Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/tools/yaml/element/filters.yaml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/tools/yaml/element/filters.yaml@@ -313,3 +313,112 @@ ctx.fillRect(0, 0, 10, 10); _assertPixelApprox(canvas, 5, 5, outputColor[0],outputColor[1],outputColor[2],255, "5,5", `${outputColor[0]},${outputColor[1]},${outputColor[2]}`, 2); }++- name: 2d.filter.canvasFilterObject.turbulence.inputTypes+ desc: Test exceptions on CanvasFilter() turbulence object+ code: |+ const errorTestCases = [+ {baseFrequency: {}},+ {baseFrequency: -1},+ {baseFrequency: [0, -1]},+ {baseFrequency: NaN},+ {baseFrequency: Infinity},+ {baseFrequency: undefined},+ {baseFrequency: -Infinity},+ {baseFrequency: "test"},++ {numOctaves: {}},+ {numOctaves: -1},+ {numOctaves: NaN},+ {numOctaves: Infinity},+ {numOctaves: undefined},+ {numOctaves: -Infinity},+ {numOctaves: [1, 1]},+ {numOctaves: "test"},++ {seed: {}},+ {seed: NaN},+ {seed: Infinity},+ {seed: undefined},+ {seed: -Infinity},+ {seed: [1, 1]},+ {seed: "test"},++ {stitchTiles: {}},+ {stitchTiles: NaN},+ {stitchTiles: Infinity},+ {stitchTiles: undefined},+ {stitchTiles: -Infinity},+ {stitchTiles: [1, 1]},+ {stitchTiles: "test"},+ {stitchTiles: null},+ {stitchTiles: []},+ {stitchTiles: [10]},+ {stitchTiles: 30},+ {stitchTiles: false},+ {stitchTiles: true},+ {stitchTiles: "10"},+ {stitchTiles: -1},++ {type: {}},+ {type: NaN},+ {type: Infinity},+ {type: undefined},+ {type: -Infinity},+ {type: [1, 1]},+ {type: "test"},+ {type: null},+ {type: []},+ {type: [10]},+ {type: 30},+ {type: false},+ {type: true},+ {type: "10"},+ {type: -1},+ ]++ // null and [] = 0 when parsed as number+ const workingTestCases = [+ {baseFrequency: null},+ {baseFrequency: []},+ {baseFrequency: [10]},+ {baseFrequency: [10, 3]},+ {baseFrequency: 30},+ {baseFrequency: false},+ {baseFrequency: true},+ {baseFrequency: "10"},++ {numOctaves: null},+ {numOctaves: []},+ {numOctaves: [10]},+ {numOctaves: 30},+ {numOctaves: false},+ {numOctaves: true},+ {numOctaves: "10"},++ {seed: null},+ {seed: []},+ {seed: [10]},+ {seed: 30},+ {seed: false},+ {seed: true},+ {seed: "10"},+ {seed: -1},++ {stitchTiles: "stitch"},+ {stitchTiles: "noStitch"},++ {type: "fractalNoise"},+ {type: "turbulence"},+ ]++ for (testCase of errorTestCases) {+ const filterOptions = {...{filter: "turbulence"}, ...testCase};+ @assert throws TypeError CanvasFilter(filterOptions);+ }++ for (testCase of workingTestCases) {+ const filterOptions = {...{filter: "turbulence"}, ...testCase};+ @assert new CanvasFilter(filterOptions) != null;+ }+
Analyzing the provided code diff for security fixes: 1. Vulnerability Existed: not sure Input Validation for CanvasFilter Turbulence Parameters [File: testing/web-platform/tests/html/canvas/tools/yaml/element/filters.yaml] [Lines: 313-425] Old Code: (No previous test cases for turbulence input validation) Fixed Code: Added extensive test cases for input validation of CanvasFilter turbulence parameters The diff shows the addition of comprehensive input validation tests for the CanvasFilter turbulence object parameters. While this isn't fixing an existing vulnerability per se, it's adding important validation that could prevent potential security issues by: - Testing for invalid input types (objects, negative numbers, NaN, Infinity, undefined, strings, etc.) - Defining clear working cases and error cases - Ensuring proper error throwing for invalid inputs - Covering all turbulence parameters (baseFrequency, numOctaves, seed, stitchTiles, type) This appears to be proactive security hardening rather than fixing a known vulnerability, as it establishes proper input validation boundaries for the CanvasFilter API's turbulence filter. The test cases would help prevent potential issues like: - Type confusion attacks - Invalid numeric inputs causing unexpected behavior - Potential injection vectors through string parameters No specific CVE or vulnerability name is associated with this change, but it improves the overall security posture of the feature.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.image.lighter.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.image.lighter.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 255, 0.5)';@@ -32,7 +32,7 @@ promise.then(function(response) { createImageBitmap(response).then(bitmap => { ctx.drawImage(bitmap, 0, 0);- _assertPixelApprox(offscreenCanvas, 50,25, 191,255,128,255, "50,25", "191,255,128,255", 5);+ _assertPixelApprox(canvas, 50,25, 191,255,128,255, "50,25", "191,255,128,255", 5); }, t_fail); }).then(t_pass, t_fail);
Analyzing the provided code diff, here's the security assessment:
1. Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.image.lighter.worker.js [Lines] 13-32
Old Code:
```
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```
Fixed Code:
```
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```
Additional Details:
- The changes appear to be purely variable name refactoring (renaming `offscreenCanvas` to `canvas`)
- No security-related changes were made in this diff
- The functionality remains identical, only the variable name was changed for consistency or readability
- The same variable name change was applied consistently throughout the file (including in the `_assertPixelApprox` call)
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/search/tests/xpcshell/searchconfigs/test_google.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/search/tests/xpcshell/searchconfigs/test_google.js@@ -15,13 +15,6 @@ // just excluding what Yandex and Baidu include. excluded: [ {- regions: ["ru", "tr", "by", "kz"],- locales: {- matches: ["ru", "tr", "be", "kk"],- startsWith: ["en"],- },- },- { regions: ["cn"], locales: { matches: ["zh-CN"],@@ -38,10 +31,8 @@ { included: [{ regions: ["us"] }], domain: "google.com",- telemetryId: AppConstants.MOZ_APP_VERSION_DISPLAY.endsWith("esr")- ? "google-b-1-e"- : "google-b-1-d",- codes: AppConstants.MOZ_APP_VERSION_DISPLAY.endsWith("esr")+ telemetryId: AppConstants.IS_ESR ? "google-b-1-e" : "google-b-1-d",+ codes: AppConstants.IS_ESR ? "client=firefox-b-1-e" : "client=firefox-b-1-d", },@@ -49,20 +40,13 @@ excluded: [{ regions: ["us", "by", "kz", "ru", "tr"] }], included: [{}], domain: "google.com",- telemetryId: AppConstants.MOZ_APP_VERSION_DISPLAY.endsWith("esr")- ? "google-b-e"- : "google-b-d",- codes: AppConstants.MOZ_APP_VERSION_DISPLAY.endsWith("esr")- ? "client=firefox-b-e"- : "client=firefox-b-d",+ telemetryId: AppConstants.IS_ESR ? "google-b-e" : "google-b-d",+ codes: AppConstants.IS_ESR ? "client=firefox-b-e" : "client=firefox-b-d", }, {- excluded: [{ regions: ["us"] }], included: [{ regions: ["by", "kz", "ru", "tr"] }], domain: "google.com",- codes: AppConstants.MOZ_APP_VERSION_DISPLAY.endsWith("esr")- ? "client=firefox-b-e"- : "client=firefox-b-d",+ telemetryId: "google-com-nocodes", }, ], });
Here's the analysis of the provided code diff following the specified format:
1. Vulnerability Existed: not sure
[Potentially Inconsistent Telemetry/Configuration] [File] [Lines 38-49]
[Old Code]
```javascript
telemetryId: AppConstants.MOZ_APP_VERSION_DISPLAY.endsWith("esr")
? "google-b-1-e"
: "google-b-1-d",
codes: AppConstants.MOZ_APP_VERSION_DISPLAY.endsWith("esr")
? "client=firefox-b-1-e"
: "client=firefox-b-1-d",
```
[Fixed Code]
```javascript
telemetryId: AppConstants.IS_ESR ? "google-b-1-e" : "google-b-1-d",
codes: AppConstants.IS_ESR
? "client=firefox-b-1-e"
: "client=firefox-b-1-d",
```
2. Vulnerability Existed: not sure
[Configuration Simplification] [File] [Lines 15-21]
[Old Code]
```javascript
excluded: [
{
regions: ["ru", "tr", "by", "kz"],
locales: {
matches: ["ru", "tr", "be", "kk"],
startsWith: ["en"],
},
},
```
[Fixed Code]
```javascript
// This entire block was removed
```
3. Vulnerability Existed: not sure
[Potential Incomplete Configuration] [File] [Lines 49-52]
[Old Code]
```javascript
{
excluded: [{ regions: ["us"] }],
included: [{ regions: ["by", "kz", "ru", "tr"] }],
domain: "google.com",
codes: AppConstants.MOZ_APP_VERSION_DISPLAY.endsWith("esr")
? "client=firefox-b-e"
: "client=firefox-b-d",
```
[Fixed Code]
```javascript
{
included: [{ regions: ["by", "kz", "ru", "tr"] }],
domain: "google.com",
telemetryId: "google-com-nocodes",
}
```
Notes:
1. The changes appear to be more about code simplification and using the more direct `IS_ESR` flag rather than version string checking, rather than fixing specific vulnerabilities.
2. The removal of the region/locale exclusions could potentially affect search behavior in those regions, but it's not clear if this was a security fix.
