Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/canvas/DrawTargetWebgl.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/canvas/DrawTargetWebgl.cpp@@ -329,6 +329,9 @@ already_AddRefed<SourceSurface> DrawTargetWebgl::Snapshot() { // If already using the Skia fallback, then just snapshot that. if (mSkiaValid) {+ if (mSkiaLayer) {+ FlattenSkia();+ } return mSkia->Snapshot(); }@@ -403,14 +406,16 @@ bool DrawTargetWebgl::LockBits(uint8_t** aData, IntSize* aSize, int32_t* aStride, SurfaceFormat* aFormat, IntPoint* aOrigin) {- if (mSkiaValid) {+ // Can only access pixels if there is valid, flattened Skia data.+ if (mSkiaValid && !mSkiaLayer) { return mSkia->LockBits(aData, aSize, aStride, aFormat, aOrigin); } return false; } void DrawTargetWebgl::ReleaseBits(uint8_t* aData) {- if (mSkiaValid) {+ // Can only access pixels if there is valid, flattened Skia data.+ if (mSkiaValid && !mSkiaLayer) { mSkia->ReleaseBits(aData); } }@@ -424,7 +429,7 @@ if (!mVertexBuffer) { mVertexBuffer = mWebgl->CreateBuffer(); static const float rectData[8] = {0.0f, 0.0f, 1.0f, 0.0f,- 0.0f, 1.0f, 1.0f, 1.0f};+ 1.0f, 1.0f, 0.0f, 1.0f}; mWebgl->BindVertexArray(mVertexArray.get()); mWebgl->BindBuffer(LOCAL_GL_ARRAY_BUFFER, mVertexBuffer.get()); mWebgl->RawBufferData(LOCAL_GL_ARRAY_BUFFER,@@ -556,7 +561,20 @@ const IntRect& aSourceRect, const IntPoint& aDestination) { if (mSkiaValid) {- MarkSkiaChanged();+ if (mSkiaLayer) {+ if (IntRect(aDestination, aSourceRect.Size()).Contains(GetRect())) {+ // If the the destination would override the entire layer, discard the+ // layer.+ mSkiaLayer = false;+ } else if (!IsOpaque(aSurface->GetFormat())) {+ // If the surface is not opaque, copying it into the layer results in+ // unintended blending rather than a copy to the destination.+ FlattenSkia();+ }+ } else {+ // If there is no layer, copying is safe.+ MarkSkiaChanged();+ } mSkia->CopySurface(aSurface, aSourceRect, aDestination); return; }@@ -646,7 +664,8 @@ Maybe<DeviceColor> aMaskColor, RefPtr<TextureHandle>* aHandle, bool aTransformed, bool aClipped,- bool aAccelOnly, bool aForceUpdate) {+ bool aAccelOnly, bool aForceUpdate,+ const StrokeOptions* aStrokeOptions) { if (aRect.IsEmpty()) { return true; }@@ -678,11 +697,13 @@ return false; } // Invalidate the WebGL target and prepare the Skia target for drawing.- MarkSkiaChanged();+ MarkSkiaChanged(aOptions); if (aTransformed) { // If transforms are requested, then just translate back to FillRect. if (aMaskColor) { mSkia->Mask(ColorPattern(*aMaskColor), aPattern, aOptions);+ } else if (aStrokeOptions) {+ mSkia->StrokeRect(aRect, aPattern, *aStrokeOptions, aOptions); } else { mSkia->FillRect(aRect, aPattern, aOptions); }@@ -698,6 +719,8 @@ } else { mSkia->Mask(ColorPattern(*aMaskColor), aPattern, aOptions); }+ } else if (aStrokeOptions) {+ mSkia->StrokeRect(aRect, aPattern, *aStrokeOptions, aOptions); } else { mSkia->FillRect(aRect, aPattern, aOptions); }@@ -808,7 +831,8 @@ mWebgl->UniformData(LOCAL_GL_FLOAT_VEC4, mSolidProgramColor, false, {(const uint8_t*)colorData, sizeof(colorData)}); // Finally draw the colored rectangle.- mWebgl->DrawArrays(LOCAL_GL_TRIANGLE_STRIP, 0, 4);+ mWebgl->DrawArrays(+ aStrokeOptions ? LOCAL_GL_LINE_LOOP : LOCAL_GL_TRIANGLE_FAN, 0, 4); break; } case PatternType::SURFACE: {@@ -1071,7 +1095,8 @@ {(const uint8_t*)texBounds, sizeof(texBounds)}); // Finally draw the image rectangle.- mWebgl->DrawArrays(LOCAL_GL_TRIANGLE_STRIP, 0, 4);+ mWebgl->DrawArrays(+ aStrokeOptions ? LOCAL_GL_LINE_LOOP : LOCAL_GL_TRIANGLE_FAN, 0, 4); break; } default:@@ -1133,8 +1158,8 @@ aHandle->Invalidate(); // If the handle has an associated SourceSurface, unlink it. UnlinkSurfaceTexture(aHandle);- // If the handle has an associated GlyphCacheEntry, unlink it.- if (RefPtr<GlyphCacheEntry> entry = aHandle->GetGlyphCacheEntry()) {+ // If the handle has an associated CacheEntry, unlink it.+ if (RefPtr<CacheEntry> entry = aHandle->GetCacheEntry()) { entry->Unlink(); } // Deduct the used space from the total.@@ -1163,7 +1188,126 @@ void DrawTargetWebgl::FillRect(const Rect& aRect, const Pattern& aPattern, const DrawOptions& aOptions) {- DrawRect(aRect, aPattern, aOptions);+ if (SupportsPattern(aPattern)) {+ DrawRect(aRect, aPattern, aOptions);+ } else if (!mWebglValid) {+ MarkSkiaChanged(aOptions);+ mSkia->FillRect(aRect, aPattern, aOptions);+ } else {+ // If the pattern is unsupported, then transform the rect to a path so it+ // can be cached.+ SkPath skiaPath;+ skiaPath.addRect(RectToSkRect(aRect));+ RefPtr<PathSkia> path = new PathSkia(skiaPath, FillRule::FILL_WINDING);+ DrawPath(path, aPattern, aOptions);+ }+}++void CacheEntry::Link(const RefPtr<TextureHandle>& aHandle) {+ mHandle = aHandle;+ mHandle->SetCacheEntry(this);+}++// When the CacheEntry becomes unused, it marks the corresponding+// TextureHandle as unused and unlinks it from the CacheEntry. The+// entry is removed from its containing Cache, if applicable.+void CacheEntry::Unlink() {+ RemoveFromList();++ // The entry may not have a valid handle if rasterization failed.+ if (mHandle) {+ mHandle->SetCacheEntry(nullptr);+ mHandle = nullptr;+ }+}++// Hashes a path and pattern to a single hash value that can be used for quick+// comparisons. This currently avoids to expensive hashing of internal path+// and pattern data for speed, relying instead on later exact comparisons for+// disambiguation.+HashNumber PathCacheEntry::HashPath(const SkPath& aPath,+ const Pattern* aPattern,+ const Matrix& aTransform,+ const IntRect& aBounds) {+ HashNumber hash = 0;+ hash = AddToHash(hash, aPath.countVerbs());+ hash = AddToHash(hash, aPath.countPoints());+ hash = AddToHash(hash, aBounds.width);+ hash = AddToHash(hash, aBounds.height);+ if (aPattern) {+ hash = AddToHash(hash, (int)aPattern->GetType());+ }+ return hash;+}++// When caching rendered geometry, we need to ensure the scale and orientation+// is approximately the same. The offset will be considered separately.+static inline bool HasMatchingScale(const Matrix& aTransform1,+ const Matrix& aTransform2) {+ return FuzzyEqual(aTransform1._11, aTransform2._11) &&+ FuzzyEqual(aTransform1._12, aTransform2._12) &&+ FuzzyEqual(aTransform1._21, aTransform2._21) &&+ FuzzyEqual(aTransform1._22, aTransform2._22);+}++// Determines if an existing path cache entry matches an incoming path and+// pattern.+bool PathCacheEntry::MatchesPath(const SkPath& aPath, const Pattern* aPattern,+ const StrokeOptions* aStrokeOptions,+ const Matrix& aTransform,+ const IntRect& aBounds, HashNumber aHash) {+ return aHash == mHash && HasMatchingScale(aTransform, mTransform) &&+ aBounds.Size() == mBounds.Size() && aPath == mPath &&+ (!aPattern ? !mPattern : mPattern && *aPattern == *mPattern) &&+ (!aStrokeOptions+ ? !mStrokeOptions+ : mStrokeOptions && *aStrokeOptions == *mStrokeOptions);+}++PathCacheEntry::PathCacheEntry(const SkPath& aPath, Pattern* aPattern,+ StoredStrokeOptions* aStrokeOptions,+ const Matrix& aTransform, const IntRect& aBounds,+ const Point& aOrigin, HashNumber aHash)+ : CacheEntryImpl<PathCacheEntry>(aTransform, aBounds, aHash),+ mPath(aPath),+ mOrigin(aOrigin),+ mPattern(aPattern),+ mStrokeOptions(aStrokeOptions) {}++// Attempt to find a matching entry in the path cache. If one isn't found,+// a new entry will be created. The caller should check whether the contained+// texture handle is valid to determine if it will need to render the text run+// or just reuse the cached texture.+already_AddRefed<PathCacheEntry> PathCache::FindOrInsertEntry(+ const SkPath& aPath, const Pattern* aPattern,+ const StrokeOptions* aStrokeOptions, const Matrix& aTransform,+ const IntRect& aBounds, const Point& aOrigin) {+ HashNumber hash =+ PathCacheEntry::HashPath(aPath, aPattern, aTransform, aBounds);+ for (const RefPtr<PathCacheEntry>& entry : mEntries) {+ if (entry->MatchesPath(aPath, aPattern, aStrokeOptions, aTransform, aBounds,+ hash)) {+ return do_AddRef(entry);+ }+ }+ Pattern* pattern = nullptr;+ if (aPattern) {+ pattern = aPattern->Clone();+ if (!pattern) {+ return nullptr;+ }+ }+ StoredStrokeOptions* strokeOptions = nullptr;+ if (aStrokeOptions) {+ strokeOptions = aStrokeOptions->Clone();+ if (!strokeOptions) {+ return nullptr;+ }+ }+ RefPtr<PathCacheEntry> entry = new PathCacheEntry(+ aPath, pattern, strokeOptions, aTransform, aBounds, aOrigin, hash);+ mEntries.insertFront(entry);+ return entry.forget(); } void DrawTargetWebgl::Fill(const Path* aPath, const Pattern& aPattern,@@ -1171,12 +1315,116 @@ if (!aPath || aPath->GetBackendType() != BackendType::SKIA) { return; }- const auto& skiaPath = static_cast<const PathSkia*>(aPath)->GetPath();+ const SkPath& skiaPath = static_cast<const PathSkia*>(aPath)->GetPath(); SkRect rect;- if (skiaPath.isRect(&rect)) {+ // Draw the path as a simple rectangle with a supported pattern when possible.