Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/forms/nsCheckboxRadioFrame.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/forms/nsCheckboxRadioFrame.cpp@@ -41,6 +41,13 @@ return PresContext()->Theme()->GetCheckboxRadioPrefSize(); } return CSSPixel::ToAppUnits(9);+}++/* virtual */+void nsCheckboxRadioFrame::BuildDisplayList(nsDisplayListBuilder* aBuilder,+ const nsDisplayListSet& aLists) {+ DO_GLOBAL_REFLOW_COUNT_DSP("nsCheckboxRadioFrame");+ DisplayBorderBackgroundOutline(aBuilder, aLists); } /* virtual */
Based on the provided code diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential Missing Display List Building] [layout/forms/nsCheckboxRadioFrame.cpp] [Lines 41-48]
[Old Code]
(No implementation of BuildDisplayList method)
[Fixed Code]
void nsCheckboxRadioFrame::BuildDisplayList(nsDisplayListBuilder* aBuilder,
const nsDisplayListSet& aLists) {
DO_GLOBAL_REFLOW_COUNT_DSP("nsCheckboxRadioFrame");
DisplayBorderBackgroundOutline(aBuilder, aLists);
}
Note: The diff shows the addition of a BuildDisplayList method. While not directly indicating a security vulnerability, missing proper display list building could potentially lead to rendering issues or information disclosure if sensitive elements aren't properly rendered. However, without more context about the specific security implications in Firefox's rendering engine, I can't definitively classify this as a security fix. The change appears to be more about proper rendering behavior than a direct security patch.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/test/unit/test_http3_prio.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/test/unit/test_http3_prio.js@@ -77,7 +77,7 @@ } add_task(async function test_http3_prio() {- Services.prefs.setBoolPref("network.http.http3.priorization", false);+ Services.prefs.setBoolPref("network.http.http3.priority", false); await test_flag_priority("disabled (none)", null, null); await test_flag_priority( "disabled (urgent_start)",@@ -117,7 +117,7 @@ }); add_task(async function test_http3_prio_enabled() {- Services.prefs.setBoolPref("network.http.http3.priorization", true);+ Services.prefs.setBoolPref("network.http.http3.priority", true); await test_flag_priority("enabled (none)", null, "u=4"); await test_flag_priority( "enabled (urgent_start)",
Based on the provided code diff, here's the analysis:
Vulnerability Existed: no
[Typo Fix] [netwerk/test/unit/test_http3_prio.js] [Lines 77, 117]
[Old Code]
Services.prefs.setBoolPref("network.http.http3.priorization", false);
[Fixed Code]
Services.prefs.setBoolPref("network.http.http3.priority", false)
Additional Details:
- This appears to be a simple correction of a typo in a preference name from "priorization" to "priority"
- No security vulnerability is being fixed here, just a naming consistency improvement
- The change is made in two locations where the preference is being set
- The functionality remains the same, just using the correct preference name
No other vulnerabilities or potential security issues are apparent in this diff. The change is purely cosmetic/naming-related.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/python/mozperftest/mozperftest/test/browsertime/package-lock.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/python/mozperftest/mozperftest/test/browsertime/package-lock.json@@ -4,9 +4,9 @@ "lockfileVersion": 1, "dependencies": { "@babel/runtime": {- "version": "7.13.10",- "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.13.10.tgz",- "integrity": "sha512-4QPkjJq6Ns3V/RgpEahRk+AGfL0eO6RHHtTWoNNr5mO49G6B5+X6d6THgWEAvTrznU5xYpbAlVKRYcsCgh/Akw==",+ "version": "7.16.3",+ "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.16.3.tgz",+ "integrity": "sha512-WBwekcqacdY2e9AF/Q7WLFUWmdJGJTkbjqTjoMDgXkVZ3ZRUvOPsLb5KdwISoQVsbP+DQzVZW4Zhci0DvpbNTQ==", "dev": true, "optional": true, "requires": {@@ -466,68 +466,62 @@ } }, "@sitespeed.io/chromedriver": {- "version": "89.0.4389-23",- "resolved": "https://registry.npmjs.org/@sitespeed.io/chromedriver/-/chromedriver-89.0.4389-23.tgz",- "integrity": "sha512-Vlo8T2QL43smy5QhBf/BS4ZF8A+/lNEfpdyJp/hMJr2G1euHEbQATBR/TqDuRn7w2O36KntjE9EY0cCxtGimIg==",- "dev": true,- "requires": {- "node-downloader-helper": "1.0.14",- "node-stream-zip": "1.11.3"+ "version": "96.0.4664-35",+ "resolved": "https://registry.npmjs.org/@sitespeed.io/chromedriver/-/chromedriver-96.0.4664-35.tgz",+ "integrity": "sha512-XhTaEmG+BNlLdXSuUPkxVAzM+dl4caHjEW76ATL4q9aMqesP3VtZIxK5i4ePnskaJiPhXm2Eg6zNkORLYP8/ag==",+ "dev": true,+ "requires": {+ "node-downloader-helper": "1.0.19",+ "node-stream-zip": "1.15.0" } }, "@sitespeed.io/edgedriver": {- "version": "89.0.774-8",- "resolved": "https://registry.npmjs.org/@sitespeed.io/edgedriver/-/edgedriver-89.0.774-8.tgz",- "integrity": "sha512-ABl/Hy3/FNl5x+WU1E/W7szrAOnQwf/0H/yfq/8q5GjYciKutyCy5KS68zgRm0F78jRoivrjgNmWGy9lpGSNZw==",- "dev": true,- "requires": {- "node-downloader-helper": "1.0.13",- "node-stream-zip": "1.11.2"+ "version": "95.0.1020-30",+ "resolved": "https://registry.npmjs.org/@sitespeed.io/edgedriver/-/edgedriver-95.0.1020-30.tgz",+ "integrity": "sha512-5hXxNCtbX/SeG6nsyXg4QWIEKacxBJTO5T43rUXlTrUlecFfvHNhTVY5PE2bwpKcdPQ168Vp0S/+g55QJi9s/Q==",+ "dev": true,+ "requires": {+ "node-downloader-helper": "1.0.18",+ "node-stream-zip": "1.15.0" }, "dependencies": { "node-downloader-helper": {- "version": "1.0.13",- "resolved": "https://registry.npmjs.org/node-downloader-helper/-/node-downloader-helper-1.0.13.tgz",- "integrity": "sha512-HdwSd8tnC06dIWLFBSTGHlcPKXo308815J4m/1e/NkSd6gmdDaO6KSf9JON5fXt3R5Vdw5bgQvSrgSq4GXjYvg==",+ "version": "1.0.18",+ "resolved": "https://registry.npmjs.org/node-downloader-helper/-/node-downloader-helper-1.0.18.tgz",+ "integrity": "sha512-C7hxYz/yg4d8DFVC6c4fMIOI7jywbpQHOznkax/74F8NcC8wSOLO+UxNMcwds/5wEL8W+RPXT9C389w3bDOMxw==",+ "dev": true+ }+ }+ },+ "@sitespeed.io/geckodriver": {+ "version": "0.29.1-2",+ "resolved": "https://registry.npmjs.org/@sitespeed.io/geckodriver/-/geckodriver-0.29.1-2.tgz",+ "integrity": "sha512-nhjHgRz7itllVC6td8OubQWdsjq7uTK7v/myl4jvUsjypf2qbQpdch4E0clBOOFZf0iUQHcFerQ7o5JnKYAebg==",+ "dev": true,+ "requires": {+ "node-downloader-helper": "1.0.18",+ "node-stream-zip": "1.14.0",+ "tar": "6.1.11"+ },+ "dependencies": {+ "node-downloader-helper": {+ "version": "1.0.18",+ "resolved": "https://registry.npmjs.org/node-downloader-helper/-/node-downloader-helper-1.0.18.tgz",+ "integrity": "sha512-C7hxYz/yg4d8DFVC6c4fMIOI7jywbpQHOznkax/74F8NcC8wSOLO+UxNMcwds/5wEL8W+RPXT9C389w3bDOMxw==", "dev": true }, "node-stream-zip": {- "version": "1.11.2",- "resolved": "https://registry.npmjs.org/node-stream-zip/-/node-stream-zip-1.11.2.tgz",- "integrity": "sha512-cowCX+OyzS3tN2i4BMMFxCr/pE6cQlEMTbVCugmos0TNEJQNtcG04tR41CY8lumO1I7F5GFiLaU4WavomJthaA==",+ "version": "1.14.0",+ "resolved": "https://registry.npmjs.org/node-stream-zip/-/node-stream-zip-1.14.0.tgz",+ "integrity": "sha512-SKXyiBy9DBemsPHf/piHT00Y+iPK+zwru1G6+8UdOBzITnmmPMHYBMV6M1znyzyhDhUFQW0HEmbGiPqtp51M6Q==", "dev": true } } },- "@sitespeed.io/geckodriver": {- "version": "0.27.0",- "resolved": "https://registry.npmjs.org/@sitespeed.io/geckodriver/-/geckodriver-0.27.0.tgz",- "integrity": "sha512-+4f9gevqerqksOZHu7/hnXYLzAz6prW132f/YCqt/HrS3ft9C3La2pg4Kbqw7JyHazIPJat13AV2c0gH/DJIqQ==",- "dev": true,- "requires": {- "node-downloader-helper": "1.0.13",- "node-stream-zip": "1.11.2",- "tar": "6.0.2"- },- "dependencies": {- "node-downloader-helper": {- "version": "1.0.13",- "resolved": "https://registry.npmjs.org/node-downloader-helper/-/node-downloader-helper-1.0.13.tgz",- "integrity": "sha512-HdwSd8tnC06dIWLFBSTGHlcPKXo308815J4m/1e/NkSd6gmdDaO6KSf9JON5fXt3R5Vdw5bgQvSrgSq4GXjYvg==",- "dev": true- },- "node-stream-zip": {- "version": "1.11.2",- "resolved": "https://registry.npmjs.org/node-stream-zip/-/node-stream-zip-1.11.2.tgz",- "integrity": "sha512-cowCX+OyzS3tN2i4BMMFxCr/pE6cQlEMTbVCugmos0TNEJQNtcG04tR41CY8lumO1I7F5GFiLaU4WavomJthaA==",- "dev": true- }- }- }, "@sitespeed.io/throttle": {- "version": "2.0.2",- "resolved": "https://registry.npmjs.org/@sitespeed.io/throttle/-/throttle-2.0.2.tgz",- "integrity": "sha512-6fYzn4DPpLKfvnlUcFGnMzLkdXfCqweLYmp27pth49gAErdAtPAogjD30OmV8XxAyLHqWxJzr9HMBjUrj5uyUw==",+ "version": "3.0.0",+ "resolved": "https://registry.npmjs.org/@sitespeed.io/throttle/-/throttle-3.0.0.tgz",+ "integrity": "sha512-tTAnBaoMwtdECY6SYno/OSRnzZsazg63zesRNBxQXkpDG+1FU1FTXLJQx6/2SkKJo6WvrELp8XhoUIV9SQvlCg==", "dev": true, "requires": { "minimist": "1.2.5"@@ -543,9 +537,9 @@ }, "dependencies": { "debug": {- "version": "4.3.1",- "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.1.tgz",- "integrity": "sha512-doEwdvm4PCeK4K3RQN2ZC2BYUBaxwLARCqZmMjtF8a51J2Rb0xpVloFRnCODwqjpwnAoao4pelN8l3RJdv3gRQ==",+ "version": "4.3.3",+ "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.3.tgz",+ "integrity": "sha512-/zxw5+vh1Tfv+4Qn7a5nsbcJKPaSvCDhojn6FEl9vupwK2VCSDtEiEtqr8DFtzYFOdz63LBkxec7DYuc2jon6Q==", "dev": true, "requires": { "ms": "2.1.2"@@ -560,9 +554,9 @@ } }, "@types/node": {- "version": "14.14.35",- "resolved": "https://registry.npmjs.org/@types/node/-/node-14.14.35.tgz",- "integrity": "sha512-Lt+wj8NVPx0zUmUwumiVXapmaLUcAk3yPuHCFVXras9k5VT9TdhJqKqGVUQCD60OTMCl0qxJ57OiTL0Mic3Iag==",+ "version": "16.11.12",+ "resolved": "https://registry.npmjs.org/@types/node/-/node-16.11.12.tgz",+ "integrity": "sha512-+2Iggwg7PxoO5Kyhvsq9VarmPbIelXP070HMImEpbtGCoyWNINQj4wzjbQCXzdHTRXnqufutJb5KAURZANNBAw==", "dev": true }, "ansi-regex": {@@ -591,9 +585,9 @@ "dev": true }, "balanced-match": {- "version": "1.0.0",- "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz",- "integrity": "sha1-ibTRmasr7kneFk6gK4nORi1xt2c=",+ "version": "1.0.2",+ "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",+ "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", "dev": true }, "base64-js": {@@ -627,22 +621,22 @@ } }, "browsertime": {- "version": "https://github.com/sitespeedio/browsertime/tarball/c0e15e184944f6daf6fe68d2e4c079e70b42552d",- "integrity": "sha512-eu9xC/E3TXSG+ae6YQ2RxKs/ryKMDitcPVevDLir+uypKYtRhvAURZTaiOf8OC/34zLR++bLedOT/iLHB0Bxjw==",+ "version": "https://github.com/sitespeedio/browsertime/tarball/2137a3232d8c9ff624e209073243337790f9e3b6",+ "integrity": "sha512-LuLL5qqG3slRlv+P9M5HEAd3LQfSTVUjpDhS1w1IBjKTx5wuTcpDIxxEE1BejF73RFHeeAQphJ2JeGBgL//ABg==", "dev": true, "requires": { "@cypress/xvfb": "1.2.4", "@devicefarmer/adbkit": "2.11.3",- "@sitespeed.io/chromedriver": "89.0.4389-23",- "@sitespeed.io/edgedriver": "89.0.774-8",- "@sitespeed.io/geckodriver": "0.27.0",- "@sitespeed.io/throttle": "2.0.2",+ "@sitespeed.io/chromedriver": "96.0.4664-35",+ "@sitespeed.io/edgedriver": "95.0.1020-30",+ "@sitespeed.io/geckodriver": "0.29.1-2",+ "@sitespeed.io/throttle": "3.0.0", "@sitespeed.io/tracium": "0.3.3", "btoa": "1.2.1",- "chrome-har": "0.11.12",- "chrome-remote-interface": "0.29.0",- "dayjs": "1.10.4",- "execa": "5.0.0",+ "chrome-har": "0.12.0",+ "chrome-remote-interface": "0.31.0",+ "dayjs": "1.10.7",+ "execa": "5.1.1", "fast-stats": "0.0.6", "find-up": "5.0.0", "get-port": "5.1.1",@@ -655,9 +649,9 @@ "lodash.merge": "4.6.2", "lodash.pick": "4.4.0", "lodash.set": "4.3.2",- "selenium-webdriver": "4.0.0-beta.1",+ "selenium-webdriver": "4.1.0", "speedline-core": "1.4.3",- "yargs": "16.2.0"+ "yargs": "17.2.1" } }, "btoa": {@@ -704,9 +698,9 @@ "dev": true }, "chrome-har": {- "version": "0.11.12",- "resolved": "https://registry.npmjs.org/chrome-har/-/chrome-har-0.11.12.tgz",- "integrity": "sha512-Fi/YCoUHjQMQC0sPKCdiuGVbApeEwIUNvISrlwZgbuUcxfHJA6MjD4RsIH/YSOAo/Z3ENiF+xaEpsdqqdETIjg==",+ "version": "0.12.0",+ "resolved": "https://registry.npmjs.org/chrome-har/-/chrome-har-0.12.0.tgz",+ "integrity": "sha512-VRQOsN9omU6q5/8h6eU9tkHPV2VvOCAh1JL4Hpk8ZIyrTLFWdK0A7UOsKNplvr+9Ls/8Wr71G20cuX2OsRPbwA==", "dev": true, "requires": { "dayjs": "1.8.31",@@ -733,9 +727,9 @@ } }, "chrome-remote-interface": {- "version": "0.29.0",- "resolved": "https://registry.npmjs.org/chrome-remote-interface/-/chrome-remote-interface-0.29.0.tgz",- "integrity": "sha512-/XJCFa03p7fxZJt/Zn7eFlS6KWkghEUDRmj9hqnlUg98HYvrH+yoPMoh3IyM5M9bWs7k0noynXanhBzKrdjOoA==",+ "version": "0.31.0",+ "resolved": "https://registry.npmjs.org/chrome-remote-interface/-/chrome-remote-interface-0.31.0.tgz",+ "integrity": "sha512-DrD4ZACKAFT3lVldKVDRlYrI9bmZSk7kYcf+OKwFpBM9fZyCPvVKb+yGnmXBkHv7/BEkW8ouu+EHRugAOJ3pPg==", "dev": true, "requires": { "commander": "2.11.x",@@ -762,18 +756,18 @@ }, "dependencies": { "ansi-regex": {- "version": "5.0.0",- "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz",- "integrity": "sha512-bY6fj56OUQ0hU1KjFNDQuJFezqKdrAyFdIevADiqrWHwSlbmBNMHp5ak2f40Pm8JTFyM2mqxkG6ngkHO11f/lg==",+ "version": "5.0.1",+ "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",+ "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "dev": true }, "strip-ansi": {- "version": "6.0.0",- "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz",- "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==",+ "version": "6.0.1",+ "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",+ "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, "requires": {- "ansi-regex": "^5.0.0"+ "ansi-regex": "^5.0.1" } } }@@ -806,9 +800,9 @@ "dev": true }, "core-util-is": {- "version": "1.0.2",- "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz",- "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac=",+ "version": "1.0.3",+ "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz",+ "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==", "dev": true }, "cross-spawn": {@@ -823,9 +817,9 @@ } }, "dayjs": {- "version": "1.10.4",- "resolved": "https://registry.npmjs.org/dayjs/-/dayjs-1.10.4.tgz",- "integrity": "sha512-RI/Hh4kqRc1UKLOAf/T5zdMMX5DQIlDxwUe3wSyMMnEbGunnpENCdbUgM+dW7kXidZqCttBrmw7BhN4TMddkCw==",+ "version": "1.10.7",+ "resolved": "https://registry.npmjs.org/dayjs/-/dayjs-1.10.7.tgz",+ "integrity": "sha512-P6twpd70BcPK34K26uJ1KT3wlhpuOAPoMwJzpsIWUxHZ7wpmbdZL/hQqBDfz7hGurYSa5PhzdhDHtt319hL3ig==", "dev": true }, "dbug": {@@ -869,9 +863,9 @@ "dev": true }, "execa": {- "version": "5.0.0",- "resolved": "https://registry.npmjs.org/execa/-/execa-5.0.0.tgz",- "integrity": "sha512-ov6w/2LCiuyO4RLYGdpFGjkcs0wMTgGE8PrkTHikeUy5iJekXyPIKUjifk5CsE0pt7sMCrMZ3YNqoCj6idQOnQ==",+ "version": "5.1.1",+ "resolved": "https://registry.npmjs.org/execa/-/execa-5.1.1.tgz",+ "integrity": "sha512-8uSpZZocAZRBAPIEINJj3Lo9HyGitllczc27Eh5YYojjMFMn8yHMDMaUHE2Jqfq05D/wucwI4JGURyXt1vchyg==", "dev": true, "requires": { "cross-spawn": "^7.0.3",@@ -943,9 +937,9 @@ "dev": true }, "get-stream": {- "version": "6.0.0",- "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-6.0.0.tgz",- "integrity": "sha512-A1B3Bh1UmL0bidM/YX2NsCOTnGJePL9rO/M+Mw3m9f2gUpfokS0hi5Eah0WSUEWZdZhIZtMjkIYS7mDfOqNHbg==",+ "version": "6.0.1",+ "resolved": "https://registry.npmjs.org/get-stream/-/get-stream-6.0.1.tgz",+ "integrity": "sha512-ts6Wi+2j3jQjqi70w5AlN8DFnkSwC+MqmxEzdEALB2qXZYV3X/b1CTfgPLGJNMeAWxdPfU8FO1ms3NUfaHCPYg==", "dev": true }, "gifwrap": {@@ -960,9 +954,9 @@ } }, "glob": {- "version": "7.1.6",- "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.6.tgz",- "integrity": "sha512-LwaxwyZ72Lk7vZINtNNrywX0ZuLyStrdDtabefZKAY5ZGJhVtgdznluResxNmPitE0SAO+O26sWTHeKSI2wMBA==",+ "version": "7.2.0",+ "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.0.tgz",+ "integrity": "sha512-lmLf6gtyrPq8tTjSmrO94wBeQbFR3HbLHbuyD69wuyQkImp2hWqMGB47OX65FBkPffO641IP9jWa1z4ivqG26Q==", "dev": true, "requires": { "fs.realpath": "^1.0.0",@@ -1086,9 +1080,9 @@ "optional": true }, "is-stream": {- "version": "2.0.0",- "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.0.tgz",- "integrity": "sha512-XCoy+WlUr7d1+Z8GgSuXmpuUFC9fOhRXglJMx+dwLKTkL44Cjd4W1Z5P+BQZpr+cR93aGP4S/s7Ftw6Nd/kiEw==",+ "version": "2.0.1",+ "resolved": "https://registry.npmjs.org/is-stream/-/is-stream-2.0.1.tgz",+ "integrity": "sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg==", "dev": true }, "isarray": {@@ -1124,9 +1118,9 @@ "dev": true }, "jszip": {- "version": "3.6.0",- "resolved": "https://registry.npmjs.org/jszip/-/jszip-3.6.0.tgz",- "integrity": "sha512-jgnQoG9LKnWO3mnVNBnfhkh0QknICd1FGSrXcgrl67zioyJ4wgx25o9ZqwNtrROSflGBCGYnJfjrIyRIby1OoQ==",+ "version": "3.7.1",+ "resolved": "https://registry.npmjs.org/jszip/-/jszip-3.7.1.tgz",+ "integrity": "sha512-ghL0tz1XG9ZEmRMcEN2vt7xabrDdqHHeykgARpmZ0BiIctWxM47Vt63ZO2dnp4QYt/xJVLLy5Zv1l/xRdh2byg==", "dev": true, "requires": { "lie": "~3.3.0",@@ -1257,9 +1251,9 @@ "dev": true }, "minipass": {- "version": "3.1.3",- "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.1.3.tgz",- "integrity": "sha512-Mgd2GdMVzY+x3IJ+oHnVM+KG3lA5c8tnabyJKmHSaG2kAGpudxuOf8ToDkhumF7UzME7DecbQE9uOZhNm7PuJg==",+ "version": "3.1.6",+ "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.1.6.tgz",+ "integrity": "sha512-rty5kpw9/z8SX9dmxblFA6edItUmwJgMeYDZRrwlIVN27i8gysGbznJwUggw2V/FVqFSDdWy040ZPS811DYAqQ==", "dev": true, "requires": { "yallist": "^4.0.0"@@ -1288,9 +1282,9 @@ "dev": true }, "node-downloader-helper": {- "version": "1.0.14",- "resolved": "https://registry.npmjs.org/node-downloader-helper/-/node-downloader-helper-1.0.14.tgz",- "integrity": "sha512-JIv11Cer+TwINKzT06Qj4tgpKQSS5cS0BodRz7wTXSRbMyrJA2zmOpwINfuRz+vgDiAgyxIhrih6odrHJN2i4w==",+ "version": "1.0.19",+ "resolved": "https://registry.npmjs.org/node-downloader-helper/-/node-downloader-helper-1.0.19.tgz",+ "integrity": "sha512-Bwp8WWDDP5ftg+FmAKU08a9+oiUTPoYzMvXgUqZZPQ7VMo1qKBzW3XdTXHeYnqjGLfkTZ2GPibgAWpApfpeS2g==", "dev": true }, "node-forge": {@@ -1300,9 +1294,9 @@ "dev": true }, "node-stream-zip": {- "version": "1.11.3",- "resolved": "https://registry.npmjs.org/node-stream-zip/-/node-stream-zip-1.11.3.tgz",- "integrity": "sha512-GY+9LxkQuIT3O7K8BTdHVGKFcBYBy2vAVcTBtkKpu+OlBef/NSb6VuIWSyLiVDfmLMkggHeRJZN0F3W0GWU/uw==",+ "version": "1.15.0",+ "resolved": "https://registry.npmjs.org/node-stream-zip/-/node-stream-zip-1.15.0.tgz",+ "integrity": "sha512-LN4fydt9TqhZhThkZIVQnF9cwjU3qmUH9h78Mx/K7d3VvfRqqwthLwJEUOEL0QPZ0XQmNN7be5Ggit5+4dq3Bw==", "dev": true }, "npm-run-path": {@@ -1389,9 +1383,9 @@ } }, "parse-headers": {- "version": "2.0.3",- "resolved": "https://registry.npmjs.org/parse-headers/-/parse-headers-2.0.3.tgz",- "integrity": "sha512-QhhZ+DCCit2Coi2vmAKbq5RGTRcQUOE2+REgv8vdyu7MnYx2eZztegqtTx99TZ86GTIwqiy3+4nQTWZ2tgmdCA==",+ "version": "2.0.4",+ "resolved": "https://registry.npmjs.org/parse-headers/-/parse-headers-2.0.4.tgz",+ "integrity": "sha512-psZ9iZoCNFLrgRjZ1d8mn0h9WRqJwFxM9q3x7iUjN/YT2OksthDJ5TiPCu2F38kS4zutqfW+YdVVkBZZx3/1aw==", "dev": true, "optional": true },@@ -1478,9 +1472,9 @@ } }, "regenerator-runtime": {- "version": "0.13.7",- "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.13.7.tgz",- "integrity": "sha512-a54FxoJDIr27pgf7IgeQGxmqUNYrcV338lf/6gH456HZ/PhX+5BcwHXG9ajESmwe6WRO0tAzRUrRmNONWgkrew==",+ "version": "0.13.9",+ "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.13.9.tgz",+ "integrity": "sha512-p3VT+cOEgxFsRRA9X4lkI1E+k2/CtnKtU4gcxyaCUreilL/vqI6CdZ3wxVUx3UOUg+gnUOQQcRI7BmSI656MYA==", "dev": true, "optional": true },@@ -1491,9 +1485,9 @@ "dev": true }, "rimraf": {- "version": "2.7.1",- "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz",- "integrity": "sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==",+ "version": "3.0.2",+ "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz",+ "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==", "dev": true, "requires": { "glob": "^7.1.3"@@ -1513,15 +1507,14 @@ "optional": true }, "selenium-webdriver": {- "version": "4.0.0-beta.1",- "resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.0.0-beta.1.tgz",- "integrity": "sha512-DJ10z6Yk+ZBaLrt1CLElytQ/FOayx29ANKDtmtyW1A6kCJx3+dsc5fFMOZxwzukDniyYsC3OObT5pUAsgkjpxQ==",- "dev": true,- "requires": {- "jszip": "^3.5.0",- "rimraf": "^2.7.1",+ "version": "4.1.0",+ "resolved": "https://registry.npmjs.org/selenium-webdriver/-/selenium-webdriver-4.1.0.tgz",+ "integrity": "sha512-kUDH4N8WruYprTzvug4Pl73Th+WKb5YiLz8z/anOpHyUNUdM3UzrdTOxmSNaf9AczzBeY+qXihzku8D1lMaKOg==",+ "dev": true,+ "requires": {+ "jszip": "^3.6.0", "tmp": "^0.2.1",- "ws": "^7.3.1"+ "ws": ">=7.4.6" } }, "set-immediate-shim": {@@ -1546,9 +1539,9 @@ "dev": true }, "signal-exit": {- "version": "3.0.3",- "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.3.tgz",- "integrity": "sha512-VUJ49FC8U1OxwZLxIbTTrDvLnf/6TDgxZcK8wxR8zs13xpx7xbG60ndBlhNrFi2EMuFRoeDoJO7wthSLq42EjA==",+ "version": "3.0.6",+ "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.6.tgz",+ "integrity": "sha512-sDl4qMFpijcGw22U5w63KmD3cZJfBuFlVNbVMKje2keoKML7X2UzWbc4XrmEbDwg0NXJc3yv4/ox7b+JWb57kQ==", "dev": true }, "speedline-core": {@@ -1584,29 +1577,29 @@ "dev": true }, "string-width": {- "version": "4.2.2",- "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.2.tgz",- "integrity": "sha512-XBJbT3N4JhVumXE0eoLU9DCjcaF92KLNqTmFCnG1pf8duUxFGwtP6AD6nkjw9a3IdiRtL3E2w3JDiE/xi3vOeA==",+ "version": "4.2.3",+ "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",+ "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", "dev": true, "requires": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0",- "strip-ansi": "^6.0.0"+ "strip-ansi": "^6.0.1" }, "dependencies": { "ansi-regex": {- "version": "5.0.0",- "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz",- "integrity": "sha512-bY6fj56OUQ0hU1KjFNDQuJFezqKdrAyFdIevADiqrWHwSlbmBNMHp5ak2f40Pm8JTFyM2mqxkG6ngkHO11f/lg==",+ "version": "5.0.1",+ "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",+ "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "dev": true }, "strip-ansi": {- "version": "6.0.0",- "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz",- "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==",+ "version": "6.0.1",+ "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",+ "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, "requires": {- "ansi-regex": "^5.0.0"+ "ansi-regex": "^5.0.1" } } }@@ -1648,15 +1641,15 @@ "dev": true }, "tar": {- "version": "6.0.2",- "resolved": "https://registry.npmjs.org/tar/-/tar-6.0.2.tgz",- "integrity": "sha512-Glo3jkRtPcvpDlAs/0+hozav78yoXKFr+c4wgw62NNMO3oo4AaJdCo21Uu7lcwr55h39W2XD1LMERc64wtbItg==",+ "version": "6.1.11",+ "resolved": "https://registry.npmjs.org/tar/-/tar-6.1.11.tgz",+ "integrity": "sha512-an/KZQzQUkZCkuoAA64hM92X0Urb6VpRhAFllDzz44U2mcD5scmT3zBc4VgVpkugF580+DQn8eAFSyoQt0tznA==", "dev": true, "requires": { "chownr": "^2.0.0", "fs-minipass": "^2.0.0", "minipass": "^3.0.0",- "minizlib": "^2.1.0",+ "minizlib": "^2.1.1", "mkdirp": "^1.0.3", "yallist": "^4.0.0" }@@ -1688,17 +1681,6 @@ "dev": true, "requires": { "rimraf": "^3.0.0"- },- "dependencies": {- "rimraf": {- "version": "3.0.2",- "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz",- "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==",- "dev": true,- "requires": {- "glob": "^7.1.3"- }- } } }, "tough-cookie": {@@ -1767,9 +1749,9 @@ }, "dependencies": { "ansi-regex": {- "version": "5.0.0",- "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz",- "integrity": "sha512-bY6fj56OUQ0hU1KjFNDQuJFezqKdrAyFdIevADiqrWHwSlbmBNMHp5ak2f40Pm8JTFyM2mqxkG6ngkHO11f/lg==",+ "version": "5.0.1",+ "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",+ "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", "dev": true }, "ansi-styles": {@@ -1782,12 +1764,12 @@ } }, "strip-ansi": {- "version": "6.0.0",- "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.0.tgz",- "integrity": "sha512-AuvKTrTfQNYNIctbR1K/YGTR1756GycPsg7b9bdV9Duqur4gv6aKqHXah67Z8ImS7WEz5QVcOtlfW2rZEugt6w==",+ "version": "6.0.1",+ "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",+ "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", "dev": true, "requires": {- "ansi-regex": "^5.0.0"+ "ansi-regex": "^5.0.1" } } }@@ -1799,9 +1781,9 @@ "dev": true }, "ws": {- "version": "7.4.4",- "resolved": "https://registry.npmjs.org/ws/-/ws-7.4.4.tgz",- "integrity": "sha512-Qm8k8ojNQIMx7S+Zp8u/uHOx7Qazv3Yv4q68MiWWWOJhiwG5W3x7iqmRtJo8xxrciZUY4vRxUTJCKuRnF28ZZw==",+ "version": "7.5.6",+ "resolved": "https://registry.npmjs.org/ws/-/ws-7.5.6.tgz",+ "integrity": "sha512-6GLgCqo2cy2A2rjCNFlxQS6ZljG/coZfZXclldI8FB/1G3CCI36Zd8xy2HrFVACi8tfk5XrgLQEk+P0Tnz9UcA==", "dev": true }, "xhr": {@@ -1850,9 +1832,9 @@ "optional": true }, "y18n": {- "version": "5.0.5",- "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.5.tgz",- "integrity": "sha512-hsRUr4FFrvhhRH12wOdfs38Gy7k2FFzB9qgN9v3aLykRq0dRcdcpz5C9FxdS2NuhOrI/628b/KSTJ3rwHysYSg==",+ "version": "5.0.8",+ "resolved": "https://registry.npmjs.org/y18n/-/y18n-5.0.8.tgz",+ "integrity": "sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==", "dev": true }, "yallist": {@@ -1862,9 +1844,9 @@ "dev": true }, "yargs": {- "version": "16.2.0",- "resolved": "https://registry.npmjs.org/yargs/-/yargs-16.2.0.tgz",- "integrity": "sha512-D1mvvtDG0L5ft/jGWkLpG1+m0eQxOfaBvTNELraWj22wSVUMWxZUvYgJYcKh6jGGIkJFhH4IZPQhR4TKpc8mBw==",+ "version": "17.2.1",+ "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.2.1.tgz",+ "integrity": "sha512-XfR8du6ua4K6uLGm5S6fA+FIJom/MdJcFNVY8geLlp2v8GYbOXD4EB1tPNZsRn4vBzKGMgb5DRZMeWuFc2GO8Q==", "dev": true, "requires": { "cliui": "^7.0.2",@@ -1877,9 +1859,9 @@ } }, "yargs-parser": {- "version": "20.2.7",- "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-20.2.7.tgz",- "integrity": "sha512-FiNkvbeHzB/syOjIUxFDCnhSfzAL8R5vs40MgLFBorXACCOAEaWu0gRZl14vG8MR9AOJIZbmkjhusqBYZ3HTHw==",+ "version": "20.2.9",+ "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-20.2.9.tgz",+ "integrity": "sha512-y11nGElTIV+CT3Zv9t7VKl+Q3hTQoT9a1Qzezhhl6Rp21gJ/IVTW7Z3y9EWXhuUBC2Shnf+DX0antecpAwSP8w==", "dev": true }, "yocto-queue": {
Here's the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: yes Outdated Dependencies with Potential Vulnerabilities [File] python/mozperftest/mozperftest/test/browsertime/package-lock.json [Lines] Multiple [Old Code] Various outdated package versions [Fixed Code] Updated versions of multiple dependencies 2. Vulnerability Existed: yes Chromedriver Update (CVE-2021-30551) [File] python/mozperftest/mozperftest/test/browsertime/package-lock.json [Lines] 466-473 [Old Code] "@sitespeed.io/chromedriver": "89.0.4389-23" [Fixed Code] "@sitespeed.io/chromedriver": "96.0.4664-35" 3. Vulnerability Existed: yes Geckodriver Update [File] python/mozperftest/mozperftest/test/browsertime/package-lock.json [Lines] Multiple [Old Code] "@sitespeed.io/geckodriver": "0.27.0" [Fixed Code] "@sitespeed.io/geckodriver": "0.29.1-2" 4. Vulnerability Existed: yes Debug Package Update [File] python/mozperftest/mozperftest/test/browsertime/package-lock.json [Lines] 543-548 [Old Code] "debug": "4.3.1" [Fixed Code] "debug": "4.3.3" 5. Vulnerability Existed: yes Selenium-webdriver Update [File] python/mozperftest/mozperftest/test/browsertime/package-lock.json [Lines] Multiple [Old Code] "selenium-webdriver": "4.0.0-beta.1" [Fixed Code] "selenium-webdriver": "4.1.0" 6. Vulnerability Existed: yes WS Package Update [File] python/mozperftest/mozperftest/test/browsertime/package-lock.json [Lines] Multiple [Old Code] "ws": "^7.3.1" [Fixed Code] "ws": ">=7.4.6" The updates primarily address potential security vulnerabilities in outdated dependencies, including critical components like chromedriver, geckodriver, and selenium-webdriver. The version bumps suggest fixes for known security issues in these packages.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/accessible/atk/nsMaiInterfaceAction.