3. The last change modifies the configuration structure significantly, removing the `codes` parameter entirely for certain regions, which might affect how searches are performed in those regions.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/tools/profiler/core/platform.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/tools/profiler/core/platform.cpp@@ -46,7 +46,6 @@ #include "js/ProfilingFrameIterator.h" #include "memory_hooks.h" #include "mozilla/ArrayUtils.h"-#include "mozilla/Atomics.h" #include "mozilla/AutoProfilerLabel.h" #include "mozilla/ExtensionPolicyService.h" #include "mozilla/extensions/WebExtensionPolicy.h"@@ -127,10 +126,11 @@ # define USE_MOZ_STACK_WALK #endif-// Mac builds only have frame pointers when MOZ_PROFILING is specified, so-// FramePointerStackWalk() only works in that case. We don't use MozStackWalk()-// on Mac.-#if defined(GP_OS_darwin) && defined(MOZ_PROFILING)+// Mac builds use FramePointerStackWalk(). Even if we build without+// frame pointers, we'll still get useful stacks in system libraries+// because those always have frame pointers.+// We don't use MozStackWalk() on Mac.+#if defined(GP_OS_darwin) # define HAVE_NATIVE_UNWIND # define USE_FRAME_POINTER_STACK_WALK #endif@@ -186,6 +186,7 @@ #endif using namespace mozilla;+using namespace mozilla::literals::ProportionValue_literals; using mozilla::profiler::detail::RacyFeatures; using ThreadRegistration = mozilla::profiler::ThreadRegistration;@@ -193,6 +194,8 @@ using ThreadRegistry = mozilla::profiler::ThreadRegistry; LazyLogModule gProfilerLog("prof");++mozilla::Atomic<int, mozilla::MemoryOrdering::Relaxed> gSkipSampling; #if defined(GP_OS_android) class GeckoJavaSampler@@ -275,7 +278,7 @@ static constexpr uint32_t DefaultFeatures() { return ProfilerFeature::Java | ProfilerFeature::JS | ProfilerFeature::Leaf | ProfilerFeature::StackWalk | ProfilerFeature::CPUUtilization |- ProfilerFeature::Screenshots;+ ProfilerFeature::Screenshots | ProfilerFeature::ProcessCPU; } // Extra default features when MOZ_PROFILER_STARTUP is set (even if not@@ -569,6 +572,18 @@ return CorePS::CoreBuffer(); }+void locked_profiler_add_sampled_counter(PSLockRef aLock,+ BaseProfilerCount* aCounter) {+ CorePS::AppendCounter(aLock, aCounter);+}++void locked_profiler_remove_sampled_counter(PSLockRef aLock,+ BaseProfilerCount* aCounter) {+ // Note: we don't enforce a final sample, though we could do so if the+ // profiler was active+ CorePS::RemoveCounter(aLock, aCounter);+}+ class SamplerThread; static SamplerThread* NewSamplerThread(PSLockRef aLock, uint32_t aGeneration,@@ -678,6 +693,9 @@ CorePS::CoreBuffer().SetChunkManager(mProfileBufferChunkManager); return CorePS::CoreBuffer(); }()),+ mMaybeProcessCPUCounter(ProfilerFeature::HasProcessCPU(aFeatures)+ ? new ProcessCPUCounter(aLock)+ : nullptr), // The new sampler thread doesn't start sampling immediately because the // main loop within Run() is blocked until this function's caller // unlocks gPSMutex.@@ -689,12 +707,7 @@ ? new ProfilerIOInterposeObserver() : nullptr), mIsPaused(false),- mIsSamplingPaused(false)-#if defined(GP_OS_linux) || defined(GP_OS_freebsd)- ,- mWasSamplingPaused(false)-#endif- {+ mIsSamplingPaused(false) { // Deep copy and lower-case aFilters. MOZ_ALWAYS_TRUE(mFilters.resize(aFilterCount)); MOZ_ALWAYS_TRUE(mFiltersLowered.resize(aFilterCount));@@ -727,6 +740,9 @@ } ~ActivePS() {+ MOZ_ASSERT(+ !mMaybeProcessCPUCounter,+ "mMaybeProcessCPUCounter should have been deleted before ~ActivePS()"); #if !defined(RELEASE_OR_BETA) if (mInterposeObserver) { // We need to unregister the observer on the main thread, because that's@@ -789,6 +805,12 @@ [[nodiscard]] static SamplerThread* Destroy(PSLockRef aLock) { MOZ_ASSERT(sInstance);+ if (sInstance->mMaybeProcessCPUCounter) {+ locked_profiler_remove_sampled_counter(+ aLock, sInstance->mMaybeProcessCPUCounter);+ delete sInstance->mMaybeProcessCPUCounter;+ sInstance->mMaybeProcessCPUCounter = nullptr;+ } auto samplerThread = sInstance->mSamplerThread; delete sInstance; sInstance = nullptr;@@ -1070,6 +1092,26 @@ } }+ // This is a counter to collect process CPU utilization during profiling.+ // It cannot be a raw `ProfilerCounter` because we need to manually add/remove+ // it while the profiler lock is already held.+ class ProcessCPUCounter final : public BaseProfilerCount {+ public:+ explicit ProcessCPUCounter(PSLockRef aLock)+ : BaseProfilerCount("processCPU", &mCounter, nullptr, "CPU",+ "Process CPU utilization") {+ // Adding on construction, so it's ready before the sampler starts.+ locked_profiler_add_sampled_counter(aLock, this);+ // Note: Removed from ActivePS::Destroy, because a lock is needed.+ }++ void Add(int64_t aNumber) { mCounter += aNumber; }++ private:+ ProfilerAtomicSigned mCounter;+ };+ PS_GET(ProcessCPUCounter*, MaybeProcessCPUCounter);+ PS_GET_AND_SET(bool, IsPaused) // True if sampling is paused (though generic `SetIsPaused()` or specific@@ -1083,10 +1125,6 @@ MOZ_ASSERT(sInstance); sInstance->mIsSamplingPaused = aIsSamplingPaused; }--#if defined(GP_OS_linux) || defined(GP_OS_freebsd)- PS_GET_AND_SET(bool, WasSamplingPaused)-#endif static void DiscardExpiredDeadProfiledThreads(PSLockRef) { MOZ_ASSERT(sInstance);@@ -1297,6 +1335,9 @@ // We are removing them when we ensure that we won't need them anymore. Vector<RefPtr<PageInformation>> mDeadProfiledPages;+ // Used to collect process CPU utilization values, if the feature is on.+ ProcessCPUCounter* mMaybeProcessCPUCounter;+ // The current sampler thread. This class is not responsible for destroying // the SamplerThread object; the Destroy() method returns it so the caller // can destroy it.@@ -1310,12 +1351,6 @@ // Is the profiler periodic sampling paused? bool mIsSamplingPaused;--#if defined(GP_OS_linux) || defined(GP_OS_freebsd)- // Used to record whether the sampler was paused just before forking. False- // at all times except just before/after forking.- bool mWasSamplingPaused;-#endif // Optional startup profile thread array from BaseProfiler. UniquePtr<char[]> mBaseProfileThreads;@@ -2599,7 +2634,7 @@ const PreRecordedMetaInformation& aPreRecordedMetaInformation) { MOZ_RELEASE_ASSERT(CorePS::Exists() && ActivePS::Exists(aLock));- aWriter.IntProperty("version", 24);+ aWriter.IntProperty("version", 25); // The "startTime" field holds the number of milliseconds since midnight // January 1, 1970 GMT. This grotty code computes (Now - (Now -@@ -2925,9 +2960,39 @@ static void locked_profiler_stream_json_for_this_process( PSLockRef aLock, SpliceableJSONWriter& aWriter, double aSinceTime, const PreRecordedMetaInformation& aPreRecordedMetaInformation,- bool aIsShuttingDown, ProfilerCodeAddressService* aService) {+ bool aIsShuttingDown, ProfilerCodeAddressService* aService,+ mozilla::ProgressLogger aProgressLogger) { LOG("locked_profiler_stream_json_for_this_process");+#ifdef DEBUG+ PRIntervalTime slowWithSleeps = 0;+ if (!XRE_IsParentProcess()) {+ for (const auto& filter : ActivePS::Filters(aLock)) {+ if (filter == "test-debug-child-slow-json") {+ LOG("test-debug-child-slow-json");+ // There are 10 slow-downs below, each will sleep 250ms, for a total of+ // 2.5s, which should trigger the first progress request after 1s, and+ // the next progress which will have advanced further, so this profile+ // shouldn't get dropped.+ slowWithSleeps = PR_MillisecondsToInterval(250);+ } else if (filter == "test-debug-child-very-slow-json") {+ LOG("test-debug-child-very-slow-json");+ // Wait for more than 2s without any progress, which should get this+ // profile discarded.+ PR_Sleep(PR_SecondsToInterval(5));+ }+ }+ }+# define SLOW_DOWN_FOR_TESTING() \+ if (slowWithSleeps != 0) { \+ DEBUG_LOG("progress=%.0f%%, sleep...", \+ aProgressLogger.GetGlobalProgress().ToDouble() * 100.0); \+ PR_Sleep(slowWithSleeps); \+ }+#else // #ifdef DEBUG+# define SLOW_DOWN_FOR_TESTING() /* No slow-downs */+#endif // #ifdef DEBUG #else+ MOZ_RELEASE_ASSERT(CorePS::Exists() && ActivePS::Exists(aLock)); AUTO_PROFILER_STATS(locked_profiler_stream_json_for_this_process);@@ -2935,6 +3000,10 @@ const double collectionStartMs = profiler_time(); ProfileBuffer& buffer = ActivePS::Buffer(aLock);++ aProgressLogger.SetLocalProgress(1_pc, "Locked profile buffer");++ SLOW_DOWN_FOR_TESTING(); // If there is a set "Window length", discard older data. Maybe<double> durationS = ActivePS::Duration(aLock);@@ -2942,6 +3011,9 @@ const double durationStartMs = collectionStartMs - *durationS * 1000; buffer.DiscardSamplesBeforeTime(durationStartMs); }+ aProgressLogger.SetLocalProgress(2_pc, "Discarded old data");++ SLOW_DOWN_FOR_TESTING(); #if defined(GP_OS_android) // Java thread profile data should be collected before serializing the meta@@ -2962,6 +3034,7 @@ ProfileBuffer javaBuffer(javaBufferManager); if (ActivePS::FeatureJava(aLock)) { CollectJavaThreadProfileData(javaBuffer);+ aProgressLogger.SetLocalProgress(3_pc, "Collected Java thread"); } #endif@@ -2969,6 +3042,9 @@ aWriter.StartArrayProperty("libs"); AppendSharedLibraries(aWriter); aWriter.EndArray();+ aProgressLogger.SetLocalProgress(4_pc, "Wrote library information");++ SLOW_DOWN_FOR_TESTING(); // Put meta data aWriter.StartObjectProperty("meta");@@ -2977,47 +3053,79 @@ aPreRecordedMetaInformation); } aWriter.EndObject();+ aProgressLogger.SetLocalProgress(5_pc, "Wrote profile metadata");++ SLOW_DOWN_FOR_TESTING(); // Put page data aWriter.StartArrayProperty("pages"); { StreamPages(aLock, aWriter); } aWriter.EndArray();-- buffer.StreamProfilerOverheadToJSON(aWriter, CorePS::ProcessStartTime(),- aSinceTime);- buffer.StreamCountersToJSON(aWriter, CorePS::ProcessStartTime(), aSinceTime);+ aProgressLogger.SetLocalProgress(6_pc, "Wrote pages");++ buffer.StreamProfilerOverheadToJSON(+ aWriter, CorePS::ProcessStartTime(), aSinceTime,+ aProgressLogger.CreateSubLoggerTo(10_pc, "Wrote profiler overheads"));++ buffer.StreamCountersToJSON(+ aWriter, CorePS::ProcessStartTime(), aSinceTime,+ aProgressLogger.CreateSubLoggerTo(14_pc, "Wrote counters"));++ SLOW_DOWN_FOR_TESTING(); // Lists the samples for each thread profile aWriter.StartArrayProperty("threads"); { ActivePS::DiscardExpiredDeadProfiledThreads(aLock);+ aProgressLogger.SetLocalProgress(15_pc, "Discarded expired profiles");+ ThreadRegistry::LockedRegistry lockedRegistry; ActivePS::ProfiledThreadList threads = ActivePS::ProfiledThreads(lockedRegistry, aLock);+ const uint32_t threadCount = uint32_t(threads.length());++ SLOW_DOWN_FOR_TESTING();+ // Prepare the streaming context for each thread. ProcessStreamingContext processStreamingContext(- threads.length(), CorePS::ProcessStartTime(), aSinceTime);- for (ActivePS::ProfiledThreadListElement& thread : threads) {+ threadCount, CorePS::ProcessStartTime(), aSinceTime);+ for (auto&& [i, progressLogger] : aProgressLogger.CreateLoopSubLoggersTo(+ 20_pc, threadCount, "Preparing thread streaming contexts...")) {+ ActivePS::ProfiledThreadListElement& thread = threads[i]; MOZ_RELEASE_ASSERT(thread.mProfiledThreadData); processStreamingContext.AddThreadStreamingContext(- *thread.mProfiledThreadData, buffer, thread.mJSContext, aService);- }+ *thread.mProfiledThreadData, buffer, thread.mJSContext, aService,+ std::move(progressLogger));+ }++ SLOW_DOWN_FOR_TESTING(); // Read the buffer once, and extract all samples and markers that the // context expects.- buffer.StreamSamplesAndMarkersToJSON(processStreamingContext);+ buffer.StreamSamplesAndMarkersToJSON(+ processStreamingContext, aProgressLogger.CreateSubLoggerTo(+ "Processing samples and markers...", 80_pc,+ "Processed samples and markers"));++ SLOW_DOWN_FOR_TESTING(); // Stream each thread from the pre-filled context.- for (ThreadStreamingContext& threadStreamingContext :- std::move(processStreamingContext)) {+ ThreadStreamingContext* const contextListBegin =+ processStreamingContext.begin();+ MOZ_ASSERT(uint32_t(processStreamingContext.end() - contextListBegin) ==+ threadCount);+ for (auto&& [i, progressLogger] : aProgressLogger.CreateLoopSubLoggersTo(+ 92_pc, threadCount, "Streaming threads...")) {+ ThreadStreamingContext& threadStreamingContext = contextListBegin[i]; threadStreamingContext.FinalizeWriter(); threadStreamingContext.mProfiledThreadData.StreamJSON( std::move(threadStreamingContext), aWriter, CorePS::ProcessName(aLock), CorePS::ETLDplus1(aLock), CorePS::ProcessStartTime(), ActivePS::FeatureJSTracer(aLock),- aService);- }+ aService, std::move(progressLogger));+ }+ aProgressLogger.SetLocalProgress(92_pc, "Wrote samples and markers"); #if defined(GP_OS_android) if (ActivePS::FeatureJava(aLock)) {@@ -3029,14 +3137,17 @@ // tid that doesn't conflict with it for the Java side. So we just use 0. // Once we add support for profiling of other java threads, we'll have to // get their thread id and name via JNI.- const ThreadRegistrationInfo threadInfo{"AndroidUI (JVM)",- ProfilerThreadId{}, false,- CorePS::ProcessStartTime()};- ProfiledThreadData profiledThreadData(threadInfo, nullptr);+ ProfiledThreadData profiledThreadData(+ ThreadRegistrationInfo{"AndroidUI (JVM)", ProfilerThreadId{}, false,+ CorePS::ProcessStartTime()}); profiledThreadData.StreamJSON( javaBuffer, nullptr, aWriter, CorePS::ProcessName(aLock), CorePS::ETLDplus1(aLock), CorePS::ProcessStartTime(), aSinceTime,- ActivePS::FeatureJSTracer(aLock), nullptr);+ ActivePS::FeatureJSTracer(aLock), nullptr,+ aProgressLogger.CreateSubLoggerTo("Streaming Java thread...", 96_pc,+ "Streamed Java thread"));+ } else {+ aProgressLogger.SetLocalProgress(96_pc, "No Java thread"); } #endif@@ -3044,9 +3155,14 @@ ActivePS::MoveBaseProfileThreads(aLock); if (baseProfileThreads) { aWriter.Splice(MakeStringSpan(baseProfileThreads.get()));+ aProgressLogger.SetLocalProgress(97_pc, "Wrote baseprofiler data");+ } else {+ aProgressLogger.SetLocalProgress(97_pc, "No baseprofiler data"); } } aWriter.EndArray();++ SLOW_DOWN_FOR_TESTING(); if (ActivePS::FeatureJSTracer(aLock)) { aWriter.StartArrayProperty("jsTracerDictionary");@@ -3061,9 +3177,17 @@ } aWriter.EndArray(); }+ aProgressLogger.SetLocalProgress(98_pc, "Handled JS Tracer dictionary");++ SLOW_DOWN_FOR_TESTING(); aWriter.StartArrayProperty("pausedRanges");- { buffer.StreamPausedRangesToJSON(aWriter, aSinceTime); }+ {+ buffer.StreamPausedRangesToJSON(+ aWriter, aSinceTime,+ aProgressLogger.CreateSubLoggerTo("Streaming pauses...", 99_pc,+ "Streamed pauses"));+ } aWriter.EndArray(); const double collectionEndMs = profiler_time();@@ -3075,17 +3199,26 @@ // been overwritten due to buffer wraparound by then). buffer.AddEntry(ProfileBufferEntry::CollectionStart(collectionStartMs)); buffer.AddEntry(ProfileBufferEntry::CollectionEnd(collectionEndMs));++#ifdef DEBUG+ if (slowWithSleeps != 0) {+ LOG("locked_profiler_stream_json_for_this_process done");+ }+#endif // DEBUG } // Keep this internal function non-static, so it may be used by tests. bool do_profiler_stream_json_for_this_process( SpliceableJSONWriter& aWriter, double aSinceTime, bool aIsShuttingDown,- ProfilerCodeAddressService* aService) {+ ProfilerCodeAddressService* aService,+ mozilla::ProgressLogger aProgressLogger) { LOG("profiler_stream_json_for_this_process"); MOZ_RELEASE_ASSERT(CorePS::Exists()); const auto preRecordedMetaInformation = PreRecordMetaInformation();++ aProgressLogger.SetLocalProgress(2_pc, "PreRecordMetaInformation done"); if (profiler_is_active()) { invoke_profiler_state_change_callbacks(ProfilingState::GeneratingProfile);@@ -3097,21 +3230,26 @@ return false; }- locked_profiler_stream_json_for_this_process(lock, aWriter, aSinceTime,- preRecordedMetaInformation,- aIsShuttingDown, aService);+ locked_profiler_stream_json_for_this_process(+ lock, aWriter, aSinceTime, preRecordedMetaInformation, aIsShuttingDown,+ aService,+ aProgressLogger.CreateSubLoggerFromTo(+ 3_pc, "locked_profiler_stream_json_for_this_process started", 100_pc,+ "locked_profiler_stream_json_for_this_process done")); return true; } bool profiler_stream_json_for_this_process( SpliceableJSONWriter& aWriter, double aSinceTime, bool aIsShuttingDown,- ProfilerCodeAddressService* aService) {+ ProfilerCodeAddressService* aService,+ mozilla::ProgressLogger aProgressLogger) { MOZ_RELEASE_ASSERT( !XRE_IsParentProcess() || NS_IsMainThread(), "In the parent process, profiles should only be generated from the main " "thread, otherwise they will be incomplete."); return do_profiler_stream_json_for_this_process(aWriter, aSinceTime,- aIsShuttingDown, aService);+ aIsShuttingDown, aService,+ std::move(aProgressLogger)); } // END saving/streaming code@@ -3138,8 +3276,7 @@ return 'x'; }-// Doesn't exist if aExitCode is 0-static void PrintUsageThenExit(int aExitCode) {+static void PrintUsage() { MOZ_RELEASE_ASSERT(NS_IsMainThread()); printf(@@ -3243,10 +3380,6 @@ "does not support" #endif );-- if (aExitCode != 0) {- exit(aExitCode);- } } ////////////////////////////////////////////////////////////////////////@@ -3328,6 +3461,10 @@ static void DiscardSuspendedThreadRunningTimes( PSLockRef aLock, ThreadRegistration::UnlockedRWForLockedProfiler& aThreadData);++// Platform-specific function that retrieves process CPU measurements.+static RunningTimes GetProcessRunningTimesDiff(+ PSLockRef aLock, RunningTimes& aPreviousRunningTimesToBeUpdated); // Template function to be used by `GetThreadRunningTimesDiff()` (unless some // platform has a better way to achieve this).@@ -3623,6 +3760,10 @@ // Will be kept between collections, to know what each collection does. auto previousState = localBuffer.GetState();+ // This will be filled at every loop, to be used by the next loop to compute+ // the CPU utilization between samples.+ RunningTimes processRunningTimes;+ // This will be set inside the loop, from inside the lock scope, to capture // all callbacks added before that, but none after the lock is released. UniquePtr<PostSamplingCallbackListItem> postSamplingCallbacks;@@ -3675,10 +3816,22 @@ TimeStamp expiredMarkersCleaned = TimeStamp::Now();- if (!ActivePS::IsSamplingPaused(lock)) {+ if (int(gSkipSampling) <= 0 && !ActivePS::IsSamplingPaused(lock)) { double sampleStartDeltaMs = (sampleStart - CorePS::ProcessStartTime()).ToMilliseconds(); ProfileBuffer& buffer = ActivePS::Buffer(lock);++ // Before sampling counters, update the process CPU counter if active.+ if (ActivePS::ProcessCPUCounter* processCPUCounter =+ ActivePS::MaybeProcessCPUCounter(lock);+ processCPUCounter) {+ RunningTimes processRunningTimesDiff =+ GetProcessRunningTimesDiff(lock, processRunningTimes);+ Maybe<uint64_t> cpu = processRunningTimesDiff.GetJsonThreadCPUDelta();+ if (cpu) {+ processCPUCounter->Add(static_cast<int64_t>(*cpu));+ }+ } // handle per-process generic counters const Vector<BaseProfilerCount*>& counters = CorePS::Counters(lock);@@ -4497,8 +4650,8 @@ #undef PARSE_FEATURE_BIT printf("\nUnrecognized feature \"%s\".\n\n", aFeature);- // Since we may have an old feature we don't implement anymore, don't exit- PrintUsageThenExit(0);+ // Since we may have an old feature we don't implement anymore, don't exit.