/windows/nsWindow.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/widget/windows/nsWindow.h@@ -187,8 +187,7 @@ nsISupports* aData, nsIRunnable* aCallback) override; virtual void CleanupFullscreenTransition() override;- virtual nsresult MakeFullScreen(bool aFullScreen,- nsIScreen* aScreen = nullptr) override;+ virtual nsresult MakeFullScreen(bool aFullScreen) override; virtual void HideWindowChrome(bool aShouldHide) override; virtual void Invalidate(bool aEraseBackground = false, bool aUpdateNCArea = false,@@ -301,6 +300,8 @@ void SetSmallIcon(HICON aIcon); void SetBigIcon(HICON aIcon);+ void SetSmallIconNoData();+ void SetBigIconNoData(); static void SetIsRestoringSession(const bool aIsRestoringSession) { sIsRestoringSession = aIsRestoringSession;@@ -534,6 +535,8 @@ bool DispatchTouchEventFromWMPointer(UINT msg, LPARAM aLParam, const WinPointerInfo& aPointerInfo, mozilla::MouseButton aButton);++ void SetSizeModeInternal(nsSizeMode aMode); protected: static bool IsAsyncResponseEvent(UINT aMsg, LRESULT& aResult);
Let me analyze the code diff for potential security fixes:
1. First change (MakeFullScreen method):
Vulnerability Existed: not sure
[No specific vulnerability name] [widget/windows/nsWindow.h] [Lines 187-188]
[Old Code]
virtual nsresult MakeFullScreen(bool aFullScreen,
nsIScreen* aScreen = nullptr) override;
[Fixed Code]
virtual nsresult MakeFullScreen(bool aFullScreen) override;
Note: The removal of the optional screen parameter might be related to security, but without more context it's unclear if this was fixing a specific vulnerability.
2. Second change (icon-related methods):
Vulnerability Existed: not sure
[No specific vulnerability name] [widget/windows/nsWindow.h] [Lines 301-302]
[Old Code]
void SetSmallIcon(HICON aIcon);
void SetBigIcon(HICON aIcon);
[Fixed Code]
void SetSmallIcon(HICON aIcon);
void SetBigIcon(HICON aIcon);
void SetSmallIconNoData();
void SetBigIconNoData();
Note: The addition of NoData methods might be related to preventing information leaks or handling null icons securely, but this is speculative without more context.
3. Third change (SetSizeModeInternal method):
Vulnerability Existed: not sure
[No specific vulnerability name] [widget/windows/nsWindow.h] [Line 535]
[Old Code]
[No previous method]
[Fixed Code]
void SetSizeModeInternal(nsSizeMode aMode);
Note: The addition of this internal method might be related to security hardening, but its purpose isn't clear from the diff alone.
None of these changes clearly indicate specific known vulnerabilities, but they could be part of security hardening measures. More context would be needed to determine if they were fixing actual vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/streams/QueueWithSizes.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/streams/QueueWithSizes.h@@ -27,7 +27,16 @@ double mSize = 0.0f; };-using QueueWithSizes = LinkedList<ValueWithSize>;+// This type is a little tricky lifetime wise: Despite the fact that we're+// talking about linked list of VaueWithSize, what is actually stored in the+// list are dynamically allocated ValueWithSize*. As a result, these have to be+// deleted. There are two ways this lifetime is managed:+//+// 1. In DequeueValue we pop the first element into a UniquePtr, so that it is+// correctly cleaned up at destruction time.+// 2. We use an AutoCleanLinkedList which will delete elements when destroyed+// or `clear`ed.+using QueueWithSizes = AutoCleanLinkedList<ValueWithSize>; // https://streams.spec.whatwg.org/#is-non-negative-number inline bool IsNonNegativeNumber(double v) {@@ -59,7 +68,8 @@ return; }- // Step 4.+ // Step 4. See the comment on QueueWithSizes for the lifetime reasoning+ // around this allocation. ValueWithSize* valueWithSize = new ValueWithSize(aValue, aSize); aContainer->Queue().insertBack(valueWithSize); // Step 5.