+ if (skiaPath.isRect(&rect) && SupportsPattern(aPattern)) { DrawRect(SkRectToRect(rect), aPattern, aOptions); } else {- MarkSkiaChanged();+ DrawPath(aPath, aPattern, aOptions);+ }+}++void DrawTargetWebgl::DrawPath(const Path* aPath, const Pattern& aPattern,+ const DrawOptions& aOptions,+ const StrokeOptions* aStrokeOptions) {+ // If there is a WebGL context, then try to cache the path to avoid slow+ // fallbacks.+ if (mWebglValid && SupportsDrawOptions(aOptions)) {+ // Get the transformed bounds for the path and conservatively check if the+ // bounds overlap the canvas.+ const PathSkia* pathSkia = static_cast<const PathSkia*>(aPath);+ Rect bounds = pathSkia->GetFastBounds(mTransform, aStrokeOptions)+ .Intersect(Rect(mSkia->GetRect()));+ if (bounds.IsEmpty()) {+ return;+ }+ IntRect intBounds = RoundedOut(bounds);+ // If the pattern is a solid color, then this will be used along with a path+ // mask to render the path, as opposed to baking the pattern into the cached+ // path texture.+ Maybe<DeviceColor> color =+ aPattern.GetType() == PatternType::COLOR+ ? Some(static_cast<const ColorPattern&>(aPattern).mColor)+ : Nothing();+ if (!mPathCache) {+ mPathCache = MakeUnique<PathCache>();+ }+ // Look for an existing path cache entry, if possible, or otherwise create+ // one.+ RefPtr<PathCacheEntry> entry = mPathCache->FindOrInsertEntry(+ pathSkia->GetPath(), color ? nullptr : &aPattern, aStrokeOptions,+ mTransform, intBounds, bounds.TopLeft());+ if (entry) {+ RefPtr<TextureHandle> handle = entry->GetHandle();+ if (handle && handle->IsValid()) {+ // If the entry has a valid texture handle still, use it. However, only+ // the rounded integer bounds of the path are considered, so we need to+ // be careful to subtract off the old subpixel offset from the cached+ // patch and add in the new subpixel offset. The integer bounds origin+ // is subtracted from the path offset when it is cached, so we rather+ // need to consider the offset as the difference between the path's real+ // bounds origin and the rounded integer origin.+ Point oldOffset = entry->GetOrigin() - entry->GetBounds().TopLeft();+ Point newOffset = bounds.TopLeft() - intBounds.TopLeft();+ Rect offsetRect = Rect(intBounds) + (newOffset - oldOffset);+ SurfacePattern pathPattern(nullptr, ExtendMode::CLAMP,+ Matrix::Translation(offsetRect.TopLeft()));+ if (DrawRect(offsetRect, pathPattern, aOptions, color, &handle, false,+ true, true)) {+ return;+ }+ } else {+ // If there isn't a valid texture handle, then we need to rasterize the+ // path in a software canvas and upload this to a texture. Solid color+ // patterns will be rendered as a path mask that can then be modulated+ // with any color. Other pattern types have to rasterize the pattern+ // directly into the cached texture.+ handle = nullptr;+ RefPtr<DrawTargetSkia> pathDT = new DrawTargetSkia;+ if (pathDT->Init(intBounds.Size(),+ color ? SurfaceFormat::A8 : SurfaceFormat::B8G8R8A8)) {+ pathDT->SetTransform(mTransform *+ Matrix::Translation(-intBounds.TopLeft()));+ DrawOptions drawOptions(1.0f, CompositionOp::OP_OVER,+ aOptions.mAntialiasMode);+ static const ColorPattern maskPattern(+ DeviceColor(1.0f, 1.0f, 1.0f, 1.0f));+ const Pattern& cachePattern = color ? maskPattern : aPattern;+ if (aStrokeOptions) {+ pathDT->Stroke(aPath, cachePattern, *aStrokeOptions, drawOptions);+ } else {+ pathDT->Fill(aPath, cachePattern, drawOptions);+ }+ RefPtr<SourceSurface> pathSurface = pathDT->Snapshot();+ if (pathSurface) {+ SurfacePattern pathPattern(+ pathSurface, ExtendMode::CLAMP,+ Matrix::Translation(intBounds.TopLeft()));+ // Try and upload the rasterized path to a texture. If there is a+ // valid texture handle after this, then link it to the entry.+ // Otherwise, we might have fallen back to software drawing the+ // path, so unlink it from the entry and bail out.+ if (DrawRect(Rect(intBounds), pathPattern, aOptions, color, &handle,+ false, true) &&+ handle) {+ entry->Link(handle);+ } else {+ entry->Unlink();+ }+ return;+ }+ }+ }+ }+ }++ // There was no path cache entry available to use, so fall back to drawing the+ // path with Skia.+ MarkSkiaChanged(aOptions);+ if (aStrokeOptions) {+ mSkia->Stroke(aPath, aPattern, *aStrokeOptions, aOptions);+ } else { mSkia->Fill(aPath, aPattern, aOptions); } }@@ -1198,7 +1446,7 @@ if (!SupportsDrawOptions(aOptions) || aMask.GetType() != PatternType::SURFACE || aSource.GetType() != PatternType::COLOR) {- MarkSkiaChanged();+ MarkSkiaChanged(aOptions); mSkia->Mask(aSource, aMask, aOptions); return; }@@ -1212,7 +1460,7 @@ Point aOffset, const DrawOptions& aOptions) { if (!SupportsDrawOptions(aOptions) || aSource.GetType() != PatternType::COLOR) {- MarkSkiaChanged();+ MarkSkiaChanged(aOptions); mSkia->MaskSurface(aSource, aMask, aOffset, aOptions); } else { auto sourceColor = static_cast<const ColorPattern&>(aSource).mColor;@@ -1341,23 +1589,52 @@ void DrawTargetWebgl::StrokeRect(const Rect& aRect, const Pattern& aPattern, const StrokeOptions& aStrokeOptions, const DrawOptions& aOptions) {- MarkSkiaChanged();- mSkia->StrokeRect(aRect, aPattern, aStrokeOptions, aOptions);+ // TODO: Support other stroke options. Ensure that we only stroke with the+ // default settings for now.+ if (aStrokeOptions == StrokeOptions() && mTransform.PreservesDistance()) {+ DrawRect(aRect, aPattern, aOptions, Nothing(), nullptr, true, true, false,+ false, &aStrokeOptions);+ } else if (!mWebglValid || !SupportsPattern(aPattern)) {+ MarkSkiaChanged(aOptions);+ mSkia->StrokeRect(aRect, aPattern, aStrokeOptions, aOptions);+ } else {+ // If the stroke options are unsupported, then transform the rect to a path+ // so it can be cached.+ SkPath skiaPath;+ skiaPath.addRect(RectToSkRect(aRect));+ RefPtr<PathSkia> path = new PathSkia(skiaPath, FillRule::FILL_WINDING);+ DrawPath(path, aPattern, aOptions, &aStrokeOptions);+ } } void DrawTargetWebgl::StrokeLine(const Point& aStart, const Point& aEnd, const Pattern& aPattern, const StrokeOptions& aStrokeOptions, const DrawOptions& aOptions) {- MarkSkiaChanged();+ MarkSkiaChanged(aOptions); mSkia->StrokeLine(aStart, aEnd, aPattern, aStrokeOptions, aOptions); } void DrawTargetWebgl::Stroke(const Path* aPath, const Pattern& aPattern, const StrokeOptions& aStrokeOptions, const DrawOptions& aOptions) {- MarkSkiaChanged();- mSkia->Stroke(aPath, aPattern, aStrokeOptions, aOptions);+ if (!aPath || aPath->GetBackendType() != BackendType::SKIA) {+ return;+ }+ const auto& skiaPath = static_cast<const PathSkia*>(aPath)->GetPath();+ SkRect rect;+ SkPoint line[2];+ if (!mWebglValid) {+ MarkSkiaChanged(aOptions);+ mSkia->Stroke(aPath, aPattern, aStrokeOptions, aOptions);+ } else if (skiaPath.isRect(&rect)) {+ StrokeRect(SkRectToRect(rect), aPattern, aStrokeOptions, aOptions);+ } else if (skiaPath.isLine(line)) {+ StrokeLine(SkPointToPoint(line[0]), SkPointToPoint(line[1]), aPattern,+ aStrokeOptions, aOptions);+ } else {+ DrawPath(aPath, aPattern, aOptions, &aStrokeOptions);+ } } void DrawTargetWebgl::StrokeGlyphs(ScaledFont* aFont,@@ -1365,7 +1642,7 @@ const Pattern& aPattern, const StrokeOptions& aStrokeOptions, const DrawOptions& aOptions) {- MarkSkiaChanged();+ MarkSkiaChanged(aOptions); mSkia->StrokeGlyphs(aFont, aBuffer, aPattern, aStrokeOptions, aOptions); }@@ -1399,16 +1676,6 @@ return hash; }-// When caching text runs, we need to ensure the scale and orientation of the-// text is approximately the same. The offset will be considered separately.