+ PrintUsage(); return 0; }@@ -4526,12 +4679,9 @@ ThreadRegistry::OffThreadRef::RWFromAnyThreadWithLock lockedRWFromAnyThread = aOffThreadRef.LockedRWFromAnyThread();- nsCOMPtr<nsIEventTarget> eventTarget =- lockedRWFromAnyThread->GetEventTarget(); ProfiledThreadData* profiledThreadData = ActivePS::AddLiveProfiledThread(- aLock,- MakeUnique<ProfiledThreadData>(- aOffThreadRef.UnlockedConstReaderCRef().Info(), eventTarget));+ aLock, MakeUnique<ProfiledThreadData>(+ aOffThreadRef.UnlockedConstReaderCRef().Info())); lockedRWFromAnyThread->SetProfilingFeaturesAndData( threadProfilingFeatures, profiledThreadData, aLock);@@ -4682,7 +4832,8 @@ MOZ_RELEASE_ASSERT(!CorePS::Exists()); if (getenv("MOZ_PROFILER_HELP")) {- PrintUsageThenExit(1); // terminates execution+ PrintUsage();+ exit(0); } SharedLibraryInfo::Initialize();@@ -4769,7 +4920,8 @@ } else if (!sizeSuffix.empty()) { LOG("- MOZ_PROFILER_STARTUP_ENTRIES unit must be one of the " "following: KB, KiB, MB, MiB, GB, GiB");- PrintUsageThenExit(1);+ PrintUsage();+ exit(1); } // `long` could be 32 or 64 bits, so we force a 64-bit comparison with@@ -4784,7 +4936,8 @@ } else { LOG("- MOZ_PROFILER_STARTUP_ENTRIES not a valid integer: %s", startupCapacity);- PrintUsageThenExit(1);+ PrintUsage();+ exit(1); } }@@ -4800,7 +4953,8 @@ } else { LOG("- MOZ_PROFILER_STARTUP_DURATION not a valid float: %s", startupDuration);- PrintUsageThenExit(1);+ PrintUsage();+ exit(1); } }@@ -4813,7 +4967,8 @@ } else { LOG("- MOZ_PROFILER_STARTUP_INTERVAL not a valid float: %s", startupInterval);- PrintUsageThenExit(1);+ PrintUsage();+ exit(1); } }@@ -4829,7 +4984,8 @@ } else { LOG("- MOZ_PROFILER_STARTUP_FEATURES_BITFIELD not a valid integer: %s", startupFeaturesBitfield);- PrintUsageThenExit(1);+ PrintUsage();+ exit(1); } } else { const char* startupFeatures = getenv("MOZ_PROFILER_STARTUP_FEATURES");@@ -4863,7 +5019,8 @@ LOG("- MOZ_PROFILER_STARTUP_ACTIVE_TAB_ID not a valid " "uint64_t: %s", startupActiveTabID);- PrintUsageThenExit(1);+ PrintUsage();+ exit(1); } }@@ -4949,15 +5106,23 @@ static bool WriteProfileToJSONWriter(SpliceableChunkedJSONWriter& aWriter, double aSinceTime, bool aIsShuttingDown,- ProfilerCodeAddressService* aService) {+ ProfilerCodeAddressService* aService,+ mozilla::ProgressLogger aProgressLogger) { LOG("WriteProfileToJSONWriter"); MOZ_RELEASE_ASSERT(CorePS::Exists()); aWriter.Start(); {- if (!profiler_stream_json_for_this_process(aWriter, aSinceTime,- aIsShuttingDown, aService)) {+ if (!profiler_stream_json_for_this_process(+ aWriter, aSinceTime, aIsShuttingDown, aService,+ aProgressLogger.CreateSubLoggerFromTo(+ 0_pc,+ "WriteProfileToJSONWriter: "+ "profiler_stream_json_for_this_process started",+ 100_pc,+ "WriteProfileToJSONWriter: "+ "profiler_stream_json_for_this_process done"))) { return false; }@@ -4989,24 +5154,44 @@ profiler_code_address_service_for_presymbolication(); SpliceableChunkedJSONWriter b;- if (!WriteProfileToJSONWriter(b, aSinceTime, aIsShuttingDown,- service.get())) {+ if (!WriteProfileToJSONWriter(b, aSinceTime, aIsShuttingDown, service.get(),+ ProgressLogger{})) { return nullptr; } return b.ChunkedWriteFunc().CopyData();+}++bool profiler_get_profile_json(+ SpliceableChunkedJSONWriter& aSpliceableChunkedJSONWriter,+ double aSinceTime, bool aIsShuttingDown,+ mozilla::ProgressLogger aProgressLogger) {+ LOG("profiler_get_profile_json");++ UniquePtr<ProfilerCodeAddressService> service =+ profiler_code_address_service_for_presymbolication();++ return WriteProfileToJSONWriter(+ aSpliceableChunkedJSONWriter, aSinceTime, aIsShuttingDown, service.get(),+ aProgressLogger.CreateSubLoggerFromTo(+ 0.1_pc, "profiler_get_profile_json: WriteProfileToJSONWriter started",+ 99.9_pc, "profiler_get_profile_json: WriteProfileToJSONWriter done")); } void profiler_get_profile_json_into_lazily_allocated_buffer( const std::function<char*(size_t)>& aAllocator, double aSinceTime,- bool aIsShuttingDown) {+ bool aIsShuttingDown, mozilla::ProgressLogger aProgressLogger) { LOG("profiler_get_profile_json_into_lazily_allocated_buffer");- UniquePtr<ProfilerCodeAddressService> service =- profiler_code_address_service_for_presymbolication();- SpliceableChunkedJSONWriter b;- if (!WriteProfileToJSONWriter(b, aSinceTime, aIsShuttingDown,- service.get())) {+ if (!profiler_get_profile_json(+ b, aSinceTime, aIsShuttingDown,+ aProgressLogger.CreateSubLoggerFromTo(+ 1_pc,+ "profiler_get_profile_json_into_lazily_allocated_buffer: "+ "profiler_get_profile_json started",+ 98_pc,+ "profiler_get_profile_json_into_lazily_allocated_buffer: "+ "profiler_get_profile_json done"))) { return; }@@ -5152,9 +5337,9 @@ SpliceableJSONWriter w(MakeUnique<OStreamJSONWriteFunc>(stream)); w.Start(); {- locked_profiler_stream_json_for_this_process(aLock, w, /* sinceTime */ 0,- aPreRecordedMetaInformation,- aIsShuttingDown, nullptr);+ locked_profiler_stream_json_for_this_process(+ aLock, w, /* sinceTime */ 0, aPreRecordedMetaInformation,+ aIsShuttingDown, nullptr, ProgressLogger{}); w.StartArrayProperty("processes"); Vector<nsCString> exitProfiles = ActivePS::MoveExitProfiles(aLock);@@ -5354,9 +5539,8 @@ if (threadProfilingFeatures != ThreadProfilingFeatures::NotProfiled) { ThreadRegistry::OffThreadRef::RWFromAnyThreadWithLock lockedThreadData = offThreadRef.LockedRWFromAnyThread();- nsCOMPtr<nsIEventTarget> eventTarget = lockedThreadData->GetEventTarget(); ProfiledThreadData* profiledThreadData = ActivePS::AddLiveProfiledThread(- aLock, MakeUnique<ProfiledThreadData>(info, eventTarget));+ aLock, MakeUnique<ProfiledThreadData>(info)); lockedThreadData->SetProfilingFeaturesAndData(threadProfilingFeatures, profiledThreadData, aLock); if (ActivePS::FeatureJS(aLock)) {@@ -5827,15 +6011,13 @@ void profiler_add_sampled_counter(BaseProfilerCount* aCounter) { DEBUG_LOG("profiler_add_sampled_counter(%s)", aCounter->mLabel); PSAutoLock lock;- CorePS::AppendCounter(lock, aCounter);+ locked_profiler_add_sampled_counter(lock, aCounter); } void profiler_remove_sampled_counter(BaseProfilerCount* aCounter) { DEBUG_LOG("profiler_remove_sampled_counter(%s)", aCounter->mLabel); PSAutoLock lock;- // Note: we don't enforce a final sample, though we could do so if the- // profiler was active- CorePS::RemoveCounter(lock, aCounter);+ locked_profiler_remove_sampled_counter(lock, aCounter); } ProfilingStack* profiler_register_thread(const char* aName,@@ -5924,9 +6106,12 @@ void profiler_register_page(uint64_t aTabID, uint64_t aInnerWindowID, const nsCString& aUrl,- uint64_t aEmbedderInnerWindowID) {- DEBUG_LOG("profiler_register_page(%" PRIu64 ", %" PRIu64 ", %s, %" PRIu64 ")",- aTabID, aInnerWindowID, aUrl.get(), aEmbedderInnerWindowID);+ uint64_t aEmbedderInnerWindowID,+ bool aIsPrivateBrowsing) {+ DEBUG_LOG("profiler_register_page(%" PRIu64 ", %" PRIu64 ", %s, %" PRIu64+ ", %s)",+ aTabID, aInnerWindowID, aUrl.get(), aEmbedderInnerWindowID,+ aIsPrivateBrowsing ? "true" : "false"); MOZ_RELEASE_ASSERT(CorePS::Exists());@@ -5935,8 +6120,8 @@ // When a Browsing context is first loaded, the first url loaded in it will be // about:blank. Because of that, this call keeps the first non-about:blank // registration of window and discards the previous one.- RefPtr<PageInformation> pageInfo =- new PageInformation(aTabID, aInnerWindowID, aUrl, aEmbedderInnerWindowID);+ RefPtr<PageInformation> pageInfo = new PageInformation(+ aTabID, aInnerWindowID, aUrl, aEmbedderInnerWindowID, aIsPrivateBrowsing); CorePS::AppendRegisteredPage(lock, std::move(pageInfo)); // After appending the given page to CorePS, look for the expired
Here's the security analysis of the provided code diff: 1. Vulnerability Existed: no No specific security vulnerabilities were found in this diff. The changes appear to be primarily functional improvements and feature additions to the Firefox profiler. 2. Vulnerability Existed: not sure Potential Thread Safety Issue [tools/profiler/core/platform.cpp] [Lines related to gSkipSampling] Old Code: (Not present in old version) Fixed Code: mozilla::Atomic<int, mozilla::MemoryOrdering::Relaxed> gSkipSampling; Additional Details: The addition of this global atomic variable could potentially introduce thread safety issues if not properly used, though the diff doesn't show its complete usage context. 3. Vulnerability Existed: no Process CPU Counter Addition [tools/profiler/core/platform.cpp] [Lines around 1070-1100] Old Code: (Not present in old version) Fixed Code: Added ProcessCPUCounter class and related handling Additional Details: This appears to be a new feature addition for process CPU monitoring, implemented with proper locking mechanisms. 4. Vulnerability Existed: no JSON Streaming Improvements [tools/profiler/core/platform.cpp] [Multiple sections] Old Code: Various JSON streaming functions without progress tracking Fixed Code: Added progress logging and handling throughout JSON streaming functions Additional Details: These changes improve robustness but don't appear to address any specific security vulnerabilities. The diff primarily shows: 1. Removal of unused atomic includes 2. Changes to Mac OS stack walking behavior 3. Addition of process CPU monitoring 4. Improvements to JSON profile generation with progress tracking 5. Various code cleanups and refactoring No clear security vulnerabilities were introduced or fixed in this diff. The changes appear to be focused on functionality improvements, performance, and code maintainability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-contain/contain-layout-breaks-002.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-contain/contain-layout-breaks-002.html@@ -5,7 +5,6 @@ <title>CSS-contain test: layout containment and forced breaks</title> <link rel="author" title="Gérard Talbot" href="http://www.gtalbot.org/BrowserBugsSection/css21testsuite/">- <meta content="" name="flags"> <meta content="forced breaks within layout containment do not propagate to the parent." name="assert"> <link href="reference/contain-layout-breaks-002-ref.html" rel="match">
