Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.zero.4.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.zero.4.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -23,7 +23,7 @@ ctx.roundRect(100, 25, 0, 0, [0]); ctx.lineTo(0, 25); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring (variable renaming). Here's the analysis:
Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.zero.4.worker.js] [Lines 13-23]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes simply rename the variable `offscreenCanvas` to `canvas` and update all references to it. There are no security implications to this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-color/t424-hsl-values-b-3.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-color/t424-hsl-values-b-3.html@@ -6,7 +6,6 @@ <link rel="author" title="Intel" href="http://www.intel.com"> <link rel="help" href="http://www.w3.org/TR/css3-color/#hsl-color" /> <link rel="match" href="t424-hsl-values-b-3-ref.html" />-<meta name="flags" content="" /> <meta name="assert" content="Implementation of algorithm for converting hsl() colors to rgb() colors." /> <style> table { border-spacing: 0; padding: 0; border: none; }
Based on the provided diff, I don't see any security vulnerabilities being fixed. The change appears to be a simple removal of an empty meta tag for flags, which doesn't relate to security.
Answer:
Vulnerability Existed: no
No security vulnerability found in this diff
[Old Code]
<meta name="flags" content="" />
[Fixed Code]
(removed line)
Additional Notes:
- The change is purely cosmetic/structural (removing an empty meta tag)
- No security-related functionality was modified
- No known vulnerability patterns (XSS, injection, etc.) are present in this change
- This appears to be test file cleanup rather than a security fix
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp@@ -21,6 +21,7 @@ #include "mozilla/SandboxSettings.h" #include "mozilla/StaticPrefs_network.h" #include "mozilla/StaticPrefs_security.h"+#include "mozilla/StaticPrefs_widget.h" #include "mozilla/UniquePtr.h" #include "mozilla/Telemetry.h" #include "mozilla/WinDllServices.h"@@ -31,6 +32,7 @@ #include "nsDirectoryServiceDefs.h" #include "nsIFile.h" #include "nsIProperties.h"+#include "nsIXULRuntime.h" #include "nsServiceManagerUtils.h" #include "nsString.h" #include "nsTHashtable.h"@@ -646,7 +648,10 @@ } if (aSandboxLevel > 4) {- result = mPolicy->SetAlternateDesktop(false);+ // Alternate winstation breaks native theming.+ bool useAlternateWinstation =+ StaticPrefs::widget_non_native_theme_enabled();+ result = mPolicy->SetAlternateDesktop(useAlternateWinstation); if (NS_WARN_IF(result != sandbox::SBOX_ALL_OK)) { LOG_W("SetAlternateDesktop failed, result: %i, last error: %x", result, ::GetLastError());@@ -684,19 +689,13 @@ MOZ_RELEASE_ASSERT(sandbox::SBOX_ALL_OK == result, "Invalid flags for SetProcessMitigations.");- ContentWin32kLockdownState win32kLockdownState =+ nsIXULRuntime::ContentWin32kLockdownState win32kLockdownState = GetContentWin32kLockdownState(); LOG_W("Win32k Lockdown State: '%s'", ContentWin32kLockdownStateToString(win32kLockdownState));- // The file content process has some win32k usage particular to it, for- // example at least moz-icon usage, but we don't want to block enabling for- // other content processes. We might want to use moz-icon in the privileged- // about content process in the future, so we would need to exclude that as- // well or remote moz-icon.- if (!aIsFileProcess &&- (win32kLockdownState == ContentWin32kLockdownState::LockdownEnabled)) {+ if (GetContentWin32kLockdownEnabled()) { result = AddWin32kLockdownPolicy(mPolicy, false); MOZ_RELEASE_ASSERT(result == sandbox::SBOX_ALL_OK, "Failed to add the win32k lockdown policy");@@ -1244,6 +1243,111 @@ return true; }+bool SandboxBroker::SetSecurityLevelForUtilityProcess(+ mozilla::ipc::SandboxingKind aSandbox) {+ if (!mPolicy) {+ return false;+ }++ auto result =+ SetJobLevel(mPolicy, sandbox::JOB_LOCKDOWN, 0 /* ui_exceptions */);+ SANDBOX_ENSURE_SUCCESS(+ result,+ "SetJobLevel should never fail with these arguments, what happened?");++ result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,+ sandbox::USER_LOCKDOWN);+ SANDBOX_ENSURE_SUCCESS(+ result,+ "SetTokenLevel should never fail with these arguments, what happened?");++ result = mPolicy->SetAlternateDesktop(true);+ if (NS_WARN_IF(result != sandbox::SBOX_ALL_OK)) {+ LOG_W("SetAlternateDesktop failed, result: %i, last error: %x", result,+ ::GetLastError());+ }++ result = mPolicy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);+ SANDBOX_ENSURE_SUCCESS(result,+ "SetIntegrityLevel should never fail with these "+ "arguments, what happened?");++ result =+ mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);+ SANDBOX_ENSURE_SUCCESS(result,+ "SetDelayedIntegrityLevel should never fail with "+ "these arguments, what happened?");++ mPolicy->SetLockdownDefaultDacl();+ mPolicy->AddRestrictingRandomSid();++ sandbox::MitigationFlags mitigations =+ sandbox::MITIGATION_BOTTOM_UP_ASLR | sandbox::MITIGATION_HEAP_TERMINATE |+ sandbox::MITIGATION_SEHOP | sandbox::MITIGATION_EXTENSION_POINT_DISABLE |+ sandbox::MITIGATION_DEP_NO_ATL_THUNK | sandbox::MITIGATION_DEP |+ sandbox::MITIGATION_IMAGE_LOAD_PREFER_SYS32;++ const Maybe<Vector<const wchar_t*>>& exceptionModules =+ GetPrespawnCigExceptionModules();+ if (exceptionModules.isSome()) {+ mitigations |= sandbox::MITIGATION_FORCE_MS_SIGNED_BINS;+ }++ result = mPolicy->SetProcessMitigations(mitigations);+ SANDBOX_ENSURE_SUCCESS(result, "Invalid flags for SetProcessMitigations.");++ if (exceptionModules.isSome()) {+ // This needs to be called after MITIGATION_FORCE_MS_SIGNED_BINS is set+ // because of DCHECK in PolicyBase::AddRuleInternal.+ result = InitSignedPolicyRulesToBypassCig(mPolicy, exceptionModules.ref());+ SANDBOX_ENSURE_SUCCESS(result, "Failed to initialize signed policy rules.");+ }++ result = AddWin32kLockdownPolicy(mPolicy, false);+ SANDBOX_ENSURE_SUCCESS(result, "Failed to add the win32k lockdown policy");++ mitigations = sandbox::MITIGATION_STRICT_HANDLE_CHECKS |+ sandbox::MITIGATION_DLL_SEARCH_ORDER;++ if (exceptionModules.isNothing()) {+ mitigations |= sandbox::MITIGATION_FORCE_MS_SIGNED_BINS;+ }++ result = mPolicy->SetDelayedProcessMitigations(mitigations);+ SANDBOX_ENSURE_SUCCESS(result,+ "Invalid flags for SetDelayedProcessMitigations.");++ // Add the policy for the client side of a pipe. It is just a file+ // in the \pipe\ namespace. We restrict it to pipes that start with+ // "chrome." so the sandboxed process cannot connect to system services.+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,+ sandbox::TargetPolicy::FILES_ALLOW_ANY,+ L"\\??\\pipe\\chrome.*");+ SANDBOX_ENSURE_SUCCESS(+ result,+ "With these static arguments AddRule should never fail, what happened?");++ // Add the policy for the client side of the crash server pipe.+ result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,+ sandbox::TargetPolicy::FILES_ALLOW_ANY,+ L"\\??\\pipe\\gecko-crash-server-pipe.*");+ SANDBOX_ENSURE_SUCCESS(+ result,+ "With these static arguments AddRule should never fail, what happened?");++ switch (aSandbox) {+ case mozilla::ipc::SandboxingKind::GENERIC_UTILITY:+ // Nothing specific to perform yet?+ break;++ default:+ MOZ_ASSERT(false, "Invalid SandboxingKind");+ break;+ }++ return true;+}+ bool SandboxBroker::SetSecurityLevelForGMPlugin(SandboxLevel aLevel, bool aIsRemoteLaunch) { if (!mPolicy) {
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: yes
[Inconsistent Win32k Lockdown Policy] [security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp] [Lines 684-694]
[Old Code]
if (!aIsFileProcess &&
(win32kLockdownState == ContentWin32kLockdownState::LockdownEnabled)) {
result = AddWin32kLockdownPolicy(mPolicy, false);
MOZ_RELEASE_ASSERT(result == sandbox::SBOX_ALL_OK,
"Failed to add the win32k lockdown policy");
}
[Fixed Code]
if (GetContentWin32kLockdownEnabled()) {
result = AddWin32kLockdownPolicy(mPolicy, false);
MOZ_RELEASE_ASSERT(result == sandbox::SBOX_ALL_OK,
"Failed to add the win32k lockdown policy");
}
2. Vulnerability Existed: yes
[Potential Desktop Isolation Bypass] [security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp] [Lines 646-648]
[Old Code]
result = mPolicy->SetAlternateDesktop(false);
[Fixed Code]
bool useAlternateWinstation =
StaticPrefs::widget_non_native_theme_enabled();
result = mPolicy->SetAlternateDesktop(useAlternateWinstation);
3. Vulnerability Existed: not sure
[New Utility Process Sandbox Implementation] [security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp] [Lines 1243-1354]
[Old Code]
[N/A - Entire function is new]
[Fixed Code]
[Entire SetSecurityLevelForUtilityProcess function is new]