-static inline bool HasMatchingScale(const Matrix& aTransform1,- const Matrix& aTransform2) {- return FuzzyEqual(aTransform1._11, aTransform2._11) &&- FuzzyEqual(aTransform1._12, aTransform2._12) &&- FuzzyEqual(aTransform1._21, aTransform2._21) &&- FuzzyEqual(aTransform1._22, aTransform2._22);-}- // Determines if an existing glyph cache entry matches an incoming text run. bool GlyphCacheEntry::MatchesGlyphs(const GlyphBuffer& aBuffer, const DeviceColor& aColor,@@ -1444,10 +1711,8 @@ const DeviceColor& aColor, const Matrix& aTransform, const IntRect& aBounds, HashNumber aHash)- : mColor(aColor),- mTransform(aTransform),- mBounds(aBounds),- mHash(aHash ? aHash : HashGlyphs(aBuffer, aTransform)) {+ : CacheEntryImpl<GlyphCacheEntry>(aTransform, aBounds, aHash),+ mColor(aColor) { // Store a copy of the glyph buffer with positions already quantized for fast // comparison later. Glyph* glyphs = new Glyph[aBuffer.mNumGlyphs];@@ -1470,47 +1735,20 @@ // or just reuse the cached texture. already_AddRefed<GlyphCacheEntry> GlyphCache::FindOrInsertEntry( const GlyphBuffer& aBuffer, const DeviceColor& aColor,- const Matrix& aTransform, const IntRect& aBounds, HashNumber aHash) {- if (!aHash) {- aHash = GlyphCacheEntry::HashGlyphs(aBuffer, aTransform);- }+ const Matrix& aTransform, const IntRect& aBounds) {+ HashNumber hash = GlyphCacheEntry::HashGlyphs(aBuffer, aTransform); for (const RefPtr<GlyphCacheEntry>& entry : mEntries) {- if (entry->MatchesGlyphs(aBuffer, aColor, aTransform, aBounds, aHash)) {+ if (entry->MatchesGlyphs(aBuffer, aColor, aTransform, aBounds, hash)) { return do_AddRef(entry); } } RefPtr<GlyphCacheEntry> entry =- new GlyphCacheEntry(aBuffer, aColor, aTransform, aBounds, aHash);+ new GlyphCacheEntry(aBuffer, aColor, aTransform, aBounds, hash); mEntries.insertFront(entry); return entry.forget(); } GlyphCache::GlyphCache(ScaledFont* aFont) : mFont(aFont) {}--void GlyphCacheEntry::Link(const RefPtr<TextureHandle>& aHandle) {- mHandle = aHandle;- mHandle->SetGlyphCacheEntry(this);-}--// When the GlyphCacheEntry becomes unused, it marks the corresponding-// TextureHandle as unused and unlinks it from the GlyphCacheEntry. The-// entry is removed from its containing GlyphCache, if applicable.-void GlyphCacheEntry::Unlink() {- if (isInList()) {- remove();- }- // The entry may not have a valid handle if rasterization failed.- if (mHandle) {- mHandle->SetGlyphCacheEntry(nullptr);- mHandle = nullptr;- }-}--GlyphCache::~GlyphCache() {- while (RefPtr<GlyphCacheEntry> entry = mEntries.popLast()) {- entry->Unlink();- }-} static void ReleaseGlyphCache(void* aPtr) { delete static_cast<GlyphCache*>(aPtr);@@ -1603,13 +1841,11 @@ mGlyphCaches.insertFront(cache); } // Hash the incoming text run and looking for a matching entry.- HashNumber hash = GlyphCacheEntry::HashGlyphs(aBuffer, mTransform); DeviceColor color = static_cast<const ColorPattern&>(aPattern).mColor;- color.a *= aOptions.mAlpha; DeviceColor aaColor = useColor ? color : DeviceColor(1.0f, 1.0f, 1.0f, 1.0f);- RefPtr<GlyphCacheEntry> entry = cache->FindOrInsertEntry(- aBuffer, aaColor, mTransform, intBounds, hash);+ RefPtr<GlyphCacheEntry> entry =+ cache->FindOrInsertEntry(aBuffer, aaColor, mTransform, intBounds); if (entry) { RefPtr<TextureHandle> handle = entry->GetHandle(); if (handle && handle->IsValid()) {@@ -1620,57 +1856,60 @@ // texture. SurfacePattern pattern(nullptr, ExtendMode::CLAMP, Matrix::Translation(intBounds.TopLeft()));- if (!DrawRect(Rect(intBounds), pattern, aOptions,- handle->GetFormat() == SurfaceFormat::A8 ? Some(color)- : Nothing(),- &handle, false, true, true)) {- MarkSkiaChanged();- mSkia->FillGlyphs(aFont, aBuffer, aPattern, aOptions);+ if (DrawRect(Rect(intBounds), pattern, aOptions,+ handle->GetFormat() == SurfaceFormat::A8 ? Some(color)+ : Nothing(),+ &handle, false, true, true)) {+ return; }- return;- }- handle = nullptr;-- // If we get here, either there wasn't a cached texture handle or it- // wasn't valid. Render the text run into a temporary target.- RefPtr<DrawTargetSkia> textDT = new DrawTargetSkia;- if (textDT->Init(intBounds.Size(), SurfaceFormat::B8G8R8A8)) {- textDT->SetTransform(mTransform *- Matrix::Translation(-intBounds.TopLeft()));- textDT->FillGlyphs(aFont, aBuffer, ColorPattern(aaColor));- RefPtr<SourceSurface> textSurface = textDT->Snapshot();- if (textSurface) {- if (!useColor) {- // If we don't expect the text surface to contain color glyphs- // such as from subpixel AA, then do one final check to see if- // any ended up in the result. If not, extract the alpha values- // from the surface so we can render it as a mask.- if (CheckForColorGlyphs(textSurface)) {- useColor = true;- } else {- textSurface = ExtractAlpha(textSurface);- if (!textSurface) {- // Failed extracting alpha for the text surface...- return;+ } else {+ handle = nullptr;++ // If we get here, either there wasn't a cached texture handle or it+ // wasn't valid. Render the text run into a temporary target.+ RefPtr<DrawTargetSkia> textDT = new DrawTargetSkia;+ if (textDT->Init(intBounds.Size(), SurfaceFormat::B8G8R8A8)) {+ textDT->SetTransform(mTransform *+ Matrix::Translation(-intBounds.TopLeft()));+ textDT->SetPermitSubpixelAA(useSubpixelAA);+ DrawOptions drawOptions(1.0f, CompositionOp::OP_OVER,+ aOptions.mAntialiasMode);+ textDT->FillGlyphs(aFont, aBuffer, ColorPattern(aaColor),+ drawOptions);+ RefPtr<SourceSurface> textSurface = textDT->Snapshot();+ if (textSurface) {+ if (!useColor) {+ // If we don't expect the text surface to contain color glyphs+ // such as from subpixel AA, then do one final check to see if+ // any ended up in the result. If not, extract the alpha values+ // from the surface so we can render it as a mask.+ if (CheckForColorGlyphs(textSurface)) {+ useColor = true;+ } else {+ textSurface = ExtractAlpha(textSurface);+ if (!textSurface) {+ // Failed extracting alpha for the text surface...+ return;+ } } }+ // Attempt to upload the rendered text surface into a texture+ // handle and draw it.+ SurfacePattern pattern(textSurface, ExtendMode::CLAMP,+ Matrix::Translation(intBounds.TopLeft()));+ if (DrawRect(Rect(intBounds), pattern, aOptions,+ useColor ? Nothing() : Some(color), &handle, false,+ true) &&+ handle) {+ // If drawing succeeded, then the text surface was uploaded to+ // a texture handle. Assign it to the glyph cache entry.+ entry->Link(handle);+ } else {+ // If drawing failed, remove the entry from the cache.+ entry->Unlink();+ }+ return; }- // Attempt to upload the rendered text surface into a texture- // handle and draw it.- SurfacePattern pattern(textSurface, ExtendMode::CLAMP,- Matrix::Translation(intBounds.TopLeft()));- if (DrawRect(Rect(intBounds), pattern, aOptions,- useColor ? Nothing() : Some(color), &handle, false,- true) &&- handle) {- // If drawing succeeded, then the text surface was uploaded to- // a texture handle. Assign it to the glyph cache entry.- entry->Link(handle);- } else {- // If drawing failed, remove the entry from the cache.- entry->Unlink();- }- return; } } }@@ -1679,8 +1918,25 @@ // If not able to cache the text run to a texture, then just fall back to // drawing with the Skia target.- MarkSkiaChanged();+ MarkSkiaChanged(aOptions); mSkia->FillGlyphs(aFont, aBuffer, aPattern, aOptions);+}++void DrawTargetWebgl::MarkSkiaChanged(const DrawOptions& aOptions) {+ if (aOptions.mCompositionOp == CompositionOp::OP_OVER) {+ // Layering is only supporting for the default source-over composition op.+ if (!mSkiaValid) {+ // If the Skia context needs initialization, clear it and enable layering.+ mSkia->Clear();+ mSkiaValid = true;+ mSkiaLayer = true;+ }+ // The WebGL context is no longer up-to-date.+ mWebglValid = false;+ } else {+ // For other composition ops, just overwrite the Skia data.+ MarkSkiaChanged();+ } } // Attempts to read the contents of the WebGL context into the Skia target.@@ -1705,6 +1961,28 @@ } } mSkiaValid = true;+ // The Skia data is flat after reading, so disable any layering.+ mSkiaLayer = false;+}++// Reads data from the WebGL context and blends it with the current Skia layer.+void DrawTargetWebgl::FlattenSkia() {+ if (!mSkiaValid || !mSkiaLayer) {+ return;+ }+ if (!mWebgl->IsContextLost()) {+ RefPtr<DataSourceSurface> base =+ Factory::CreateDataSourceSurface(mSize, mFormat);+ if (base) {+ DataSourceSurface::ScopedMap baseMap(base, DataSourceSurface::WRITE);+ if (baseMap.IsMapped() &&+ ReadInto(baseMap.GetData(), baseMap.GetStride())) {+ mSkia->BlendSurface(base, GetRect(), IntPoint(),+ CompositionOp::OP_DEST_OVER);+ }+ }+ }+ mSkiaLayer = false; } // Attempts to draw the contents of the Skia target into the WebGL context.@@ -1722,9 +2000,12 @@ RefPtr<SourceSurface> skiaSnapshot = mSkia->Snapshot(); if (skiaSnapshot) { SurfacePattern pattern(skiaSnapshot, ExtendMode::CLAMP);+ // If there is a layer, blend the snapshot with the WebGL context,+ // otherwise copy it. DrawRect(Rect(GetRect()), pattern,- DrawOptions(1.0f, CompositionOp::OP_SOURCE), Nothing(),- &mSnapshotTexture, false, false, false, true);+ DrawOptions(1.0f, mSkiaLayer ? CompositionOp::OP_OVER+ : CompositionOp::OP_SOURCE),+ Nothing(), &mSnapshotTexture, false, false, false, true); } } return true;@@ -1793,7 +2074,7 @@ void DrawTargetWebgl::DrawFilter(FilterNode* aNode, const Rect& aSourceRect, const Point& aDestPoint, const DrawOptions& aOptions) {- MarkSkiaChanged();+ MarkSkiaChanged(aOptions); mSkia->DrawFilter(aNode, aSourceRect, aDestPoint, aOptions); }
