Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.negative.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.negative.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -30,15 +30,15 @@ ctx.roundRect(100, 50, -50, -25, [10, 0, 0, 0]); ctx.fill(); // All rects drawn-_assertPixel(offscreenCanvas, 25,12, 0,255,0,255, "25,12", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,12, 0,255,0,255, "75,12", "0,255,0,255");-_assertPixel(offscreenCanvas, 25,37, 0,255,0,255, "25,37", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,37, 0,255,0,255, "75,37", "0,255,0,255");+_assertPixel(canvas, 25,12, 0,255,0,255, "25,12", "0,255,0,255");+_assertPixel(canvas, 75,12, 0,255,0,255, "75,12", "0,255,0,255");+_assertPixel(canvas, 25,37, 0,255,0,255, "25,37", "0,255,0,255");+_assertPixel(canvas, 75,37, 0,255,0,255, "75,37", "0,255,0,255"); // Correct corners are rounded.-_assertPixel(offscreenCanvas, 1,1, 255,0,0,255, "1,1", "255,0,0,255");-_assertPixel(offscreenCanvas, 98,1, 255,0,0,255, "98,1", "255,0,0,255");-_assertPixel(offscreenCanvas, 1,48, 255,0,0,255, "1,48", "255,0,0,255");-_assertPixel(offscreenCanvas, 98,48, 255,0,0,255, "98,48", "255,0,0,255");+_assertPixel(canvas, 1,1, 255,0,0,255, "1,1", "255,0,0,255");+_assertPixel(canvas, 98,1, 255,0,0,255, "98,1", "255,0,0,255");+_assertPixel(canvas, 1,48, 255,0,0,255, "1,48", "255,0,0,255");+_assertPixel(canvas, 98,48, 255,0,0,255, "98,48", "255,0,0,255"); t.done(); });
After analyzing the provided code diff, here's the security assessment: 1. Vulnerability Existed: no The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and don't indicate any security fixes. This is a refactoring change rather than a security patch. 2. Vulnerability Existed: no The changes in the `_assertPixel` calls are simply following the variable name change and don't represent any security fixes. The test assertions remain functionally identical. The diff shows no evidence of security vulnerabilities being fixed. The changes are purely cosmetic/refactoring in nature, maintaining the same functionality while improving code readability through better variable naming. No security-related patterns (like input validation, memory safety issues, or access control) were modified in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.source-out.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.source-out.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0';@@ -28,8 +28,8 @@ ctx.clip(); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 50, 50);-_assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");+_assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");+_assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes where a variable name was changed from `offscreenCanvas` to `canvas` for consistency or readability purposes. Here's the analysis following your requested format:
Vulnerability Existed: no
No vulnerability found [File] [Lines 17-18, 28-29]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
_assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
_assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
The changes don't affect security, functionality, or introduce any security-related fixes. It's simply a variable renaming change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/src/reducers/project-text-search.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/src/reducers/project-text-search.js@@ -62,20 +62,4 @@ return state; }-export function getTextSearchOperation(state) {- return state.projectTextSearch.ongoingSearch;-}--export function getTextSearchResults(state) {- return state.projectTextSearch.results;-}--export function getTextSearchStatus(state) {- return state.projectTextSearch.status;-}--export function getTextSearchQuery(state) {- return state.projectTextSearch.query;-}- export default update;
Let me analyze the diff for potential security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential Information Exposure] [devtools/client/debugger/src/reducers/project-text-search.js] [Lines 62-76]
[Old Code]
export function getTextSearchOperation(state) {
return state.projectTextSearch.ongoingSearch;
}
export function getTextSearchResults(state) {
return state.projectTextSearch.results;
}
export function getTextSearchStatus(state) {
return state.projectTextSearch.status;
}
export function getTextSearchQuery(state) {
return state.projectTextSearch.query;
}
[Fixed Code]
[All getter functions removed]
Additional Details:
- The diff shows removal of several getter functions that exposed internal state
- While not clearly a security vulnerability, removing these functions could be part of a security hardening effort to limit state exposure
- Without more context about how these functions were used, it's hard to determine if this was fixing an actual vulnerability or just refactoring
- The change might be related to reducing attack surface by not exposing internal search state
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.moveTo.nonfinite.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.moveTo.nonfinite.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.moveTo(0, 0); ctx.lineTo(100, 0);@@ -29,7 +29,7 @@ ctx.lineTo(0, 50); ctx.fillStyle = '#0f0'; ctx.fill();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming without any security implications.
Answer Format for Each Vulnerability:
Vulnerability Existed: no
No security vulnerability found in this diff. The changes are purely variable name changes from 'offscreenCanvas' to 'canvas'.
Additional Notes:
- The changes are consistent throughout the file (variable renaming and corresponding reference updates)
- The functionality remains exactly the same
- No security-related patterns (input validation, sanitization, etc.) were modified
- The test assertions remain identical in behavior, just using the renamed variable
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.clip.unaffected.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.clip.unaffected.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -31,7 +31,7 @@ ctx.clip(); ctx.lineTo(0, 0); ctx.fill();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and updating the corresponding references. Here's the analysis following your requested format:
Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.clip.unaffected.html] [Lines 17-18, 31]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes are purely cosmetic/refactoring in nature and don't address any security issues. The functionality remains exactly the same, only the variable name has been changed for consistency or clarity.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.miter.rightangle.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.miter.rightangle.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -31,10 +31,10 @@ ctx.lineTo(200, 200); ctx.lineTo(1000, 200); ctx.stroke();-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 48,1, 0,255,0,255, "48,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 48,48, 0,255,0,255, "48,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 48,1, 0,255,0,255, "48,1", "0,255,0,255");+_assertPixel(canvas, 48,48, 0,255,0,255, "48,48", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, here's the security assessment:
1. Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.miter.rightangle.html [Lines] 17-31
[Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d');
[Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d');
2. Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.miter.rightangle.html [Lines] 31-35
[Old Code] _assertPixel(offscreenCanvas, ...) calls
[Fixed Code] _assertPixel(canvas, ...) calls
The changes appear to be purely variable renaming from `offscreenCanvas` to `canvas` and corresponding updates to the references. This doesn't indicate any security vulnerability fixes, but rather what seems to be a code style or consistency improvement. The functionality remains identical, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.pattern.transparent.2.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.pattern.transparent.2.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var promise = new Promise(function(resolve, reject) { var xhr = new XMLHttpRequest();@@ -36,9 +36,9 @@ ctx.shadowColor = '#0f0'; ctx.fillStyle = pattern; ctx.fillRect(0, -50, 100, 50);- _assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");- _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");- _assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");+ _assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");+ _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+ _assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255"); }, t_fail); }).then(t_pass, t_fail);
Based on the provided code diff, here's the analysis following the required format:
Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.pattern.transparent.2.worker.js] [Lines 13-14, 36-38]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
_assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
_assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
Additional Details:
The changes appear to be purely cosmetic/refactoring, changing the variable name from 'offscreenCanvas' to 'canvas' for consistency or readability. There are no security-related changes in this diff. The functionality remains exactly the same, just with a different variable name. No security vulnerabilities were fixed or introduced by this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/media/libdav1d/vcs_version.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/media/libdav1d/vcs_version.h@@ -1,2 +1,2 @@ /* auto-generated, do not edit */-#define DAV1D_VERSION "7b99b0e17fbd86f0847684798b182f9122545580"+#define DAV1D_VERSION "b562b7f648e26e64fae892495527b5b275d53183"
Analysis of the provided code diff:
1. Vulnerability Existed: no
Version Update [File] media/libdav1d/vcs_version.h [Lines] 1-2
Old Code: #define DAV1D_VERSION "7b99b0e17fbd86f0847684798b182f9122545580"
Fixed Code: #define DAV1D_VERSION "b562b7f648e26e64fae892495527b5b275d53183"
Additional Details:
- This appears to be a routine version update of the libdav1d library
- The change only updates the version hash/identifier
- No security-related changes are evident in this diff
- No known vulnerabilities are being patched in this specific change
- This is likely part of normal maintenance to track the current version of the library
The diff shows a version update but doesn't indicate any security fixes or vulnerability patches. It's a standard version identifier change that might be part of a larger update.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.hsl-6.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.hsl-6.worker.js@@ -13,14 +13,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'hsl(0, 100%, 50%,)'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes (variable renaming) rather than security-related fixes. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-14, 20]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes simply rename the variable `offscreenCanvas` to `canvas` for consistency or brevity, which doesn't impact security. The functionality remains exactly the same. There are no changes to the actual security-sensitive operations or input handling.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/strsim/src/lib.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/strsim/src/lib.rs@@ -1,29 +1,42 @@ //! This library implements string similarity metrics.++#![forbid(unsafe_code)] use std::char; use std::cmp::{max, min}; use std::collections::HashMap;+use std::error::Error;+use std::fmt::{self, Display, Formatter};+use std::hash::Hash;+use std::str::Chars; #[derive(Debug, PartialEq)] pub enum StrSimError {- DifferentLengthArgs-}+ DifferentLengthArgs,+}++impl Display for StrSimError {+ fn fmt(&self, fmt: &mut Formatter) -> Result<(), fmt::Error> {+ let text = match self {+ StrSimError::DifferentLengthArgs => "Differing length arguments provided",+ };++ write!(fmt, "{}", text)+ }+}++impl Error for StrSimError {} pub type HammingResult = Result<usize, StrSimError>;-/// Calculates the number of positions in the two strings where the characters-/// differ. Returns an error if the strings have different lengths.-///-/// ```-/// use strsim::hamming;-///-/// match hamming("hamming", "hammers") {-/// Ok(distance) => assert_eq!(3, distance),-/// Err(why) => panic!("{:?}", why)-/// }-/// ```-pub fn hamming(a: &str, b: &str) -> HammingResult {- let (mut ita, mut itb, mut count) = (a.chars(), b.chars(), 0);+/// Calculates the number of positions in the two sequences where the elements+/// differ. Returns an error if the sequences have different lengths.+pub fn generic_hamming<Iter1, Iter2, Elem1, Elem2>(a: Iter1, b: Iter2) -> HammingResult+ where Iter1: IntoIterator<Item=Elem1>,+ Iter2: IntoIterator<Item=Elem2>,+ Elem1: PartialEq<Elem2> {+ let (mut ita, mut itb) = (a.into_iter(), b.into_iter());+ let mut count = 0; loop { match (ita.next(), itb.next()){ (Some(x), Some(y)) => if x != y { count += 1 },@@ -33,25 +46,37 @@ } }-/// Calculates the Jaro similarity between two strings. The returned value+/// Calculates the number of positions in the two strings where the characters+/// differ. Returns an error if the strings have different lengths.+///+/// ```+/// use strsim::{hamming, StrSimError::DifferentLengthArgs};+///+/// assert_eq!(Ok(3), hamming("hamming", "hammers"));+///+/// assert_eq!(Err(DifferentLengthArgs), hamming("hamming", "ham"));+/// ```+pub fn hamming(a: &str, b: &str) -> HammingResult {+ generic_hamming(a.chars(), b.chars())+}++/// Calculates the Jaro similarity between two sequences. The returned value /// is between 0.0 and 1.0 (higher value means more similar).-///-/// ```-/// use strsim::jaro;-///-/// assert!((0.392 - jaro("Friedrich Nietzsche", "Jean-Paul Sartre")).abs() <-/// 0.001);-/// ```-pub fn jaro(a: &str, b: &str) -> f64 {- if a == b { return 1.0; }-- let a_len = a.chars().count();- let b_len = b.chars().count();+pub fn generic_jaro<'a, 'b, Iter1, Iter2, Elem1, Elem2>(a: &'a Iter1, b: &'b Iter2) -> f64+ where &'a Iter1: IntoIterator<Item=Elem1>,+ &'b Iter2: IntoIterator<Item=Elem2>,+ Elem1: PartialEq<Elem2> {+ let a_len = a.into_iter().count();+ let b_len = b.into_iter().count(); // The check for lengths of one here is to prevent integer overflow when // calculating the search range.