The first vulnerability shows a fix for inconsistent Win32k lockdown policy application, where the old code had special exceptions for file processes. The second vulnerability addresses potential desktop isolation bypass by making alternate desktop usage configurable based on theme settings. The third item is marked "not sure" as it's a completely new function being added, which could be either a security enhancement or a fix for an undocumented vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/painting/RetainedDisplayListBuilder.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/painting/RetainedDisplayListBuilder.h@@ -9,11 +9,14 @@ #include "nsDisplayList.h" #include "mozilla/Maybe.h"-#include "mozilla/TypedEnumBits.h"+#include "mozilla/EnumSet.h" class nsWindowSizes; namespace mozilla {++class nsDisplayItem;+class nsDisplayList; /** * RetainedDisplayListData contains frame invalidation information. It is stored@@ -23,12 +26,9 @@ struct RetainedDisplayListData { NS_DECLARE_FRAME_PROPERTY_DELETABLE(DisplayListData, RetainedDisplayListData)- enum class FrameFlags : uint8_t {- None = 0,- Modified = 1 << 0,- HasProps = 1 << 1,- HadWillChange = 1 << 2- };+ enum class FrameFlag : uint8_t { Modified, HasProps, HadWillChange };++ using FrameFlags = mozilla::EnumSet<FrameFlag, uint8_t>; RetainedDisplayListData() : mModifiedFramesCount(0) {}@@ -46,9 +46,7 @@ } /**- * Returns a mutable reference to flags set for the given |aFrame|. If the- * frame does not exist in this RetainedDisplayListData, it is added with- * default constructible flags FrameFlags::None.+ * Returns a mutable reference to flags set for the given |aFrame|. */ FrameFlags& Flags(nsIFrame* aFrame) { return mFrames.LookupOrInsert(aFrame); }@@ -57,6 +55,18 @@ * is not in this RetainedDisplayListData. */ FrameFlags GetFlags(nsIFrame* aFrame) const { return mFrames.Get(aFrame); }++ bool IsModified(nsIFrame* aFrame) const {+ return GetFlags(aFrame).contains(FrameFlag::Modified);+ }++ bool HasProps(nsIFrame* aFrame) const {+ return GetFlags(aFrame).contains(FrameFlag::HasProps);+ }++ bool HadWillChange(nsIFrame* aFrame) const {+ return GetFlags(aFrame).contains(FrameFlag::HadWillChange);+ } /** * Returns an iterator to the underlying frame storage.@@ -77,8 +87,6 @@ nsTHashMap<nsPtrHashKey<nsIFrame>, FrameFlags> mFrames; uint32_t mModifiedFramesCount; };--MOZ_MAKE_ENUM_CLASS_BITWISE_OPERATORS(RetainedDisplayListData::FrameFlags) /** * Returns RetainedDisplayListData property for the given |aRootFrame|, or@@ -187,6 +195,9 @@ * the frames in the modified frame lists. */ void ClearFramesWithProps();++ void ClearReuseableDisplayItems() { mBuilder.ClearReuseableDisplayItems(); }+ void AddSizeOfIncludingThis(nsWindowSizes&) const; NS_DECLARE_FRAME_PROPERTY_DELETABLE(Cached, RetainedDisplayListBuilder)@@ -249,15 +260,30 @@ nsIFrame** aOutModifiedAGR); nsIFrame* RootReferenceFrame() { return mBuilder.RootReferenceFrame(); }++ /**+ * Tries to perform a simple partial display list build without display list+ * merging. In this mode, only the top-level stacking context items and their+ * contents are reused, when the frame subtree has not been modified.+ */+ bool TrySimpleUpdate(const nsTArray<nsIFrame*>& aModifiedFrames,+ nsTArray<nsIFrame*>& aOutFramesWithProps);+ friend class MergeState; nsDisplayListBuilder mBuilder; RetainedDisplayList mList;- nsRect mPreviousVisibleRect; WeakFrame mPreviousCaret; RetainedDisplayListMetrics mMetrics; };+namespace RDLUtils {++void AssertFrameSubtreeUnmodified(const nsIFrame* aFrame);+void AssertDisplayItemUnmodified(nsDisplayItem* aItem);+void AssertDisplayListUnmodified(nsDisplayList* aList);++} // namespace RDLUtils } // namespace mozilla #endif // RETAINEDDISPLAYLISTBUILDER_H_
Analyzing the provided code diff, here are the security-related findings:
1. Vulnerability Existed: not sure
[Potential Type Safety Improvement] [layout/painting/RetainedDisplayListBuilder.h] [Lines 23-26]
[Old Code]
```cpp
enum class FrameFlags : uint8_t {
None = 0,
Modified = 1 << 0,
HasProps = 1 << 1,
HadWillChange = 1 << 2
};
```
[Fixed Code]
```cpp
enum class FrameFlag : uint8_t { Modified, HasProps, HadWillChange };
using FrameFlags = mozilla::EnumSet<FrameFlag, uint8_t>;
```
2. Vulnerability Existed: not sure
[Potential Memory Safety Improvement] [layout/painting/RetainedDisplayListBuilder.h] [Lines 46-48]
[Old Code]
```cpp
FrameFlags& Flags(nsIFrame* aFrame) { return mFrames.LookupOrInsert(aFrame); }
```
[Fixed Code]
```cpp
FrameFlags& Flags(nsIFrame* aFrame) { return mFrames.LookupOrInsert(aFrame); }
// Comment was removed about default constructible flags
```
3. Vulnerability Existed: not sure
[Potential Safety Checks Addition] [layout/painting/RetainedDisplayListBuilder.h] [Lines 260-264]
[Old Code]
(No equivalent code existed)
[Fixed Code]
```cpp
namespace RDLUtils {
void AssertFrameSubtreeUnmodified(const nsIFrame* aFrame);
void AssertDisplayItemUnmodified(nsDisplayItem* aItem);
void AssertDisplayListUnmodified(nsDisplayList* aList);
} // namespace RDLUtils
```
The changes appear to be primarily focused on code quality improvements and type safety rather than fixing specific security vulnerabilities. The switch from manual bit manipulation to EnumSet provides better type safety, and the addition of assertion utilities suggests improved validation checks, but no clear security vulnerabilities are being fixed in this diff. The changes are more likely related to maintainability and robustness than direct security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/xul/nsTextBoxFrame.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/xul/nsTextBoxFrame.cpp@@ -13,6 +13,7 @@ #include "mozilla/ComputedStyle.h" #include "mozilla/Preferences.h" #include "mozilla/PresShell.h"+#include "mozilla/intl/Segmenter.h" #include "mozilla/layers/RenderRootStateManager.h" #include "mozilla/gfx/2D.h" #include "nsFontMetrics.h"@@ -35,7 +36,6 @@ #include "nsIReflowCallback.h" #include "nsBoxFrame.h" #include "nsLayoutUtils.h"-#include "nsUnicodeProperties.h" #include "TextDrawTarget.h" #ifdef ACCESSIBILITY@@ -614,78 +614,67 @@ titleWidth = 0; }- using mozilla::unicode::ClusterIterator;- using mozilla::unicode::ClusterReverseIterator;+ using mozilla::intl::GraphemeClusterBreakIteratorUtf16;+ using mozilla::intl::GraphemeClusterBreakReverseIteratorUtf16; // ok crop things switch (mCropType) { case CropAuto: case CropNone: case CropRight: {- ClusterIterator iter(mTitle.Data(), mTitle.Length());- const char16_t* dataBegin = iter;- const char16_t* pos = dataBegin;- nscoord charWidth;+ const Span title(mTitle);+ GraphemeClusterBreakIteratorUtf16 iter(title);+ uint32_t pos = 0; nscoord totalWidth = 0;- while (!iter.AtEnd()) {- iter.Next();- const char16_t* nextPos = iter;- ptrdiff_t length = nextPos - pos;- charWidth =- nsLayoutUtils::AppUnitWidthOfString(pos, length, *fm, drawTarget);+ while (Maybe<uint32_t> nextPos = iter.Next()) {+ const nscoord charWidth = nsLayoutUtils::AppUnitWidthOfString(+ title.FromTo(pos, *nextPos), *fm, drawTarget); if (totalWidth + charWidth > aWidth) { break; }- if (UTF16_CODE_UNIT_IS_BIDI(*pos)) {+ if (UTF16_CODE_UNIT_IS_BIDI(mTitle[pos])) { AddStateBits(NS_FRAME_IS_BIDI); }- pos = nextPos;+ pos = *nextPos; totalWidth += charWidth; }- if (pos == dataBegin) {+ if (pos == 0) { return titleWidth; } // insert what character we can in.- nsAutoString title(mTitle);- title.Truncate(pos - dataBegin);- mCroppedTitle.Insert(title, 0);+ mCroppedTitle.Insert(title.To(pos), 0); } break; case CropLeft: {- ClusterReverseIterator iter(mTitle.Data(), mTitle.Length());- const char16_t* dataEnd = iter;- const char16_t* prevPos = dataEnd;- nscoord charWidth;+ const Span title(mTitle);+ GraphemeClusterBreakReverseIteratorUtf16 iter(title);+ uint32_t pos = title.Length(); nscoord totalWidth = 0;- while (!iter.AtEnd()) {- iter.Next();- const char16_t* pos = iter;- ptrdiff_t length = prevPos - pos;- charWidth =- nsLayoutUtils::AppUnitWidthOfString(pos, length, *fm, drawTarget);+ // nextPos is decreasing since we use a reverse iterator.+ while (Maybe<uint32_t> nextPos = iter.Next()) {+ const nscoord charWidth = nsLayoutUtils::AppUnitWidthOfString(+ title.FromTo(*nextPos, pos), *fm, drawTarget); if (totalWidth + charWidth > aWidth) { break; }- if (UTF16_CODE_UNIT_IS_BIDI(*pos)) {+ if (UTF16_CODE_UNIT_IS_BIDI(mTitle[*nextPos])) { AddStateBits(NS_FRAME_IS_BIDI); }- prevPos = pos;+ pos = *nextPos; totalWidth += charWidth; }- if (prevPos == dataEnd) {+ if (pos == title.Length()) { return titleWidth; }- nsAutoString copy;- mTitle.Right(copy, dataEnd - prevPos);- mCroppedTitle += copy;+ mCroppedTitle.Append(title.From(pos)); } break; case CropCenter: {@@ -698,55 +687,48 @@ } // determine how much of the string will fit in the max width- nscoord charWidth = 0;+ const Span title(mTitle); nscoord totalWidth = 0;- ClusterIterator leftIter(mTitle.Data(), mTitle.Length());- ClusterReverseIterator rightIter(mTitle.Data(), mTitle.Length());- const char16_t* dataBegin = leftIter;- const char16_t* dataEnd = rightIter;- const char16_t* leftPos = dataBegin;- const char16_t* rightPos = dataEnd;- const char16_t* pos;- ptrdiff_t length;+ GraphemeClusterBreakIteratorUtf16 leftIter(title);+ GraphemeClusterBreakReverseIteratorUtf16 rightIter(title);+ uint32_t leftPos = 0;+ uint32_t rightPos = title.Length(); nsAutoString leftString, rightString; while (leftPos < rightPos) {- leftIter.Next();- pos = leftIter;- length = pos - leftPos;- charWidth = nsLayoutUtils::AppUnitWidthOfString(leftPos, length, *fm,- drawTarget);+ Maybe<uint32_t> nextPos = leftIter.Next();+ Span chars = title.FromTo(leftPos, *nextPos);+ nscoord charWidth =+ nsLayoutUtils::AppUnitWidthOfString(chars, *fm, drawTarget); if (totalWidth + charWidth > aWidth) { break; }- if (UTF16_CODE_UNIT_IS_BIDI(*leftPos)) {+ if (UTF16_CODE_UNIT_IS_BIDI(mTitle[leftPos])) { AddStateBits(NS_FRAME_IS_BIDI); }- leftString.Append(leftPos, length);- leftPos = pos;+ leftString.Append(chars);+ leftPos = *nextPos; totalWidth += charWidth; if (leftPos >= rightPos) { break; }- rightIter.Next();- pos = rightIter;- length = rightPos - pos;- charWidth =- nsLayoutUtils::AppUnitWidthOfString(pos, length, *fm, drawTarget);+ nextPos = rightIter.Next();+ chars = title.FromTo(*nextPos, rightPos);+ charWidth = nsLayoutUtils::AppUnitWidthOfString(chars, *fm, drawTarget); if (totalWidth + charWidth > aWidth) { break; }- if (UTF16_CODE_UNIT_IS_BIDI(*pos)) {+ if (UTF16_CODE_UNIT_IS_BIDI(mTitle[*nextPos])) { AddStateBits(NS_FRAME_IS_BIDI); }- rightString.Insert(pos, 0, length);- rightPos = pos;+ rightString.Insert(chars, 0);+ rightPos = *nextPos; totalWidth += charWidth; }