Based on the provided code diff, I'll analyze it for security vulnerabilities. Here are the findings:
1. Vulnerability Existed: yes
Memory Corruption - Improper Locking [dom/canvas/DrawTargetWebgl.cpp] [Lines 403-406, 419-422]
Old Code:
```cpp
if (mSkiaValid) {
return mSkia->LockBits(aData, aSize, aStride, aFormat, aOrigin);
}
```
Fixed Code:
```cpp
if (mSkiaValid && !mSkiaLayer) {
return mSkia->LockBits(aData, aSize, aStride, aFormat, aOrigin);
}
```
2. Vulnerability Existed: yes
Memory Corruption - Improper Release [dom/canvas/DrawTargetWebgl.cpp] [Lines 428-430]
Old Code:
```cpp
if (mSkiaValid) {
mSkia->ReleaseBits(aData);
}
```
Fixed Code:
```cpp
if (mSkiaValid && !mSkiaLayer) {
mSkia->ReleaseBits(aData);
}
```
3. Vulnerability Existed: not sure
Potential Integer Overflow [dom/canvas/DrawTargetWebgl.cpp] [Lines 424-429]
Old Code:
```cpp
static const float rectData[8] = {0.0f, 0.0f, 1.0f, 0.0f,
0.0f, 1.0f, 1.0f, 1.0f};
```
Fixed Code:
```cpp
static const float rectData[8] = {0.0f, 0.0f, 1.0f, 0.0f,
1.0f, 1.0f, 0.0f, 1.0f};
```
4. Vulnerability Existed: yes
Memory Corruption - Improper CopySurface Handling [dom/canvas/DrawTargetWebgl.cpp] [Lines 555-558]
Old Code:
```cpp
if (mSkiaValid) {
MarkSkiaChanged();
mSkia->CopySurface(aSurface, aSourceRect, aDestination);
```
Fixed Code:
```cpp
if (mSkiaValid) {
if (mSkiaLayer) {
if (IntRect(aDestination, aSourceRect.Size()).Contains(GetRect())) {
mSkiaLayer = false;
} else if (!IsOpaque(aSurface->GetFormat())) {
FlattenSkia();
}
} else {
MarkSkiaChanged();
}
mSkia->CopySurface(aSurface, aSourceRect, aDestination);
```
The changes appear to address several potential security issues:
1. Added checks for mSkiaLayer when locking/releasing bits to prevent accessing invalid memory
2. Modified vertex data ordering which might affect memory layout
3. Added proper handling for CopySurface operations when layers are involved
4. Added additional validation checks throughout the code
The most significant fixes are around proper memory access validation when dealing with Skia surfaces and layers, which could have led to memory corruption vulnerabilities if unvalidated operations were performed on invalid surfaces.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-grid/parsing/grid-shorthand-valid.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-grid/parsing/grid-shorthand-valid.html@@ -29,6 +29,7 @@ test_valid_value("grid", '[a] "a" 10px [a]'); test_valid_value("grid", '"a"'); test_valid_value("grid", '"a" auto', '"a"');+test_valid_value("grid", '"a a a"', '"a a a"'); test_valid_value("grid", '"a" / 10px'); test_valid_value("grid", '"a" / 20%'); test_valid_value("grid", '"a" / 5fr');@@ -51,6 +52,17 @@ test_valid_value("grid", '"a" "a" [a] "b" [a]'); test_valid_value("grid", '"a" [a] "b" [a] / 0', '"a" [a] "b" [a] / 0px'); test_valid_value("grid", '"a" "a" [a] [a] "b" / auto', '"a" "a" [a a] "b" / auto');+test_valid_value("grid", '100px / auto-flow dense 100px');+test_valid_value("grid", 'auto-flow dense 1fr / 100px');+test_valid_value("grid", '100px / dense auto-flow 100px', '100px / auto-flow dense 100px');+test_valid_value("grid", 'dense auto-flow 1fr / 100px', 'auto-flow dense 1fr / 100px');+test_valid_value("grid", '100px / auto-flow 100px');+test_valid_value("grid", 'auto-flow 1fr / 100px');+test_valid_value("grid", 'none / auto-flow 100px');+test_valid_value("grid", 'auto-flow 1fr / none');+test_valid_value("grid", 'auto / auto-flow 100px');+test_valid_value("grid", 'auto-flow 1fr / auto');+test_valid_value("grid", '1fr / 1fr'); // FIXME: add more values to test full syntax
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be test case additions for CSS grid shorthand property validation. Here's my analysis:
1. Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/css/css-grid/parsing/grid-shorthand-valid.html] [Lines 29-52]
[Old test cases]
[Added more test cases for grid shorthand validation]
The changes consist solely of adding new test cases for the CSS grid shorthand property, including:
1. Adding a test for quoted string with multiple spaces
2. Adding tests for auto-flow dense combinations
3. Adding tests for none/auto combinations
4. Adding a simple 1fr/1fr test case
These are all legitimate test additions for CSS property parsing and don't indicate any security fixes. The changes are purely related to expanding test coverage for the grid shorthand syntax.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/thebes/gfxPlatform.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/thebes/gfxPlatform.cpp@@ -24,6 +24,7 @@ #include "mozilla/ClearOnShutdown.h" #include "mozilla/StaticPrefs_accessibility.h" #include "mozilla/StaticPrefs_apz.h"+#include "mozilla/StaticPrefs_canvas.h" #include "mozilla/StaticPrefs_gfx.h" #include "mozilla/StaticPrefs_layout.h" #include "mozilla/StaticPrefs_layers.h"@@ -168,8 +169,6 @@ static int32_t gLastUsedFrameRate = -1; const ContentDeviceData* gContentDeviceInitData = nullptr;--static Mutex* gGfxPlatformPrefsLock = nullptr; Atomic<bool, MemoryOrdering::ReleaseAcquire> gfxPlatform::gCMSInitialized; CMSMode gfxPlatform::gCMSMode = CMSMode::Off;@@ -877,8 +876,6 @@ InitMoz2DLogging();- gGfxPlatformPrefsLock = new Mutex("gfxPlatform::gGfxPlatformPrefsLock");- /* Initialize the GfxInfo service. * Note: we can't call functions on GfxInfo that depend * on gPlatform until after it has been initialized@@ -937,6 +934,12 @@ gpu->LaunchGPUProcess(); }+ if (XRE_IsParentProcess()) {+ nsAutoCString allowlist;+ Preferences::GetCString("gfx.offscreencavas.domain-allowlist", allowlist);+ gfxVars::SetOffscreenCanvasDomainAllowlist(allowlist);+ }+ gLastUsedFrameRate = ForceSoftwareVsync() ? GetSoftwareVsyncRate() : -1; Preferences::RegisterCallback( FrameRatePrefChanged,@@ -1259,9 +1262,6 @@ } gfx::Factory::ShutDown();-- delete gGfxPlatformPrefsLock;- gfxVars::Shutdown(); gfxFont::DestroySingletons();@@ -2445,6 +2445,15 @@ FeatureState& gpuProc = gfxConfig::GetFeature(Feature::GPU_PROCESS);+ nsCString message;+ nsCString failureId;+ if (!gfxPlatform::IsGfxInfoStatusOkay(nsIGfxInfo::FEATURE_GPU_PROCESS,+ &message, failureId)) {+ gpuProc.Disable(FeatureStatus::Blocklisted, message.get(), failureId);+ // Don't return early here. We must continue the checks below in case+ // the user has force-enabled the GPU process.+ }+ // We require E10S - otherwise, there is very little benefit to the GPU // process, since the UI process must still use acceleration for // performance.
Based on the provided code diff, I'll analyze it for security fixes:
1. Vulnerability Existed: yes
Race Condition / Improper Synchronization [gfx/thebes/gfxPlatform.cpp] [Lines 168, 877, 1259]
[Old Code]
static Mutex* gGfxPlatformPrefsLock = nullptr;
...
gGfxPlatformPrefsLock = new Mutex("gfxPlatform::gGfxPlatformPrefsLock");
...
delete gGfxPlatformPrefsLock;
[Fixed Code]
(The mutex and its creation/deletion were completely removed)
2. Vulnerability Existed: yes
Missing Security Check / GPU Process Validation [gfx/thebes/gfxPlatform.cpp] [Lines 2445+]
[Old Code]
FeatureState& gpuProc = gfxConfig::GetFeature(Feature::GPU_PROCESS);
[Fixed Code]
FeatureState& gpuProc = gfxConfig::GetFeature(Feature::GPU_PROCESS);
nsCString message;
nsCString failureId;
if (!gfxPlatform::IsGfxInfoStatusOkay(nsIGfxInfo::FEATURE_GPU_PROCESS,
&message, failureId)) {
gpuProc.Disable(FeatureStatus::Blocklisted, message.get(), failureId);
// Don't return early here. We must continue the checks below in case
// the user has force-enabled the GPU process.
