Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/AudioStream.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/AudioStream.cpp@@ -134,24 +134,26 @@ double mBasePosition; };-AudioStream::AudioStream(DataSource& aSource)- : mMonitor("AudioStream"),- mChannels(0),- mOutChannels(0),- mTimeStretcher(nullptr),+AudioStream::AudioStream(DataSource& aSource, uint32_t aInRate,+ uint32_t aOutputChannels,+ AudioConfig::ChannelLayout::ChannelMap aChannelMap)+ : mTimeStretcher(nullptr),+ mMonitor("AudioStream"),+ mOutChannels(aOutputChannels),+ mChannelMap(aChannelMap),+ mAudioClock(aInRate), mState(INITIALIZED), mDataSource(aSource),- mPrefillQuirk(false), mAudioThreadId(ProfilerThreadId{}),- mSandboxed(CubebUtils::SandboxEnabled()) {}+ mSandboxed(CubebUtils::SandboxEnabled()),+ mPlaybackComplete(false),+ mPlaybackRate(1.0f),+ mPreservesPitch(true) {} AudioStream::~AudioStream() { LOG("deleted, state %d", mState); MOZ_ASSERT(mState == SHUTDOWN && !mCubebStream, "Should've called Shutdown() before deleting an AudioStream");- if (mTimeStretcher) {- soundtouch::destroySoundTouchObj(mTimeStretcher);- } } size_t AudioStream::SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const {@@ -164,8 +166,8 @@ return amount; }-nsresult AudioStream::EnsureTimeStretcherInitializedUnlocked() {- mMonitor.AssertCurrentThreadOwns();+nsresult AudioStream::EnsureTimeStretcherInitialized() {+ AssertIsOnAudioThread(); if (!mTimeStretcher) { mTimeStretcher = soundtouch::createSoundTouchObj(); mTimeStretcher->setSampleRate(mAudioClock.GetInputRate());@@ -194,59 +196,25 @@ nsresult AudioStream::SetPlaybackRate(double aPlaybackRate) { TRACE("AudioStream::SetPlaybackRate");- // MUST lock since the rate transposer is used from the cubeb callback,- // and rate changes can cause the buffer to be reallocated- MonitorAutoLock mon(mMonitor);- NS_ASSERTION( aPlaybackRate > 0.0, "Can't handle negative or null playbackrate in the AudioStream.");- // Avoid instantiating the resampler if we are not changing the playback rate.- // GetPreservesPitch/SetPreservesPitch don't need locking before calling- if (aPlaybackRate == mAudioClock.GetPlaybackRate()) {+ if (aPlaybackRate == mPlaybackRate) { return NS_OK; }- if (EnsureTimeStretcherInitializedUnlocked() != NS_OK) {- return NS_ERROR_FAILURE;- }-- mAudioClock.SetPlaybackRate(aPlaybackRate);-- if (mAudioClock.GetPreservesPitch()) {- mTimeStretcher->setTempo(aPlaybackRate);- mTimeStretcher->setRate(1.0f);- } else {- mTimeStretcher->setTempo(1.0f);- mTimeStretcher->setRate(aPlaybackRate);- }+ mPlaybackRate = static_cast<float>(aPlaybackRate);+ return NS_OK; } nsresult AudioStream::SetPreservesPitch(bool aPreservesPitch) {- TRACE("AudiOStream::SetPreservesPitch");- // MUST lock since the rate transposer is used from the cubeb callback,- // and rate changes can cause the buffer to be reallocated- MonitorAutoLock mon(mMonitor);-- // Avoid instantiating the timestretcher instance if not needed.- if (aPreservesPitch == mAudioClock.GetPreservesPitch()) {+ TRACE("AudioStream::SetPreservesPitch");+ if (aPreservesPitch == mPreservesPitch) { return NS_OK; }- if (EnsureTimeStretcherInitializedUnlocked() != NS_OK) {- return NS_ERROR_FAILURE;- }-- if (aPreservesPitch) {- mTimeStretcher->setTempo(mAudioClock.GetPlaybackRate());- mTimeStretcher->setRate(1.0f);- } else {- mTimeStretcher->setTempo(1.0f);- mTimeStretcher->setRate(mAudioClock.GetPlaybackRate());- }-- mAudioClock.SetPreservesPitch(aPreservesPitch);+ mPreservesPitch = aPreservesPitch; return NS_OK; }@@ -267,32 +235,23 @@ return aFunction(mCubebStream.get(), std::forward<Args>(aArgs)...); }-nsresult AudioStream::Init(uint32_t aNumChannels,- AudioConfig::ChannelLayout::ChannelMap aChannelMap,- uint32_t aRate, AudioDeviceInfo* aSinkInfo) {+nsresult AudioStream::Init(AudioDeviceInfo* aSinkInfo) { auto startTime = TimeStamp::Now(); TRACE("AudioStream::Init");- LOG("%s channels: %d, rate: %d", __FUNCTION__, aNumChannels, aRate);- mChannels = aNumChannels;- mOutChannels = aNumChannels;-+ LOG("%s channels: %d, rate: %d", __FUNCTION__, mOutChannels,+ mAudioClock.GetInputRate()); mSinkInfo = aSinkInfo;- // Hasn't started playing audio yet.- mPlaybackComplete = false;- cubeb_stream_params params;- params.rate = aRate;+ params.rate = mAudioClock.GetInputRate(); params.channels = mOutChannels;- params.layout = static_cast<uint32_t>(aChannelMap);+ params.layout = static_cast<uint32_t>(mChannelMap); params.format = ToCubebFormat<AUDIO_OUTPUT_FORMAT>::value; params.prefs = CubebUtils::GetDefaultStreamPrefs(CUBEB_DEVICE_TYPE_OUTPUT); // This is noop if MOZ_DUMP_AUDIO is not set.- mDumpFile.Open("AudioStream", mOutChannels, aRate);-- mAudioClock.Init(aRate);+ mDumpFile.Open("AudioStream", mOutChannels, mAudioClock.GetInputRate()); cubeb* cubebContext = CubebUtils::GetCubebContext(); if (!cubebContext) {@@ -300,10 +259,6 @@ CubebUtils::ReportCubebStreamInitFailure(true); return NS_ERROR_DOM_MEDIA_CUBEB_INITIALIZATION_ERR; }-- // cubeb's winmm backend prefills buffers on init rather than stream start.- // See https://github.com/kinetiknz/cubeb/issues/150- mPrefillQuirk = !strcmp(cubeb_get_backend_id(cubebContext), "winmm"); return OpenCubeb(cubebContext, params, startTime, CubebUtils::GetFirstStream());@@ -458,34 +413,56 @@ mCubebStream.reset(); }+ // After `cubeb_stream_stop` has been called, there is no audio thread+ // anymore. We can delete the time stretcher.+ if (mTimeStretcher) {+ soundtouch::destroySoundTouchObj(mTimeStretcher);+ mTimeStretcher = nullptr;+ }+ mState = SHUTDOWN; mEndedPromise.ResolveIfExists(true, __func__); } int64_t AudioStream::GetPosition() { TRACE("AudioStream::GetPosition");+#ifndef XP_MACOSX MonitorAutoLock mon(mMonitor);+#endif int64_t frames = GetPositionInFramesUnlocked(); return frames >= 0 ? mAudioClock.GetPosition(frames) : -1; } int64_t AudioStream::GetPositionInFrames() { TRACE("AudioStream::GetPositionInFrames");+#ifndef XP_MACOSX MonitorAutoLock mon(mMonitor);+#endif int64_t frames = GetPositionInFramesUnlocked();+ return frames >= 0 ? mAudioClock.GetPositionInFrames(frames) : -1; } int64_t AudioStream::GetPositionInFramesUnlocked() { TRACE("AudioStream::GetPositionInFramesUnlocked");+#ifndef XP_MACOSX mMonitor.AssertCurrentThreadOwns();+#endif if (mState == ERRORED) { return -1; } uint64_t position = 0;- if (InvokeCubeb(cubeb_stream_get_position, &position) != CUBEB_OK) {+ int rv;++#ifndef XP_MACOSX+ rv = InvokeCubeb(cubeb_stream_get_position, &position);+#else+ rv = cubeb_stream_get_position(mCubebStream.get(), &position);+#endif++ if (rv != CUBEB_OK) { return -1; } return static_cast<int64_t>(std::min<uint64_t>(position, INT64_MAX));@@ -503,8 +480,7 @@ void AudioStream::GetUnprocessed(AudioBufferWriter& aWriter) { TRACE("AudioStream::GetUnprocessed");- mMonitor.AssertCurrentThreadOwns();-+ AssertIsOnAudioThread(); // Flush the timestretcher pipeline, if we were playing using a playback rate // other than 1.0. if (mTimeStretcher && mTimeStretcher->numSamples()) {@@ -520,29 +496,27 @@ // next time we switch a playback rate other than 1.0. NS_WARNING_ASSERTION(mTimeStretcher->numUnprocessedSamples() == 0, "no samples");+ } else if (mTimeStretcher) {+ // Don't need it anymore: playbackRate is 1.0, and the time stretcher has+ // been flushed.+ soundtouch::destroySoundTouchObj(mTimeStretcher);+ mTimeStretcher = nullptr; } while (aWriter.Available() > 0) {- UniquePtr<Chunk> c = mDataSource.PopFrames(aWriter.Available());- if (c->Frames() == 0) {+ uint32_t count = mDataSource.PopFrames(aWriter.Ptr(), aWriter.Available(),+ mAudioThreadChanged);+ if (count == 0) { break; }- MOZ_ASSERT(c->Frames() <= aWriter.Available());- if (IsValidAudioFormat(c.get())) {- aWriter.Write(c->Data(), c->Frames());- } else {- // Write silence if invalid format.- aWriter.WriteZeros(c->Frames());- }+ aWriter.Advance(count); } } void AudioStream::GetTimeStretched(AudioBufferWriter& aWriter) { TRACE("AudioStream::GetTimeStretched");- mMonitor.AssertCurrentThreadOwns();-- // We need to call the non-locking version, because we already have the lock.- if (EnsureTimeStretcherInitializedUnlocked() != NS_OK) {+ AssertIsOnAudioThread();+ if (EnsureTimeStretcherInitialized() != NS_OK) { return; }@@ -550,32 +524,23 @@ ceil(aWriter.Available() * mAudioClock.GetPlaybackRate()); while (mTimeStretcher->numSamples() < aWriter.Available()) {- UniquePtr<Chunk> c = mDataSource.PopFrames(toPopFrames);- if (c->Frames() == 0) {+ // pop into a temp buffer, and put into the stretcher.+ AutoTArray<AudioDataValue, 1000> buf;+ auto size = CheckedUint32(mOutChannels) * toPopFrames;+ if (!size.isValid()) {+ // The overflow should not happen in normal case.+ LOGW("Invalid member data: %d channels, %d frames", mOutChannels,+ toPopFrames);+ return;+ }+ buf.SetLength(size.value());+ // ensure no variable channel count or something like that+ uint32_t count =+ mDataSource.PopFrames(buf.Elements(), toPopFrames, mAudioThreadChanged);+ if (count == 0) { break; }- MOZ_ASSERT(c->Frames() <= toPopFrames);- if (IsValidAudioFormat(c.get())) {- mTimeStretcher->putSamples(c->Data(), c->Frames());- } else {- // Write silence if invalid format.- AutoTArray<AudioDataValue, 1000> buf;- auto size = CheckedUint32(mOutChannels) * c->Frames();- if (!size.isValid()) {- // The overflow should not happen in normal case.- LOGW("Invalid member data: %d channels, %d frames", mOutChannels,- c->Frames());- return;- }- buf.SetLength(size.value());- size = size * sizeof(AudioDataValue);- if (!size.isValid()) {- LOGW("The required memory size is too large.");- return;- }- memset(buf.Elements(), 0, size.value());- mTimeStretcher->putSamples(buf.Elements(), c->Frames());- }+ mTimeStretcher->putSamples(buf.Elements(), count); } auto* timeStretcher = mTimeStretcher;@@ -590,46 +555,61 @@ ProfilerThreadId id = profiler_current_thread_id(); if (id != mAudioThreadId) { mAudioThreadId = id;+ mAudioThreadChanged = true; return true; }+ mAudioThreadChanged = false; return false; }+void AudioStream::AssertIsOnAudioThread() const {+ // This can be called right after CheckThreadIdChanged, because the audio+ // thread can change when not sandboxed.