Analysis Report

Shared security patch analysis results

AI Used: DEEPSEEK deepseek-chat
6017 filtered / 6017 total files
dom/media/gmp/GMPPlatform.cpp AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/gmp/GMPPlatform.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/gmp/GMPPlatform.cpp@@ -211,6 +211,12 @@   aPlatformAPI.getcurrenttime = &GetClock; }+void SendFOGData(ipc::ByteBuf&& buf) {+  if (sChild) {+    sChild->SendFOGData(std::move(buf));+  }+}+ GMPThreadImpl::GMPThreadImpl() : mMutex("GMPThreadImpl"), mThread("GMPThread") {   MOZ_COUNT_CTOR(GMPThread); }
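Review bot: In `SendFOGData`, the `if (sChild)` guard drops `buf` silently when `sChild` is null, so data passed in before the child is set or after it is cleared is lost with no signal to the caller. If that is intended, say so in a comment on the function; otherwise log it or return a bool so the caller can tell. The visible lines also do not show which thread may call this, so an assertion or a comment on the thread affinity of `sChild` would help.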
AI Analysis
Analyzing the provided code diff for security fixes:

1. Vulnerability Existed: not sure
   [Potential Missing Access Control] [dom/media/gmp/GMPPlatform.cpp] [Lines 211-217]
   [Old Code] (No equivalent function existed)
   [Fixed Code] 
   ```
   void SendFOGData(ipc::ByteBuf&& buf) {
     if (sChild) {
       sChild->SendFOGData(std::move(buf));
     }
   }
   ```

Additional Notes:
- The diff shows a new function `SendFOGData` being added, but without more context about how this function is used or what `sChild` represents, it's difficult to determine if there was a security vulnerability being fixed.
- The function appears to be related to IPC (Inter-Process Communication) data sending, which could potentially have security implications if not properly secured, but we can't confirm this from the given diff.
- The function does include a null check (`if (sChild)`), which is good practice but doesn't necessarily indicate a security fix.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.create2.initial.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.create2.initial.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.create2.initial.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var imgdata = ctx.createImageData(10, 20); _assertSame(imgdata.data.length, imgdata.width*imgdata.height*4, "imgdata.data.length", "imgdata.width*imgdata.height*4");
AI Analysis
Based on the provided diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: no
    Variable Renaming [File] [Lines 17-18]
    Old Code:
    var offscreenCanvas = new OffscreenCanvas(100, 50);
    var ctx = offscreenCanvas.getContext('2d');
    
    Fixed Code:
    var canvas = new OffscreenCanvas(100, 50);
    var ctx = canvas.getContext('2d');

Additional Details:
- This appears to be a simple variable name change from `offscreenCanvas` to `canvas`
- No security vulnerability is being fixed here, just a code style/consistency change
- The functionality remains exactly the same
- No security-related APIs or patterns are being modified

The change is purely cosmetic and doesn't affect the security posture of the code. It's likely part of a larger effort to standardize variable naming conventions across the codebase.
CVE Analysis Results:
CVE-2022-26384: No
security/nss/cmd/makepqg/makepqg.c AI: 2 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/security/nss/cmd/makepqg/makepqg.c+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/security/nss/cmd/makepqg/makepqg.c@@ -295,7 +295,9 @@         outFile = stdout;     }-    NSS_NoDB_Init(NULL);+    if (NSS_NoDB_Init(NULL) != SECSuccess) {+        return 1;+    }     if (keySizeInBits > 1024 || qSizeInBits != 0) {         rv = PK11_PQG_ParamGenV2((unsigned)keySizeInBits,@@ -340,6 +342,9 @@     PK11_PQG_DestroyParams(pqgParams);     PK11_PQG_DestroyVerify(pqgVerify);+    if (NSS_Shutdown() != SECSuccess) {+        return 1;+    }     return 0; loser:
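Review bot: The new `if (NSS_NoDB_Init(NULL) != SECSuccess) { return 1; }` in the first hunk exits without printing anything, so a user sees only a bare non-zero exit status. Print a diagnostic to stderr before returning, and check whether this early return should go through the `loser:` label visible later in the function so that cleanup stays in one place.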
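Review bot: The `NSS_Shutdown()` check in the second hunk sits only on the success path just before `return 0;`, and the lines shown add no matching call under `loser:`, so confirm the failure path also shuts NSS down. A failed shutdown here returns 1 silently after `PK11_PQG_DestroyParams` and `PK11_PQG_DestroyVerify` have run; a message to stderr would distinguish it from a parameter generation failure.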
AI Analysis
Here's the analysis of the provided code diff following the specified format:

1. Vulnerability Existed: yes  
   Missing Error Handling for NSS_NoDB_Init [security/nss/cmd/makepqg/makepqg.c] [Lines 295]  
   Old Code:  
   `NSS_NoDB_Init(NULL);`  
   Fixed Code:  
   `if (NSS_NoDB_Init(NULL) != SECSuccess) { return 1; }`  
   Additional Details: The original code didn't check the return value of NSS_NoDB_Init(), which could lead to continued execution even if initialization failed.

2. Vulnerability Existed: yes  
   Missing Error Handling for NSS_Shutdown [security/nss/cmd/makepqg/makepqg.c] [Lines 342]  
   Old Code:  
   (No NSS_Shutdown error handling present)  
   Fixed Code:  
   `if (NSS_Shutdown() != SECSuccess) { return 1; }`  
   Additional Details: The fix adds proper error handling for NSS_Shutdown(), preventing potential issues from being ignored during cleanup.

3. Vulnerability Existed: not sure  
   Potential Resource Leak [security/nss/cmd/makepqg/makepqg.c] [Lines 340-342]  
   Old Code:  
   (No explicit NSS_Shutdown call shown)  
   Fixed Code:  
   Added NSS_Shutdown with error handling  
   Additional Details: While not clearly a vulnerability, the addition of proper shutdown handling improves resource management, though it's unclear if this was actually causing leaks before.

Note: The third entry is marked "not sure" as it's more of a resource management improvement than a clear vulnerability, but included for completeness following the instructions.
CVE Analysis Results:
CVE-2022-26384: No
devtools/client/debugger/src/reducers/exceptions.js AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/src/reducers/exceptions.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/src/reducers/exceptions.js@@ -6,9 +6,6 @@  * Exceptions reducer  * @module reducers/exceptionss  */--import { createSelector } from "reselect";-import { getSelectedSource, getSourceActorsForSource } from "../selectors"; export function initialExceptionsState() {   return {@@ -47,52 +44,4 @@   }; }-// Selectors-export function getExceptionsMap(state) {-  return state.exceptions.exceptions;-}--export const getSelectedSourceExceptions = createSelector(-  getSelectedSourceActors,-  getExceptionsMap,-  (sourceActors, exceptions) => {-    const sourceExceptions = [];--    sourceActors.forEach(sourceActor => {-      const actorId = sourceActor.id;--      if (exceptions[actorId]) {-        sourceExceptions.push(...exceptions[actorId]);-      }-    });--    return sourceExceptions;-  }-);--function getSelectedSourceActors(state) {-  const selectedSource = getSelectedSource(state);-  if (!selectedSource) {-    return [];-  }-  return getSourceActorsForSource(state, selectedSource.id);-}--export function hasException(state, line, column) {-  return !!getSelectedException(state, line, column);-}--export function getSelectedException(state, line, column) {-  const sourceExceptions = getSelectedSourceExceptions(state);--  if (!sourceExceptions) {-    return;-  }--  return sourceExceptions.find(-    sourceExc =>-      sourceExc.lineNumber === line && sourceExc.columnNumber === column-  );-}- export default update;
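Review bot: Nothing in this diff shows where the exports `getExceptionsMap`, `getSelectedSourceExceptions`, `hasException` and `getSelectedException` go once the second hunk deletes them, so any module still importing them from this reducer will break; confirm every importer was updated in the same change. The unchanged header comment also reads `@module reducers/exceptionss`, and the doubled `s` is worth fixing while the file is being touched.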
AI Analysis
Based on the provided code diff, here's the analysis:

1. Vulnerability Existed: no
   The diff shows removal of selector functions and imports, but no security vulnerability is apparent in the removed code. This appears to be a code cleanup/refactoring rather than a security fix.

2. Vulnerability Existed: not sure
   The removal of exception handling selectors might impact error handling, but there's no clear vulnerability in the removed code. The change appears to be moving exception handling logic elsewhere rather than fixing a security issue.

Additional notes:
- The diff shows significant code removal (selector functions and related imports) but doesn't show any security vulnerabilities being fixed
- The removed code appears to be standard selector functions for managing exceptions in the debugger
- No specific vulnerability patterns (like XSS, injection, etc.) are present in the removed code
- The changes seem focused on architectural restructuring rather than security fixes

Since no clear vulnerabilities are being addressed, the primary answer is that no security vulnerabilities were fixed in this diff.
CVE Analysis Results:
CVE-2022-26384: No
js/src/jit-test/tests/stream/proper-realm-cancel.js AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit-test/tests/stream/proper-realm-cancel.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit-test/tests/stream/proper-realm-cancel.js@@ -1,3 +1,5 @@+// |jit-test| skip-if: !this.hasOwnProperty("ReadableStream")+ ignoreUnhandledRejections(); var g = newGlobal({ newCompartment:  true });
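Review bot: The `skip-if: !this.hasOwnProperty("ReadableStream")` directive added on line 1 means this test reports nothing in any shell without `ReadableStream`, so a regression in the behaviour it covers would go unnoticed there. Make sure at least one CI configuration runs it with streams available, and add a short comment saying why the skip is needed.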
AI Analysis
Let me analyze the code diff according to the provided format:

Vulnerability Existed: not sure
[Potential Test Reliability Issue] [js/src/jit-test/tests/stream/proper-realm-cancel.js] [Lines 1]
[Old Code]
ignoreUnhandledRejections();
[Fixed Code]
// |jit-test| skip-if: !this.hasOwnProperty("ReadableStream")
ignoreUnhandledRejections();

Additional Details:
The change adds a conditional skip directive for the test case. While this isn't a direct security fix, it improves test reliability by ensuring the test only runs in environments where ReadableStream is available. This could potentially prevent test failures or false negatives in environments without ReadableStream support, but I can't definitively say this was fixing a security vulnerability.

Note: The diff shows a test file modification rather than production code, so security vulnerabilities are less likely to be present here. The change appears to be more about test robustness than security.
CVE Analysis Results:
CVE-2022-26384: No
toolkit/components/aboutconfig/test/browser/browser_basic.js AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/aboutconfig/test/browser/browser_basic.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/aboutconfig/test/browser/browser_basic.js@@ -37,10 +37,6 @@     // here or point to a different preference in the same file.     Assert.equal(this.getRow("font.language.group").value, "x-western");     Assert.equal(this.getRow("intl.ellipsis").value, "\u2026");-    Assert.equal(-      this.getRow("gecko.handlerService.schemes.mailto.1.uriTemplate").value,-      "https://mail.google.com/mail/?extsrc=mailto&url=%s"-    );     // Test to see if user created value is not empty string when it matches     // /^chrome:\/\/.+\/locale\/.+\.properties/.
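Review bot: Deleting the `gecko.handlerService.schemes.mailto.1.uriTemplate` assertion reduces what this block checks, while the comment just above it says to "point to a different preference in the same file" when a preference goes away. If the assertion covered a distinct source of default values, replace it with another preference from that source instead of dropping the check, and update the comment if the category is no longer tested.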
AI Analysis
Analyzing the provided code diff for security fixes:

1. Vulnerability Existed: not sure  
   [Potential Information Disclosure] [toolkit/components/aboutconfig/test/browser/browser_basic.js] [Lines 37-40]  
   [Old Code]  
   ```
   Assert.equal(
     this.getRow("gecko.handlerService.schemes.mailto.1.uriTemplate").value,
     "https://mail.google.com/mail/?extsrc=mailto&url=%s"
   );
   ```  
   [Fixed Code]  
   (removed assertion)  

   Additional Details: The removed code was testing a specific mailto handler configuration pointing to Google Mail. While not clearly a security vulnerability, exposing specific service configurations in tests could potentially reveal implementation details. The removal might be for privacy/configuration flexibility rather than a direct security fix.

2. Vulnerability Existed: no  
   [No vulnerability found] [toolkit/components/aboutconfig/test/browser/browser_basic.js] [Lines 37-40]  
   [Old Code]  
   (same as above)  
   [Fixed Code]  
   (removed assertion)  

   Additional Details: The change appears to be a test cleanup rather than a security fix. The removed test was verifying a specific mailto handler configuration which might have been deemed too specific or unnecessary for the test suite.

Note: The diff shows only test code changes, which typically don't contain security vulnerabilities themselves but might reflect security-related changes in the production code. Without seeing the corresponding production code changes, we can't determine if this test modification relates to an actual security fix.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/ellipse/shape-outside-ellipse-032.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/ellipse/shape-outside-ellipse-032.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/ellipse/shape-outside-ellipse-032.html@@ -9,7 +9,6 @@   <link rel="author" title="Mozilla" href="http://www.mozilla.org/">   <link rel="help" href="https://drafts.csswg.org/css-shapes-1/#supported-basic-shapes">   <link rel="match" href="reference/shape-outside-ellipse-032-ref.html">-  <meta name="flags" content="">   <meta name="assert" content="Test the boxes are wrapping around the left float shape defined by the basic shape ellipse(40px 60px at left top) value.">   <style>   .container {
AI Analysis
Based on the provided code diff, I'll analyze it for security vulnerabilities:

Vulnerability Existed: no
No security vulnerability found [File] [Lines 9]
[Old Code] <meta name="flags" content="">
[Fixed Code] (line removed)

Additional Details:
- This appears to be a simple test file modification where a meta tag with empty flags was removed
- The change doesn't relate to any security vulnerability patterns
- The modification seems to be cleanup of test metadata rather than a security fix
- No known vulnerability patterns (XSS, injection, etc.) are present in this change

The diff shows only the removal of an empty meta tag which doesn't appear to have any security implications. This is likely just test file maintenance.
CVE Analysis Results:
CVE-2022-26384: No
toolkit/components/extensions/test/xpcshell/test_ext_content_security_policy.js AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/extensions/test/xpcshell/test_ext_content_security_policy.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/extensions/test/xpcshell/test_ext_content_security_policy.js@@ -1,6 +1,12 @@ "use strict"; Services.prefs.setBoolPref("extensions.manifestV3.enabled", true);+// Since we're not using AOM, and MV3 forces event pages, bypass+// delayed-startup for MV3 test.  These tests do not rely on startup events.+Services.prefs.setBoolPref(+  "extensions.webextensions.background-delayed-startup",+  false+); const server = createHttpServer({ hosts: ["example.com"] });
AI Analysis
Analyzing the provided code diff, here's the security analysis:

Vulnerability Existed: no
[No specific vulnerability] [toolkit/components/extensions/test/xpcshell/test_ext_content_security_policy.js] [Lines 1-6]
[Old Code]
"use strict";

Services.prefs.setBoolPref("extensions.manifestV3.enabled", true);

[Fixed Code]
"use strict";

Services.prefs.setBoolPref("extensions.manifestV3.enabled", true);
// Since we're not using AOM, and MV3 forces event pages, bypass
// delayed-startup for MV3 test.  These tests do not rely on startup events.
Services.prefs.setBoolPref(
  "extensions.webextensions.background-delayed-startup",
  false
);

Additional Details:
The change appears to be a test configuration modification rather than a security fix. It adds a preference to disable delayed startup for MV3 extension tests, which is a testing optimization rather than a security-related change. The comment explains this is because MV3 forces event pages and these tests don't rely on startup events. No security vulnerability is being addressed in this change.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/css/css-ui/text-overflow-027.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-ui/text-overflow-027.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-ui/text-overflow-027.html@@ -5,7 +5,6 @@ <link rel="help" href="http://www.w3.org/TR/css-ui-3/#text-overflow"> <link rel="help" href="http://www.w3.org/TR/css-ui-4/#text-overflow"> <link rel="match" href="reference/text-overflow-027-ref.html">-<meta name="flags" content=""> <meta name="assert" content="text-overflow is a visual operation that occurs after layout, and therfore ellides text from the visual end of the line, even in bidi situations"> <style> div {
AI Analysis
Analysis of the provided code diff:

1. Vulnerability Existed: no
   No specific vulnerability found [File] testing/web-platform/tests/css/css-ui/text-overflow-027.html [Lines] 5
   [Old Code] <meta name="flags" content="">
   [Fixed Code] (line removed)

Additional Details:
- The diff shows only the removal of an empty meta "flags" tag, which doesn't appear to be security-related
- This appears to be a test file cleanup rather than a security fix
- No known vulnerabilities are associated with this change
- The modification doesn't affect any security-sensitive functionality

Note: The change is more likely related to test suite maintenance or cleanup rather than addressing a security issue. The empty flags meta tag served no purpose and was likely removed for code hygiene.
CVE Analysis Results:
CVE-2022-26384: No
modules/libpref/Preferences.cpp AI: 2 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/modules/libpref/Preferences.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/modules/libpref/Preferences.cpp@@ -14,6 +14,7 @@ #include "base/basictypes.h" #include "MainThreadUtils.h"+#include "mozilla/AppShutdown.h" #include "mozilla/ArenaAllocatorExtensions.h" #include "mozilla/ArenaAllocator.h" #include "mozilla/ArrayUtils.h"@@ -1584,6 +1585,10 @@   MOZ_ASSERT(XRE_IsParentProcess());   MOZ_ASSERT(NS_IsMainThread());+  if (AppShutdown::IsInOrBeyond(ShutdownPhase::XPCOMShutdownThreads)) {+    return NS_ERROR_ILLEGAL_DURING_SHUTDOWN;+  }+   if (!HashTable()) {     return NS_ERROR_OUT_OF_MEMORY;   }@@ -4156,10 +4161,10 @@       // Increment sPendingWriteCount, even though it's redundant to track this       // in the case of a sync runnable; it just makes it easier to simply-      // decrement this inside PWRunnable. We could alternatively increment-      // sPendingWriteCount in PWRunnable's constructor, but if for any reason-      // in future code we create a PWRunnable without dispatching it, we would-      // get stuck in an infinite SpinEventLoopUntil inside+      // decrement this inside PWRunnable. We cannot use the constructor /+      // destructor for increment/decrement, as on dispatch failure we might+      // leak the runnable in order to not destroy it on the wrong thread, which+      // would make us get stuck in an infinite SpinEventLoopUntil inside       // PreferencesWriter::Flush. 
Better that in future code we miss an       // increment of sPendingWriteCount and cause a simple crash due to it       // ending up negative.@@ -4168,8 +4173,13 @@         rv = target->Dispatch(new PWRunnable(aFile),                               nsIEventTarget::DISPATCH_NORMAL);       } else {-        // Note that we don't get the nsresult return value here.-        SyncRunnable::DispatchToThread(target, new PWRunnable(aFile), true);+        rv =+            SyncRunnable::DispatchToThread(target, new PWRunnable(aFile), true);+      }+      if (NS_FAILED(rv)) {+        // If our dispatch failed, we should correct our bookkeeping to+        // avoid shutdown hangs.+        PreferencesWriter::sPendingWriteCount--;       }       return rv;     }
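Review bot: The new `AppShutdown::IsInOrBeyond(ShutdownPhase::XPCOMShutdownThreads)` early return in the second hunk has no comment explaining why that phase is the cutoff, and it introduces `NS_ERROR_ILLEGAL_DURING_SHUTDOWN` as a new result for callers of this function. Add a one-line rationale, and check that callers treat this code as an expected late-shutdown outcome and not as a hard failure.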
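Review bot: In the last hunk, `PreferencesWriter::sPendingWriteCount--` runs on any `NS_FAILED(rv)`, which is correct only if a failed dispatch guarantees that the `PWRunnable` never runs; the comment above says the runnable decrements the counter itself, so a failure reported after the runnable executed would decrement twice. State that invariant in the comment next to the decrement. The rewritten comment also says the runnable may be leaked on dispatch failure, so it is worth noting there whether the `aFile` it holds is leaked with it.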
AI Analysis
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: yes
Shutdown Phase Vulnerability [File] [Lines 1584-1586]
[Old Code]
  MOZ_ASSERT(XRE_IsParentProcess());
  MOZ_ASSERT(NS_IsMainThread());

  if (!HashTable()) {
[Fixed Code]
  MOZ_ASSERT(XRE_IsParentProcess());
  MOZ_ASSERT(NS_IsMainThread());

  if (AppShutdown::IsInOrBeyond(ShutdownPhase::XPCOMShutdownThreads)) {
    return NS_ERROR_ILLEGAL_DURING_SHUTDOWN;
  }

  if (!HashTable()) {

2. Vulnerability Existed: yes
Race Condition During Shutdown [File] [Lines 4161-4173]
[Old Code]
      // Note that we don't get the nsresult return value here.
      SyncRunnable::DispatchToThread(target, new PWRunnable(aFile), true);
[Fixed Code]
      rv =
          SyncRunnable::DispatchToThread(target, new PWRunnable(aFile), true);
      }
      if (NS_FAILED(rv)) {
        // If our dispatch failed, we should correct our bookkeeping to
        // avoid shutdown hangs.
        PreferencesWriter::sPendingWriteCount--;
      }

Additional Details:
1. The first fix addresses a potential shutdown phase vulnerability by adding a check to prevent operations during XPCOM shutdown threads phase, which could lead to undefined behavior or crashes during shutdown.

2. The second fix addresses a race condition during shutdown where failed dispatch operations could lead to incorrect bookkeeping of pending write counts, potentially causing shutdown hangs. The fix ensures proper cleanup when dispatch fails.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/streams/readable-streams/garbage-collection.any.js AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/streams/readable-streams/garbage-collection.any.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/streams/readable-streams/garbage-collection.any.js@@ -1,8 +1,8 @@-// META: global=window,worker,jsshell+// META: global=window,worker // META: script=../resources/test-utils.js 'use strict';-promise_test(() => {+promise_test(async () => {   let controller;   new ReadableStream({@@ -11,7 +11,7 @@     }   });-  garbageCollect();+  await garbageCollect();   return delay(50).then(() => {     controller.close();@@ -22,7 +22,7 @@ }, 'ReadableStreamController methods should continue working properly when scripts lose their reference to the ' +    'readable stream');-promise_test(() => {+promise_test(async () => {   let controller;@@ -32,13 +32,13 @@     }   }).getReader().closed;-  garbageCollect();+  await garbageCollect();   return delay(50).then(() => controller.close()).then(() => closedPromise); }, 'ReadableStream closed promise should fulfill even if the stream and reader JS references are lost');-promise_test(t => {+promise_test(async t => {   const theError = new Error('boo');   let controller;@@ -49,20 +49,20 @@     }   }).getReader().closed;-  garbageCollect();+  await garbageCollect();   return delay(50).then(() => controller.error(theError))                   .then(() => promise_rejects_exactly(t, theError, closedPromise)); }, 'ReadableStream closed promise should reject even if stream and reader JS references are lost');-promise_test(() => {+promise_test(async () => {   const rs = new ReadableStream({});   rs.getReader();-  garbageCollect();+  await garbageCollect();   return delay(50).then(() => assert_throws_js(TypeError, () => rs.getReader(),     'old reader should still be locking the stream even after garbage collection'));
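Review bot: The first hunk drops `jsshell` from `// META: global=window,worker,jsshell` with no explanation, which removes these tests from shell runs; if the reason is that the awaited `garbageCollect()` is not usable there, say so in a comment next to the META line. The callbacks are now `async` but still `return delay(50).then(...)`, so awaiting the delay as well would keep one style per test.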
AI Analysis
After analyzing the provided code diff, here are the potential security vulnerabilities identified:

1. Vulnerability Existed: not sure  
   Potential Timing Vulnerability [File] [Lines 11, 32, 49, 64]  
   [Old Code]  
   ```javascript
   garbageCollect();
   ```  
   [Fixed Code]  
   ```javascript
   await garbageCollect();
   ```  
   Additional Details: The change adds `await` to garbage collection calls, which might indicate a fix for potential race conditions where operations were being performed before garbage collection completed. However, without more context about the `garbageCollect()` implementation, this is uncertain.

2. Vulnerability Existed: not sure  
   Potential Resource Management Issue [File] [Lines 1]  
   [Old Code]  
   ```javascript
   // META: global=window,worker,jsshell
   ```  
   [Fixed Code]  
   ```javascript
   // META: global=window,worker
   ```  
   Additional Details: The removal of 'jsshell' from the test environments might indicate a security-related change, possibly to prevent testing in less secure environments, but this is speculative without more context.

Note: The changes primarily appear to be test improvements rather than direct security fixes. The main modifications involve adding proper async/await patterns to ensure garbage collection completes before subsequent operations, which could prevent race conditions but isn't clearly a security vulnerability. The removal of 'jsshell' environment might be security-related but isn't definitively so based on the given information.
CVE Analysis Results:
CVE-2022-26384: No
devtools/server/actors/inspector/node.js AI: 2 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/server/actors/inspector/node.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/server/actors/inspector/node.js@@ -21,16 +21,17 @@ loader.lazyRequireGetter(   this,   [+    "getShadowRootMode",     "isAfterPseudoElement",     "isAnonymous",     "isBeforePseudoElement",     "isDirectShadowHostChild",+    "isFrameBlockedByCSP",+    "isFrameWithChildTarget",     "isMarkerPseudoElement",     "isNativeAnonymous",     "isShadowHost",     "isShadowRoot",-    "getShadowRootMode",-    "isFrameWithChildTarget",   ],   "devtools/shared/layout/utils",   true@@ -95,6 +96,9 @@     this.walker = walker;     this.rawNode = node;     this._eventCollector = new EventCollector(this.walker.targetActor);+    // Map<id -> nsIEventListenerInfo> that we maintain to be able to disable/re-enable event listeners+    // The id is generated from getEventListenerInfo+    this._nsIEventListenersInfo = new Map();     // Store the original display type and scrollable state and whether or not the node is     // displayed to track changes when reflows occur.@@ -157,6 +161,22 @@     if (this._waitForFrameLoadIntervalId) {       clearInterval(this._waitForFrameLoadIntervalId);       this._waitForFrameLoadIntervalId = null;+    }++    if (this._nsIEventListenersInfo) {+      // Re-enable all event listeners that we might have disabled+      for (const nsIEventListenerInfo of this._nsIEventListenersInfo.values()) {+        // If event listeners/node don't exist anymore, accessing nsIEventListenerInfo.enabled+        // will throw.+        try {+          if (!nsIEventListenerInfo.enabled) {+            nsIEventListenerInfo.enabled = true;+          }+        } catch (e) {+          // ignore+        }+      }+      this._nsIEventListenersInfo = null;     }     this._eventCollector.destroy();@@ -222,6 +242,10 @@       
form.isDocumentElement = true;     }+    if (isFrameBlockedByCSP(this.rawNode)) {+      form.numChildren = 0;+    }+     // Flag the node if a different walker is needed to retrieve its children (i.e. if     // this is a remote frame, or if it's an iframe and we're creating targets for every iframes)     if (this.useChildTargetToFetchChildren) {@@ -560,7 +584,56 @@    * Get all event listeners that are listening on this node.    */   getEventListenerInfo: function() {-    return this._eventCollector.getEventListeners(this.rawNode);+    this._nsIEventListenersInfo.clear();++    const eventListenersData = this._eventCollector.getEventListeners(+      this.rawNode+    );+    let counter = 0;+    for (const eventListenerData of eventListenersData) {+      if (eventListenerData.nsIEventListenerInfo) {+        const id = `event-listener-info-${++counter}`;+        this._nsIEventListenersInfo.set(+          id,+          eventListenerData.nsIEventListenerInfo+        );++        eventListenerData.eventListenerInfoId = id;+        // remove the nsIEventListenerInfo since we don't want to send it to the client.+        delete eventListenerData.nsIEventListenerInfo;+      }+    }+    return eventListenersData;+  },++  /**+   * Disable a specific event listener given its associated id+   *+   * @param {String} eventListenerInfoId+   */+  disableEventListener: function(eventListenerInfoId) {+    const nsEventListenerInfo = this._nsIEventListenersInfo.get(+      eventListenerInfoId+    );+    if (!nsEventListenerInfo) {+      throw new Error("Unkown nsEventListenerInfo");+    }+    nsEventListenerInfo.enabled = false;+  },++  /**+   * (Re-)enable a specific event listener given its associated id+   *+   * @param {String} eventListenerInfoId+   */+  enableEventListener: function(eventListenerInfoId) {+    const nsEventListenerInfo = this._nsIEventListenersInfo.get(+      eventListenerInfoId+    );+    if (!nsEventListenerInfo) {+      throw new Error("Unkown 
nsEventListenerInfo");+    }+    nsEventListenerInfo.enabled = true;   },   /**
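Review bot: In the `@@ -157,6 +161,22 @@` hunk, `destroy()` finishes the new block with `this._nsIEventListenersInfo = null;`, yet `getEventListenerInfo()` calls `.clear()` on that field and `disableEventListener()` / `enableEventListener()` call `.get()` on it with no null check. Any of the three invoked on an already destroyed actor throws a TypeError instead of the intended "Unkown nsEventListenerInfo" error. Either guard the three methods or clear the map in `destroy()` rather than nulling it.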
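Review bot: In the `@@ -560,7 +584,56 @@` hunk, `getEventListenerInfo()` opens with `this._nsIEventListenersInfo.clear()` and drops the previous entries without re-enabling them, so a listener disabled through `disableEventListener()` is no longer reachable under its old id, and the re-enable loop in `destroy()` will not see it unless the fresh `getEventListeners()` result returns it again. Ids are also regenerated from a per-call counter (`event-listener-info-${++counter}`), so an id the client kept from an earlier call can resolve to a different listener if the set or order of listeners changed in between. Suggest re-enabling disabled entries before clearing, or keeping ids stable across calls. The error string "Unkown nsEventListenerInfo" is misspelled in both new methods.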
AI Analysis
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: yes  
   Event Listener Manipulation Security Issue [File] [Lines 95-98, 157-176, 560-618]  
   [Old Code]  
   No explicit handling of event listener state management  
   [Fixed Code]  
   Added proper management of event listeners with `_nsIEventListenersInfo` map, including cleanup and re-enabling of listeners during destruction. Added methods to properly enable/disable specific listeners with validation.

2. Vulnerability Existed: yes  
   CSP Frame Blocking Bypass [File] [Lines 242-244]  
   [Old Code]  
   No handling of frames blocked by CSP  
   [Fixed Code]  
   Added check for `isFrameBlockedByCSP()` and sets `numChildren = 0` for blocked frames to prevent potential bypass attempts.

3. Vulnerability Existed: not sure  
   Import Ordering Security Implication [File] [Lines 21-33]  
   [Old Code]  
   Different import order of layout utilities  
   [Fixed Code]  
   Reordered imports (including adding `getShadowRootMode` and `isFrameBlockedByCSP` at top). While this might have security implications, it's not clear if this was specifically for security reasons.

The most significant security fixes appear to be:
1. Proper management of event listeners to prevent potential manipulation issues
2. Explicit handling of CSP-blocked frames to prevent bypass attempts

The import reordering might be related to security (since security-related utilities were moved up), but without more context this is uncertain.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
testing/web-platform/tests/css/css-backgrounds/box-shadow-041.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-backgrounds/box-shadow-041.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-backgrounds/box-shadow-041.html@@ -8,7 +8,6 @@   <link rel="help" href="https://www.w3.org/TR/css-backgrounds-3/#the-box-shadow">   <link rel="match" href="reference/box-shadow-041-ref.html">-  <meta content="" name="flags">   <!--
AI Analysis
Analyzing the provided code diff, here's the security analysis:

Vulnerability Existed: no
[No specific vulnerability found] [testing/web-platform/tests/css/css-backgrounds/box-shadow-041.html] [Lines 8]
[Old Code: <meta content="" name="flags">]
[Fixed Code: [line removed]]

Additional Details:
- This appears to be a simple cleanup of an empty meta tag rather than a security fix
- The removed meta tag wasn't serving any security-relevant purpose
- No known vulnerabilities are associated with empty meta tags in this context
- The change is more likely related to test cleanup than security hardening

No other vulnerabilities were identified in this small diff. The modification doesn't appear to address any security issues but rather removes an unnecessary HTML element from a test file.
CVE Analysis Results:
CVE-2022-26384: No
dom/base/nsContentPermissionHelper.cpp AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/base/nsContentPermissionHelper.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/base/nsContentPermissionHelper.cpp@@ -291,9 +291,6 @@         &isRequestDelegatedToUnsafeThirdParty);     NS_ENSURE_SUCCESS(rv, rv);-    ContentChild::GetSingleton()->SetEventTargetForActor(-        req, aWindow->EventTargetFor(TaskCategory::Other));-     req->IPDLAddRef();     ContentChild::GetSingleton()->SendPContentPermissionRequestConstructor(         req, permArray, IPC::Principal(principal),
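Review bot: With the `SetEventTargetForActor(req, aWindow->EventTargetFor(TaskCategory::Other))` call removed just ahead of `SendPContentPermissionRequestConstructor`, nothing in the hunk says which event target the `req` actor now receives its messages on. A one-line comment, or a reference in the commit message stating that the default target is intended, would show that the removal is a deliberate cleanup and not an accidental drop.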
AI Analysis
I'll analyze the provided code diff for security fixes following the specified format.

Vulnerability Existed: not sure
Potential Race Condition or Actor Management Issue [dom/base/nsContentPermissionHelper.cpp] [Lines 291-293]
[Old Code]
ContentChild::GetSingleton()->SetEventTargetForActor(
    req, aWindow->EventTargetFor(TaskCategory::Other));

[Fixed Code]
(removed)

Additional Details:
The removed code was setting an event target for an actor before sending a permission request. While the exact vulnerability isn't clear from this diff alone, the removal suggests there might have been:
1. A potential race condition in actor initialization
2. A possible incorrect event target assignment that could lead to thread safety issues
3. Redundant or problematic actor management code

However, without more context about the surrounding code or the specific security issue being addressed, I can't definitively identify the vulnerability. The change appears to be related to how IPC (Inter-Process Communication) actors are managed in Firefox's permission system.
CVE Analysis Results:
CVE-2022-26384: No
devtools/client/debugger/dist/vendors.js AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/dist/vendors.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/dist/vendors.js@@ -1287,8 +1287,6 @@ var _classnames = _interopRequireDefault(__webpack_require__(943));-var _lodashMove = _interopRequireDefault(__webpack_require__(948));- function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }@@ -1319,7 +1317,6 @@   classnames: _classnames.default,   "devtools-utils": devtoolsUtils,   "fuzzaldrin-plus": fuzzaldrinPlus,-  "lodash-move": _lodashMove.default,   "react-aria-components/src/tabs": reactAriaComponentsTabs,   "react-transition-group/Transition": transition };@@ -2770,44 +2767,6 @@ /***/ }),-/***/ 948:-/***/ (function(module, exports, __webpack_require__) {--"use strict";---Object.defineProperty(exports, "__esModule", {-  value: true-});-exports.default = move;--function _toConsumableArray(arr) { if (Array.isArray(arr)) { for (var i = 0, arr2 = Array(arr.length); i < arr.length; i++) { arr2[i] = arr[i]; } return arr2; } else { return Array.from(arr); } }--function move(array, moveIndex, toIndex) {-  /* #move - Moves an array item from one position in an array to another.-      Note: This is a pure function so a new array will be returned, instead-     of altering the array argument.-     Arguments:-    1. array     (String) : Array in which to move an item.         (required)-    2. moveIndex (Object) : The index of the item to move.          (required)-    3. 
toIndex   (Object) : The index to move item at moveIndex to. (required)-  */-  var item = array[moveIndex];-  var length = array.length;-  var diff = moveIndex - toIndex;--  if (diff > 0) {-    // move left-    return [].concat(_toConsumableArray(array.slice(0, toIndex)), [item], _toConsumableArray(array.slice(toIndex, moveIndex)), _toConsumableArray(array.slice(moveIndex + 1, length)));-  } else if (diff < 0) {-    // move right-    return [].concat(_toConsumableArray(array.slice(0, moveIndex)), _toConsumableArray(array.slice(moveIndex + 1, toIndex + 1)), [item], _toConsumableArray(array.slice(toIndex + 1, length)));-  }-  return array;-}--/***/ }),- /***/ 957: /***/ (function(module, exports) {
AI Analysis
Here's the analysis of the provided code diff:

1. Vulnerability Existed: not sure  
   [Removal of lodash-move dependency] [devtools/client/debugger/dist/vendors.js] [Lines 1287, 1319, 2770-2767]  
   [Old Code]  
   ```
   var _lodashMove = _interopRequireDefault(__webpack_require__(948));
   ...
   "lodash-move": _lodashMove.default,
   ...
   /***/ 948: (function with move implementation)
   ```
   [Fixed Code]  
   ```
   (removed entirely)
   ```

Additional Details:
- The diff shows removal of the `lodash-move` dependency and its implementation
- While this appears to be a dependency cleanup, I can't determine if there was a specific security vulnerability being fixed
- The removal could be related to security concerns about the dependency itself or its implementation, but without more context, this is uncertain
- The move function implementation that was removed appears to be a standard array manipulation utility without obvious security issues in its implementation
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/css/css-fonts/first-available-font-003.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-fonts/first-available-font-003.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-fonts/first-available-font-003.html@@ -5,7 +5,6 @@ <link rel="help" href="https://drafts.csswg.org/css-fonts-3/#first-available-font"> <link rel="help" href="https://drafts.csswg.org/css-fonts-4/#first-available-font"> <link rel="match" href="first-available-font-003-ref.html">-<meta name="flags" content=""> <meta name="assert" content="The strut, which impacts the line height, is taken from the primary font, which is the first font to include the U+0020 character."> <style> /* Two arbitrary fonts with different metrics */
AI Analysis
Let me analyze the provided code diff for security fixes.

Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/css/css-fonts/first-available-font-003.html [Lines] 5
[Old Code]
<meta name="flags" content="">
[Fixed Code]
(removed line)

Additional Details:
1. The change simply removes an empty meta tag for "flags" which doesn't appear to have any security implications.
2. This appears to be a test file cleanup rather than a security fix.
3. No actual security vulnerabilities are being addressed in this diff.
4. The modification doesn't affect any security-sensitive functionality or introduce any security controls.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/streams/piping/error-propagation-backward.any.js AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/streams/piping/error-propagation-backward.any.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/streams/piping/error-propagation-backward.any.js@@ -1,4 +1,4 @@-// META: global=window,worker,jsshell+// META: global=window,worker // META: script=../resources/test-utils.js // META: script=../resources/recording-streams.js 'use strict';
AI Analysis
Let me analyze the provided code diff for security fixes.

Vulnerability Existed: not sure
[Removal of jsshell global context] [testing/web-platform/tests/streams/piping/error-propagation-backward.any.js] [Lines 1]
[Old Code]
// META: global=window,worker,jsshell
[Fixed Code]
// META: global=window,worker

Additional Details:
The change removes 'jsshell' from the list of global contexts where this test should run. This could be related to security if the jsshell environment had specific vulnerabilities that needed to be isolated from these tests. However, without more context about why this change was made, I can't be certain if this was specifically for security reasons or just a test scope adjustment. The removal could potentially limit the attack surface by reducing the contexts where the code runs.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/css/mediaqueries/device-aspect-ratio-001.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/mediaqueries/device-aspect-ratio-001.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/mediaqueries/device-aspect-ratio-001.html@@ -5,7 +5,6 @@ <link rel="author" title="Xin Liu" href="mailto:[email protected]"> <link rel="help" title="4.7. device-aspect-ratio" href="http://www.w3.org/TR/css3-mediaqueries/#device-aspect-ratio"> <link rel="match" href="../reference/ref-filled-green-100px-square.xht">-<meta name="flags" content=""> <meta name="assert" content="The 'device-aspect-ratio' property with prefix 'max' set '1281/1024' means that the maximum of ratio is '1281/1024', only and only if the device value of 'width' to value of 'height' is lower than value of 'max-device-aspect-ratio', the style sheet will be applied."> <style>   div {
AI Analysis
Based on the provided diff, I'll analyze it for security vulnerabilities:

Vulnerability Existed: no
No security vulnerability found [File] testing/web-platform/tests/css/mediaqueries/device-aspect-ratio-001.html [Lines 5]
[Old Code] <meta name="flags" content="">
[Fixed Code] (line removed)

Additional Details:
The change simply removes an empty meta tag for "flags" which appears to be test-related metadata. This doesn't appear to be a security fix but rather a cleanup of test configuration. There's no indication of any vulnerability being addressed here - no sensitive data exposure, no injection vectors, no security-related functionality being modified. The change is purely removing an unused or unnecessary test configuration element.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/ellipse/shape-outside-ellipse-049.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/ellipse/shape-outside-ellipse-049.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/ellipse/shape-outside-ellipse-049.html@@ -9,7 +9,6 @@   <link rel="author" title="Mozilla" href="http://www.mozilla.org/">   <link rel="help" href="https://drafts.csswg.org/css-shapes-1/#supported-basic-shapes">   <link rel="match" href="reference/shape-outside-ellipse-049-ref.html">-  <meta name="flags" content="">   <meta name="assert" content="Test the boxes are wrapping around the right float shape defined by the basic shape ellipse(closest-side farthest-side at left 40px top 60px) border-box">   <style>   .container {
AI Analysis
Based on the provided code diff, here's the analysis:

Vulnerability Existed: no
No security vulnerability found [File] [Lines 9]
[Old Code]
<meta name="flags" content="">
[Fixed Code]
(removed line)

Additional Details:
The diff shows only the removal of an empty meta "flags" tag, which appears to be a test configuration or metadata cleanup rather than a security fix. There are no apparent security vulnerabilities being addressed in this change. The modification is likely related to test suite maintenance or standardization.
CVE Analysis Results:
CVE-2022-26384: No
dom/streams/WritableStreamDefaultController.cpp AI: 1 vulnerability
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/streams/WritableStreamDefaultController.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/streams/WritableStreamDefaultController.cpp@@ -139,8 +139,9 @@       WritableStreamDefaultController* aController)       : PromiseNativeHandler(), mController(aController) {}-  MOZ_CAN_RUN_SCRIPT void ResolvedCallback(-      JSContext* aCx, JS::Handle<JS::Value> aValue) override {+  MOZ_CAN_RUN_SCRIPT void ResolvedCallback(JSContext* aCx,+                                           JS::Handle<JS::Value> aValue,+                                           ErrorResult& aRv) override {     // https://streams.spec.whatwg.org/#set-up-writable-stream-default-controller     // Step 17. Upon fulfillment of startPromise,     // Step 17.1. Assert: stream.[[state]] is "writable" or "erroring".@@ -152,16 +153,13 @@     mController->SetStarted(true);     // Step 17.3 Perform     // ! WritableStreamDefaultControllerAdvanceQueueIfNeeded(controller).-    IgnoredErrorResult rv;     WritableStreamDefaultControllerAdvanceQueueIfNeeded(-        aCx, MOZ_KnownLive(mController), rv);-    if (rv.MaybeSetPendingException(aCx)) {-      return;-    }-  }--  MOZ_CAN_RUN_SCRIPT void RejectedCallback(-      JSContext* aCx, JS::Handle<JS::Value> aValue) override {+        aCx, MOZ_KnownLive(mController), aRv);+  }++  MOZ_CAN_RUN_SCRIPT void RejectedCallback(JSContext* aCx,+                                           JS::Handle<JS::Value> aValue,+                                           ErrorResult& aRv) override {     // https://streams.spec.whatwg.org/#set-up-writable-stream-default-controller     RefPtr<WritableStream> stream = mController->Stream();     // Step 18. Upon rejection of startPromise with reason r,@@ -171,11 +169,7 @@     // Step 18.2. Set controller.[[started]] to true.     
mController->SetStarted(true);     // Step 18.3. Perform ! WritableStreamDealWithRejection(stream, r).-    IgnoredErrorResult rv;-    stream->DealWithRejection(aCx, aValue, rv);-    if (rv.MaybeSetPendingException(aCx)) {-      return;-    }+    stream->DealWithRejection(aCx, aValue, aRv);   } };@@ -326,7 +320,8 @@       WritableStreamDefaultController* aController)       : PromiseNativeHandler(), mController(aController) {}-  void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override {+  void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+                        ErrorResult& aRv) override {     // https://streams.spec.whatwg.org/#writable-stream-default-controller-process-close     RefPtr<WritableStream> stream = mController->Stream();     // Step 7. Upon fulfillment of sinkClosePromise,@@ -334,16 +329,16 @@     stream->FinishInFlightClose();   }-  MOZ_CAN_RUN_SCRIPT void RejectedCallback(-      JSContext* aCx, JS::Handle<JS::Value> aValue) override {+  MOZ_CAN_RUN_SCRIPT void RejectedCallback(JSContext* aCx,+                                           JS::Handle<JS::Value> aValue,+                                           ErrorResult& aRv) override {     // https://streams.spec.whatwg.org/#writable-stream-default-controller-process-close     RefPtr<WritableStream> stream = mController->Stream();     // Step 8. Upon rejection of sinkClosePromise with reason reason,     // Step 8.1. Perform ! WritableStreamFinishInFlightCloseWithError(stream,     // reason).-    IgnoredErrorResult rv;-    stream->FinishInFlightCloseWithError(aCx, aValue, rv);-    NS_WARNING_ASSERTION(!rv.Failed(), "FinishInFlightCloseWithError failed");++    stream->FinishInFlightCloseWithError(aCx, aValue, aRv);   }  private:@@ -385,6 +380,10 @@                      : Promise::CreateResolvedWithUndefined(                            aController->GetParentObject(), aRv);+  if (aRv.Failed()) {+    return;+  }+   // Step 6. Perform !   
// WritableStreamDefaultControllerClearAlgorithms(controller).   aController->ClearAlgorithms();@@ -410,8 +409,9 @@       WritableStreamDefaultController* aController)       : PromiseNativeHandler(), mController(aController) {}-  MOZ_CAN_RUN_SCRIPT void ResolvedCallback(-      JSContext* aCx, JS::Handle<JS::Value> aValue) override {+  MOZ_CAN_RUN_SCRIPT void ResolvedCallback(JSContext* aCx,+                                           JS::Handle<JS::Value> aValue,+                                           ErrorResult& aRv) override {     // https://streams.spec.whatwg.org/#writable-stream-default-controller-process-write     RefPtr<WritableStream> stream = mController->Stream();@@ -438,25 +438,21 @@       bool backpressure = mController->GetBackpressure();       // Step 4.5.2. Perform ! WritableStreamUpdateBackpressure(stream,       // backpressure).-      IgnoredErrorResult rv;-      stream->UpdateBackpressure(backpressure, rv);-      // XXX Not Sure How To Handle Errors Inside Native Callbacks,-      NS_WARNING_ASSERTION(!rv.Failed(), "UpdateBackpressure failed");+      stream->UpdateBackpressure(backpressure, aRv);+      if (aRv.Failed()) {+        return;+      }     }     // Step 4.6. Perform !     
// WritableStreamDefaultControllerAdvanceQueueIfNeeded(controller).-    IgnoredErrorResult rv;     WritableStreamDefaultControllerAdvanceQueueIfNeeded(-        aCx, MOZ_KnownLive(mController), rv);-    // XXX Not Sure How To Handle Errors Inside Native Callbacks,-    NS_WARNING_ASSERTION(-        !rv.Failed(),-        "WritableStreamDefaultControllerAdvanceQueueIfNeeded failed");-  }--  MOZ_CAN_RUN_SCRIPT void RejectedCallback(-      JSContext* aCx, JS::Handle<JS::Value> aValue) override {+        aCx, MOZ_KnownLive(mController), aRv);+  }++  MOZ_CAN_RUN_SCRIPT void RejectedCallback(JSContext* aCx,+                                           JS::Handle<JS::Value> aValue,+                                           ErrorResult& aRv) override {     // https://streams.spec.whatwg.org/#writable-stream-default-controller-process-write     RefPtr<WritableStream> stream = mController->Stream();@@ -468,10 +464,8 @@     // Step 5.2. Perform ! WritableStreamFinishInFlightWriteWithError(stream,     // reason)-    IgnoredErrorResult rv;-    stream->FinishInFlightWriteWithError(aCx, aValue, rv);-    // XXX Not Sure How To Handle Errors Inside Native Callbacks,-    NS_WARNING_ASSERTION(!rv.Failed(), "FinishInFlightWriteWithError failed");++    stream->FinishInFlightWriteWithError(aCx, aValue, aRv);   } };
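Review bot: The new `if (aRv.Failed()) { return; }` in the `@@ -385,6 +380,10 @@` hunk returns before `aController->ClearAlgorithms()` (Step 6), so when creating the sink close promise fails the controller keeps its algorithms. If that is intended, say so in a comment next to the check; otherwise clear the algorithms before returning.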
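Review bot: The removed `// XXX Not Sure How To Handle Errors Inside Native Callbacks` comments in the `@@ -438,25 +438,21 @@` and `@@ -468,10 +464,8 @@` hunks are not replaced by anything stating what the caller does with a failed `aRv`, although every callback now hands its failure to the caller through the new `ErrorResult& aRv` parameter instead of a local `IgnoredErrorResult`. A short comment on the handler contract (who reports or suppresses the error) would document that behaviour change. In the `@@ -326,7 +320,8 @@` hunk, `ResolvedCallback` accepts `aRv` but the visible body never touches it; that is fine for the override, but worth a note that `FinishInFlightClose()` cannot fail.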
AI Analysis
I'll analyze the code diff and provide the security findings following the specified format.

1. Vulnerability Existed: yes
Error Handling Vulnerability [dom/streams/WritableStreamDefaultController.cpp] [Lines 139-171, 326-340, 385-389, 409-471]
[Old Code]
- Uses IgnoredErrorResult locally and doesn't properly propagate errors
- Has NS_WARNING_ASSERTION for error cases but continues execution
- Missing early returns on error conditions

[Fixed Code]
- Added ErrorResult& parameter to propagate errors properly
- Removed IgnoredErrorResult in favor of passed ErrorResult
- Added early returns when aRv.Failed() is true
- More consistent error handling throughout callbacks

2. Vulnerability Existed: not sure
Potential Memory Safety Issue [dom/streams/WritableStreamDefaultController.cpp] [Lines 139-171]
[Old Code]
- Uses MOZ_KnownLive without clear lifetime guarantees
- Error conditions might lead to unsafe continuation

[Fixed Code]
- Still uses MOZ_KnownLive but with better error handling
- More controlled flow when errors occur
- Still not entirely clear about object lifetime guarantees

The main security improvement is in the error handling changes. The old code was ignoring errors in many cases (using IgnoredErrorResult) and continuing execution despite potential failures. The new code properly propagates errors through the ErrorResult parameter and handles them more consistently, which prevents potential security issues that could arise from continuing execution in an inconsistent state.

The memory safety aspect is less clear - while the changes improve error handling, it's not certain whether there were actual memory safety vulnerabilities being fixed or if this was just defensive programming.
CVE Analysis Results:
CVE-2022-26384: No