}
3. Vulnerability Existed: not sure
Potential Offscreen Canvas Security Control [gfx/thebes/gfxPlatform.cpp] [Lines 934+]
[Old Code]
(No domain allowlist check for offscreen canvas)
[Fixed Code]
if (XRE_IsParentProcess()) {
nsAutoCString allowlist;
Preferences::GetCString("gfx.offscreencavas.domain-allowlist", allowlist);
gfxVars::SetOffscreenCanvasDomainAllowlist(allowlist);
}
Note: For the third item, while this appears to be a security-related change (adding domain allowlist controls for offscreen canvas), I'm marking it as "not sure" because without more context about the specific threat model for offscreen canvas in Firefox, I can't definitively say this was fixing a known vulnerability versus adding a new security feature. The first two items are clearly security fixes - removing a potentially problematic mutex and adding proper GPU process validation checks.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ash/src/prelude.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ash/src/prelude.rs@@ -1,13 +1,9 @@ use std::convert::TryInto;+#[cfg(feature = "debug")]+use std::fmt; use crate::vk; pub type VkResult<T> = Result<T, vk::Result>;--impl From<vk::Result> for VkResult<()> {- fn from(err_code: vk::Result) -> Self {- err_code.result()- }-} impl vk::Result { pub fn result(self) -> VkResult<()> {@@ -16,7 +12,7 @@ pub fn result_with_success<T>(self, v: T) -> VkResult<T> { match self {- vk::Result::SUCCESS => Ok(v),+ Self::SUCCESS => Ok(v), _ => Err(self), } }@@ -87,3 +83,31 @@ } } }++#[cfg(feature = "debug")]+pub(crate) fn debug_flags<Value: Into<u64> + Copy>(+ f: &mut fmt::Formatter,+ known: &[(Value, &'static str)],+ value: Value,+) -> fmt::Result {+ let mut first = true;+ let mut accum = value.into();+ for &(bit, name) in known {+ let bit = bit.into();+ if bit != 0 && accum & bit == bit {+ if !first {+ f.write_str(" | ")?;+ }+ f.write_str(name)?;+ first = false;+ accum &= !bit;+ }+ }+ if accum != 0 {+ if !first {+ f.write_str(" | ")?;+ }+ write!(f, "{:b}", accum)?;+ }+ Ok(())+}
Here's the analysis of the provided code diff following the specified format:
1. Vulnerability Existed: no
No specific vulnerability found [third_party/rust/ash/src/prelude.rs] [Lines 1-13]
[Old Code]
```rust
impl From<vk::Result> for VkResult<()> {
fn from(err_code: vk::Result) -> Self {
err_code.result()
}
}
```
[Fixed Code]
(Removed entirely)
2. Vulnerability Existed: no
Code improvement (no vulnerability) [third_party/rust/ash/src/prelude.rs] [Lines 16-18]
[Old Code]
```rust
vk::Result::SUCCESS => Ok(v),
```
[Fixed Code]
```rust
Self::SUCCESS => Ok(v),
```
3. Vulnerability Existed: not sure
Potential debug information exposure [third_party/rust/ash/src/prelude.rs] [Lines 83-103]
[Old Code]
(No debug functionality present)
[Fixed Code]
```rust
#[cfg(feature = "debug")]
pub(crate) fn debug_flags<Value: Into<u64> + Copy>(
f: &mut fmt::Formatter,
known: &[(Value, &'static str)],
value: Value,
) -> fmt::Result {
// ... debug implementation ...
}
```
Note: The changes appear to be primarily code improvements and additions rather than security fixes. The debug functionality addition could potentially expose sensitive information if misused, but this is guarded by a feature flag and marked as pub(crate), limiting its exposure. No clear security vulnerabilities were fixed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsl-5.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsl-5.worker.js@@ -13,14 +13,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'hsl(0, 100%, 50% /)'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
I'll analyze the provided code diff following the specified format.
Vulnerability Existed: no
[No specific vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsl-5.worker.js] [Lines 13-21]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
ctx.fillStyle = '#0f0';
try { ctx.fillStyle = 'hsl(0, 100%, 50% /)'; } catch (e) { }
ctx.fillRect(0, 0, 100, 50);
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
ctx.fillStyle = '#0f0';
try { ctx.fillStyle = 'hsl(0, 100%, 50% /)'; } catch (e) { }
ctx.fillRect(0, 0, 100, 50);
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
Additional Details:
The changes appear to be purely cosmetic/refactoring, renaming the variable `offscreenCanvas` to `canvas` for consistency. There are no security-related changes in this diff. The functionality remains the same, and the test case continues to verify the same behavior (invalid CSS color handling in canvas).
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/docs/contributor/files/adding-files.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/docs/contributor/files/adding-files.md@@ -38,7 +38,7 @@ ### `ChromeUtils.import()`-Some older DevTools JS modules use the Gecko [JavaScript code module](https://developer.mozilla.org/en-US/docs/Mozilla/JavaScript_code_modules/Using) format with the file extension `.jsm`. We are trying to move away from this format, so it's unlikely you would add a new one, but you might need to import an existing one in your code.+Some older DevTools JS modules use the Gecko JavaScript code module format with the file extension `.jsm`. We are trying to move away from this format, so it's unlikely you would add a new one, but you might need to import an existing one in your code. These modules are loaded using `ChromeUtils.import()`. To `import()` a file, you provide a `resource://` URL, which is exactly the source tree path.@@ -158,6 +158,6 @@ Localization files should follow a set of guidelines aimed at making it easier for people to translate the labels in these files in many languages.-[Find these guidelines on MDN](https://developer.mozilla.org/en-US/docs/Mozilla/Localization/Localization_content_best_practices).+[Read best practices for developers](https://mozilla-l10n.github.io/documentation/localization/dev_best_practices.html). In particular, it's important to write self-explanatory comments for new keys, deleting unused keys, changing the key name when changing the meaning of a string, and more. So make sure you read through these guidelines should you have to modify a localization file in your patch.
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be documentation updates and URL changes without any security implications. Vulnerability Existed: no No security vulnerabilities found in the diff. The changes are documentation updates: 1. Removed MDN link for JavaScript code modules and simplified the description 2. Changed the localization guidelines link from MDN to mozilla-l10n.github.io These are purely documentation improvements with no security impact.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/python/taskcluster_taskgraph/taskgraph/util/treeherder.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/python/taskcluster_taskgraph/taskgraph/util/treeherder.py@@ -3,6 +3,8 @@ # file, You can obtain one at http://mozilla.org/MPL/2.0/. import re++_JOINED_SYMBOL_RE = re.compile(r"([^(]*)\(([^)]*)\)$") def split_symbol(treeherder_symbol):@@ -11,7 +13,11 @@ groupSymbol = "?" symbol = treeherder_symbol if "(" in symbol:- groupSymbol, symbol = re.match(r"([^(]*)\(([^)]*)\)", symbol).groups()+ match = _JOINED_SYMBOL_RE.match(symbol)+ if match:+ groupSymbol, symbol = match.groups()+ else:+ raise Exception(f"`{symbol}` is not a valid treeherder symbol.") return groupSymbol, symbol@@ -49,7 +55,6 @@ dep_th_collection = list( dep_job.task.get("extra", {}).get("treeherder", {}).get("collection", {}).keys() )[0]- # XXX Doesn't yet support non-opt treeherder.setdefault("platform", f"{dep_th_platform}/{dep_th_collection}") treeherder.setdefault( "tier", dep_job.task.get("extra", {}).get("treeherder", {}).get("tier", 1)
Let me analyze the code diff for potential security vulnerabilities:
1. Vulnerability Existed: yes
Regular Expression Denial of Service (ReDoS) [third_party/python/taskcluster_taskgraph/taskgraph/util/treeherder.py] [Lines 3, 11-15]
[Old Code]
groupSymbol, symbol = re.match(r"([^(]*)\(([^)]*)\)", symbol).groups()
[Fixed Code]
_JOINED_SYMBOL_RE = re.compile(r"([^(]*)\(([^)]*)\)$")
match = _JOINED_SYMBOL_RE.match(symbol)
if match:
groupSymbol, symbol = match.groups()
else:
raise Exception(f"`{symbol}` is not a valid treeherder symbol.")
2. Vulnerability Existed: not sure
Input Validation Improvement [third_party/python/taskcluster_taskgraph/taskgraph/util/treeherder.py] [Lines 11-15]
[Old Code]
groupSymbol, symbol = re.match(r"([^(]*)\(([^)]*)\)", symbol).groups()
[Fixed Code]
match = _JOINED_SYMBOL_RE.match(symbol)
if match:
groupSymbol, symbol = match.groups()
else:
raise Exception(f"`{symbol}` is not a valid treeherder symbol.")
The main security improvement appears to be:
1. Pre-compiling the regex pattern which helps prevent ReDoS attacks by ensuring the pattern is compiled once
2. Adding proper input validation with an explicit check and error message instead of potentially failing silently or with a cryptic error
The changes also include better error handling which could prevent potential security issues from malformed input.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.destination-over.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.destination-over.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0';@@ -24,8 +24,8 @@ ctx.clip(); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 50, 50);-_assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");+_assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");+_assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't affect security aspects of the code.