- if a_len == 0 || b_len == 0 || (a_len == 1 && b_len == 1) {+ if a_len == 0 && b_len == 0 {+ return 1.0;+ } else if a_len == 0 || b_len == 0 { return 0.0;+ } else if a_len == 1 && b_len == 1 {+ return if a.into_iter().eq(b.into_iter()) { 1.0} else { 0.0 }; } let search_range = (max(a_len, b_len) / 2) - 1;@@ -65,7 +90,7 @@ let mut transpositions = 0.0; let mut b_match_index = 0;- for (i, a_char) in a.chars().enumerate() {+ for (i, a_elem) in a.into_iter().enumerate() { let min_bound = // prevent integer wrapping if i > search_range {@@ -80,9 +105,9 @@ continue; }- for (j, b_char) in b.chars().enumerate() {- if min_bound <= j && j <= max_bound && a_char == b_char &&- !b_consumed[j] {+ for (j, b_elem) in b.into_iter().enumerate() {+ if min_bound <= j && j <= max_bound && a_elem == b_elem &&+ !b_consumed[j] { b_consumed[j] = true; matches += 1.0;@@ -100,27 +125,47 @@ 0.0 } else { (1.0 / 3.0) * ((matches / a_len as f64) +- (matches / b_len as f64) +- ((matches - transpositions) / matches))- }-}--/// Like Jaro but gives a boost to strings that have a common prefix.-///-/// ```-/// use strsim::jaro_winkler;-///-/// assert!((0.911 - jaro_winkler("cheeseburger", "cheese fries")).abs() <+ (matches / b_len as f64) ++ ((matches - transpositions) / matches))+ }+}++struct StringWrapper<'a>(&'a str);++impl<'a, 'b> IntoIterator for &'a StringWrapper<'b> {+ type Item = char;+ type IntoIter = Chars<'b>;++ fn into_iter(self) -> Self::IntoIter {+ self.0.chars()+ }+}++/// Calculates the Jaro similarity between two strings. The returned value+/// is between 0.0 and 1.0 (higher value means more similar).+///+/// ```+/// use strsim::jaro;+///+/// assert!((0.392 - jaro("Friedrich Nietzsche", "Jean-Paul Sartre")).abs() < /// 0.001); /// ```-pub fn jaro_winkler(a: &str, b: &str) -> f64 {- let jaro_distance = jaro(a, b);+pub fn jaro(a: &str, b: &str) -> f64 {+ generic_jaro(&StringWrapper(a), &StringWrapper(b))+}++/// Like Jaro but gives a boost to sequences that have a common prefix.+pub fn generic_jaro_winkler<'a, 'b, Iter1, Iter2, Elem1, Elem2>(a: &'a Iter1, b: &'b Iter2) -> f64+ where &'a Iter1: IntoIterator<Item=Elem1>,+ &'b Iter2: IntoIterator<Item=Elem2>,+ Elem1: PartialEq<Elem2> {+ let jaro_distance = generic_jaro(a, b); // Don't limit the length of the common prefix- let prefix_length = a.chars()- .zip(b.chars())- .take_while(|&(a_char, b_char)| a_char == b_char)- .count();+ let prefix_length = a.into_iter()+ .zip(b.into_iter())+ .take_while(|&(ref a_elem, ref b_elem)| a_elem == b_elem)+ .count(); let jaro_winkler_distance = jaro_distance + (0.1 * prefix_length as f64 * (1.0 - jaro_distance));@@ -132,36 +177,45 @@ } }+/// Like Jaro but gives a boost to strings that have a common prefix.+///+/// ```+/// use strsim::jaro_winkler;+///+/// assert!((0.911 - jaro_winkler("cheeseburger", "cheese fries")).abs() <+/// 0.001);+/// ```+pub fn jaro_winkler(a: &str, b: &str) -> f64 {+ generic_jaro_winkler(&StringWrapper(a), &StringWrapper(b))+}+ /// Calculates the minimum number of insertions, deletions, and substitutions-/// required to change one string into the other.-///-/// ```-/// use strsim::levenshtein;-///-/// assert_eq!(3, levenshtein("kitten", "sitting"));-/// ```-pub fn levenshtein(a: &str, b: &str) -> usize {- if a == b { return 0; }-- let a_len = a.chars().count();- let b_len = b.chars().count();-- if a_len == 0 { return b_len; }- if b_len == 0 { return a_len; }+/// required to change one sequence into the other.+///+/// ```+/// use strsim::generic_levenshtein;+///+/// assert_eq!(3, generic_levenshtein(&[1,2,3], &[1,2,3,4,5,6]));+/// ```+pub fn generic_levenshtein<'a, 'b, Iter1, Iter2, Elem1, Elem2>(a: &'a Iter1, b: &'b Iter2) -> usize+ where &'a Iter1: IntoIterator<Item=Elem1>,+ &'b Iter2: IntoIterator<Item=Elem2>,+ Elem1: PartialEq<Elem2> {+ let b_len = b.into_iter().count();++ if a.into_iter().next().is_none() { return b_len; } let mut cache: Vec<usize> = (1..b_len+1).collect(); let mut result = 0;- let mut distance_a;- let mut distance_b;-- for (i, a_char) in a.chars().enumerate() {- result = i;- distance_b = i;-- for (j, b_char) in b.chars().enumerate() {- let cost = if a_char == b_char { 0 } else { 1 };- distance_a = distance_b + cost;++ for (i, a_elem) in a.into_iter().enumerate() {+ result = i + 1;+ let mut distance_b = i;++ for (j, b_elem) in b.into_iter().enumerate() {+ let cost = if a_elem == b_elem { 0usize } else { 1usize };+ let distance_a = distance_b + cost; distance_b = cache[j]; result = min(result + 1, min(distance_a, distance_b + 1)); cache[j] = result;@@ -169,6 +223,18 @@ } result+}++/// Calculates the minimum number of insertions, deletions, and substitutions+/// required to change one string into the other.+///+/// ```+/// use strsim::levenshtein;+///+/// assert_eq!(3, levenshtein("kitten", "sitting"));+/// ```+pub fn levenshtein(a: &str, b: &str) -> usize {+ generic_levenshtein(&StringWrapper(a), &StringWrapper(b)) } /// Calculates a normalized score of the Levenshtein algorithm between 0.0 and@@ -227,7 +293,7 @@ min(prev_distances[j + 1] + 1, prev_distances[j] + cost)); if i > 0 && j > 0 && a_char != b_char &&- a_char == prev_b_char && b_char == prev_a_char {+ a_char == prev_b_char && b_char == prev_a_char { curr_distances[j + 1] = min(curr_distances[j + 1], prev_two_distances[j - 1] + 1); }@@ -244,74 +310,86 @@ }+/* Returns the final index for a value in a single vector that represents a fixed+ 2d grid */+fn flat_index(i: usize, j: usize, width: usize) -> usize {+ j * width + i+}+ /// Like optimal string alignment, but substrings can be edited an unlimited /// number of times, and the triangle inequality holds. /// /// ```-/// use strsim::damerau_levenshtein;-///-/// assert_eq!(2, damerau_levenshtein("ab", "bca"));-/// ```-pub fn damerau_levenshtein(a: &str, b: &str) -> usize {- if a == b { return 0; }-- let a_chars: Vec<char> = a.chars().collect();- let b_chars: Vec<char> = b.chars().collect();- let a_len = a_chars.len();- let b_len = b_chars.len();+/// use strsim::generic_damerau_levenshtein;+///+/// assert_eq!(2, generic_damerau_levenshtein(&[1,2], &[2,3,1]));+/// ```+pub fn generic_damerau_levenshtein<Elem>(a_elems: &[Elem], b_elems: &[Elem]) -> usize+ where Elem: Eq + Hash + Clone {+ let a_len = a_elems.len();+ let b_len = b_elems.len(); if a_len == 0 { return b_len; } if b_len == 0 { return a_len; }- let mut distances = vec![vec![0; b_len + 2]; a_len + 2];+ let width = a_len + 2;+ let mut distances = vec![0; (a_len + 2) * (b_len + 2)]; let max_distance = a_len + b_len;- distances[0][0] = max_distance;+ distances[0] = max_distance; for i in 0..(a_len + 1) {- distances[i + 1][0] = max_distance;- distances[i + 1][1] = i;+ distances[flat_index(i + 1, 0, width)] = max_distance;+ distances[flat_index(i + 1, 1, width)] = i; } for j in 0..