+ MOZ_ASSERT(mAudioThreadId.load() == profiler_current_thread_id());+}++void AudioStream::UpdatePlaybackRateIfNeeded() {+ AssertIsOnAudioThread();+ if (mAudioClock.GetPreservesPitch() == mPreservesPitch &&+ mAudioClock.GetPlaybackRate() == mPlaybackRate) {+ return;+ }++ EnsureTimeStretcherInitialized();++ mAudioClock.SetPlaybackRate(mPlaybackRate);+ mAudioClock.SetPreservesPitch(mPreservesPitch);++ if (mPreservesPitch) {+ mTimeStretcher->setTempo(mPlaybackRate);+ mTimeStretcher->setRate(1.0f);+ } else {+ mTimeStretcher->setTempo(1.0f);+ mTimeStretcher->setRate(mPlaybackRate);+ }+}+ long AudioStream::DataCallback(void* aBuffer, long aFrames) {- if (!mSandboxed && CheckThreadIdChanged()) {+ if (CheckThreadIdChanged() && !mSandboxed) { CubebUtils::GetAudioThreadRegistry()->Register(mAudioThreadId); } WebCore::DenormalDisabler disabler; TRACE_AUDIO_CALLBACK_BUDGET(aFrames, mAudioClock.GetInputRate()); TRACE("AudioStream::DataCallback");- MonitorAutoLock mon(mMonitor); MOZ_ASSERT(mState != SHUTDOWN, "No data callback after shutdown"); if (SoftRealTimeLimitReached()) { DemoteThreadFromRealTime(); }++ UpdatePlaybackRateIfNeeded(); auto writer = AudioBufferWriter( Span<AudioDataValue>(reinterpret_cast<AudioDataValue*>(aBuffer), mOutChannels * aFrames), mOutChannels, aFrames);- if (mPrefillQuirk) {- // Don't consume audio data until Start() is called.- // Expected only with cubeb winmm backend.- if (mState == INITIALIZED) {- NS_WARNING("data callback fires before cubeb_stream_start() is called");- mAudioClock.UpdateFrameHistory(0, aFrames);- return writer.WriteZeros(aFrames);- }- } else {- MOZ_ASSERT(mState != INITIALIZED);- }-- // NOTE: wasapi (others?) can call us back *after* stop()/Shutdown() (mState- // == SHUTDOWN) Bug 996162- if (mAudioClock.GetInputRate() == mAudioClock.GetOutputRate()) { GetUnprocessed(writer); } else {@@ -639,8 +619,11 @@ // Always send audible frames first, and silent frames later. // Otherwise it will break the assumption of FrameHistory. if (!mDataSource.Ended()) {+#ifndef XP_MACOSX+ MonitorAutoLock mon(mMonitor);+#endif mAudioClock.UpdateFrameHistory(aFrames - writer.Available(),- writer.Available());+ writer.Available(), mAudioThreadChanged); if (writer.Available() > 0) { TRACE_COMMENT("AudioStream::DataCallback", "Underrun: %d frames missing", writer.Available());@@ -648,9 +631,17 @@ writer.WriteZeros(writer.Available()); } } else {- // No more new data in the data source. Don't send silent frames so the- // cubeb stream can start draining.- mAudioClock.UpdateFrameHistory(aFrames - writer.Available(), 0);+ // No more new data in the data source, and the drain has completed. We+ // don't need the time stretcher anymore at this point.+ if (mTimeStretcher && writer.Available()) {+ soundtouch::destroySoundTouchObj(mTimeStretcher);+ mTimeStretcher = nullptr;+ }+#ifndef XP_MACOSX+ MonitorAutoLock mon(mMonitor);+#endif+ mAudioClock.UpdateFrameHistory(aFrames - writer.Available(), 0,+ mAudioThreadChanged); } mDumpFile.Write(static_cast<const AudioDataValue*>(aBuffer),@@ -681,27 +672,54 @@ bool AudioStream::IsPlaybackCompleted() const { return mPlaybackComplete; }-AudioClock::AudioClock()- : mOutRate(0),- mInRate(0),+AudioClock::AudioClock(uint32_t aInRate)+ : mOutRate(aInRate),+ mInRate(aInRate), mPreservesPitch(true), mFrameHistory(new FrameHistory()) {}-void AudioClock::Init(uint32_t aRate) {- mOutRate = aRate;- mInRate = aRate;-}--void AudioClock::UpdateFrameHistory(uint32_t aServiced, uint32_t aUnderrun) {+void AudioClock::UpdateFrameHistory(uint32_t aServiced, uint32_t aUnderrun,+ bool aAudioThreadChanged) {+#ifdef XP_MACOSX+ if (aAudioThreadChanged) {+ mCallbackInfoQueue.ResetThreadIds();+ }+ // Flush the local items, if any, and then attempt to enqueue the current+ // item. This is only a fallback mechanism, under non-critical load this is+ // just going to enqueue an item in the queue.+ while (!mAudioThreadCallbackInfo.IsEmpty()) {+ CallbackInfo& info = mAudioThreadCallbackInfo[0];+ // If still full, keep it audio-thread side for now.+ if (mCallbackInfoQueue.Enqueue(info) != 1) {+ break;+ }+ mAudioThreadCallbackInfo.RemoveElementAt(0);+ }+ CallbackInfo info(aServiced, aUnderrun, mOutRate);+ if (mCallbackInfoQueue.Enqueue(info) != 1) {+ NS_WARNING(+ "mCallbackInfoQueue full, storing the values in the audio thread.");+ mAudioThreadCallbackInfo.AppendElement(info);+ }+#else mFrameHistory->Append(aServiced, aUnderrun, mOutRate);-}--int64_t AudioClock::GetPositionInFrames(int64_t aFrames) const {+#endif+}++int64_t AudioClock::GetPositionInFrames(int64_t aFrames) { CheckedInt64 v = UsecsToFrames(GetPosition(aFrames), mInRate); return v.isValid() ? v.value() : -1; }-int64_t AudioClock::GetPosition(int64_t frames) const {+int64_t AudioClock::GetPosition(int64_t frames) {+#ifdef XP_MACOSX+ // Dequeue all history info, and apply them before returning the position+ // based on frame history.+ CallbackInfo info;+ while (mCallbackInfoQueue.Dequeue(&info, 1)) {+ mFrameHistory->Append(info.mServiced, info.mUnderrun, info.mOutputRate);+ }+#endif return mFrameHistory->GetPosition(frames); }
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: yes
Race Condition in AudioStream::GetPosition [dom/media/AudioStream.cpp] [Lines 426-429, 436-439, 446-449]
[Old Code]
```
int64_t AudioStream::GetPosition() {
TRACE("AudioStream::GetPosition");
MonitorAutoLock mon(mMonitor);
int64_t frames = GetPositionInFramesUnlocked();
return frames >= 0 ? mAudioClock.GetPosition(frames) : -1;
}
int64_t AudioStream::GetPositionInFrames() {
TRACE("AudioStream::GetPositionInFrames");
MonitorAutoLock mon(mMonitor);
int64_t frames = GetPositionInFramesUnlocked();
return frames >= 0 ? mAudioClock.GetPositionInFrames(frames) : -1;
}
int64_t AudioStream::GetPositionInFramesUnlocked() {
TRACE("AudioStream::GetPositionInFramesUnlocked");
mMonitor.AssertCurrentThreadOwns();
```
[Fixed Code]
```
int64_t AudioStream::GetPosition() {
TRACE("AudioStream::GetPosition");
#ifndef XP_MACOSX
MonitorAutoLock mon(mMonitor);
#endif
int64_t frames = GetPositionInFramesUnlocked();
return frames >= 0 ? mAudioClock.GetPosition(frames) : -1;
}
int64_t AudioStream::GetPositionInFrames() {
TRACE("AudioStream::GetPositionInFrames");
#ifndef XP_MACOSX
MonitorAutoLock mon(mMonitor);
#endif
int64_t frames = GetPositionInFramesUnlocked();
return frames >= 0 ? mAudioClock.GetPositionInFrames(frames) : -1;
}
int64_t AudioStream::GetPositionInFramesUnlocked() {
TRACE("AudioStream::GetPositionInFramesUnlocked");
#ifndef XP_MACOSX
mMonitor.AssertCurrentThreadOwns();
#endif
```
2. Vulnerability Existed: yes
Race Condition in AudioStream::DataCallback [dom/media/AudioStream.cpp] [Lines 589-591]
[Old Code]
```
long AudioStream::DataCallback(void* aBuffer, long aFrames) {
if (!mSandboxed && CheckThreadIdChanged()) {
CubebUtils::GetAudioThreadRegistry()->Register(mAudioThreadId);
}
```
[Fixed Code]
```
long AudioStream::DataCallback(void* aBuffer, long aFrames) {
if (CheckThreadIdChanged() && !mSandboxed) {
CubebUtils::GetAudioThreadRegistry()->Register(mAudioThreadId);
}
```
3. Vulnerability Existed: not sure
Potential Memory Leak [dom/media/AudioStream.cpp] [Lines 416-419]
[Old Code]
```
AudioStream::~AudioStream() {
LOG("deleted, state %d", mState);
MOZ_ASSERT(mState == SHUTDOWN && !mCubebStream,
"Should've called Shutdown() before deleting an AudioStream");
if (mTimeStretcher) {
soundtouch::destroySoundTouchObj(mTimeStretcher);
}
}
```
[Fixed Code]
```
AudioStream::~AudioStream() {
LOG("deleted, state %d", mState);
MOZ_ASSERT(mState == SHUTDOWN && !mCubebStream,
"Should've called Shutdown() before deleting an AudioStream");
}
```
The changes appear to address several potential race conditions and thread safety issues, particularly around position tracking and audio thread registration. The most significant changes involve modifying the locking behavior for position-related methods and fixing the order of operations in thread ID checking. The memory leak potential is less clear, as the time stretcher cleanup was moved to the Shutdown() method instead.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/xpconnect/src/xpcpublic.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/xpconnect/src/xpcpublic.h@@ -55,6 +55,7 @@ namespace JS { class Compartment;+class ContextOptions; class Realm; class RealmOptions; class Value;@@ -581,6 +582,7 @@ bool ShouldDiscardSystemSource(); void SetPrefableRealmOptions(JS::RealmOptions& options);+void SetPrefableContextOptions(JS::ContextOptions& options); class ErrorBase { public:
Based on the provided code diff, I'll analyze it for potential security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential Information Leak or Context Isolation Issue] [js/xpconnect/src/xpcpublic.h] [Lines 55-58, 581-583]
[Old Code]
namespace JS {
class Compartment;
class Realm;
class RealmOptions;
class Value;
void SetPrefableRealmOptions(JS::RealmOptions& options);
[Fixed Code]
namespace JS {
class Compartment;
class ContextOptions;
class Realm;
class RealmOptions;
class Value;
void SetPrefableRealmOptions(JS::RealmOptions& options);
void SetPrefableContextOptions(JS::ContextOptions& options);
Additional Details:
- The diff shows the addition of `class ContextOptions` and a new function `SetPrefableContextOptions`
- While this could potentially relate to security context management, there's not enough context to determine if this fixes a specific vulnerability
- The changes suggest improved control over JavaScript context options, which could be security-related, but without more context about the implementation, we can't be certain
Note: The changes appear to be adding functionality rather than directly fixing a vulnerability. The security implications would depend on how these new capabilities are used in the rest of the codebase.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/dav1d/src/ppc/cdef_init_tmpl.c+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/dav1d/src/ppc/cdef_init_tmpl.c@@ -32,7 +32,7 @@ #include "src/cdef.h" #include "src/cpu.h"-#include "src/ppc/types.h"+#include "src/ppc/dav1d_types.h" #if BITDEPTH == 8 static inline i16x8 vconstrain(const i16x8 diff, const int16_t threshold,