I'll analyze the code diff for security fixes following the specified format. Vulnerability Existed: not sure Potential Unicode Handling Vulnerability [File] [Lines 614-687] [Old Code] Using ClusterIterator and ClusterReverseIterator from nsUnicodeProperties.h with direct pointer manipulation and length calculations. [Fixed Code] Using GraphemeClusterBreakIteratorUtf16 and GraphemeClusterBreakReverseIteratorUtf16 from mozilla::intl::Segmenter with safer span-based operations. Additional Details: The change appears to be a refactoring of Unicode text handling, replacing older Unicode cluster iteration methods with newer, more robust grapheme cluster break iterators. While not explicitly a security fix, this type of change often addresses potential edge cases in Unicode handling that could lead to security issues like: - Incorrect boundary detection - Buffer overflows - Character encoding issues The new implementation uses safer span-based operations and more modern Unicode handling, which likely improves security, though the exact vulnerability being fixed isn't specified in the diff. Vulnerability Existed: not sure Potential Bounds Checking Improvement [File] [Lines 614-687] [Old Code] Direct pointer arithmetic and manual length calculations when processing Unicode clusters. [Fixed Code] Using Maybe<uint32_t> for position tracking and span-based operations for safer bounds checking. Additional Details: The change from direct pointer manipulation to span-based operations with explicit bounds checking suggests a potential improvement in memory safety. The old code could potentially have had issues with: - Buffer overreads - Incorrect length calculations - Pointer arithmetic errors The new code's use of Maybe<uint32_t> and span operations provides more robust bounds checking, though again, the exact vulnerability isn't specified in the diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/jpeg-xl/third_party/CMakeLists.txt+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/jpeg-xl/third_party/CMakeLists.txt@@ -82,6 +82,9 @@ # Highway set(HWY_SYSTEM_GTEST ON CACHE INTERNAL "")+if((SANITIZER STREQUAL "asan") OR (SANITIZER STREQUAL "msan"))+ set(HWY_EXAMPLES_TESTS_INSTALL OFF CACHE INTERNAL "")+endif() if (EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/highway/CMakeLists.txt" AND NOT JPEGXL_FORCE_SYSTEM_HWY) add_subdirectory(highway)@@ -102,61 +105,11 @@ endif() # JPEGXL_DEP_LICENSE_DIR endif()-# lodepng-if( NOT EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/lodepng/lodepng.h" )- message(FATAL_ERROR "Please run ${PROJECT_SOURCE_DIR}/deps.sh to fetch the "- "build dependencies.")-endif()-include(lodepng.cmake)-configure_file("${CMAKE_CURRENT_SOURCE_DIR}/lodepng/LICENSE"- ${PROJECT_BINARY_DIR}/LICENSE.lodepng COPYONLY)- # brotli if (NOT EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/brotli/c/include/brotli/decode.h" OR JPEGXL_FORCE_SYSTEM_BROTLI)- # Create the libbrotli* and libbrotli*-static targets.- foreach(brlib IN ITEMS brotlienc brotlidec brotlicommon)- # Use uppercase like "BROTLIENC" for the cmake variables- string(TOUPPER "${brlib}" BRPREFIX)- pkg_check_modules(${BRPREFIX} lib${brlib})- if (${BRPREFIX}_FOUND)- if(${CMAKE_VERSION} VERSION_LESS "3.13.5")- add_library(${brlib} INTERFACE IMPORTED GLOBAL)- set_property(TARGET ${brlib} PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${${BRPREFIX}_INCLUDE_DIR})- target_link_libraries(${brlib} INTERFACE ${${BRPREFIX}_LDFLAGS})- set_property(TARGET ${brlib} PROPERTY INTERFACE_COMPILE_OPTIONS ${${BRPREFIX}_CFLAGS_OTHER})-- add_library(${brlib}-static INTERFACE IMPORTED GLOBAL)- set_property(TARGET ${brlib}-static PROPERTY INTERFACE_INCLUDE_DIRECTORIES ${${BRPREFIX}_INCLUDE_DIR})- target_link_libraries(${brlib}-static INTERFACE ${${BRPREFIX}_LDFLAGS})- set_property(TARGET ${brlib}-static PROPERTY INTERFACE_COMPILE_OPTIONS ${${BRPREFIX}_CFLAGS_OTHER})- else()- add_library(${brlib} INTERFACE IMPORTED GLOBAL)- target_include_directories(${brlib}- INTERFACE ${${BRPREFIX}_INCLUDE_DIRS})- target_link_libraries(${brlib}- INTERFACE ${${BRPREFIX}_LINK_LIBRARIES})- target_link_options(${brlib}- INTERFACE ${${BRPREFIX}_LDFLAGS_OTHER})- target_compile_options(${brlib}- INTERFACE ${${BRPREFIX}_CFLAGS_OTHER})-- # TODO(deymo): Remove the -static library versions, this target is- # currently needed by brunsli.cmake. When importing it this way, the- # brotli*-static target is just an alias.- add_library(${brlib}-static ALIAS ${brlib})- endif()- endif()- unset(BRPREFIX)- endforeach()-- if (BROTLIENC_FOUND AND BROTLIDEC_FOUND AND BROTLICOMMON_FOUND)- set(BROTLI_FOUND 1)- else()- set(BROTLI_FOUND 0)- endif()-- if (NOT BROTLI_FOUND)+ find_package(Brotli)+ if (NOT Brotli_FOUND) message(FATAL_ERROR "Brotli not found, install brotli-dev or download brotli source code to" " third_party/brotli from https://github.com/google/brotli. You can use"@@ -203,6 +156,50 @@ endif() endif()+# libpng+if (JPEGXL_EMSCRIPTEN)+ if (NOT EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/libpng/CMakeLists.txt")+ message(FATAL_ERROR "Please run ${PROJECT_SOURCE_DIR}/deps.sh to fetch the "+ "build dependencies.")+ endif()+ file(COPY "${CMAKE_CURRENT_SOURCE_DIR}/libpng/scripts/pnglibconf.h.prebuilt" DESTINATION "${CMAKE_CURRENT_SOURCE_DIR}/libpng")+ file(RENAME "${CMAKE_CURRENT_SOURCE_DIR}/libpng/pnglibconf.h.prebuilt" "${CMAKE_CURRENT_SOURCE_DIR}/libpng/pnglibconf.h")+ set(ZLIB_INCLUDE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/zlib/")+ set(ZLIB_LIBRARY "")+ set(PNG_FOUND YES PARENT_SCOPE)+ set(PNG_INCLUDE_DIRS "${CMAKE_CURRENT_SOURCE_DIR}/libpng/" PARENT_SCOPE)+ set(PNG_LIBRARIES "" PARENT_SCOPE)+elseif (JPEGXL_BUNDLE_LIBPNG)+ if (NOT EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/libpng/CMakeLists.txt")+ message(FATAL_ERROR "Please run ${PROJECT_SOURCE_DIR}/deps.sh to fetch the "+ "build dependencies.")+ endif()+ add_subdirectory(zlib)+ set(PNG_STATIC ON CACHE BOOL "")+ set(PNG_EXECUTABLES OFF CACHE BOOL "")+ set(PNG_BUILD_ZLIB ON CACHE BOOL "")+ set(PNG_TESTS OFF CACHE BOOL "")+ set(SKIP_INSTALL_ALL ON CACHE BOOL "")+ set(ZLIB_INCLUDE_DIR "${CMAKE_CURRENT_SOURCE_DIR}/zlib/")+ set(ZLIB_LIBRARY zlibstatic)+ add_subdirectory(libpng EXCLUDE_FROM_ALL)+ set(PNG_FOUND YES PARENT_SCOPE)+ set(PNG_INCLUDE_DIRS "${CMAKE_CURRENT_SOURCE_DIR}/libpng/" PARENT_SCOPE)+ set(PNG_LIBRARIES png_static PARENT_SCOPE)+ if(JPEGXL_DEP_LICENSE_DIR)+ configure_file("${CMAKE_CURRENT_SOURCE_DIR}/libpng/LICENSE"+ ${PROJECT_BINARY_DIR}/LICENSE.libpng COPYONLY)+ endif()+else()+ find_package(PNG)+ if(PNG_FOUND AND JPEGXL_DEP_LICENSE_DIR)+ configure_file("${JPEGXL_DEP_LICENSE_DIR}/zlib1g-dev/copyright"+ ${PROJECT_BINARY_DIR}/LICENSE.zlib COPYONLY)+ configure_file("${JPEGXL_DEP_LICENSE_DIR}/libpng-dev/copyright"+ ${PROJECT_BINARY_DIR}/LICENSE.libpng COPYONLY)+ endif() # JPEGXL_DEP_LICENSE_DIR+endif()+ # sjpeg if (JPEGXL_ENABLE_SJPEG) if (NOT EXISTS "${CMAKE_CURRENT_SOURCE_DIR}/sjpeg/CMakeLists.txt")
I'll analyze the provided code diff for security fixes following the specified format. 1. Vulnerability Existed: not sure [Potential Build System Issue] [third_party/jpeg-xl/third_party/CMakeLists.txt] [Lines 82-85] [Old Code: No condition for HWY_EXAMPLES_TESTS_INSTALL] [Fixed Code: Added condition to disable HWY_EXAMPLES_TESTS_INSTALL when using asan/msan] 2. Vulnerability Existed: not sure [Potential Dependency Management Issue] [third_party/jpeg-xl/third_party/CMakeLists.txt] [Lines 102-105] [Old Code: Manual brotli library handling] [Fixed Code: Simplified to use find_package(Brotli)] 3. Vulnerability Existed: not sure [Potential Build System Issue] [third_party/jpeg-xl/third_party/CMakeLists.txt] [Lines 156-203] [Old Code: No libpng handling] [Fixed Code: Added comprehensive libpng handling with different build scenarios] Note: While these changes appear to be build system improvements rather than direct security fixes, they could potentially address security concerns by: 1. Better handling of sanitizer builds 2. More robust dependency management 3. Proper handling of libpng dependencies and licensing However, without more context about the specific vulnerabilities being addressed, I can't definitively identify security fixes in these changes. The changes appear to be more about build system improvements and dependency management.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/tests/non262/ReadableStream/constructor-default.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/tests/non262/ReadableStream/constructor-default.js@@ -1,3 +1,5 @@+// |reftest| skip-if(!this.hasOwnProperty('ReadableStream'))+ // The second argument to `new ReadableStream` defaults to `{}`, so it observes // properties hacked onto Object.prototype.
Let me analyze the code diff for potential security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential Prototype Pollution] [js/src/tests/non262/ReadableStream/constructor-default.js] [Lines 1-3]
[Old Code]
// The second argument to `new ReadableStream` defaults to `{}`, so it observes
// properties hacked onto Object.prototype.