Here's the analysis of the provided code diff: 1. Vulnerability Existed: yes Memory Leak Vulnerability [File] dom/streams/QueueWithSizes.h [Lines 27] [Old Code] using QueueWithSizes = LinkedList<ValueWithSize>; [Fixed Code] using QueueWithSizes = AutoCleanLinkedList<ValueWithSize>; Additional Details: - The vulnerability was a potential memory leak due to using a raw LinkedList that didn't automatically clean up dynamically allocated ValueWithSize objects. - The fix replaces it with AutoCleanLinkedList which properly manages memory by deleting elements when destroyed or cleared. 2. Vulnerability Existed: yes Unsafe Memory Management Vulnerability [File] dom/streams/QueueWithSizes.h [Lines 59] [Old Code] ValueWithSize* valueWithSize = new ValueWithSize(aValue, aSize); aContainer->Queue().insertBack(valueWithSize); [Fixed Code] (No code change, but the comment was added to explain the lifetime management) Additional Details: - While the code itself didn't change, the added comment clarifies the memory management strategy, indicating awareness of potential memory safety issues. - The vulnerability was potential memory leaks if the dynamically allocated ValueWithSize objects weren't properly cleaned up. - The fix is implemented through the change to AutoCleanLinkedList type, making this allocation safe as it will be automatically cleaned up.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-46.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-46.xml@@ -7,7 +7,6 @@ <link rel="author" title="Daniel Glazman" href="http://glazman.org/"/> <link rel="author" title="Ian Hickson" href="mailto:[email protected]"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->- <meta name="flags" content="" /> </head> <body> <div class="stub">
Based on the provided diff, I'll analyze it for security vulnerabilities: Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/selectors/old-tests/css3-modsel-46.xml [Lines] 7 [Old Code] <meta name="flags" content="" /> [Fixed Code] (line removed) Additional details: 1. The change simply removes an empty meta tag with a "flags" attribute, which doesn't appear to have any security implications. 2. There's no evidence of any actual vulnerability being fixed here - this appears to be a minor cleanup change. 3. The "flags" meta tag doesn't appear to be related to any known security vulnerabilities in web standards. No other vulnerabilities were identified in this small diff. The change appears to be a minor cleanup rather than a security fix.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-round-display/polar-anchor-left-top-001.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-round-display/polar-anchor-left-top-001.html@@ -4,7 +4,6 @@ <title>CSS Test: Anchor of the element</title> <link rel="author" title="Jihye Hong" href="mailto:[email protected]" /> <link rel="help" href="https://www.w3.org/TR/motion-1/#polar-anchor-property">- <meta name="flags" content=""> <meta name="assert" content="Test checks that the representative point of the element specified with 'polar-anchor'."> <style type="text/css"> .container {
Based on the provided diff, I don't see any security vulnerabilities being fixed. The change appears to be a minor cleanup of test metadata rather than a security-related fix.
Answer:
Vulnerability Existed: no
No security vulnerability found in this diff
[Old Code]
<meta name="flags" content="">
[Fixed Code]
(line removed)
Additional Notes:
- The change simply removes an empty meta tag that wasn't serving any purpose
- This appears to be a test file cleanup rather than a security fix
- No actual code logic was changed, just test metadata
- No known vulnerability patterns are present in this change
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/mobile/android/examples/port_messaging_example/app/src/main/AndroidManifest.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/mobile/android/examples/port_messaging_example/app/src/main/AndroidManifest.xml@@ -13,7 +13,9 @@ android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true" android:theme="@style/AppTheme">- <activity android:name=".MainActivity">+ <activity+ android:exported="true"+ android:name=".MainActivity"> <intent-filter> <action android:name="android.intent.action.MAIN" />@@ -22,4 +24,4 @@ </activity> </application>-</manifest>+</manifest>
Here's the analysis of the provided code diff:
1. Vulnerability Existed: yes
**Missing Exported Attribute for Activity** [mobile/android/examples/port_messaging_example/app/src/main/AndroidManifest.xml] [Lines 13-15]
Old Code:
```xml
<activity android:name=".MainActivity">
```
Fixed Code:
```xml
<activity
android:exported="true"
android:name=".MainActivity">
```
Additional Details: The fix adds the `android:exported` attribute to the activity, which is required for Android 12 (API level 31) and higher. Without this attribute, the activity could be vulnerable to unauthorized access from other apps. This addresses a potential security vulnerability where components could be accessed without proper restrictions.