(b_len + 1) {- distances[0][j + 1] = max_distance;- distances[1][j + 1] = j;- }-- let mut chars: HashMap<char, usize> = HashMap::new();+ distances[flat_index(0, j + 1, width)] = max_distance;+ distances[flat_index(1, j + 1, width)] = j;+ }++ let mut elems: HashMap<Elem, usize> = HashMap::with_capacity(64); for i in 1..(a_len + 1) { let mut db = 0; for j in 1..(b_len + 1) {- let k = match chars.get(&b_chars[j - 1]) {- Some(value) => value.clone(),+ let k = match elems.get(&b_elems[j - 1]) {+ Some(&value) => value, None => 0 };- let l = db;-- let mut cost = 1;- if a_chars[i - 1] == b_chars[j - 1] {- cost = 0;+ let insertion_cost = distances[flat_index(i, j + 1, width)] + 1;+ let deletion_cost = distances[flat_index(i + 1, j, width)] + 1;+ let transposition_cost = distances[flat_index(k, db, width)] ++ (i - k - 1) + 1 + (j - db - 1);++ let mut substitution_cost = distances[flat_index(i, j, width)] + 1;+ if a_elems[i - 1] == b_elems[j - 1] { db = j;+ substitution_cost -= 1; }- let substitution_cost = distances[i][j] + cost;- let insertion_cost = distances[i][j + 1] + 1;- let deletion_cost = distances[i + 1][j] + 1;- let transposition_cost = distances[k][l] + (i - k - 1) + 1 +- (j - l - 1);-- distances[i + 1][j + 1] = min(substitution_cost,- min(insertion_cost,- min(deletion_cost,- transposition_cost)));+ distances[flat_index(i + 1, j + 1, width)] = min(substitution_cost,+ min(insertion_cost, min(deletion_cost, transposition_cost))); }- chars.insert(a_chars[i - 1], i);- }-- distances[a_len + 1][b_len + 1]+ elems.insert(a_elems[i - 1].clone(), i);+ }++ distances[flat_index(a_len + 1, b_len + 1, width)]+}++/// Like optimal string alignment, but substrings can be edited an unlimited+/// number of times, and the triangle inequality holds.+///+/// ```+/// use strsim::damerau_levenshtein;+///+/// assert_eq!(2, damerau_levenshtein("ab", "bca"));+/// ```+pub fn damerau_levenshtein(a: &str, b: &str) -> usize {+ let (x, y): (Vec<_>, Vec<_>) = (a.chars().collect(), b.chars().collect());+ generic_damerau_levenshtein(x.as_slice(), y.as_slice()) } /// Calculates a normalized score of the Damerau–Levenshtein algorithm between@@ -333,61 +411,133 @@ 1.0 - (damerau_levenshtein(a, b) as f64) / (a.chars().count().max(b.chars().count()) as f64) }+/// Returns an Iterator of char tuples.+fn bigrams(s: &str) -> impl Iterator<Item=(char, char)> + '_ {+ s.chars().zip(s.chars().skip(1))+}+++/// Calculates a Sørensen-Dice similarity distance using bigrams.+/// See http://en.wikipedia.org/wiki/S%C3%B8rensen%E2%80%93Dice_coefficient.+///+/// ```+/// use strsim::sorensen_dice;+///+/// assert_eq!(1.0, sorensen_dice("", ""));+/// assert_eq!(0.0, sorensen_dice("", "a"));+/// assert_eq!(0.0, sorensen_dice("french", "quebec"));+/// assert_eq!(1.0, sorensen_dice("ferris", "ferris"));+/// assert_eq!(1.0, sorensen_dice("ferris", "ferris"));+/// assert_eq!(0.8888888888888888, sorensen_dice("feris", "ferris"));+/// ```+pub fn sorensen_dice(a: &str, b: &str) -> f64 {+ // implementation guided by+ // https://github.com/aceakash/string-similarity/blob/f83ba3cd7bae874c20c429774e911ae8cff8bced/src/index.js#L6++ let a: String = a.chars().filter(|&x| !char::is_whitespace(x)).collect();+ let b: String = b.chars().filter(|&x| !char::is_whitespace(x)).collect();++ if a.len() == 0 && b.len() == 0 {+ return 1.0;+ }++ if a.len() == 0 || b.len() == 0 {+ return 0.0;+ }++ if a == b {+ return 1.0;+ }++ if a.len() == 1 && b.len() == 1 {+ return 0.0;+ }++ if a.len() < 2 || b.len() < 2 {+ return 0.0;+ }++ let mut a_bigrams: HashMap<(char, char), usize> = HashMap::new();++ for bigram in bigrams(&a) {+ *a_bigrams.entry(bigram).or_insert(0) += 1;+ }++ let mut intersection_size = 0;++ for bigram in bigrams(&b) {+ a_bigrams.entry(bigram).and_modify(|bi| {+ if *bi > 0 {+ *bi -= 1;+ intersection_size += 1;+ }+ });+ }++ (2 * intersection_size) as f64 / (a.len() + b.len() - 2) as f64+}++ #[cfg(test)] mod tests { use super::*; #[test]+ fn bigrams_iterator() {+ let mut bi = bigrams("abcde");++ assert_eq!(Some(('a', 'b')), bi.next());+ assert_eq!(Some(('b', 'c')), bi.next());+ assert_eq!(Some(('c', 'd')), bi.next());+ assert_eq!(Some(('d', 'e')), bi.next());+ assert_eq!(None, bi.next());+ }++ fn assert_hamming_dist(dist: usize, str1: &str, str2: &str) {+ assert_eq!(Ok(dist), hamming(str1, str2));+ }++ #[test] fn hamming_empty() {- match hamming("", "") {- Ok(distance) => { assert_eq!(0, distance); },- Err(why) => { panic!("{:?}", why); }- }+ assert_hamming_dist(0, "", "") } #[test] fn hamming_same() {- match hamming("hamming", "hamming") {- Ok(distance) => { assert_eq!(0, distance); },- Err(why) => { panic!("{:?}", why); }- }+ assert_hamming_dist(0, "hamming", "hamming")+ }++ #[test]+ fn hamming_numbers() {+ assert_eq!(Ok(1), generic_hamming(&[1, 2, 4], &[1, 2, 3])); } #[test] fn hamming_diff() {- match hamming("hamming", "hammers") {- Ok(distance) => { assert_eq!(3, distance); },- Err(why) => { panic!("{:?}", why); }- }+ assert_hamming_dist(3, "hamming", "hammers") } #[test] fn hamming_diff_multibyte() {- match hamming("hamming", "h香mmüng") {- Ok(distance) => { assert_eq!(2, distance); },- Err(why) => { panic!("{:?}", why); }- }+ assert_hamming_dist(2, "hamming", "h香mmüng"); } #[test] fn hamming_unequal_length() {- match hamming("ham", "hamming") {- Ok(_) => { panic!(); },- Err(why) => { assert_eq!(why, StrSimError::DifferentLengthArgs); }- }+ assert_eq!(+ Err(StrSimError::DifferentLengthArgs),+ generic_hamming("ham".chars(), "hamming".chars())+ ); } #[test] fn hamming_names() {- match hamming("Friedrich Nietzs", "Jean-Paul Sartre") {- Ok(distance) => { assert_eq!(14, distance); },- Err(why) => { panic!("{:?}", why); }- }+ assert_hamming_dist(14, "Friedrich Nietzs", "Jean-Paul Sartre") } #[test] fn jaro_both_empty() {- assert_eq!(1.0, jaro("", ""));+ assert_eq!(1.0, jaro("", "")); } #[test]@@ -422,6 +572,16 @@ } #[test]+ fn jaro_same_one_character() {+ assert_eq!(1.0, jaro("a", "a"));+ }++ #[test]+ fn generic_jaro_diff() {+ assert_eq!(0.0, generic_jaro(&[1, 2], &[3, 4]));+ }++ #[test] fn jaro_diff_one_and_two() { assert!((0.83 - jaro("a", "ab")).abs() < 0.01); }@@ -470,9 +630,9 @@ #[test] fn jaro_winkler_multibyte() { assert!((0.89 - jaro_winkler("testabctest", "testöঙ香test")).abs() <- 0.001);+ 0.001); assert!((0.89 - jaro_winkler("testöঙ香test", "testabctest")).abs() <- 0.001);+ 0.001); } #[test]@@ -487,6 +647,11 @@ } #[test]+ fn jaro_winkler_same_one_character() {+ assert_eq!(1.0, jaro_winkler("a", "a"));+ }++ #[test] fn jaro_winkler_diff_no_transposition() { assert!((0.840 - jaro_winkler("dwayne", "duane")).abs() < 0.001); }@@ -505,7 +670,7 @@ #[test] fn jaro_winkler_long_prefix() { assert!((0.911 - jaro_winkler("cheeseburger", "cheese fries")).abs() <- 0.001);+ 0.001); } #[test]@@ -522,7 +687,7 @@ fn jaro_winkler_very_long_prefix() { assert!((1.0 - jaro_winkler("thequickbrownfoxjumpedoverx", "thequickbrownfoxjumpedovery")).abs() <- 0.001);+ 0.001); } #[test]@@ -783,4 +948,58 @@ fn normalized_damerau_levenshtein_identical_strings() { assert!((normalized_damerau_levenshtein("sunglasses", "sunglasses") - 1.0).abs() < 0.00001); }-}++ #[test]+ fn sorensen_dice_all() {+ // test cases taken from+ // https://github.com/aceakash/string-similarity/blob/f83ba3cd7bae874c20c429774e911ae8cff8bced/src/spec/index.spec.js#L11++ assert_eq!