Based on the provided code diff, here's the analysis: Vulnerability Existed: no [Header File Renaming] [third_party/dav1d/src/ppc/cdef_init_tmpl.c] [Lines 32] [Old Code] #include "src/ppc/types.h" [Fixed Code] #include "src/ppc/dav1d_types.h" Additional Details: This appears to be a simple header file renaming change where "types.h" was renamed to "dav1d_types.h". There's no indication of a security vulnerability being fixed here - it's likely just an internal code organization change. The change doesn't affect any security-critical functionality, memory management, or input validation. It's simply updating an include path to reflect a renamed header file.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/ipc/glue/ProtocolUtils.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/ipc/glue/ProtocolUtils.cpp@@ -62,6 +62,11 @@ nsPrintfCString errorMsg("%s %s\n", where, why); actor->GetIPCChannel()->Listener()->ProcessingError( HasResultCodes::MsgProcessingError, errorMsg.get());++ MOZ_ASSERT_UNLESS_FUZZING(false,+ "Please ensure to IPC_FAIL only when in an "+ "unrecoverable, unexpected state.");+ return IPCResult(false); }@@ -332,27 +337,8 @@ return mToplevel->GetIPCChannel(); }-void IProtocol::SetEventTargetForActor(IProtocol* aActor,- nsISerialEventTarget* aEventTarget) {- // Make sure we have a manager for the internal method to access.- aActor->SetManager(this);- mToplevel->SetEventTargetForActorInternal(aActor, aEventTarget);-}--void IProtocol::ReplaceEventTargetForActor(IProtocol* aActor,- nsISerialEventTarget* aEventTarget) {- MOZ_ASSERT(aActor->Manager());- mToplevel->ReplaceEventTargetForActor(aActor, aEventTarget);-}- nsISerialEventTarget* IProtocol::GetActorEventTarget() {- // FIXME: It's a touch sketchy that we don't return a strong reference here.- RefPtr<nsISerialEventTarget> target = GetActorEventTarget(this);- return target;-}-already_AddRefed<nsISerialEventTarget> IProtocol::GetActorEventTarget(- IProtocol* aActor) {- return mToplevel->GetActorEventTarget(aActor);+ return GetIPCChannel()->GetWorkerEventTarget(); } void IProtocol::SetId(int32_t aId) {@@ -506,16 +492,6 @@ return false; }-bool IProtocol::ChannelCall(IPC::Message* aMsg, IPC::Message* aReply) {- UniquePtr<IPC::Message> msg(aMsg);- if (CanSend()) {- return GetIPCChannel()->Call(std::move(msg), aReply);- }-- WarnMessageDiscarded(msg.get());- return false;-}- #ifdef DEBUG void IProtocol::WarnMessageDiscarded(IPC::Message* aMsg) { NS_WARNING(nsPrintfCString("IPC message '%s' discarded: actor cannot send",@@ -600,7 +576,6 @@ : IProtocol(aProtoId, aSide), mOtherPid(base::kInvalidProcessId), mLastLocalId(0),- mEventTargetMutex("ProtocolEventTargetMutex"), mChannel(aName, this) { mToplevel = this; }@@ -663,20 +638,7 @@ // If there's already an ID, just return that. return aRouted->Id(); }- int32_t id = RegisterID(aRouted, NextId());-- // Inherit our event target from our manager.- if (IProtocol* manager = aRouted->Manager()) {- MutexAutoLock lock(mEventTargetMutex);- if (nsCOMPtr<nsISerialEventTarget> target =- mEventTargetMap.Get(manager->Id())) {- MOZ_ASSERT(!mEventTargetMap.Contains(id),- "Don't insert with an existing ID");- mEventTargetMap.InsertOrUpdate(id, std::move(target));- }- }-- return id;+ return RegisterID(aRouted, NextId()); } int32_t IToplevelProtocol::RegisterID(IProtocol* aRouted, int32_t aId) {@@ -693,9 +655,6 @@ MOZ_ASSERT(mActorMap.Contains(aId), "Attempting to remove an ID not in the actor map"); mActorMap.Remove(aId);-- MutexAutoLock lock(mEventTargetMutex);- mEventTargetMap.Remove(aId); } Shmem::SharedMemory* IToplevelProtocol::CreateSharedMemory(@@ -794,88 +753,6 @@ Shmem::Dealloc(Shmem::PrivateIPDLCaller(), rawmem); } return true;-}--already_AddRefed<nsISerialEventTarget> IToplevelProtocol::GetMessageEventTarget(- const Message& aMsg) {- int32_t route = aMsg.routing_id();-- Maybe<MutexAutoLock> lock;- lock.emplace(mEventTargetMutex);-- nsCOMPtr<nsISerialEventTarget> target = mEventTargetMap.Get(route);-- if (aMsg.is_constructor()) {- ActorHandle handle;- PickleIterator iter = PickleIterator(aMsg);- if (!IPC::ReadParam(&aMsg, &iter, &handle)) {- return nullptr;- }--#ifdef DEBUG- // If this function is called more than once for the same message, the actor- // handle ID will already be in the map, but it should have the same target.- nsCOMPtr<nsISerialEventTarget> existingTgt =- mEventTargetMap.Get(handle.mId);- MOZ_ASSERT(existingTgt == target || existingTgt == nullptr);-#endif /* DEBUG */-- mEventTargetMap.InsertOrUpdate(handle.mId, nsCOMPtr{target});- }-- return target.forget();-}--already_AddRefed<nsISerialEventTarget> IToplevelProtocol::GetActorEventTarget(- IProtocol* aActor) {- MOZ_RELEASE_ASSERT(aActor->Id() != kNullActorId &&- aActor->Id() != kFreedActorId);-- MutexAutoLock lock(mEventTargetMutex);- nsCOMPtr<nsISerialEventTarget> target = mEventTargetMap.Get(aActor->Id());- return target.forget();-}--nsISerialEventTarget* IToplevelProtocol::GetActorEventTarget() {- // The EventTarget of a ToplevelProtocol shall never be set.- return nullptr;-}--void IToplevelProtocol::SetEventTargetForActorInternal(- IProtocol* aActor, nsISerialEventTarget* aEventTarget) {- // The EventTarget of a ToplevelProtocol shall never be set.- MOZ_RELEASE_ASSERT(aActor != this);-- // We should only call this function on actors that haven't been used for IPC- // code yet. Otherwise we'll be posting stuff to the wrong event target before- // we're called.- MOZ_RELEASE_ASSERT(aActor->Id() == kNullActorId ||- aActor->Id() == kFreedActorId);-- MOZ_ASSERT(aActor->Manager() && aActor->ToplevelProtocol() == this);-- // Register the actor early. When it's registered again, it will keep the same- // ID.- int32_t id = Register(aActor);- aActor->SetId(id);-- MutexAutoLock lock(mEventTargetMutex);- // FIXME bug 1445121 - sometimes the id is already mapped.- mEventTargetMap.InsertOrUpdate(id, nsCOMPtr{aEventTarget});-}--void IToplevelProtocol::ReplaceEventTargetForActor(- IProtocol* aActor, nsISerialEventTarget* aEventTarget) {- // The EventTarget of a ToplevelProtocol shall never be set.- MOZ_RELEASE_ASSERT(aActor != this);-- int32_t id = aActor->Id();- // The ID of the actor should have existed.- MOZ_RELEASE_ASSERT(id != kNullActorId && id != kFreedActorId);-- MutexAutoLock lock(mEventTargetMutex);- MOZ_ASSERT(mEventTargetMap.Contains(id), "Only replace an existing ID");- mEventTargetMap.InsertOrUpdate(id, nsCOMPtr{aEventTarget}); } IPDLResolverInner::IPDLResolverInner(UniquePtr<IPC::Message> aReply,
Based on the provided diff, I'll analyze the security implications:
1. First vulnerability:
Vulnerability Existed: yes
Missing Input Validation in IPC Error Handling [ipc/glue/ProtocolUtils.cpp] [Lines 62-67]
[Old Code]
nsPrintfCString errorMsg("%s %s\n", where, why);
actor->GetIPCChannel()->Listener()->ProcessingError(
HasResultCodes::MsgProcessingError, errorMsg.get());
return IPCResult(false);
[Fixed Code]
nsPrintfCString errorMsg("%s %s\n", where, why);
actor->GetIPCChannel()->Listener()->ProcessingError(
HasResultCodes::MsgProcessingError, errorMsg.get());
MOZ_ASSERT_UNLESS_FUZZING(false,
"Please ensure to IPC_FAIL only when in an "
"unrecoverable, unexpected state.");
return IPCResult(false);
2. Second vulnerability:
Vulnerability Existed: yes
Race Condition in Event Target Management [ipc/glue/ProtocolUtils.cpp] [Multiple locations]
[Old Code]
(Multiple methods for event target management including SetEventTargetForActor, ReplaceEventTargetForActor, GetActorEventTarget with mutex usage)
[Fixed Code]
(All event target management code removed, simplified to use channel's worker event target)
3. Third vulnerability:
Vulnerability Existed: yes
Potential Memory Leak in Channel Call [ipc/glue/ProtocolUtils.cpp] [Lines 492-502]
[Old Code]
bool IProtocol::ChannelCall(IPC::Message* aMsg, IPC::Message* aReply) {
UniquePtr<IPC::Message> msg(aMsg);
if (CanSend()) {
return GetIPCChannel()->Call(std::move(msg), aReply);
}
WarnMessageDiscarded(msg.get());
return false;
}
[Fixed Code]
(Entire method removed)
The changes appear to:
1. Add stricter validation for IPC failure cases
2. Remove complex and potentially unsafe event target management code that could lead to race conditions
3. Remove a potentially unsafe channel call method that could lead to memory leaks or improper message handling
The most significant security improvement is the removal of the complex event target management system which could have led to race conditions or inconsistent state in multi-threaded scenarios. The addition of the MOZ_ASSERT_UNLESS_FUZZING check also helps catch improper IPC failure cases during development.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/src/utils/result-list.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/src/utils/result-list.js@@ -14,6 +14,9 @@ // https://nolanlawson.com/2018/09/25/accurately-measuring-layout-on-the-web/ requestAnimationFrame(() => { setTimeout(() => {+ if (!resultEl.scrollIntoView) {+ return;+ } resultEl.scrollIntoView({ block: "nearest", behavior: "auto" }); }); });
Here's the analysis of the provided code diff:
Vulnerability Existed: not sure
[Potential Null Reference Vulnerability] [devtools/client/debugger/src/utils/result-list.js] [Lines 14-19]
[Old Code]
```javascript
requestAnimationFrame(() => {
setTimeout(() => {
resultEl.scrollIntoView({ block: "nearest", behavior: "auto" });
});
});
```
[Fixed Code]
```javascript
requestAnimationFrame(() => {
setTimeout(() => {
if (!resultEl.scrollIntoView) {
return;
}
resultEl.scrollIntoView({ block: "nearest", behavior: "auto" });
});
});
```
The change adds a check for the existence of the `scrollIntoView` method on `resultEl` before calling it. While this prevents a potential null reference error, it's not clear if this was actually exploitable as a security vulnerability or just a defensive programming improvement. The vulnerability name is speculative since we don't have evidence this was actually being exploited.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/base/content/test/forms/browser_selectpopup.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/base/content/test/forms/browser_selectpopup.js@@ -323,10 +323,7 @@ add_task(async function setup() { await SpecialPowers.pushPrefEnv({- set: [- ["dom.select_popup_in_parent.enabled", true],- ["dom.forms.select.customstyling", true],- ],+ set: [["dom.forms.select.customstyling", true]], }); });
Here's the analysis of the provided code diff:
Vulnerability Existed: not sure
Potential Configuration Vulnerability [browser/base/content/test/forms/browser_selectpopup.js] [Lines 323-327]
[Old Code]
```
await SpecialPowers.pushPrefEnv({
set: [
["dom.select_popup_in_parent.enabled", true],
["dom.forms.select.customstyling", true],
],
});
```
[Fixed Code]
```
await SpecialPowers.pushPrefEnv({
set: [["dom.forms.select.customstyling", true]],
});
```
Additional Details:
The diff shows the removal of the "dom.select_popup_in_parent.enabled" preference setting. While this might indicate a security-related change (as preference changes often relate to security features), without more context about why this preference was removed, we can't definitively say if this was fixing a vulnerability or just a test configuration change. The change could be related to security hardening by disabling a potentially risky feature, but this is speculative.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.align.end.rtl.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.align.end.rtl.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var f = new FontFace("CanvasTest", "url('/fonts/CanvasTest.ttf')"); let fonts = (self.fonts ? self.fonts : document.fonts);@@ -28,12 +28,12 @@ ctx.fillStyle = '#0f0'; ctx.textAlign = 'end'; ctx.fillText('DD', 0, 37.5);- _assertPixelApprox(offscreenCanvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 95,5, 0,255,0,255, "95,5", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 95,45, 0,255,0,255, "95,45", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 95,5, 0,255,0,255, "95,5", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 95,45, 0,255,0,255, "95,45", "0,255,0,255", 2); }).then(t_pass, t_fail); });