[Fixed Code]
// |reftest| skip-if(!this.hasOwnProperty('ReadableStream'))
// The second argument to `new ReadableStream` defaults to `{}`, so it observes
// properties hacked onto Object.prototype.
Analysis: The diff adds a test directive to skip the test if ReadableStream isn't available. While this isn't directly fixing a security vulnerability, the comment suggests there might be concerns about prototype pollution (properties hacked onto Object.prototype). However, without seeing the actual test implementation, I can't confirm if this was actually exploitable.
The main change appears to be test-related rather than a direct security fix, but the comment suggests there might have been prototype pollution concerns that were addressed elsewhere in the codebase.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/num_cpus/.cargo-checksum.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/num_cpus/.cargo-checksum.json@@ -1 +1 @@-{"files":{"CHANGELOG.md":"648196d9fad2d62618f5778dab9127cf6bb801e3a432d72179f118350d36ff23","CONTRIBUTING.md":"2390961aab1bba026135338da1216b6cc828dfaeed9357d9c155c55a252d3efb","Cargo.lock":"a7cbc6156b3b0ed9e8afdaae9668067e86aaeafc237f99c87e7fda76d8032c24","Cargo.toml":"08fed4ec7fac699f408ef1abdd39b1a6294b2c015cfe859eedbbb4c286bb7912","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"0593d22d122d4bfec6407115e3907546312976f75473417aaa4c57ecd2095ae6","README.md":"12451d6905fe9cdac206410de8071b562e5ea936b6e55a19ac97982831a0fcdb","ci/cgroups/Dockerfile":"b018cda01776cabe033af06a22c5ad337c90c07fdb8093e94857f2fc5a0b2bdb","examples/values.rs":"46c833324b7339d359054c4f8e8284259e860df206c552c63b5893ade59c16a6","fixtures/cgroups/cgroups/ceil/cpu.cfs_period_us":"d2ace393dc9388863d75d8de140df516d7ffe4aa7ed2f9a545aa71c9930d6638","fixtures/cgroups/cgroups/ceil/cpu.cfs_quota_us":"7ccd86cde0b22ffc2318f2509726d2a13053f6973e96dc5ca6965a56497e485e","fixtures/cgroups/cgroups/good/cpu.cfs_period_us":"d2ace393dc9388863d75d8de140df516d7ffe4aa7ed2f9a545aa71c9930d6638","fixtures/cgroups/cgroups/good/cpu.cfs_quota_us":"cdc3397c35d915e5fe61f8d2bdedcae00a225d55cc6b090580cde1b71c63463b","fixtures/cgroups/cgroups/zero-period/cpu.cfs_period_us":"74d01a0c051c963d9a9b8ab9dbeab1723f0ad8534ea9fa6a942f358d7fa011b4","fixtures/cgroups/cgroups/zero-period/cpu.cfs_quota_us":"1e6ffd8a95fab538ddd645a767e8cc505722d5c8aaf008969f2ed8ab753ff61e","fixtures/cgroups/proc/cgroups/cgroup":"6812299a4409bfd831ed751fdbbfdd9c5749f69acd7b14c5b0a704271a1f74c6","fixtures/cgroups/proc/cgroups/mountinfo":"3187b0b1c0fa192790abced7d435190e8979059186055688e4c3c2ca013398c6","src/lib.rs":"e1ce45ba3b2655fabb49ea0af50080808fd305c884d79cb4b9527198dab828ac","src/linux.rs":"c10382e85a4b196d6fd9a481d9b3d5978b8bb18eaeb7670716ced7d71b919f5e"},"package":"05499f3756671c15885fee9034446956fff3f243d6077b91e5767df161f766b3"}+{"files":{"CHANGELOG.md":"1b01434272c7e464f187eedc95522d9f5668f7f423459572fd33cd8eb5c4c5cf","CONTRIBUTING.md":"2390961aab1bba026135338da1216b6cc828dfaeed9357d9c155c55a252d3efb","Cargo.lock":"dabfb21d5ed9cefaf28e1fcbcaf253de08807ca3be33d0de4b06bb7a377d7b60","Cargo.toml":"885f8ecc8197bec06e151fde7769dc7c267d2f25a4b573240463e8a40a5be298","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"0593d22d122d4bfec6407115e3907546312976f75473417aaa4c57ecd2095ae6","README.md":"7760d315d3efd2306affa4c8e4dcdb3a245ae30b3c9cfb9cffed2f1116c86362","ci/cgroups/Dockerfile":"567f00918a6422b363e2c21e57bd47cef9dcc03d0ab109c9605e052f83af7e89","examples/values.rs":"46c833324b7339d359054c4f8e8284259e860df206c552c63b5893ade59c16a6","fixtures/cgroups/cgroups/ceil/cpu.cfs_period_us":"d2ace393dc9388863d75d8de140df516d7ffe4aa7ed2f9a545aa71c9930d6638","fixtures/cgroups/cgroups/ceil/cpu.cfs_quota_us":"7ccd86cde0b22ffc2318f2509726d2a13053f6973e96dc5ca6965a56497e485e","fixtures/cgroups/cgroups/good/cpu.cfs_period_us":"d2ace393dc9388863d75d8de140df516d7ffe4aa7ed2f9a545aa71c9930d6638","fixtures/cgroups/cgroups/good/cpu.cfs_quota_us":"cdc3397c35d915e5fe61f8d2bdedcae00a225d55cc6b090580cde1b71c63463b","fixtures/cgroups/cgroups/zero-period/cpu.cfs_period_us":"74d01a0c051c963d9a9b8ab9dbeab1723f0ad8534ea9fa6a942f358d7fa011b4","fixtures/cgroups/cgroups/zero-period/cpu.cfs_quota_us":"1e6ffd8a95fab538ddd645a767e8cc505722d5c8aaf008969f2ed8ab753ff61e","fixtures/cgroups/proc/cgroups/cgroup":"6812299a4409bfd831ed751fdbbfdd9c5749f69acd7b14c5b0a704271a1f74c6","fixtures/cgroups/proc/cgroups/mountinfo":"3187b0b1c0fa192790abced7d435190e8979059186055688e4c3c2ca013398c6","fixtures/cgroups/proc/cgroups/mountinfo_multi_opt":"d1e397752bc5c4558a3230ad847e89c6885362eab68a53b08dbf219de2e0138a","fixtures/cgroups/proc/cgroups/mountinfo_zero_opt":"91b03b270c76460bc19225aa4b743f893c7d32173e9609ef77e5a04814ab81ff","src/lib.rs":"81fc237964757a53689db848b1df4fed75bbd6a6e7a9063b6bb008161f8c22af","src/linux.rs":"a453e1056c130beaa7e2338222d04b5d3786f6325f5ca314ce9f4130079add2f"},"package":"19e64526ebdee182341572e50e9ad03965aa510cd94427a4549448f285e957a1"}=========editor/libeditor/HTMLTableEditor.cpp========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/editor/libeditor/HTMLTableEditor.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/editor/libeditor/HTMLTableEditor.cpp@@ -49,8 +49,8 @@ */ class MOZ_STACK_CLASS AutoSelectionSetterAfterTableEdit final { private:- RefPtr<HTMLEditor> mHTMLEditor;- RefPtr<Element> mTable;+ MOZ_KNOWN_LIVE RefPtr<HTMLEditor> mHTMLEditor;+ MOZ_KNOWN_LIVE RefPtr<Element> mTable; int32_t mCol, mRow, mDirection, mSelected; public:@@ -66,9 +66,8 @@ MOZ_CAN_RUN_SCRIPT ~AutoSelectionSetterAfterTableEdit() { if (mHTMLEditor) {- MOZ_KnownLive(mHTMLEditor)- ->SetSelectionAfterTableEdit(MOZ_KnownLive(mTable), mRow, mCol,- mDirection, mSelected);+ mHTMLEditor->SetSelectionAfterTableEdit(mTable, mRow, mCol, mDirection,+ mSelected); } }@@ -511,7 +510,7 @@ // Thus we set the colspan to its true value. if (!cellDataAtSelection.mColSpan) { DebugOnly<nsresult> rvIgnored =- SetColSpan(MOZ_KnownLive(cellDataAtSelection.mElement),+ SetColSpan(cellDataAtSelection.mElement, cellDataAtSelection.mEffectiveColSpan); NS_WARNING_ASSERTION(NS_SUCCEEDED(rvIgnored), "HTMLEditor::SetColSpan() failed, but ignored");@@ -565,9 +564,8 @@ // Note: we do nothing if colsspan=0, since it should automatically // span the new column. if (cellData.mColSpan > 0) {- DebugOnly<nsresult> rvIgnored =- SetColSpan(MOZ_KnownLive(cellData.mElement),- cellData.mColSpan + aNumberOfColumnsToInsert);+ DebugOnly<nsresult> rvIgnored = SetColSpan(+ cellData.mElement, cellData.mColSpan + aNumberOfColumnsToInsert); NS_WARNING_ASSERTION(NS_SUCCEEDED(rvIgnored), "HTMLEditor::SetColSpan() failed, but ignored"); }@@ -577,8 +575,7 @@ // Simply set selection to the current cell. So, we can let // InsertTableCellsWithTransaction() do the work. Insert a new cell // before current one.- CollapseSelectionToStartOf(MOZ_KnownLive(*cellData.mElement),- ignoredError);+ CollapseSelectionToStartOf(*cellData.mElement, ignoredError); if (NS_WARN_IF(ignoredError.ErrorCodeIs(NS_ERROR_EDITOR_DESTROYED))) { return NS_ERROR_EDITOR_DESTROYED; }@@ -745,7 +742,7 @@ // Thus we set the rowspan to its true value. if (!cellDataAtSelection.mRowSpan) { DebugOnly<nsresult> rvIgnored =- SetRowSpan(MOZ_KnownLive(cellDataAtSelection.mElement),+ SetRowSpan(cellDataAtSelection.mElement, cellDataAtSelection.mEffectiveRowSpan); NS_WARNING_ASSERTION(NS_SUCCEEDED(rvIgnored), "HTMLEditor::SetRowSpan() failed, but ignored");@@ -786,9 +783,8 @@ // Note that if rowspan is 0, we do nothing since that cell should // automatically extend into the new row. if (cellData.mRowSpan > 0) {- DebugOnly<nsresult> rvIgnored =- SetRowSpan(MOZ_KnownLive(cellData.mElement),- cellData.mRowSpan + aNumberOfRowsToInsert);+ DebugOnly<nsresult> rvIgnored = SetRowSpan(+ cellData.mElement, cellData.mRowSpan + aNumberOfRowsToInsert); NS_WARNING_ASSERTION(NS_SUCCEEDED(rvIgnored), "HTMLEditor::SetRowSpan() failed, but ignored"); }@@ -1549,7 +1545,7 @@ NS_WARNING_ASSERTION(cellData.mColSpan > 1, "colspan should be 2 or larger"); DebugOnly<nsresult> rvIgnored =- SetColSpan(MOZ_KnownLive(cellData.mElement), cellData.mColSpan - 1);+ SetColSpan(cellData.mElement, cellData.mColSpan - 1); NS_WARNING_ASSERTION(NS_SUCCEEDED(rvIgnored), "HTMLEditor::SetColSpan() failed, but ignored"); }@@ -1558,7 +1554,7 @@ // so delete contents of cell instead of cell itself (We must have // reset colspan above). DebugOnly<nsresult> rvIgnored =- DeleteAllChildrenWithTransaction(MOZ_KnownLive(*cellData.mElement));+ DeleteAllChildrenWithTransaction(*cellData.mElement); NS_WARNING_ASSERTION(NS_SUCCEEDED(rvIgnored), "HTMLEditor::DeleteAllChildrenWithTransaction() " "failed, but ignored");@@ -1577,8 +1573,7 @@ if (numberOfCellsInRow != 1) { // If removing cell is not the last cell of the row, we can just remove // it.