(1.0, sorensen_dice("a", "a"));+ assert_eq!(0.0, sorensen_dice("a", "b"));+ assert_eq!(1.0, sorensen_dice("", ""));+ assert_eq!(0.0, sorensen_dice("a", ""));+ assert_eq!(0.0, sorensen_dice("", "a"));+ assert_eq!(1.0, sorensen_dice("apple event", "apple event"));+ assert_eq!(0.9090909090909091, sorensen_dice("iphone", "iphone x"));+ assert_eq!(0.0, sorensen_dice("french", "quebec"));+ assert_eq!(1.0, sorensen_dice("france", "france"));+ assert_eq!(0.2, sorensen_dice("fRaNce", "france"));+ assert_eq!(0.8, sorensen_dice("healed", "sealed"));+ assert_eq!(+ 0.7878787878787878,+ sorensen_dice("web applications", "applications of the web")+ );+ assert_eq!(+ 0.92,+ sorensen_dice(+ "this will have a typo somewhere",+ "this will huve a typo somewhere"+ )+ );+ assert_eq!(+ 0.6060606060606061,+ sorensen_dice(+ "Olive-green table for sale, in extremely good condition.",+ "For sale: table in very good condition, olive green in colour."+ )+ );+ assert_eq!(+ 0.2558139534883721,+ sorensen_dice(+ "Olive-green table for sale, in extremely good condition.",+ "For sale: green Subaru Impreza, 210,000 miles"+ )+ );+ assert_eq!(+ 0.1411764705882353,+ sorensen_dice(+ "Olive-green table for sale, in extremely good condition.",+ "Wanted: mountain bike with at least 21 gears."+ )+ );+ assert_eq!(+ 0.7741935483870968,+ sorensen_dice("this has one extra word", "this has one word")+ );+ }+}
Let me analyze the code diff for security fixes. Here are the findings:
1. Vulnerability Existed: yes
Unsafe Code Removal [third_party/rust/strsim/src/lib.rs] [Line 1]
[Old Code] - (no unsafe code restriction)
[Fixed Code] + #![forbid(unsafe_code)]
2. Vulnerability Existed: yes
Integer Overflow Potential [third_party/rust/strsim/src/lib.rs] [Lines 62-68]
[Old Code]
if a_len == 0 || b_len == 0 || (a_len == 1 && b_len == 1) {
return 0.0;
}
[Fixed Code]
if a_len == 0 && b_len == 0 {
return 1.0;
} else if a_len == 0 || b_len == 0 {
return 0.0;
} else if a_len == 1 && b_len == 1 {
return if a.into_iter().eq(b.into_iter()) { 1.0} else { 0.0 };
}
3. Vulnerability Existed: yes
Potential Integer Overflow in Flat Index Calculation [third_party/rust/strsim/src/lib.rs] [Lines 312-315]
[Old Code] - (no flat_index function, used 2D vectors)
[Fixed Code]
fn flat_index(i: usize, j: usize, width: usize) -> usize {
j * width + i
}
4. Vulnerability Existed: not sure
Error Handling Improvement [third_party/rust/strsim/src/lib.rs] [Lines 10-24]
[Old Code]
pub enum StrSimError {
DifferentLengthArgs
}
[Fixed Code]
pub enum StrSimError {
DifferentLengthArgs,
}
impl Display for StrSimError {
fn fmt(&self, fmt: &mut Formatter) -> Result<(), fmt::Error> {
let text = match self {
StrSimError::DifferentLengthArgs => "Differing length arguments provided",
};
write!(fmt, "{}", text)
}
}
impl Error for StrSimError {}
The main security-related changes are:
1. Explicitly forbidding unsafe code
2. Fixing potential integer overflow issues in length checks
3. Adding bounds-checked flat index calculation
4. Improved error handling (though this is more of a robustness improvement than security)
The changes make the code more secure by preventing memory safety issues and integer overflows that could potentially be exploited.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.4.radii.4.double.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.4.radii.4.double.worker.js@@ -13,18 +13,18 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50); ctx.roundRect(0, 0, 100, 50, [0, 0, 0, 20]); ctx.fillStyle = '#0f0'; ctx.fill();-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 255,0,0,255, "1,48", "255,0,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,48, 255,0,0,255, "1,48", "255,0,0,255"); t.done(); });
After analyzing the provided code diff, here's the security assessment:
1. Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-31]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 1,48, 255,0,0,255, "1,48", "255,0,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 1,48, 255,0,0,255, "1,48", "255,0,0,255");
The changes appear to be purely cosmetic/refactoring, renaming the variable `offscreenCanvas` to `canvas`. There are no security-related changes in this diff. The functionality remains exactly the same, only the variable name has been changed for consistency or readability. No actual security vulnerabilities were addressed in this modification.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/vm/ObjectFlags.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/vm/ObjectFlags.h@@ -58,6 +58,9 @@ // used to invalidate IC/Warp code specializing on specific getter/setter // objects. See also the SMDOC comment in vm/GetterSetter.h. HadGetterSetterChange = 1 << 10,++ // If set, invoke the watchtower testing callback for changes to this object.+ UseWatchtowerTestingCallback = 1 << 11, }; using ObjectFlags = EnumFlags<ObjectFlag>;
Based on the provided code diff, here's the analysis: Vulnerability Existed: no [No specific vulnerability] [js/src/vm/ObjectFlags.h] [Lines 58-61] [Old Code] HadGetterSetterChange = 1 << 10, [Fixed Code] HadGetterSetterChange = 1 << 10, // If set, invoke the watchtower testing callback for changes to this object. UseWatchtowerTestingCallback = 1 << 11, Analysis: 1. The diff shows an addition of a new flag `UseWatchtowerTestingCallback` but doesn't modify any existing code. 2. This appears to be a feature addition rather than a security fix. 3. The "watchtower" term suggests this might be related to monitoring/testing functionality. 4. No specific vulnerability is being addressed here, just an expansion of object flag capabilities. No security vulnerabilities were fixed in this diff - it's purely a feature addition. The change adds a new flag for testing/monitoring purposes without modifying any existing security-relevant code.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/security/manager/ssl/cert_storage/src/lib.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/security/manager/ssl/cert_storage/src/lib.rs@@ -59,10 +59,10 @@ use storage_variant::VariantType; use thin_vec::ThinVec; use xpcom::interfaces::{- nsICRLiteState, nsICertInfo, nsICertStorage, nsICertStorageCallback, nsIFile,- nsIHandleReportCallback, nsIIssuerAndSerialRevocationState, nsIMemoryReporter,- nsIMemoryReporterManager, nsIObserver, nsIPrefBranch, nsIRevocationState, nsISerialEventTarget,- nsISubjectAndPubKeyRevocationState, nsISupports,+ nsICRLiteCoverage, nsICRLiteState, nsICRLiteTimestamp, nsICertInfo, nsICertStorage,+ nsICertStorageCallback, nsIFile, nsIHandleReportCallback, nsIIssuerAndSerialRevocationState,+ nsIMemoryReporter, nsIMemoryReporterManager, nsIObserver, nsIPrefBranch, nsIRevocationState,+ nsISerialEventTarget, nsISubjectAndPubKeyRevocationState, nsISupports, }; use xpcom::{nsIID, GetterAddrefs, RefPtr, ThreadBoundRefPtr, XpCom};@@ -72,6 +72,8 @@ const PREFIX_SUBJECT: &str = "subject"; const PREFIX_CERT: &str = "cert"; const PREFIX_DATA_TYPE: &str = "datatype";++const COVERAGE_SERIALIZATION_VERSION: u8 = 1; type Rkv = rkv::Rkv<SafeModeEnvironment>; type SingleStore = rkv::SingleStore<SafeModeDatabase>;@@ -151,8 +153,10 @@ int_prefs: HashMap<String, u32>, #[ignore_malloc_size_of = "rental crate does not allow impls for rental structs"] crlite_filter: Option<holding::CRLiteFilter>,- /// Maps issuer spki hashes to sets of seiral numbers.