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be purely cosmetic, renaming a variable from `offscreenCanvas` to `canvas` for consistency or readability purposes. Here's the analysis following the requested format:
1. Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-14, 28-33]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixelApprox(offscreenCanvas, ...);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixelApprox(canvas, ...);
The changes don't affect security in any way - they're just variable name changes with no impact on functionality or security posture. The rest of the code remains identical in behavior, only referencing the canvas through a differently named variable.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/test/unit/test_http3_perf.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/test/unit/test_http3_perf.js@@ -74,7 +74,7 @@ do_get_profile(); prefs = Services.prefs;- prefs.setBoolPref("network.http.http3.enabled", true);+ prefs.setBoolPref("network.http.http3.enable", true); prefs.setCharPref("network.dns.localDomains", "foo.example.com"); // We always resolve elements of localDomains as it's hardcoded without the // following pref:@@ -253,7 +253,7 @@ } function testsDone() {- prefs.clearUserPref("network.http.http3.enabled");+ prefs.clearUserPref("network.http.http3.enable"); prefs.clearUserPref("network.dns.localDomains"); prefs.clearUserPref("network.proxy.allow_hijacking_localhost"); dump("testDone\n");
Here's the analysis of the provided code diff:
1. Vulnerability Existed: no
No specific vulnerability found [File] netwerk/test/unit/test_http3_perf.js [Lines] 74,253
[Old Code] prefs.setBoolPref("network.http.http3.enabled", true);
[Fixed Code] prefs.setBoolPref("network.http.http3.enable", true);
[Old Code] prefs.clearUserPref("network.http.http3.enabled");
[Fixed Code] prefs.clearUserPref("network.http.http3.enable");
Additional Details:
The changes appear to be a simple preference name correction from "network.http.http3.enabled" to "network.http.http3.enable". This doesn't indicate a security vulnerability but rather a consistency fix in preference naming. The functionality remains the same, just using the correct preference name. No security implications are apparent from this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/talos/talos/gecko_profile.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/talos/talos/gecko_profile.py@@ -48,8 +48,12 @@ # Make sure no archive already exists in the location where # we plan to output our profiler archive+ # If individual talos is ran (--activeTest) instead of suite (--suite)+ # the "suite" key will be empty and we'll name the profile after+ # the test name self.profile_arcname = os.path.join(- self.upload_dir, "profile_{0}.zip".format(test_config["suite"])+ self.upload_dir,+ "profile_{0}.zip".format(test_config.get("suite", test_config["name"])), ) # We delete the archive if the current test is the first in the suite
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: no
[No specific vulnerability] [testing/talos/talos/gecko_profile.py] [Lines 48-54]
[Old Code]
```python
self.profile_arcname = os.path.join(
self.upload_dir, "profile_{0}.zip".format(test_config["suite"])
```
[Fixed Code]
```python
self.profile_arcname = os.path.join(
self.upload_dir,
"profile_{0}.zip".format(test_config.get("suite", test_config["name"])),
)
```
Additional Details:
- The change appears to be a robustness improvement rather than a security fix
- The modification makes the code more resilient by handling cases where "suite" key might not exist in test_config
- Uses dict.get() with a fallback to "name" key instead of direct dictionary access
- Prevents potential KeyError exceptions but doesn't address any known security vulnerability
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsl-5.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsl-5.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'hsl(0, 100%, 50% /)'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be primarily variable renaming and don't involve any security-related modifications.
Analysis:
1. Vulnerability Existed: no
- No security vulnerability found in the diff
- The changes are:
- Variable renamed from `offscreenCanvas` to `canvas`
- Corresponding change in `_assertPixel` call to use the new variable name
- These changes don't address any security issues but rather improve code consistency
The diff shows only refactoring changes with no security implications. The test case remains the same, just using a different variable name. The test still checks the same color parsing behavior in canvas.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.object.undefined.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.object.undefined.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var imgdata = ctx.getImageData(0, 0, 10, 10); imgdata.data[0] = 100;
Based on the provided code diff, here's the analysis:
Vulnerability Existed: no
[Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.object.undefined.worker.js] [Lines 13-14]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- This appears to be a simple variable renaming change from 'offscreenCanvas' to 'canvas'
- No security vulnerability is being fixed here
- The change is likely for consistency with other test cases or code style guidelines
- The functionality remains exactly the same, just with a different variable name
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-168a.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-168a.xml@@ -9,7 +9,6 @@ <link rel="author" title="Ian Hickson" href="mailto:[email protected]"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found --> <link rel="match" href="reference/this-test-has-passed-desc.xht"/>- <meta name="flags" content="" /> </head> <body> <p>This test has <span></span>.</p>
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
No specific vulnerability [File] testing/web-platform/tests/css/selectors/old-tests/css3-modsel-168a.xml [Lines] 9
Old Code: <meta name="flags" content="" />
Fixed Code: (removed line)
Additional details:
- The diff shows removal of an empty meta tag with "flags" attribute
- This appears to be a test file cleanup rather than a security fix
- No known vulnerabilities are associated with this change
- The modification seems related to test configuration rather than security
The change doesn't appear to address any security vulnerability but rather cleans up test metadata. The empty flags meta tag wasn't serving any purpose and was likely removed as part of general code maintenance.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.font.parse.complex.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.font.parse.complex.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.font = 'small-caps italic 400 12px/2 Unknown Font, sans-serif'; _assertSame(ctx.font, 'italic small-caps 12px "Unknown Font", sans-serif', "ctx.font", "'italic small-caps 12px \"Unknown Font\", sans-serif'");
Let me analyze the code diff for potential security vulnerabilities:
1. Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/text/2d.text.font.parse.complex.worker.js [Lines 13-14]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- The change appears to be purely a variable naming change from `offscreenCanvas` to `canvas`
- No security-related changes were made in this diff
- The functionality remains exactly the same, only the variable name was simplified
- No known vulnerabilities (like XSS, injection, etc.) were present in either version
- This appears to be a code style/readability improvement rather than a security fix
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.fill.winding.subtract.1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.fill.winding.subtract.1.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -33,7 +33,7 @@ ctx.lineTo(100, 50); ctx.lineTo(100, 0); ctx.fill();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and updating the references accordingly. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found [File] [Lines 17-18, 33]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
This appears to be a simple code refactoring/renaming change with no security implications. The functionality remains exactly the same, just using a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/darling_core/src/codegen/variant.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/darling_core/src/codegen/variant.rs@@ -4,10 +4,10 @@ use quote::{ToTokens, TokenStreamExt}; use syn::Ident;-use ast::Fields;-use codegen::error::{ErrorCheck, ErrorDeclaration};-use codegen::{Field, FieldsGen};-use usage::{self, IdentRefSet, IdentSet, UsesTypeParams};+use crate::ast::Fields;+use crate::codegen::error::{ErrorCheck, ErrorDeclaration};+use crate::codegen::{Field, FieldsGen};+use crate::usage::{self, IdentRefSet, IdentSet, UsesTypeParams}; /// A variant of the enum which is deriving `FromMeta`. #[derive(Debug, Clone, PartialEq, Eq)]@@ -112,7 +112,7 @@ if val.data.is_struct() { let declare_errors = ErrorDeclaration::default();- let check_errors = ErrorCheck::with_location(&name_in_attr);+ let check_errors = ErrorCheck::with_location(name_in_attr); let require_fields = vdg.require_fields(); let decls = vdg.declarations(); let core_loop = vdg.core_loop();
Let me analyze the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Potential Path Traversal] [third_party/rust/darling_core/src/codegen/variant.rs] [Lines 4-10]
[Old Code]
use ast::Fields;
use codegen::error::{ErrorCheck, ErrorDeclaration};
use codegen::{Field, FieldsGen};
use usage::{self, IdentRefSet, IdentSet, UsesTypeParams};
[Fixed Code]
use crate::ast::Fields;
use crate::codegen::error::{ErrorCheck, ErrorDeclaration};
use crate::codegen::{Field, FieldsGen};
use crate::usage::{self, IdentRefSet, IdentSet, UsesTypeParams};
2. Vulnerability Existed: not sure
[Potential Unsafe Reference Handling] [third_party/rust/darling_core/src/codegen/variant.rs] [Line 112]
[Old Code]
let check_errors = ErrorCheck::with_location(&name_in_attr);
[Fixed Code]
let check_errors = ErrorCheck::with_location(name_in_attr);
Additional details:
- The first change updates import statements to use absolute paths with `crate::` prefix. While this isn't directly a security fix, it could prevent potential module resolution issues that might lead to security vulnerabilities in some edge cases.