- nsresult rv =- DeleteNodeWithTransaction(MOZ_KnownLive(*cellData.mElement));+ nsresult rv = DeleteNodeWithTransaction(*cellData.mElement); if (NS_FAILED(rv)) { NS_WARNING("HTMLEditor::DeleteNodeWithTransaction() failed"); return rv;@@ -2044,8 +2039,7 @@ // XXX So, we should distinguish whether CellData returns error or just // not found later. if (cellData.mElement && !cellData.IsSpannedFromOtherRowOrColumn()) {- nsresult rv =- AppendContentToSelectionAsRange(MOZ_KnownLive(*cellData.mElement));+ nsresult rv = AppendContentToSelectionAsRange(*cellData.mElement); if (rv == NS_ERROR_EDITOR_DESTROYED) { NS_WARNING( "HTMLEditor::AppendContentToSelectionAsRange() caused destroying "@@ -2159,7 +2153,7 @@ // XXX So, we should distinguish whether CellData returns error or just // not found later. if (cellData.mElement && !cellData.IsSpannedFromOtherRowOrColumn()) {- rv = AppendContentToSelectionAsRange(MOZ_KnownLive(*cellData.mElement));+ rv = AppendContentToSelectionAsRange(*cellData.mElement); if (rv == NS_ERROR_EDITOR_DESTROYED) { NS_WARNING( "HTMLEditor::AppendContentToSelectionAsRange() caused destroying "@@ -2268,7 +2262,7 @@ // XXX So, we should distinguish whether CellData returns error or just // not found later. if (cellData.mElement && !cellData.IsSpannedFromOtherRowOrColumn()) {- rv = AppendContentToSelectionAsRange(MOZ_KnownLive(*cellData.mElement));+ rv = AppendContentToSelectionAsRange(*cellData.mElement); if (rv == NS_ERROR_EDITOR_DESTROYED) { NS_WARNING( "HTMLEditor::AppendContentToSelectionAsRange() caused destroying "@@ -2447,7 +2441,7 @@ } // Reduce colspan of cell to split- nsresult rv = SetColSpan(MOZ_KnownLive(cellData.mElement), aColSpanLeft);+ nsresult rv = SetColSpan(cellData.mElement, aColSpanLeft); if (NS_FAILED(rv)) { NS_WARNING("HTMLEditor::SetColSpan() failed"); return rv;@@ -2456,8 +2450,8 @@ // Insert new cell after using the remaining span // and always get the new cell so we can copy the background color; RefPtr<Element> newCellElement;- rv = InsertCell(MOZ_KnownLive(cellData.mElement), cellData.mEffectiveRowSpan,- aColSpanRight, true, false, getter_AddRefs(newCellElement));+ rv = InsertCell(cellData.mElement, cellData.mEffectiveRowSpan, aColSpanRight,+ true, false, getter_AddRefs(newCellElement)); if (NS_FAILED(rv)) { NS_WARNING("HTMLEditor::InsertCell() failed"); return rv;@@ -2468,8 +2462,7 @@ if (aNewCell) { *aNewCell = do_AddRef(newCellElement).take(); }- rv =- CopyCellBackgroundColor(newCellElement, MOZ_KnownLive(cellData.mElement));+ rv = CopyCellBackgroundColor(newCellElement, cellData.mElement); NS_WARNING_ASSERTION(NS_SUCCEEDED(rv), "HTMLEditor::CopyCellBackgroundColor() failed"); return rv;@@ -2573,7 +2566,7 @@ } // Reduce rowspan of cell to split- nsresult rv = SetRowSpan(MOZ_KnownLive(cellData.mElement), aRowSpanAbove);+ nsresult rv = SetRowSpan(cellData.mElement, aRowSpanAbove); if (NS_FAILED(rv)) { NS_WARNING("HTMLEditor::SetRowSpan() failed"); return rv;@@ -3047,8 +3040,7 @@ if (spanAboveMergedCell > 0) { // Cell we merged started in a row above the target cell // Reduce rowspan to give room where target cell will extend its colspan- nsresult rv = SetRowSpan(MOZ_KnownLive(rightCellData.mElement),- spanAboveMergedCell);+ nsresult rv = SetRowSpan(rightCellData.mElement, spanAboveMergedCell); if (NS_FAILED(rv)) { NS_WARNING("HTMLEditor::SetRowSpan() failed"); return EditorBase::ToGenericNSResult(rv);@@ -3056,9 +3048,8 @@ } // Reset target cell's colspan to encompass cell to the right- rv = SetColSpan(- MOZ_KnownLive(leftCellData.mElement),- leftCellData.mEffectiveColSpan + rightCellData.mEffectiveColSpan);+ rv = SetColSpan(leftCellData.mElement, leftCellData.mEffectiveColSpan ++ rightCellData.mEffectiveColSpan); if (NS_FAILED(rv)) { NS_WARNING("HTMLEditor::SetColSpan() failed"); return EditorBase::ToGenericNSResult(rv);@@ -3205,8 +3196,8 @@ // not found a cell. Fix this later. if (cellData.mElement && cellData.mRowSpan > 0 && !cellData.IsSpannedFromOtherRowOrColumn()) {- nsresult rv = SetRowSpan(MOZ_KnownLive(cellData.mElement),- cellData.mRowSpan - rowsReduced);+ nsresult rv =+ SetRowSpan(cellData.mElement, cellData.mRowSpan - rowsReduced); if (NS_FAILED(rv)) { NS_WARNING("HTMLEditor::SetRawSpan() failed"); return rv;@@ -3285,8 +3276,8 @@ // not found a cell. Fix this later. if (cellData.mElement && cellData.mColSpan > 0 && !cellData.IsSpannedFromOtherRowOrColumn()) {- nsresult rv = SetColSpan(MOZ_KnownLive(cellData.mElement),- cellData.mColSpan - colsReduced);+ nsresult rv =+ SetColSpan(cellData.mElement, cellData.mColSpan - colsReduced); if (NS_FAILED(rv)) { NS_WARNING("HTMLEditor::SetColSpan() failed"); return rv;
Based on the provided diff, I'll analyze the changes for security fixes:
1. First vulnerability analysis (rust/num_cpus/.cargo-checksum.json):
Vulnerability Existed: not sure
[No specific vulnerability identified] [third_party/rust/num_cpus/.cargo-checksum.json] [Entire file]
[Old checksums and package hash]
[New checksums and package hash]
Note: This appears to be a dependency version update with new checksums, but without more context about the vulnerabilities fixed in the new version, I can't be certain.
2. Second vulnerability analysis (HTMLTableEditor.cpp):
Vulnerability Existed: yes
[Potential Use-After-Free] [editor/libeditor/HTMLTableEditor.cpp] [Multiple locations]
[Old Code using MOZ_KnownLive wrapper]
[Fixed Code removing MOZ_KnownLive wrapper]
Note: The changes involve removing MOZ_KnownLive wrappers around RefPtr usage, suggesting potential fixes for use-after-free vulnerabilities by ensuring proper reference counting. The changes are widespread throughout the file, affecting many method calls.
3. Third vulnerability analysis (HTMLTableEditor.cpp):
Vulnerability Existed: yes
[Lifetime Management Improvement] [editor/libeditor/HTMLTableEditor.cpp] [49-66]
[Old Code: Plain RefPtr members]
[Fixed Code: MOZ_KNOWN_LIVE RefPtr members]
Note: The class member variables were changed to explicitly mark their lifetimes, suggesting fixes for potential lifetime management issues.
The main security focus appears to be on fixing potential use-after-free vulnerabilities and improving lifetime management of RefPtr objects in the HTML table editor. The changes involve both adding and removing MOZ_KnownLive annotations in appropriate places to ensure proper reference counting.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.5arg.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.5arg.html@@ -18,8 +18,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -49,10 +49,10 @@ ctx.drawImage(bitmap1, 0, 0, 50, 50); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 50, 50);- _assertPixelApprox(offscreenCanvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255", 2); }, t_fail); }).then(t_pass, t_fail);
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic, renaming a variable from `offscreenCanvas` to `canvas` for consistency or clarity. Here's the analysis: 1. Vulnerability Existed: no No security vulnerability found File: testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.5arg.html Lines: Changed variable name throughout the file Old Code: `var offscreenCanvas = new OffscreenCanvas(100, 50);` Fixed Code: `var canvas = new OffscreenCanvas(100, 50);` 2. Vulnerability Existed: no No security vulnerability found File: testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.5arg.html Lines: Changed references to the renamed variable Old Code: `_assertPixelApprox(offscreenCanvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255", 2);` Fixed Code: `_assertPixelApprox(canvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255", 2);` The changes are purely variable name refactoring and don't appear to address any security issues. No known vulnerabilities are being patched in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/gc/AtomMarking-inl.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/gc/AtomMarking-inl.h@@ -36,7 +36,7 @@ js::gc::TenuredCell* cell = &thing->asTenured(); MOZ_ASSERT(cell->zoneFromAnyThread()->isAtomsZone());- // The context's zone will be null during initialization of the runtime.+ // The embedding is allowed to atomize during initialization. if (!cx->zone()) { return true; }
Analysis of the code diff:
1. Vulnerability Existed: not sure
[Potential Initialization Race Condition] [js/src/gc/AtomMarking-inl.h] [Lines 36-39]
[Old Code]
```cpp
// The context's zone will be null during initialization of the runtime.
if (!cx->zone()) {
return true;
}
```
[Fixed Code]
```cpp
// The embedding is allowed to atomize during initialization.
if (!cx->zone()) {
return true;
}
```
Additional Details:
- The change appears to be more of a comment/clarification update rather than a security fix
- The actual logic remains the same, only the explanatory comment changed
- The old comment suggested this was only for runtime initialization, while the new comment broadens the scope to embedding initialization
- Without more context about the initialization process and potential race conditions, it's hard to determine if this was fixing an actual vulnerability
- The change might be related to making the behavior more clearly documented rather than fixing a specific vulnerability
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit/mips64/Trampoline-mips64.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit/mips64/Trampoline-mips64.cpp@@ -873,12 +873,7 @@ break; case Type_Double:- if (JitOptions.supportsFloatingPoint) {- masm.as_ldc1(ReturnDoubleReg, StackPointer, 0);- } else {- masm.assumeUnreachable(- "Unable to load into float reg, with no FP support.");- }+ masm.as_ldc1(ReturnDoubleReg, StackPointer, 0); masm.freeStack(sizeof(double)); break;@@ -919,13 +914,8 @@ masm.pop(temp1); LiveRegisterSet save;- if (JitOptions.supportsFloatingPoint) {- save.set() = RegisterSet(GeneralRegisterSet(Registers::VolatileMask),- FloatRegisterSet(FloatRegisters::VolatileMask));- } else {- save.set() = RegisterSet(GeneralRegisterSet(Registers::VolatileMask),- FloatRegisterSet());- }+ save.set() = RegisterSet(GeneralRegisterSet(Registers::VolatileMask),+ FloatRegisterSet(FloatRegisters::VolatileMask)); save.add(ra); masm.PushRegsInMask(save);
I'll analyze the provided code diff for security fixes following the specified format.