2. Vulnerability Existed: not sure
**Potential Manifest Formatting Issue** [mobile/android/examples/port_messaging_example/app/src/main/AndroidManifest.xml] [Line 22]
Old Code:
```xml
</manifest>
```
Fixed Code:
```xml
</manifest>+</manifest>
```
Additional Details: The diff shows an unusual change in the closing manifest tag. This might be a formatting or diff display issue rather than an actual security fix. Without more context, it's unclear if this represents a security-related change. The `+` symbol in the diff output might be an artifact of the diff presentation rather than actual code change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-break/widows-orphans-009.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-break/widows-orphans-009.html@@ -20,7 +20,6 @@ -->- <meta name="flags" content=""> <meta name="assert" content="When column boxes are filled sequentially, their content should be distributed and fragmented in accordance with the 'orphans' and the 'widows' declarations. In the test, since the 3rd column box was going to get only 1 line box, then a class B break point should occur between the '7' and the '8' so that there is a minimum of 2 line boxes at the top of the 3rd column box. In doing so, the 'orphans: 2' declaration is still honored."> <style>
Based on the provided diff, I'll analyze it for security fixes: Vulnerability Existed: no [No security vulnerability found] [testing/web-platform/tests/css/css-break/widows-orphans-009.html] [Lines 20] [Old Code: <meta name="flags" content="">] [Fixed Code: (removed)] Additional Details: 1. The change simply removes a meta tag with an empty "flags" attribute, which appears to be test-related metadata rather than a security fix. 2. The modification doesn't address any known vulnerability patterns (XSS, injection, etc.). 3. The change appears to be part of test cleanup rather than a security patch. 4. No security-related functionality was modified in this change. Since this is a test file and the change is minimal, there's no evidence of a security vulnerability being fixed. The change is more likely related to test maintenance or cleanup.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.winding.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.winding.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -29,10 +29,10 @@ ctx.roundRect(0, 25, 100, -25, [0]); ctx.roundRect(100, 25, -100, 25, [0]); ctx.fill();-_assertPixel(offscreenCanvas, 25,12, 0,255,0,255, "25,12", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,12, 0,255,0,255, "75,12", "0,255,0,255");-_assertPixel(offscreenCanvas, 25,37, 0,255,0,255, "25,37", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,37, 0,255,0,255, "75,37", "0,255,0,255");+_assertPixel(canvas, 25,12, 0,255,0,255, "25,12", "0,255,0,255");+_assertPixel(canvas, 75,12, 0,255,0,255, "75,12", "0,255,0,255");+_assertPixel(canvas, 25,37, 0,255,0,255, "25,37", "0,255,0,255");+_assertPixel(canvas, 75,37, 0,255,0,255, "75,37", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, here's the security assessment: 1. Vulnerability Existed: no The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and corresponding updates to the assertions. There are no security vulnerabilities being fixed in this diff. The changes are likely for code consistency or readability improvements. 2. Vulnerability Existed: no The diff shows no changes to the actual canvas operations or security-related functionality. All the canvas operations and assertions remain functionally identical, just using a different variable name. 3. Vulnerability Existed: no The test assertions (_assertPixel calls) remain exactly the same in terms of their parameters and expected values, only the variable name being passed has changed. This appears to be a refactoring change rather than a security fix. The modification doesn't address any known vulnerability patterns or security issues in the canvas operations or test assertions.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/neqo-http3/src/server_events.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/neqo-http3/src/server_events.rs@@ -8,7 +8,9 @@ use crate::connection::Http3State; use crate::connection_server::Http3ServerHandler;-use crate::{Http3StreamInfo, Http3StreamType, Priority, Res};+use crate::{+ features::extended_connect::SessionCloseReason, Http3StreamInfo, Http3StreamType, Priority, Res,+}; use neqo_common::{qdebug, qinfo, Header}; use neqo_transport::server::ActiveConnectionRef; use neqo_transport::{AppError, Connection, StreamId, StreamType};@@ -234,6 +236,11 @@ } }+ #[must_use]+ pub fn state(&self) -> Http3State {+ self.stream_handler.handler.borrow().state()+ }+ /// Respond to a `WebTransport` session request. /// # Errors /// It may return `InvalidStreamId` if a stream does not exist anymore.