+ /// Maps issuer spki hashes to sets of serial numbers. crlite_stash: Option<HashMap<Vec<u8>, HashSet<Vec<u8>>>>,+ /// Maps an RFC 6962 LogID to a pair of 64 bit unix timestamps+ crlite_coverage: Option<HashMap<Vec<u8>, (u64, u64)>>, /// Tracks the number of asynchronous operations which have been dispatched but not completed. remaining_ops: i32, }@@ -167,6 +171,7 @@ int_prefs: HashMap::new(), crlite_filter: None, crlite_stash: None,+ crlite_coverage: None, remaining_ops: 0, }) }@@ -297,7 +302,7 @@ pub fn get_has_prior_data(&self, data_type: u8) -> Result<bool, SecurityStateError> { if data_type == nsICertStorage::DATA_TYPE_CRLITE_FILTER_FULL {- return Ok(self.crlite_filter.is_some());+ return Ok(self.crlite_filter.is_some() && self.crlite_coverage.is_some()); } if data_type == nsICertStorage::DATA_TYPE_CRLITE_FILTER_INCREMENTAL { return Ok(self.crlite_stash.is_some());@@ -413,15 +418,29 @@ } }+ pub fn filter_covers_some_timestamp(&self, timestamps: &[CRLiteTimestamp]) -> bool {+ if let Some(crlite_coverage) = self.crlite_coverage.as_ref() {+ for entry in timestamps {+ if let Some(&(low, high)) = crlite_coverage.get(entry.log_id.as_ref()) {+ if low <= entry.timestamp && entry.timestamp <= high {+ return true;+ }+ }+ }+ }+ return false;+ }+ pub fn set_full_crlite_filter( &mut self, filter: Vec<u8>,- timestamp: u64,+ coverage_entries: &[(nsCString, u64, u64)], ) -> Result<(), SecurityStateError> { // First drop any existing crlite filter and clear the accumulated stash. { let _ = self.crlite_filter.take(); let _ = self.crlite_stash.take();+ let _ = self.crlite_coverage.take(); let mut path = get_store_path(&self.profile_path)?; path.push("crlite.stash"); // Truncate the stash file if it exists.@@ -438,31 +457,45 @@ let mut filter_file = File::create(&path)?; filter_file.write_all(&filter)?; }++ // Serialize the coverage metadata as a 1 byte version number followed by any number of 48+ // byte entries. Each entry is a 32 byte (opaque) log id, followed by two 8 byte+ // timestamps. Each timestamp is an 8 byte unsigned integer in little endian.+ let mut coverage_bytes = Vec::with_capacity(+ size_of::<u8>() + coverage_entries.len() * (32 + size_of::<u64>() + size_of::<u64>()),+ );+ coverage_bytes.push(COVERAGE_SERIALIZATION_VERSION);+ for (b64_log_id, min_t, max_t) in coverage_entries {+ let log_id = match base64::decode(&b64_log_id) {+ Ok(log_id) if log_id.len() == 32 => log_id,+ _ => {+ warn!("malformed log ID - skipping: {}", b64_log_id);+ continue;+ }+ };+ coverage_bytes.extend_from_slice(&log_id);+ coverage_bytes.extend_from_slice(&min_t.to_le_bytes());+ coverage_bytes.extend_from_slice(&max_t.to_le_bytes());+ }+ // Write the coverage file for the new filter+ let mut path = get_store_path(&self.profile_path)?;+ path.push("crlite.coverage");+ {+ let mut coverage_file = File::create(&path)?;+ coverage_file.write_all(&coverage_bytes)?;+ } self.load_crlite_filter()?;- let env_and_store = match self.env_and_store.as_mut() {- Some(env_and_store) => env_and_store,- None => return Err(SecurityStateError::from("env and store not initialized?")),- };- let mut writer = env_and_store.env.write()?;- // Make a note of the timestamp of the full filter.- env_and_store.store.put(- &mut writer,- &make_key!(- PREFIX_DATA_TYPE,- &[nsICertStorage::DATA_TYPE_CRLITE_FILTER_FULL]- ),- &Value::U64(timestamp),- )?;- writer.commit()?;+ Ok(()) } fn load_crlite_filter(&mut self) -> Result<(), SecurityStateError> {- if self.crlite_filter.is_some() {+ if self.crlite_filter.is_some() || self.crlite_coverage.is_some() { return Err(SecurityStateError::from(- "crlite_filter should be None here",+ "Both crlite_filter and crlite_coverage should be None here", )); }+ let mut path = get_store_path(&self.profile_path)?; path.push("crlite.filter"); // Before we've downloaded any filters, this file won't exist.@@ -478,8 +511,63 @@ } }) .map_err(|_| SecurityStateError::from("unable to initialize CRLite filter"))?;++ let mut path = get_store_path(&self.profile_path)?;+ path.push("crlite.coverage");+ if !path.exists() {+ return Ok(());+ }++ // Deserialize the coverage metadata.+ // The format is described in `set_full_crlite_filter`.+ let coverage_file = File::open(path)?;+ let mut coverage_reader = BufReader::new(coverage_file);+ match coverage_reader.read_u8() {+ Ok(COVERAGE_SERIALIZATION_VERSION) => (),+ _ => {+ return Err(SecurityStateError::from(+ "unable to initialize CRLite coverage",+ ))+ }+ }+ let mut crlite_coverage: HashMap<Vec<u8>, (u64, u64)> = HashMap::new();+ loop {+ let mut coverage_entry = [0u8; 48];+ match coverage_reader.read(&mut coverage_entry) {+ Ok(48) => (),+ Ok(0) => break, // end of file+ _ => {+ return Err(SecurityStateError::from(+ "unable to initialize CRLite coverage",+ ))+ }+ };+ let log_id = &coverage_entry[0..32];+ let min_timestamp: u64;+ let max_timestamp: u64;+ match (&coverage_entry[32..40]).read_u64::<LittleEndian>() {+ Ok(value) => min_timestamp = value,+ _ => {+ return Err(SecurityStateError::from(+ "unable to initialize CRLite coverage",+ ))+ }+ }+ match (&coverage_entry[40..48]).read_u64::<LittleEndian>() {+ Ok(value) => max_timestamp = value,+ _ => {+ return Err(SecurityStateError::from(+ "unable to initialize CRLite coverage",+ ))+ }+ }+ crlite_coverage.insert(log_id.to_vec(), (min_timestamp, max_timestamp));+ }+ let old_crlite_filter_should_be_none = self.crlite_filter.replace(crlite_filter); assert!(old_crlite_filter_should_be_none.is_none());+ let old_crlite_coverage_should_be_none = self.crlite_coverage.replace(crlite_coverage);+ assert!(old_crlite_coverage_should_be_none.is_none()); Ok(()) }@@ -518,35 +606,14 @@ issuer: &[u8], issuer_spki: &[u8], serial_number: &[u8],- ) -> Result<(u64, i16), SecurityStateError> {- let timestamp = {- let env_and_store = match self.env_and_store.as_ref() {- Some(env_and_store) => env_and_store,- None => return Err(SecurityStateError::from("env and store not initialized?")),- };- let reader = env_and_store.env.read()?;- match env_and_store.store.get(- &reader,- &make_key!(- PREFIX_DATA_TYPE,- &[nsICertStorage::DATA_TYPE_CRLITE_FILTER_FULL]- ),- ) {- Ok(Some(Value::U64(timestamp))) => timestamp,- // If we don't have a timestamp yet, we won't have a filter. Return the earliest- // timestamp possible to indicate this to callers.