1. First change analysis:
Vulnerability Existed: not sure
[Potential FPU Handling Issue] [js/src/jit/mips64/Trampoline-mips64.cpp] [Lines 873-880]
[Old Code]
case Type_Double:
if (JitOptions.supportsFloatingPoint) {
masm.as_ldc1(ReturnDoubleReg, StackPointer, 0);
} else {
masm.assumeUnreachable(
"Unable to load into float reg, with no FP support.");
}
[Fixed Code]
case Type_Double:
masm.as_ldc1(ReturnDoubleReg, StackPointer, 0);
2. Second change analysis:
Vulnerability Existed: not sure
[Potential Register Set Initialization Issue] [js/src/jit/mips64/Trampoline-mips64.cpp] [Lines 919-926]
[Old Code]
if (JitOptions.supportsFloatingPoint) {
save.set() = RegisterSet(GeneralRegisterSet(Registers::VolatileMask),
FloatRegisterSet(FloatRegisters::VolatileMask));
} else {
save.set() = RegisterSet(GeneralRegisterSet(Registers::VolatileMask),
FloatRegisterSet());
}
[Fixed Code]
save.set() = RegisterSet(GeneralRegisterSet(Registers::VolatileMask),
FloatRegisterSet(FloatRegisters::VolatileMask));
Notes:
- The changes remove conditional checks for floating-point support (JitOptions.supportsFloatingPoint)
- This suggests the code now assumes FPU support is always available
- Without more context about the build configuration or platform requirements, it's hard to determine if this was a security fix or just a simplification
- If FPU support wasn't guaranteed on all target platforms, this could potentially lead to crashes or undefined behavior, but not necessarily a security vulnerability
- No specific vulnerability names can be identified from these changes alone
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/base/BodyStream.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/base/BodyStream.h@@ -9,6 +9,10 @@ #include "jsapi.h" #include "js/Stream.h"+#include "mozilla/AlreadyAddRefed.h"+#ifdef MOZ_DOM_STREAMS+# include "mozilla/dom/BindingDeclarations.h"+#endif #include "nsIAsyncInputStream.h" #include "nsCycleCollectionParticipant.h" #include "nsIObserver.h"@@ -28,9 +32,20 @@ class BodyStream; class WeakWorkerRef;+class ReadableStream;+#ifdef MOZ_DOM_STREAMS+class ReadableStreamController;+#endif++class BodyStreamUnderlyingSourcePullCallbackHelper;+class BodyStreamUnderlyingSourceCancelCallbackHelper;+class BodyStreamUnderlyingSourceErrorCallbackHelper; class BodyStreamHolder : public nsISupports { friend class BodyStream;+ friend class BodyStreamUnderlyingSourcePullCallbackHelper;+ friend class BodyStreamUnderlyingSourceCancelCallbackHelper;+ friend class BodyStreamUnderlyingSourceErrorCallbackHelper; public: NS_DECL_CYCLE_COLLECTING_ISUPPORTS@@ -42,20 +57,36 @@ virtual void MarkAsRead() = 0;+#ifndef MOZ_DOM_STREAMS virtual void SetReadableStreamBody(JSObject* aBody) = 0;- virtual JSObject* GetReadableStreamBody() = 0;+#else+ virtual void SetReadableStreamBody(ReadableStream* aBody) = 0;+ virtual ReadableStream* GetReadableStreamBody() = 0;+#endif protected: virtual ~BodyStreamHolder() = default; private: void StoreBodyStream(BodyStream* aBodyStream);+#ifdef MOZ_DOM_STREAMS+ already_AddRefed<BodyStream> TakeBodyStream() {+ MOZ_ASSERT_IF(mStreamCreated, mBodyStream);+ return mBodyStream.forget();+ }+#else void ForgetBodyStream();-+#endif+ BodyStream* GetBodyStream() { return mBodyStream; }++#ifdef MOZ_DOM_STREAMS+ RefPtr<BodyStream> mBodyStream;+#else // Raw pointer because BodyStream keeps BodyStreamHolder alive and it // nullifies this stream before being released. BodyStream* mBodyStream;+#endif #ifdef DEBUG bool mStreamCreated = false;@@ -64,8 +95,12 @@ class BodyStream final : public nsIInputStreamCallback, public nsIObserver,- public nsSupportsWeakReference,- private JS::ReadableStreamUnderlyingSource {+ public nsSupportsWeakReference+#ifndef MOZ_DOM_STREAMS+ ,+ private JS::ReadableStreamUnderlyingSource+#endif+{ friend class BodyStreamHolder; public:@@ -75,20 +110,26 @@ // This method creates a JS ReadableStream object and it assigns it to the // aStreamHolder calling SetReadableStreamBody().+ MOZ_CAN_RUN_SCRIPT_BOUNDARY static void Create(JSContext* aCx, BodyStreamHolder* aStreamHolder, nsIGlobalObject* aGlobal, nsIInputStream* aInputStream, ErrorResult& aRv); void Close();+#ifdef MOZ_DOM_STREAMS+ static nsresult RetrieveInputStream(BodyStreamHolder* aStream,+ nsIInputStream** aInputStream);+#else static nsresult RetrieveInputStream( JS::ReadableStreamUnderlyingSource* aUnderlyingReadableStreamSource, nsIInputStream** aInputStream);+#endif private: BodyStream(nsIGlobalObject* aGlobal, BodyStreamHolder* aStreamHolder, nsIInputStream* aInputStream);- ~BodyStream();+ ~BodyStream() = default; #ifdef DEBUG void AssertIsOnOwningThread();@@ -96,6 +137,40 @@ void AssertIsOnOwningThread() {} #endif+#ifdef MOZ_DOM_STREAMS+ public:+ // Cancel Callback+ already_AddRefed<Promise> CancelCallback(+ JSContext* aCx, const Optional<JS::Handle<JS::Value>>& aReason,+ ErrorResult& aRv);++ // Pull Callback+ already_AddRefed<Promise> PullCallback(JSContext* aCx,+ ReadableStreamController& aController,+ ErrorResult& aRv);++ void ErrorCallback();++ private:+ // Fills a buffer with bytes from the stream.+ void WriteIntoReadRequestBuffer(JSContext* aCx, ReadableStream* aStream,+ void* aBuffer, size_t aLength,+ size_t* aByteWritten);++ // This is a script boundary until Bug 1750605 is resolved and allows us+ // to replace this with MOZ_CAN_RUN_SCRIPT.+ MOZ_CAN_RUN_SCRIPT_BOUNDARY void EnqueueChunkWithSizeIntoStream(+ JSContext* aCx, ReadableStream* aStream, uint64_t bytes,+ ErrorResult& aRv);++ void ErrorPropagation(JSContext* aCx, const MutexAutoLock& aProofOfLock,+ ReadableStream* aStream, nsresult aRv);++ // TODO: convert this to MOZ_CAN_RUN_SCRIPT (bug 1750605)+ MOZ_CAN_RUN_SCRIPT_BOUNDARY void CloseAndReleaseObjects(+ JSContext* aCx, const MutexAutoLock& aProofOfLock,+ ReadableStream* aStream);+#else void requestData(JSContext* aCx, JS::HandleObject aStream, size_t aDesiredSize) override;@@ -117,7 +192,8 @@ JS::HandleObject aStream, nsresult aRv); void CloseAndReleaseObjects(JSContext* aCx, const MutexAutoLock& aProofOfLock,- JS::HandleObject aSteam);+ JS::HandleObject aStream);+#endif class WorkerShutdown;
I'll analyze the provided code diff for security fixes following the specified format.
1. First vulnerability analysis:
Vulnerability Existed: not sure
Potential Memory Management Issue [File] dom/base/BodyStream.h [Lines 28-32, 42-47, 71-83]
[Old Code]
BodyStream* mBodyStream; // Raw pointer
void ForgetBodyStream();
[Fixed Code]
RefPtr<BodyStream> mBodyStream; // With MOZ_DOM_STREAMS
already_AddRefed<BodyStream> TakeBodyStream();
Additional Details: The change from raw pointer to RefPtr suggests possible memory management improvements, but without more context about the usage patterns, it's unclear if this was fixing an actual vulnerability or just improving code safety.
2. Second vulnerability analysis:
Vulnerability Existed: not sure
Potential Stream Handling Issue [File] dom/base/BodyStream.h [Lines 64-68, 137-192]
[Old Code]
Single implementation using JS::ReadableStreamUnderlyingSource
[Fixed Code]
Dual implementation with MOZ_DOM_STREAMS conditional compilation
Added new callback helper classes and methods
Additional Details: The extensive changes to stream handling suggest possible security improvements in stream processing, but the diff doesn't show specific vulnerabilities being fixed. The addition of explicit callback handlers and error propagation methods suggests more robust error handling.
3. Third vulnerability analysis:
Vulnerability Existed: not sure
Potential Resource Cleanup Issue [File] dom/base/BodyStream.h [Lines 129-130]
[Old Code]
~BodyStream();
[Fixed Code]
~BodyStream() = default;
Additional Details: The change in destructor behavior could indicate fixes for resource cleanup issues, but without seeing the original destructor implementation, it's impossible to determine if this was fixing a vulnerability.