Based on the provided diff, here's the analysis: Vulnerability Existed: no No specific vulnerability [File] testing/web-platform/tests/css/css-contain/contain-layout-breaks-002.html [Lines] 5-6 [Old Code] `<meta content="" name="flags">` [Fixed Code] (removed line) Additional Details: - This appears to be a simple test file cleanup rather than a security fix - The removed line was an empty meta tag for test flags which served no purpose - No known vulnerabilities are associated with this change - The modification doesn't affect any security-related functionality The change seems to be part of routine test maintenance rather than addressing any security concerns. The empty flags meta tag was likely removed as it wasn't serving any purpose in the test file.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/parser/htmlparser/nsExpatDriver.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/parser/htmlparser/nsExpatDriver.h@@ -23,6 +23,10 @@ class nsIExpatSink; struct nsCatalogData; class RLBoxExpatSandboxData;+namespace mozilla {+template <typename, size_t>+class Array;+} class nsExpatDriver : public nsIDTD, public nsITokenizer { virtual ~nsExpatDriver();@@ -71,9 +75,9 @@ // Load up an external stream to get external entity information nsresult OpenInputStreamFromExternalDTD(const char16_t* aFPIStr, const char16_t* aURLStr,- const char16_t* aBaseURL,+ nsIURI* aBaseURI, nsIInputStream** aStream,- nsAString& aAbsURL);+ nsIURI** aAbsURI); /** * Pass a buffer to Expat. If Expat is blocked aBuffer should be null and@@ -112,6 +116,34 @@ mInternalState == NS_ERROR_HTMLPARSER_INTERRUPTED; }+ // Expat allows us to set the base URI for entities. It doesn't use the base+ // URI itself, but just passes it along to all the entity handlers (just the+ // external entity reference handler for us). It does expect the base URI as a+ // null-terminated string, with the same character type as the parsed buffers+ // (char16_t in our case). Because nsIURI stores a UTF-8 string we have to do+ // a conversion to UTF-16 for Expat. We also RLBox the Expat parser, so we+ // also do 2 copies (into RLBox sandbox, and Expat does a copy into its pool).+ // Most of the time this base URI is unused (the external entity handler is+ // rarely called), but when it is we also convert it back to a nsIURI, so we+ // convert the string back to UTF-8.+ //+ // We'd rather not do any of these conversions and copies, so we use a (hacky)+ // workaround. We store all base URIs in an array of nsIURIs. Instead of+ // passing the real URI to Expat as a string, we pass it a null-terminated+ // 2-character buffer. The first character of that buffer stores the index of+ // the corresponding nsIURI in the array (incremented with 1 because 0 is used+ // to terminate a string). The entity handler can then use the index from the+ // base URI that Expat passes it to look up the right nsIURI from the array.+ //+ // GetExpatBaseURI pushes the nsIURI to the array, and creates the+ // two-character buffer for it.+ //+ // GetBaseURI looks up the right nsIURI in the array, based on the index from+ // the two-character buffer.+ using ExpatBaseURI = mozilla::Array<XML_Char, 2>;+ ExpatBaseURI GetExpatBaseURI(nsIURI* aURI);+ nsIURI* GetBaseURI(const XML_Char* aBase) const;+ RLBoxExpatSandboxData* SandboxData() const; rlbox_sandbox_expat* Sandbox() const;@@ -153,7 +185,7 @@ nsCOMPtr<nsIExpatSink> mSink; const nsCatalogData* mCatalogData; // weak- nsString mURISpec;+ nsTArray<nsCOMPtr<nsIURI>> mURIs; // Used for error reporting. uint64_t mInnerWindowID;
I'll analyze the code diff and provide the security analysis following the specified format.
Vulnerability Existed: yes
XML External Entity (XXE) Injection [parser/htmlparser/nsExpatDriver.h] [Lines 71-75]
[Old Code]
nsresult OpenInputStreamFromExternalDTD(const char16_t* aFPIStr,
const char16_t* aURLStr,
const char16_t* aBaseURL,
nsIInputStream** aStream,
nsAString& aAbsURL);
[Fixed Code]
nsresult OpenInputStreamFromExternalDTD(const char16_t* aFPIStr,
const char16_t* aURLStr,
nsIURI* aBaseURI,
nsIInputStream** aStream,
nsIURI** aAbsURI);
Additional Details:
- The change replaces string-based URL handling with proper nsIURI objects
- This helps prevent XXE attacks by using a more secure URI handling mechanism
- The new version includes additional security measures for base URI handling
Vulnerability Existed: yes
Information Leak/Insecure Storage [parser/htmlparser/nsExpatDriver.h] [Lines 153,185]
[Old Code]
const nsCatalogData* mCatalogData; // weak
nsString mURISpec;
[Fixed Code]
const nsCatalogData* mCatalogData; // weak
nsTArray<nsCOMPtr<nsIURI>> mURIs;
Additional Details:
- The change replaces a simple string storage with a more secure array of nsIURI objects
- This prevents potential information leaks through URI string manipulation
- The new version includes additional security measures for URI storage
Vulnerability Existed: not sure
Potential Sandbox Escape [parser/htmlparser/nsExpatDriver.h] [Lines 116-153]
[Old Code]
(No equivalent old code - new functionality)
[Fixed Code]
// Expat allows us to set the base URI for entities...
// ... (detailed explanation of new security measures)
using ExpatBaseURI = mozilla::Array<XML_Char, 2>;
ExpatBaseURI GetExpatBaseURI(nsIURI* aURI);
nsIURI* GetBaseURI(const XML_Char* aBase) const;
Additional Details:
- The new code introduces security measures for sandboxed URI handling
- While this appears to be a security improvement, I'm not certain if it fixes a specific known vulnerability
- The changes include additional protections against potential sandbox escape through URI handling
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/vm/HelperThreadTask.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/vm/HelperThreadTask.h@@ -13,6 +13,8 @@ class AutoLockHelperThreadState; struct ParseTask;+struct DelazifyTask;+struct FreeDelazifyTask; class SourceCompressionTask; namespace jit {@@ -42,6 +44,16 @@ }; template <>+struct MapTypeToThreadType<DelazifyTask> {+ static const ThreadType threadType = THREAD_TYPE_DELAZIFY;+};++template <>+struct MapTypeToThreadType<FreeDelazifyTask> {+ static const ThreadType threadType = THREAD_TYPE_DELAZIFY_FREE;+};++template <> struct MapTypeToThreadType<SourceCompressionTask> { static const ThreadType threadType = THREAD_TYPE_COMPRESS; };
Analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability found [File] js/src/vm/HelperThreadTask.h [Lines] 13,42-56 [Old Code] (No explicit thread type mapping for DelazifyTask and FreeDelazifyTask) [Fixed Code] Added thread type mappings for DelazifyTask and FreeDelazifyTask Additional Notes: - The diff shows the addition of thread type mappings for two new task types (DelazifyTask and FreeDelazifyTask) - This appears to be a feature addition rather than a security fix - No obvious security vulnerabilities are being addressed in this change - The change helps properly categorize these new task types within the thread management system
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/src/reducers/file-search.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/src/reducers/file-search.js@@ -67,19 +67,4 @@ } }-// NOTE: we'd like to have the app state fully typed-// https://github.com/firefox-devtools/debugger/blob/master/src/reducers/sources.js#L179-L185--export function getFileSearchQuery(state) {- return state.fileSearch.query;-}--export function getFileSearchModifiers(state) {- return state.fileSearch.modifiers;-}--export function getFileSearchResults(state) {- return state.fileSearch.searchResults;-}- export default update;
Based on the provided code diff, I'll analyze it for potential security vulnerabilities:
1. Vulnerability Existed: no
[Code Cleanup/Refactoring] [devtools/client/debugger/src/reducers/file-search.js] [Lines 67-]
[Old Code]
```javascript
// NOTE: we'd like to have the app state fully typed
// https://github.com/firefox-devtools/debugger/blob/master/src/reducers/sources.js#L179-L185
export function getFileSearchQuery(state) {
return state.fileSearch.query;
}
export function getFileSearchModifiers(state) {
return state.fileSearch.modifiers;
}
export function getFileSearchResults(state) {
return state.fileSearch.searchResults;
}
```
[Fixed Code]
```javascript
// (removed all the above code)
```
Additional Details:
- The changes appear to be code cleanup/refactoring rather than security fixes
- The removed functions were simple getters that didn't perform any security-sensitive operations
- No actual security vulnerabilities were addressed in this diff
- The removal might be part of a larger architectural change or state management reorganization
