Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.strokeRect.nonfinite.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.strokeRect.nonfinite.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -43,7 +43,7 @@ ctx.strokeRect(0, Infinity, Infinity, Infinity); ctx.strokeRect(0, Infinity, 100, Infinity); ctx.strokeRect(0, 0, Infinity, Infinity);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't affect security. Here's the analysis:

1. Vulnerability Existed: no
   No security vulnerability found
   [File] testing/web-platform/tests/html/canvas/offscreen/drawing-rectangles-to-the-canvas/2d.strokeRect.nonfinite.worker.js
   [Lines] 13-14, 43
   [Old Code]
   var offscreenCanvas = new OffscreenCanvas(100, 50);
   var ctx = offscreenCanvas.getContext('2d');
   _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
   [Fixed Code]
   var canvas = new OffscreenCanvas(100, 50);
   var ctx = canvas.getContext('2d');
   _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");

The changes simply rename the variable `offscreenCanvas` to `canvas` and update the references to it. There are no security implications to this change.
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/platforms/ffmpeg/ffmpeg58/include/libavutil/hwcontext_vaapi.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/platforms/ffmpeg/ffmpeg58/include/libavutil/hwcontext_vaapi.h@@ -19,15 +19,7 @@ #ifndef AVUTIL_HWCONTEXT_VAAPI_H #define AVUTIL_HWCONTEXT_VAAPI_H-//#include <va/va.h>--// We can't use <va/va.h> in Mozilla build roots so forward-declare needed-// structures here.-struct VASurfaceAttrib;-typedef unsigned int VAGenericID;-typedef VAGenericID VAConfigID;-typedef VAGenericID VASurfaceID;-typedef void* VADisplay;+#include "va/va.h" /** * @file
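Review bot: Replacing the forward declarations (`struct VASurfaceAttrib;`, the `VAGenericID`/`VAConfigID`/`VASurfaceID` typedefs and `typedef void* VADisplay;`) with `#include "va/va.h"` contradicts the removed comment that `<va/va.h>` cannot be used in Mozilla build roots; the commit should document why that restriction no longer holds (for example, how the libva headers are now made available to this build). Note also that the new include uses quotes where the commented-out original used angle brackets, which changes the header search order; confirm that is intended rather than incidental.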
Based on the provided diff, here's the analysis following the required format:

Vulnerability Existed: not sure
[Potential Header Inclusion Issue]
[dom/media/platforms/ffmpeg/ffmpeg58/include/libavutil/hwcontext_vaapi.h]
[Lines 19-27]
[Old Code]
//#include <va/va.h>
// We can't use <va/va.h> in Mozilla build roots so forward-declare needed
// structures here.
struct VASurfaceAttrib;
typedef unsigned int VAGenericID;
typedef VAGenericID VAConfigID;
typedef VAGenericID VASurfaceID;
typedef void* VADisplay;
[Fixed Code]
#include "va/va.h"

Additional Details:
- The change replaces manual forward declarations with proper header inclusion
- This could potentially fix issues related to type mismatches or incomplete type definitions
- Without more context about the build environment or specific issues encountered, we can't be certain if this was fixing a security vulnerability or just a build/maintenance improvement
- The change suggests the build environment restrictions that previously prevented including va.h directly have been resolved
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-21b.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-21b.xml@@ -7,7 +7,6 @@ <link rel="author" title="Daniel Glazman" href="http://glazman.org/"/> <link rel="author" title="Ian Hickson" href="mailto:[email protected]"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->- <meta name="flags" content="" /> </head> <body> <p>This paragraph should be green.</p>
Based on the provided diff, here's the analysis:

Vulnerability Existed: no
[No specific vulnerability found]
[testing/web-platform/tests/css/selectors/old-tests/css3-modsel-21b.xml]
[Lines 7]
[Old Code]
<meta name="flags" content="" />
[Fixed Code]
[removed line]

Additional details:
- The change simply removes an empty meta tag with a "flags" attribute
- This appears to be test cleanup rather than a security fix
- No known vulnerability is associated with this change
- The modification is likely related to test configuration rather than security

The diff shows no evidence of any security vulnerability being fixed. The change is minor and appears to be test maintenance rather than addressing any security issue.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/bumpalo/CHANGELOG.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/bumpalo/CHANGELOG.md@@ -25,6 +25,30 @@ ### Security * TODO (or remove section if none)++--------------------------------------------------------------------------------++## 3.9.1++Released 2022-01-06.++### Fixed++* Fixed link to logo in docs and README.md++--------------------------------------------------------------------------------++## 3.9.0++Released 2022-01-05.++### Changed++* The minimum supported Rust version (MSRV) has been raised to Rust 1.54.0.++* `bumpalo::collections::Vec<T>` implements relevant traits for all arrays of+ any size `N` via const generics. Previously, it was just arrays up to length+ 32. Similar for `bumpalo::boxed::Box<[T; N]>`. --------------------------------------------------------------------------------
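Review bot: The `### Security` heading at the top of the hunk still carries the `* TODO (or remove section if none)` placeholder while the 3.9.1 and 3.9.0 entries added below it have their sections filled in; the placeholder should be completed or removed as its own text instructs, because a vendored changelog left with an open security TODO is easy to misread during triage.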
Based on the provided diff content, which only shows changes to a CHANGELOG.md file, I can analyze that:

1. The diff shows updates to version history documentation
2. There are no actual code changes shown
3. The security section remains empty (still shows "TODO")
4. The changes mention documentation fixes and feature updates, not security fixes

Therefore:

Vulnerability Existed: no
No code vulnerabilities shown in CHANGELOG update
[third_party/rust/bumpalo/CHANGELOG.md]
[Lines 25-30]
[Old Code: * TODO (or remove section if none)]
[Fixed Code: * TODO (or remove section if none)]

Note: The diff doesn't show any actual security fixes or vulnerability patches - it's purely documentation updates and version history. The security section remains unchanged. Without seeing actual code changes, we cannot identify any security vulnerabilities from this diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-backgrounds/background-clip-007.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-backgrounds/background-clip-007.html@@ -7,7 +7,6 @@ <link rel="author" title="Gérard Talbot" href="http://www.gtalbot.org/BrowserBugsSection/css21testsuite/" /> <link rel="reviewer" title="Arron Eicholz" href="mailto:[email protected]" /> <!-- 2012-10-27 --> <link rel="help" href="http://www.w3.org/TR/css3-background/#the-background-clip">- <meta name="flags" content=""> <meta name="assert" content="When 'background-clip' is set to 'content-box', then the background-color shines only through the content area; it does not shine through the padding area nor the border area."> <link rel="match" href="reference/ref-if-there-is-no-red.xht"> <style>
Analyzing the provided code diff, here's the security assessment:

1. Vulnerability Existed: no
   No security vulnerability found
   [File] testing/web-platform/tests/css/css-backgrounds/background-clip-007.html
   [Lines] 7
   [Old Code]
   <meta name="flags" content="">
   [Fixed Code]
   (line removed)

Additional Details:
- The change simply removes an empty meta tag for "flags" which doesn't appear to have any security implications
- This seems to be a test file cleanup rather than a security fix
- No known vulnerability is associated with this change
- The modification doesn't affect any security-sensitive functionality

The diff shows only this single change, which doesn't appear to be security-related. The file is a test case for CSS background clipping behavior, and the modification is removing an unused/empty metadata field.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/layers/ipc/SharedSurfacesParent.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/layers/ipc/SharedSurfacesParent.h@@ -9,7 +9,7 @@ #include <stdint.h> // for uint32_t #include "mozilla/Attributes.h" // for override-#include "mozilla/StaticMutex.h" // for StaticMutex+#include "mozilla/StaticMonitor.h" // for StaticMutex #include "mozilla/StaticPtr.h" // for StaticAutoPtr #include "mozilla/RefPtr.h" // for already_AddRefed #include "mozilla/ipc/SharedMemory.h" // for SharedMemory, etc@@ -78,20 +78,20 @@ gfx::SourceSurfaceSharedData* aSurface); static void AddTrackingLocked(gfx::SourceSurfaceSharedDataWrapper* aSurface,- const StaticMutexAutoLock& aAutoLock);+ const StaticMonitorAutoLock& aAutoLock); static void RemoveTrackingLocked( gfx::SourceSurfaceSharedDataWrapper* aSurface,- const StaticMutexAutoLock& aAutoLock);+ const StaticMonitorAutoLock& aAutoLock); static bool AgeOneGenerationLocked( nsTArray<RefPtr<gfx::SourceSurfaceSharedDataWrapper>>& aExpired,- const StaticMutexAutoLock& aAutoLock);+ const StaticMonitorAutoLock& aAutoLock); static void ExpireMap( nsTArray<RefPtr<gfx::SourceSurfaceSharedDataWrapper>>& aExpired);- static StaticMutex sMutex;+ static StaticMonitor sMonitor; static StaticAutoPtr<SharedSurfacesParent> sInstance;@@ -100,28 +100,28 @@ class MappingTracker final : public ExpirationTrackerImpl<gfx::SourceSurfaceSharedDataWrapper, 4,- StaticMutex, StaticMutexAutoLock> {+ StaticMonitor, StaticMonitorAutoLock> { public: explicit MappingTracker(uint32_t aExpirationTimeoutMS, nsIEventTarget* aEventTarget) : ExpirationTrackerImpl<gfx::SourceSurfaceSharedDataWrapper, 4,- StaticMutex, StaticMutexAutoLock>(+ StaticMonitor, StaticMonitorAutoLock>( aExpirationTimeoutMS, "SharedMappingTracker", aEventTarget) {} void TakeExpired( nsTArray<RefPtr<gfx::SourceSurfaceSharedDataWrapper>>& 
aExpired,- const StaticMutexAutoLock& aAutoLock);+ const StaticMonitorAutoLock& aAutoLock); protected: void NotifyExpiredLocked(gfx::SourceSurfaceSharedDataWrapper* aSurface,- const StaticMutexAutoLock& aAutoLock) override;+ const StaticMonitorAutoLock& aAutoLock) override;- void NotifyHandlerEndLocked(const StaticMutexAutoLock& aAutoLock) override {- }+ void NotifyHandlerEndLocked(+ const StaticMonitorAutoLock& aAutoLock) override {} void NotifyHandlerEnd() override;- StaticMutex& GetMutex() override { return sMutex; }+ StaticMonitor& GetMutex() override { return sMonitor; } nsTArray<RefPtr<gfx::SourceSurfaceSharedDataWrapper>> mExpired; };
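Review bot: The trailing comment on the changed include line still reads `// for StaticMutex` although the header is now `mozilla/StaticMonitor.h`; update it to `// for StaticMonitor`. In the same spirit, `StaticMonitor& GetMutex() override { return sMonitor; }` keeps the `GetMutex` name while returning a monitor; if the name is fixed by the `ExpirationTrackerImpl` interface that is fine, but a one-line comment saying so would stop the next reader flagging it.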
Here's the analysis of the provided code diff following the specified format:

1. Vulnerability Existed: not sure
   [Potential Locking Mechanism Change]
   [gfx/layers/ipc/SharedSurfacesParent.h]
   [Lines 9, 78-100]
   [Old Code]
   `#include "mozilla/StaticMutex.h"`
   `StaticMutex sMutex;`
   `StaticMutexAutoLock` used throughout
   [Fixed Code]
   `#include "mozilla/StaticMonitor.h"`
   `StaticMonitor sMonitor;`
   `StaticMonitorAutoLock` used throughout

   Additional Details:
   - The change replaces StaticMutex with StaticMonitor throughout the file
   - While this could indicate a fix for potential deadlock issues or performance improvements, there's no clear evidence of a specific security vulnerability being fixed
   - The change appears to be more about synchronization mechanism improvement than fixing a known vulnerability

2. Vulnerability Existed: not sure
   [Potential Synchronization Issue]
   [gfx/layers/ipc/SharedSurfacesParent.h]
   [Lines 100-122]
   [Old Code]
   `class MappingTracker : public ExpirationTrackerImpl<..., StaticMutex, StaticMutexAutoLock>`
   `StaticMutex& GetMutex() override { return sMutex; }`
   [Fixed Code]
   `class MappingTracker : public ExpirationTrackerImpl<..., StaticMonitor, StaticMonitorAutoLock>`
   `StaticMonitor& GetMutex() override { return sMonitor; }`

   Additional Details:
   - The change updates the base class template parameters and override method to use StaticMonitor instead of StaticMutex
   - This could relate to fixing potential race conditions or improving thread safety, but without more context, we can't confirm if this fixed a specific vulnerability

Note: The diff shows a systematic replacement of mutex-related code with monitor-related code, which typically provides more sophisticated synchronization capabilities. However, without additional context about specific security issues that were addressed, we can only speculate about the security implications of this change.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/taskcluster/ci/test/mochitest.yml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/taskcluster/ci/test/mochitest.yml@@ -12,7 +12,7 @@ default: null tier: by-variant:- fission(-xorigin)?:+ fission-xorigin: by-test-platform: linux.*64.*-qr/debug: 1 default: 2@@ -50,49 +50,90 @@ virtualization: virtual variants: - aab+ - dynamic-first-party-isolation+fission+ - dynamic-first-party-isolation+fission-xorigin - fission - fission-xorigin - socketprocess_networking- - wayland- - webrender-sw- run-on-projects:- by-variant:+ - socketprocess_networking+fission+ - wayland+ - webrender-sw+ - webrender-sw+fission+ - headless+fission+ - headless+socketprocess_networking+ - headless+socketprocess_networking+fission+ run-on-projects:+ by-variant:+ dynamic-first-party-isolation+fission:+ by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['mozilla-central']+ default: []+ dynamic-first-party-isolation+fission-xorigin:+ by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['mozilla-central']+ default: [] fission: by-test-platform:- (linux.*64|macosx.*64|windows10-64-2004)-qr/debug: ['autoland', 'mozilla-central']- (linux.*64|macosx.*64|windows10-64-2004)-qr/opt: ['autoland']- (linux.*64|macosx.*64|windows10-64-2004)-shippable-qr/opt: ['autoland', 'mozilla-central']- linux.*64(-asan|-tsan)-qr/opt: ['autoland', 'mozilla-central']+ android.*: []+ .*-tsan-qr/opt: ['trunk']+ default: built-projects+ fission-xorigin:+ by-test-platform:+ (linux.*64|macosx.*64|windows10.*2004)(-shippable)?-qr/(opt|debug|asan|tsan): ['trunk']+ windows.*64-ccov-qr/opt: ['mozilla-central'] linux.*64-ccov-qr/opt: ['mozilla-central'] default: []- fission-xorigin:- by-test-platform:- (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['trunk']- 
linux.*64-ccov-qr/opt: ['mozilla-central']- default: [] socketprocess_networking: by-test-platform:+ linux.*asan.*: ['trunk']+ linux.*64(-shippable)?-qr/(opt|debug): ['trunk']+ default: []+ socketprocess_networking+fission:+ by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['autoland', 'mozilla-central']+ default: []+ wayland:+ by-test-platform: linux1804-64-qr/debug: built-projects default: []- wayland:+ webrender-sw:+ by-test-platform:+ android-em-7.0-x86_64-qr/debug: built-projects+ linux.*asan.*: ['trunk']+ linux.*64(-shippable)?-qr/(opt|debug): ['trunk']+ default: []+ webrender-sw+fission: by-test-platform: linux1804-64-qr/debug: built-projects default: []- webrender-sw:+ aab: by-test-platform: android-em-7.0-x86_64-qr/debug: built-projects- linux1804-64-qr/debug: built-projects- default: []- aab:- by-test-platform:- android-em-7.0-x86_64-qr/debug: built-projects- default: []- default:- by-test-platform:- .*-tsan-qr/opt: ['trunk']+ default: []+ headless:+ by-test-platform:+ linux.*64(-shippable)?-qr/opt: ['mozilla-central']+ default: []+ headless+fission:+ by-test-platform:+ linux.*64(-shippable)?-qr/opt: ['mozilla-central']+ default: []+ headless+socketprocess_networking:+ by-test-platform:+ linux.*64(-shippable)?-qr/opt: ['mozilla-central']+ default: []+ headless+socketprocess_networking+fission:+ by-test-platform:+ linux.*64(-shippable)?-qr/opt: ['mozilla-central']+ default: []+ default:+ by-test-platform: android-em-7.0-x86_64-qr/debug-isolated-process: []- linux.*64-ccov-qr/opt: []- default: built-projects+ linux1804-64-qr/debug: ['trunk']+ linux1804-64(-shippable|-asan)?-qr/opt: ['trunk']+ android.*: built-projects+ default: []+ chunks: by-test-platform: android-em-7.*: 4@@ -137,7 +178,7 @@ by-variant: socketprocess_networking+1proc: by-test-platform:- linux.*64-qr/debug: built-projects+ linux.*64-qr/debug: ['autoland', 'mozilla-central'] default: [] wayland+1proc: by-test-platform:@@ -162,19 +203,34 @@ 
treeherder-symbol: M(bc) schedules-component: mochitest-browser-chrome loopback-video: true- variants:- - fission- - webrender-sw+ run-without-variant: false+ variants:+ - dynamic-first-party-isolation+fission+ - fission+ - webrender-sw+ - webrender-sw+fission - webrender-sw+a11y-checks- - webrender-sw+fission+ - webrender-sw+a11y-checks+fission - webrender-sw+wayland- run-on-projects:- by-variant:+ - socketprocess_networking+ - socketprocess_networking+fission+ run-on-projects:+ by-variant:+ dynamic-first-party-isolation+fission:+ by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['mozilla-central']+ default: [] fission: by-test-platform:- (windows10-64-2004|macosx.*64)(-shippable)?-qr/(opt|debug): ['trunk']- default: []- webrender-sw:+ android.*: []+ linux.*: [] # linux runs M-swr(bc), not M(bc)+ default: built-projects+ webrender-sw:+ by-test-platform:+ linux1804-64-qr/debug: ['trunk']+ linux1804-64(-shippable|-asan)?-qr/opt: ['trunk']+ default: []+ webrender-sw+fission: by-test-platform: linux.*64(-asan)?-qr/(opt|debug): ['all'] linux.*64-tsan-qr/opt: ['trunk']@@ -187,31 +243,28 @@ by-test-platform: linux.*64(-shippable)?-qr/opt: ['trunk'] default: []- webrender-sw+fission:- by-test-platform:- linux.*64(-asan|-shippable)?-qr/(opt|debug): ['trunk']- linux.*64-ccov-qr/opt: ['mozilla-central']+ webrender-sw+a11y-checks+fission:+ by-test-platform:+ linux.*64(-shippable)?-qr/opt: ['trunk']+ default: []+ socketprocess_networking:+ by-test-platform:+ linux1804-64-qr/debug: ['trunk']+ linux1804-64(-shippable)?-qr/opt: ['trunk']+ default: []+ socketprocess_networking+fission:+ by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): built-projects default: [] webrender-sw+wayland: []- default:- by-test-platform:- linux.*-qr/.*: []- linux.*64-ccov-qr/opt: []- default: built-projects+ default: [] # we don't run linux opt/debug/asan only with M-swr, now with fission this isn't needed tier: by-variant:- 
fission(-xorigin)?:- by-test-platform:- linux.*64-qr/debug: 1- default: 2+ fission(-xorigin)?: default webrender-sw: by-test-platform: linux.*64(-asan|-shippable)?-qr/(opt|debug): 1 default: default- webrender-sw-fission:- by-test-platform:- linux.*64-qr/debug: 1- default: 2 default: default chunks: by-test-platform:@@ -260,10 +313,7 @@ - webrender-sw run-on-projects: by-variant:- socketprocess_networking:- by-test-platform:- linux.*64-qr/debug: built-projects- default: []+ socketprocess_networking: [] wayland: by-test-platform: linux.*64-qr/debug: built-projects@@ -299,34 +349,11 @@ treeherder-symbol: M(ss) loopback-video: true test-manifest-loader: null # don't load tests in the taskgraph- variants:- - fission- - socketprocess_networking- - wayland- - webrender-sw- run-on-projects:- by-variant:- fission: []- socketprocess_networking:- by-test-platform:- linux.*64/debug: ['mozilla-central']- default: []- wayland:- by-test-platform:- linux.*64/debug: ['mozilla-central']- default: []- webrender-sw:- by-test-platform:- linux.*64/debug: ['mozilla-central']- default: []- default:- by-test-platform:- windows7-32(?:-shippable)(?:-qr)?/opt: ['mozilla-central']- windows10-64(?:-shippable)(?:-qr)?/opt: ['mozilla-central']- (?:windows10-64|windows7-32|linux1804-64|macosx1014-64)(?:-qr)?/opt: ['autoland']- linux1804-64-(?:shippable)(?:-qr)?/opt: ['mozilla-central']- macosx.*64-shippable/opt: ['mozilla-central']- default: []+ variants: ["fission"]+ run-on-projects:+ by-test-platform:+ linux1804-64.*/opt: ['trunk']+ default: [] max-run-time: 3600 mozharness: mochitest-flavor: browser@@ -339,15 +366,20 @@ loopback-video: true run-without-variant: false variants:+ - dynamic-first-party-isolation - 1proc - socketprocess_networking+1proc - wayland+1proc - webrender-sw+1proc run-on-projects: by-variant:+ dynamic-first-party-isolation:+ by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['mozilla-central']+ default: [] 
socketprocess_networking+1proc: by-test-platform:- linux.*64-qr/debug: built-projects+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['autoland', 'mozilla-central'] default: [] wayland+1proc: by-test-platform:@@ -388,10 +420,14 @@ loopback-video: true variants: - a11y-checks+ - a11y-checks+fission+ - dynamic-first-party-isolation+fission - fission - socketprocess_networking- - wayland- - webrender-sw+ - socketprocess_networking+fission+ - wayland+ - webrender-sw+ - webrender-sw+fission - devtools-no-eft-no-fission run-on-projects: by-variant:@@ -399,42 +435,52 @@ by-test-platform: linux.*64(-shippable)?-qr/opt: ['trunk'] default: []+ a11y-checks+fission:+ by-test-platform:+ linux.*64(-shippable)?-qr/opt: ['trunk']+ default: [] devtools-no-eft-no-fission: by-test-platform: linux.*64(-shippable)?-qr/opt: ['trunk'] default: []+ dynamic-first-party-isolation+fission:+ by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['mozilla-central']+ default: [] fission: by-test-platform:- linux.*64(-shippable)?-qr/(opt|debug): ['trunk']- windows10-64-2004(-shippable)?-qr/(opt|debug): ['trunk']- linux.*64-ccov-qr/opt: ["mozilla-central"]- default: []- socketprocess_networking:- by-test-platform:- linux.*64-qr/debug: built-projects- default: []- wayland:- by-test-platform:- linux.*64-ccov-qr/opt: []- linux.*64(-shippable)?-qr/(opt|debug): built-projects- default: []- webrender-sw:- by-test-platform:- linux.*64-qr/debug: built-projects- default: []- default:- by-test-platform:+ android.*: [] .*-tsan-qr/opt: ['trunk'] linux.*64-ccov-qr/opt: [] default: built-projects- tier:- by-variant:- fission:- by-test-platform:- linux.*64(-shippable)?-qr/(opt|debug): 1- windows10-64-2004(-shippable)?-qr/(opt|debug): 1- default: 2- default: default+ socketprocess_networking:+ by-test-platform:+ linux1804-64-qr/debug: ['trunk']+ linux1804-64(-shippable)?-qr/opt: ['trunk']+ default: []+ socketprocess_networking+fission:+ 
by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['autoland', 'mozilla-central']+ default: []+ wayland:+ by-test-platform:+ linux.*64-ccov-qr/opt: []+ linux.*64(-shippable)?-qr/(opt|debug): built-projects+ default: []+ webrender-sw:+ by-test-platform:+ linux.*64-qr/debug: built-projects+ default: []+ webrender-sw+fission:+ by-test-platform:+ linux.*64-qr/debug: built-projects+ default: []+ default:+ by-test-platform:+ linux1804-64-qr/debug: ['trunk']+ linux1804-64(-shippable|-asan)?-qr/opt: ['trunk']+ default: []+ tier: default max-run-time: by-test-platform: windows10-64-2004-ccov.*/.*: 10800@@ -468,17 +514,21 @@ schedules-component: mochitest-plain loopback-video: true variants:- - fission- - socketprocess_networking- - wayland- - webrender-sw- run-on-projects:- by-variant:- fission: []- socketprocess_networking:- by-test-platform:- linux.*64-qr/debug: built-projects- default: []+ - dynamic-first-party-isolation+fission+ - fission+ - wayland+ - webrender-sw+ - webrender-sw+fission+ run-on-projects:+ by-variant:+ dynamic-first-party-isolation+fission:+ by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['mozilla-central']+ default: []+ fission:+ by-test-platform:+ android.*/.*: []+ default: built-projects wayland: by-test-platform: linux.*64-qr/debug: built-projects@@ -486,21 +536,27 @@ webrender-sw: by-test-platform: android-em-7.0-x86_64-qr/debug: built-projects- linux.*64-qr/debug: built-projects- default: []- default:- by-test-platform:- .*-tsan-qr/opt: ['trunk']+ linux.*asan.*: ['trunk']+ linux.*64(-shippable)?-qr/(opt|debug): ['trunk']+ default: []+ webrender-sw+fission:+ by-test-platform:+ linux.*64-qr/debug: built-projects+ default: []+ default:+ by-test-platform: android-em-7.0-x86_64-qr/debug-isolated-process: []- default: built-projects+ linux.*64-ccov-qr/opt: []+ linux1804-32.*: []+ .*-tsan-qr/opt: []+ linux.*: ['trunk'] # linux opt/debug/asan+ android.*: built-projects+ 
default: [] virtualization: virtual-with-gpu tier:- by-variant:- fission: 2- default:- by-test-platform:- android-em-7.0-x86_64-qr/debug-isolated-process: 3- default: default+ by-test-platform:+ android-em-7.0-x86_64-qr/debug-isolated-process: 3+ default: default mozharness: mochitest-flavor: plain extra-options:@@ -523,17 +579,19 @@ loopback-video: true virtualization: virtual-with-gpu variants:+ - dynamic-first-party-isolation+fission - fission - socketprocess_networking - wayland - webrender-sw run-on-projects: by-variant:+ dynamic-first-party-isolation+fission:+ by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['mozilla-central']+ default: [] fission: []- socketprocess_networking:- by-test-platform:- linux.*64-qr/debug: built-projects- default: []+ socketprocess_networking: [] wayland: by-test-platform: linux.*64-qr/debug: built-projects@@ -577,66 +635,77 @@ linux.*64-tsan-qr/opt: 7200 default: 5400 variants:- - fission- - fission-webgl-ipc+ - dynamic-first-party-isolation+fission+ - fission - socketprocess- - wayland- - webgl-ipc- - webrender-sw- run-on-projects:- by-variant:+ - socketprocess+fission+ - wayland+ - webgl-ipc+fission+ - webrender-sw+ - webrender-sw+fission+ run-on-projects:+ by-variant:+ dynamic-first-party-isolation+fission:+ by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['mozilla-central']+ default: [] fission: by-test-platform:- (linux.*64|windows10-64-2004)-qr/debug: ['autoland', 'mozilla-central']- (linux.*64|windows10-64-2004)-qr/opt: ['autoland']- (linux.*64|windows10-64-2004)-shippable-qr/opt: ['mozilla-central']- linux.*64(-asan|-tsan)-qr/opt: ['autoland', 'mozilla-central']- default: []- fission-webgl-ipc:- by-test-platform:- (linux.*64|windows10-64-2004)-qr/debug: ['autoland', 'mozilla-central']- (linux.*64|windows10-64-2004)-qr/opt: ['autoland']- (linux.*64|windows10-64-2004)-shippable-qr/opt: ['mozilla-central']- linux.*64(-asan|-tsan)-qr/opt: 
['autoland', 'mozilla-central']- (linux|windows10-64-2004|macos)(?!.*-qr).*: []- default: []- socketprocess:- by-test-platform:- android-em-7.0-x86_64-qr/debug: ['autoland', 'mozilla-central']- android-hw-.*-aarch64-qr/debug: built-projects- linux.*64(-asan|-devedition|-shippable)?-qr/(opt|debug): built-projects- linux.*64-tsan-qr/opt: ['autoland', 'mozilla-central']- macosx.*-64(-devedition|-shippable)?-qr/(opt|debug): built-projects- windows10-(32|64)-2004(-devedition|-shippable)?-qr/(opt|debug): built-projects- windows10-64-2004-asan-qr/opt: ['autoland', 'mozilla-central']- default: []- wayland:- by-test-platform:- linux.*64-qr/debug: ['autoland', 'mozilla-central']- default: []- webgl-ipc:- by-test-platform:- linux.*64(-shippable|-asan|-tsan)?-qr/opt: ['autoland', 'mozilla-central']- macosx.*64(-shippable)?-qr/(opt|debug): ['autoland', 'mozilla-central']- windows10-(32|64)-2004(-shippable)?-qr/(opt|debug): ['autoland', 'mozilla-central']- windows10-64-2004-asan-qr/opt: ['autoland', 'mozilla-central']- default: []- webrender-sw:- by-test-platform:- android-em-7.0-x86_64-qr/debug: ['autoland', 'mozilla-central']- linux1804-64-qr/debug: ['autoland', 'mozilla-central']- default: []- default:- by-test-platform:- android-hw-.*/opt: []- android-hw-.*-arm7.*/(?:debug)?: ['trunk', 'mozilla-beta', 'mozilla-release']- android-em-7.0-x86_64-qr/debug-isolated-process: []+ android.*: [] .*-tsan-qr/opt: ['trunk'] linux.*(asan|ccov)/opt: [] .*(ccov/|asan/|-32).*: built-projects (android|linux|windows10-64-2004|macos)(?!.*-qr).*: [] windows10-aarch64-qr/.*: ['mozilla-central', 'mozilla-beta', 'mozilla-release'] default: built-projects+ webgl-ipc+fission:+ by-test-platform:+ android.*: []+ linux.*64(-shippable|-asan|-tsan)?-qr/opt: ['autoland', 'mozilla-central']+ macosx.*64(-shippable)?-qr/(opt|debug): ['autoland', 'mozilla-central']+ windows10-(32|64)-2004(-shippable)?-qr/(opt|debug): ['autoland', 'mozilla-central']+ windows10-64-2004-asan-qr/opt: ['autoland', 
'mozilla-central']+ default: []+ socketprocess:+ by-test-platform:+ android-em-7.0-x86_64-qr/debug: ['autoland', 'mozilla-central']+ android-hw-.*-aarch64-qr/debug: built-projects+ linux1804-64-qr/debug: ['trunk']+ linux1804-64(-shippable|-asan)?-qr/opt: ['trunk']+ default: []+ socketprocess+fission:+ by-test-platform:+ android.*: []+ linux.*64(-asan|-devedition|-shippable)?-qr/(opt|debug): built-projects+ linux.*64-tsan-qr/opt: ['autoland', 'mozilla-central']+ macosx.*-64(-devedition|-shippable)?-qr/(opt|debug): built-projects+ windows10-(32|64)-2004(-devedition|-shippable)?-qr/(opt|debug): built-projects+ windows10-64-2004-asan-qr/opt: ['autoland', 'mozilla-central']+ default: []+ wayland:+ by-test-platform:+ linux.*64-qr/debug: ['autoland', 'mozilla-central']+ default: []+ webrender-sw:+ by-test-platform:+ android-em-7.0-x86_64-qr/debug: ['autoland', 'mozilla-central']+ linux1804-64-qr/debug: ['trunk']+ linux1804-64(-shippable|-asan)?-qr/opt: ['trunk']+ default: []+ webrender-sw+fission:+ by-test-platform:+ android.*: []+ linux1804-64-qr/debug: ['autoland', 'mozilla-central']+ default: []+ default:+ by-test-platform:+ android-hw-.*/opt: []+ android-hw-.*-arm7.*/(?:debug)?: ['trunk', 'mozilla-beta', 'mozilla-release']+ android-em-7.0-x86_64-qr/debug-isolated-process: []+ android.*: built-projects+ linux1804-64-qr/debug: ['trunk']+ linux1804-64(-shippable|-asan)?-qr/opt: ['trunk']+ default: [] loopback-video: true instance-size: by-test-platform:@@ -663,19 +732,13 @@ extra-options: - --setpref=webgl.out-of-process=false tier:- by-variant:- fission:- by-test-platform:- linux.*64.*-qr/debug: 1- default: 2- fission-webgl-ipc: 2- default:- by-test-platform:- android-em.*: 1- android-em-7.0-x86_64-qr/debug-isolated-process: 3- windows10-aarch64-qr.*: 2- android-hw.*: 1- default: default+ by-test-platform:+ .*ccov.*: 2+ android-em.*: 1+ android-em-7.0-x86_64-qr/debug-isolated-process: 3+ windows10-aarch64-qr.*: 2+ android-hw.*: 1+ default: default 
mochitest-media-failures: description: "Mochitest failures for mochitest media run"@@ -692,10 +755,7 @@ - webrender-sw run-on-projects: by-variant:- socketprocess_networking:- by-test-platform:- linux.*64-qr/debug: ['mozilla-central']- default: []+ socketprocess_networking: [] wayland: by-test-platform: linux.*64-qr/debug: ['mozilla-central']@@ -728,55 +788,6 @@ - --timeout-as-pass - --crash-as-pass--mochitest-plain-headless:- description: "Mochitest plain headless run"- suite:- name: mochitest-plain- treeherder-symbol: M(h)- loopback-video: true- chunks:- by-test-platform:- linux.*/debug: 16- default: 5- max-run-time: 5400- allow-software-gl-layers: false- tier: 2- variants:- - fission- - socketprocess_networking- - wayland- - webrender-sw- run-on-projects:- by-variant:- fission:- by-test-platform:- linux.*64-qr/debug: ['trunk']- linux.*64-shippable-qr/opt: ['mozilla-central']- linux.*64-shippable/.*: ['mozilla-central']- linux.*64/debug: ['mozilla-central']- windows10-64-shippable(-qr)?/opt: ['mozilla-central']- default: []- socketprocess_networking:- by-test-platform:- linux.*64-qr/debug: ['mozilla-central']- default: []- wayland:- by-test-platform:- linux.*64-qr/debug: ['mozilla-central']- default: []- webrender-sw:- by-test-platform:- android-em-7.0-x86_64-qr/debug: ['mozilla-central']- linux.*64-qr/debug: ['mozilla-central']- default: []- default: ['mozilla-central']- mozharness:- mochitest-flavor: plain- chunked: true- extra-options:- - --headless- mochitest-valgrind: description: "Mochitest plain Valgrind run" suite:@@ -807,44 +818,57 @@ macosx.*64-ccov.*/.*: 7200 default: 1800 variants:- - fission- - fission-webgl-ipc+ - dynamic-first-party-isolation+fission+ - fission - wayland - webgl-ipc- - webrender-sw- run-on-projects:- by-variant:+ - webgl-ipc+fission+ - webrender-sw+ - webrender-sw+fission+ run-on-projects:+ by-variant:+ dynamic-first-party-isolation+fission:+ by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): 
['mozilla-central']+ default: [] fission: by-test-platform:- linux.*64-asan-qr/opt: built-projects- (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(debug|opt): built-projects- default: []- fission-webgl-ipc:- by-test-platform:- linux.*64-asan-qr/opt: built-projects- (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(debug|opt): built-projects- default: []- webgl-ipc:+ .*-tsan-qr/opt: ['trunk']+ android.*: []+ default: built-projects+ webgl-ipc+fission: by-test-platform: .*-ccov.*: [] linux.*-64.*: ["trunk"] mac.*: ["trunk"] win.*: ["trunk"] default: []+ webgl-ipc:+ by-test-platform:+ .*-ccov.*: []+ linux1804-64-qr/debug: ['trunk']+ linux1804-64(-shippable|-asan)?-qr/opt: ['trunk']+ default: [] wayland: by-test-platform: linux.*64-qr/debug: built-projects default: [] webrender-sw: by-test-platform:- linux.*64-qr/debug: built-projects- default: []- default:- by-test-platform:- .*-tsan-qr/opt: ['trunk']+ linux.*64-qr/debug: ['trunk']+ default: []+ webrender-sw+fission:+ by-test-platform:+ linux.*64-qr/debug: built-projects+ default: []+ default:+ by-test-platform: android-hw-.*(?<!-shippable)(-qr)?/opt: ['mozilla-central', 'mozilla-beta', 'mozilla-release'] android-hw.*aarch.*-shippable-qr/opt: ['mozilla-central']- default: built-projects+ android-hw.*aarch.*-qr/debug: ['mozilla-central']+ linux1804-64-qr/debug: ['trunk']+ linux1804-64(-shippable|-asan)?-qr/opt: ['trunk']+ default: [] # Bug 1296733: llvmpipe with mesa 9.2.1 lacks thread safety allow-software-gl-layers: false mozharness:@@ -865,45 +889,57 @@ loopback-video: true max-run-time: 2700 variants:- - fission- - fission-webgl-ipc+ - dynamic-first-party-isolation+fission+ - fission+ - webgl-ipc+fission - wayland - webgl-ipc - webrender-sw- run-on-projects:- by-variant:+ - webrender-sw+fission+ run-on-projects:+ by-variant:+ dynamic-first-party-isolation+fission:+ by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['mozilla-central']+ default: [] fission: 
by-test-platform:+ .*-tsan-qr/opt: ['trunk']+ android.*: []+ default: built-projects+ webgl-ipc+fission:+ by-test-platform:+ .*-ccov.*: []+ linux.*-64.*: built-projects+ mac.*: ["trunk"]+ windows10-64-2004.*: built-projects+ default: []+ wayland:+ by-test-platform: linux.*64(-shippable)?-qr/(opt|debug): built-projects- windows10-64-2004(-shippable)?-qr/(opt|debug): built-projects- default: []- fission-webgl-ipc:- by-test-platform:- linux.*64(-shippable)?-qr/(opt|debug): built-projects- windows10-64-2004(-shippable)?-qr/(opt|debug): built-projects- default: []- wayland:- by-test-platform:- linux.*64(-shippable)?-qr/(opt|debug): built-projects default: [] webgl-ipc: by-test-platform: .*-ccov.*: []- linux.*-64.*: ["trunk"]- mac.*: ["trunk"]- windows10-64-2004-qr/(opt|debug): []- win.*: ["trunk"]- default: []- webrender-sw:- by-test-platform:- linux.*64-qr/debug: built-projects- default: []- default:- by-test-platform:- .*-tsan-qr/opt: ['trunk']+ linux1804-64-qr/debug: ['trunk']+ linux1804-64(-shippable|-asan)?-qr/opt: ['trunk']+ default: []+ webrender-sw:+ by-test-platform:+ linux.*64-qr/debug: ['trunk']+ default: []+ webrender-sw+fission:+ by-test-platform:+ linux.*64-qr/debug: built-projects+ default: []+ default:+ by-test-platform: android-hw-.*(?<!-shippable)(-qr)?/opt: ['mozilla-central', 'mozilla-beta', 'mozilla-release'] android-hw.*aarch.*-shippable-qr/opt: ['mozilla-central']- default: built-projects+ android-hw.*aarch.*-qr/debug: ['mozilla-central']+ linux1804-64-qr/debug: ['trunk']+ linux1804-64(-shippable|-asan)?-qr/opt: ['trunk']+ default: [] # Bug 1296733: llvmpipe with mesa 9.2.1 lacks thread safety allow-software-gl-layers: false mozharness:@@ -925,44 +961,58 @@ loopback-video: true max-run-time: 1800 variants:- - fission- - fission-webgl-ipc+ - dynamic-first-party-isolation+fission+ - fission+ - webgl-ipc+fission - wayland - webgl-ipc - webrender-sw- run-on-projects:- by-variant:+ - webrender-sw+fission+ run-on-projects:+ by-variant:+ 
dynamic-first-party-isolation+fission:+ by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['mozilla-central']+ default: [] fission: by-test-platform:- linux.*64(-shippable|-asan)?-qr/(opt|debug): built-projects- windows10-64-2004(-shippable)?-qr/(opt|debug): built-projects- default: []- fission-webgl-ipc:- by-test-platform:- linux.*64(-shippable|-asan)?-qr/(opt|debug): built-projects- windows10-64-2004(-shippable)?-qr/(opt|debug): built-projects- default: []- wayland:- by-test-platform:- linux.*64(-shippable|-asan)?-qr/(opt|debug): built-projects- default: []- webgl-ipc:+ .*-tsan-qr/opt: ['trunk']+ android.*: []+ default: built-projects+ webgl-ipc+fission: by-test-platform: .*-ccov.*/.*: []+ android.*: [] linux.*-64.*: ["trunk"] mac.*: ["trunk"] win.*: ["trunk"] default: []- webrender-sw:- by-test-platform:- linux.*64-qr/debug: built-projects- default: []- default:- by-test-platform:- .*-tsan-qr/opt: ['trunk']+ wayland:+ by-test-platform:+ linux.*64(-shippable|-asan)?-qr/(opt|debug): built-projects+ default: []+ webgl-ipc:+ by-test-platform:+ .*-ccov.*/.*: []+ linux1804-64-qr/debug: ['trunk']+ linux1804-64(-shippable|-asan)?-qr/opt: ['trunk']+ default: []+ webrender-sw:+ by-test-platform:+ linux.*64-qr/debug: ['trunk']+ default: []+ webrender-sw+fission:+ by-test-platform:+ linux.*64-qr/debug: built-projects+ default: []+ default:+ by-test-platform: android-hw-.*(?<!-shippable)(-qr)?/opt: ['mozilla-central', 'mozilla-beta', 'mozilla-release'] android-hw.*aarch.*-shippable-qr/opt: ['mozilla-central']- default: built-projects+ android-hw.*aarch.*-qr/debug: ['mozilla-central']+ linux1804-64-qr/debug: ['trunk']+ linux1804-64(-shippable|-asan)?-qr/opt: ['trunk']+ default: [] # Bug 1296733: llvmpipe with mesa 9.2.1 lacks thread safety allow-software-gl-layers: false mozharness:@@ -975,39 +1025,54 @@ schedules-component: mochitest-plain virtualization: virtual-with-gpu variants:- - fission- - fission-webgl-ipc+ - 
dynamic-first-party-isolation+fission+ - fission+ - webgl-ipc+fission - webgl-ipc - webrender-sw- - wayland- run-on-projects:- by-variant:+ - webrender-sw+fission+ - wayland+ run-on-projects:+ by-variant:+ dynamic-first-party-isolation+fission:+ by-test-platform:+ (linux.*64|macosx.*64|windows10-64-2004)(-shippable)?-qr/(opt|debug): ['mozilla-central']+ default: [] fission: by-test-platform:- linux.*64(-shippable)?-qr/(opt|debug): built-projects- windows10-64-2004(-shippable)?-qr/(opt|debug): built-projects- default: []- fission-webgl-ipc:- by-test-platform:- linux.*64(-shippable)?-qr/(opt|debug): built-projects- windows10-64-2004(-shippable)?-qr/(opt|debug): built-projects- default: []- wayland:- by-test-platform:- linux.*64(-shippable|-asan)?-qr/(opt|debug): built-projects- default: []
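Review bot: the mochitest-plain-headless task is deleted wholesale in the hunk at @@ -728,55 +788,6 @@, but nothing else in the diff carries its `--headless` mozharness option over to a surviving suite, so headless coverage of mochitest-plain disappears with it; either keep it under another task or record in the commit message where that coverage now lives. The `tier:` rewrite at @@ -663,19 +732,13 @@ also drops the `by-variant: fission:` branch that put `linux.*64.*-qr/debug` at tier 1, so those fission debug runs now fall through to `default: default`; confirm that tier change is intended rather than a side effect of flattening the block.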
After analyzing the provided code diff, I don't find any clear security vulnerabilities being fixed. The changes appear to be primarily configuration updates for test variants, platforms, and project runs in the Firefox testing infrastructure. Here's my analysis:

1. Vulnerability Existed: no
   No specific security vulnerability found in the diff. The changes are related to test configuration updates.

2. The main changes observed are:
   - Addition of new test variants like "dynamic-first-party-isolation+fission"
   - Updates to test platform configurations
   - Modifications to project run configurations
   - Tier and chunk configuration updates
   - Removal of some test configurations (like mochitest-plain-headless)

3. The changes appear to be:
   - Adding support for new test combinations
   - Adjusting which tests run on which platforms/projects
   - Cleaning up old test configurations
   - No security-related fixes are evident in the diff

4. The modifications are focused on:
   - Test infrastructure configuration
   - Test variant management
   - Platform-specific test runs
   - No security patches or vulnerability fixes are visible

Since this is primarily a configuration file for test runs and doesn't contain any security fixes, I can't identify any specific vulnerabilities that were addressed in this diff. The changes seem to be routine updates to the testing infrastructure configuration.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-clamp-4.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-clamp-4.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'hsl(120, 100%, -200%)'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,0,0,255, "50,25", "0,0,0,255");+_assertPixel(canvas, 50,25, 0,0,0,255, "50,25", "0,0,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes (variable renaming) rather than security-related fixes. Here's the analysis following your requested format:

Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-clamp-4.html] [17-25]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 0,0,0,255, "50,25", "0,0,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 0,0,0,255, "50,25", "0,0,0,255");

The changes only involve:
1. Renaming the variable `offscreenCanvas` to `canvas`
2. Updating the references to this variable in the subsequent lines

No security implications are present in these changes. The functionality remains exactly the same, only the variable name has been changed for consistency or readability.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/jpeg-xl/lib/jxl/encode_internal.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/jpeg-xl/lib/jxl/encode_internal.h@@ -19,14 +19,17 @@ namespace jxl {-// Options per-frame, this is not used for codestream-wide settings or global-// encoder settings.-typedef struct JxlEncoderOptionsValuesStruct {+// The encoder options (such as quality, compression speed, ...) for a single+// frame, but not encoder-wide options such as box-related options.+typedef struct JxlEncoderFrameSettingsValuesStruct { // lossless is a separate setting from cparams because it is a combination // setting that overrides multiple settings inside of cparams. bool lossless; CompressParams cparams;-} JxlEncoderOptionsValues;+ JxlFrameHeader header;+ std::vector<JxlBlendInfo> extra_channel_blend_info;+ std::string frame_name;+} JxlEncoderFrameSettingsValues; typedef std::array<uint8_t, 4> BoxType;@@ -46,7 +49,7 @@ constexpr unsigned char kLevelBoxHeader[] = {0, 0, 0, 0x9, 'j', 'x', 'l', 'l'}; struct JxlEncoderQueuedFrame {- JxlEncoderOptionsValues option_values;+ JxlEncoderFrameSettingsValues option_values; ImageBundle frame; };@@ -106,7 +109,9 @@ JxlMemoryManager memory_manager; jxl::MemoryManagerUniquePtr<jxl::ThreadPool> thread_pool{ nullptr, jxl::MemoryManagerDeleteHelper(&memory_manager)};- std::vector<jxl::MemoryManagerUniquePtr<JxlEncoderOptions>> encoder_options;+ JxlCmsInterface cms;+ std::vector<jxl::MemoryManagerUniquePtr<JxlEncoderFrameSettings>>+ encoder_options; size_t num_queued_frames; size_t num_queued_boxes;@@ -157,9 +162,9 @@ void AppendBoxHeader(const jxl::BoxType& type, size_t size, bool unbounded); };-struct JxlEncoderOptionsStruct {+struct JxlEncoderFrameSettingsStruct { JxlEncoder* enc;- jxl::JxlEncoderOptionsValues values;+ jxl::JxlEncoderFrameSettingsValues values; }; #endif // 
LIB_JXL_ENCODE_INTERNAL_H_
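Review bot: JxlEncoderFrameSettingsValuesStruct now embeds std::vector<JxlBlendInfo>, std::string and JxlFrameHeader, but the hunk at @@ -19,14 +19,17 @@ shows no <vector>, <string> or public-API header includes being added; confirm encode_internal.h includes them itself rather than relying on whatever cparams' header happens to pull in. The new `JxlCmsInterface cms;` member at @@ -106,7 +109,9 @@ also has no in-class initializer next to the brace-initialized `thread_pool`; if JxlCmsInterface is a plain C struct of function pointers, its fields are indeterminate until something sets them, so `JxlCmsInterface cms{};` would give the encoder a well-defined "no CMS set" state.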
Analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily structural/renaming changes and additions of new fields rather than security fixes. Here's the analysis:

1. Vulnerability Existed: no
   No security vulnerability found
   File: third_party/jpeg-xl/lib/jxl/encode_internal.h
   Changes are primarily renaming from JxlEncoderOptions* to JxlEncoderFrameSettings* and adding new fields (JxlFrameHeader, extra_channel_blend_info, frame_name, JxlCmsInterface)

The main changes are:
1. Renaming JxlEncoderOptionsValuesStruct to JxlEncoderFrameSettingsValuesStruct
2. Adding new fields to the struct (header, extra_channel_blend_info, frame_name)
3. Adding a cms field to JxlEncoderStruct
4. Updating related type names throughout the file

These appear to be architectural improvements rather than security fixes. No specific vulnerabilities are being addressed in this diff. The changes seem focused on:
- Better organization of frame settings
- Adding support for additional frame metadata
- Improving type naming clarity
- Adding color management system support

No CVEs or common vulnerability patterns are evident in these changes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.rect.closed.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.rect.closed.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -23,7 +23,7 @@ ctx.lineJoin = 'miter'; ctx.rect(100, 50, 100, 100); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security-related fixes. The changes appear to be purely cosmetic/refactoring changes (variable renaming) rather than security fixes. Here's the analysis:

1. Vulnerability Existed: no
   Variable Renaming [File] [Lines 13-14, 23]
   Old Code:
   var offscreenCanvas = new OffscreenCanvas(100, 50);
   var ctx = offscreenCanvas.getContext('2d');
   Fixed Code:
   var canvas = new OffscreenCanvas(100, 50);
   var ctx = canvas.getContext('2d');

2. Vulnerability Existed: no
   Variable Renaming [File] [Line 23]
   Old Code:
   _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
   Fixed Code:
   _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");

The changes simply rename the variable `offscreenCanvas` to `canvas` throughout the file, which doesn't appear to address any security vulnerability. The functionality remains exactly the same.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/security/manager/ssl/tests/unit/test_crlite_filters.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/security/manager/ssl/tests/unit/test_crlite_filters.js@@ -8,9 +8,6 @@ "use strict"; do_get_profile(); // must be called before getting nsIX509CertDB-const { RemoteSettings } = ChromeUtils.import(- "resource://services-settings/remote-settings.js"-); const { RemoteSecuritySettings } = ChromeUtils.import( "resource://gre/modules/psm/RemoteSecuritySettings.jsm" );@@ -100,6 +97,7 @@ effectiveTimestamp: new Date(filter.timestamp).getTime(), parent: filter.type == "diff" ? filter.parent : undefined, id: filter.id,+ coverage: filter.type == "full" ? filter.coverage : undefined, }; await localDB.create(record);@@ -118,7 +116,18 @@ Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, false); let result = await syncAndDownload([- { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },+ {+ timestamp: "2019-01-01T00:00:00Z",+ type: "full",+ id: "0000",+ coverage: [+ {+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",+ minTimestamp: 0,+ maxTimestamp: 9999999999999,+ },+ ],+ }, ]); equal(result, "disabled", "CRLite filter download should not have run"); });@@ -388,7 +397,23 @@ }); let result = await syncAndDownload([- { timestamp: "2020-10-17T00:00:00Z", type: "full", id: "0000" },+ {+ timestamp: "2020-10-17T00:00:00Z",+ type: "full",+ id: "0000",+ coverage: [+ {+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",+ minTimestamp: 0,+ maxTimestamp: 9999999999999,+ },+ {+ logID: "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",+ minTimestamp: 0,+ maxTimestamp: 9999999999999,+ },+ ],+ }, ]); equal( result,@@ -573,20 +598,36 @@ Services.prefs.clearUserPref("security.OCSP.require"); Services.prefs.clearUserPref("security.OCSP.enabled");- // If the earliest certificate timestamp is within the merge 
delay of the- // logs for the filter we have, it won't be looked up, and thus won't be- // revoked.- // The earliest timestamp in this certificate is in August 2020, whereas- // the filter timestamp is in October 2020, so setting the merge delay to- // this large value simluates the situation being tested.- Services.prefs.setIntPref(- "security.pki.crlite_ct_merge_delay_seconds",- 60 * 60 * 24 * 60- );- // Since setting the merge delay parameter this way effectively makes this- // certificate "too new" to be covered by the filter, the implementation- // would fall back to OCSP fetching. Since this would result in a crash and- // test failure, the Ci.nsIX509CertDB.FLAG_LOCAL_ONLY is used.+ // The revoked certificate example has one SCT from the log with ID "9ly...="+ // at time 1598140096613 and another from the log with ID "XNx...=" at time+ // 1598140096917. The filter we construct here fails to cover it by one+ // millisecond in each case. The implementation will fall back to OCSP+ // fetching. 
Since this would result in a crash and test failure, the+ // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY is used.+ result = await syncAndDownload([+ {+ timestamp: "2020-10-17T00:00:00Z",+ type: "full",+ id: "0000",+ coverage: [+ {+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",+ minTimestamp: 0,+ maxTimestamp: 1598140096612,+ },+ {+ logID: "XNxDkv7mq0VEsV6a1FbmEDf71fpH3KFzlLJe5vbHDso=",+ minTimestamp: 1598140096917,+ maxTimestamp: 9999999999999,+ },+ ],+ },+ ]);+ equal(+ result,+ "finished;2020-10-17T00:00:00Z-full",+ "CRLite filter download should have run"+ ); await checkCertErrorGenericAtTime( certdb, revokedCert,@@ -597,14 +638,24 @@ "us-datarecovery.com", Ci.nsIX509CertDB.FLAG_LOCAL_ONLY );- Services.prefs.clearUserPref("security.pki.crlite_ct_merge_delay_seconds"); }); add_task(async function test_crlite_filters_avoid_reprocessing_filters() { Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true); let result = await syncAndDownload([- { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },+ {+ timestamp: "2019-01-01T00:00:00Z",+ type: "full",+ id: "0000",+ coverage: [+ {+ logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",+ minTimestamp: 0,+ maxTimestamp: 9999999999999,+ },+ ],+ }, { timestamp: "2019-01-01T06:00:00Z", type: "diff",
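Review bot: the coverage bounds in the hunk at @@ -573,20 +598,36 @@ do not match the comment above them. The comment says the filter misses each SCT by one millisecond, and for log "9ly...=" it does (`maxTimestamp: 1598140096612` against an SCT at 1598140096613), but the entry for log "XNx...=" sets `minTimestamp: 1598140096917`, which is exactly the SCT time the comment quotes; if coverage bounds are inclusive that SCT is covered, and the test stops exercising the fallback path it claims to test. Either set minTimestamp to 1598140096918 or state in the comment that minTimestamp is exclusive.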
Analyzing the provided code diff, here are the security-related findings:

1. Vulnerability Existed: not sure
   [Potential Incomplete Certificate Revocation Check] [security/manager/ssl/tests/unit/test_crlite_filters.js] [Lines 100-101]
   [Old Code]
   {
     effectiveTimestamp: new Date(filter.timestamp).getTime(),
     parent: filter.type == "diff" ? filter.parent : undefined,
     id: filter.id,
   }
   [Fixed Code]
   {
     effectiveTimestamp: new Date(filter.timestamp).getTime(),
     parent: filter.type == "diff" ? filter.parent : undefined,
     id: filter.id,
     coverage: filter.type == "full" ? filter.coverage : undefined,
   }

2. Vulnerability Existed: not sure
   [Potential Certificate Transparency Log Coverage Issue] [security/manager/ssl/tests/unit/test_crlite_filters.js] [Lines 118-121]
   [Old Code]
   let result = await syncAndDownload([
     { timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" },
   ]);
   [Fixed Code]
   let result = await syncAndDownload([
     {
       timestamp: "2019-01-01T00:00:00Z",
       type: "full",
       id: "0000",
       coverage: [
         {
           logID: "9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOM=",
           minTimestamp: 0,
           maxTimestamp: 9999999999999,
         },
       ],
     },
   ]);

3. Vulnerability Existed: not sure
   [Potential Certificate Revocation Bypass] [security/manager/ssl/tests/unit/test_crlite_filters.js] [Lines 573-588]
   [Old Code]
   // If the earliest certificate timestamp is within the merge delay of the
   // logs for the filter we have, it won't be looked up, and thus won't be
   // revoked.
   // The earliest timestamp in this certificate is in August 2020, whereas
   // the filter timestamp is in October 2020, so setting the merge delay to
   // this large value simluates the situation being tested.
   Services.prefs.setIntPref(
     "security.pki.crlite_ct_merge_delay_seconds",
     60 * 60 * 24 * 60
   );
   [Fixed Code]
   // The revoked certificate example has one SCT from the log with ID "9ly...="
   // at time 1598140096613 and another from the log with ID "XNx...=" at time
   // 1598140096917. The filter we construct here fails to cover it by one
   // millisecond in each case. The implementation will fall back to OCSP
   // fetching. Since this would result in a crash and test failure, the
   // Ci.nsIX509CertDB.FLAG_LOCAL_ONLY is used.

The changes appear to be related to improving the handling of certificate revocation checks using CRLite filters, particularly around:
1. Adding coverage information for full filters
2. More precise specification of certificate transparency log coverage
3. More accurate testing of edge cases in certificate timestamp coverage

While these changes improve the robustness of the certificate revocation checking system, I cannot definitively identify specific named vulnerabilities being fixed. The changes appear to be preventative improvements rather than fixes for known vulnerabilities.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/accessible/ipc/other/DocAccessibleChild.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/accessible/ipc/other/DocAccessibleChild.cpp@@ -419,7 +419,7 @@ mozilla::ipc::IPCResult DocAccessibleChild::RecvTextBounds( const uint64_t& aID, const int32_t& aStartOffset, const int32_t& aEndOffset,- const uint32_t& aCoordType, nsIntRect* aRetVal) {+ const uint32_t& aCoordType, LayoutDeviceIntRect* aRetVal) { HyperTextAccessible* acc = IdToHyperTextAccessible(aID); if (acc && acc->IsTextRole()) { *aRetVal = acc->TextBounds(aStartOffset, aEndOffset, aCoordType);@@ -430,7 +430,7 @@ mozilla::ipc::IPCResult DocAccessibleChild::RecvCharBounds( const uint64_t& aID, const int32_t& aOffset, const uint32_t& aCoordType,- nsIntRect* aRetVal) {+ LayoutDeviceIntRect* aRetVal) { HyperTextAccessible* acc = IdToHyperTextAccessible(aID); if (acc && acc->IsTextRole()) { *aRetVal = acc->CharBounds(aOffset, aCoordType);@@ -606,7 +606,8 @@ } mozilla::ipc::IPCResult DocAccessibleChild::RecvImagePosition(- const uint64_t& aID, const uint32_t& aCoordType, nsIntPoint* aRetVal) {+ const uint64_t& aID, const uint32_t& aCoordType,+ LayoutDeviceIntPoint* aRetVal) { ImageAccessible* acc = IdToImageAccessible(aID); if (acc) { *aRetVal = acc->Position(aCoordType);@@ -615,8 +616,8 @@ return IPC_OK(); }-mozilla::ipc::IPCResult DocAccessibleChild::RecvImageSize(const uint64_t& aID,- nsIntSize* aRetVal) {+mozilla::ipc::IPCResult DocAccessibleChild::RecvImageSize(+ const uint64_t& aID, LayoutDeviceIntSize* aRetVal) { ImageAccessible* acc = IdToImageAccessible(aID); if (acc) { *aRetVal = acc->Size();@@ -1372,16 +1373,6 @@ LocalAccessible* acc = IdToAccessible(aID); if (acc) { *aCount = acc->ActionCount();- }-- return IPC_OK();-}--mozilla::ipc::IPCResult DocAccessibleChild::RecvActionDescriptionAt(- const uint64_t& aID, const uint8_t& aIndex, 
nsString* aDescription) {- LocalAccessible* acc = IdToAccessible(aID);- if (acc) {- acc->ActionDescriptionAt(aIndex, *aDescription); } return IPC_OK();@@ -1643,10 +1634,10 @@ *aHeight = 0; LocalAccessible* acc = IdToAccessible(aID); if (acc && !acc->IsDefunct()) {- nsIntRect screenRect = acc->Bounds();+ LayoutDeviceIntRect screenRect = acc->Bounds(); if (!screenRect.IsEmpty()) { if (aNeedsScreenCoords) {- nsIntPoint winCoords =+ LayoutDeviceIntPoint winCoords = nsCoreUtils::GetScreenCoordsForWindow(acc->GetNode()); screenRect.x -= winCoords.x; screenRect.y -= winCoords.y;
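Review bot: RecvActionDescriptionAt is deleted in the hunk at @@ -1372,16 +1373,6 @@, but the matching message declaration in the PDocAccessible IPDL and the parent-side code that sends it are not in this diff; check they go in the same change, otherwise the child stops implementing a message the protocol still declares and the build or the IPC dispatch will complain. The same applies to the nsIntRect/nsIntPoint/nsIntSize to LayoutDeviceIntRect/LayoutDeviceIntPoint/LayoutDeviceIntSize switch in RecvTextBounds, RecvCharBounds, RecvImagePosition and RecvImageSize: the IPDL return types and their serializers must change in lockstep, which the .cpp alone cannot show.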
Here's the analysis of the provided code diff following the specified format:

1. Vulnerability Existed: not sure
   Type Conversion Vulnerability [accessible/ipc/other/DocAccessibleChild.cpp] [Lines 419-430, 606-616]
   Old Code: Using nsIntRect/nsIntPoint/nsIntSize
   Fixed Code: Using LayoutDeviceIntRect/LayoutDeviceIntPoint/LayoutDeviceIntSize
   Note: The change appears to be about using more appropriate types for device coordinates, but it's unclear if this was fixing a specific security vulnerability.

2. Vulnerability Existed: not sure
   Potential Information Leak [accessible/ipc/other/DocAccessibleChild.cpp] [Lines 1372-1383]
   Old Code: Included RecvActionDescriptionAt method
   Fixed Code: Removed RecvActionDescriptionAt method
   Note: The removal of this method might be related to security hardening, but without more context it's unclear if this was fixing a specific vulnerability.

3. Vulnerability Existed: not sure
   Coordinate System Vulnerability [accessible/ipc/other/DocAccessibleChild.cpp] [Lines 1643-1654]
   Old Code: Using nsIntRect/nsIntPoint
   Fixed Code: Using LayoutDeviceIntRect/LayoutDeviceIntPoint
   Note: Similar to the first item, this appears to be about using more appropriate coordinate types, but it's unclear if this was fixing a security vulnerability.

The changes primarily involve type conversions from nsInt* types to LayoutDeviceInt* types, which suggests improvements in coordinate system handling, but without more context about the specific security implications, it's difficult to identify specific vulnerabilities being fixed. The removal of the RecvActionDescriptionAt method might be security-related, but again, more context would be needed to confirm.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/platforms/ffmpeg/FFmpegVideoFramePool.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/platforms/ffmpeg/FFmpegVideoFramePool.h@@ -16,22 +16,21 @@ namespace mozilla {+class VideoFramePool;+class VideoFrameSurfaceVAAPI;+ class VideoFrameSurface { public: NS_INLINE_DECL_THREADSAFE_REFCOUNTING(VideoFrameSurface)- VideoFrameSurface(){};+ VideoFrameSurface() = default;- virtual void LockVAAPIData(AVCodecContext* aAVCodecContext, AVFrame* aAVFrame,- FFmpegLibWrapper* aLib){};- virtual void ReleaseVAAPIData(bool aForFrameRecycle = true){};- virtual bool IsUsed() const = 0;+ virtual VideoFrameSurfaceVAAPI* AsVideoFrameSurfaceVAAPI() { return nullptr; }- virtual void SetYUVColorSpace(mozilla::gfx::YUVColorSpace aColorSpace) = 0;- virtual void SetColorRange(mozilla::gfx::ColorRange aColorRange) = 0;+ virtual void SetYUVColorSpace(gfx::YUVColorSpace aColorSpace) = 0;+ virtual void SetColorRange(gfx::ColorRange aColorRange) = 0; virtual RefPtr<DMABufSurfaceYUV> GetDMABufSurface() { return nullptr; };- virtual RefPtr<layers::Image> GetAsImage() = 0; // Don't allow VideoFrameSurface plain copy as it leads to@@ -42,37 +41,6 @@ protected: virtual ~VideoFrameSurface(){};-};--// VideoFrameSurfaceDMABuf is YUV dmabuf surface used for SW video decoding.-// Stores decoded video data in GPU memory.-class VideoFrameSurfaceDMABuf : public VideoFrameSurface {- public:- explicit VideoFrameSurfaceDMABuf(DMABufSurface* aSurface);-- // Check if DMABufSurface is used by any gecko rendering process- // (WebRender or GL compositor) or by DMABUFSurfaceImage/VideoData.- bool IsUsed() const { return mSurface->IsGlobalRefSet(); }-- void SetYUVColorSpace(mozilla::gfx::YUVColorSpace aColorSpace) {- mSurface->GetAsDMABufSurfaceYUV()->SetYUVColorSpace(aColorSpace);- }-- void SetColorRange(mozilla::gfx::ColorRange 
aColorRange) {- mSurface->GetAsDMABufSurfaceYUV()->SetColorRange(aColorRange);- }-- RefPtr<DMABufSurfaceYUV> GetDMABufSurface() {- return mSurface->GetAsDMABufSurfaceYUV();- };-- RefPtr<layers::Image> GetAsImage();-- protected:- const RefPtr<DMABufSurface> mSurface;-- protected:- ~VideoFrameSurfaceDMABuf(){}; }; // VideoFrameSurfaceVAAPI holds a reference to GPU data with a video frame.@@ -104,44 +72,70 @@ // Unfortunately there isn't any obvious way how to mark particular VASurface // as used. The best we can do is to hold a reference to particular AVBuffer // from decoded AVFrame and AVHWFramesContext which owns the AVBuffer.+class VideoFrameSurfaceVAAPI final : public VideoFrameSurface {+ friend class VideoFramePool;-class VideoFrameSurfaceVAAPI : public VideoFrameSurfaceDMABuf { public: explicit VideoFrameSurfaceVAAPI(DMABufSurface* aSurface);+ VideoFrameSurfaceVAAPI* AsVideoFrameSurfaceVAAPI() final { return this; }++ void SetYUVColorSpace(mozilla::gfx::YUVColorSpace aColorSpace) {+ mSurface->GetAsDMABufSurfaceYUV()->SetYUVColorSpace(aColorSpace);+ }+ void SetColorRange(mozilla::gfx::ColorRange aColorRange) {+ mSurface->GetAsDMABufSurfaceYUV()->SetColorRange(aColorRange);+ }++ RefPtr<DMABufSurfaceYUV> GetDMABufSurface() {+ return mSurface->GetAsDMABufSurfaceYUV();+ };++ RefPtr<layers::Image> GetAsImage();++ protected: // Lock VAAPI related data void LockVAAPIData(AVCodecContext* aAVCodecContext, AVFrame* aAVFrame, FFmpegLibWrapper* aLib);- // Release VAAPI related data, DMABufSurface can be reused // for another frame.- void ReleaseVAAPIData(bool aForFrameRecycle);+ void ReleaseVAAPIData(bool aForFrameRecycle = true);++ // Check if DMABufSurface is used by any gecko rendering process+ // (WebRender or GL compositor) or by DMABUFSurfaceImage/VideoData.+ bool IsUsed() const { return mSurface->IsGlobalRefSet(); }+ void MarkAsUsed() { mSurface->GlobalRefAdd(); } private:- ~VideoFrameSurfaceVAAPI();+ virtual ~VideoFrameSurfaceVAAPI();+ const RefPtr<DMABufSurface> 
mSurface; const FFmpegLibWrapper* mLib; AVBufferRef* mAVHWFramesContext; AVBufferRef* mHWAVBuffer; };+// VideoFramePool class is thread-safe. class VideoFramePool final { public:- explicit VideoFramePool(bool aUseVAAPI);+ VideoFramePool(); ~VideoFramePool(); RefPtr<VideoFrameSurface> GetVideoFrameSurface(- VADRMPRIMESurfaceDescriptor& aVaDesc);- RefPtr<VideoFrameSurface> GetVideoFrameSurface(AVPixelFormat aPixelFormat,- AVFrame* aFrame);+ VADRMPRIMESurfaceDescriptor& aVaDesc, AVCodecContext* aAVCodecContext,+ AVFrame* aAVFrame, FFmpegLibWrapper* aLib); void ReleaseUnusedVAAPIFrames(); private: RefPtr<VideoFrameSurface> GetFreeVideoFrameSurface(); private:- const bool mUseVAAPI;- nsTArray<RefPtr<VideoFrameSurface>> mDMABufSurfaces;+ // Protect mDMABufSurfaces pool access+ Mutex mSurfaceLock;+ nsTArray<RefPtr<VideoFrameSurfaceVAAPI>> mDMABufSurfaces;+ // We may fail to create texture over DMABuf memory due to driver bugs so+ // check that before we export first DMABuf video frame.+ Maybe<bool> mTextureCreationWorks; }; } // namespace mozilla
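Review bot: in the first hunk (@@ -16,22 +16,21 @@), `GetAsImage()` is dropped from `VideoFrameSurface` while `VideoFramePool::GetVideoFrameSurface()` still returns `RefPtr<VideoFrameSurface>`, so every consumer that wants a `layers::Image` now has to call the new `AsVideoFrameSurfaceVAAPI()` and null-check it even though `VideoFrameSurfaceVAAPI` is the only remaining subclass. Either keep `virtual RefPtr<layers::Image> GetAsImage() = 0;` on the base or make the pool return `RefPtr<VideoFrameSurfaceVAAPI>` (its `mDMABufSurfaces` array already holds that type); the stray `;` after `GetDMABufSurface() { return nullptr; }` could be cleaned up at the same time.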
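Review bot: the second hunk (@@ -42,37 +41,6 @@) deletes `VideoFrameSurfaceDMABuf` together with its comment that it was the software-decoding DMABuf path ("Stores decoded video data in GPU memory"); with `VideoFramePool(bool aUseVAAPI)` becoming `VideoFramePool()` and `mUseVAAPI` going away, the pool is now VAAPI-only. That is a behaviour change, not a refactor, and the commit message should say so and point at whatever now serves the non-VAAPI case.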
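Review bot: in the last hunk (@@ -104,44 +72,70 @@) the header states "VideoFramePool class is thread-safe" and adds `Mutex mSurfaceLock` to "Protect mDMABufSurfaces pool access", but `IsUsed()` and `MarkAsUsed()` on `VideoFrameSurfaceVAAPI` form a check-then-act pair on the surface's global ref, and `mTextureCreationWorks` is a second piece of shared state with no stated lock. The comment should spell out that `GetFreeVideoFrameSurface()` holds `mSurfaceLock` across both the `IsUsed()` test and `MarkAsUsed()` (otherwise two callers can both observe a free surface), and whether `mTextureCreationWorks` is guarded by the same mutex or only touched on one thread. Also give `mLib`, `mAVHWFramesContext` and `mHWAVBuffer` default initialisers (`= nullptr`) so `ReleaseVAAPIData()` on a surface whose `LockVAAPIData()` never ran cannot dereference garbage.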
I'll analyze the code diff for security fixes following the specified format.

1. Vulnerability Existed: not sure
Potential Thread Safety Issue
[File] dom/media/platforms/ffmpeg/FFmpegVideoFramePool.h [Lines: 115-118]
[Old Code]
private:
const bool mUseVAAPI;
nsTArray<RefPtr<VideoFrameSurface>> mDMABufSurfaces;
[Fixed Code]
private:
// Protect mDMABufSurfaces pool access
Mutex mSurfaceLock;
nsTArray<RefPtr<VideoFrameSurfaceVAAPI>> mDMABufSurfaces;
// We may fail to create texture over DMABuf memory due to driver bugs so
// check that before we export first DMABuf video frame.
Maybe<bool> mTextureCreationWorks;

2. Vulnerability Existed: not sure
Potential Resource Management Issue
[File] dom/media/platforms/ffmpeg/FFmpegVideoFramePool.h [Lines: 72-118]
[Old Code]
class VideoFramePool final {
public:
explicit VideoFramePool(bool aUseVAAPI);
~VideoFramePool();
RefPtr<VideoFrameSurface> GetVideoFrameSurface(VADRMPRIMESurfaceDescriptor& aVaDesc);
RefPtr<VideoFrameSurface> GetVideoFrameSurface(AVPixelFormat aPixelFormat, AVFrame* aFrame);
void ReleaseUnusedVAAPIFrames();
[Fixed Code]
class VideoFramePool final {
public:
VideoFramePool();
~VideoFramePool();
RefPtr<VideoFrameSurface> GetVideoFrameSurface(VADRMPRIMESurfaceDescriptor& aVaDesc, AVCodecContext* aAVCodecContext, AVFrame* aAVFrame, FFmpegLibWrapper* aLib);
void ReleaseUnusedVAAPIFrames();

The changes are a substantial refactoring of the video frame pool:
1. A mutex (mSurfaceLock) now guards the mDMABufSurfaces array, and the header declares the pool thread-safe.
2. The intermediate VideoFrameSurfaceDMABuf class (the software-decoding DMABuf path) is removed; VideoFrameSurfaceVAAPI now derives directly from VideoFrameSurface and is marked final, and the pool is VAAPI-only (the aUseVAAPI constructor argument and the mUseVAAPI member are gone).
3. LockVAAPIData/ReleaseVAAPIData leave the public base interface and become protected members of VideoFrameSurfaceVAAPI, reachable only through VideoFramePool (declared a friend); the pool now receives the AVCodecContext, AVFrame and FFmpegLibWrapper so it can lock the VAAPI data itself when it hands out a surface.
4. IsUsed() is joined by MarkAsUsed(), which takes a global reference on the DMABufSurface, and a Maybe<bool> mTextureCreationWorks caches whether texture creation over DMABuf memory works with the current driver.

Point 1 is the only change with a plausible security angle: a mutex is added only if the pool can be reached from more than one thread, and unsynchronized mutation of an nsTArray of RefPtrs would be a memory-safety bug rather than a mere logic error. The header alone does not show whether such concurrent access actually happened before the patch, so I can't confirm that a specific vulnerability was fixed; the remaining changes are architectural.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/base/nsContentUtils.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/base/nsContentUtils.h@@ -44,7 +44,6 @@ #include "nsCOMPtr.h" #include "nsHashtablesFwd.h" #include "nsIContentPolicy.h"-#include "nsID.h" #include "nsINode.h" #include "nsIScriptError.h" #include "nsIThread.h"@@ -110,7 +109,6 @@ class nsISupports; class nsITransferable; class nsIURI;-class nsIUUIDGenerator; class nsIWidget; class nsIXPConnect; class nsNodeInfoManager;@@ -1270,16 +1268,6 @@ */ static void SandboxFlagsToString(uint32_t aFlags, nsAString& aString);- /**- * Helper function that generates a UUID.- */- static nsresult GenerateUUIDInPlace(nsID& aUUID);-- /**- * Infallable (with an assertion) helper function that generates a UUID.- */- static nsID GenerateUUID();- static bool PrefetchPreloadEnabled(nsIDocShell* aDocShell); static void ExtractErrorValues(JSContext* aCx, JS::Handle<JS::Value> aValue,@@ -2117,15 +2105,6 @@ static bool OfflineAppAllowed(nsIPrincipal* aPrincipal); /**- * Determine whether the principal or document is allowed access to the- * localization system. We don't want the web to ever see this but all our UI- * including in content pages should pass this test. aDocumentURI may be- * null.- */- static bool PrincipalAllowsL10n(nsIPrincipal& aPrincipal,- nsIURI* aDocumentURI);-- /** * Increases the count of blockers preventing scripts from running. * NOTE: You might want to use nsAutoScriptBlocker rather than calling * this directly@@ -3311,16 +3290,12 @@ bool mMustRevalidate = false; };- enum class SubresourceKind {- Style,- Image,- }; /** * Gets cache validation info for subresources such as images or CSS * stylesheets. 
*/ static SubresourceCacheValidationInfo GetSubresourceCacheValidationInfo(- nsIRequest*, nsIURI*, SubresourceKind);+ nsIRequest*, nsIURI*); static uint32_t SecondsFromPRTime(PRTime aTime) { return uint32_t(int64_t(aTime) / int64_t(PR_USEC_PER_SEC));@@ -3393,7 +3368,6 @@ static nsIPrincipal* sNullSubjectPrincipal; static nsIIOService* sIOService;- static nsIUUIDGenerator* sUUIDGenerator; static nsIConsoleService* sConsoleService;
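Review bot: the UUID hunks remove `GenerateUUIDInPlace`, `GenerateUUID`, `sUUIDGenerator` and the `nsIUUIDGenerator` forward declaration, but also `#include "nsID.h"`; any remaining declaration in this header that still mentions `nsID` now depends on a transitive include, so confirm the header still compiles stand-alone. The diff shows no replacement for the helpers, so the commit message should name the call every former caller was switched to.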
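Review bot: the `PrincipalAllowsL10n` hunk deletes an access check whose own comment says "We don't want the web to ever see this". Removing the declaration is only safe if the check moved elsewhere or every caller was removed, and neither is visible in this header diff; the change description should state where the localization access decision now lives.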
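Review bot: dropping `SubresourceKind` from `GetSubresourceCacheValidationInfo(nsIRequest*, nsIURI*)` means CSS and image callers now share one validation policy. If the old `Style`/`Image` distinction influenced revalidation, that is a cache-behaviour change worth calling out explicitly; the doc comment above the function ("subresources such as images or CSS stylesheets") still reads correctly after the change.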
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
[Removed UUID generation functionality]
[dom/base/nsContentUtils.h] [Lines 1270-1280, 3393]
[Old Code]
```cpp
static nsresult GenerateUUIDInPlace(nsID& aUUID);
static nsID GenerateUUID();
static nsIUUIDGenerator* sUUIDGenerator;
```
[Fixed Code]
```cpp
// Removed UUID generation functions and member variable
```
Additional Details: These were thin wrappers around the nsIUUIDGenerator service (the same diff drops the nsIUUIDGenerator forward declaration and the nsID.h include). A header diff only shows the declarations disappearing, not what callers now use instead, so there is no evidence of a vulnerability here; it reads as consolidation of UUID generation elsewhere.

2. Vulnerability Existed: not sure
[Removed PrincipalAllowsL10n function]
[dom/base/nsContentUtils.h] [Lines 2117-2123]
[Old Code]
```cpp
static bool PrincipalAllowsL10n(nsIPrincipal& aPrincipal, nsIURI* aDocumentURI);
```
[Fixed Code]
```cpp
// Function removed
```
Additional Details: This is the one security-relevant declaration in the diff: its comment states that web content must never pass this check while all internal UI should. Removing it is harmless if the check moved or all callers went away, and a regression only if callers now skip it. The header diff cannot distinguish these cases.

3. Vulnerability Existed: not sure
[Simplified subresource cache validation]
[dom/base/nsContentUtils.h] [Lines 3311-3316, 3290-3292]
[Old Code]
```cpp
enum class SubresourceKind {
  Style,
  Image,
};
static SubresourceCacheValidationInfo GetSubresourceCacheValidationInfo(
    nsIRequest*, nsIURI*, SubresourceKind);
```
[Fixed Code]
```cpp
static SubresourceCacheValidationInfo GetSubresourceCacheValidationInfo(
    nsIRequest*, nsIURI*);
```
Additional Details: Dropping the kind parameter means stylesheets and images now get one cache validation policy. That is a caching-behaviour change rather than a visible security fix; nothing in the diff suggests the per-kind distinction was leaking information.

Note: While these changes could be security-related, the diff doesn't provide enough context to definitively identify specific vulnerabilities. The removals might be part of security hardening, code cleanup, or architectural changes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.hex1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.hex1.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = '#f'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for security vulnerabilities:

1. Vulnerability Existed: no
No specific vulnerability found
[File] testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.hex1.html [Lines 17-25]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
ctx.fillStyle = '#0f0';
try { ctx.fillStyle = '#f'; } catch (e) { }
ctx.fillRect(0, 0, 100, 50);
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
ctx.fillStyle = '#0f0';
try { ctx.fillStyle = '#f'; } catch (e) { }
ctx.fillRect(0, 0, 100, 50);
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");

The change is a pure rename of the local variable offscreenCanvas to canvas. The test logic is unchanged: assigning the invalid one-digit hex colour '#f' must leave the previous fillStyle in effect, so the sampled pixel stays green. There is no evidence of any security vulnerability being addressed in this diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.touch3.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.touch3.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -27,15 +27,15 @@ g.addColorStop(1, '#f00'); ctx.fillStyle = g; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,1, 0,255,0,255, "50,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,25, 0,255,0,255, "98,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,48, 0,255,0,255, "50,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 50,1, 0,255,0,255, "50,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 1,25, 0,255,0,255, "1,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 98,25, 0,255,0,255, "98,25", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 50,48, 0,255,0,255, "50,48", "0,255,0,255");+_assertPixel(canvas, 98,48, 
0,255,0,255, "98,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes are purely variable renaming (from `offscreenCanvas` to `canvas`) and updating the corresponding references in the `_assertPixel` calls. Here's the structured response:

Vulnerability Existed: no
[No security vulnerability found]
[testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.radial.touch3.html] [17-48]
[Old variable name: offscreenCanvas]
[New variable name: canvas]

The changes are cosmetic/refactoring in nature and don't address any security issues. The functionality remains exactly the same, just with a different variable name.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.image.scale.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.image.scale.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -32,9 +32,9 @@ promise.then(function(response) { createImageBitmap(response).then(bitmap => { ctx.drawImage(bitmap, 0, 0, 100, 50, -10, -50, 240, 50);- _assertPixelApprox(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2); }, t_fail); }).then(t_pass, t_fail);
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes are purely variable renaming and don't affect security. Here's the analysis:

Vulnerability Existed: no
Variable Renaming
[File] testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.image.scale.worker.js [Lines 13-14, 32-34]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixelApprox(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);
_assertPixelApprox(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);
_assertPixelApprox(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixelApprox(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);
_assertPixelApprox(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);
_assertPixelApprox(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);

The changes simply rename the variable 'offscreenCanvas' to 'canvas' for consistency with the other canvas tests; the drawImage call, the three sampled pixels and the tolerance of 2 are untouched, so no functionality or security-related behavior was modified.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/webrtc/transport/ipc/WebrtcTCPSocketChild.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/webrtc/transport/ipc/WebrtcTCPSocketChild.cpp@@ -82,12 +82,9 @@ if (IsNeckoChild()) { // We're on a content process- gNeckoChild->SetEventTargetForActor(this, GetMainThreadSerialEventTarget()); gNeckoChild->SendPWebrtcTCPSocketConstructor(this, tabId); } else if (IsSocketProcessChild()) { // We're on a socket process- SocketProcessChild::GetSingleton()->SetEventTargetForActor(- this, GetMainThreadSerialEventTarget()); SocketProcessChild::GetSingleton()->SendPWebrtcTCPSocketConstructor(this, tabId); }
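Review bot: removing both `SetEventTargetForActor(this, GetMainThreadSerialEventTarget())` calls means this actor's incoming messages are dispatched to the manager's default event target instead of being pinned to the main thread; that is equivalent only if the default is already the main thread, or if the protocol now declares a per-protocol event target in a change not shown here. Reference that change in the commit message and add `MOZ_ASSERT(NS_IsMainThread())` at the top of the actor's `Recv*` handlers so a wrong target surfaces in debug builds rather than as a data race.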
Here's the analysis following the requested format:

Vulnerability Existed: not sure
[Actor event-target binding removed]
[dom/media/webrtc/transport/ipc/WebrtcTCPSocketChild.cpp] [Lines 82-89]
[Old Code]
if (IsNeckoChild()) {
// We're on a content process
gNeckoChild->SetEventTargetForActor(this, GetMainThreadSerialEventTarget());
gNeckoChild->SendPWebrtcTCPSocketConstructor(this, tabId);
} else if (IsSocketProcessChild()) {
// We're on a socket process
SocketProcessChild::GetSingleton()->SetEventTargetForActor(this, GetMainThreadSerialEventTarget());
SocketProcessChild::GetSingleton()->SendPWebrtcTCPSocketConstructor(this, tabId);
[Fixed Code]
if (IsNeckoChild()) {
// We're on a content process
gNeckoChild->SendPWebrtcTCPSocketConstructor(this, tabId);
} else if (IsSocketProcessChild()) {
// We're on a socket process
SocketProcessChild::GetSingleton()->SendPWebrtcTCPSocketConstructor(this, tabId);

Additional Details: SetEventTargetForActor binds an IPDL actor's incoming messages to a specific event target. The removed calls pinned this actor to the main thread's serial event target before the constructor message was sent, in both the content-process (gNeckoChild) and socket-process (SocketProcessChild) paths; after the change the actor uses whatever target its manager provides by default. That is equivalent only if the default is already the main thread, or if the protocol was given a per-protocol event target in a change not shown here. If neither holds, messages could be handled off the main thread, which would be a threading bug rather than an identifiable vulnerability; nothing in this diff points to a specific security fix.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/newtab/test/unit/lib/DiscoveryStreamFeed.test.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/newtab/test/unit/lib/DiscoveryStreamFeed.test.js@@ -2781,8 +2781,10 @@ const fakeDiscoveryStream = { Prefs: { values: {- "discoverystream.spocs.personalized": true,- "discoverystream.recs.personalized": true,+ pocketConfig: {+ recsPersonalized: true,+ spocsPersonalized: true,+ }, "discoverystream.personalization.enabled": true, }, },@@ -2791,6 +2793,7 @@ spocs: { loaded: false }, }, };+ sandbox.stub(feed, "scoreFeeds").resolves(); sandbox.stub(feed, "scoreSpocs").resolves(); sandbox.stub(feed, "refreshContent").resolves();@@ -2821,8 +2824,10 @@ feed.store.getState = () => ({ Prefs: { values: {- "discoverystream.spocs.personalized": true,- "discoverystream.recs.personalized": true,+ pocketConfig: {+ recsPersonalized: true,+ spocsPersonalized: true,+ }, "discoverystream.personalization.enabled": true, }, },@@ -2851,8 +2856,10 @@ feed.store.getState = () => ({ Prefs: { values: {- "discoverystream.spocs.personalized": true,- "discoverystream.recs.personalized": true,+ pocketConfig: {+ recsPersonalized: true,+ spocsPersonalized: true,+ }, "discoverystream.personalization.enabled": true, }, },@@ -2889,8 +2896,10 @@ feed.store.getState = () => ({ Prefs: { values: {- "discoverystream.spocs.personalized": true,- "discoverystream.recs.personalized": true,+ pocketConfig: {+ recsPersonalized: true,+ spocsPersonalized: true,+ }, "discoverystream.personalization.enabled": true, }, },
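Review bot: only the hunk at line 2793 adds `sandbox.stub(feed, "scoreFeeds").resolves();`; the three later tests (hunks at 2824, 2856 and 2896) receive the same `pocketConfig` fixture but no `scoreFeeds` stub. If those tests also reach `scoreFeeds` through the personalization path they now run the real implementation and should be stubbed the same way; if they do not, a one-line comment saying why would save the next reader the question.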
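Review bot: the `pocketConfig: { recsPersonalized: true, spocsPersonalized: true }` block plus `"discoverystream.personalization.enabled": true` is now pasted four times in this file; lift it into a shared fixture helper so the next preference rename is a one-line change instead of four.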
After analyzing the provided code diff, I don't find any clear security vulnerabilities being fixed. The changes are structural modifications to how preferences are organized rather than security fixes. Here's the analysis following your requested format:

1. Vulnerability Existed: no
No security vulnerability found
browser/components/newtab/test/unit/lib/DiscoveryStreamFeed.test.js
Lines 2781-2896
Old Code: Direct preference values in Prefs.values
Fixed Code: Preferences nested under a pocketConfig object

The changes show:
1. A restructuring of preference storage from flat keys to a nested structure under `pocketConfig`
2. Renaming of preference keys (e.g., `discoverystream.spocs.personalized` becomes `spocsPersonalized`) while `discoverystream.personalization.enabled` keeps its flat key
3. One additional test stub, `sandbox.stub(feed, "scoreFeeds").resolves()`, alongside the existing `scoreSpocs` and `refreshContent` stubs

This is a test-only change that tracks a preference reorganization in the main code; grouping the Pocket-related preferences under a `pocketConfig` namespace does not alter any security-relevant behavior, and no vulnerability is identified in this diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/transformations/2d.transformation.scale.nonfinite.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/transformations/2d.transformation.scale.nonfinite.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -28,7 +28,7 @@ ctx.scale(Infinity, Infinity); ctx.fillStyle = '#0f0'; ctx.fillRect(-100, -10, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Analyzing the provided code diff, here's the security assessment:

1. Vulnerability Existed: no
Variable Renaming
[File] testing/web-platform/tests/html/canvas/offscreen/transformations/2d.transformation.scale.nonfinite.worker.js [Lines 13-14, 28]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");

Additional Details:
- This is a simple variable rename from 'offscreenCanvas' to 'canvas' for consistency or readability.
- No security vulnerability is being fixed here.
- The functionality remains exactly the same; only the variable name has changed.
- The test case continues to check the same pixel assertion with the same expected values.