Note: While there are significant architectural changes in the code, the diff doesn't provide enough context to identify specific vulnerabilities that were fixed. The changes appear to be more about improving code structure and safety rather than fixing identified security issues.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.cone.front.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.cone.front.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -27,15 +27,15 @@ g.addColorStop(1, '#0f0'); ctx.fillStyle = g; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,1, 0,255,0,255, "50,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,25, 0,255,0,255, "98,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,48, 0,255,0,255, "50,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 50,1, 0,255,0,255, "50,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 98,25, 0,255,0,255, "98,25", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 50,48, 0,255,0,255, "50,48", "0,255,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be purely cosmetic, renaming a variable for better consistency or readability. Here's the analysis following your requested format:
Vulnerability Existed: no
Variable Renaming [File] [Lines 17-18, 27-35]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, ...);
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, ...);
Additional Details:
- The changes only involve renaming the variable from `offscreenCanvas` to `canvas`
- All functionality remains exactly the same
- No security implications in this change
- This appears to be part of code standardization rather than a security fix
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.fill.maxWidth.bound.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.fill.maxWidth.bound.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var f = new FontFace("CanvasTest", "url('/fonts/CanvasTest.ttf')"); let fonts = (self.fonts ? self.fonts : document.fonts);@@ -26,10 +26,10 @@ ctx.fillRect(0, 0, 100, 50); ctx.fillStyle = '#0f0'; ctx.fillText('DD', 0, 37.5, 100);- _assertPixelApprox(offscreenCanvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 95,5, 0,255,0,255, "95,5", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 95,5, 0,255,0,255, "95,5", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2); }).then(t_pass, t_fail); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and corresponding updates to the assertions. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-26]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixelApprox(offscreenCanvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixelApprox(canvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);
The changes are purely cosmetic/refactoring in nature and don't address any security issues. The functionality remains exactly the same, only the variable name has been changed for consistency or clarity.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wgpu-core/src/command/memory_init.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wgpu-core/src/command/memory_init.rs@@ -3,17 +3,16 @@ use hal::CommandEncoder; use crate::{- command::collect_zero_buffer_copies_for_clear_texture, device::Device, hub::Storage, id::{self, TextureId}, init_tracker::*, resource::{Buffer, Texture},- track::{ResourceTracker, TextureSelector, TextureState, TrackerSet},+ track::{ResourceTracker, TextureState, TrackerSet}, FastHashMap, };-use super::{BakedCommands, DestroyedBufferError, DestroyedTextureError};+use super::{clear::clear_texture, BakedCommands, DestroyedBufferError, DestroyedTextureError}; /// Surface that was discarded by `StoreOp::Discard` of a preceding renderpass. /// Any read access to this surface needs to be preceded by a texture initialization.@@ -103,13 +102,13 @@ // Shortcut for register_init_action when it is known that the action is an implicit init, not requiring any immediate resource init. pub(crate) fn register_implicit_init<A: hal::Api>( &mut self,- id: TextureId,+ id: id::Valid<TextureId>, range: TextureInitRange, texture_guard: &Storage<Texture<A>, TextureId>, ) { let must_be_empty = self.register_init_action( &TextureInitTrackerAction {- id,+ id: id.0, range, kind: MemoryInitKind::ImplicitlyInitialized, },@@ -119,7 +118,7 @@ } }-// Utility function that takes discarded surfaces from register_init_action and initializes them on the spot.+// Utility function that takes discarded surfaces from (several calls to) register_init_action and initializes them on the spot. // Takes care of barriers as well! pub(crate) fn fixup_discarded_surfaces< A: hal::Api,@@ -131,43 +130,19 @@ texture_tracker: &mut ResourceTracker<TextureState>, device: &Device<A>, ) {- let mut zero_buffer_copy_regions = Vec::new(); for init in inits {- let mip_range = init.mip_level..(init.mip_level + 1);- let layer_range = init.layer..(init.layer + 1);-- let (texture, pending) = texture_tracker- .use_replace(- &*texture_guard,- init.texture,- TextureSelector {- levels: mip_range.clone(),- layers: layer_range.clone(),- },- hal::TextureUses::COPY_DST,- )- .unwrap();-- collect_zero_buffer_copies_for_clear_texture(- &texture.desc,- device.alignments.buffer_copy_pitch.get() as u32,- mip_range,- layer_range,- &mut zero_buffer_copy_regions,- );-- let barriers = pending.map(|pending| pending.into_hal(texture));- let raw_texture = texture.inner.as_raw().unwrap();-- unsafe {- // TODO: Should first gather all barriers, do a single transition_textures call, and then send off copy_buffer_to_texture commands.- encoder.transition_textures(barriers);- encoder.copy_buffer_to_texture(- &device.zero_buffer,- raw_texture,- zero_buffer_copy_regions.drain(..),- );- }+ clear_texture(+ id::Valid(init.texture),+ texture_guard.get(init.texture).unwrap(),+ TextureInitRange {+ mip_range: init.mip_level..(init.mip_level + 1),+ layer_range: init.layer..(init.layer + 1),+ },+ encoder,+ texture_tracker,+ device,+ )+ .unwrap(); } }@@ -285,65 +260,28 @@ } } MemoryInitKind::NeedsInitializedMemory => {- ranges.clear(); for (mip_level, mip_tracker) in affected_mip_trackers { for layer_range in mip_tracker.drain(use_range.layer_range.clone()) { ranges.push(TextureInitRange {- mip_range: mip_level as u32..(mip_level as u32 + 1),+ mip_range: (mip_level as u32)..(mip_level as u32 + 1), layer_range,- })+ }); } }-- let raw_texture = texture- .inner- .as_raw()- .ok_or(DestroyedTextureError(texture_use.id))?;-- let mut texture_barriers = Vec::new();- let mut zero_buffer_copy_regions = Vec::new();- for range in &ranges {- // Don't do use_replace since the texture may already no longer have a ref_count.- // However, we *know* that it is currently in use, so the tracker must already know about it.- texture_barriers.extend(- device_tracker- .textures- .change_replace_tracked(- id::Valid(texture_use.id),- TextureSelector {- levels: range.mip_range.clone(),- layers: range.layer_range.clone(),- },- hal::TextureUses::COPY_DST,- )- .map(|pending| pending.into_hal(texture)),- );-- collect_zero_buffer_copies_for_clear_texture(- &texture.desc,- device.alignments.buffer_copy_pitch.get() as u32,- range.mip_range.clone(),- range.layer_range.clone(),- &mut zero_buffer_copy_regions,- );- }-- if !zero_buffer_copy_regions.is_empty() {- debug_assert!(texture.hal_usage.contains(hal::TextureUses::COPY_DST),- "Texture needs to have the COPY_DST flag. Otherwise we can't ensure initialized memory!");- unsafe {- // TODO: Could safe on transition_textures calls by bundling barriers from *all* textures.- // (a bbit more tricky because a naive approach would have to borrow same texture several times then)- self.encoder- .transition_textures(texture_barriers.into_iter());- self.encoder.copy_buffer_to_texture(- &device.zero_buffer,- raw_texture,- zero_buffer_copy_regions.into_iter(),- );- }- }- }+ }+ }++ // TODO: Could we attempt some range collapsing here?+ for range in ranges.drain(..) {+ clear_texture(+ id::Valid(texture_use.id),+ &*texture,+ range,+ &mut self.encoder,+ &mut device_tracker.textures,+ device,+ )+ .unwrap(); } }
Here's the security analysis following the requested format:
1. Vulnerability Existed: yes
Improper Resource Validation [third_party/rust/wgpu-core/src/command/memory_init.rs] [Lines 103-118]
[Old Code]
```rust
pub(crate) fn register_implicit_init<A: hal::Api>(
&mut self,
id: TextureId,
range: TextureInitRange,
texture_guard: &Storage<Texture<A>, TextureId>,
) {
let must_be_empty = self.register_init_action(
&TextureInitTrackerAction {
id,
range,
kind: MemoryInitKind::ImplicitlyInitialized,
},
texture_guard,
);
debug_assert!(must_be_empty);
}
```
[Fixed Code]
```rust
pub(crate) fn register_implicit_init<A: hal::Api>(
&mut self,
id: id::Valid<TextureId>,
range: TextureInitRange,
texture_guard: &Storage<Texture<A>, TextureId>,
) {
let must_be_empty = self.register_init_action(
&TextureInitTrackerAction {
id: id.0,
range,
kind: MemoryInitKind::ImplicitlyInitialized,
},
texture_guard,
);
debug_assert!(must_be_empty);
}
```
The fix adds validation by using `id::Valid<TextureId>` instead of raw `TextureId`, ensuring the texture ID is valid before use.
2. Vulnerability Existed: yes
Potential Memory Safety Issue [third_party/rust/wgpu-core/src/command/memory_init.rs] [Lines 131-190]
[Old Code]
```rust
let mut zero_buffer_copy_regions = Vec::new();
for init in inits {
let mip_range = init.mip_level..(init.mip_level + 1);
let layer_range = init.layer..(init.layer + 1);
let (texture, pending) = texture_tracker
.use_replace(
&*texture_guard,
init.texture,
TextureSelector {
levels: mip_range.clone(),
layers: layer_range.clone(),
},
hal::TextureUses::COPY_DST,
)
.unwrap();
collect_zero_buffer_copies_for_clear_texture(
&texture.desc,
device.alignments.buffer_copy_pitch.get() as u32,
mip_range,
layer_range,
&mut zero_buffer_copy_regions,
);
let barriers = pending.map(|pending| pending.into_hal(texture));
let raw_texture = texture.inner.as_raw().unwrap();
unsafe {
encoder.transition_textures(barriers);
encoder.copy_buffer_to_texture(
&device.zero_buffer,
raw_texture,
zero_buffer_copy_regions.drain(..),
);
}
}
```
[Fixed Code]
```rust
for init in inits {
clear_texture(
id::Valid(init.texture),
texture_guard.get(init.texture).unwrap(),
TextureInitRange {
mip_range: init.mip_level..(init.mip_level + 1),
layer_range: init.layer..(init.layer + 1),
},
encoder,
texture_tracker,
device,
)
.unwrap();
}
```
The fix replaces unsafe manual texture clearing operations with a safer `clear_texture` function that properly validates and handles the operation.
3. Vulnerability Existed: yes
Potential Use-After-Free [third_party/rust/wgpu-core/src/command/memory_init.rs] [Lines 285-343]
[Old Code]
```rust
MemoryInitKind::NeedsInitializedMemory => {
ranges.clear();
for (mip_level, mip_tracker) in affected_mip_trackers {
for layer_range in mip_tracker.drain(use_range.layer_range.clone()) {
ranges.push(TextureInitRange {
mip_range: mip_level as u32..(mip_level as u32 + 1),
layer_range,
})
}
}
let raw_texture = texture
.inner
.as_raw()
.ok_or(DestroyedTextureError(texture_use.id))?;
let mut texture_barriers = Vec::new();
let mut zero_buffer_copy_regions = Vec::new();
for range in &ranges {
texture_barriers.extend(
device_tracker
.textures
.change_replace_tracked(
id::Valid(texture_use.id),
TextureSelector {
levels: range.mip_range.clone(),
layers: range.layer_range.clone(),
},
hal::TextureUses::COPY_DST,
)
.map(|pending| pending.into_hal(texture)),
);
collect_zero_buffer_copies_for_clear_texture(
&texture.desc,
device.alignments.buffer_copy_pitch.get() as u32,
range.mip_range.clone(),
range.layer_range.clone(),
&mut zero_buffer_copy_regions,
);
}
if !zero_buffer_copy_regions.is_empty() {
unsafe {
self.encoder
.transition_textures(texture_barriers.into_iter());
self.encoder.copy_buffer_to_texture(
&device.zero_buffer,
raw_texture,
zero_buffer_copy_regions.into_iter(),
);
}
}
}
```
[Fixed Code]
```rust
MemoryInitKind::NeedsInitializedMemory => {
for (mip_level, mip_tracker) in affected_mip_trackers {
for layer_range in mip_tracker.drain(use_range.layer_range.clone()) {
ranges.push(TextureInitRange {
mip_range: (mip_level as u32)..(mip_level as u32 + 1),
layer_range,
});
}
}
}
for range in ranges.drain(..) {
clear_texture(
id::Valid(texture_use.id),
&*texture,
range,
&mut self.encoder,
&mut device_tracker.textures,
device,
)
.unwrap();
}
```
The fix replaces unsafe manual texture operations with a validated `clear_texture` function, reducing the risk of use-after-free and other memory safety issues.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.scale1.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.scale1.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -32,15 +32,15 @@ ctx.strokeStyle = '#f00'; ctx.stroke(); ctx.restore();-_assertPixel(offscreenCanvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,0, 0,255,0,255, "50,0", "0,255,0,255");-_assertPixel(offscreenCanvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255");-_assertPixel(offscreenCanvas, 0,25, 0,255,0,255, "0,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 99,25, 0,255,0,255, "99,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,49, 0,255,0,255, "50,49", "0,255,0,255");-_assertPixel(offscreenCanvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255");+_assertPixel(canvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255");+_assertPixel(canvas, 50,0, 0,255,0,255, "50,0", "0,255,0,255");+_assertPixel(canvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255");+_assertPixel(canvas, 0,25, 0,255,0,255, "0,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 99,25, 0,255,0,255, "99,25", "0,255,0,255");+_assertPixel(canvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255");+_assertPixel(canvas, 50,49, 0,255,0,255, "50,49", "0,255,0,255");+_assertPixel(canvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and updating the corresponding references in the `_assertPixel` calls. Here's the analysis:
Vulnerability Existed: no
No Security Vulnerability Found [File] [Lines 13-32]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255");
...