- Ok(None) => return Ok((0, nsICertStorage::STATE_UNSET)),- Ok(_) => {- return Err(SecurityStateError::from(- "unexpected type when trying to get Value::U64",- ))- }- Err(_) => return Err(SecurityStateError::from("error getting CRLite timestamp")),- }- };+ timestamps: &[CRLiteTimestamp],+ ) -> Result<i16, SecurityStateError> { let enrollment_state = self.get_crlite_state(issuer, issuer_spki)?; if enrollment_state != nsICertStorage::STATE_ENFORCE {- return Ok((timestamp, nsICertStorage::STATE_NOT_ENROLLED));+ return Ok(nsICertStorage::STATE_NOT_ENROLLED);+ }+ if !self.filter_covers_some_timestamp(timestamps) {+ return Ok(nsICertStorage::STATE_NOT_COVERED); } let mut digest = Sha256::default(); digest.input(issuer_spki);@@ -556,13 +623,12 @@ let result = match &self.crlite_filter { Some(crlite_filter) => crlite_filter.rent(|filter| filter.has(&lookup_key)), // This can only happen if the backing file was deleted or if it or our database has- // become corrupted. In any case, we have no information, so again return the earliest- // timestamp to indicate this to the user.- None => return Ok((0, nsICertStorage::STATE_UNSET)),+ // become corrupted. In any case, we have no information.+ None => return Ok(nsICertStorage::STATE_NOT_COVERED), }; match result {- true => Ok((timestamp, nsICertStorage::STATE_ENFORCE)),- false => Ok((timestamp, nsICertStorage::STATE_UNSET)),+ true => Ok(nsICertStorage::STATE_ENFORCE),+ false => Ok(nsICertStorage::STATE_UNSET), } }@@ -927,6 +993,12 @@ } }+// Helper struct for get_crlite_revocation_state.+struct CRLiteTimestamp {+ log_id: ThinVec<u8>,+ timestamp: u64,+}+ // Helper struct for set_batch_state. Takes a prefix, two base64-encoded key // parts, and a security state value. struct EncodedSecurityState {@@ -1647,20 +1719,34 @@ unsafe fn SetFullCRLiteFilter( &self, filter: *const ThinVec<u8>,- timestamp: u64,+ coverage: *const ThinVec<RefPtr<nsICRLiteCoverage>>, callback: *const nsICertStorageCallback, ) -> nserror::nsresult { if !is_main_thread() { return NS_ERROR_NOT_SAME_THREAD; }- if filter.is_null() || callback.is_null() {+ if filter.is_null() || coverage.is_null() || callback.is_null() { return NS_ERROR_NULL_POINTER; }+ let filter_owned = (*filter).to_vec();++ let coverage = &*coverage;+ let mut coverage_entries = Vec::with_capacity(coverage.len());+ for entry in coverage {+ let mut b64_log_id = nsCString::new();+ try_ns!((*entry).GetB64LogID(&mut *b64_log_id).to_result(), or continue);+ let mut min_timestamp: u64 = 0;+ try_ns!((*entry).GetMinTimestamp(&mut min_timestamp).to_result(), or continue);+ let mut max_timestamp: u64 = 0;+ try_ns!((*entry).GetMaxTimestamp(&mut max_timestamp).to_result(), or continue);+ coverage_entries.push((b64_log_id, min_timestamp, max_timestamp));+ }+ let task = Box::new(try_ns!(SecurityStateTask::new( &*callback, &self.security_state,- move |ss| ss.set_full_crlite_filter(filter_owned, timestamp),+ move |ss| ss.set_full_crlite_filter(filter_owned, &coverage_entries), ))); let runnable = try_ns!(TaskRunnable::new("SetFullCRLiteFilter", task)); try_ns!(TaskRunnable::dispatch(runnable, self.queue.coerce()));@@ -1711,7 +1797,7 @@ issuer: *const ThinVec<u8>, issuerSPKI: *const ThinVec<u8>, serialNumber: *const ThinVec<u8>,- valid_before: *mut u64,+ timestamps: *const ThinVec<RefPtr<nsICRLiteTimestamp>>, state: *mut i16, ) -> nserror::nsresult { // TODO (bug 1541212): We really want to restrict this to non-main-threads only, but we@@ -1719,17 +1805,29 @@ if issuer.is_null() || issuerSPKI.is_null() || serialNumber.is_null()- || valid_before.is_null() || state.is_null()+ || timestamps.is_null() { return NS_ERROR_NULL_POINTER; }- *valid_before = 0;+ let timestamps = &*timestamps;+ let mut timestamp_entries = Vec::with_capacity(timestamps.len());+ for timestamp_entry in timestamps {+ let mut log_id = ThinVec::with_capacity(32);+ try_ns!(timestamp_entry.GetLogID(&mut log_id).to_result(), or continue);+ let mut timestamp: u64 = 0;+ try_ns!(timestamp_entry.GetTimestamp(&mut timestamp).to_result(), or continue);+ timestamp_entries.push(CRLiteTimestamp { log_id, timestamp });+ } *state = nsICertStorage::STATE_UNSET; let ss = get_security_state!(self);- match ss.get_crlite_revocation_state(&*issuer, &*issuerSPKI, &*serialNumber) {- Ok((crlite_timestamp, st)) => {- *valid_before = crlite_timestamp;+ match ss.get_crlite_revocation_state(+ &*issuer,+ &*issuerSPKI,+ &*serialNumber,+ ×tamp_entries,+ ) {+ Ok(st) => { *state = st; NS_OK }
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: yes
CRLite Coverage Validation [security/manager/ssl/cert_storage/src/lib.rs] [Lines 297, 302, 413-431, 606-612]
Old Code:
```rust
pub fn get_has_prior_data(&self, data_type: u8) -> Result<bool, SecurityStateError> {
if data_type == nsICertStorage::DATA_TYPE_CRLITE_FILTER_FULL {
return Ok(self.crlite_filter.is_some());
}
```
Fixed Code:
```rust
pub fn get_has_prior_data(&self, data_type: u8) -> Result<bool, SecurityStateError> {
if data_type == nsICertStorage::DATA_TYPE_CRLITE_FILTER_FULL {
return Ok(self.crlite_filter.is_some() && self.crlite_coverage.is_some());
}
```
The fix adds coverage validation to ensure both the filter and coverage data exist before considering CRLite data valid.
2. Vulnerability Existed: yes
CRLite Timestamp Validation [security/manager/ssl/cert_storage/src/lib.rs] [Lines 606-612, 1719-1732]
Old Code:
```rust
pub fn get_crlite_revocation_state(
&self,
issuer: &[u8],
issuer_spki: &[u8],
serial_number: &[u8],
) -> Result<(u64, i16), SecurityStateError> {
```
Fixed Code:
```rust
pub fn get_crlite_revocation_state(
&self,
issuer: &[u8],
issuer_spki: &[u8],
serial_number: &[u8],
timestamps: &[CRLiteTimestamp],
) -> Result<i16, SecurityStateError> {
if !self.filter_covers_some_timestamp(timestamps) {
return Ok(nsICertStorage::STATE_NOT_COVERED);
}
```
The fix adds timestamp validation to ensure the CRLite filter covers the relevant time period before making revocation decisions.
3. Vulnerability Existed: yes
CRLite Coverage Data Storage [security/manager/ssl/cert_storage/src/lib.rs] [Lines 153-154, 418-441, 457-482]
Old Code:
```rust
crlite_stash: Option<HashMap<Vec<u8>, HashSet<Vec<u8>>>>,
```
Fixed Code:
```rust
crlite_stash: Option<HashMap<Vec<u8>, HashSet<Vec<u8>>>>,
crlite_coverage: Option<HashMap<Vec<u8>, (u64, u64)>>,
```
The fix adds proper storage for CRLite coverage data, including serialization/deserialization logic and file storage.
4. Vulnerability Existed: not sure
Potential Memory Safety [security/manager/ssl/cert_storage/src/lib.rs] [Lines 1719-1732]
Old Code:
```rust
unsafe fn SetFullCRLiteFilter(
&self,
filter: *const ThinVec<u8>,
timestamp: u64,
```
Fixed Code:
```rust
unsafe fn SetFullCRLiteFilter(
&self,
filter: *const ThinVec<u8>,
coverage: *const ThinVec<RefPtr<nsICRLiteCoverage>>,
```
The change adds coverage data handling but it's unclear if there were memory safety issues in the old version. The unsafe block remains.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/jpeg-xl/lib/jxl/dec_ans.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/jpeg-xl/lib/jxl/dec_ans.h@@ -235,7 +235,11 @@ return ReadSymbolWithoutRefill(histo_idx, br); }- bool CheckANSFinalState() { return state_ == (ANS_SIGNATURE << 16u); }+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION+ bool CheckANSFinalState() const { return true; }+#else+ bool CheckANSFinalState() const { return state_ == (ANS_SIGNATURE << 16u); }+#endif template <typename BitReader> static JXL_INLINE uint32_t ReadHybridUintConfig(
Let me analyze the provided code diff for security fixes.