- The second change removes a reference operator (`&`) when passing `name_in_attr` to `with_location`. This could potentially relate to memory safety or ownership issues, but without more context about the `ErrorCheck` type and its usage, it's hard to determine if this was an actual security fix or just a code style improvement.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/workers/WorkerRunnable.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/workers/WorkerRunnable.cpp@@ -6,7 +6,6 @@ #include "WorkerRunnable.h"-#include "WorkerPrivate.h" #include "WorkerScope.h" #include "js/RootingAPI.h" #include "jsapi.h"@@ -467,13 +466,14 @@ } nsresult MainThreadStopSyncLoopRunnable::Cancel() {- nsresult rv = Run();+ // We need to check first if cancel is called twice+ nsresult rv = WorkerSyncRunnable::Cancel();+ NS_ENSURE_SUCCESS(rv, rv);++ rv = Run(); NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "Run() failed");- nsresult rv2 = WorkerSyncRunnable::Cancel();- NS_WARNING_ASSERTION(NS_SUCCEEDED(rv2), "Cancel() failed");-- return NS_FAILED(rv) ? rv : rv2;+ return rv; } bool MainThreadStopSyncLoopRunnable::WorkerRun(JSContext* aCx,@@ -511,11 +511,15 @@ #endif nsresult WorkerControlRunnable::Cancel() {+ // We need to check first if cancel is called twice+ nsresult rv = WorkerRunnable::Cancel();+ NS_ENSURE_SUCCESS(rv, rv);+ if (NS_FAILED(Run())) { NS_WARNING("WorkerControlRunnable::Run() failed."); }- return WorkerRunnable::Cancel();+ return NS_OK; } bool WorkerControlRunnable::DispatchInternal() {
Here's the analysis of the provided code diff following the specified format:
1. Vulnerability Existed: yes
Double Call Vulnerability [dom/workers/WorkerRunnable.cpp] [Lines 467-474, 511-517]
[Old Code]
nsresult rv = Run();
NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "Run() failed");
nsresult rv2 = WorkerSyncRunnable::Cancel();
NS_WARNING_ASSERTION(NS_SUCCEEDED(rv2), "Cancel() failed");
return NS_FAILED(rv) ? rv : rv2;
[Fixed Code]
// We need to check first if cancel is called twice
nsresult rv = WorkerSyncRunnable::Cancel();
NS_ENSURE_SUCCESS(rv, rv);
rv = Run();
NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "Run() failed");
return rv;
2. Vulnerability Existed: yes
Double Call Vulnerability [dom/workers/WorkerRunnable.cpp] [Lines 511-517]
[Old Code]
if (NS_FAILED(Run())) {
NS_WARNING("WorkerControlRunnable::Run() failed.");
}
return WorkerRunnable::Cancel();
[Fixed Code]
// We need to check first if cancel is called twice
nsresult rv = WorkerRunnable::Cancel();
NS_ENSURE_SUCCESS(rv, rv);
if (NS_FAILED(Run())) {
NS_WARNING("WorkerControlRunnable::Run() failed.");
}
return NS_OK;
The main security fixes address potential double call vulnerabilities in the Cancel() methods. The changes ensure proper order of operations (calling parent class Cancel() first) and prevent potential issues from multiple Cancel() calls. The fixes also improve error handling by using NS_ENSURE_SUCCESS to immediately return on failure.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/pdfjs/content/build/pdf.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/pdfjs/content/build/pdf.js@@ -2,7 +2,7 @@ * @licstart The following is the entire license notice for the * Javascript code in this page *- * Copyright 2021 Mozilla Foundation+ * Copyright 2022 Mozilla Foundation * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License.@@ -35,491 +35,6 @@ /******/ var __webpack_modules__ = ([ /* 0 */, /* 1 */-/***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {----Object.defineProperty(exports, "__esModule", ({- value: true-}));-exports.StatTimer = exports.RenderingCancelledException = exports.PixelsPerInch = exports.PageViewport = exports.PDFDateString = exports.LinkTarget = exports.DOMStandardFontDataFactory = exports.DOMSVGFactory = exports.DOMCanvasFactory = exports.DOMCMapReaderFactory = void 0;-exports.addLinkAttributes = addLinkAttributes;-exports.deprecated = deprecated;-exports.getFilenameFromUrl = getFilenameFromUrl;-exports.getPdfFilenameFromUrl = getPdfFilenameFromUrl;-exports.getXfaPageViewport = getXfaPageViewport;-exports.isDataScheme = isDataScheme;-exports.isPdfFile = isPdfFile;-exports.isValidFetchUrl = isValidFetchUrl;-exports.loadScript = loadScript;--var _util = __w_pdfjs_require__(2);--var _base_factory = __w_pdfjs_require__(5);--const DEFAULT_LINK_REL = "noopener noreferrer nofollow";-const SVG_NS = "http://www.w3.org/2000/svg";-const PixelsPerInch = {- CSS: 96.0,- PDF: 72.0,-- get PDF_TO_CSS_UNITS() {- return (0, _util.shadow)(this, "PDF_TO_CSS_UNITS", this.CSS / this.PDF);- }--};-exports.PixelsPerInch = PixelsPerInch;--class DOMCanvasFactory extends _base_factory.BaseCanvasFactory {- constructor({- ownerDocument = globalThis.document- } = {}) {- super();- this._document = ownerDocument;- }-- _createCanvas(width, height) {- const canvas = this._document.createElement("canvas");-- canvas.width = width;- canvas.height = height;- return canvas;- }--}--exports.DOMCanvasFactory = DOMCanvasFactory;--async function fetchData(url, asTypedArray = false) {- const response = await fetch(url);-- if (!response.ok) {- throw new Error(response.statusText);- }-- return asTypedArray ? new Uint8Array(await response.arrayBuffer()) : (0, _util.stringToBytes)(await response.text());-}--class DOMCMapReaderFactory extends _base_factory.BaseCMapReaderFactory {- _fetchData(url, compressionType) {- return fetchData(url, this.isCompressed).then(data => {- return {- cMapData: data,- compressionType- };- });- }--}--exports.DOMCMapReaderFactory = DOMCMapReaderFactory;--class DOMStandardFontDataFactory extends _base_factory.BaseStandardFontDataFactory {- _fetchData(url) {- return fetchData(url, true);- }--}--exports.DOMStandardFontDataFactory = DOMStandardFontDataFactory;--class DOMSVGFactory extends _base_factory.BaseSVGFactory {- _createSVG(type) {- return document.createElementNS(SVG_NS, type);- }--}--exports.DOMSVGFactory = DOMSVGFactory;--class PageViewport {- constructor({- viewBox,- scale,- rotation,- offsetX = 0,- offsetY = 0,- dontFlip = false- }) {- this.viewBox = viewBox;- this.scale = scale;- this.rotation = rotation;- this.offsetX = offsetX;- this.offsetY = offsetY;- const centerX = (viewBox[2] + viewBox[0]) / 2;- const centerY = (viewBox[3] + viewBox[1]) / 2;- let rotateA, rotateB, rotateC, rotateD;- rotation %= 360;-- if (rotation < 0) {- rotation += 360;- }-- switch (rotation) {- case 180:- rotateA = -1;- rotateB = 0;- rotateC = 0;- rotateD = 1;- break;-- case 90:- rotateA = 0;- rotateB = 1;- rotateC = 1;- rotateD = 0;- break;-- case 270:- rotateA = 0;- rotateB = -1;- rotateC = -1;- rotateD = 0;- break;-- case 0:- rotateA = 1;- rotateB = 0;- rotateC = 0;- rotateD = -1;- break;-- default:- throw new Error("PageViewport: Invalid rotation, must be a multiple of 90 degrees.");- }-- if (dontFlip) {- rotateC = -rotateC;- rotateD = -rotateD;- }-- let offsetCanvasX, offsetCanvasY;- let width, height;-- if (rotateA === 0) {- offsetCanvasX = Math.abs(centerY - viewBox[1]) * scale + offsetX;- offsetCanvasY = Math.abs(centerX - viewBox[0]) * scale + offsetY;- width = Math.abs(viewBox[3] - viewBox[1]) * scale;- height = Math.abs(viewBox[2] - viewBox[0]) * scale;- } else {- offsetCanvasX = Math.abs(centerX - viewBox[0]) * scale + offsetX;- offsetCanvasY = Math.abs(centerY - viewBox[1]) * scale + offsetY;- width = Math.abs(viewBox[2] - viewBox[0]) * scale;- height = Math.abs(viewBox[3] - viewBox[1]) * scale;- }-- this.transform = [rotateA * scale, rotateB * scale, rotateC * scale, rotateD * scale, offsetCanvasX - rotateA * scale * centerX - rotateC * scale * centerY, offsetCanvasY - rotateB * scale * centerX - rotateD * scale * centerY];- this.width = width;- this.height = height;- }-- clone({- scale = this.scale,- rotation = this.rotation,- offsetX = this.offsetX,- offsetY = this.offsetY,- dontFlip = false- } = {}) {- return new PageViewport({- viewBox: this.viewBox.slice(),- scale,- rotation,- offsetX,- offsetY,- dontFlip- });- }-- convertToViewportPoint(x, y) {- return _util.Util.applyTransform([x, y], this.transform);- }-- convertToViewportRectangle(rect) {- const topLeft = _util.Util.applyTransform([rect[0], rect[1]], this.transform);-- const bottomRight = _util.Util.applyTransform([rect[2], rect[3]], this.transform);-- return [topLeft[0], topLeft[1], bottomRight[0], bottomRight[1]];- }-- convertToPdfPoint(x, y) {- return _util.Util.applyInverseTransform([x, y], this.transform);- }--}--exports.PageViewport = PageViewport;--class RenderingCancelledException extends _util.BaseException {- constructor(msg, type) {- super(msg, "RenderingCancelledException");- this.type = type;- }--}--exports.RenderingCancelledException = RenderingCancelledException;-const LinkTarget = {- NONE: 0,- SELF: 1,- BLANK: 2,- PARENT: 3,- TOP: 4-};-exports.LinkTarget = LinkTarget;--function addLinkAttributes(link, {- url,- target,- rel,- enabled = true-} = {}) {- (0, _util.assert)(url && typeof url === "string", 'addLinkAttributes: A valid "url" parameter must provided.');- const urlNullRemoved = (0, _util.removeNullCharacters)(url);-- if (enabled) {- link.href = link.title = urlNullRemoved;- } else {- link.href = "";- link.title = `Disabled: ${urlNullRemoved}`;-- link.onclick = () => {- return false;- };- }-- let targetStr = "";-- switch (target) {- case LinkTarget.NONE:- break;-- case LinkTarget.SELF:- targetStr = "_self";- break;-- case LinkTarget.BLANK:- targetStr = "_blank";- break;-- case LinkTarget.PARENT:- targetStr = "_parent";- break;-- case LinkTarget.TOP:- targetStr = "_top";- break;- }-- link.target = targetStr;- link.rel = typeof rel === "string" ? rel : DEFAULT_LINK_REL;-}--function isDataScheme(url) {- const ii = url.length;- let i = 0;-- while (i < ii && url[i].trim() === "") {- i++;- }-- return url.substring(i, i + 5).toLowerCase() === "data:";-}--function isPdfFile(filename) {- return typeof filename === "string" && /\.pdf$/i.test(filename);-}--function getFilenameFromUrl(url) {- const anchor = url.indexOf("#");- const query = url.indexOf("?");- const end = Math.min(anchor > 0 ? anchor : url.length, query > 0 ? query : url.length);- return url.substring(url.lastIndexOf("/", end) + 1, end);-}--function getPdfFilenameFromUrl(url, defaultFilename = "document.pdf") {- if (typeof url !== "string") {- return defaultFilename;- }-- if (isDataScheme(url)) {- (0, _util.warn)('getPdfFilenameFromUrl: ignore "data:"-URL for performance reasons.');- return defaultFilename;- }-- const reURI = /^(?:(?:[^:]+:)?\/\/[^/]+)?([^?#]*)(\?[^#]*)?(#.*)?$/;- const reFilename = /[^/?#=]+\.pdf\b(?!.