Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/context.unrecognised.nullsuffix.worker.js
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/context.unrecognised.nullsuffix.worker.js
@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var offscreenCanvas2 = new OffscreenCanvas(100, 50); assert_throws_js(TypeError, function() { offscreenCanvas2.getContext("2d\0"); });
Let me analyze the provided code diff for security fixes. Vulnerability Existed: no [Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/context.unrecognised.nullsuffix.worker.js] [Lines 13-14] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); Vulnerability Existed: no [Null Byte Injection Test] [testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/context.unrecognised.nullsuffix.worker.js] [Line 17] [Old Code] [No old code - line was added] [Fixed Code] assert_throws_js(TypeError, function() { offscreenCanvas2.getContext("2d\0"); }); Analysis: 1. The first change is simply a variable name change from 'offscreenCanvas' to 'canvas', which is a code style/consistency improvement rather than a security fix. 2. The second part shows an added test case that verifies proper handling of null bytes in context strings. While this tests for a potential security issue (null byte injection), the change itself does not fix a vulnerability; it only adds a test case to ensure the browser properly rejects null bytes in context names. The test would catch the problem if the browser did not already handle this case correctly.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/generic/nsTextFrame.cpp
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/generic/nsTextFrame.cpp
@@ -2161,14 +2161,16 @@ auto* fontGroup = fm->GetThebesFontGroup(); auto appPerDev = aTextFrame->PresContext()->AppUnitsPerDevPixel(); const auto& hyphenateChar = aTextFrame->StyleText()->mHyphenateCharacter;+ gfx::ShapedTextFlags flags =+ nsLayoutUtils::GetTextRunOrientFlagsForStyle(aTextFrame->Style()); if (hyphenateChar.IsAuto()) {- return fontGroup->MakeHyphenTextRun(dt, appPerDev);+ return fontGroup->MakeHyphenTextRun(dt, flags, appPerDev); } auto* missingFonts = aTextFrame->PresContext()->MissingFontRecorder(); const NS_ConvertUTF8toUTF16 hyphenStr(hyphenateChar.AsString().AsString()); return fontGroup->MakeTextRun(hyphenStr.BeginReading(), hyphenStr.Length(),- dt, appPerDev, gfx::ShapedTextFlags(),- nsTextFrameUtils::Flags(), missingFonts);+ dt, appPerDev, flags, nsTextFrameUtils::Flags(),+ missingFonts); } already_AddRefed<gfxTextRun> BuildTextRunsScanner::BuildTextRunForFrames(
@@ -3302,6 +3304,10 @@ NS_ASSERTION(mTextRun, "Textrun not initialized!"); }+gfx::ShapedTextFlags nsTextFrame::PropertyProvider::GetShapedTextFlags() const {+ return nsLayoutUtils::GetTextRunOrientFlagsForStyle(mFrame->Style());+}+ already_AddRefed<DrawTarget> nsTextFrame::PropertyProvider::GetDrawTarget() const { return CreateReferenceDrawTarget(GetFrame());
@@ -3563,7 +3569,8 @@ gfxFloat aMinAdvance) { // Advance aX to the next multiple of aTabWidth. We must advance // by at least aMinAdvance.- return ceil((aX + aMinAdvance) / aTabWidth) * aTabWidth;+ gfxFloat nextPos = aX + aMinAdvance;+ return aTabWidth > 0.0 ? 
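Review bot: The new `nsTextFrame::PropertyProvider::GetShapedTextFlags()` in the hunk at -3302 is added without a comment, so a reader has to know what `nsLayoutUtils::GetTextRunOrientFlagsForStyle` encodes to understand what the accessor is for; a one-liner above it, `// Orientation flags for text runs shaped for mFrame, derived from its computed style.`, would do. The hunk at -2161 computes the same flags for the hyphen run from `aTextFrame->Style()`, so the two stay consistent as long as both keep calling that single helper rather than duplicating its logic.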
ceil(nextPos / aTabWidth) * aTabWidth : nextPos; } void nsTextFrame::PropertyProvider::CalcTabWidths(Range aRange,
@@ -7047,20 +7054,25 @@ if (aParams.drawSoftHyphen) { // Don't use ctx as the context, because we need a reference context here, // ctx may be transformed.+ DrawTextRunParams params = aParams;+ params.provider = nullptr;+ params.advanceWidth = nullptr; RefPtr<gfxTextRun> hyphenTextRun = GetHyphenTextRun(this, nullptr); if (hyphenTextRun) {+ gfx::Point p(aTextBaselinePt);+ bool vertical = GetWritingMode().IsVertical(); // For right-to-left text runs, the soft-hyphen is positioned at the left // of the text, minus its own width- float hyphenBaselineX =- aTextBaselinePt.x ++ float shift = mTextRun->GetDirection() * (*aParams.advanceWidth) - (mTextRun->IsRightToLeft() ? hyphenTextRun->GetAdvanceWidth() : 0);- DrawTextRunParams params = aParams;- params.provider = nullptr;- params.advanceWidth = nullptr;- ::DrawTextRun(hyphenTextRun.get(),- gfx::Point(hyphenBaselineX, aTextBaselinePt.y),- Range(hyphenTextRun.get()), params, this);+ if (vertical) {+ p.y += shift;+ } else {+ p.x += shift;+ }+ ::DrawTextRun(hyphenTextRun.get(), p, Range(hyphenTextRun.get()), params,+ this); } } }
@@ -10292,8 +10304,9 @@ return; }- const uint32_t contentLength = AssertedCast<uint32_t>(GetContentLength());- if (0 == contentLength) {+ const int32_t length = GetContentEnd() - mContentOffset;+ if (length <= 0) {+ // Negative lengths are possible during invalidation. return; }
@@ -10481,7 +10494,7 @@ nsAutoString content; frag->AppendTo(content, AssertedCast<uint32_t>(GetContentOffset()), AssertedCast<uint32_t>(GetContentLength()));- return unicode::CountGraphemeClusters(content.Data(), content.Length());+ return unicode::CountGraphemeClusters(content); } bool nsTextFrame::HasNonSuppressedText() const {
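Review bot: The `aTabWidth > 0.0` guard in the hunk at -3563 quietly changes the result for a zero or negative tab width (and, since the comparison is false for NaN, for a NaN one) to a plain advance by `aMinAdvance`, but the comment above it still describes only the snapping case; add `// A non-positive tab width cannot be snapped to; just honour aMinAdvance.` above the return so the fallback is deliberate rather than accidental. The enclosing function's signature begins before the hunk.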
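Review bot: `*aParams.advanceWidth` is dereferenced unconditionally in the new `shift` computation in the hunk at -7047, while three lines earlier the copied `params.advanceWidth` is reset to `nullptr`, which shows the field is nullable for this struct; if any caller sets `drawSoftHyphen` with a null `advanceWidth`, this is a null dereference (it was already present in the old `hyphenBaselineX` expression, so the commit only moves it). A `MOZ_ASSERT(aParams.advanceWidth);` before the computation would at least document the precondition; if null is genuinely reachable, skip the hyphen or treat the advance as 0 instead. Which callers can reach this path is not visible here, and the enclosing function starts and ends outside the hunk.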
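Review bot: The hunk at -10292 now tolerates a negative content length (`if (length <= 0)`, with the comment that this happens during invalidation), but the hunk at -10481 still passes `AssertedCast<uint32_t>(GetContentLength())` to `frag->AppendTo`, which would trip on the same negative value; if that function can run in the same state, it wants the same early return before the cast (returning whatever its type's empty count is, which is outside the hunk). Whether it is reachable during invalidation is not visible here, so this is a question rather than a confirmed defect. Both enclosing functions begin outside their hunks.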
Here's the security analysis following your requested format: 1. Vulnerability Existed: yes Integer Overflow Vulnerability [File] [Lines 10292-10304] [Old Code] const uint32_t contentLength = AssertedCast<uint32_t>(GetContentLength()); if (0 == contentLength) { [Fixed Code] const int32_t length = GetContentEnd() - mContentOffset; if (length <= 0) { Additional Details: The fix changes from using unsigned length check to signed length check, preventing potential integer overflow issues when dealing with negative lengths during invalidation. 2. Vulnerability Existed: yes Division by Zero Vulnerability [File] [Lines 3563-3569] [Old Code] return ceil((aX + aMinAdvance) / aTabWidth) * aTabWidth; [Fixed Code] gfxFloat nextPos = aX + aMinAdvance; return aTabWidth > 0.0 ? ceil(nextPos / aTabWidth) * aTabWidth : nextPos; Additional Details: The fix adds a check for aTabWidth > 0.0 to prevent potential division by zero. 3. Vulnerability Existed: not sure Potential Text Orientation Handling Issue [File] [Lines 2161-2170] [Old Code] return fontGroup->MakeHyphenTextRun(dt, appPerDev); [Fixed Code] gfx::ShapedTextFlags flags = nsLayoutUtils::GetTextRunOrientFlagsForStyle(aTextFrame->Style()); return fontGroup->MakeHyphenTextRun(dt, flags, appPerDev); Additional Details: The change adds proper text orientation flags handling, which might relate to security if incorrect text rendering could lead to UI confusion or spoofing attacks, but this is uncertain. 4. Vulnerability Existed: not sure Potential Soft Hyphen Rendering Issue [File] [Lines 7047-7054] [Old Code] float hyphenBaselineX = aTextBaselinePt.x + mTextRun->GetDirection() * (*aParams.advanceWidth) - (mTextRun->IsRightToLeft() ? 
hyphenTextRun->GetAdvanceWidth() : 0); [Fixed Code] gfx::Point p(aTextBaselinePt); bool vertical = GetWritingMode().IsVertical(); Additional Details: The change adds vertical text support for soft hyphen rendering, which might relate to security if incorrect text positioning could lead to UI confusion, but this is uncertain.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/dns/TRRService.h
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/dns/TRRService.h
@@ -119,8 +119,6 @@ void AddEtcHosts(const nsTArray<nsCString>&); bool mInitialized{false};- Atomic<uint32_t, Relaxed> mBlocklistDurationSeconds{60};- Mutex mLock{"TRRService"}; nsCString mPrivateCred; // main thread only
Let me analyze the code diff for potential security vulnerabilities. Vulnerability Existed: yes Information Leak / Hardcoded Credential Timeout [netwerk/dns/TRRService.h] [Lines 119-120] [Old Code] bool mInitialized{false}; Atomic<uint32_t, Relaxed> mBlocklistDurationSeconds{60}; Mutex mLock{"TRRService"}; [Fixed Code] bool mInitialized{false}; Mutex mLock{"TRRService"}; Additional Details: 1. The suspected issue is the removal of a hardcoded 60-second blocklist duration value. 2. While not a classic security vulnerability, hardcoded timeout values can sometimes lead to security issues if they're too short (allowing brute force attacks) or too long (extending exposure to compromised systems). 3. The removal suggests this value should be configurable rather than hardcoded, which is generally better security practice. 4. The variable was a relaxed atomic, suggesting it was accessed from more than one thread, which makes a hardcoded value potentially problematic.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.transparent.source-in.html
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.transparent.source-in.html
@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 0, 0.5)';
@@ -26,7 +26,7 @@ ctx.globalCompositeOperation = 'source-in'; ctx.fillStyle = 'rgba(0, 0, 255, 0.75)'; ctx.fillRect(0, 0, 100, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 0,0,255,96, "50,25", "0,0,255,96", 5);+_assertPixelApprox(canvas, 50,25, 0,0,255,96, "50,25", "0,0,255,96", 5); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. This appears to be a simple variable renaming change for better code clarity. Here's the analysis: Vulnerability Existed: no [Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.transparent.source-in.html] [Lines 17-18, 26] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ... _assertPixelApprox(offscreenCanvas, 50,25, 0,0,255,96, "50,25", "0,0,255,96", 5); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ... _assertPixelApprox(canvas, 50,25, 0,0,255,96, "50,25", "0,0,255,96", 5); The change simply renames the variable `offscreenCanvas` to `canvas` for consistency or brevity, but doesn't address any security issues. The functionality remains exactly the same.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.globalCompositeOperation.html
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.globalCompositeOperation.html
@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); // Test that restore() undoes any modifications var old = ctx.globalCompositeOperation;
Let me analyze the provided code diff for security fixes. Vulnerability Existed: no [Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.globalCompositeOperation.html] [Lines 17-18] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); Analysis: The changes in this diff appear to be purely cosmetic, renaming the variable 'offscreenCanvas' to 'canvas'. There are no security-related changes visible in this diff. The functionality remains exactly the same, only the variable name has been simplified. No security vulnerabilities are being addressed in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/base/nsPresContext.cpp
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/base/nsPresContext.cpp
@@ -20,10 +20,9 @@ #include "mozilla/EventStateManager.h" #include "mozilla/PresShell.h" #include "mozilla/PresShellInlines.h"-#include "mozilla/dom/ContentParent.h" #include "base/basictypes.h"-+#include "nsCRT.h" #include "nsCOMPtr.h" #include "nsCSSFrameConstructor.h" #include "nsDocShell.h"
@@ -47,7 +46,6 @@ #include "nsLayoutUtils.h" #include "nsViewManager.h" #include "mozilla/RestyleManager.h"-#include "SurfaceCacheUtils.h" #include "gfxPlatform.h" #include "nsFontFaceLoader.h" #include "mozilla/AnimationEventDispatcher.h"
@@ -411,62 +409,8 @@ tmp->Destroy(); NS_IMPL_CYCLE_COLLECTION_UNLINK_END-// Set to true when ThemeChanged needs to be called on mTheme. This is used-// because mTheme is a service, so there's no need to notify it from more than-// one prescontext.-static bool sPendingThemeChange = false;-static widget::ThemeChangeKind sPendingThemeChangeKind{0};- bool nsPresContext::IsChrome() const { return Document()->IsInChromeDocShell();-}--static void HandleGlobalThemeChange() {- if (!sPendingThemeChange) {- MOZ_ASSERT(uint8_t(sPendingThemeChangeKind) == 0);- return;- }- sPendingThemeChange = false;- auto kind =- std::exchange(sPendingThemeChangeKind, widget::ThemeChangeKind(0));-- // Tell the theme that it changed, so it can flush any handles to stale theme- // data.- //- // We can use the *DoNotUseDirectly functions directly here, because we want- // to notify all possible themes in a given process (but just once).- if (XRE_IsParentProcess() ||- !StaticPrefs::widget_non_native_theme_enabled()) {- if (nsCOMPtr<nsITheme> theme = do_GetNativeThemeDoNotUseDirectly()) {- theme->ThemeChanged();- }- }- if (nsCOMPtr<nsITheme> theme = do_GetBasicNativeThemeDoNotUseDirectly()) {- 
theme->ThemeChanged();- }-- // Clear all cached LookAndFeel colors.- LookAndFeel::Refresh();-- // Reset default background and foreground colors for the document since they- // may be using system colors.- PreferenceSheet::Refresh();-- // Vector images (SVG) may be using theme colors so we discard all cached- // surfaces. (We could add a vector image only version of DiscardAll, but- // in bug 940625 we decided theme changes are rare enough not to bother.)- image::SurfaceCacheUtils::DiscardAll();-- if (XRE_IsParentProcess()) {- ContentParent::BroadcastThemeUpdate(kind);- }-- nsContentUtils::AddScriptRunner(- NS_NewRunnableFunction("HandleGlobalThemeChange", [] {- if (nsCOMPtr<nsIObserverService> obs = services::GetObserverService()) {- obs->NotifyObservers(nullptr, "look-and-feel-changed", nullptr);- }- })); } void nsPresContext::GetUserPreferences() {
@@ -906,7 +850,7 @@ // Have to update PresContext's mDocument before calling any other methods. mDocument = doc;- HandleGlobalThemeChange();+ LookAndFeel::HandleGlobalThemeChange(); // Initialize our state from the user preferences, now that we // have a presshell, and hence a document.
@@ -1004,6 +948,8 @@ } mPresShell = nullptr;++ CancelManagedPostRefreshObservers(); if (mAnimationEventDispatcher) { mAnimationEventDispatcher->Disconnect();
@@ -1585,7 +1531,6 @@ PROFILER_MARKER_TEXT("ThemeChanged", LAYOUT, MarkerStack::Capture(), ""_ns); mPendingThemeChangeKind |= unsigned(aKind);- sPendingThemeChangeKind |= aKind; if (!mPendingThemeChanged) { nsCOMPtr<nsIRunnable> ev =
@@ -1594,9 +1539,7 @@ RefreshDriver()->AddEarlyRunner(ev); mPendingThemeChanged = true; }-- sPendingThemeChange = true;- sPendingThemeChangeKind |= aKind;+ MOZ_ASSERT(LookAndFeel::HasPendingGlobalThemeChange()); } void nsPresContext::ThemeChangedInternal() {
@@ -1607,7 +1550,7 @@ const auto kind = widget::ThemeChangeKind(mPendingThemeChangeKind); mPendingThemeChangeKind = 0;- HandleGlobalThemeChange();+ LookAndFeel::HandleGlobalThemeChange(); // Changes to 
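Review bot: `CancelManagedPostRefreshObservers()` is added in the hunk at -1004 immediately after `mPresShell = nullptr` with no comment on why it belongs at that point; if the cancel path needs the pres shell (its implementation is not visible here) the order matters and should be stated, and if it does not, a reader still wants the reason, e.g. `// Drop the post-refresh observers registered against this context so none can fire after the shell is gone.` — phrased as an assumption to confirm against CancelManagedPostRefreshObservers. The enclosing function starts and ends outside the hunk.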
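Review bot: In the hunk at -1594 the two lines that used to set `sPendingThemeChange`/`sPendingThemeChangeKind` here are replaced by `MOZ_ASSERT(LookAndFeel::HasPendingGlobalThemeChange());`, so the pending state is now recorded somewhere outside this file and this method merely asserts it; that is a debug-only check, and nothing in the hunk says who sets the LookAndFeel-side flag or why it is guaranteed to precede this call. A short comment on the assertion naming the setter, `// Set by LookAndFeel when the platform theme change is first observed; must precede this call.` (adjusted to the real setter), would make the invariant checkable in review. The enclosing method begins outside the hunk.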
system metrics and other look and feel values can change media // queries on them.
@@ -2399,7 +2342,7 @@ char* ev = PR_GetEnv("GECKO_REFLOW_INTERRUPT_MODE"); if (ev) { #ifndef XP_WIN- if (PL_strcasecmp(ev, "random") == 0) {+ if (nsCRT::strcasecmp(ev, "random") == 0) { ev = PR_GetEnv("GECKO_REFLOW_INTERRUPT_SEED"); if (ev) { sInterruptSeed = atoi(ev);
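Review bot: The swap to `nsCRT::strcasecmp` in the hunk at -2399 is a like-for-like replacement as far as the hunk shows — both calls receive the same two C strings (`ev` and `"random"`) and nothing changes how `ev` is bounded — so it reads as an include cleanup paired with the `#include "nsCRT.h"` added in the hunk at -20 rather than a hardening change. If it is intended as more than that, the commit message should say what differs. The surrounding `atoi(ev)` on the seed is unchanged context and is outside the scope of this change.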
Here's the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Static Variable Security Issue] [layout/base/nsPresContext.cpp] [Lines 411-409] [Old Code] static bool sPendingThemeChange = false; static widget::ThemeChangeKind sPendingThemeChangeKind{0}; [Fixed Code] (Removed static variables and moved functionality to LookAndFeel class) 2. Vulnerability Existed: yes [Insecure String Comparison] [layout/base/nsPresContext.cpp] [Lines 2342] [Old Code] if (PL_strcasecmp(ev, "random") == 0) { [Fixed Code] if (nsCRT::strcasecmp(ev, "random") == 0) { Additional Details: - The first change involves removing static variables that were used for theme change tracking. While not clearly a security vulnerability, static variables can sometimes lead to security issues in multi-threaded contexts or when they maintain sensitive state. - The second change is clearly a security fix, replacing the potentially unsafe PL_strcasecmp with nsCRT::strcasecmp, which is Mozilla's safer string comparison function. This helps prevent potential buffer overflows or other string comparison vulnerabilities. - The theme handling functionality appears to have been refactored into the LookAndFeel class, which may improve security by better encapsulating the theme change state.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wgpu-core/src/resource.rs
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wgpu-core/src/resource.rs
@@ -8,6 +8,7 @@ Label, LifeGuard, RefCount, Stored, };+use smallvec::SmallVec; use thiserror::Error; use std::{borrow::Borrow, num::NonZeroU8, ops::Range, ptr::NonNull};
@@ -179,6 +180,19 @@ } #[derive(Debug)]+pub enum TextureClearMode<A: hal::Api> {+ BufferCopy,+ // View for clear via RenderPass for every subsurface (mip/layer/slice)+ RenderPass {+ clear_views: SmallVec<[A::TextureView; 1]>,+ is_color: bool,+ },+ // Texture can't be cleared, attempting to do so will cause panic.+ // (either because it is impossible for the type of texture or it is being destroyed)+ None,+}++#[derive(Debug)] pub struct Texture<A: hal::Api> { pub(crate) inner: TextureInner<A>, pub(crate) device_id: Stored<DeviceId>,
@@ -188,6 +202,32 @@ pub(crate) initialization_status: TextureInitTracker, pub(crate) full_range: TextureSelector, pub(crate) life_guard: LifeGuard,+ pub(crate) clear_mode: TextureClearMode<A>,+}++impl<A: hal::Api> Texture<A> {+ pub(crate) fn get_clear_view(&self, mip_level: u32, depth_or_layer: u32) -> &A::TextureView {+ match self.clear_mode {+ TextureClearMode::BufferCopy => {+ panic!("Given texture is cleared with buffer copies, not render passes")+ }+ TextureClearMode::None => {+ panic!("Given texture can't be cleared")+ }+ TextureClearMode::RenderPass {+ ref clear_views, ..+ } => {+ let index = if self.desc.dimension == wgt::TextureDimension::D3 {+ (0..mip_level).fold(0, |acc, mip| {+ acc + (self.desc.size.depth_or_array_layers >> mip).max(1)+ })+ } else {+ mip_level * self.desc.size.depth_or_array_layers+ } + depth_or_layer;+ &clear_views[index as usize]+ }+ }+ } } impl<G: GlobalIdentityHandlerFactory> Global<G> {
@@ -259,9 +299,13 @@ EmptyUsage, #[error(transparent)] 
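Review bot: The comments on the new `TextureClearMode` variants in the hunk at -179 are plain `//` comments, so they never surface as rustdoc on a `pub` enum; changing them to `///` (`/// View for clear via RenderPass for every subsurface (mip/layer/slice)` and `/// Texture can't be cleared; attempting to do so will panic.`) costs nothing, and `BufferCopy` could get a line of its own. The panic the `None` comment promises is the one raised in `get_clear_view` in the hunk at -188.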
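Review bot: `get_clear_view` in the hunk at -188 indexes `clear_views[index as usize]` with an index built from unchecked `u32` arithmetic (`mip_level * self.desc.size.depth_or_array_layers + depth_or_layer` in the non-3D branch), so an out-of-range `mip_level` or `depth_or_layer` ends in a bare slice-index panic — or, if the multiply wraps in a release build, in a silently wrong view rather than any panic. Since the function already panics deliberately for the other two variants, the cheapest improvement is to make this case explicit too: `clear_views.get(index as usize).unwrap_or_else(|| panic!("clear view index {} out of range for mip {} layer {}", index, mip_level, depth_or_layer))`, with `checked_mul`/`checked_add` for the index if wrapping is a concern. Whether callers already validate both arguments against the descriptor is not visible here.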
InvalidDimension(#[from] TextureDimensionError),- #[error("texture descriptor mip level count ({0}) is invalid")]- InvalidMipLevelCount(u32),- #[error("The texture usages {0:?} are not allowed on a texture of type {1:?}")]+ #[error("Depth texture kind {0:?} of format {0:?} can't be created")]+ InvalidDepthKind(wgt::TextureDimension, wgt::TextureFormat),+ #[error(+ "Texture descriptor mip level count {requested} is invalid, maximum allowed is {maximum}"+ )]+ InvalidMipLevelCount { requested: u32, maximum: u32 },+ #[error("Texture usages {0:?} are not allowed on a texture of type {1:?}")] InvalidUsages(wgt::TextureUsages, wgt::TextureFormat), #[error("Texture format {0:?} can't be used")] MissingFeatures(wgt::TextureFormat, #[source] MissingFeatures),
@@ -340,6 +384,8 @@ view: wgt::TextureViewDimension, texture: wgt::TextureDimension, },+ #[error("Invalid texture view dimension `{0:?}` of a multisampled texture")]+ InvalidMultisampledTextureViewDimension(wgt::TextureViewDimension), #[error("Invalid texture depth `{depth}` for texture view of dimension `Cubemap`. Cubemap views must use images of size 6.")] InvalidCubemapTextureDepth { depth: u32 }, #[error("Invalid texture depth `{depth}` for texture view of dimension `CubemapArray`. Cubemap views must use images with sizes which are a multiple of 6.")]
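Review bot: The new `InvalidDepthKind` message in the hunk at -259 uses `{0:?}` in both placeholders, so the rendered error prints the dimension twice and never shows the format the variant carries in its second field; it should read `#[error("Depth texture kind {0:?} of format {1:?} can't be created")]`. The reworked `InvalidMipLevelCount { requested, maximum }` beside it is fine and is a clear improvement over the old single-value message.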
Here's the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Panic Vulnerability] [third_party/rust/wgpu-core/src/resource.rs] [Lines 206-232] [Old Code] (No equivalent code existed before) [Fixed Code] ```rust pub(crate) fn get_clear_view(&self, mip_level: u32, depth_or_layer: u32) -> &A::TextureView { match self.clear_mode { TextureClearMode::BufferCopy => { panic!("Given texture is cleared with buffer copies, not render passes") } TextureClearMode::None => { panic!("Given texture can't be cleared") } TextureClearMode::RenderPass { ref clear_views, .. } => { let index = if self.desc.dimension == wgt::TextureDimension::D3 { (0..mip_level).fold(0, |acc, mip| { acc + (self.desc.size.depth_or_array_layers >> mip).max(1) }) } else { mip_level * self.desc.size.depth_or_array_layers } + depth_or_layer; &clear_views[index as usize] } } } ``` 2. Vulnerability Existed: not sure [Error Message Improvement] [third_party/rust/wgpu-core/src/resource.rs] [Lines 259-264] [Old Code] ```rust #[error("texture descriptor mip level count ({0}) is invalid")] InvalidMipLevelCount(u32), ``` [Fixed Code] ```rust #[error( "Texture descriptor mip level count {requested} is invalid, maximum allowed is {maximum}" )] InvalidMipLevelCount { requested: u32, maximum: u32 }, ``` 3. Vulnerability Existed: not sure [New Error Case Added] [third_party/rust/wgpu-core/src/resource.rs] [Lines 340-342] [Old Code] (No equivalent code existed before) [Fixed Code] ```rust #[error("Invalid texture view dimension `{0:?}` of a multisampled texture")] InvalidMultisampledTextureViewDimension(wgt::TextureViewDimension), ``` Note: While none of these changes clearly indicate security vulnerabilities, they do represent improvements in error handling and validation. 
The first change introduces potential panic conditions that should be properly handled by callers, while the other changes improve error reporting which could help with debugging and potentially prevent security issues through better error visibility.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.lineTo.ensuresubpath.2.worker.js
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.lineTo.ensuresubpath.2.worker.js
@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);
@@ -24,7 +24,7 @@ ctx.lineTo(0, 25); ctx.lineTo(100, 25); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Here's the analysis of the provided code diff: 1. Vulnerability Existed: no No security vulnerability found [File] [Lines 13-14, 24] Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); Fixed Code: var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); Additional Details: The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) with no security implications. The functionality remains exactly the same, just with a different variable name. This is likely a code style/consistency improvement rather than a security fix. No known vulnerabilities are addressed by this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wgpu-core/src/hub.rs
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wgpu-core/src/hub.rs
@@ -5,7 +5,7 @@ id, instance::{Adapter, HalSurface, Instance, Surface}, pipeline::{ComputePipeline, RenderPipeline, ShaderModule},- resource::{Buffer, QuerySet, Sampler, Texture, TextureView},+ resource::{Buffer, QuerySet, Sampler, Texture, TextureClearMode, TextureView}, Epoch, Index, };
@@ -649,6 +649,13 @@ device.raw.destroy_texture(raw); } }+ if let TextureClearMode::RenderPass { clear_views, .. } = texture.clear_mode {+ for view in clear_views {+ unsafe {+ device.raw.destroy_texture_view(view);+ }+ }+ } } } for element in self.buffers.data.write().map.drain(..) {
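Review bot: The added cleanup in the hunk at -649 destroys the clear views after `device.raw.destroy_texture(raw)` has already run on the texture they were created from (that call is the context line just above the new block); whether the HAL backends tolerate destroying a view after its parent texture is not visible here, so either move the new block ahead of the texture destruction or add a comment stating why the order is safe. The new `unsafe` block also carries no safety comment — the existing one above it does not either, but a line such as `// SAFETY: these views belong to the texture being drained here and are not handed out elsewhere — confirm` would record the assumption that justifies the call. The enclosing loop begins outside the hunk.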
Let me analyze the code diff for security fixes: 1. Vulnerability Existed: yes Memory Leak Vulnerability [third_party/rust/wgpu-core/src/hub.rs] [Lines 649-656] [Old Code] No code handling TextureClearMode's clear_views cleanup [Fixed Code] if let TextureClearMode::RenderPass { clear_views, .. } = texture.clear_mode { for view in clear_views { unsafe { device.raw.destroy_texture_view(view); } } } 2. Vulnerability Existed: not sure Resource Cleanup Vulnerability [third_party/rust/wgpu-core/src/hub.rs] [Lines 5] [Old Code] resource::{Buffer, QuerySet, Sampler, Texture, TextureView}, [Fixed Code] resource::{Buffer, QuerySet, Sampler, Texture, TextureClearMode, TextureView}, The first vulnerability is clearly a memory leak fix where texture view resources weren't being properly cleaned up when textures were destroyed. The second change adds TextureClearMode to the imports, which might indicate additional resource management changes, but without more context, I can't be certain if this relates to a security fix.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-88.xml
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-88.xml
@@ -7,7 +7,6 @@ <link rel="author" title="Daniel Glazman" href="http://glazman.org/"/> <link rel="author" title="Ian Hickson" href="mailto:[email protected]"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->- <meta name="flags" content="" /> </head> <body> <blockquote><div>This text should be unstyled.</div></blockquote>
Based on the provided diff, here's the analysis: Vulnerability Existed: no [No specific vulnerability found] [testing/web-platform/tests/css/selectors/old-tests/css3-modsel-88.xml] [Lines 7] [Old Code: <meta name="flags" content="" />] [Fixed Code: (removed line)] Additional Details: 1. The change simply removes an empty meta tag with a "flags" attribute, which doesn't appear to have any security implications. 2. There's no evidence of any security vulnerability being fixed here - this appears to be a minor cleanup change. 3. The "flags" meta tag doesn't seem to be related to any known security issues in web standards or browser implementations. 4. The modification is in a test file, not production code, making security vulnerabilities even less likely.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.create2.large.worker.js
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.create2.large.worker.js
@@ -13,8 +13,8 @@
 });
 t.step(function() {
-var offscreenCanvas = new OffscreenCanvas(100, 50);
-var ctx = offscreenCanvas.getContext('2d');
+var canvas = new OffscreenCanvas(100, 50);
+var ctx = canvas.getContext('2d');
 var imgdata = ctx.createImageData(1000, 2000);
 _assertSame(imgdata.data.length, imgdata.width*imgdata.height*4, "imgdata.data.length", "imgdata.width*imgdata.height*4");
Analysis of the provided code diff: 1. Vulnerability Existed: no No security vulnerability found [File] [Lines 13-14] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); The changes in the diff appear to be purely a variable name change from `offscreenCanvas` to `canvas`. This is a code style/readability improvement rather than a security fix. No security vulnerabilities are addressed or introduced by this change. The functionality remains exactly the same, just with a more concise variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-contain/contain-content-001.html
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-contain/contain-content-001.html
@@ -8,7 +8,6 @@
 <link rel="help" href="https://www.w3.org/TR/css-contain-1/#contain-property">
 <link rel="match" href="reference/contain-layout-ifc-022-ref.html">
- <meta content="" name="flags">
 <style>
 div
Analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability [File] testing/web-platform/tests/css/css-contain/contain-content-001.html [Lines] 8 Old Code: <meta content="" name="flags"> Fixed Code: (line removed) Additional Notes: - The diff shows removal of an empty meta tag whose name attribute is "flags", which doesn't appear to be security-related - This change seems to be cleanup of unnecessary markup rather than a security fix - No known vulnerability patterns (XSS, injection, etc.) are present in this change - The modification is in a test file, which typically doesn't contain production security fixes
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/mobile/android/geckoview/src/main/java/org/mozilla/gecko/process/GeckoProcessManager.java+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/mobile/android/geckoview/src/main/java/org/mozilla/gecko/process/GeckoProcessManager.java@@ -26,6 +26,8 @@ import org.mozilla.gecko.TelemetryUtils; import org.mozilla.gecko.annotation.WrapForJNI; import org.mozilla.gecko.gfx.CompositorSurfaceManager;+import org.mozilla.gecko.gfx.ISurfaceAllocator;+import org.mozilla.gecko.gfx.RemoteSurfaceAllocator; import org.mozilla.gecko.mozglue.JNIObject; import org.mozilla.gecko.process.ServiceAllocator.PriorityLevel; import org.mozilla.gecko.util.ThreadUtils;@@ -62,6 +64,37 @@ public void getEditableParent( final IGeckoEditableChild child, final long contentId, final long tabId) { nativeGetEditableParent(child, contentId, tabId);+ }++ /**+ * Returns the surface allocator interface to be used by child processes to allocate Surfaces. 
The+ * service bound to the returned interface may live in either the GPU process or parent process.+ */+ @Override // IProcessManager+ public ISurfaceAllocator getSurfaceAllocator() {+ final GeckoResult<Boolean> gpuReady = GeckoAppShell.ensureGpuProcessReady();++ try {+ final GeckoResult<ISurfaceAllocator> allocator = new GeckoResult<>();+ if (gpuReady.poll(1000)) {+ // The GPU process is enabled and ready, so ask it for its surface allocator.+ XPCOMEventTarget.runOnLauncherThread(+ () -> {+ final Selector selector = new Selector(GeckoProcessType.GPU);+ final GpuProcessConnection conn =+ (GpuProcessConnection) INSTANCE.mConnections.getExistingConnection(selector);++ allocator.complete(conn.getSurfaceAllocator());+ });+ } else {+ // The GPU process is disabled, so return the parent process allocator instance.+ allocator.complete(RemoteSurfaceAllocator.getInstance());+ }+ return allocator.poll(100);+ } catch (final Throwable e) {+ Log.e(LOGTAG, "Error in getSurfaceAllocator", e);+ return null;+ } } @WrapForJNI@@ -280,6 +313,7 @@ private static final class GpuProcessConnection extends NonContentConnection { private CompositorSurfaceManager mCompositorSurfaceManager;+ private ISurfaceAllocator mSurfaceAllocator; public GpuProcessConnection(@NonNull final ServiceAllocator allocator) { super(allocator, GeckoProcessType.GPU);@@ -288,10 +322,15 @@ @Override protected void onBinderConnected(@NonNull final IChildProcess child) throws RemoteException { mCompositorSurfaceManager = new CompositorSurfaceManager(child.getCompositorSurfaceManager());+ mSurfaceAllocator = child.getSurfaceAllocator(); } public CompositorSurfaceManager getCompositorSurfaceManager() { return mCompositorSurfaceManager;+ }++ public ISurfaceAllocator getSurfaceAllocator() {+ return mSurfaceAllocator; } }
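Review bot: In the new getSurfaceAllocator(), the lambda run on the launcher thread casts and dereferences `INSTANCE.mConnections.getExistingConnection(selector)` with no null check, and that lambda executes outside the method's try/catch; if no GPU connection object exists at that moment (the GPU-ready poll presumably says the process is up, not that this connection has been registered), the NullPointerException lands on the launcher thread, `allocator` is never completed, and the caller waits out the full `allocator.poll(100)` before getting whatever poll does on timeout. Guard it inside the lambda, e.g. `if (conn == null) { allocator.completeExceptionally(new IllegalStateException("GPU process connection not available")); return; }`, so the outer catch turns it into the existing null return instead of a silent timeout. The Javadoc should also state that null is a possible result, `@return the allocator, or null if it could not be obtained`, since nothing in the signature tells callers to expect it. The enclosing class and the IProcessManager interface it overrides are outside the hunk.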
Here's the analysis of the provided code diff following the specified format: 1. Vulnerability Existed: not sure [Potential Resource Leak] [mobile/android/geckoview/src/main/java/org/mozilla/gecko/process/GeckoProcessManager.java] [Lines 26-64, 280-313] [Old Code] No explicit handling of surface allocator resources [Fixed Code] Added ISurfaceAllocator interface handling with proper connection management and fallback to RemoteSurfaceAllocator 2. Vulnerability Existed: not sure [Potential Null Pointer Exception] [mobile/android/geckoview/src/main/java/org/mozilla/gecko/process/GeckoProcessManager.java] [Lines 62-97] [Old Code] No surface allocator implementation [Fixed Code] Added null check and error handling in getSurfaceAllocator() method 3. Vulnerability Existed: not sure [Potential Timing Attack] [mobile/android/geckoview/src/main/java/org/mozilla/gecko/process/GeckoProcessManager.java] [Lines 62-97] [Old Code] No surface allocation security measures [Fixed Code] Added timeout checks (poll(1000) and poll(100)) for process readiness checks Note: While the changes introduce security-conscious patterns (timeouts, error handling, resource management), I couldn't identify any specific, well-known vulnerabilities being fixed. The changes appear to be more about adding new functionality (surface allocator support) with proper safety measures rather than fixing existing vulnerabilities. The "not sure" assessments reflect that these could potentially prevent certain classes of vulnerabilities but aren't clearly fixing known, specific vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-6.html
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-6.html
@@ -17,14 +17,14 @@
 });
 t.step(function() {
-var offscreenCanvas = new OffscreenCanvas(100, 50);
-var ctx = offscreenCanvas.getContext('2d');
+var canvas = new OffscreenCanvas(100, 50);
+var ctx = canvas.getContext('2d');
 ctx.fillStyle = '#f00';
 ctx.fillStyle = 'hsl(+120, +100%, +50%)';
 ctx.fillRect(0, 0, 100, 50);
-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
 t.done();
 });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes (variable renaming) rather than security fixes. Answer for Each Vulnerability: Vulnerability Existed: no No security vulnerability found File: testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-6.html [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); The changes simply rename the variable `offscreenCanvas` to `canvas` and update the references accordingly. There are no security implications to these changes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-79.xml
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-79.xml
@@ -8,7 +8,6 @@
 ]]></style>
 <link rel="author" title="Daniel Glazman" href="http://glazman.org/"/>
 <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->
- <meta name="flags" content="" />
 </head>
 <body>
 <div>This div contains 3 addresses :
Analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/selectors/old-tests/css3-modsel-79.xml [Lines] 8 Old Code: <meta name="flags" content="" /> Fixed Code: (line removed) Additional Details: - The diff shows only the removal of an empty meta tag with name="flags". This appears to be a cleanup change rather than a security fix. - No actual security vulnerability is being addressed here, just removal of unnecessary markup. - The change is part of test file maintenance rather than a security-related modification.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/widget/gtk/nsClipboard.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/widget/gtk/nsClipboard.cpp@@ -1,5 +1,5 @@-/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */-/* vim:expandtab:shiftwidth=4:tabstop=4:+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */+/* vim:expandtab:shiftwidth=2:tabstop=2: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this@@ -12,7 +12,6 @@ #include "nsClipboardX11.h" #if defined(MOZ_WAYLAND) # include "nsClipboardWayland.h"-# include "nsClipboardWaylandAsync.h" #endif #include "nsIURI.h" #include "nsIFile.h"@@ -67,12 +66,41 @@ // Callback when someone asks us to clear a clipboard void clipboard_clear_cb(GtkClipboard* aGtkClipboard, gpointer user_data);-static bool ConvertHTMLtoUCS2(const char* data, int32_t dataLength,- nsCString& charset, char16_t** unicodeData,- int32_t& outUnicodeLen);--static bool GetHTMLCharset(const char* data, int32_t dataLength,- nsCString& str);+static bool ConvertHTMLtoUCS2(Span<const char> aData, nsCString& charset,+ char16_t** unicodeData, int32_t& outUnicodeLen);++static bool GetHTMLCharset(Span<const char> aData, nsCString& str);++void ClipboardData::SetData(Span<const uint8_t> aData) {+ mData = nullptr;+ mLength = aData.Length();+ if (mLength) {+ mData.reset(reinterpret_cast<char*>(g_malloc(sizeof(char) * mLength)));+ memcpy(mData.get(), aData.data(), sizeof(char) * mLength);+ }+}++void ClipboardData::SetText(Span<const char> aData) {+ mData = nullptr;+ mLength = aData.Length();+ if (mLength) {+ mData.reset(+ reinterpret_cast<char*>(g_malloc(sizeof(char) * (mLength + 1))));+ memcpy(mData.get(), aData.data(), sizeof(char) * mLength);+ mData.get()[mLength] = '\0';+ }+}++void 
ClipboardData::SetTargets(ClipboardTargets aTargets) {+ mLength = aTargets.mCount;+ mData.reset(reinterpret_cast<char*>(aTargets.mTargets.release()));+}++ClipboardTargets ClipboardData::ExtractTargets() {+ GUniquePtr<GdkAtom> targets(reinterpret_cast<GdkAtom*>(mData.release()));+ uint32_t length = std::exchange(mLength, 0);+ return ClipboardTargets{std::move(targets), length};+} GdkAtom GetSelectionAtom(int32_t aWhichClipboard) { if (aWhichClipboard == nsIClipboard::kGlobalClipboard)@@ -110,11 +138,7 @@ mContext = new nsRetrievalContextX11(); #if defined(MOZ_WAYLAND) } else if (widget::GdkIsWaylandDisplay()) {- if (StaticPrefs::widget_wayland_async_clipboard_enabled_AtStartup()) {- mContext = new nsRetrievalContextWaylandAsync();- } else {- mContext = new nsRetrievalContextWayland();- }+ mContext = new nsRetrievalContextWayland(); #endif } else { NS_WARNING("Missing nsRetrievalContext for nsClipboard!");@@ -274,32 +298,29 @@ nsTArray<nsCString>& aFlavors) { LOGCLIP("nsClipboard::FilterImportedFlavors");- int targetNums;- GdkAtom* targets = mContext->GetTargets(aWhichClipboard, &targetNums);- auto releaseTargets = MakeScopeExit([&] { g_free(targets); });-+ auto targets = mContext->GetTargets(aWhichClipboard); if (!targets) { LOGCLIP(" X11: no targes at clipboard (null), quit.\n"); return true; }- for (int i = 0; i < targetNums; i++) {- gchar* atom_name = gdk_atom_name(targets[i]);+ for (const auto& atom : targets.AsSpan()) {+ GUniquePtr<gchar> atom_name(gdk_atom_name(atom)); if (!atom_name) { continue; } // Filter out system MIME types.- if (strcmp(atom_name, "TARGETS") == 0 ||- strcmp(atom_name, "TIMESTAMP") == 0 ||- strcmp(atom_name, "SAVE_TARGETS") == 0 ||- strcmp(atom_name, "MULTIPLE") == 0) {+ if (strcmp(atom_name.get(), "TARGETS") == 0 ||+ strcmp(atom_name.get(), "TIMESTAMP") == 0 ||+ strcmp(atom_name.get(), "SAVE_TARGETS") == 0 ||+ strcmp(atom_name.get(), "MULTIPLE") == 0) { continue; } // Filter out types which can't be converted to text.- if 
(strncmp(atom_name, "image/", 6) == 0 ||- strncmp(atom_name, "application/", 12) == 0 ||- strncmp(atom_name, "audio/", 6) == 0 ||- strncmp(atom_name, "video/", 6) == 0) {+ if (strncmp(atom_name.get(), "image/", 6) == 0 ||+ strncmp(atom_name.get(), "application/", 12) == 0 ||+ strncmp(atom_name.get(), "audio/", 6) == 0 ||+ strncmp(atom_name.get(), "video/", 6) == 0) { continue; } // We have some other MIME type on clipboard which can be hopefully@@ -310,13 +331,13 @@ // So make sure we offer only types we have at clipboard. nsTArray<nsCString> clipboardFlavors;- for (int i = 0; i < targetNums; i++) {- gchar* atom_name = gdk_atom_name(targets[i]);+ for (const auto& atom : targets.AsSpan()) {+ GUniquePtr<gchar> atom_name(gdk_atom_name(atom)); if (!atom_name) { continue; }- if (IsMIMEAtFlavourList(aFlavors, atom_name)) {- clipboardFlavors.AppendElement(nsCString(atom_name));+ if (IsMIMEAtFlavourList(aFlavors, atom_name.get())) {+ clipboardFlavors.AppendElement(nsCString(atom_name.get())); } } aFlavors.SwapElements(clipboardFlavors);@@ -375,22 +396,18 @@ LOGCLIP(" Getting image %s MIME clipboard data\n", flavorStr.get());- uint32_t clipboardDataLength;- const char* clipboardData = mContext->GetClipboardData(- flavorStr.get(), aWhichClipboard, &clipboardDataLength);+ auto clipboardData =+ mContext->GetClipboardData(flavorStr.get(), aWhichClipboard); if (!clipboardData) { LOGCLIP(" %s type is missing\n", flavorStr.get()); continue; } nsCOMPtr<nsIInputStream> byteStream;- NS_NewByteInputStream(getter_AddRefs(byteStream),- Span(clipboardData, clipboardDataLength),+ NS_NewByteInputStream(getter_AddRefs(byteStream), clipboardData.AsSpan(), NS_ASSIGNMENT_COPY); aTransferable->SetTransferData(flavorStr.get(), byteStream); LOGCLIP(" got %s MIME data\n", flavorStr.get());-- mContext->ReleaseClipboardData(clipboardData); return NS_OK; }@@ -399,7 +416,7 @@ if (flavorStr.EqualsLiteral(kUnicodeMime)) { LOGCLIP(" Getting unicode %s MIME clipboard data\n", flavorStr.get());- const 
char* clipboardData = mContext->GetClipboardText(aWhichClipboard);+ auto clipboardData = mContext->GetClipboardText(aWhichClipboard); if (!clipboardData) { LOGCLIP(" failed to get unicode data\n"); // If the type was text/unicode and we couldn't get@@ -409,31 +426,26 @@ } // Convert utf-8 into our unicode format.- NS_ConvertUTF8toUTF16 ucs2string(clipboardData);- const char* unicodeData = (const char*)ToNewUnicode(ucs2string);- uint32_t unicodeDataLength = ucs2string.Length() * 2;- SetTransferableData(aTransferable, flavorStr, unicodeData,- unicodeDataLength);- free((void*)unicodeData);+ NS_ConvertUTF8toUTF16 ucs2string(clipboardData.get());+ SetTransferableData(aTransferable, flavorStr,+ (const char*)ucs2string.BeginReading(),+ ucs2string.Length() * 2); LOGCLIP(" got unicode data, length %zd\n", ucs2string.Length());-- mContext->ReleaseClipboardData(clipboardData); return NS_OK; } if (flavorStr.EqualsLiteral(kFileMime)) { LOGCLIP(" Getting %s file clipboard data\n", flavorStr.get());- uint32_t clipboardDataLength;- const char* clipboardData = mContext->GetClipboardData(- kURIListMime, aWhichClipboard, &clipboardDataLength);+ auto clipboardData =+ mContext->GetClipboardData(kURIListMime, aWhichClipboard); if (!clipboardData) { LOGCLIP(" text/uri-list type is missing\n"); continue; }- nsDependentCSubstring data(clipboardData, clipboardDataLength);+ nsDependentCSubstring data(clipboardData.AsSpan()); nsTArray<nsCString> uris = mozilla::widget::ParseTextURIList(data); if (!uris.IsEmpty()) { nsCOMPtr<nsIURI> fileURI;@@ -447,16 +459,13 @@ } } }-- mContext->ReleaseClipboardData(clipboardData); return NS_OK; } LOGCLIP(" Getting %s MIME clipboard data\n", flavorStr.get());- uint32_t clipboardDataLength;- const char* clipboardData = mContext->GetClipboardData(- flavorStr.get(), aWhichClipboard, &clipboardDataLength);+ auto clipboardData =+ mContext->GetClipboardData(flavorStr.get(), aWhichClipboard); #ifdef MOZ_LOGGING if (!clipboardData) {@@ -473,15 +482,14 @@ int32_t 
htmlBodyLen = 0; // Convert text/html into our unicode format nsAutoCString charset;- if (!GetHTMLCharset(clipboardData, clipboardDataLength, charset)) {+ if (!GetHTMLCharset(clipboardData.AsSpan(), charset)) { // Fall back to utf-8 in case html/data is missing kHTMLMarkupPrefix. LOGCLIP("Failed to get html/text encoding, fall back to utf-8.\n"); charset.AssignLiteral("utf-8"); }- if (!ConvertHTMLtoUCS2(clipboardData, clipboardDataLength, charset,- &htmlBody, htmlBodyLen)) {+ if (!ConvertHTMLtoUCS2(clipboardData.AsSpan(), charset, &htmlBody,+ htmlBodyLen)) { LOGCLIP(" failed to convert text/html to UCS2.\n");- mContext->ReleaseClipboardData(clipboardData); continue; }@@ -489,11 +497,10 @@ htmlBodyLen * 2); free(htmlBody); } else {- SetTransferableData(aTransferable, flavorStr, clipboardData,- clipboardDataLength);- }-- mContext->ReleaseClipboardData(clipboardData);+ auto span = clipboardData.AsSpan();+ SetTransferableData(aTransferable, flavorStr, span.data(),+ span.Length());+ } return NS_OK; } }@@ -553,9 +560,7 @@ return NS_ERROR_FAILURE; }- int targetNums;- GdkAtom* targets = mContext->GetTargets(aWhichClipboard, &targetNums);- auto releaseTargets = MakeScopeExit([&] { g_free(targets); });+ auto targets = mContext->GetTargets(aWhichClipboard); if (!targets) { LOGCLIP(" no targes at clipboard (null)\n");@@ -563,18 +568,21 @@ } #ifdef MOZ_LOGGING- LOGCLIP(" Clipboard content (target nums %d):\n", targetNums);- for (int32_t j = 0; j < targetNums; j++) {- gchar* atom_name = gdk_atom_name(targets[j]);- if (!atom_name) {- LOGCLIP(" failed to get MIME\n");- continue;- }- LOGCLIP(" MIME %s\n", atom_name);- }- LOGCLIP(" Asking for content:\n");- for (auto& flavor : aFlavorList) {- LOGCLIP(" MIME %s\n", flavor.get());+ if (LOGCLIP_ENABLED()) {+ LOGCLIP(" Clipboard content (target nums %zu):\n",+ targets.AsSpan().Length());+ for (const auto& target : targets.AsSpan()) {+ GUniquePtr<gchar> atom_name(gdk_atom_name(target));+ if (!atom_name) {+ LOGCLIP(" failed to get 
MIME\n");+ continue;+ }+ LOGCLIP(" MIME %s\n", atom_name.get());+ }+ LOGCLIP(" Asking for content:\n");+ for (auto& flavor : aFlavorList) {+ LOGCLIP(" MIME %s\n", flavor.get());+ } } #endif@@ -583,37 +591,43 @@ for (auto& flavor : aFlavorList) { // We special case text/unicode here. if (flavor.EqualsLiteral(kUnicodeMime) &&- gtk_targets_include_text(targets, targetNums)) {+ gtk_targets_include_text(targets.AsSpan().data(),+ targets.AsSpan().Length())) { *_retval = true; LOGCLIP(" has kUnicodeMime\n"); break; }- for (int32_t j = 0; j < targetNums; j++) {- gchar* atom_name = gdk_atom_name(targets[j]);- if (!atom_name) continue;-- if (flavor.Equals(atom_name)) {+ for (const auto& target : targets.AsSpan()) {+ GUniquePtr<gchar> atom_name(gdk_atom_name(target));+ if (!atom_name) {+ continue;+ }++ if (flavor.Equals(atom_name.get())) {+ LOGCLIP(" has %s\n", atom_name.get()); *_retval = true;- LOGCLIP(" has %s\n", atom_name);+ break; } // X clipboard supports image/jpeg, but we want to emulate support // for image/jpg as well- else if (flavor.EqualsLiteral(kJPGImageMime) &&- !strcmp(atom_name, kJPEGImageMime)) {+ if (flavor.EqualsLiteral(kJPGImageMime) &&+ !strcmp(atom_name.get(), kJPEGImageMime)) {+ LOGCLIP(" has image/jpg\n"); *_retval = true;- LOGCLIP(" has image/jpg\n");+ break; } // application/x-moz-file should be treated like text/uri-list- else if (flavor.EqualsLiteral(kFileMime) &&- !strcmp(atom_name, kURIListMime)) {+ if (flavor.EqualsLiteral(kFileMime) &&+ !strcmp(atom_name.get(), kURIListMime)) {+ LOGCLIP(" has text/uri-list treating as application/x-moz-file"); *_retval = true;- LOGCLIP(" has text/uri-list treating as application/x-moz-file");- }-- g_free(atom_name);-- if (*_retval) break;+ break;+ }+ }++ if (*_retval) {+ break; } }@@ -628,7 +642,7 @@ NS_IMETHODIMP nsClipboard::SupportsSelectionClipboard(bool* _retval) {- *_retval = mContext ? 
mContext->HasSelectionSupport() : false;+ *_retval = true; return NS_OK; }@@ -682,7 +696,8 @@ nsCOMPtr<nsISupports> item; GdkAtom selectionTarget = gtk_selection_data_get_target(aSelectionData);- LOGCLIP(" selection target %s\n", gdk_atom_name(selectionTarget));+ LOGCLIP(" selection target %s\n",+ GUniquePtr<gchar>(gdk_atom_name(selectionTarget)).get()); // Check to see if the selection data is some text type. if (gtk_targets_include_text(&selectionTarget, 1)) {@@ -756,7 +771,7 @@ } LOGCLIP(" Setting pixbuf image data as %s\n",- gdk_atom_name(selectionTarget));+ GUniquePtr<gchar>(gdk_atom_name(selectionTarget)).get()); gtk_selection_data_set_pixbuf(aSelectionData, pixbuf); g_object_unref(pixbuf); return;@@ -786,48 +801,45 @@ AppendUTF16toUTF8(ucs2string, html); LOGCLIP(" Setting %zd bytest of %s data\n", html.Length(),- gdk_atom_name(selectionTarget));+ GUniquePtr<gchar>(gdk_atom_name(selectionTarget)).get()); gtk_selection_data_set(aSelectionData, selectionTarget, 8, (const guchar*)html.get(), html.Length()); return; } LOGCLIP(" Try if we have anything at GetTransferData() for %s\n",- gdk_atom_name(selectionTarget));+ GUniquePtr<gchar>(gdk_atom_name(selectionTarget)).get()); // Try to match up the selection data target to something our // transferable provides.- gchar* target_name = gdk_atom_name(selectionTarget);+ GUniquePtr<gchar> target_name(gdk_atom_name(selectionTarget)); if (!target_name) { LOGCLIP(" Failed to get target name!\n"); return; }- rv = trans->GetTransferData(target_name, getter_AddRefs(item));+ rv = trans->GetTransferData(target_name.get(), getter_AddRefs(item)); // nothing found? 
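Review bot: `*_retval = true;` makes SupportsSelectionClipboard report support even when `mContext` is null, a state the constructor hunk earlier in this diff treats as reachable (it logs "Missing nsRetrievalContext for nsClipboard!"), whereas the replaced line returned false in that case. If the intent is that both remaining backends always support the selection clipboard, a one-line comment would make the dropped HasSelectionSupport() call look deliberate, e.g. `// Both remaining retrieval contexts support the selection clipboard.`; otherwise `*_retval = !!mContext;` preserves the old answer for the missing-context case. The surrounding function is fully inside the hunk.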
if (NS_FAILED(rv) || !item) { LOGCLIP(" Failed to get anything from GetTransferData()!\n");- g_free(target_name); return; } void* primitive_data = nullptr; uint32_t dataLen = 0;- nsPrimitiveHelpers::CreateDataFromPrimitive(nsDependentCString(target_name),- item, &primitive_data, &dataLen);-- if (primitive_data) {- LOGCLIP(" Setting %s as a primitive data type, %d bytes\n", target_name,- dataLen);- gtk_selection_data_set(aSelectionData, selectionTarget,- 8, /* 8 bits in a unit */- (const guchar*)primitive_data, dataLen);- free(primitive_data);- } else {+ nsPrimitiveHelpers::CreateDataFromPrimitive(+ nsDependentCString(target_name.get()), item, &primitive_data, &dataLen);+ if (!primitive_data) { LOGCLIP(" Failed to get primitive data!\n");- }-- g_free(target_name);+ return;+ }++ LOGCLIP(" Setting %s as a primitive data type, %d bytes\n",+ target_name.get(), dataLen);+ gtk_selection_data_set(aSelectionData, selectionTarget,+ 8, /* 8 bits in a unit */+ (const guchar*)primitive_data, dataLen);+ free(primitive_data); } void nsClipboard::SelectionClearEvent(GtkClipboard* aGtkClipboard) {@@ -875,13 +887,13 @@ * body : pass to Mozilla * bodyLength: pass to Mozilla */-bool ConvertHTMLtoUCS2(const char* data, int32_t dataLength, nsCString& charset,+bool ConvertHTMLtoUCS2(Span<const char> aData, nsCString& charset, char16_t** unicodeData, int32_t& outUnicodeLen) { if (charset.EqualsLiteral("UTF-16")) { // current mozilla- outUnicodeLen = (dataLength / 2) - 1;+ outUnicodeLen = (aData.Length() / 2) - 1; *unicodeData = reinterpret_cast<char16_t*>( moz_xmalloc((outUnicodeLen + sizeof('\0')) * sizeof(char16_t)));- memcpy(*unicodeData, data + sizeof(char16_t),+ memcpy(*unicodeData, aData.data() + sizeof(char16_t), outUnicodeLen * sizeof(char16_t)); (*unicodeData)[outUnicodeLen] = '\0'; return true;@@ -899,17 +911,16 @@ return false; }- auto dataSpan = Span(data, dataLength); // Remove kHTMLMarkupPrefix again, it won't necessarily cause any // issues, but might confuse other users. 
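Review bot: The UTF-16 branch of ConvertHTMLtoUCS2 still computes `outUnicodeLen = (aData.Length() / 2) - 1;` with no lower bound on aData.Length(), so a span shorter than two bytes wraps the unsigned subtraction, the int32_t result goes negative, and the memcpy size `outUnicodeLen * sizeof(char16_t)` is derived from that wrapped value; the memcpy also assumes the BOM occupies the first two bytes. The GetHTMLCharset hunk at `@@ -942,16 +953,19 @@` has the matching gap: `beginChar[0]` reads two bytes through `(char16_t*)aData.data()` before the length is consulted, so a one-byte payload (nothing on this page rules one out) is read past its end. Both are carried over from the old code, but the payload comes from whichever application owns the clipboard, so the Span conversion is the natural place to add the bound: `if (aData.Length() < sizeof(char16_t)) { outUnicodeLen = 0; return false; }` at the top of the UTF-16 branch, and `if (aData.Length() >= sizeof(char16_t))` around the BOM test in GetHTMLCharset. ConvertHTMLtoUCS2's body continues past the end of this hunk.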
const size_t prefixLen = ArrayLength(kHTMLMarkupPrefix) - 1;- if (dataSpan.Length() >= prefixLen &&- Substring(data, prefixLen).EqualsLiteral(kHTMLMarkupPrefix)) {- dataSpan = dataSpan.From(prefixLen);+ if (aData.Length() >= prefixLen && nsDependentCSubstring(aData.To(prefixLen))+ .EqualsLiteral(kHTMLMarkupPrefix)) {+ aData = aData.From(prefixLen); } auto decoder = encoding->NewDecoder();- CheckedInt<size_t> needed = decoder->MaxUTF16BufferLength(dataSpan.Length());+ CheckedInt<size_t> needed = decoder->MaxUTF16BufferLength(aData.Length()); if (!needed.isValid() || needed.value() > INT32_MAX) { outUnicodeLen = 0; return false;@@ -923,9 +934,9 @@ size_t read; size_t written; std::tie(result, read, written, std::ignore) = decoder->DecodeToUTF16(- AsBytes(dataSpan), Span(*unicodeData, needed.value()), true);+ AsBytes(aData), Span(*unicodeData, needed.value()), true); MOZ_ASSERT(result == kInputEmpty);- MOZ_ASSERT(read == size_t(dataSpan.Length()));+ MOZ_ASSERT(read == size_t(aData.Length())); MOZ_ASSERT(written <= needed.value()); outUnicodeLen = written; // null terminate.@@ -942,16 +953,19 @@ * 2. "UNKNOWN": mozilla can't detect what encode it use * 3. 
other: "text/html" with other charset than utf-16 */-bool GetHTMLCharset(const char* data, int32_t dataLength, nsCString& str) {+bool GetHTMLCharset(Span<const char> aData, nsCString& str) { // if detect "FFFE" or "FEFF", assume UTF-16- char16_t* beginChar = (char16_t*)data;- if ((beginChar[0] == 0xFFFE) || (beginChar[0] == 0xFEFF)) {- str.AssignLiteral("UTF-16");- LOGCLIP("GetHTMLCharset: Charset of HTML is UTF-16\n");- return true;- }+ {+ char16_t* beginChar = (char16_t*)aData.data();+ if ((beginChar[0] == 0xFFFE) || (beginChar[0] == 0xFEFF)) {+ str.AssignLiteral("UTF-16");+ LOGCLIP("GetHTMLCharset: Charset of HTML is UTF-16\n");+ return true;+ }+ }+ // no "FFFE" and "FEFF", assume ASCII first to find "charset" info- const nsDependentCSubstring htmlStr(data, dataLength);+ const nsDependentCSubstring htmlStr(aData); nsACString::const_iterator start, end; htmlStr.BeginReading(start); htmlStr.EndReading(end);
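Review bot: The BOM probe in GetHTMLCharset reads `beginChar[0]` (two bytes) without checking that `aData` holds at least two bytes, and it does so through a `char16_t*` cast of a `char*` that need not be suitably aligned. Now that the length is carried in the Span, guard the read with `aData.Length() >= sizeof(char16_t)` and copy the first two bytes into a local `char16_t` with `memcpy`, which this file already uses in ConvertHTMLtoUCS2. The function's body continues outside the hunk; the rewritten prefix is below.
```cpp
bool GetHTMLCharset(Span<const char> aData, nsCString& str) {
  // if detect "FFFE" or "FEFF", assume UTF-16
  if (aData.Length() >= sizeof(char16_t)) {
    char16_t bom;
    memcpy(&bom, aData.data(), sizeof(bom));  // avoids an unaligned char16_t* read
    if (bom == 0xFFFE || bom == 0xFEFF) {
      str.AssignLiteral("UTF-16");
      LOGCLIP("GetHTMLCharset: Charset of HTML is UTF-16\n");
      return true;
    }
  }
  // … unchanged: ASCII "charset" scan over htmlStr …
```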
Based on the provided code diff, I'll analyze it for security vulnerabilities. Here are the findings: 1. Vulnerability Existed: yes Memory Leak [File] widget/gtk/nsClipboard.cpp [Lines] 426-427 [Old Code] const char* unicodeData = (const char*)ToNewUnicode(ucs2string); uint32_t unicodeDataLength = ucs2string.Length() * 2; SetTransferableData(aTransferable, flavorStr, unicodeData, unicodeDataLength); free((void*)unicodeData); [Fixed Code] SetTransferableData(aTransferable, flavorStr, (const char*)ucs2string.BeginReading(), ucs2string.Length() * 2); The old code had a potential memory leak issue where the memory allocated by ToNewUnicode() could be leaked if SetTransferableData() failed. The new code avoids this by using the string's buffer directly. 2. Vulnerability Existed: yes Memory Management [File] widget/gtk/nsClipboard.cpp [Lines] 298-299 [Old Code] int targetNums; GdkAtom* targets = mContext->GetTargets(aWhichClipboard, &targetNums); auto releaseTargets = MakeScopeExit([&] { g_free(targets); }); [Fixed Code] auto targets = mContext->GetTargets(aWhichClipboard); The old code required manual memory management of the targets array, which could lead to memory leaks if not properly handled. The new code uses a more robust memory management approach. 3. Vulnerability Existed: yes Resource Leak [File] widget/gtk/nsClipboard.cpp [Lines] 396-397 [Old Code] const char* clipboardData = mContext->GetClipboardText(aWhichClipboard); [...] mContext->ReleaseClipboardData(clipboardData); [Fixed Code] auto clipboardData = mContext->GetClipboardText(aWhichClipboard); The old code required explicit release of clipboard data, which could lead to resource leaks if forgotten. The new code uses automatic memory management. 4. Vulnerability Existed: yes Memory Management [File] widget/gtk/nsClipboard.cpp [Lines] 642-643 [Old Code] *_retval = mContext ? 
mContext->HasSelectionSupport() : false; [Fixed Code] *_retval = true; The old code had a potential null pointer dereference risk when checking mContext. The new code simplifies the logic and removes this risk. 5. Vulnerability Existed: not sure Potential Buffer Overflow [File] widget/gtk/nsClipboard.cpp [Lines] 887-890 [Old Code] outUnicodeLen = (dataLength / 2) - 1; *unicodeData = reinterpret_cast<char16_t*>( moz_xmalloc((outUnicodeLen + sizeof('\0')) * sizeof(char16_t)); memcpy(*unicodeData, data + sizeof(char16_t), outUnicodeLen * sizeof(char16_t)); [Fixed Code] No change in this part, but the code assumes the data length has already been validated, which is risky if the input is not. Note: The changes overall improve memory management and reduce the risk of memory leaks and null pointer dereferences. The code now uses more modern C++ patterns with automatic memory management through smart pointers and spans. However, input validation could still be improved in some areas, particularly in the UTF-16 conversion code.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/places/tests/migration/head_migration.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/places/tests/migration/head_migration.js@@ -15,7 +15,7 @@ // Put any other stuff relative to this test folder below.-const CURRENT_SCHEMA_VERSION = 61;+const CURRENT_SCHEMA_VERSION = 63; const FIRST_UPGRADABLE_SCHEMA_VERSION = 43; async function assertAnnotationsRemoved(db, expectedAnnos) {
Let me analyze the code diff for security fixes. Vulnerability Existed: not sure [Schema Version Update] [toolkit/components/places/tests/migration/head_migration.js] [Lines 15] [Old Code] const CURRENT_SCHEMA_VERSION = 61; [Fixed Code] const CURRENT_SCHEMA_VERSION = 63; Additional Details: - This appears to be a database schema version update from 61 to 63 - Without more context about what changed between these schema versions, I can't determine whether this fixed a specific vulnerability - Schema updates often include security fixes, but could also be for feature additions or other improvements - The version being used in tests suggests this might be related to testing infrastructure rather than production code No other vulnerabilities are apparent in this small diff. The change is straightforward and only updates a version constant.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInPath.winding.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInPath.winding.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); // Create a square ring, using opposite windings to make a hole in the centre ctx.moveTo(0, 0);
Based on the provided diff, I'll analyze it for potential security vulnerabilities: Vulnerability Existed: no [Variable Renaming] [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInPath.winding.html] [Lines 17-18] [Old Code] var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); [Fixed Code] var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); Additional Details: This appears to be a simple variable renaming change (from 'offscreenCanvas' to 'canvas') with no security implications. The functionality remains exactly the same, just using a different variable name. There are no actual security vulnerabilities being fixed in this diff. No other vulnerabilities were identified in this diff. The changes are purely cosmetic/readability improvements rather than security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/src/actions/sources/tests/select.spec.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/src/actions/sources/tests/select.spec.js@@ -2,7 +2,6 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at <http://mozilla.org/MPL/2.0/>. */-import { getSymbols } from "../../../reducers/ast"; import { actions, selectors,@@ -13,13 +12,14 @@ waitForState, makeOriginalSource, } from "../../../utils/test-head";-const {+import { getSource, getSourceCount, getSelectedSource, getSourceTabs, getSelectedLocation,-} = selectors;+ getSymbols,+} from "../../../selectors/"; import { mockCommandClient } from "../../tests/helpers/mockCommandClient";
Based on the provided code diff, I'll analyze it for security vulnerabilities: 1. Vulnerability Existed: no Code Organization Improvement [devtools/client/debugger/src/actions/sources/tests/select.spec.js] [Lines 2,13-20] Old Code: ```javascript import { getSymbols } from "../../../reducers/ast"; const { getSource, getSourceCount, getSelectedSource, getSourceTabs, getSelectedLocation, } = selectors; ``` Fixed Code: ```javascript import { getSource, getSourceCount, getSelectedSource, getSourceTabs, getSelectedLocation, getSymbols, } from "../../../selectors/"; ``` This change appears to be a code organization improvement rather than a security fix. The modification: 1. Removes a direct import from reducers/ast 2. Consolidates all selector imports from a single location (selectors/) 3. Adds getSymbols to the unified selector imports There are no clear security vulnerabilities being addressed here - it's primarily a refactoring for better code organization and maintainability. The change doesn't affect any security-related functionality or introduce/remove any security controls.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/ipc/DocumentLoadListener.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/ipc/DocumentLoadListener.h@@ -12,7 +12,7 @@ #include "mozilla/WeakPtr.h" #include "mozilla/ipc/Endpoint.h" #include "mozilla/dom/SessionHistoryEntry.h"-#include "EarlyHintsPreloader.h"+#include "EarlyHintsService.h" #include "mozilla/net/NeckoCommon.h" #include "mozilla/net/NeckoParent.h" #include "mozilla/net/PDocumentChannelParent.h"@@ -601,7 +601,7 @@ const bool mIsDocumentLoad;- EarlyHintsPreloader mEarlyHintsPreloader;+ EarlyHintsService mEarlyHintsService; }; NS_DEFINE_STATIC_IID_ACCESSOR(DocumentLoadListener, DOCUMENT_LOAD_LISTENER_IID)
Here's the analysis of the provided code diff: 1. Vulnerability Existed: not sure [Header File Inclusion Change] [netwerk/ipc/DocumentLoadListener.h] [Lines 12, 601] [Old Code] `#include "EarlyHintsPreloader.h"` `EarlyHintsPreloader mEarlyHintsPreloader;` [Fixed Code] `#include "EarlyHintsService.h"` `EarlyHintsService mEarlyHintsService;` Additional Details: - This appears to be a refactoring where the EarlyHintsPreloader class was replaced with EarlyHintsService. - Without seeing the implementation details of both classes, it's hard to determine whether this was a security fix or just an architectural change. - The change could potentially be related to security if EarlyHintsPreloader had vulnerabilities that were addressed by the new EarlyHintsService implementation, but we can't confirm this from the diff alone. No other vulnerabilities are apparent from this diff. The changes seem focused on renaming/refactoring the early hints functionality rather than addressing specific security issues.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.