Vulnerability Existed: yes
[Potential ANS State Validation Bypass] [third_party/jpeg-xl/lib/jxl/dec_ans.h] [Lines 235-239]
[Old Code]
bool CheckANSFinalState() { return state_ == (ANS_SIGNATURE << 16u); }
[Fixed Code]
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
bool CheckANSFinalState() const { return true; }
#else
bool CheckANSFinalState() const { return state_ == (ANS_SIGNATURE << 16u); }
#endif
Additional Details:
1. The change introduces a fuzzing-specific bypass for ANS state validation
2. The old code could potentially fail validation during fuzzing, preventing exploration of interesting code paths
3. The fix makes the method const-correct by adding const qualifier
4. This appears to be a fuzzing-related improvement rather than a direct security fix, but the original validation could have security implications if bypassed
Vulnerability Existed: not sure
[Potential State Validation Issue] [third_party/jpeg-xl/lib/jxl/dec_ans.h] [Lines 235-239]
[Old Code]
bool CheckANSFinalState() { return state_ == (ANS_SIGNATURE << 16u); }
[Fixed Code]
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
bool CheckANSFinalState() const { return true; }
#else
bool CheckANSFinalState() const { return state_ == (ANS_SIGNATURE << 16u); }
#endif
Additional Details:
1. The modification suggests the original state validation might have been too strict during fuzzing
2. It's unclear if this could have been exploited in production, hence marked as "not sure"
3. The change primarily improves fuzzing effectiveness while maintaining security in production builds
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.css-color-4-hsla-8.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.css-color-4-hsla-8.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'hsl(2.0943951024rad, 100.0%, 50.0%)'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided code diff, here's the analysis following the required format:
Vulnerability Existed: no
[No Vulnerability Found] [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.css-color-4-hsla-8.html] [Lines 17-25]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
ctx.fillStyle = '#f00';
ctx.fillStyle = 'hsl(2.0943951024rad, 100.0%, 50.0%)';
ctx.fillRect(0, 0, 100, 50);
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
ctx.fillStyle = '#f00';
ctx.fillStyle = 'hsl(2.0943951024rad, 100.0%, 50.0%)';
ctx.fillRect(0, 0, 100, 50);
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and don't indicate any security fixes. The functionality remains identical, just with a different variable name. No security vulnerabilities were addressed in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/python/taskcluster_taskgraph/taskgraph/util/path.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/python/taskcluster_taskgraph/taskgraph/util/path.py@@ -153,3 +153,20 @@ if relativepath.endswith("/") and not result.endswith("/"): result += "/" return result+++def ancestors(path):+ """Emit the parent directories of a path.++ Args:+ path (str): Path to emit parents of.++ Yields:+ str: Path of parent directory.+ """+ while path:+ yield path+ newpath = os.path.dirname(path)+ if newpath == path:+ break+ path = newpath
Analyzing the provided code diff, which adds a new `ancestors()` function to handle path operations:
1. Vulnerability Existed: no
No vulnerability found [File] third_party/python/taskcluster_taskgraph/taskgraph/util/path.py [Lines] 153-170
[Old Code]
(No previous code existed for this function)
[Fixed Code]
```python
def ancestors(path):
"""Emit the parent directories of a path.
Args:
path (str): Path to emit parents of.
Yields:
str: Path of parent directory.
"""
while path:
yield path
newpath = os.path.dirname(path)
if newpath == path:
break
path = newpath
```
The diff shows a new function being added rather than a security fix. The `ancestors()` function appears to be a safe implementation for iterating through parent directories, with proper termination when reaching the root directory. No security vulnerabilities are being addressed in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.name-1.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.name-1.worker.js@@ -13,14 +13,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'darkbrown'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for potential security vulnerabilities:
1. Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.name-1.worker.js [Lines] 13-21
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[...]
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
[...]
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes appear to be purely cosmetic/refactoring, renaming the variable from `offscreenCanvas` to `canvas`. There's no indication of any security vulnerability being fixed in this change. The functionality remains exactly the same, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.4.radii.1.double.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.4.radii.1.double.html@@ -17,18 +17,18 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50); ctx.roundRect(0, 0, 100, 50, [20, 0, 0, 0]); ctx.fillStyle = '#0f0'; ctx.fill();-_assertPixel(offscreenCanvas, 1,1, 255,0,0,255, "1,1", "255,0,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 255,0,0,255, "1,1", "255,0,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring, renaming a variable from `offscreenCanvas` to `canvas` and updating the corresponding assertions. Here's my analysis:
Vulnerability Existed: no
No security vulnerability found
File: testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.4.radii.1.double.html
Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50);
Fixed Code: var canvas = new OffscreenCanvas(100, 50);
The rest of the changes are just updates to use the new variable name in the assertions, which doesn't represent any security fix. The functionality remains exactly the same.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/context.unrecognised.nullsuffix.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/context.unrecognised.nullsuffix.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var offscreenCanvas2 = new OffscreenCanvas(100, 50); assert_throws_js(TypeError, function() { offscreenCanvas2.getContext("2d\0"); });
Analyzing the provided code diff, here's the security assessment:
1. Vulnerability Existed: not sure
[Potential Null Byte Injection] [testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/context.unrecognised.nullsuffix.html] [Lines 17-18]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
2. Vulnerability Existed: yes
[Null Byte Injection] [testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/context.unrecognised.nullsuffix.html] [Line 21]
[Old Code]
(No explicit test for null byte in context string)
[Fixed Code]
assert_throws_js(TypeError, function() { offscreenCanvas2.getContext("2d\0"); });
Additional notes:
1. The first change appears to be a variable rename (offscreenCanvas → canvas) which doesn't seem security-related.
2. The second change explicitly tests for null byte handling in the context string, which is a security improvement as null bytes can be used in injection attacks.
3. The test addition confirms that the browser properly handles null bytes in context strings by throwing a TypeError, preventing potential null byte injection vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.clearRect.negative.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.clearRect.negative.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -26,10 +26,10 @@ ctx.clearRect(100, 0, -50, 25); ctx.clearRect(0, 50, 50, -25); ctx.clearRect(100, 50, -50, -25);-_assertPixel(offscreenCanvas, 25,12, 0,0,0,0, "25,12", "0,0,0,0");-_assertPixel(offscreenCanvas, 75,12, 0,0,0,0, "75,12", "0,0,0,0");-_assertPixel(offscreenCanvas, 25,37, 0,0,0,0, "25,37", "0,0,0,0");-_assertPixel(offscreenCanvas, 75,37, 0,0,0,0, "75,37", "0,0,0,0");+_assertPixel(canvas, 25,12, 0,0,0,0, "25,12", "0,0,0,0");+_assertPixel(canvas, 75,12, 0,0,0,0, "75,12", "0,0,0,0");+_assertPixel(canvas, 25,37, 0,0,0,0, "25,37", "0,0,0,0");+_assertPixel(canvas, 75,37, 0,0,0,0, "75,37", "0,0,0,0"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and corresponding updates to the assertions. Here's the analysis:
1. Vulnerability Existed: no
No security vulnerability found
File: testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.clearRect.negative.html
Lines: 17-26
Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d');
Fixed Code: var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d');
2. Vulnerability Existed: no
No security vulnerability found
File: testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.clearRect.negative.html
Lines: 26-30
Old Code: _assertPixel(offscreenCanvas, 25,12, 0,0,0,0, "25,12", "0,0,0,0"); etc.
Fixed Code: _assertPixel(canvas, 25,12, 0,0,0,0, "25,12", "0,0,0,0"); etc.
The changes are purely cosmetic/refactoring in nature and don't appear to address any security issues. The test logic remains the same, only the variable name has been changed for consistency or clarity.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.