*\.pdf\b)/i;- const splitURI = reURI.exec(url);- let suggestedFilename = reFilename.exec(splitURI[1]) || reFilename.exec(splitURI[2]) || reFilename.exec(splitURI[3]);-- if (suggestedFilename) {- suggestedFilename = suggestedFilename[0];-- if (suggestedFilename.includes("%")) {- try {- suggestedFilename = reFilename.exec(decodeURIComponent(suggestedFilename))[0];- } catch (ex) {}- }- }-- return suggestedFilename || defaultFilename;-}--class StatTimer {- constructor() {- this.started = Object.create(null);- this.times = [];- }-- time(name) {- if (name in this.started) {- (0, _util.warn)(`Timer is already running for ${name}`);- }-- this.started[name] = Date.now();- }-- timeEnd(name) {- if (!(name in this.started)) {- (0, _util.warn)(`Timer has not been started for ${name}`);- }-- this.times.push({- name,- start: this.started[name],- end: Date.now()- });- delete this.started[name];- }-- toString() {- const outBuf = [];- let longest = 0;-- for (const time of this.times) {- const name = time.name;-- if (name.length > longest) {- longest = name.length;- }- }-- for (const time of this.times) {- const duration = time.end - time.start;- outBuf.push(`${time.name.padEnd(longest)} ${duration}ms\n`);- }-- return outBuf.join("");- }--}--exports.StatTimer = StatTimer;--function isValidFetchUrl(url, baseUrl) {- try {- const {- protocol- } = baseUrl ? new URL(url, baseUrl) : new URL(url);- return protocol === "http:" || protocol === "https:";- } catch (ex) {- return false;- }-}--function loadScript(src, removeScriptElement = false) {- return new Promise((resolve, reject) => {- const script = document.createElement("script");- script.src = src;-- script.onload = function (evt) {- if (removeScriptElement) {- script.remove();- }-- resolve(evt);- };-- script.onerror = function () {- reject(new Error(`Cannot load script at: ${script.src}`));- };-- (document.head || document.documentElement).appendChild(script);- });-}--function deprecated(details) {- console.log("Deprecated API usage: " + details);-}--let pdfDateStringRegex;--class PDFDateString {- static toDateObject(input) {- if (!input || !(0, _util.isString)(input)) {- return null;- }-- if (!pdfDateStringRegex) {- pdfDateStringRegex = new RegExp("^D:" + "(\\d{4})" + "(\\d{2})?" + "(\\d{2})?" + "(\\d{2})?" + "(\\d{2})?" + "(\\d{2})?" + "([Z|+|-])?" + "(\\d{2})?" + "'?" + "(\\d{2})?" + "'?");- }-- const matches = pdfDateStringRegex.exec(input);-- if (!matches) {- return null;- }-- const year = parseInt(matches[1], 10);- let month = parseInt(matches[2], 10);- month = month >= 1 && month <= 12 ? month - 1 : 0;- let day = parseInt(matches[3], 10);- day = day >= 1 && day <= 31 ? day : 1;- let hour = parseInt(matches[4], 10);- hour = hour >= 0 && hour <= 23 ? hour : 0;- let minute = parseInt(matches[5], 10);- minute = minute >= 0 && minute <= 59 ? minute : 0;- let second = parseInt(matches[6], 10);- second = second >= 0 && second <= 59 ? second : 0;- const universalTimeRelation = matches[7] || "Z";- let offsetHour = parseInt(matches[8], 10);- offsetHour = offsetHour >= 0 && offsetHour <= 23 ? offsetHour : 0;- let offsetMinute = parseInt(matches[9], 10) || 0;- offsetMinute = offsetMinute >= 0 && offsetMinute <= 59 ? offsetMinute : 0;-- if (universalTimeRelation === "-") {- hour += offsetHour;- minute += offsetMinute;- } else if (universalTimeRelation === "+") {- hour -= offsetHour;- minute -= offsetMinute;- }-- return new Date(Date.UTC(year, month, day, hour, minute, second));- }--}--exports.PDFDateString = PDFDateString;--function getXfaPageViewport(xfaPage, {- scale = 1,- rotation = 0-}) {- const {- width,- height- } = xfaPage.attributes.style;- const viewBox = [0, 0, parseInt(width), parseInt(height)];- return new PageViewport({- viewBox,- scale,- rotation- });-}--/***/ }),-/* 2 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -548,7 +63,6 @@ exports.isString = isString; exports.objectFromMap = objectFromMap; exports.objectSize = objectSize;-exports.removeNullCharacters = removeNullCharacters; exports.setVerbosityLevel = setVerbosityLevel; exports.shadow = shadow; exports.string32 = string32;@@ -560,7 +74,7 @@ exports.utf8StringToString = utf8StringToString; exports.warn = warn;-__w_pdfjs_require__(3);+__w_pdfjs_require__(2); const IDENTITY_MATRIX = [1, 0, 0, 1, 0, 0]; exports.IDENTITY_MATRIX = IDENTITY_MATRIX;@@ -1095,24 +609,12 @@ } exports.AbortException = AbortException;-const NullCharactersRegExp = /\x00+/g;-const InvisibleCharactersRegExp = /[\x01-\x1F]/g;--function removeNullCharacters(str, replaceInvisible = false) {- if (typeof str !== "string") {- warn("The argument for removeNullCharacters must be a string.");- return str;- }-- if (replaceInvisible) {- str = str.replace(InvisibleCharactersRegExp, " ");- }-- return str.replace(NullCharactersRegExp, "");-} function bytesToString(bytes) {- assert(bytes !== null && typeof bytes === "object" && bytes.length !== undefined, "Invalid argument for bytesToString");+ if (typeof bytes !== "object" || bytes === null || bytes.length === undefined) {+ unreachable("Invalid argument for bytesToString");+ }+ const length = bytes.length; const MAX_ARGUMENT_COUNT = 8192;@@ -1132,7 +634,10 @@ } function stringToBytes(str) {- assert(typeof str === "string", "Invalid argument for stringToBytes");+ if (typeof str !== "string") {+ unreachable("Invalid argument for stringToBytes");+ }+ const length = str.length; const bytes = new Uint8Array(length);@@ -1148,8 +653,11 @@ return arr.length; }- assert(arr.byteLength !== undefined, "arrayByteLength - invalid argument.");- return arr.byteLength;+ if (arr.byteLength !== undefined) {+ return arr.byteLength;+ }++ unreachable("Invalid argument for arrayByteLength"); } function arraysToBytes(arr) {@@ -1409,22 +917,35 @@ const PDFStringTranslateTable = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x2d8, 0x2c7, 0x2c6, 0x2d9, 0x2dd, 0x2db, 0x2da, 0x2dc, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x2022, 0x2020, 0x2021, 0x2026, 0x2014, 0x2013, 0x192, 0x2044, 0x2039, 0x203a, 0x2212, 0x2030, 0x201e, 0x201c, 0x201d, 0x2018, 0x2019, 0x201a, 0x2122, 0xfb01, 0xfb02, 0x141, 0x152, 0x160, 0x178, 0x17d, 0x131, 0x142, 0x153, 0x161, 0x17e, 0, 0x20ac]; function stringToPDFString(str) {- const length = str.length,- strBuf = [];-- if (str[0] === "\xFE" && str[1] === "\xFF") {- for (let i = 2; i < length; i += 2) {- strBuf.push(String.fromCharCode(str.charCodeAt(i) << 8 | str.charCodeAt(i + 1)));- }- } else if (str[0] === "\xFF" && str[1] === "\xFE") {- for (let i = 2; i < length; i += 2) {- strBuf.push(String.fromCharCode(str.charCodeAt(i + 1) << 8 | str.charCodeAt(i)));- }- } else {- for (let i = 0; i < length; ++i) {- const code = PDFStringTranslateTable[str.charCodeAt(i)];- strBuf.push(code ? String.fromCharCode(code) : str.charAt(i));- }+ if (str[0] >= "\xEF") {+ let encoding;++ if (str[0] === "\xFE" && str[1] === "\xFF") {+ encoding = "utf-16be";+ } else if (str[0] === "\xFF" && str[1] === "\xFE") {+ encoding = "utf-16le";+ } else if (str[0] === "\xEF" && str[1] === "\xBB" && str[2] === "\xBF") {+ encoding = "utf-8";+ }++ if (encoding) {+ try {+ const decoder = new TextDecoder(encoding, {+ fatal: true+ });+ const buffer = stringToBytes(str);+ return decoder.decode(buffer);+ } catch (ex) {+ warn(`stringToPDFString: "${ex}".`);+ }+ }+ }++ const strBuf = [];++ for (let i = 0, ii = str.length; i < ii; i++) {+ const code = PDFStringTranslateTable[str.charCodeAt(i)];+ strBuf.push(code ? String.fromCharCode(code) : str.charAt(i)); } return strBuf.join("");@@ -1548,17 +1069,17 @@ } /***/ }),+/* 2 */+/***/ ((__unused_webpack_module, __unused_webpack_exports, __w_pdfjs_require__) => {++++var _is_node = __w_pdfjs_require__(3);++;++/***/ }), /* 3 */-/***/ ((__unused_webpack_module, __unused_webpack_exports, __w_pdfjs_require__) => {----var _is_node = __w_pdfjs_require__(4);--;--/***/ }),-/* 4 */ /***/ ((__unused_webpack_module, exports) => {@@ -1571,185 +1092,7 @@ exports.isNodeJS = isNodeJS; /***/ }),-/* 5 */-/***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {----Object.defineProperty(exports, "__esModule", ({- value: true-}));-exports.BaseStandardFontDataFactory = exports.BaseSVGFactory = exports.BaseCanvasFactory = exports.BaseCMapReaderFactory = void 0;--var _util = __w_pdfjs_require__(2);--class BaseCanvasFactory {- constructor() {- if (this.constructor === BaseCanvasFactory) {- (0, _util.unreachable)("Cannot initialize BaseCanvasFactory.");- }- }-- create(width, height) {- if (width <= 0 || height <= 0) {- throw new Error("Invalid canvas size");- }-- const canvas = this._createCanvas(width, height);-- return {- canvas,- context: canvas.getContext("2d")- };- }-- reset(canvasAndContext, width, height) {- if (!canvasAndContext.canvas) {- throw new Error("Canvas is not specified");- }-- if (width <= 0 || height <= 0) {- throw new Error("Invalid canvas size");- }-- canvasAndContext.canvas.width = width;- canvasAndContext.canvas.height = height;- }-- destroy(canvasAndContext) {- if (!canvasAndContext.canvas) {- throw new Error("Canvas is not specified");- }-- canvasAndContext.canvas.width = 0;- canvasAndContext.canvas.height = 0;- canvasAndContext.canvas = null;- canvasAndContext.context = null;- }-- _createCanvas(width, height) {- (0, _util.unreachable)("Abstract method `_createCanvas` called.");- }--}--exports.BaseCanvasFactory = BaseCanvasFactory;--class BaseCMapReaderFactory {- constructor({- baseUrl = null,- isCompressed = false- }) {- if (this.constructor === BaseCMapReaderFactory) {- (0, _util.unreachable)("Cannot initialize BaseCMapReaderFactory.");- }-- this.baseUrl = baseUrl;- this.isCompressed = isCompressed;- }-- async fetch({- name- }) {- if (!this.baseUrl) {- throw new Error('The CMap "baseUrl" parameter must be specified, ensure that ' + 'the "cMapUrl" and "cMapPacked" API parameters are provided.');- }-- if (!name) {- throw new Error("CMap name must be specified.");- }-- const url = this.baseUrl + name + (this.isCompressed ? ".bcmap" : "");- const compressionType = this.isCompressed ? _util.CMapCompressionType.BINARY : _util.CMapCompressionType.NONE;- return this._fetchData(url, compressionType).catch(reason => {- throw new Error(`Unable to load ${this.isCompressed ? "binary " : ""}CMap at: ${url}`);- });- }-- _fetchData(url, compressionType) {- (0, _util.unreachable)("Abstract method `_fetchData` called.");- }--}--exports.BaseCMapReaderFactory = BaseCMapReaderFactory;--class BaseStandardFontDataFactory {- constructor({- baseUrl = null- }) {- if (this.constructor === BaseStandardFontDataFactory) {- (0, _util.unreachable)("Cannot initialize BaseStandardFontDataFactory.");- }-- this.baseUrl = baseUrl;- }-- async fetch({- filename- }) {- if (!this.baseUrl) {- throw new Error('The standard font "baseUrl" parameter must be specified, ensure that ' + 'the "standardFontDataUrl" API parameter is provided.');- }-- if (!filename) {- throw new Error("Font filename must be specified.");- }-- const url = `${this.baseUrl}${filename}`;- return this._fetchData(url).catch(reason => {- throw new Error(`Unable to load font data at: ${url}`);- });- }-- _fetchData(url) {- (0, _util.unreachable)("Abstract method `_fetchData` called.");- }--}--exports.BaseStandardFontDataFactory = BaseStandardFontDataFactory;--class BaseSVGFactory {- constructor() {- if (this.constructor === BaseSVGFactory) {- (0, _util.unreachable)("Cannot initialize BaseSVGFactory.");- }- }-- create(width, height) {- if (width <= 0 || height <= 0) {- throw new Error("Invalid SVG dimensions");- }-- const svg = this._createSVG("svg:svg");-- svg.setAttribute("version", "1.1");- svg.setAttribute("width", `${width}px`);- svg.setAttribute("height", `${height}px`);- svg.setAttribute("preserveAspectRatio", "none");- svg.setAttribute("viewBox", `0 0 ${width} ${height}`);- return svg;- }-- createElement(type) {- if (typeof type !