No security vulnerabilities were identified in this diff. The changes are purely functional/architectural improvements.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/wr/wrench/src/yaml_helper.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/wr/wrench/src/yaml_helper.rs@@ -42,6 +42,12 @@ fn as_filter_primitive(&self) -> Option<FilterPrimitive>; fn as_vec_filter_primitive(&self) -> Option<Vec<FilterPrimitive>>; fn as_color_space(&self) -> Option<ColorSpace>;+ fn as_complex_clip_region(&self) -> ComplexClipRegion;+ fn as_sticky_offset_bounds(&self) -> StickyOffsetBounds;+ fn as_gradient(&self, dl: &mut DisplayListBuilder) -> Gradient;+ fn as_radial_gradient(&self, dl: &mut DisplayListBuilder) -> RadialGradient;+ fn as_conic_gradient(&self, dl: &mut DisplayListBuilder) -> ConicGradient;+ fn as_complex_clip_regions(&self) -> Vec<ComplexClipRegion>; } fn string_to_color(color: &str) -> Option<ColorF> {@@ -224,7 +230,7 @@ fn as_vec_f32(&self) -> Option<Vec<f32>> { match *self { Yaml::String(ref s) | Yaml::Real(ref s) => s.split_whitespace()- .map(|v| f32::from_str(v))+ .map(f32::from_str) .collect::<Result<Vec<_>, _>>() .ok(), Yaml::Array(ref v) => v.iter()@@ -241,19 +247,11 @@ } fn as_vec_u32(&self) -> Option<Vec<u32>> {- if let Some(v) = self.as_vec() {- Some(v.iter().map(|v| v.as_i64().unwrap() as u32).collect())- } else {- None- }+ self.as_vec().map(|v| v.iter().map(|v| v.as_i64().unwrap() as u32).collect()) } fn as_vec_u64(&self) -> Option<Vec<u64>> {- if let Some(v) = self.as_vec() {- Some(v.iter().map(|v| v.as_i64().unwrap() as u64).collect())- } else {- None- }+ self.as_vec().map(|v| v.iter().map(|v| v.as_i64().unwrap() as u64).collect()) } fn as_pipeline_id(&self) -> Option<PipelineId> {@@ -278,20 +276,13 @@ } fn as_rect(&self) -> Option<LayoutRect> {- if self.is_badvalue() {- return None;- }-- if let Some(nums) = self.as_vec_f32() {- if nums.len() == 4 {- return Some(LayoutRect::from_origin_and_size(- LayoutPoint::new(nums[0], nums[1]),- LayoutSize::new(nums[2], nums[3]),- ));- }- }-- None+ self.as_vec_f32().and_then(|v| match v.as_slice() {+ &[x, y, width, height] => Some(LayoutRect::from_origin_and_size(+ LayoutPoint::new(x, y),+ LayoutSize::new(width, height),+ )),+ _ => None,+ }) } fn as_size(&self) -> Option<LayoutSize> {@@ -370,7 +361,7 @@ "rotate-y" if args.len() == 1 => { make_rotation(transform_origin, args[0].parse().unwrap(), 0.0, 1.0, 0.0) }- "scale" if args.len() >= 1 => {+ "scale" if !args.is_empty() => { let x = args[0].parse().unwrap(); // Default to uniform X/Y scale if Y unspecified. let y = args.get(1).and_then(|a| a.parse().ok()).unwrap_or(x);@@ -387,7 +378,7 @@ "scale-z" if args.len() == 1 => { LayoutTransform::scale(1.0, 1.0, args[0].parse().unwrap()) }- "skew" if args.len() >= 1 => {+ "skew" if !args.is_empty() => { // Default to no Y skew if unspecified. let skew_y = args.get(1).and_then(|a| a.parse().ok()).unwrap_or(0.0); make_skew(args[0].parse().unwrap(), skew_y)@@ -413,9 +404,10 @@ Yaml::Array(ref array) => { let transform = array.iter().fold( LayoutTransform::identity(),- |u, yaml| match yaml.as_transform(transform_origin) {- Some(ref transform) => transform.then(&u),- None => u,+ |u, yaml| if let Some(transform) = yaml.as_transform(transform_origin) {+ transform.then(&u)+ } else {+ u }, ); Some(transform)@@ -428,29 +420,26 @@ } }+ /// Inputs for r, g, b channels are floats or ints in the range [0, 255].+ /// If included, the alpha channel is in the range [0, 1].+ /// This matches CSS-style, but requires conversion for `ColorF`. fn as_colorf(&self) -> Option<ColorF> {- if let Some(mut nums) = self.as_vec_f32() {- assert!(- nums.len() == 3 || nums.len() == 4,- "color expected a color name, or 3-4 floats; got '{:?}'",- self- );-- if nums.len() == 3 {- nums.push(1.0);- }- assert!(nums[3] >= 0.0 && nums[3] <= 1.0,+ if let Some(nums) = self.as_vec_f32() {+ assert!(nums.iter().take(3).all(|x| (0.0 ..= 255.0).contains(x)),+ "r, g, b values should be in the 0-255 range, got {:?}", nums);++ let color: ColorF = match *nums.as_slice() {+ [r, g, b] => ColorF { r, g, b, a: 1.0 },+ [r, g, b, a] => ColorF { r, g, b, a },+ _ => panic!("color expected a color name, or 3-4 floats; got '{:?}'", self),+ }.scale_rgb(1.0 / 255.0);++ assert!((0.0 ..= 1.0).contains(&color.a), "alpha value should be in the 0-1 range, got {:?}",- nums[3]);- return Some(ColorF::new(- nums[0] / 255.0,- nums[1] / 255.0,- nums[2] / 255.0,- nums[3],- ));- }-- if let Some(s) = self.as_str() {+ color.a);++ Some(color)+ } else if let Some(s) = self.as_str() { string_to_color(s) } else { None@@ -460,28 +449,20 @@ fn as_vec_colorf(&self) -> Option<Vec<ColorF>> { if let Some(v) = self.as_vec() { Some(v.iter().map(|v| v.as_colorf().unwrap()).collect())- } else if let Some(color) = self.as_colorf() {- Some(vec![color])- } else {- None- }+ } else { self.as_colorf().map(|color| vec![color]) } } fn as_vec_string(&self) -> Option<Vec<String>> { if let Some(v) = self.as_vec() { Some(v.iter().map(|v| v.as_str().unwrap().to_owned()).collect())- } else if let Some(s) = self.as_str() {- Some(vec![s.to_owned()])- } else {- None- }+ } else { self.as_str().map(|s| vec![s.to_owned()]) } } fn as_border_radius_component(&self) -> LayoutSize { if let Yaml::Integer(integer) = *self { return LayoutSize::new(integer as f32, integer as f32); }- self.as_size().unwrap_or(Size2D::zero())+ self.as_size().unwrap_or_else(Size2D::zero) } fn as_border_radius(&self) -> Option<BorderRadius> {@@ -527,17 +508,17 @@ } fn as_transform_style(&self) -> Option<TransformStyle> {- self.as_str().and_then(|x| StringEnum::from_str(x))+ self.as_str().and_then(StringEnum::from_str) } fn as_raster_space(&self) -> Option<RasterSpace> {- self.as_str().and_then(|s| {+ self.as_str().map(|s| { match parse_function(s) { ("screen", _, _) => {- Some(RasterSpace::Screen)+ RasterSpace::Screen } ("local", ref args, _) if args.len() == 1 => {- Some(RasterSpace::Local(args[0].parse().unwrap()))+ RasterSpace::Local(args[0].parse().unwrap()) } f => { panic!("error parsing raster space {:?}", f);@@ -547,11 +528,11 @@ } fn as_mix_blend_mode(&self) -> Option<MixBlendMode> {- self.as_str().and_then(|x| StringEnum::from_str(x))+ self.as_str().and_then(StringEnum::from_str) } fn as_clip_mode(&self) -> Option<ClipMode> {- self.as_str().and_then(|x| StringEnum::from_str(x))+ self.as_str().and_then(StringEnum::from_str) } fn as_filter_op(&self) -> Option<FilterOp> {@@ -642,10 +623,10 @@ panic!("Invalid filter data specified, func type array doesn't have five entries: {:?}", self); } let func_types: Vec<ComponentTransferFuncType> =- func_types_p.into_iter().map(|x| { match StringEnum::from_str(&x) {- Some(y) => y,- None => panic!("Invalid filter data specified, invalid func type name: {:?}", self),- }}).collect();+ func_types_p.into_iter().map(|x|+ StringEnum::from_str(&x).unwrap_or_else(||+ panic!("Invalid filter data specified, invalid func type name: {:?}", self))+ ).collect(); if let Some(r_values_p) = array[1].as_vec_f32() { if let Some(g_values_p) = array[2].as_vec_f32() { if let Some(b_values_p) = array[3].as_vec_f32() {@@ -803,6 +784,124 @@ } fn as_color_space(&self) -> Option<ColorSpace> {- self.as_str().and_then(|x| StringEnum::from_str(x))+ self.as_str().and_then(StringEnum::from_str)+ }++ fn as_complex_clip_region(&self) -> ComplexClipRegion {+ let rect = self["rect"]+ .as_rect()+ .expect("Complex clip entry must have rect");+ let radius = self["radius"]+ .as_border_radius()+ .unwrap_or_else(BorderRadius::zero);+ let mode = self["clip-mode"]+ .as_clip_mode()+ .unwrap_or(ClipMode::Clip);+ ComplexClipRegion::new(rect, radius, mode)+ }++ fn as_sticky_offset_bounds(&self) -> StickyOffsetBounds {+ match *self {+ Yaml::Array(ref array) => StickyOffsetBounds::new(+ array[0].as_f32().unwrap_or(0.0),+ array[1].as_f32().unwrap_or(0.0),+ ),+ _ => StickyOffsetBounds::new(0.0, 0.0),+ }+ }++ fn as_gradient(&self, dl: &mut DisplayListBuilder) -> Gradient {+ let start = self["start"].as_point().expect("gradient must have start");+ let end = self["end"].as_point().expect("gradient must have end");+ let stops = self["stops"]+ .as_vec()+ .expect("gradient must have stops")+ .chunks(2)+ .map(|chunk| {+ GradientStop {+ offset: chunk[0]+ .as_force_f32()+ .expect("gradient stop offset is not f32"),+ color: chunk[1]+ .as_colorf()+ .expect("gradient stop color is not color"),+ }+ })+ .collect::<Vec<_>>();+ let extend_mode = if self["repeat"].as_bool().unwrap_or(false) {+ ExtendMode::Repeat+ } else {+ ExtendMode::Clamp+ };++ dl.create_gradient(start, end, stops, extend_mode)+ }++ fn as_radial_gradient(&self, dl: &mut DisplayListBuilder) -> RadialGradient {+ let center = self["center"].as_point().expect("radial gradient must have center");+ let radius = self["radius"].as_size().expect("radial gradient must have a radius");+ let stops = self["stops"]+ .as_vec()+ .expect("radial gradient must have stops")+ .chunks(2)+ .map(|chunk| {+ GradientStop {+ offset: chunk[0]+ .as_force_f32()+ .expect("gradient stop offset is not f32"),+ color: chunk[1]+ .as_colorf()+ .expect("gradient stop color is not color"),+ }+ })+ .collect::<Vec<_>>();+ let extend_mode = if self["repeat"].as_bool().unwrap_or(false) {+ ExtendMode::Repeat+ } else {+ ExtendMode::Clamp+ };++ dl.create_radial_gradient(center, radius, stops, extend_mode)+ }++ fn as_conic_gradient(&self, dl: &mut DisplayListBuilder) -> ConicGradient {+ let center = self["center"].as_point().expect("conic gradient must have center");+ let angle = self["angle"].as_force_f32().expect("conic gradient must have an angle");+ let stops = self["stops"]+ .as_vec()+ .expect("conic gradient must have stops")+ .chunks(2)+ .map(|chunk| {+ GradientStop {+ offset: chunk[0]+ .as_force_f32()+ .expect("gradient stop offset is not f32"),+ color: chunk[1]+ .as_colorf()+ .expect("gradient stop color is not color"),+ }+ })+ .collect::<Vec<_>>();+ let extend_mode = if self["repeat"].as_bool().unwrap_or(false) {+ ExtendMode::Repeat+ } else {+ ExtendMode::Clamp+ };++ dl.create_conic_gradient(center, angle, stops, extend_mode)+ }++ fn as_complex_clip_regions(&self) -> Vec<ComplexClipRegion> {+ match *self {+ Yaml::Array(ref array) => array+ .iter()+ .map(Yaml::as_complex_clip_region)+ .collect(),+ Yaml::BadValue => vec![],+ _ => {+ println!("Unable to parse complex clip region {:?}", self);+ vec![]+ }+ } } }
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: not sure
Potential Integer Overflow/Underflow [File] gfx/wr/wrench/src/yaml_helper.rs [Lines] 241-247, 250-254
[Old Code]
```rust
fn as_vec_u32(&self) -> Option<Vec<u32>> {
if let Some(v) = self.as_vec() {
Some(v.iter().map(|v| v.as_i64().unwrap() as u32).collect())
} else {
None
}
}
```
[Fixed Code]
```rust
fn as_vec_u32(&self) -> Option<Vec<u32>> {
self.as_vec().map(|v| v.iter().map(|v| v.as_i64().unwrap() as u32).collect())
}
```
Additional Details: While the code is more concise, there's still no bounds checking when converting from i64 to u32/u64 which could lead to integer overflow/underflow.