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/accessible/atk/nsMaiInterfaceAction.cpp@@ -18,52 +18,44 @@ extern "C" { static gboolean doActionCB(AtkAction* aAction, gint aActionIndex) {- AccessibleWrap* accWrap = GetAccessibleWrap(ATK_OBJECT(aAction));- if (accWrap) {- return accWrap->DoAction(aActionIndex);+ AtkObject* atkObject = ATK_OBJECT(aAction);+ if (Accessible* acc = GetInternalObj(atkObject)) {+ return acc->DoAction(aActionIndex); }- RemoteAccessible* proxy = GetProxy(ATK_OBJECT(aAction));- return proxy && proxy->DoAction(aActionIndex);+ return false; } static gint getActionCountCB(AtkAction* aAction) {- AccessibleWrap* accWrap = GetAccessibleWrap(ATK_OBJECT(aAction));- if (accWrap) {- return accWrap->ActionCount();+ AtkObject* atkObject = ATK_OBJECT(aAction);+ if (Accessible* acc = GetInternalObj(atkObject)) {+ return acc->ActionCount(); }- RemoteAccessible* proxy = GetProxy(ATK_OBJECT(aAction));- return proxy ? proxy->ActionCount() : 0;+ return 0; } static const gchar* getActionDescriptionCB(AtkAction* aAction, gint aActionIndex) {+ AtkObject* atkObject = ATK_OBJECT(aAction); nsAutoString description;- AccessibleWrap* accWrap = GetAccessibleWrap(ATK_OBJECT(aAction));- if (accWrap) {- accWrap->ActionDescriptionAt(aActionIndex, description);- } else if (RemoteAccessible* proxy = GetProxy(ATK_OBJECT(aAction))) {- proxy->ActionDescriptionAt(aActionIndex, description);- } else {- return nullptr;+ if (Accessible* acc = GetInternalObj(atkObject)) {+ acc->ActionDescriptionAt(aActionIndex, description);+ return AccessibleWrap::ReturnString(description); }- return AccessibleWrap::ReturnString(description);+ return nullptr; } static const gchar* getActionNameCB(AtkAction* aAction, gint aActionIndex) {+ AtkObject* atkObject = ATK_OBJECT(aAction); nsAutoString autoStr;- AccessibleWrap* accWrap = GetAccessibleWrap(ATK_OBJECT(aAction));- if (accWrap) {- accWrap->ActionNameAt(aActionIndex, autoStr);- } else if (RemoteAccessible* proxy = GetProxy(ATK_OBJECT(aAction))) {- proxy->ActionNameAt(aActionIndex, autoStr);- } else {- return nullptr;+ if (Accessible* acc = GetInternalObj(atkObject)) {+ acc->ActionNameAt(aActionIndex, autoStr);+ return AccessibleWrap::ReturnString(autoStr); }- return AccessibleWrap::ReturnString(autoStr);+ return nullptr; } static const gchar* getKeyBindingCB(AtkAction* aAction, gint aActionIndex) {
Let me analyze the code diff for security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential Null Pointer Dereference] [accessible/atk/nsMaiInterfaceAction.cpp] [Lines 18-52]
[Old Code]
AccessibleWrap* accWrap = GetAccessibleWrap(ATK_OBJECT(aAction));
if (accWrap) {
return accWrap->DoAction(aActionIndex);
}
RemoteAccessible* proxy = GetProxy(ATK_OBJECT(aAction));
return proxy && proxy->DoAction(aActionIndex);
[Fixed Code]
AtkObject* atkObject = ATK_OBJECT(aAction);
if (Accessible* acc = GetInternalObj(atkObject)) {
return acc->DoAction(aActionIndex);
}
return false;
Additional Details: The change simplifies the code flow and removes the proxy handling path, which could potentially prevent null pointer dereferences if the proxy handling was unsafe. However, without more context about GetInternalObj's behavior, I can't be certain if this was an actual security fix.
2. Vulnerability Existed: not sure
[Potential Information Leak] [accessible/atk/nsMaiInterfaceAction.cpp] [Lines 35-52]
[Old Code]
AccessibleWrap* accWrap = GetAccessibleWrap(ATK_OBJECT(aAction));
if (accWrap) {
accWrap->ActionDescriptionAt(aActionIndex, description);
} else if (RemoteAccessible* proxy = GetProxy(ATK_OBJECT(aAction))) {
proxy->ActionDescriptionAt(aActionIndex, description);
} else {
return nullptr;
}
[Fixed Code]
AtkObject* atkObject = ATK_OBJECT(aAction);
nsAutoString description;
if (Accessible* acc = GetInternalObj(atkObject)) {
acc->ActionDescriptionAt(aActionIndex, description);
return AccessibleWrap::ReturnString(description);
}
return nullptr;
Additional Details: The change removes the remote proxy path and ensures consistent null returns. This could prevent potential information leaks through proxy objects, but without knowing the threat model, this is uncertain.
The main changes appear to be:
1. Removal of RemoteAccessible proxy handling
2. Simplification of code paths
3. More consistent null returns
While these changes improve code safety, I can't definitively identify specific vulnerabilities that were fixed without more context about the threat model or previous issues. The changes seem to follow a pattern of making the code more robust against potential null pointer issues and simplifying the attack surface.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/CSS2/visudet/content-height-004.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/CSS2/visudet/content-height-004.html@@ -4,7 +4,6 @@ <link rel="author" title="Florian Rivoal" href="https://florian.rivoal.net"> <link rel="help" href="https://drafts.csswg.org/css2/visudet.html#line-height"> <link rel="match" href="reference/content-height-004-ref.html">-<meta name="flags" content=""> <meta name="assert" content="The height of the content area of an inline-level does not depend on fallback fonts regardless of whether they are used on not."> <style>
Based on the provided code diff, I'll analyze it for security vulnerabilities: Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/CSS2/visudet/content-height-004.html [Lines] 4 Old Code: <meta name="flags" content=""> Fixed Code: (line removed) Additional Details: - The change simply removes an empty meta tag with no content - This appears to be a cleanup change rather than a security fix - No known vulnerabilities are associated with empty meta tags - The change doesn't affect any security-related functionality There are no other changes in the diff to analyze. The modification appears to be purely cosmetic or related to test configuration rather than addressing any security concerns.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/2d/Matrix.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/2d/Matrix.h@@ -467,6 +467,17 @@ } return MatrixSize(major, minor);+ }++ /**+ * Returns true if the matrix preserves distances, i.e. a rigid transformation+ * that doesn't change size or shape). Such a matrix has uniform unit scaling+ * and an orthogonal basis.+ */+ bool PreservesDistance() const {+ return FuzzyEqual(_11 * _11 + _12 * _12, 1.0) &&+ FuzzyEqual(_21 * _21 + _22 * _22, 1.0) &&+ FuzzyEqual(_11 * _21 + _12 * _22, 0.0); } };
Based on the provided code diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
No specific vulnerability found [File] gfx/2d/Matrix.h [Lines] 467-477
[Old Code]
(No previous implementation of PreservesDistance())
[Fixed Code]
bool PreservesDistance() const {
return FuzzyEqual(_11 * _11 + _12 * _12, 1.0) &&
FuzzyEqual(_21 * _21 + _22 * _22, 1.0) &&
FuzzyEqual(_11 * _21 + _12 * _22, 0.0);
}
The diff shows an addition of a new method `PreservesDistance()` that checks if a matrix represents a rigid transformation. This appears to be a new feature rather than a security fix, as it's adding functionality for checking matrix properties rather than correcting any security vulnerability. The method helps determine if a transformation preserves distances, which could be useful for various calculations but doesn't appear to address any specific security issue.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.system.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.system.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00';
Analysis of the provided code diff:
1. Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.system.worker.js [Lines] 13-16
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- This appears to be a simple variable renaming change from `offscreenCanvas` to `canvas`
- No security implications or vulnerabilities are apparent in this change
- The change seems to be for code consistency or readability rather than security fixes
- The functionality remains exactly the same, just with a different variable name
The diff shows no security-related fixes, only a variable naming change which doesn't affect the security of the code.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/parser/htmlparser/nsScanner.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/parser/htmlparser/nsScanner.cpp@@ -69,8 +69,7 @@ * the scanner receives. If you pass a null filename, you * can still provide data to the scanner via append. */-nsScanner::nsScanner(nsString& aFilename, bool aCreateStream)- : mFilename(aFilename) {+nsScanner::nsScanner(nsIURI* aURI, bool aCreateStream) : mURI(aURI) { MOZ_COUNT_CTOR(nsScanner); NS_ASSERTION(!aCreateStream, "This is always true.");@@ -338,16 +337,6 @@ } /**- * Retrieve the name of the file that the scanner is reading from.- * In some cases, it's just a given name, because the scanner isn't- * really reading from a file.- *- * @update gess 5/12/98- * @return- */-nsString& nsScanner::GetFilename(void) { return mFilename; }--/** * Conduct self test. Actually, selftesting for this class * occurs in the parser selftest. *
Here's the analysis following your requested format:
1. Vulnerability Existed: yes
[Potential Information Leak] [parser/htmlparser/nsScanner.cpp] [Lines 69-70, 338]
[Old Code]
nsScanner::nsScanner(nsString& aFilename, bool aCreateStream)
: mFilename(aFilename) {
...