Here's the analysis following your format:
Vulnerability Existed: no
[Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.destination-over.worker.js] [Lines 13-14, 24-25]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
_assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
_assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
The changes consist solely of renaming the variable from `offscreenCanvas` to `canvas` and updating the references accordingly. There are no security implications to these changes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/themes/windows/downloads/allDownloadsView.css+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/themes/windows/downloads/allDownloadsView.css@@ -32,7 +32,7 @@ This styling should be kept in sync with the style from the above file. */- @itemFocused@ {+ #downloadsListBox:focus > richlistitem[selected] { color: inherit; background-color: transparent; /* four gradients for the bevel highlights on each edge, one for blue background */@@ -61,7 +61,7 @@ --download-progress-fill-color: SelectedItem; }- #downloadsRichListBox richlistitem[selected] .downloadProgress::-moz-progress-bar {+ #downloadsListBox richlistitem[selected] .downloadProgress::-moz-progress-bar { --download-progress-fill-color: ButtonText; } }
Based on the provided CSS diff, I don't see any security vulnerabilities being fixed. The changes appear to be stylistic/selector updates rather than security-related fixes. Here's the analysis:
1. Vulnerability Existed: no
No security vulnerability found [File] browser/themes/windows/downloads/allDownloadsView.css [Lines] 32, 61
[Old Code]
@itemFocused@ {
#downloadsRichListBox richlistitem[selected] .downloadProgress::-moz-progress-bar {
[Fixed Code]
#downloadsListBox:focus > richlistitem[selected] {
#downloadsListBox richlistitem[selected] .downloadProgress::-moz-progress-bar {
The changes involve:
1. Replacing a placeholder selector (@itemFocused@) with a more specific CSS selector
2. Renaming "downloadsRichListBox" to "downloadsListBox" in a selector
These appear to be maintenance/refactoring changes rather than security fixes. No known CSS-related vulnerabilities are being addressed here.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.transparent.destination-out.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.transparent.destination-out.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 0, 0.5)';@@ -26,7 +26,7 @@ ctx.globalCompositeOperation = 'destination-out'; ctx.fillStyle = 'rgba(0, 0, 255, 0.75)'; ctx.fillRect(0, 0, 100, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 0,255,0,32, "50,25", "0,255,0,32", 5);+_assertPixelApprox(canvas, 50,25, 0,255,0,32, "50,25", "0,255,0,32", 5); t.done(); });
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be purely variable renaming and don't affect security aspects. Here's the analysis following your requested format:
Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.transparent.destination-out.html] [Lines 17-26]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixelApprox(offscreenCanvas, 50,25, 0,255,0,32, "50,25", "0,255,0,32", 5);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixelApprox(canvas, 50,25, 0,255,0,32, "50,25", "0,255,0,32", 5);
The changes are:
1. Renaming variable 'offscreenCanvas' to 'canvas'
2. Updating the variable name in the assertion call
3. No security-related changes were made
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/image/decoders/icon/nsIconURI.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/image/decoders/icon/nsIconURI.cpp@@ -19,6 +19,7 @@ #include "nsIURL.h" #include "nsNetUtil.h" #include "plstr.h"+#include "nsCRT.h" #include <stdlib.h> using namespace mozilla;@@ -218,7 +219,7 @@ if (!sizeString.IsEmpty()) { const char* sizeStr = sizeString.get(); for (uint32_t i = 0; i < ArrayLength(kSizeStrings); i++) {- if (PL_strcasecmp(sizeStr, kSizeStrings[i]) == 0) {+ if (nsCRT::strcasecmp(sizeStr, kSizeStrings[i]) == 0) { mIconSize = i; break; }@@ -235,7 +236,7 @@ if (!stateString.IsEmpty()) { const char* stateStr = stateString.get(); for (uint32_t i = 0; i < ArrayLength(kStateStrings); i++) {- if (PL_strcasecmp(stateStr, kStateStrings[i]) == 0) {+ if (nsCRT::strcasecmp(stateStr, kStateStrings[i]) == 0) { mIconState = i; break; }@@ -412,7 +413,7 @@ rv = other->GetSpec(spec2); NS_ENSURE_SUCCESS(rv, rv);- if (!PL_strcasecmp(spec1.get(), spec2.get())) {+ if (!nsCRT::strcasecmp(spec1.get(), spec2.get())) { *result = true; } else { *result = false;@@ -435,7 +436,7 @@ return NS_OK; }- *aEquals = PL_strcasecmp("moz-icon", aScheme) ? false : true;+ *aEquals = nsCRT::strcasecmp("moz-icon", aScheme) == 0; return NS_OK; }
Here's the analysis of the provided code diff following the specified format:
1. Vulnerability Existed: not sure
[Potential Buffer Overflow/Insecure String Comparison] [image/decoders/icon/nsIconURI.cpp] [Lines 218, 235, 412, 435]
[Old Code]
if (PL_strcasecmp(sizeStr, kSizeStrings[i]) == 0)
if (PL_strcasecmp(stateStr, kStateStrings[i]) == 0)
if (!PL_strcasecmp(spec1.get(), spec2.get()))
*aEquals = PL_strcasecmp("moz-icon", aScheme) ? false : true;
[Fixed Code]
if (nsCRT::strcasecmp(sizeStr, kSizeStrings[i]) == 0)
if (nsCRT::strcasecmp(stateStr, kStateStrings[i]) == 0)
if (!nsCRT::strcasecmp(spec1.get(), spec2.get()))
*aEquals = nsCRT::strcasecmp("moz-icon", aScheme) == 0;
Additional Details:
- The diff shows a replacement of PL_strcasecmp with nsCRT::strcasecmp throughout the file
- While this change might indicate a security improvement (nsCRT functions are generally considered more secure), there's no direct evidence of a specific vulnerability being fixed
- The change could be related to potential buffer overflow issues (PL_strcasecmp doesn't check string lengths) or portability concerns
- Without more context about the specific vulnerabilities being addressed, we can't be certain this was a security fix
Note: The change in line 435 also includes a logic simplification (changing ternary to direct comparison), but this appears to be a code style improvement rather than a security fix.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/semantics/interactive-elements/the-dialog-element/inert-label-focus.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/semantics/interactive-elements/the-dialog-element/inert-label-focus.html@@ -25,8 +25,8 @@ absoluteTop += parentNode.offsetTop; }- const x = absoluteLeft + element.offsetWidth / 2;- const y = absoluteTop + element.offsetHeight / 2;+ const x = Math.round(absoluteLeft + element.offsetWidth / 2);+ const y = Math.round(absoluteTop + element.offsetHeight / 2); const actions = new test_driver.Actions() .pointerMove(x, y) .pointerDown()
Let me analyze the code diff for potential security vulnerabilities:
1. Vulnerability Existed: no
No specific vulnerability [testing/web-platform/tests/html/semantics/interactive-elements/the-dialog-element/inert-label-focus.html] [Lines 25-26]
Old Code:
const x = absoluteLeft + element.offsetWidth / 2;
const y = absoluteTop + element.offsetHeight / 2;
Fixed Code:
const x = Math.round(absoluteLeft + element.offsetWidth / 2);
const y = Math.round(absoluteTop + element.offsetHeight / 2);
Additional Details:
- The change simply adds Math.round() to the coordinate calculations for pointer movement in a test file
- This appears to be a precision improvement rather than a security fix
- No known vulnerability patterns or security issues are addressed by this change
- The modification is likely related to test reliability rather than security
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-contain/container-queries/container-units-selection.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-contain/container-queries/container-units-selection.html@@ -69,61 +69,33 @@ test(() => { try { c1.className = 'size w500 h400';- c2.className = 'inline w300';- c3.className = 'inline w100 h200 vertical';+ c2.className = 'inline w300 h200';- // Should select c2, and resolve against w300.- assert_unit_equals(child, '10qw', '30px');-- // Should select c3, and resolve against h200.- assert_unit_equals(child, '10qi', '20px');-- // Should select c3, and resolve against h200.- assert_unit_equals(child, '10qh', '20px');-- // Should select c1, and resolve against h400.- assert_unit_equals(child, '10qb', '40px');-- c3.classList.remove('vertical');-- // Should select c3, and resolve against w100.- assert_unit_equals(child, '10qw', '10px');-- // Should select c3, and resolve against w100.- assert_unit_equals(child, '10qi', '10px');-- // Should select c1, and resolve against h400.- assert_unit_equals(child, '10qh', '40px');-- // Should select c1, and resolve against h400.- assert_unit_equals(child, '10qb', '40px');-- } finally {- for (let c of [c1, c2, c3, c4, child])- c.className = '';- }- }, 'Container with vertical writing mode');-- test(() => {- try {- c1.className = 'size w500 h400';- c2.className = 'inline w300';-+ // [qi, qb] corresponds to [qw, qh]. assert_unit_equals(child, '10qw', '30px'); assert_unit_equals(child, '10qi', '30px'); assert_unit_equals(child, '10qh', '40px'); assert_unit_equals(child, '10qb', '40px'); child.className = 'vertical';+ // [qi, qb] now corresponds to [qh, qw].+ assert_unit_equals(child, '10qw', '30px');+ assert_unit_equals(child, '10qi', '40px');+ assert_unit_equals(child, '10qh', '40px');+ assert_unit_equals(child, '10qb', '30px');- assert_unit_equals(child, '10qw', '30px');- assert_unit_equals(child, '10qi', '30px');- assert_unit_equals(child, '10qh', '40px');- assert_unit_equals(child, '10qb', '40px');+ c2.classList.add('vertical');+ // The inline containment on #c2 now applies to the vertical axis.+ // [qi, qb] still corresponds to [qh, qw], but we now expect+ // qh to resolve against #c2, and qw to resolve against #c1.+ assert_unit_equals(child, '10qw', '50px');+ assert_unit_equals(child, '10qi', '20px');+ assert_unit_equals(child, '10qh', '20px');+ assert_unit_equals(child, '10qb', '50px'); } finally { for (let c of [c1, c2, c3, c4, child]) c.className = ''; }- }, 'Units are not affected by the writing-mode of the current element');+ }, 'Units respond to the writing-mode of the element'); </script>
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be functional test updates related to CSS container queries and writing modes, not security fixes. Here's the analysis following your requested format: Vulnerability Existed: no No security vulnerability found [testing/web-platform/tests/css/css-contain/container-queries/container-units-selection.html] [Lines 69-33] The changes are test case modifications for CSS container units behavior The diff shows test case restructuring and additional test scenarios The changes are: 1. Removing some redundant test cases 2. Adding more comprehensive test coverage for writing-mode behavior 3. Clarifying test descriptions 4. Adjusting expected values based on the new test structure These appear to be test improvements rather than security fixes. The modifications are focused on ensuring correct behavior of CSS container units in different writing modes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.angle.4.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.angle.4.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -23,10 +23,10 @@ ctx.moveTo(50, 25); ctx.arc(50, 25, 60, (512+1/2)*Math.PI, (1024-1)*Math.PI, false); ctx.fill();-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't affect the security of the code. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found
File: testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.angle.4.worker.js
Lines: 13-14, 23-26
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");
_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");
_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");
_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");
_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");
The changes only involve renaming the variable 'offscreenCanvas' to 'canvas' and updating all references to it. There are no changes to the actual functionality or security-related aspects of the code.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/streams/ReadRequest.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/streams/ReadRequest.h@@ -26,7 +26,8 @@ virtual void ChunkSteps(JSContext* aCx, JS::Handle<JS::Value> aChunk, ErrorResult& aRv) = 0;- virtual void CloseSteps(JSContext* aCx, ErrorResult& aRv) = 0;+ MOZ_CAN_RUN_SCRIPT virtual void CloseSteps(JSContext* aCx,+ ErrorResult& aRv) = 0; virtual void ErrorSteps(JSContext* aCx, JS::Handle<JS::Value> e, ErrorResult& aRv) = 0;
Here's the analysis of the provided code diff:
Vulnerability Existed: not sure
[Potential Script Execution Issue] [dom/streams/ReadRequest.h] [Lines 26-27]
[Old Code]
```cpp
virtual void CloseSteps(JSContext* aCx, ErrorResult& aRv) = 0;
```
[Fixed Code]
```cpp
MOZ_CAN_RUN_SCRIPT virtual void CloseSteps(JSContext* aCx,
ErrorResult& aRv) = 0;
```
Additional Details:
The change adds the `MOZ_CAN_RUN_SCRIPT` annotation to the `CloseSteps` virtual method. This annotation indicates that the method can execute script (JavaScript code). While this isn't a direct security fix, it's a safety improvement that helps prevent potential script execution in unexpected contexts, which could lead to security issues if not properly handled. The annotation helps static analysis tools verify proper handling of script-running methods.