@@ -246,6 +253,22 @@ &mut self.stream_handler.conn.borrow_mut(), self.stream_handler.stream_info.stream_id(), accept,+ )+ }++ /// # Errors+ /// It may return `InvalidStreamId` if a stream does not exist anymore.+ /// Also return an error if the stream was closed on the transport layer,+ /// but that information is not yet consumed on the http/3 layer.+ pub fn close_session(&mut self, error: u32, message: &str) -> Res<()> {+ self.stream_handler+ .handler+ .borrow_mut()+ .webtransport_close_session(+ &mut self.stream_handler.conn.borrow_mut(),+ self.stream_handler.stream_info.stream_id(),+ error,+ message, ) }@@ -314,7 +337,7 @@ }, SessionClosed { session: WebTransportRequest,- error: Option<AppError>,+ reason: SessionCloseReason, }, NewStream(Http3OrWebTransportStream), }@@ -473,10 +496,10 @@ pub(crate) fn webtransport_session_closed( &self, session: WebTransportRequest,- error: Option<AppError>,+ reason: SessionCloseReason, ) { self.insert(Http3ServerEvent::WebTransport(- WebTransportServerEvent::SessionClosed { session, error },+ WebTransportServerEvent::SessionClosed { session, reason }, )); }
I'll analyze the code diff for security fixes following the specified format.
1. Vulnerability Existed: not sure
[Potentially Improved Error Handling] [third_party/rust/neqo-http3/src/server_events.rs] [Lines 246-253, 314-337, 473-496]
[Old Code]
pub fn webtransport_accept_session(&mut self, accept: bool) -> Res<()> {
self.stream_handler
.handler
.borrow_mut()
.webtransport_accept_session(
&mut self.stream_handler.conn.borrow_mut(),
self.stream_handler.stream_info.stream_id(),
accept,
)
}
enum WebTransportServerEvent {
SessionClosed {
session: WebTransportRequest,
error: Option<AppError>,
},
}
pub(crate) fn webtransport_session_closed(
&self,
session: WebTransportRequest,
error: Option<AppError>,
) {
self.insert(Http3ServerEvent::WebTransport(
WebTransportServerEvent::SessionClosed { session, error },
));
}
[Fixed Code]
pub fn webtransport_accept_session(&mut self, accept: bool) -> Res<()> {
self.stream_handler
.handler
.borrow_mut()
.webtransport_accept_session(
&mut self.stream_handler.conn.borrow_mut(),
self.stream_handler.stream_info.stream_id(),
accept,
)
}
pub fn close_session(&mut self, error: u32, message: &str) -> Res<()> {
self.stream_handler
.handler
.borrow_mut()
.webtransport_close_session(
&mut self.stream_handler.conn.borrow_mut(),
self.stream_handler.stream_info.stream_id(),
error,
message,
)
}
enum WebTransportServerEvent {
SessionClosed {
session: WebTransportRequest,
reason: SessionCloseReason,
},
}
pub(crate) fn webtransport_session_closed(
&self,
session: WebTransportRequest,
reason: SessionCloseReason,
) {
self.insert(Http3ServerEvent::WebTransport(
WebTransportServerEvent::SessionClosed { session, reason },
));
}
Additional Details:
The changes introduce more structured error handling for WebTransport sessions, replacing the generic Option<AppError> with a specific SessionCloseReason type and adding a close_session method. While this improves error handling, it's not clear if this fixes a specific security vulnerability or is just a general improvement. The change could potentially help prevent certain types of error handling-related security issues, but without more context about SessionCloseReason, I can't be certain.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/layers/apz/src/CheckerboardEvent.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/layers/apz/src/CheckerboardEvent.h@@ -31,7 +31,6 @@ MOZ_DEFINE_ENUM_AT_CLASS_SCOPE( RendertraceProperty, ( Page,- PaintedCriticalDisplayPort, PaintedDisplayPort, RequestedDisplayPort, UserVisible
Based on the provided diff, I'll analyze it for potential security vulnerabilities:
Vulnerability Existed: not sure
[Potential Information Exposure] [gfx/layers/apz/src/CheckerboardEvent.h] [Lines 31-35]
[Old Code]
MOZ_DEFINE_ENUM_AT_CLASS_SCOPE(
RendertraceProperty, (
Page,
PaintedCriticalDisplayPort,
PaintedDisplayPort,
RequestedDisplayPort,
UserVisible
[Fixed Code]
MOZ_DEFINE_ENUM_AT_CLASS_SCOPE(
RendertraceProperty, (
Page,
PaintedDisplayPort,
RequestedDisplayPort,
UserVisible
Additional Details:
- The removal of "PaintedCriticalDisplayPort" might be related to reducing potentially sensitive information exposure, but without more context about what this enum value represented, I can't be certain if this was a security fix.