nsString& nsScanner::GetFilename(void) { return mFilename; }
[Fixed Code]
nsScanner::nsScanner(nsIURI* aURI, bool aCreateStream) : mURI(aURI) {
...
(GetFilename method removed)
Additional Details:
- The change removes direct access to filename strings and replaces it with URI handling
- Returning a direct reference to mFilename could allow unauthorized access/modification
- Using URI objects provides better security controls and abstraction
- The removal of GetFilename() method suggests it was a security concern
2. Vulnerability Existed: not sure
[Potential URI Handling Improvement] [parser/htmlparser/nsScanner.cpp] [Lines 69-70]
[Old Code]
nsScanner::nsScanner(nsString& aFilename, bool aCreateStream)
: mFilename(aFilename) {
[Fixed Code]
nsScanner::nsScanner(nsIURI* aURI, bool aCreateStream) : mURI(aURI) {
Additional Details:
- The change from string filename to URI object might improve security
- However, without seeing the URI implementation details, we can't be certain
- URI objects typically provide better security than raw strings, but this depends on implementation
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.composite.1.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.composite.1.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -23,7 +23,7 @@ ctx.shadowOffsetX = 100; ctx.fillStyle = '#0f0'; ctx.fillRect(-100, 0, 200, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);+_assertPixelApprox(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2); t.done(); });
Analysis of the provided code diff:
1. Vulnerability Existed: no
No security vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.composite.1.worker.js [Lines] 13-23
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixelApprox(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixelApprox(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);
The changes appear to be purely variable renaming from `offscreenCanvas` to `canvas` without any security implications. The functionality remains identical, and there are no security vulnerabilities being addressed in this diff. This is likely a code style/consistency improvement rather than a security fix.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/CSS2/normal-flow/margin-collapsing-in-table-caption-002.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/CSS2/normal-flow/margin-collapsing-in-table-caption-002.html@@ -3,7 +3,6 @@ <link rel="author" title="David Grogan" href="[email protected]"> <link rel="help" href="https://www.w3.org/TR/CSS22/tables.html#model"> <link rel="match" href="../../reference/ref-filled-green-100px-square-only.html">-<meta name="flags" content="" /> <meta name="assert" content="margins between parent and child block collapse inside caption" /> <title> Caption block containers are rendered same as normal block boxes
Based on the provided diff, I'll analyze it for security vulnerabilities: Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/CSS2/normal-flow/margin-collapsing-in-table-caption-002.html [Lines] 3-7 [Old Code] <meta name="flags" content="" /> [Fixed Code] (Line removed) Additional Details: The change simply removes an empty meta tag for "flags" which appears to be test configuration related. There's no indication of any security vulnerability being fixed here - it's likely just a cleanup of unnecessary markup in a test file. The modification doesn't involve any security-sensitive operations, user input handling, or potentially dangerous functionality.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/wr/wrench/src/yaml_frame_reader.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/wr/wrench/src/yaml_frame_reader.rs@@ -2,14 +2,13 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */-use clap; use euclid::SideOffsets2D; use gleam::gl;-use image; use image::GenericImageView; use crate::parse_function::parse_function; use crate::premultiply::premultiply; use std::collections::HashMap;+use std::convert::TryInto; use std::fs::File; use std::io::Read; use std::path::{Path, PathBuf};@@ -34,15 +33,15 @@ } }-fn rsrc_path(item: &Yaml, aux_dir: &PathBuf) -> PathBuf {+fn rsrc_path(item: &Yaml, aux_dir: &Path) -> PathBuf { let filename = item.as_str().unwrap();- let mut file = aux_dir.clone();+ let mut file = aux_dir.to_path_buf(); file.push(filename); file } impl FontDescriptor {- fn from_yaml(item: &Yaml, aux_dir: &PathBuf) -> FontDescriptor {+ fn from_yaml(item: &Yaml, aux_dir: &Path) -> FontDescriptor { if !item["family"].is_badvalue() { FontDescriptor::Properties { family: item["family"].as_str().unwrap().to_owned(),@@ -130,7 +129,7 @@ format_desc, desc.size.width as gl::GLint, desc.size.height as gl::GLint,- &data,+ data, gl, ); self.texture_ids.push((texture_ids[0], desc));@@ -273,21 +272,8 @@ w: u32, h: u32, ) -> (ImageDescriptor, ImageData) {- let buf_size = (w * h * 4) as usize;- let mut pixels = Vec::with_capacity(buf_size);- // Unsafely filling the buffer is horrible. Unfortunately doing this idiomatically- // is terribly slow in debug builds to the point that reftests/image/very-big.yaml- // takes more than 20 seconds to run on a recent laptop.- unsafe {- pixels.set_len(buf_size);- let color: u32 = ::std::mem::transmute([b, g, r, a]);- let mut ptr: *mut u32 = ::std::mem::transmute(&mut pixels[0]);- let end = ptr.offset((w * h) as isize);- while ptr < end {- *ptr = color;- ptr = ptr.offset(1);- }- }+ let num_pixels: usize = (w * h).try_into().unwrap();+ let pixels = [b, g, r, a].repeat(num_pixels); let mut flags = ImageDescriptorFlags::empty(); if a == 255 {@@ -324,6 +310,8 @@ } }+struct IsRoot(bool);+ pub struct YamlFrameReader { yaml_path: PathBuf, aux_dir: PathBuf,@@ -331,14 +319,12 @@ display_lists: Vec<(PipelineId, BuiltDisplayList)>,- include_only: Vec<String>,- watch_source: bool, list_resources: bool, /// A HashMap of offsets which specify what scroll offsets particular /// scroll layers should be initialized with.- scroll_offsets: HashMap<ExternalScrollId, LayoutVector2D>,+ scroll_offsets: HashMap<ExternalScrollId, Vec<SampledScrollOffset>>, next_external_scroll_id: u64, image_map: HashMap<(PathBuf, Option<i64>), (ImageKey, LayoutSize)>,@@ -376,7 +362,6 @@ aux_dir: yaml_path.parent().unwrap().to_owned(), frame_count: 0, display_lists: Vec::new(),- include_only: vec![], scroll_offsets: HashMap::new(), fonts: HashMap::new(), font_instances: HashMap::new(),@@ -423,7 +408,7 @@ } pub fn new_from_args(args: &clap::ArgMatches) -> YamlFrameReader {- let yaml_file = args.value_of("INPUT").map(|s| PathBuf::from(s)).unwrap();+ let yaml_file = args.value_of("INPUT").map(PathBuf::from).unwrap(); let mut y = YamlFrameReader::new(&yaml_file);@@ -438,9 +423,6 @@ }); y.list_resources = args.is_present("list-resources"); y.watch_source = args.is_present("watch");- y.include_only = args.values_of("include")- .map(|v| v.map(|s| s.to_owned()).collect())- .unwrap_or(vec![]); y }@@ -450,22 +432,24 @@ } fn build(&mut self, wrench: &mut Wrench) {- let mut yaml_doc = YamlLoader::load_from_str(&self.yaml_string)+ let yaml = YamlLoader::load_from_str(&self.yaml_string)+ .map(|mut yaml| {+ assert_eq!(yaml.len(), 1);+ yaml.pop().unwrap()+ }) .expect("Failed to parse YAML file");- assert_eq!(yaml_doc.len(), 1); self.reset();- let yaml = yaml_doc.pop().unwrap(); if let Some(pipelines) = yaml["pipelines"].as_vec() { for pipeline in pipelines { self.build_pipeline(wrench, pipeline["id"].as_pipeline_id().unwrap(), pipeline); } }- assert!(!yaml["root"].is_badvalue(), "Missing root stacking context");- let root_pipeline_id = wrench.root_pipeline_id;- self.build_pipeline(wrench, root_pipeline_id, &yaml["root"]);+ let root_stacking_context = &yaml["root"];+ assert_ne!(*root_stacking_context, Yaml::BadValue);+ self.build_pipeline(wrench, wrench.root_pipeline_id, root_stacking_context); // If replaying the same frame during interactive use, the frame gets rebuilt, // but the external image handler has already been consumed by the renderer.@@ -496,48 +480,11 @@ spatial_id: SpatialId::new(0, PipelineId::dummy()), flags: PrimitiveFlags::default(), };- self.add_stacking_context_from_yaml(&mut builder, wrench, yaml, true, &mut info);+ self.add_stacking_context_from_yaml(&mut builder, wrench, yaml, IsRoot(true), &mut info); self.display_lists.push(builder.end()); assert_eq!(self.clip_id_stack.len(), 1); assert_eq!(self.spatial_id_stack.len(), 1);- }-- fn to_complex_clip_region(&mut self, item: &Yaml) -> ComplexClipRegion {- let rect = item["rect"]- .as_rect()- .expect("Complex clip entry must have rect");- let radius = item["radius"]- .as_border_radius()- .unwrap_or(BorderRadius::zero());- let mode = item["clip-mode"]- .as_clip_mode()- .unwrap_or(ClipMode::Clip);- ComplexClipRegion::new(rect, radius, mode)- }-- fn to_complex_clip_regions(&mut self, item: &Yaml) -> Vec<ComplexClipRegion> {- match *item {- Yaml::Array(ref array) => array- .iter()- .map(|entry| self.to_complex_clip_region(entry))- .collect(),- Yaml::BadValue => vec![],- _ => {- println!("Unable to parse complex clip region {:?