Note: Without more context about how this method is used, it's difficult to determine if this was fixing an actual vulnerability or just adding defensive programming measures. The change appears to be more about improving code safety than fixing a specific known vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.bezierCurveTo.shape.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.bezierCurveTo.shape.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -28,11 +28,11 @@ ctx.moveTo(-2000, 3100); ctx.bezierCurveTo(-2000, -1000, 2100, -1000, 2100, 3100); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security-related fixes. The changes appear to be purely cosmetic/refactoring, renaming a variable from `offscreenCanvas` to `canvas` for consistency or readability. Here's the analysis following your requested format:
Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.bezierCurveTo.shape.html] [Lines 17-28]
[Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ... _assertPixel(offscreenCanvas, ...)]
[Fixed Code: var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ... _assertPixel(canvas, ...)]
The changes don't address any security issues but rather improve code consistency by using a more concise variable name. No actual functionality or security-related behavior was modified.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/generic/nsIFrame.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/generic/nsIFrame.cpp@@ -927,9 +927,11 @@ const RetainedDisplayListData* data = GetRetainedDisplayListData(rootFrame);- const bool inModifiedList =- data && (data->GetFlags(this) &- RetainedDisplayListData::FrameFlags::Modified);+ const bool inModifiedList = data && data->IsModified(this);++ if (inModifiedList) {+ DL_LOG(LogLevel::Warning, "Frame %p found in modified list", this);+ } MOZ_ASSERT(!inModifiedList, "A dtor added this frame to modified frames list!");@@ -1041,7 +1043,7 @@ GetFrameName(name); } #endif- DL_LOGD("Removing display item data for frame %p (%s)", this,+ DL_LOGV("Removing display item data for frame %p (%s)", this, NS_ConvertUTF16toUTF8(name).get()); // Destroying a WebRenderUserDataTable can cause destruction of other objects@@ -1060,18 +1062,6 @@ delete userDataTable; }- if (IsSubDocumentFrame()) {- const nsSubDocumentFrame* subdoc =- static_cast<const nsSubDocumentFrame*>(this);- nsFrameLoader* frameLoader = subdoc->FrameLoader();- if (frameLoader && frameLoader->GetRemoteBrowser()) {- // This is a remote browser that is going away, notify it that it is now- // hidden- frameLoader->GetRemoteBrowser()->UpdateEffects(- mozilla::dom::EffectsInfo::FullyHidden());- }- }- for (nsDisplayItem* i : DisplayItems()) { if (i->GetDependentFrame() == this && !i->HasDeletedFrame()) { i->Frame()->MarkNeedsDisplayItemRebuild();@@ -1087,22 +1077,24 @@ return; }+ nsIFrame* rootFrame = PresShell()->GetRootFrame();+ MOZ_ASSERT(rootFrame);++ RetainedDisplayListData* data = GetOrSetRetainedDisplayListData(rootFrame);+ const bool updateData = IsFrameModified() || HasOverrideDirtyRegion() || MayHaveWillChangeBudget(); if (!updateData) { // No RetainedDisplayListData to update.+ MOZ_DIAGNOSTIC_ASSERT(!data->IsModified(this),+ "Deleted frame is in modified frame list"); return; }-- nsIFrame* rootFrame = PresShell()->GetRootFrame();- MOZ_ASSERT(rootFrame);-- RetainedDisplayListData* data = GetOrSetRetainedDisplayListData(rootFrame); if (MayHaveWillChangeBudget()) { // Keep the frame in list, so it can be removed from the will-change budget.- data->Flags(this) = RetainedDisplayListData::FrameFlags::HadWillChange;+ data->Flags(this) = RetainedDisplayListData::FrameFlag::HadWillChange; return; }@@ -1134,24 +1126,24 @@ return; }+ nsIFrame* rootFrame = PresShell()->GetRootFrame();+ MOZ_ASSERT(rootFrame);++ if (rootFrame->IsFrameModified()) {+ return;+ }+ nsAutoString name; #ifdef DEBUG_FRAME_DUMP if (DL_LOG_TEST(LogLevel::Debug)) { GetFrameName(name); } #endif- DL_LOGD("RDL - Rebuilding display items for frame %p (%s)", this,++ DL_LOGV("RDL - Rebuilding display items for frame %p (%s)", this, NS_ConvertUTF16toUTF8(name).get());- nsIFrame* rootFrame = PresShell()->GetRootFrame();- MOZ_ASSERT(rootFrame);-- if (rootFrame->IsFrameModified()) {- return;- }- RetainedDisplayListData* data = GetOrSetRetainedDisplayListData(rootFrame);- if (data->ModifiedFramesCount() > StaticPrefs::layout_display_list_rebuild_frame_limit()) { // If the modified frames count is above the rebuild limit, mark the root@@ -2971,7 +2963,8 @@ int32_t devPixelRatio = aMaskedFrame->PresContext()->AppUnitsPerDevPixel(); gfxPoint devPixelOffsetToUserSpace = nsLayoutUtils::PointToGfxPoint(offsetToUserSpace, devPixelRatio);- gfxMatrix cssToDevMatrix = SVGUtils::GetCSSPxToDevPxMatrix(aMaskedFrame);+ CSSToLayoutDeviceScale cssToDevScale =+ aMaskedFrame->PresContext()->CSSToDevPixelScale(); nsPoint toReferenceFrame; aBuilder->FindReferenceFrameFor(aMaskedFrame, &toReferenceFrame);@@ -2990,7 +2983,9 @@ SVGUtils::eBBoxIncludeClipped | SVGUtils::eBBoxIncludeFill | SVGUtils::eBBoxIncludeMarkers | SVGUtils::eBBoxIncludeStroke | SVGUtils::eDoNotClipToBBoxOfContentInsideClipPath);- combinedClip = Some(cssToDevMatrix.TransformBounds(result));+ combinedClip = Some(+ ThebesRect((CSSRect::FromUnknownRect(ToRect(result)) * cssToDevScale)+ .ToUnknownRect())); } else { // The code for this case is adapted from ComputeMaskGeometry().@@ -3015,7 +3010,9 @@ gfxRect clipArea; if (maskFrames[i]) { clipArea = maskFrames[i]->GetMaskArea(aMaskedFrame);- clipArea = cssToDevMatrix.TransformBounds(clipArea);+ clipArea = ThebesRect(+ (CSSRect::FromUnknownRect(ToRect(clipArea)) * cssToDevScale)+ .ToUnknownRect()); } else { const auto& layer = svgReset->mMask.mLayers[i]; if (layer.mClip == StyleGeometryBox::NoClip) {@@ -3097,6 +3094,41 @@ bool mCreatedContainer = false; };+/**+ * Tries to reuse a top-level stacking context item from the previous paint.+ * Returns true if an item was reused, otherwise false.+ */+bool TryToReuseStackingContextItem(nsDisplayListBuilder* aBuilder,+ nsDisplayList* aList, nsIFrame* aFrame) {+ if (!aBuilder->IsForPainting() || !aBuilder->IsPartialUpdate() ||+ aBuilder->InInvalidSubtree()) {+ return false;+ }++ if (aFrame->IsFrameModified() || aFrame->HasModifiedDescendants()) {+ return false;+ }++ auto& items = aFrame->DisplayItems();+ auto* res = std::find_if(+ items.begin(), items.end(),+ [](nsDisplayItem* aItem) { return aItem->IsPreProcessed(); });++ if (res == items.end()) {+ return false;+ }++ nsDisplayItem* container = *res;+ MOZ_ASSERT(!container->GetAbove());+ MOZ_ASSERT(container->Frame() == aFrame);+ DL_LOGD("RDL - Found SC item %p (%s) (frame: %p)", container,+ container->Name(), container->Frame());++ aList->AppendToTop(container);+ aBuilder->ReuseDisplayItem(container);+ return true;+}+ void nsIFrame::BuildDisplayListForStackingContext( nsDisplayListBuilder* aBuilder, nsDisplayList* aList, bool* aCreatedContainerItem) {@@ -3111,7 +3143,18 @@ }); AutoCheckBuilder check(aBuilder);- if (HasAnyStateBits(NS_FRAME_TOO_DEEP_IN_FRAME_TREE)) return;++ if (aBuilder->IsReusingStackingContextItems() &&+ TryToReuseStackingContextItem(aBuilder, aList, this)) {+ if (aCreatedContainerItem) {+ *aCreatedContainerItem = true;+ }+ return;+ }++ if (HasAnyStateBits(NS_FRAME_TOO_DEEP_IN_FRAME_TREE)) {+ return;+ } const nsStyleDisplay* disp = StyleDisplay(); const nsStyleEffects* effects = StyleEffects();@@ -3266,7 +3309,8 @@ // // These conditions should match |CanStoreDisplayListBuildingRect()| in // RetainedDisplayListBuilder.cpp- if (aBuilder->IsPartialUpdate() && !aBuilder->InInvalidSubtree() &&+ if (!aBuilder->IsReusingStackingContextItems() &&+ aBuilder->IsPartialUpdate() && !aBuilder->InInvalidSubtree() && !IsFrameModified() && IsFixedPosContainingBlock() && !GetPrevContinuation() && !GetNextContinuation()) { dirtyRect = nsRect();@@ -3447,6 +3491,7 @@ MarkAbsoluteFramesForDisplayList(aBuilder); aBuilder->Check(); BuildDisplayList(aBuilder, set);+ SetBuiltDisplayList(true); aBuilder->Check(); aBuilder->DisplayCaret(this, set.Outlines());@@ -3722,6 +3767,8 @@ } if (hasPerspective) {+ transformItem->MarkWithAssociatedPerspective();+ if (clipCapturedBy == ContainerItemType::Perspective) { clipState.Restore(); }@@ -3810,15 +3857,39 @@ CreateOwnLayerIfNeeded(aBuilder, &resultList, nsDisplayOwnLayer::OwnLayerForStackingContext, &createdOwnLayer);+ if (createdOwnLayer) { ct.TrackContainer(resultList.GetTop()); }+ if (aBuilder->IsReusingStackingContextItems()) {+ if (resultList.IsEmpty()) {+ return;+ }++ nsDisplayItem* container = resultList.GetBottom();+ if (resultList.Count() > 1 || container->Frame() != this) {+ container = MakeDisplayItem<nsDisplayContainer>(+ aBuilder, this, containerItemASR, &resultList);+ } else {+ container = resultList.RemoveBottom();+ }++ // Mark the outermost display item as reusable. These display items and+ // their chidren can be reused during the next paint if no ancestor or+ // descendant frames have been modified.