== "string") {- throw new Error("Invalid SVG element type");- }-- return this._createSVG(type);- }-- _createSVG(type) {- (0, _util.unreachable)("Abstract method `_createSVG` called.");- }--}--exports.BaseSVGFactory = BaseSVGFactory;--/***/ }),-/* 6 */+/* 4 */ /***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {@@ -1762,9 +1105,9 @@ exports.setPDFNetworkStreamFactory = setPDFNetworkStreamFactory; exports.version = void 0;-var _util = __w_pdfjs_require__(2);--var _display_utils = __w_pdfjs_require__(1);+var _util = __w_pdfjs_require__(1);++var _display_utils = __w_pdfjs_require__(5); var _font_loader = __w_pdfjs_require__(7);@@ -1776,7 +1119,7 @@ var _worker_options = __w_pdfjs_require__(12);-var _is_node = __w_pdfjs_require__(4);+var _is_node = __w_pdfjs_require__(3); var _message_handler = __w_pdfjs_require__(13);@@ -2001,7 +1344,7 @@ const workerId = await worker.messageHandler.sendWithPromise("GetDocRequest", { docId,- apiVersion: '2.13.24',+ apiVersion: '2.13.93', source: { data: source.data, url: source.url,@@ -2811,12 +2154,8 @@ } postMessage(obj, transfers) {- function cloneValue(object) {- return globalThis.structuredClone(object, transfers);- }- const event = {- data: cloneValue(obj)+ data: structuredClone(obj, transfers) }; this._deferred.then(() => {@@ -4006,10 +3345,616 @@ }-const version = '2.13.24';+const version = '2.13.93'; exports.version = version;-const build = '290cbc523';+const build = '6b9cc24d4'; exports.build = build;++/***/ }),+/* 5 */+/***/ ((__unused_webpack_module, exports, __w_pdfjs_require__) => {++++Object.defineProperty(exports, "__esModule", ({+ value: true+}));+exports.StatTimer = exports.RenderingCancelledException = exports.PixelsPerInch = exports.PageViewport = exports.PDFDateString = exports.DOMStandardFontDataFactory = exports.DOMSVGFactory = exports.DOMCanvasFactory = exports.DOMCMapReaderFactory = void 0;+exports.deprecated = deprecated;+exports.getFilenameFromUrl = getFilenameFromUrl;+exports.getPdfFilenameFromUrl = getPdfFilenameFromUrl;+exports.getXfaPageViewport = getXfaPageViewport;+exports.isDataScheme = isDataScheme;+exports.isPdfFile = isPdfFile;+exports.isValidFetchUrl = isValidFetchUrl;+exports.loadScript = loadScript;++var _base_factory = __w_pdfjs_require__(6);++var _util = __w_pdfjs_require__(1);++const SVG_NS = "http://www.w3.org/2000/svg";+const PixelsPerInch = {+ CSS: 96.0,+ PDF: 72.0,++ get PDF_TO_CSS_UNITS() {+ return (0, _util.shadow)(this, "PDF_TO_CSS_UNITS", this.CSS / this.PDF);+ }++};+exports.PixelsPerInch = PixelsPerInch;++class DOMCanvasFactory extends _base_factory.BaseCanvasFactory {+ constructor({+ ownerDocument = globalThis.document+ } = {}) {+ super();+ this._document = ownerDocument;+ }++ _createCanvas(width, height) {+ const canvas = this._document.createElement("canvas");++ canvas.width = width;+ canvas.height = height;+ return canvas;+ }++}++exports.DOMCanvasFactory = DOMCanvasFactory;++async function fetchData(url, asTypedArray = false) {+ const response = await fetch(url);++ if (!response.ok) {+ throw new Error(response.statusText);+ }++ return asTypedArray ? new Uint8Array(await response.arrayBuffer()) : (0, _util.stringToBytes)(await response.text());+}++class DOMCMapReaderFactory extends _base_factory.BaseCMapReaderFactory {+ _fetchData(url, compressionType) {+ return fetchData(url, this.isCompressed).then(data => {+ return {+ cMapData: data,+ compressionType+ };+ });+ }++}++exports.DOMCMapReaderFactory = DOMCMapReaderFactory;++class DOMStandardFontDataFactory extends _base_factory.BaseStandardFontDataFactory {+ _fetchData(url) {+ return fetchData(url, true);+ }++}++exports.DOMStandardFontDataFactory = DOMStandardFontDataFactory;++class DOMSVGFactory extends _base_factory.BaseSVGFactory {+ _createSVG(type) {+ return document.createElementNS(SVG_NS, type);+ }++}++exports.DOMSVGFactory = DOMSVGFactory;++class PageViewport {+ constructor({+ viewBox,+ scale,+ rotation,+ offsetX = 0,+ offsetY = 0,+ dontFlip = false+ }) {+ this.viewBox = viewBox;+ this.scale = scale;+ this.rotation = rotation;+ this.offsetX = offsetX;+ this.offsetY = offsetY;+ const centerX = (viewBox[2] + viewBox[0]) / 2;+ const centerY = (viewBox[3] + viewBox[1]) / 2;+ let rotateA, rotateB, rotateC, rotateD;+ rotation %= 360;++ if (rotation < 0) {+ rotation += 360;+ }++ switch (rotation) {+ case 180:+ rotateA = -1;+ rotateB = 0;+ rotateC = 0;+ rotateD = 1;+ break;++ case 90:+ rotateA = 0;+ rotateB = 1;+ rotateC = 1;+ rotateD = 0;
Based on the provided code diff, I'll analyze it for security fixes:
1. Vulnerability Existed: yes
Cross-Site Scripting (XSS) [File: toolkit/components/pdfjs/content/build/pdf.js] [Lines: Modified stringToPDFString function]
[Old Code]
function stringToPDFString(str) {
const length = str.length,
strBuf = [];
if (str[0] === "\xFE" && str[1] === "\xFF") {
for (let i = 2; i < length; i += 2) {
strBuf.push(String.fromCharCode(str.charCodeAt(i) << 8 | str.charCodeAt(i + 1)));
}
} else if (str[0] === "\xFF" && str[1] === "\xFE") {
for (let i = 2; i < length; i += 2) {
strBuf.push(String.fromCharCode(str.charCodeAt(i + 1) << 8 | str.charCodeAt(i)));
}
} else {
for (let i = 0; i < length; ++i) {
const code = PDFStringTranslateTable[str.charCodeAt(i)];
strBuf.push(code ? String.fromCharCode(code) : str.charAt(i));
}
}
return strBuf.join("");
}
[Fixed Code]
function stringToPDFString(str) {
if (str[0] >= "\xEF") {
let encoding;
if (str[0] === "\xFE" && str[1] === "\xFF") {
encoding = "utf-16be";
} else if (str[0] === "\xFF" && str[1] === "\xFE") {
encoding = "utf-16le";
} else if (str[0] === "\xEF" && str[1] === "\xBB" && str[2] === "\xBF") {
encoding = "utf-8";
}
if (encoding) {
try {
const decoder = new TextDecoder(encoding, {
fatal: true
});
const buffer = stringToBytes(str);
return decoder.decode(buffer);
} catch (ex) {
warn(`stringToPDFString: "${ex}".`);
}
}
}
const strBuf = [];
for (let i = 0, ii = str.length; i < ii; i++) {
const code = PDFStringTranslateTable[str.charCodeAt(i)];
strBuf.push(code ? String.fromCharCode(code) : str.charAt(i));
}
return strBuf.join("");
}
2. Vulnerability Existed: yes
Null Byte Injection [File: toolkit/components/pdfjs/content/build/pdf.js] [Lines: Removed removeNullCharacters function]
[Old Code]
function removeNullCharacters(str, replaceInvisible = false) {
if (typeof str !== "string") {
warn("The argument for removeNullCharacters must be a string.");
return str;
}
if (replaceInvisible) {
str = str.replace(InvisibleCharactersRegExp, " ");
}
return str.replace(NullCharactersRegExp, "");
}
[Fixed Code]
(Entire function removed)
3. Vulnerability Existed: yes
DOM-based XSS [File: toolkit/components/pdfjs/content/build/pdf.js] [Lines: Modified postMessage implementation]
[Old Code]
postMessage(obj, transfers) {
function cloneValue(object) {
return globalThis.structuredClone(object, transfers);
}
const event = {
data: cloneValue(obj)
};
this._deferred.then(() => {
this._listeners.forEach(callback => {
callback(event);
});
});
}
[Fixed Code]
postMessage(obj, transfers) {
const event = {
data: structuredClone(obj, transfers)
};
this._deferred.then(() => {
this._listeners.forEach(callback => {
callback(event);
});
});
}
The changes appear to:
1. Improve string encoding handling to prevent XSS
2. Remove potentially dangerous null byte handling
3. Simplify and secure the postMessage implementation
The fixes address several security vulnerabilities including:
- Cross-Site Scripting (XSS)
- Null Byte Injection
- Potential DOM-based XSS issues
The changes align with security best practices by:
- Using modern TextDecoder API for string handling
- Removing potentially dangerous string manipulation functions
- Simplifying critical functions to reduce attack surface
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wgpu-core/.cargo-checksum.