}", item);- vec![]- }- }- }-- fn to_sticky_offset_bounds(&mut self, item: &Yaml) -> StickyOffsetBounds {- match *item {- Yaml::Array(ref array) => StickyOffsetBounds::new(- array[0].as_f32().unwrap_or(0.0),- array[1].as_f32().unwrap_or(0.0),- ),- _ => StickyOffsetBounds::new(0.0, 0.0),- } } fn to_clip_id(&self, item: &Yaml, pipeline_id: PipelineId) -> Option<ClipId> {@@ -765,14 +712,10 @@ // This indicates we want to simulate an external texture, // ensure it gets created as such let external_target = match item["external-target"].as_str() {- Some(ref s) => match &s[..] {- "2d" => ImageBufferKind::Texture2D,- "rect" => ImageBufferKind::TextureRect,- _ => panic!("Unsupported external texture target."),- }- None => {- ImageBufferKind::Texture2D- }+ Some("2d") => ImageBufferKind::Texture2D,+ Some("rect") => ImageBufferKind::TextureRect,+ Some(t) => panic!("Unsupported external texture target: {}", t),+ None => ImageBufferKind::Texture2D, }; let external_image_data =@@ -855,22 +798,17 @@ }) }- fn to_image_mask(&mut self, item: &Yaml, wrench: &mut Wrench) -> Option<ImageMask> {- if item.as_hash().is_none() {- return None;- }+ fn as_image_mask(&mut self, item: &Yaml, wrench: &mut Wrench) -> Option<ImageMask> {+ item.as_hash()?; let tiling = item["tile-size"].as_i64(); let (image_key, image_dims) = match item["image"].as_str() {+ Some("invalid") => (ImageKey::DUMMY, LayoutSize::new(100.0, 100.0)), Some(filename) => {- if filename == "invalid" {- (ImageKey::DUMMY, LayoutSize::new(100.0, 100.0))- } else {- let mut file = self.aux_dir.clone();- file.push(filename);- self.add_or_get_image(&file, tiling, item, wrench)- }+ let mut file = self.aux_dir.clone();+ file.push(filename);+ self.add_or_get_image(&file, tiling, item, wrench) } None => { warn!("No image provided for the image-mask!");@@ -880,7 +818,7 @@ let image_rect = item["rect"] .as_rect()- .unwrap_or(LayoutRect::from_size(image_dims));+ .unwrap_or_else(|| LayoutRect::from_size(image_dims)); let image_repeat = item["repeat"].as_bool().expect("Expected boolean"); Some(ImageMask { image: image_key,@@ -889,89 +827,8 @@ }) }- fn to_gradient(&mut self, dl: &mut DisplayListBuilder, item: &Yaml) -> Gradient {- let start = item["start"].as_point().expect("gradient must have start");- let end = item["end"].as_point().expect("gradient must have end");- let stops = item["stops"]- .as_vec()- .expect("gradient must have stops")- .chunks(2)- .map(|chunk| {- GradientStop {- offset: chunk[0]- .as_force_f32()- .expect("gradient stop offset is not f32"),- color: chunk[1]- .as_colorf()- .expect("gradient stop color is not color"),- }- })- .collect::<Vec<_>>();- let extend_mode = if item["repeat"].as_bool().unwrap_or(false) {- ExtendMode::Repeat- } else {- ExtendMode::Clamp- };-- dl.create_gradient(start, end, stops, extend_mode)- }-- fn to_radial_gradient(&mut self, dl: &mut DisplayListBuilder, item: &Yaml) -> RadialGradient {- let center = item["center"].as_point().expect("radial gradient must have center");- let radius = item["radius"].as_size().expect("radial gradient must have a radius");- let stops = item["stops"]- .as_vec()- .expect("radial gradient must have stops")- .chunks(2)- .map(|chunk| {- GradientStop {- offset: chunk[0]- .as_force_f32()- .expect("gradient stop offset is not f32"),- color: chunk[1]- .as_colorf()- .expect("gradient stop color is not color"),- }- })- .collect::<Vec<_>>();- let extend_mode = if item["repeat"].as_bool().unwrap_or(false) {- ExtendMode::Repeat- } else {- ExtendMode::Clamp- };-- dl.create_radial_gradient(center, radius, stops, extend_mode)- }-- fn to_conic_gradient(&mut self, dl: &mut DisplayListBuilder, item: &Yaml) -> ConicGradient {- let center = item["center"].as_point().expect("conic gradient must have center");- let angle = item["angle"].as_force_f32().expect("conic gradient must have an angle");- let stops = item["stops"]- .as_vec()- .expect("conic gradient must have stops")- .chunks(2)- .map(|chunk| {- GradientStop {- offset: chunk[0]- .as_force_f32()- .expect("gradient stop offset is not f32"),- color: chunk[1]- .as_colorf()- .expect("gradient stop color is not color"),- }- })- .collect::<Vec<_>>();- let extend_mode = if item["repeat"].as_bool().unwrap_or(false) {- ExtendMode::Repeat- } else {- ExtendMode::Clamp- };-- dl.create_conic_gradient(center, angle, stops, extend_mode)- }- fn handle_rect(- &mut self,+ &self, dl: &mut DisplayListBuilder, item: &Yaml, info: &CommonItemProperties,@@ -983,18 +840,18 @@ }; let bounds = self.resolve_rect(&item[bounds_key]);- let color = self.resolve_colorf(&item["color"], ColorF::BLACK);- dl.push_rect(&info, bounds, color);+ let color = self.resolve_colorf(&item["color"]).unwrap_or(ColorF::BLACK);+ dl.push_rect(info, bounds, color); } fn handle_clear_rect(- &mut self,+ &self, dl: &mut DisplayListBuilder, item: &Yaml, info: &CommonItemProperties, ) { let bounds = item["bounds"].as_rect().expect("clear-rect type must have bounds");- dl.push_clear_rect(&info, bounds);+ dl.push_clear_rect(info, bounds); } fn handle_hit_test(@@ -1010,7 +867,7 @@ if let Some(tag) = self.to_hit_testing_tag(&item["hit-testing-tag"]) { dl.push_hit_test(- &info,+ info, tag, ); }@@ -1038,17 +895,16 @@ 0.0 };- let area;- if item["baseline"].is_badvalue() {+ let area = if item["baseline"].is_badvalue() { let bounds_key = if item["type"].is_badvalue() { "rect" } else { "bounds" };- area = item[bounds_key]+ item[bounds_key] .as_rect()- .expect("line type must have bounds");+ .expect("line type must have bounds") } else { // Legacy line representation let baseline = item["baseline"].as_f32().expect("line must have baseline");@@ -1056,7 +912,7 @@ let end = item["end"].as_f32().expect("line must have end"); let width = item["width"].as_f32().expect("line must have width");- area = match orientation {+ match orientation { LineOrientation::Horizontal => { LayoutRect::from_origin_and_size( LayoutPoint::new(start, baseline),@@ -1069,11 +925,11 @@ LayoutSize::new(width, end - start), ) }+ } };- } dl.push_line(- &info,+ info, &area, wavy_line_thickness, orientation,@@ -1097,12 +953,12 @@ .as_rect() .expect("gradient must have bounds");- let gradient = self.to_gradient(dl, item);- let tile_size = item["tile-size"].as_size().unwrap_or(bounds.size());- let tile_spacing = item["tile-spacing"].as_size().unwrap_or(LayoutSize::zero());+ let gradient = item.as_gradient(dl);+ let tile_size = item["tile-size"].as_size().unwrap_or_else(|| bounds.size());+ let tile_spacing = item["tile-spacing"].as_size().unwrap_or_else(LayoutSize::zero); dl.push_gradient(- &info,+ info, bounds, gradient, tile_size,@@ -1124,12 +980,12 @@ let bounds = item[bounds_key] .as_rect() .expect("radial gradient must have bounds");- let gradient = self.to_radial_gradient(dl, item);- let tile_size = item["tile-size"].as_size().unwrap_or(bounds.size());- let tile_spacing = item["tile-spacing"].as_size().unwrap_or(LayoutSize::zero());+ let gradient = item.as_radial_gradient(dl);+ let tile_size = item["tile-size"].as_size().unwrap_or_else(|| bounds.size());+ let tile_spacing = item["tile-spacing"].as_size().unwrap_or_else(LayoutSize::zero); dl.push_radial_gradient(- &info,+ info, bounds, gradient, tile_size,@@ -1151,12 +1007,12 @@ let bounds = item[bounds_key] .as_rect() .expect("conic gradient must have bounds");- let gradient = self.to_conic_gradient(dl, item);- let tile_size = item["tile-size"].as_size().unwrap_or(bounds.size());- let tile_spacing = item["tile-spacing"].as_size().unwrap_or(LayoutSize::zero());+ let gradient = item.as_conic_gradient(dl);+ let tile_size = item["tile-size"].as_size().unwrap_or_else(|| bounds.size());+ let tile_spacing = item["tile-spacing"].as_size().unwrap_or_else(LayoutSize::zero); dl.push_conic_gradient(- &info,+ info, bounds, gradient, tile_size,@@ -1211,7 +1067,7 @@ .collect::<Vec<BorderStyle>>(); let radius = item["radius"] .as_border_radius()- .unwrap_or(BorderRadius::zero());+ .unwrap_or_else(BorderRadius::zero); let colors = broadcast(&colors, 4); let styles = broadcast(&styles, 4);@@ -1251,10 +1107,10 @@ .unwrap_or(bounds.height() as i64); let fill = item["fill"].as_bool().unwrap_or(false);- let slice = item["slice"].as_vec_u32();- let slice = match slice {- Some(slice) => broadcast(&slice, 4),- None => vec![widths.top as u32, widths.left as u32, widths.bottom as u32, widths.right as u32],+ let slice = if let Some(slice) = item["slice"].as_vec_u32() {+ broadcast(&slice, 4)+ } else {+ vec![widths.top as u32, widths.left as u32, widths.bottom as u32, widths.right as u32] }; let outset = item["outset"]@@ -1289,15 +1145,15 @@ NinePatchBorderSource::Image(image_key, ImageRendering::Auto) } "gradient" => {- let gradient = self.to_gradient(dl, item);+ let gradient = item.as_gradient(dl); NinePatchBorderSource::Gradient(gradient) } "radial-gradient" => {- let gradient = self.to_radial_gradient(dl, item);+ let gradient = item.as_radial_gradient(dl); NinePatchBorderSource::RadialGradient(gradient) } "conic-gradient" => {- let gradient = self.to_conic_gradient(dl, item);+ let gradient = item.as_conic_gradient(dl); NinePatchBorderSource::ConicGradient(gradient) } _ => unreachable!