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255");
...
The changes are purely cosmetic/refactoring in nature and don't address any security issues. The functionality remains exactly the same, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.gradient.alpha.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.gradient.alpha.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var gradient = ctx.createLinearGradient(0, 0, 100, 0); gradient.addColorStop(0, 'rgba(255,0,0,0.5)');@@ -29,7 +29,7 @@ ctx.shadowColor = '#00f'; ctx.fillStyle = gradient; ctx.fillRect(0, -50, 100, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2);+_assertPixelApprox(canvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring, renaming a variable from `offscreenCanvas` to `canvas` for consistency or clarity. Here's the analysis following your format:
Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.gradient.alpha.html] [Lines 17-29]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixelApprox(offscreenCanvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixelApprox(canvas, 50,25, 127,0,127,255, "50,25", "127,0,127,255", 2);
The changes don't affect security, functionality, or introduce any security-related fixes. It's simply a variable name change that doesn't impact the behavior of the code.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsla-3.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsla-3.worker.js@@ -13,14 +13,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'hsla(0, 100% 50%)'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
No security vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-hsla-3.worker.js [Lines] 13-21
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes appear to be purely variable renaming (from 'offscreenCanvas' to 'canvas') and don't indicate any security fixes. The functionality remains the same, and there are no security-related patterns being modified in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-contain/contain-paint-cell-002.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-contain/contain-paint-cell-002.html@@ -9,7 +9,6 @@ <link rel="match" href="reference/contain-paint-047-ref.html"> <meta content="This test checks that the paint containment applies to table-cell elements. Therefore the content of the table-cell element should be clipped to the padding edge of its principal box." name="assert">- <meta name="flags" content=""> <style> table
Based on the provided code diff, here's the analysis: Vulnerability Existed: no [No specific vulnerability] [testing/web-platform/tests/css/css-contain/contain-paint-cell-002.html] [Lines 9] [Old Code] `<meta name="flags" content="">` [Fixed Code] [Removed line] Additional Details: The change simply removes an empty meta tag that wasn't serving any purpose. There's no security vulnerability being fixed here - this appears to be a minor cleanup of test file metadata. The "flags" meta tag was empty and likely unnecessary for the test's operation. This doesn't represent a security fix but rather a minor code improvement.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/src/components/Editor/menus/editor.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/src/components/Editor/menus/editor.js@@ -9,6 +9,7 @@ getRawSourceURL, getFilename, shouldBlackbox,+ findBlackBoxRange, } from "../../../utils/source"; import { toSourceLine } from "../../../utils/editor"; import { downloadFile } from "../../../utils/utils";@@ -90,27 +91,75 @@ disabled: !shouldBlackbox(selectedSource), click: () => editorActions.toggleBlackBox(cx, selectedSource), });-/**- * Checks if a blackbox range exist for the line range.- * That is if any start and end lines overlap any of the- * blackbox ranges- *- * @param {Object} source - The current selected source- * @param {Object} blackboxedRanges - the store of blackboxedRanges- * @param {Object} line - The start and end line range- */-function findBlackBoxRange(source, blackboxedRanges, line) {- const ranges = blackboxedRanges[source.url];- if (!ranges || !ranges.length) {- return null;- }-- return ranges.find(- range =>- (line.start >= range.start.line && line.start <= range.end.line) ||- (line.end >= range.start.line && line.end <= range.end.line)- );-}++export const blackBoxLineMenuItem = (+ cx,+ selectedSource,+ editorActions,+ editor,+ blackboxedRanges,+ // the clickedLine is passed when the context menu+ // is opened from the gutter, it is not available when the+ // the context menu is opened from the editor.+ clickedLine = null+) => {+ const { codeMirror } = editor;+ const from = codeMirror.getCursor("from");+ const to = codeMirror.getCursor("to");++ const startLine = clickedLine ?? toSourceLine(selectedSource.id, from.line);+ const endLine = clickedLine ?? toSourceLine(selectedSource.id, to.line);++ const blackboxRange = findBlackBoxRange(selectedSource, blackboxedRanges, {+ start: startLine,+ end: endLine,+ });++ const selectedLineIsBlackBoxed = !!blackboxRange;++ const isSingleLine = selectedLineIsBlackBoxed+ ? blackboxRange.start.line == blackboxRange.end.line+ : startLine == endLine;++ // The ignore/unignore line context menu item should be disabled when+ // 1) The whole source is blackboxed or+ // 2) Multiple lines are blackboxed or+ // 3) Multiple lines are selected in the editor+ const shouldDisable =+ (selectedSource.isBlackBoxed &&+ !blackboxedRanges[selectedSource.url].length) ||+ !isSingleLine;++ return {+ id: "node-menu-blackbox-line",+ label: !selectedLineIsBlackBoxed+ ? L10N.getStr("ignoreContextItem.ignoreLine")+ : L10N.getStr("ignoreContextItem.unignoreLine"),+ accesskey: !selectedLineIsBlackBoxed+ ? L10N.getStr("ignoreContextItem.ignoreLine.accesskey")+ : L10N.getStr("ignoreContextItem.unignoreLine.accesskey"),+ disabled: shouldDisable,+ click: () => {+ const selectionRange = {+ start: {+ line: startLine,+ column: clickedLine == null ? from.ch : 0,+ },+ end: {+ line: endLine,+ column: clickedLine == null ? to.ch : 0,+ },+ };++ editorActions.toggleBlackBox(+ cx,+ selectedSource,+ !selectedLineIsBlackBoxed,+ selectedLineIsBlackBoxed ? [blackboxRange] : [selectionRange]+ );+ },+ };+}; const blackBoxLinesMenuItem = ( cx,@@ -126,23 +175,22 @@ const startLine = toSourceLine(selectedSource.id, from.line); const endLine = toSourceLine(selectedSource.id, to.line);- const shouldDisable =- selectedSource.isBlackBoxed && !blackboxedRanges[selectedSource.url].length;- const blackboxRange = findBlackBoxRange(selectedSource, blackboxedRanges, { start: startLine, end: endLine, });+ const selectedLinesAreBlackBoxed = !!blackboxRange;+ return { id: "node-menu-blackbox-lines",- label: !blackboxRange+ label: !selectedLinesAreBlackBoxed ? L10N.getStr("ignoreContextItem.ignoreLines") : L10N.getStr("ignoreContextItem.unignoreLines"),- accesskey: !blackboxRange+ accesskey: !selectedLinesAreBlackBoxed ? L10N.getStr("ignoreContextItem.ignoreLines.accesskey") : L10N.getStr("ignoreContextItem.unignoreLines.accesskey"),- disabled: shouldDisable,+ disabled: false, click: () => { const selectionRange = { start: {@@ -156,15 +204,13 @@ }; // removes the current selection- editor.codeMirror.replaceSelection(- editor.codeMirror.getSelection(),- "start"- );+ codeMirror.replaceSelection(codeMirror.getSelection(), "start");+ editorActions.toggleBlackBox( cx, selectedSource,- !blackboxRange,- blackboxRange ? [blackboxRange] : [selectionRange]+ !selectedLinesAreBlackBoxed,+ selectedLinesAreBlackBoxed ? [blackboxRange] : [selectionRange] ); }, };@@ -262,15 +308,44 @@ ); if (features.blackboxLines) {- items.push(- blackBoxLinesMenuItem(- cx,- selectedSource,- editorActions,- editor,- blackboxedRanges- )+ const startLine = toSourceLine(+ selectedSource.id,+ editor.codeMirror.getCursor("from").line );+ const endLine = toSourceLine(+ selectedSource.id,+ editor.codeMirror.getCursor("to").line+ );++ // Find any blackbox ranges that exist for the selected lines+ const blackboxRange = findBlackBoxRange(selectedSource, blackboxedRanges, {+ start: startLine,+ end: endLine,+ });++ const isMultiLineSelection = blackboxRange+ ? blackboxRange.start.line !== blackboxRange.end.line+ : startLine !== endLine;++ const theWholeSourceIsBlackBoxed =+ selectedSource.isBlackBoxed &&+ !blackboxedRanges[selectedSource.url].length;++ if (!theWholeSourceIsBlackBoxed) {+ const blackBoxSourceLinesMenuItem = isMultiLineSelection+ ? blackBoxLinesMenuItem+ : blackBoxLineMenuItem;++ items.push(+ blackBoxSourceLinesMenuItem(+ cx,+ selectedSource,+ editorActions,+ editor,+ blackboxedRanges+ )+ );+ } } if (isTextSelected) {
Based on the provided code diff, I'll analyze it for security vulnerabilities: 1. Vulnerability Existed: no No specific security vulnerabilities were introduced or fixed in this diff. The changes appear to be functional improvements to the blackboxing feature in the debugger's editor menu. 2. Vulnerability Existed: not sure Potential Information Exposure [File] editor.js [Lines] Various The changes involve better handling of blackboxed ranges in the debugger, which could potentially relate to how debug information is exposed. However, this appears to be a functional improvement rather than a security fix. The main changes in this diff are: 1. Moving the `findBlackBoxRange` function to be imported from utils/source 2. Adding a new `blackBoxLineMenuItem` function for handling single-line blackboxing 3. Modifying `blackBoxLinesMenuItem` to handle multi-line blackboxing 4. Updating the menu item creation logic to properly handle both single and multi-line cases These changes appear to be feature improvements and bug fixes rather than security vulnerability patches. The code maintains proper checks for blackboxed ranges and source validity throughout.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.