2. Vulnerability Existed: yes
Improper Input Validation [File] gfx/wr/wrench/src/yaml_helper.rs [Lines] 424-437
[Old Code]
```rust
if let Some(mut nums) = self.as_vec_f32() {
assert!(nums.len() == 3 || nums.len() == 4, ...);
if nums.len() == 3 {
nums.push(1.0);
}
assert!(nums[3] >= 0.0 && nums[3] <= 1.0, ...);
return Some(ColorF::new(nums[0]/255.0, nums[1]/255.0, nums[2]/255.0, nums[3]));
}
```
[Fixed Code]
```rust
if let Some(nums) = self.as_vec_f32() {
assert!(nums.iter().take(3).all(|x| (0.0..=255.0).contains(x)), ...);
let color: ColorF = match *nums.as_slice() {
[r, g, b] => ColorF { r, g, b, a: 1.0 },
[r, g, b, a] => ColorF { r, g, b, a },
_ => panic!("...", self),
}.scale_rgb(1.0/255.0);
assert!((0.0..=1.0).contains(&color.a), ...);
Some(color)
}
```
Additional Details: The new code adds proper range validation for RGB values (0-255) and alpha (0-1), preventing potential invalid color values.
3. Vulnerability Existed: not sure
Potential Panic Conditions [File] gfx/wr/wrench/src/yaml_helper.rs [Lines] 642-646
[Old Code]
```rust
let func_types: Vec<ComponentTransferFuncType> =
func_types_p.into_iter().map(|x| { match StringEnum::from_str(&x) {
Some(y) => y,
None => panic!("Invalid filter data specified...", self),
}}).collect();
```
[Fixed Code]
```rust
let func_types: Vec<ComponentTransferFuncType> =
func_types_p.into_iter().map(|x|
StringEnum::from_str(&x).unwrap_or_else(||
panic!("Invalid filter data specified...", self)
).collect();
```
Additional Details: While the error handling is more concise, both versions could potentially panic on invalid input.
The diff shows several improvements in input validation and error handling, particularly around color value processing. The most significant security improvement is the addition of proper range checking for color values in the `as_colorf` method. Other changes are primarily code quality improvements that don't directly address security vulnerabilities but make the code more robust.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.lighter.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.lighter.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0';@@ -24,8 +24,8 @@ ctx.clip(); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 50, 50);-_assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");+_assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");+_assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255"); t.done(); });
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and corresponding updates to the variable references. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.clip.lighter.worker.js] [Lines 13-24]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[...]
_assertPixel(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
_assertPixel(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
[...]
_assertPixel(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255");
_assertPixel(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255");
This appears to be a code style/readability change rather than a security fix. The functionality remains identical, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit/BaselineJIT.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit/BaselineJIT.h@@ -395,8 +395,6 @@ return offsetof(BaselineScript, resumeEntriesOffset_); }- static void preWriteBarrier(Zone* zone, BaselineScript* script);- bool hasPendingIonCompileTask() const { return !!pendingIonCompileTask_; } js::jit::IonCompileTask* pendingIonCompileTask() {
Based on the provided code diff, here's the analysis: Vulnerability Existed: not sure [Potential Memory Management Issue] [js/src/jit/BaselineJIT.h] [Lines 395] [Old Code] static void preWriteBarrier(Zone* zone, BaselineScript* script); [Fixed Code] [Removed] Additional Details: The diff shows removal of a `preWriteBarrier` function declaration. This appears to be related to garbage collection/memory management in JavaScript's JIT compiler. While the removal could indicate a security fix (perhaps preventing some memory management vulnerability), without more context about why this was removed or what functionality replaced it, I can't be certain if this was fixing an actual vulnerability or just a code cleanup. Note: Write barriers are typically used in garbage collection systems to track object references. Their removal could potentially affect memory safety, but could also simply indicate a change in memory management strategy. More context would be needed to determine if this was actually fixing a vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/layers/client/TextureClient.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/layers/client/TextureClient.cpp@@ -850,6 +850,14 @@ return mData ? mData->Serialize(aOutDescriptor) : false; }+bool TextureClient::CropYCbCrPlanes(const gfx::IntSize& aYSize,+ const gfx::IntSize& aCbCrSize) {+ if (!mData) {+ return false;+ }+ return mData->CropYCbCrPlanes(aYSize, aCbCrSize);+}+ // static PTextureChild* TextureClient::CreateIPDLActor() { TextureChild* c = new TextureChild();@@ -1031,7 +1039,7 @@ PTextureChild* actor = aForwarder->GetTextureForwarder()->CreateTexture( desc, std::move(readLockDescriptor), aForwarder->GetCompositorBackendType(), GetFlags(), mSerial,- mExternalImageId, nullptr);+ mExternalImageId); if (!actor) { gfxCriticalNote << static_cast<int32_t>(desc.type()) << ", "
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Potential Null Pointer Dereference] [gfx/layers/client/TextureClient.cpp] [Lines 850-856]
[Old Code]
(No previous implementation of CropYCbCrPlanes existed)
[Fixed Code]
```cpp
bool TextureClient::CropYCbCrPlanes(const gfx::IntSize& aYSize,
const gfx::IntSize& aCbCrSize) {
if (!mData) {
return false;
}
return mData->CropYCbCrPlanes(aYSize, aCbCrSize);
}
```
Additional Details: The new function adds a null check for mData, preventing potential null pointer dereference. However, without seeing the full context of how this function is used, we can't be certain if this was fixing an actual vulnerability or just defensive programming.
2. Vulnerability Existed: not sure
[Potential Argument Injection/Unsafe Parameter Passing] [gfx/layers/client/TextureClient.cpp] [Lines 1039]
[Old Code]
```cpp
PTextureChild* actor = aForwarder->GetTextureForwarder()->CreateTexture(
desc, std::move(readLockDescriptor),
aForwarder->GetCompositorBackendType(), GetFlags(), mSerial,
mExternalImageId, nullptr);
```
[Fixed Code]
```cpp
PTextureChild* actor = aForwarder->GetTextureForwarder()->CreateTexture(
desc, std::move(readLockDescriptor),
aForwarder->GetCompositorBackendType(), GetFlags(), mSerial,
mExternalImageId);
```
Additional Details: The removal of the nullptr parameter might indicate a fix for potential argument injection or unsafe parameter passing, but without knowing the implementation details of CreateTexture, we can't be certain if this was actually vulnerable or just a cleanup.
Note: Both cases show defensive programming improvements, but without more context about how these functions are used and what vulnerabilities they might be preventing, we can't definitively say these were security fixes. The changes appear to make the code more robust against potential null pointer issues and simplify parameter passing.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/futures-util/src/io/empty.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/futures-util/src/io/empty.rs@@ -1,6 +1,4 @@ use futures_core::task::{Context, Poll};-#[cfg(feature = "read-initializer")]-use futures_io::Initializer; use futures_io::{AsyncBufRead, AsyncRead}; use std::fmt; use std::io;@@ -43,12 +41,6 @@ ) -> Poll<io::Result<usize>> { Poll::Ready(Ok(0)) }-- #[cfg(feature = "read-initializer")]- #[inline]- unsafe fn initializer(&self) -> Initializer {- Initializer::nop()- } } impl AsyncBufRead for Empty {
Analyzing the provided code diff, here's the security assessment:
Vulnerability Existed: not sure
[Potential Information Leak] [third_party/rust/futures-util/src/io/empty.rs] [Lines removed: 1-4, 43-48]
[Old Code]
#[cfg(feature = "read-initializer")]
use futures_io::Initializer;
...
#[cfg(feature = "read-initializer")]
#[inline]
unsafe fn initializer(&self) -> Initializer {
Initializer::nop()
}
[Fixed Code]
(removed entirely)
Additional Details:
- The diff shows removal of code related to the "read-initializer" feature
- The removed code included an unsafe function that could potentially be related to memory initialization
- Without more context about the "read-initializer" feature and its usage, it's difficult to determine if this was an actual security vulnerability
- The removal might be related to security hardening by eliminating unsafe code, but this is speculative
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-contain/contain-size-061.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-contain/contain-size-061.html@@ -8,7 +8,6 @@ <link rel="help" href="https://www.w3.org/TR/css-contain-1/#containment-size"> <link rel="match" href="reference/contain-size-061-ref.html">- <meta name="flags" content=""> <style> div
Let me analyze the code diff for potential security vulnerabilities. Vulnerability Existed: no [No specific vulnerability found] [testing/web-platform/tests/css/css-contain/contain-size-061.html] [Lines 8] [Old Code: <meta name="flags" content="">] [Fixed Code: (removed)] Additional details: 1. The change simply removes an empty meta tag with a "flags" attribute, which appears to be test-related metadata. 2. This doesn't appear to be a security-related fix but rather a cleanup of test code. 3. The empty meta tag didn't pose any security risk, and its removal doesn't indicate any vulnerability was fixed. No security vulnerabilities were identified in this diff. The change appears to be a minor cleanup of test code rather than a security fix.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-values/calc-background-position-1-ref.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-values/calc-background-position-1-ref.html@@ -3,7 +3,6 @@ <head> <title>CSS Reference: Test for calc() on background-position</title> <link rel="author" title="L. David Baron" href="https://bugzilla.mozilla.org/show_bug.cgi?id=594934">- <meta name="flags" content=""> <style type="text/css"> p {
Based on the provided code diff, here's the analysis: Vulnerability Existed: no [No security vulnerability found] [testing/web-platform/tests/css/css-values/calc-background-position-1-ref.html] [Lines 3-6] [Old Code] <link rel="author" title="L. David Baron" href="https://bugzilla.mozilla.org/show_bug.cgi?id=594934"> <meta name="flags" content=""> <style type="text/css"> [Fixed Code] <link rel="author" title="L. David Baron" href="https://bugzilla.mozilla.org/show_bug.cgi?id=594934"> <style type="text/css"> The change simply removes an empty meta tag with a "flags" attribute, which doesn't appear to be security-related. This seems to be a minor cleanup rather than a security fix. The modification doesn't introduce or fix any apparent security vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wgpu-hal/src/gles/mod.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wgpu-hal/src/gles/mod.rs@@ -230,6 +230,7 @@ Renderbuffer { raw: glow::Renderbuffer, },+ DefaultRenderbuffer, Texture { raw: glow::Texture, target: BindTarget,@@ -239,7 +240,7 @@ impl TextureInner { fn as_native(&self) -> (glow::Texture, BindTarget) { match *self {- Self::Renderbuffer { .. } => {+ Self::Renderbuffer { .. } | Self::DefaultRenderbuffer => { panic!("Unexpected renderbuffer"); } Self::Texture { raw, target } => (raw, target),@@ -256,6 +257,27 @@ #[allow(unused)] format_desc: TextureFormatDesc, copy_size: crate::CopyExtent,+}++impl Texture {+ pub fn default_framebuffer(format: wgt::TextureFormat) -> Self {+ Self {+ inner: TextureInner::DefaultRenderbuffer,+ mip_level_count: 1,+ array_layer_count: 1,+ format,+ format_desc: TextureFormatDesc {+ internal: 0,+ external: 0,+ data_type: 0,+ },+ copy_size: crate::CopyExtent {+ width: 0,+ height: 0,+ depth: 0,+ },+ }+ } } #[derive(Clone, Debug)]@@ -612,7 +634,9 @@ dst_target: BindTarget, dst_offset: wgt::BufferAddress, },- ResetFramebuffer,+ ResetFramebuffer {+ is_default: bool,+ }, BindAttachment { attachment: u32, view: TextureView,
Analyzing the provided code diff, I can identify the following potential security-related changes:
1. Vulnerability Existed: not sure
[Potential Uninitialized Memory Usage] [third_party/rust/wgpu-hal/src/gles/mod.rs] [Lines 230-240, 256-279]
[Old Code]
enum TextureInner {
Renderbuffer {
raw: glow::Renderbuffer,
},
Texture {
raw: glow::Texture,
target: BindTarget,
},
}
[Fixed Code]
enum TextureInner {
Renderbuffer {
raw: glow::Renderbuffer,
},
DefaultRenderbuffer,
Texture {
raw: glow::Texture,
target: BindTarget,
},
}
The addition of DefaultRenderbuffer variant and associated handling might be related to preventing potential uninitialized memory usage, though this is not certain.