- The change could be simply removing unused code or reducing attack surface by removing a potentially sensitive display port property.
- There's no clear evidence of a specific vulnerability being fixed here, but the removal of display port related properties could be security-related.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.font.parse.tiny.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.font.parse.tiny.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.font = '1px sans-serif'; _assertSame(ctx.font, '1px sans-serif', "ctx.font", "'1px sans-serif'");
Analysis of the provided code diff:
1. Vulnerability Existed: no
Variable Renaming [File] [Lines 17-18]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- The change appears to be purely a variable name change from `offscreenCanvas` to `canvas`
- No security implications are visible in this change
- The functionality remains exactly the same, only the variable name was made more concise
- No known vulnerabilities are addressed by this change
No other vulnerabilities or potential security issues were identified in this diff. The modification seems to be purely for code style/readability purposes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/protocol/http/nsHttpConnectionInfo.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/protocol/http/nsHttpConnectionInfo.cpp@@ -334,10 +334,10 @@ // Try to get the port and Alpn. If this record has SvcParamKeyPort defined, // the new port will be used as mRoutedPort. Maybe<uint16_t> port = aRecord->GetPort();- Maybe<Tuple<nsCString, SupportedAlpnType>> alpn = aRecord->GetAlpn();+ Maybe<Tuple<nsCString, SupportedAlpnRank>> alpn = aRecord->GetAlpn(); // Let the new conn info learn h3 will be used.- bool isHttp3 = alpn ? Get<1>(*alpn) == SupportedAlpnType::HTTP_3 : false;+ bool isHttp3 = alpn ? mozilla::net::IsHttp3(Get<1>(*alpn)) : false; LOG(("HTTPSSVC: use new routed host (%s) and new npnToken (%s)", name.get(), alpn ? Get<0>(*alpn).get() : "None"));
Here's the analysis of the provided code diff: 1. Vulnerability Existed: not sure [Potential HTTP/3 Protocol Handling Issue] [netwerk/protocol/http/nsHttpConnectionInfo.cpp] [Lines 334-338] [Old Code] ```cpp Maybe<Tuple<nsCString, SupportedAlpnType>> alpn = aRecord->GetAlpn(); bool isHttp3 = alpn ? Get<1>(*alpn) == SupportedAlpnType::HTTP_3 : false; ``` [Fixed Code] ```cpp Maybe<Tuple<nsCString, SupportedAlpnRank>> alpn = aRecord->GetAlpn(); bool isHttp3 = alpn ? mozilla::net::IsHttp3(Get<1>(*alpn)) : false; ``` Additional Details: - The change involves a modification in how HTTP/3 protocol detection is handled - The type changed from `SupportedAlpnType` to `SupportedAlpnRank` - The direct equality check for `HTTP_3` was replaced with a function call `IsHttp3()` - While this appears to be a security-related change (protocol handling), I can't definitively identify a specific vulnerability being fixed - The change might be related to more robust protocol negotiation or preventing potential protocol confusion attacks, but this is speculative
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.