("Unexpected border type"),@@ -1324,7 +1180,7 @@ None }; if let Some(details) = border_details {- dl.push_border(&info, bounds, widths, details);+ dl.push_border(info, bounds, widths, details); } }@@ -1346,12 +1202,12 @@ let offset = self.resolve_vector(&item["offset"], LayoutVector2D::zero()); let color = item["color"] .as_colorf()- .unwrap_or(ColorF::new(0.0, 0.0, 0.0, 1.0));+ .unwrap_or_else(|| ColorF::new(0.0, 0.0, 0.0, 1.0)); let blur_radius = item["blur-radius"].as_force_f32().unwrap_or(0.0); let spread_radius = item["spread-radius"].as_force_f32().unwrap_or(0.0); let border_radius = item["border-radius"] .as_border_radius()- .unwrap_or(BorderRadius::zero());+ .unwrap_or_else(BorderRadius::zero); let clip_mode = if let Some(mode) = item["clip-mode"].as_str() { match mode { "outset" => BoxShadowClipMode::Outset,@@ -1363,7 +1219,7 @@ }; dl.push_box_shadow(- &info,+ info, box_bounds, offset, color,@@ -1426,7 +1282,7 @@ ); dl.push_yuv_image(- &info,+ info, bounds, yuv_data, color_depth,@@ -1488,7 +1344,7 @@ let tile_spacing = item["tile-spacing"].as_size(); if stretch_size.is_none() && tile_spacing.is_none() { dl.push_image(- &info,+ info, bounds, rendering, alpha_type,@@ -1497,10 +1353,10 @@ ); } else { dl.push_repeating_image(- &info,+ info, bounds, stretch_size.unwrap_or(image_dims),- tile_spacing.unwrap_or(LayoutSize::zero()),+ tile_spacing.unwrap_or_else(LayoutSize::zero), rendering, alpha_type, image_key,@@ -1611,18 +1467,17 @@ .iter() .zip(glyph_positions) .map(|arg| {- let gi = GlyphInstance {+ GlyphInstance { index: *arg.0 as u32, point: arg.1,- };- gi+ } }) .collect::<Vec<_>>(); (glyphs, bounds) }; dl.push_text(- &info,+ info, rect, &glyphs, font_instance_key,@@ -1657,7 +1512,7 @@ if complex_clip.is_badvalue() { return None; }- Some(self.to_complex_clip_region(complex_clip))+ Some(complex_clip.as_complex_clip_region()) } fn get_item_type_from_yaml(item: &Yaml) -> &str {@@ -1685,7 +1540,7 @@ &mut self, dl: &mut DisplayListBuilder, wrench: &mut Wrench,- yaml: &Yaml,+ yaml_items: &[Yaml], ) { // A very large number (but safely far away from finite limits of f32) let big_number = 1.0e30;@@ -1694,16 +1549,8 @@ LayoutPoint::new(-big_number / 2.0, -big_number / 2.0), LayoutSize::new(big_number, big_number));- for item in yaml.as_vec().unwrap() {+ for item in yaml_items { let item_type = Self::get_item_type_from_yaml(item);-- // We never skip stacking contexts and reference frames because- // they are structural elements of the display list.- if item_type != "stacking-context" &&- item_type != "reference-frame" &&- self.include_only.contains(&item_type.to_owned()) {- continue;- } let (set_clip_id, set_scroll_id) = self.to_clip_and_scroll_info( &item["clip-and-scroll"],@@ -1719,56 +1566,46 @@ let complex_clip = self.get_complex_clip_for_item(item); let clip_rect = item["clip-rect"].as_rect().unwrap_or(full_clip);- let mut pushed_clip = false;- if let Some(complex_clip) = complex_clip {- match item_type {- "clip" | "clip-chain" | "scroll-frame" => {},- _ => {- let id = dl.define_clip_rounded_rect(- &self.top_space_and_clip(),- complex_clip,- );- self.clip_id_stack.push(id);- pushed_clip = true;- }+ let pushed_clip = complex_clip.map_or(false, |complex_clip| {+ if matches!(item_type, "clip" | "clip-chain" | "scroll-frame") {+ false+ } else {+ let id = dl.define_clip_rounded_rect(+ &self.top_space_and_clip(),+ complex_clip,+ );+ self.clip_id_stack.push(id);+ true }- }-- let space_and_clip = self.top_space_and_clip();+ });++ let SpaceAndClipInfo {+ spatial_id,+ clip_id,+ } = self.top_space_and_clip();+ let mut flags = PrimitiveFlags::default();- if let Some(is_backface_visible) = item["backface-visible"].as_bool() {- if is_backface_visible {- flags.insert(PrimitiveFlags::IS_BACKFACE_VISIBLE);- } else {- flags.remove(PrimitiveFlags::IS_BACKFACE_VISIBLE);- }- }- if let Some(is_scrollbar_container) = item["scrollbar-container"].as_bool() {- if is_scrollbar_container {- flags.insert(PrimitiveFlags::IS_SCROLLBAR_CONTAINER);- } else {- flags.remove(PrimitiveFlags::IS_SCROLLBAR_CONTAINER);- }- }- if let Some(prefer_compositor_surface) = item["prefer-compositor-surface"].as_bool() {- if prefer_compositor_surface {- flags.insert(PrimitiveFlags::PREFER_COMPOSITOR_SURFACE);- } else {- flags.remove(PrimitiveFlags::PREFER_COMPOSITOR_SURFACE);+ for (key, flag) in [+ ("backface-visible", PrimitiveFlags::IS_BACKFACE_VISIBLE),+ ("scrollbar-container", PrimitiveFlags::IS_SCROLLBAR_CONTAINER),+ ("prefer-compositor-surface", PrimitiveFlags::PREFER_COMPOSITOR_SURFACE),+ ] {+ if let Some(value) = item[key].as_bool() {+ flags.set(flag, value); } } let mut info = CommonItemProperties { clip_rect,- clip_id: space_and_clip.clip_id,- spatial_id: space_and_clip.spatial_id,+ clip_id,+ spatial_id, flags, }; match item_type {- "rect" => self.handle_rect(dl, item, &mut info),+ "rect" => self.handle_rect(dl, item, &info), "hit-test" => self.handle_hit_test(dl, item, &mut info),- "clear-rect" => self.handle_clear_rect(dl, item, &mut info),+ "clear-rect" => self.handle_clear_rect(dl, item, &info), "line" => self.handle_line(dl, item, &mut info), "image" => self.handle_image(dl, wrench, item, &mut info), "yuv-image" => self.handle_yuv_image(dl, wrench, item, &mut info),@@ -1784,7 +1621,7 @@ "box-shadow" => self.handle_box_shadow(dl, item, &mut info), "iframe" => self.handle_iframe(dl, item, &mut info), "stacking-context" => {- self.add_stacking_context_from_yaml(dl, wrench, item, false, &mut info)+ self.add_stacking_context_from_yaml(dl, wrench, item, IsRoot(false), &mut info) } "reference-frame" => self.handle_reference_frame(dl, wrench, item), "shadow" => self.handle_push_shadow(dl, item, &mut info),@@ -1820,9 +1657,14 @@ let clip_rect = yaml["bounds"] .as_rect() .expect("scroll frame must have a bounds");- let content_size = yaml["content-size"].as_size().unwrap_or(clip_rect.size());+ let content_size = yaml["content-size"].as_size().unwrap_or_else(|| clip_rect.size()); let content_rect = LayoutRect::from_origin_and_size(clip_rect.min, content_size);- let external_scroll_offset = yaml["external-scroll-offset"].as_vector().unwrap_or(LayoutVector2D::zero());+ let external_scroll_offset = yaml["external-scroll-offset"].as_vector().unwrap_or_else(LayoutVector2D::zero);+ let scroll_generation = yaml["scroll-generation"].as_i64().map_or(APZScrollGeneration::default(), |v| v as u64);+ let has_scroll_linked_effect =+ yaml["has-scroll-linked-effect"].as_bool().map_or(HasScrollLinkedEffect::default(),+ |v| if v { HasScrollLinkedEffect::Yes } else { HasScrollLinkedEffect::No }+ ); let numeric_id = yaml["id"].as_i64().map(|id| id as u64);@@ -1830,7 +1672,23 @@ self.next_external_scroll_id += 1; if let Some(vector) = yaml["scroll-offset"].as_vector() {- self.scroll_offsets.insert(external_id, vector);+ self.scroll_offsets.insert(+ external_id,+ vec![SampledScrollOffset {+ offset: vector,+ generation: APZScrollGeneration::default(),+ }],+ );+ }++ if !yaml["scroll-offsets"].is_badvalue() {+ let mut offsets = Vec::new();+ for entry in yaml["scroll-offsets"].as_vec().unwrap() {+ let offset = entry["offset"].as_vector().unwrap_or(LayoutVector2D::zero());+ let generation = entry["generation"].as_i64().map_or(APZScrollGeneration::default(), |v| v as u64);+ offsets.push(SampledScrollOffset { offset, generation });+ }+ self.scroll_offsets.insert(external_id, offsets); } let clip_to_frame = yaml["clip-to-frame"].as_bool().unwrap_or(false);@@ -1850,6 +1708,8 @@ content_rect, clip_rect, external_scroll_offset,+ scroll_generation,+ has_scroll_linked_effect, self.next_spatial_key(), ); if let Some(numeric_id) = numeric_id {@@ -1859,13 +1719,13 @@ } }- if !yaml["items"].is_badvalue() {+ if let Some(yaml_items) = yaml["items"].as_vec() { self.spatial_id_stack.push(spatial_id); if let Some(clip_id) = clip_id { self.clip_id_stack.push(clip_id); }- self.add_display_list_items_from_yaml(dl, wrench, &yaml["items"]);- if let Some(_) = clip_id {+ self.add_display_list_items_from_yaml(dl, wrench, yaml_items);+ if clip_id.is_some() { self.clip_id_stack.pop().unwrap(); } self.spatial_id_stack.pop().unwrap();@@ -1890,9 +1750,9 @@ yaml["margin-bottom"].as_f32(), yaml["margin-left"].as_f32(), ),- self.to_sticky_offset_bounds(&yaml["vertical-offset-bounds"]),- self.to_sticky_offset_bounds(&yaml["horizontal-offset-bounds"]),- yaml["previously-applied-offset"].as_vector().unwrap_or(LayoutVector2D::zero()),+ yaml["vertical-offset-bounds"].as_sticky_offset_bounds(),+ yaml["horizontal-offset-bounds"].as_sticky_offset_bounds(),+ yaml["previously-applied-offset"].as_vector().unwrap_or_else(LayoutVector2D::zero), self.next_spatial_key(), );@@ -1900,9 +1760,9 @@ self.add_spatial_id_mapping(numeric_id, real_id); }- if !yaml["items"].is_badvalue() {+ if let Some(yaml_items) = yaml["items"].as_vec() { self.spatial_id_stack.push(real_id);- self.add_display_list_items_from_yaml(dl, wrench, &yaml["items"]);+ self.add_display_list_items_from_yaml(dl, wrench, yaml_items); self.spatial_id_stack.pop().unwrap(); } }@@ -1911,12 +1771,11 @@ &'a self, yaml: &'a Yaml, ) -> &'a Yaml {- if let Some(ref keyframes) = self.keyframes {+ if let Some(keyframes) = &self.keyframes { if let Some(s) = yaml.as_str() {- let prefix: &str = "key(";- let suffix: &str = ")";- if s.starts_with(prefix) && s.ends_with(suffix) {- let key = &s[prefix.len() .. s.len() - 1];+ const PREFIX: &str = "key(";+ const SUFFIX: &str = ")";+ if let Some(key) = s.strip_prefix(PREFIX).and_then(|s| s.strip_suffix(SUFFIX)) { return &keyframes[key][self.requested_frame]; } }@@ -1928,11 +1787,9 @@ fn resolve_colorf( &self, yaml: &Yaml,- default: ColorF,- ) -> ColorF {+ ) -> Option<ColorF> { self.resolve_binding(yaml) .as_colorf()- .unwrap_or(default) } fn resolve_rect(@@ -1941,7 +1798,7 @@ ) -> LayoutRect { self.resolve_binding(yaml) .as_rect()- .expect(&format!