2. Vulnerability Existed: not sure
[Potential State Confusion] [third_party/rust/wgpu-hal/src/gles/mod.rs] [Lines 612-614]
[Old Code]
ResetFramebuffer,
[Fixed Code]
ResetFramebuffer {
is_default: bool,
}
The change from a simple variant to one with a boolean field suggests better tracking of framebuffer state, possibly preventing state confusion attacks, though the exact security impact is unclear.
3. Vulnerability Existed: not sure
[Potential Information Leak] [third_party/rust/wgpu-hal/src/gles/mod.rs] [Lines 256-279]
[Old Code]
(No default_framebuffer implementation)
[Fixed Code]
pub fn default_framebuffer(format: wgt::TextureFormat) -> Self {
Self {
inner: TextureInner::DefaultRenderbuffer,
mip_level_count: 1,
array_layer_count: 1,
format,
format_desc: TextureFormatDesc {
internal: 0,
external: 0,
data_type: 0,
},
copy_size: crate::CopyExtent {
width: 0,
height: 0,
depth: 0,
},
}
}
The addition of explicit default framebuffer handling with zero-initialized fields might be related to preventing information leaks from uninitialized memory, though this is speculative.
Note: While these changes appear to be security-related improvements, without more context about the specific vulnerabilities being addressed, we can't definitively name the vulnerabilities. The changes suggest improvements in state tracking and initialization which are generally good security practices.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/reftests/css-grid/grid-fragmentation-006-ref.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/reftests/css-grid/grid-fragmentation-006-ref.html@@ -21,7 +21,7 @@ -ms-column-fill: auto; -webkit-column-fill: auto; column-fill: auto;- border: 2px dashed;+ border: 2px solid salmon; margin-bottom: 5px; }
Based on the provided code diff, I'll analyze it for security vulnerabilities: Vulnerability Existed: no [No security vulnerability found] [layout/reftests/css-grid/grid-fragmentation-006-ref.html] [Lines 21] [Old Code: border: 2px dashed;] [Fixed Code: border: 2px solid salmon;] Additional details: - This appears to be a purely visual/style change in a test file - The change modifies the border style from dashed to solid and adds a color (salmon) - There are no security implications in this change as it doesn't affect any security-sensitive functionality - The file is a reference test for CSS grid fragmentation, not production code
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-175c.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-175c.xml@@ -9,7 +9,6 @@ <link rel="author" title="Ian Hickson" href="mailto:[email protected]"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found --> <link rel="match" href="reference/this-line-green-color.xht"/>- <meta name="flags" content="" /> </head> <body> <p class="13">This line should be green.</p>
Analyzing the provided code diff, here's the security analysis: Vulnerability Existed: no [No specific vulnerability found] [testing/web-platform/tests/css/selectors/old-tests/css3-modsel-175c.xml] [Lines 9] [Old Code: <meta name="flags" content="" />] [Fixed Code: (line removed)] Additional details: 1. The change simply removes an empty meta tag with a "flags" attribute, which doesn't appear to have any security implications. 2. The "flags" meta tag was likely used for test configuration and its removal doesn't indicate a security fix. 3. There's no evidence of XSS, injection, or other common web vulnerabilities in this change. 4. The modification appears to be a test cleanup rather than a security-related fix. No known vulnerability names apply to this change. The modification is more likely related to test maintenance or code cleanup.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/serviceworkers/ServiceWorkerRegistrar.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/serviceworkers/ServiceWorkerRegistrar.cpp@@ -352,7 +352,12 @@ void ServiceWorkerRegistrar::LoadData() { MOZ_ASSERT(!NS_IsMainThread());- MOZ_ASSERT(!mDataLoaded);+#ifdef DEBUG+ {+ MonitorAutoLock lock(mMonitor);+ MOZ_ASSERT(!mDataLoaded);+ }+#endif nsresult rv = ReadData();@@ -373,10 +378,9 @@ } MOZ_ASSERT(NS_IsMainThread());+ MonitorAutoLock lock(mMonitor); mData.Clear(); mDataLoaded = false;-- MonitorAutoLock lock(mMonitor); nsCOMPtr<nsIEventTarget> target = do_GetService(NS_STREAMTRANSPORTSERVICE_CONTRACTID);@@ -826,47 +830,48 @@ stream->Close();- // XXX: The following code is writing to mData without holding a- // monitor lock. This might be ok since this is currently- // only called at startup where we block the main thread- // preventing further operation until it completes. We should- // consider better locking here in the future.-- // Copy data over to mData.- for (uint32_t i = 0; i < tmpData.Length(); ++i) {- // Older versions could sometimes write out empty, useless entries.- // Prune those here.- if (!ServiceWorkerRegistrationDataIsValid(tmpData[i])) {- continue;- }-- bool match = false;- if (dedupe) {- MOZ_ASSERT(overwrite);- // If this is an old profile, then we might need to deduplicate. In- // theory this can be removed in the future (Bug 1248449)- for (uint32_t j = 0; j < mData.Length(); ++j) {- // Use same comparison as RegisterServiceWorker. Scope contains- // basic origin information. Combine with any principal attributes.- if (Equivalent(tmpData[i], mData[j])) {- // Last match wins, just like legacy loading used to do in- // the ServiceWorkerManager.- mData[j] = tmpData[i];- // Dupe found, so overwrite file with reduced list.- match = true;- break;+ // We currently only call this at startup where we block the main thread+ // preventing further operation until it completes, however take the lock+ // in case that changes++ {+ MonitorAutoLock lock(mMonitor);+ // Copy data over to mData.+ for (uint32_t i = 0; i < tmpData.Length(); ++i) {+ // Older versions could sometimes write out empty, useless entries.+ // Prune those here.+ if (!ServiceWorkerRegistrationDataIsValid(tmpData[i])) {+ continue;+ }++ bool match = false;+ if (dedupe) {+ MOZ_ASSERT(overwrite);+ // If this is an old profile, then we might need to deduplicate. In+ // theory this can be removed in the future (Bug 1248449)+ for (uint32_t j = 0; j < mData.Length(); ++j) {+ // Use same comparison as RegisterServiceWorker. Scope contains+ // basic origin information. Combine with any principal attributes.+ if (Equivalent(tmpData[i], mData[j])) {+ // Last match wins, just like legacy loading used to do in+ // the ServiceWorkerManager.+ mData[j] = tmpData[i];+ // Dupe found, so overwrite file with reduced list.+ match = true;+ break;+ } }- }- } else {+ } else { #ifdef DEBUG- // Otherwise assert no duplications in debug builds.- for (uint32_t j = 0; j < mData.Length(); ++j) {- MOZ_ASSERT(!Equivalent(tmpData[i], mData[j]));- }+ // Otherwise assert no duplications in debug builds.+ for (uint32_t j = 0; j < mData.Length(); ++j) {+ MOZ_ASSERT(!Equivalent(tmpData[i], mData[j]));+ } #endif- }- if (!match) {- mData.AppendElement(tmpData[i]);+ }+ if (!match) {+ mData.AppendElement(tmpData[i]);+ } } }
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: yes
Race Condition / Improper Synchronization [File] dom/serviceworkers/ServiceWorkerRegistrar.cpp [Lines 352-373]
[Old Code]
```cpp
void ServiceWorkerRegistrar::LoadData() {
MOZ_ASSERT(!NS_IsMainThread());
MOZ_ASSERT(!mDataLoaded);
```
[Fixed Code]
```cpp
void ServiceWorkerRegistrar::LoadData() {
MOZ_ASSERT(!NS_IsMainThread());
#ifdef DEBUG
{
MonitorAutoLock lock(mMonitor);
MOZ_ASSERT(!mDataLoaded);
}
#endif
```
2. Vulnerability Existed: yes
Race Condition / Improper Synchronization [File] dom/serviceworkers/ServiceWorkerRegistrar.cpp [Lines 826-873]
[Old Code]
```cpp
// XXX: The following code is writing to mData without holding a
// monitor lock. This might be ok since this is currently
// only called at startup where we block the main thread
// preventing further operation until it completes. We should
// consider better locking here in the future.
```
[Fixed Code]
```cpp
// We currently only call this at startup where we block the main thread
// preventing further operation until it completes, however take the lock
// in case that changes
{
MonitorAutoLock lock(mMonitor);
// Copy data over to mData.
[...]
}
```
The changes address potential race conditions by:
1. Adding proper lock protection around the mDataLoaded assertion check
2. Adding proper lock protection around the mData modification operations that were previously unprotected
The vulnerabilities were related to improper synchronization that could lead to race conditions when accessing shared data structures. The fixes ensure thread-safe access to these shared resources by properly acquiring the monitor lock before accessing them.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-transforms/rotate_y_45deg.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-transforms/rotate_y_45deg.html@@ -5,8 +5,7 @@ <link rel="author" title="Ebay Inc." href="mailto:[email protected]"/> <link rel="help" href="http://www.w3.org/TR/css-transforms-2/#3d-transform-rendering"/> <link rel="match" href="rotate_y_45deg-ref.html"/>- <meta name="fuzzy" content="maxDifference=159-255;totalPixels=100-200">- <meta name="flags" content="" />+ <meta name="fuzzy" content="maxDifference=159-255;totalPixels=50-200"> <meta name="assert" content="Rotate 45 degree in y axis"/> <style type="text/css"> .container {
Based on the provided code diff, I don't see any security-related changes. The modifications appear to be test configuration adjustments rather than security fixes. Here's the analysis: Vulnerability Existed: no [No security vulnerability found] [testing/web-platform/tests/css/css-transforms/rotate_y_45deg.html] [Lines 5-7] [Old Code] <meta name="fuzzy" content="maxDifference=159-255;totalPixels=100-200"> <meta name="flags" content="" /> [Fixed Code] <meta name="fuzzy" content="maxDifference=159-255;totalPixels=50-200"> The changes made are: 1. Removed an empty "flags" meta tag 2. Adjusted the fuzzy matching parameters for the test (changed totalPixels range from 100-200 to 50-200) These changes appear to be related to test tolerance settings rather than security fixes. No security vulnerabilities were addressed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.