+ if (!container->IsReusedItem()) {+ container->SetReusable();+ }+ aList->AppendToTop(container);+ ct.TrackContainer(container);+ } else {+ aList->AppendToTop(&resultList);+ }+ if (aCreatedContainerItem) { *aCreatedContainerItem = ct.mCreatedContainer; }-- aList->AppendToTop(&resultList); } static nsDisplayItem* WrapInWrapList(nsDisplayListBuilder* aBuilder,@@ -3979,6 +4050,7 @@ aBuilder->AdjustWindowDraggingRegion(aChild); aBuilder->Check(); aChild->BuildDisplayList(aBuilder, aLists);+ aChild->SetBuiltDisplayList(true); aBuilder->Check(); aBuilder->DisplayCaret(aChild, aLists.Outlines()); #ifdef DEBUG@@ -4186,8 +4258,6 @@ child->PresShell()->EnsureFrameInApproximatelyVisibleList(child); awayFromCommonPath = true; }-- child->SetBuiltDisplayList(true); // Child is composited if it's transformed, partially transparent, or has // SVG effects or a blend mode..@@ -4270,7 +4340,8 @@ child->BuildDisplayListForStackingContext(aBuilder, &list, &builtContainerItem); wrapListASR = contASRTracker.GetContainerASR();- if (aBuilder->GetCaretFrame() == child) {+ if (!aBuilder->IsReusingStackingContextItems() &&+ aBuilder->GetCaretFrame() == child) { builtContainerItem = false; } } else {@@ -4285,6 +4356,7 @@ } child->MarkAbsoluteFramesForDisplayList(aBuilder);+ child->SetBuiltDisplayList(true); if (!awayFromCommonPath && // Some SVG frames might change opacity without invalidating the frame,@@ -4338,10 +4410,10 @@ buildingForChild.RestoreBuildingInvisibleItemsValue();- if (isPositioned || isStackingContext) {- // Genuine stacking contexts, and positioned pseudo-stacking-contexts,- // go in this level.- if (!list.IsEmpty()) {+ if (!list.IsEmpty()) {+ if (isPositioned || isStackingContext) {+ // Genuine stacking contexts, and positioned pseudo-stacking-contexts,+ // go in this level. nsDisplayItem* item = WrapInWrapList(aBuilder, child, &list, wrapListASR, builtContainerItem); if (isSVG) {@@ -4349,14 +4421,12 @@ } else { aLists.PositionedDescendants()->AppendToTop(item); }- }- } else if (!isSVG && disp->IsFloating(child)) {- if (!list.IsEmpty()) {+ } else if (!isSVG && disp->IsFloating(child)) { aLists.Floats()->AppendToTop( WrapInWrapList(aBuilder, child, &list, wrapListASR));- }- } else {- aLists.Content()->AppendToTop(&list);+ } else {+ aLists.Content()->AppendToTop(&list);+ } } // We delay placing the positioned descendants of positioned frames to here, // because in the absence of z-index this is the correct order for them.@@ -7991,6 +8061,14 @@ aTo += ToString(pseudoType).c_str(); } aTo += "]";++ if (IsFrameModified()) {+ aTo += nsPrintfCString(" modified");+ }++ if (HasModifiedDescendants()) {+ aTo += nsPrintfCString(" has-modified-descendants");+ } } void nsIFrame::List(FILE* out, const char* aPrefix, ListFlags aFlags) const {
Analyzing the provided code diff, I'll identify potential security vulnerabilities:
1. Vulnerability Existed: not sure
Memory Leak Vulnerability [File] nsIFrame.cpp [Lines 1060-1066]
[Old Code]
if (IsSubDocumentFrame()) {
const nsSubDocumentFrame* subdoc =
static_cast<const nsSubDocumentFrame*>(this);
nsFrameLoader* frameLoader = subdoc->FrameLoader();
if (frameLoader && frameLoader->GetRemoteBrowser()) {
frameLoader->GetRemoteBrowser()->UpdateEffects(
mozilla::dom::EffectsInfo::FullyHidden());
}
}
[Fixed Code]
(Removed in the new version)
Additional Details: The removal of this remote browser effects update code might indicate a potential memory leak if remote browser resources aren't properly cleaned up elsewhere.
2. Vulnerability Existed: not sure
Potential Integer Overflow Vulnerability [File] nsIFrame.cpp [Lines 2990-2993]
[Old Code]
gfxMatrix cssToDevMatrix = SVGUtils::GetCSSPxToDevPxMatrix(aMaskedFrame);
combinedClip = Some(cssToDevMatrix.TransformBounds(result));
[Fixed Code]
CSSToLayoutDeviceScale cssToDevScale =
aMaskedFrame->PresContext()->CSSToDevPixelScale();
combinedClip = Some(
ThebesRect((CSSRect::FromUnknownRect(ToRect(result)) * cssToDevScale)
.ToUnknownRect()));
Additional Details: The change in coordinate transformation approach might address potential integer overflow issues in the transformation calculations.
3. Vulnerability Existed: not sure
Potential Use-After-Free Vulnerability [File] nsIFrame.cpp [Lines 3097-3143]
[Old Code]
(No explicit item reuse handling)
[Fixed Code]
Added TryToReuseStackingContextItem function with extensive checks
Additional Details: The new code adds explicit checks for frame modification states when reusing display items, which could prevent use-after-free scenarios if frames are modified while their display items are being reused.
4. Vulnerability Existed: not sure
Information Leak Vulnerability [File] nsIFrame.cpp [Lines 927-931]
[Old Code]
const bool inModifiedList =
data && (data->GetFlags(this) &
RetainedDisplayListData::FrameFlags::Modified);
[Fixed Code]
const bool inModifiedList = data && data->IsModified(this);
if (inModifiedList) {
DL_LOG(LogLevel::Warning, "Frame %p found in modified list", this);
}
Additional Details: The added logging when frames are found in modified lists could help detect potential information leaks or unexpected frame modifications.
Note: Many of these changes appear to be part of a larger refactoring of the display list handling system, and while they may improve security by adding more checks and clearer state handling, it's difficult to identify specific vulnerabilities without more context about the overall system architecture.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-3.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-3.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'hsl(360120, 100%, 50%)'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for potential security vulnerabilities:
1. Vulnerability Existed: no
Variable Renaming [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-3.html] [Lines 17-18, 23]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
Additional Details:
- This appears to be a simple variable renaming from `offscreenCanvas` to `canvas` throughout the file.
- There are no security-related changes in this diff.
- The functionality remains exactly the same, only the variable name was changed for consistency or readability.
- No actual security vulnerability was addressed in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.align.start.rtl.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.align.start.rtl.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var f = new FontFace("CanvasTest", "url('/fonts/CanvasTest.ttf')"); let fonts = (self.fonts ? self.fonts : document.fonts);@@ -32,12 +32,12 @@ ctx.fillStyle = '#0f0'; ctx.textAlign = 'start'; ctx.fillText('DD', 100, 37.5);- _assertPixelApprox(offscreenCanvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 95,5, 0,255,0,255, "95,5", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 95,45, 0,255,0,255, "95,45", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 95,5, 0,255,0,255, "95,5", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 95,45, 0,255,0,255, "95,45", "0,255,0,255", 2); }).then(t_pass, t_fail); });
After analyzing the provided code diff, I don't see any security-related fixes. The changes appear to be purely cosmetic/refactoring changes where a variable name was changed from `offscreenCanvas` to `canvas` and all subsequent references were updated accordingly. There are no changes to security-sensitive operations or vulnerable patterns.
Here's the structured response:
Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.align.start.rtl.html] [Lines 17-32]
[Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ... _assertPixelApprox(offscreenCanvas, ...)]
[Fixed Code: var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ... _assertPixelApprox(canvas, ...)]
The changes are purely variable renaming with no security implications. The functionality remains identical, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-round-display/polar-origin-and-anchor-001.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-round-display/polar-origin-and-anchor-001.html@@ -4,7 +4,6 @@ <title>CSS Test: Position an element with 'polar-origin' and 'polar-anchor'</title> <link rel="author" title="Jihye Hong" href="mailto:[email protected]" /> <link rel="help" href="https://www.w3.org/TR/motion-1/#motion-paths-overview/">- <meta name="flags" content=""> <meta name="assert" content="Test checks that the position of an element specified with 'polar-origin' and 'polar-anchor'."> <style type="text/css"> .container {
Based on the provided diff, I'll analyze it for potential security vulnerabilities: 1. Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/css-round-display/polar-origin-and-anchor-001.html [Lines] 4-7 [Old Code] <meta name="flags" content=""> [Fixed Code] (line removed) Additional details: - The change simply removes an empty meta tag for "flags" which doesn't appear to have any security implications - This appears to be a test file cleanup rather than a security fix - No known vulnerabilities are associated with this change - The modification doesn't involve any security-sensitive operations or potentially dangerous content The diff shows only this single change, which doesn't appear to be security-related. The removal of an empty meta tag is likely just a cleanup of test file metadata.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.