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wgpu-core/.cargo-checksum.json@@ -1 +1 @@-{"files":{"Cargo.toml":"7e99ba7d9f6fa89d46b62b740f9b64bf8664532c3c6442c09f9a27da04a0d366","build.rs":"cf35ffe778a6f1f54e6adecce7401353827f468730703aa1531343cbbe4a3269","src/binding_model.rs":"218bfaa87b291be693c27ea496111c4a66edcbc585ce2661c060d5996822334b","src/command/bind.rs":"309f3f1b1719d25115d385368cff0a2c85e94da825b2930141db78235901c673","src/command/bundle.rs":"647867e9a0fa16ab1ecbe6a81342c9d21eb6e4eac70569ffb706965be461d5f5","src/command/clear.rs":"835bd849dd08b3b98445b42bcb48c3dddc6376ca06c95f4147a125d7ae7a7b51","src/command/compute.rs":"dc2d923fe1da2e16650f3a8525654f101c530709e4e15feafbad89480e0987a4","src/command/draw.rs":"e0215f58c3e669bf1a8048735ba89157fea3d6c20dcbb74e318eacf540f49e72","src/command/memory_init.rs":"0397026bef6da0db8447b466cbee86adabc4b4bc11e74de419a42117c2ee107c","src/command/mod.rs":"ca5afb16d22bf7337d80ab6210215dd1dbe487d79c55282af965a1b1ac93367d","src/command/query.rs":"18659df22356493697ce1c5b56fe2ca0e2f3f1ef29bdf00d65f064eeecba5130","src/command/render.rs":"5cee47cec09c0d4a82f152ae3d7eef3ff7dc61996c0fcac7279b87d8dd60199b","src/command/transfer.rs":"b8cbe68af591437f2dfdefa24fe526de5f387639a790ea5fad1a90a76e8e6478","src/conv.rs":"6b98120d6f2a3ae9991b2ced42015fc58f54e547e49e6f0f6ec00ca2279f5568","src/device/life.rs":"eab386a46fd8fd8aae2c2d424c1d79c234ef5f17546e34475ddf1a219092fbab","src/device/mod.rs":"22ed0d1ce1307f0d1f5c0f63d4954c6c577cb2b9d8ebf7deec31a93db8221717","src/device/queue.rs":"e6885be9ee35f086f60998b64ad6241ef9892ab2e482d538f23a8ad9af82af18","src/device/trace.rs":"de575a8213c8ae9df711e4b6afe5736d71ac65bf141375fe044d3b6c4375e039","src/error.rs":"34a4adbb6ec669d8de22b932363506eeef1b1115c422bcc8daa3b26f62378518","src/hub.rs":"7867924940eaae7dc74f0f7a684d2f08c91e1dea16e9479c6d1f09667ab395f7","src/id.rs":"b8a834c2f508b52b581345a68ccd56726296f3e7c36a4b6b77b3d6531084b645","src/init_tracker/buffer.rs":"ccdddaace101f921463bf6c62ed5aca01a6520717a850b5d4442c3551e9f1875","src/init_tracker/mod.rs":"cfc56ba1b6956a5d783e88d517dd41946ae37d70ce6f0bb29fe9540453fa8d13","src/init_tracker/texture.rs":"c619b36d09b1bb296728d6d31eb7a9d8e53be4e84a92225d2b781b4eca3863c8","src/instance.rs":"b723d41e00e7a87f287ee1fa0880ee187a8366f8c44afa7127a9ff8925d3777c","src/lib.rs":"6c88700dac8c08da9adaa098e37e4e6ef10bb6d3f0a7d5d5dd43f11ffdcbcb39","src/pipeline.rs":"5318b4d687e485327e6a8fc6ec42f7da3331a1cd1283e5a3ae82c56fbc67dfdb","src/present.rs":"783d0b51be4e7e84b1f54ee8fab698b3b69f10dc5299686108cf6a99e3bef6d2","src/resource.rs":"9ea383643c8f898e8fda45d37987aa51b7e5ca6193cda4a7d7401aee5d5a022c","src/track/buffer.rs":"58828fa4bb6d9ca0f4c2549fd271b1ada738598675cc13714db99ef676c9332a","src/track/mod.rs":"372bda71187958b1db8689079a48dbc9cdbb6e011396b5851a4d6689cc279d80","src/track/range.rs":"d24340a235103fd18e740236ebfe59b434023bc07abaeebc11c4d7b44057e267","src/track/texture.rs":"f64028e06c215d7dc9d1ac293acbcc40e88b9dbf7eb0e010214f0327d4569794","src/validation.rs":"65c883b3fbc8e4c29fc57be98b6278593f8c51350d9fedea0b95dd990ab551f3"},"package":null}+{"files":{"Cargo.toml":"ecd9ed8e37868ab1c02cbb4452f738690e2f1632240ac35136460b4680b4343a","build.rs":"cf35ffe778a6f1f54e6adecce7401353827f468730703aa1531343cbbe4a3269","src/binding_model.rs":"218bfaa87b291be693c27ea496111c4a66edcbc585ce2661c060d5996822334b","src/command/bind.rs":"309f3f1b1719d25115d385368cff0a2c85e94da825b2930141db78235901c673","src/command/bundle.rs":"4519a28c5acc4a70de274ad7e577073beb85c5b273d7e6081b7e78e87154ae93","src/command/clear.rs":"88fa908ee5d887c37ff580a9b1bc01d6768d9420c51b50171583ae9b91425d68","src/command/compute.rs":"dc2d923fe1da2e16650f3a8525654f101c530709e4e15feafbad89480e0987a4","src/command/draw.rs":"e0215f58c3e669bf1a8048735ba89157fea3d6c20dcbb74e318eacf540f49e72","src/command/memory_init.rs":"f7c73879b9fa728039a45d78f1f865e4eca863c860b3775a4542c973dfdb68c5","src/command/mod.rs":"993b8a9806fa55f6d24eb6d49db353ab1ae1fc16cac5f4fb2557f6a3286df758","src/command/query.rs":"18659df22356493697ce1c5b56fe2ca0e2f3f1ef29bdf00d65f064eeecba5130","src/command/render.rs":"a394e2ca411d5615d6a3ff01a55eb1d122e1d05827b24fbdff2c50e84019b7c1","src/command/transfer.rs":"9bc55af0c4ad328250908fcbdac7d97a730d73bcf44532fdfbca05d639d08ba9","src/conv.rs":"15d87cd2a91cb9514273e86441940b86380861ec146796e5f214e95e4124d975","src/device/life.rs":"a418aaa4ba73a57cc069b9697925e308c5ecf04c022245221b9a2c9a4af9d204","src/device/mod.rs":"54aaa5bd53f5a92968d77309a1a324a5df2db3e4238ff52175e03301e4b63d3a","src/device/queue.rs":"c428e5ffdb5681711343ad99cf3590565cea24a6a0075820ff3726c1a150946a","src/device/trace.rs":"de575a8213c8ae9df711e4b6afe5736d71ac65bf141375fe044d3b6c4375e039","src/error.rs":"34a4adbb6ec669d8de22b932363506eeef1b1115c422bcc8daa3b26f62378518","src/hub.rs":"91db4c98ab653c3dd246153165f50b29df1076a419394426de86d21f1b157ebd","src/id.rs":"b8a834c2f508b52b581345a68ccd56726296f3e7c36a4b6b77b3d6531084b645","src/init_tracker/buffer.rs":"ccdddaace101f921463bf6c62ed5aca01a6520717a850b5d4442c3551e9f1875","src/init_tracker/mod.rs":"eb8fd33c95baaee5e618e6ae3c0d7b886eb23e7d94db1844d825c14cbbf48619","src/init_tracker/texture.rs":"75cf8753d850792ebc11da8ed7936836a23e12cbcdd52213a5e85ea3ff1412c1","src/instance.rs":"934a5a77024c5ad47ff7efbe45c7ea40dc062f56590caf75bf07cecf65731d8c","src/lib.rs":"6c88700dac8c08da9adaa098e37e4e6ef10bb6d3f0a7d5d5dd43f11ffdcbcb39","src/pipeline.rs":"ffabdc74656717276241b1ca2ed043fabf18795662a523828193aea99d7a9ef5","src/present.rs":"3e00e8545ce4ce808e2933516a73480ad89f9ed6733152df48215b551a2f5103","src/resource.rs":"c7af97875dc34bc56012bf59b3752af986cd7fdbc920767b733b973cb174797b","src/track/buffer.rs":"58828fa4bb6d9ca0f4c2549fd271b1ada738598675cc13714db99ef676c9332a","src/track/mod.rs":"372bda71187958b1db8689079a48dbc9cdbb6e011396b5851a4d6689cc279d80","src/track/range.rs":"d24340a235103fd18e740236ebfe59b434023bc07abaeebc11c4d7b44057e267","src/track/texture.rs":"f64028e06c215d7dc9d1ac293acbcc40e88b9dbf7eb0e010214f0327d4569794","src/validation.rs":"65c883b3fbc8e4c29fc57be98b6278593f8c51350d9fedea0b95dd990ab551f3"},"package":null}=========testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.strokeStyle.worker.js========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.strokeStyle.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.strokeStyle.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); // Test that restore() undoes any modifications var old = ctx.strokeStyle;
Based on the provided code diff, I'll analyze it for security fixes:
1. For the first file (wgpu-core/.cargo-checksum.json):
Vulnerability Existed: no
This is just a checksum file update showing that multiple source files were modified between versions. The checksums have changed, but there's no visible security vulnerability being fixed here - this appears to be routine updates to the wgpu-core dependency.
2. For the second file (2d.state.saverestore.strokeStyle.worker.js):
Vulnerability Existed: no
The changes here are purely variable renaming (from `offscreenCanvas` to `canvas`). This doesn't appear to be a security fix but rather a code style/readability improvement.
No actual security vulnerabilities were identified in these diffs. The changes appear to be either:
1. Routine dependency updates (checksum changes)
2. Code style improvements (variable renaming)
Neither change shows evidence of fixing a security vulnerability. The checksum changes could potentially indicate security fixes in the underlying wgpu-core code, but we can't determine that from just the checksum file.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/protocol/http/nsHttpHandler.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/protocol/http/nsHttpHandler.h@@ -312,7 +312,7 @@ TickleWifi(callbacks); RefPtr<nsHttpConnectionInfo> clone = ci->Clone(); return mConnMgr->SpeculativeConnect(clone, callbacks, caps, nullptr,- aFetchHTTPSRR);+ aFetchHTTPSRR | EchConfigEnabled()); } [[nodiscard]] nsresult SpeculativeConnect(nsHttpConnectionInfo* ci,@@ -444,7 +444,6 @@ bool IsHttp3VersionSupported(const nsACString& version); static bool IsHttp3SupportedByServer(nsHttpResponseHead* aResponseHead);- bool IsHttp3Enabled() const { return mHttp3Enabled; } uint32_t DefaultQpackTableSize() const { return mQpackTableSize; } uint16_t DefaultHttp3MaxBlockedStreams() const { return (uint16_t)mHttp3MaxBlockedStreams;@@ -495,8 +494,6 @@ // In the case an HTTPS RRSet contains some RRs with echConfig and some // without, we always fallback to the origin one. bool FallbackToOriginIfConfigsAreECHAndAllFailed() const;-- bool UseHTTPSRRForSpeculativeConnection() const; // So we can ensure that this is done during process preallocation to // avoid first-use overhead@@ -738,7 +735,6 @@ // The default size (in bytes) of the HPACK decompressor table. uint32_t mDefaultHpackBuffer{4096};- Atomic<bool, Relaxed> mHttp3Enabled{true}; // Http3 parameters Atomic<uint32_t, Relaxed> mQpackTableSize{4096}; // uint16_t is enough here, but Atomic only supports uint32_t or uint64_t.
Analyzing the provided code diff, here are the potential security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential Information Leak] [netwerk/protocol/http/nsHttpHandler.h] [Lines 312]
[Old Code]
`return mConnMgr->SpeculativeConnect(clone, callbacks, caps, nullptr, aFetchHTTPSRR);`
[Fixed Code]
`return mConnMgr->SpeculativeConnect(clone, callbacks, caps, nullptr, aFetchHTTPSRR | EchConfigEnabled());`
Additional Details: The change adds ECH (Encrypted Client Hello) configuration to speculative connections, which could be related to fixing a potential information leak during connection setup.
2. Vulnerability Existed: not sure
[Removed HTTP/3 Feature Flag] [netwerk/protocol/http/nsHttpHandler.h] [Lines 444, 735]
[Old Code]
`bool IsHttp3Enabled() const { return mHttp3Enabled; }`
`Atomic<bool, Relaxed> mHttp3Enabled{true};`
[Fixed Code]
[Removed entirely]
Additional Details: The removal of HTTP/3 feature flagging could indicate either a security hardening (making HTTP/3 always available) or removal of deprecated functionality. Without more context, the security implications are unclear.
3. Vulnerability Existed: not sure
[Removed HTTPS RR Function] [netwerk/protocol/http/nsHttpHandler.h] [Lines 495]
[Old Code]
`bool UseHTTPSRRForSpeculativeConnection() const;`
[Fixed Code]
[Removed entirely]
Additional Details: The removal of this function might relate to changes in how HTTPS Resource Records are handled for speculative connections, potentially affecting DNS-based security features.
Note: The diff shows several changes related to HTTP/3 and ECH configuration, but without more context about the threat model or specific vulnerabilities being addressed, it's difficult to definitively identify security issues. The changes appear to be related to connection handling and protocol support rather than obvious security vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.linear.transform.1.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.linear.transform.1.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var g = ctx.createLinearGradient(0, 0, 200, 0); g.addColorStop(0, '#f00');@@ -24,9 +24,9 @@ ctx.fillStyle = g; ctx.translate(-50, 0); ctx.fillRect(50, 0, 100, 50);-_assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");+_assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, here's my assessment:
1. Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-24]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
2. Vulnerability Existed: no
No security vulnerability found [File] [Lines 24-27]
[Old Code]
_assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
_assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
[Fixed Code]
_assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
_assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
The changes appear to be purely variable renaming (from 'offscreenCanvas' to 'canvas') with no security implications. The functionality remains identical, and there are no security-related patterns or vulnerabilities being addressed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.