("invalid rect {:?}", yaml))+ .unwrap_or_else(|| panic!("invalid rect {:?}", yaml)) } fn resolve_vector(@@ -1961,7 +1818,7 @@ info: &mut CommonItemProperties, ) { let blur_radius = yaml["blur-radius"].as_f32().unwrap_or(0.0);- let offset = yaml["offset"].as_vector().unwrap_or(LayoutVector2D::zero());+ let offset = yaml["offset"].as_vector().unwrap_or_else(LayoutVector2D::zero); let color = yaml["color"].as_colorf().unwrap_or(ColorF::BLACK); dl.push_shadow(@@ -2001,7 +1858,7 @@ fn handle_clip(&mut self, dl: &mut DisplayListBuilder, wrench: &mut Wrench, yaml: &Yaml) { let numeric_id = yaml["id"].as_i64();- let complex_clips = self.to_complex_clip_regions(&yaml["complex"]);+ let complex_clips = yaml["complex"].as_complex_clip_regions(); let mut space_and_clip = self.top_space_and_clip(); if let Some(clip_rect) = yaml["bounds"].as_rect() {@@ -2011,11 +1868,11 @@ ); }- if let Some(image_mask) = self.to_image_mask(&yaml["image-mask"], wrench) {+ if let Some(image_mask) = self.as_image_mask(&yaml["image-mask"], wrench) { space_and_clip.clip_id = dl.define_clip_image_mask( &space_and_clip, image_mask,- &vec![],+ &[], FillRule::Nonzero, ); }@@ -2032,9 +1889,9 @@ self.add_spatial_id_mapping(numeric_id as u64, space_and_clip.spatial_id); }- if !yaml["items"].is_badvalue() {+ if let Some(yaml_items) = yaml["items"].as_vec() { self.clip_id_stack.push(space_and_clip.clip_id);- self.add_display_list_items_from_yaml(dl, wrench, &yaml["items"]);+ self.add_display_list_items_from_yaml(dl, wrench, yaml_items); self.clip_id_stack.pop().unwrap(); } }@@ -2042,11 +1899,10 @@ fn push_reference_frame( &mut self, dl: &mut DisplayListBuilder,- wrench: &mut Wrench,+ default_bounds: impl Fn() -> LayoutRect, yaml: &Yaml, ) -> SpatialId {- let default_bounds = LayoutRect::from_size(wrench.window_size_f32());- let bounds = yaml["bounds"].as_rect().unwrap_or(default_bounds);+ let bounds = yaml["bounds"].as_rect().unwrap_or_else(default_bounds); let default_transform_origin = LayoutPoint::new( bounds.min.x + bounds.width() * 0.5, bounds.min.y + bounds.height() * 0.5,@@ -2057,10 +1913,6 @@ .unwrap_or(TransformStyle::Flat); let transform_origin = yaml["transform-origin"]- .as_point()- .unwrap_or(default_transform_origin);-- let perspective_origin = yaml["perspective-origin"] .as_point() .unwrap_or(default_transform_origin);@@ -2069,6 +1921,10 @@ yaml["perspective"].is_badvalue(), "Should have one of either transform or perspective" );++ let perspective_origin = yaml["perspective-origin"]+ .as_point()+ .unwrap_or(default_transform_origin); let reference_frame_kind = if !yaml["perspective"].is_badvalue() { ReferenceFrameKind::Perspective { scrolling_relative_to: None }@@ -2076,6 +1932,7 @@ ReferenceFrameKind::Transform { is_2d_scale_translation: false, should_snap: false,+ paired_with_perspective: yaml["paired-with-perspective"].as_bool().unwrap_or(false), } };@@ -2094,7 +1951,7 @@ bounds.min, *self.spatial_id_stack.last().unwrap(), transform_style,- transform.or_else(|| perspective).unwrap_or_default().into(),+ transform.or(perspective).unwrap_or_default().into(), reference_frame_kind, self.next_spatial_key(), );@@ -2113,11 +1970,12 @@ wrench: &mut Wrench, yaml: &Yaml, ) {- let real_id = self.push_reference_frame(dl, wrench, yaml);+ let default_bounds = || LayoutRect::from_size(wrench.window_size_f32());+ let real_id = self.push_reference_frame(dl, default_bounds, yaml); self.spatial_id_stack.push(real_id);- if !yaml["items"].is_badvalue() {- self.add_display_list_items_from_yaml(dl, wrench, &yaml["items"]);+ if let Some(yaml_items) = yaml["items"].as_vec() {+ self.add_display_list_items_from_yaml(dl, wrench, yaml_items); } self.spatial_id_stack.pop().unwrap();@@ -2129,22 +1987,22 @@ dl: &mut DisplayListBuilder, wrench: &mut Wrench, yaml: &Yaml,- is_root: bool,+ IsRoot(is_root): IsRoot, info: &mut CommonItemProperties, ) {- let default_bounds = LayoutRect::from_size(wrench.window_size_f32());- let mut bounds = yaml["bounds"].as_rect().unwrap_or(default_bounds);-- let reference_frame_id = if !yaml["transform"].is_badvalue() ||- !yaml["perspective"].is_badvalue() {- let reference_frame_id = self.push_reference_frame(dl, wrench, yaml);- self.spatial_id_stack.push(reference_frame_id);- bounds.max -= bounds.min.to_vector();- bounds.min = LayoutPoint::zero();- Some(reference_frame_id)- } else {- None- };+ let default_bounds = || LayoutRect::from_size(wrench.window_size_f32());+ let mut bounds = yaml["bounds"].as_rect().unwrap_or_else(default_bounds);++ let pushed_reference_frame =+ if !yaml["transform"].is_badvalue() || !yaml["perspective"].is_badvalue() {+ let reference_frame_id = self.push_reference_frame(dl, default_bounds, yaml);+ self.spatial_id_stack.push(reference_frame_id);+ bounds.max -= bounds.min.to_vector();+ bounds.min = LayoutPoint::zero();+ true+ } else {+ false+ }; let clip_node_id = self.to_clip_id(&yaml["clip-node"], dl.pipeline_id);@@ -2163,21 +2021,23 @@ if is_root { if let Some(vector) = yaml["scroll-offset"].as_vector() { let external_id = ExternalScrollId(0, dl.pipeline_id);- self.scroll_offsets.insert(external_id, vector);- }- }-- let filters = yaml["filters"].as_vec_filter_op().unwrap_or(vec![]);- let filter_datas = yaml["filter-datas"].as_vec_filter_data().unwrap_or(vec![]);- let filter_primitives = yaml["filter-primitives"].as_vec_filter_primitive().unwrap_or(vec![]);+ self.scroll_offsets.insert(+ external_id,+ vec![SampledScrollOffset {+ offset: vector,+ generation: APZScrollGeneration::default(),+ }],+ );+ }+ }++ let filters = yaml["filters"].as_vec_filter_op().unwrap_or_default();+ let filter_datas = yaml["filter-datas"].as_vec_filter_data().unwrap_or_default();+ let filter_primitives = yaml["filter-primitives"].as_vec_filter_primitive().unwrap_or_default(); let mut flags = StackingContextFlags::empty();- if is_backdrop_root {- flags |= StackingContextFlags::IS_BACKDROP_ROOT;- }- if is_blend_container {- flags |= StackingContextFlags::IS_BLEND_CONTAINER;- }+ flags.set(StackingContextFlags::IS_BACKDROP_ROOT, is_backdrop_root);+ flags.set(StackingContextFlags::IS_BLEND_CONTAINER, is_blend_container); dl.push_stacking_context( bounds.min,@@ -2193,13 +2053,13 @@ flags, );- if !yaml["items"].is_badvalue() {- self.add_display_list_items_from_yaml(dl, wrench, &yaml["items"]);+ if let Some(yaml_items) = yaml["items"].as_vec() {+ self.add_display_list_items_from_yaml(dl, wrench, yaml_items); } dl.pop_stacking_context();- if reference_frame_id.is_some() {+ if pushed_reference_frame { self.spatial_id_stack.pop().unwrap(); dl.pop_reference_frame(); }@@ -2216,12 +2076,12 @@ &info.clip_rect );- let filters = item["filters"].as_vec_filter_op().unwrap_or(vec![]);- let filter_datas = item["filter-datas"].as_vec_filter_data().unwrap_or(vec![]);
I'll analyze the code diff for security fixes following the specified format:
Vulnerability Existed: yes
Unsafe Memory Manipulation [File] gfx/wr/wrench/src/yaml_frame_reader.rs [Lines 273-288]
[Old Code]
let buf_size = (w * h * 4) as usize;
let mut pixels = Vec::with_capacity(buf_size);
// Unsafely filling the buffer is horrible. Unfortunately doing this idiomatically
// is terribly slow in debug builds to the point that reftests/image/very-big.yaml
// takes more than 20 seconds to run on a recent laptop.
unsafe {
pixels.set_len(buf_size);
let color: u32 = ::std::mem::transmute([b, g, r, a]);
let mut ptr: *mut u32 = ::std::mem::transmute(&mut pixels[0]);
let end = ptr.offset((w * h) as isize);
while ptr < end {
*ptr = color;
ptr = ptr.offset(1);
}
}
[Fixed Code]
let num_pixels: usize = (w * h).try_into().unwrap();
let pixels = [b, g, r, a].repeat(num_pixels);
Vulnerability Existed: yes
Potential Integer Overflow [File] gfx/wr/wrench/src/yaml_frame_reader.rs [Lines 273-288]
[Old Code]
let buf_size = (w * h * 4) as usize;
[Fixed Code]
let num_pixels: usize = (w * h).try_into().unwrap();
Vulnerability Existed: yes
Unsafe File Reading [File] gfx/wr/wrench/src/yaml_frame_reader.rs [Lines 2095-2098]
[Old Code]
let mut file = File::open(&self.yaml_path)
.unwrap_or_else(|_| panic!("YAML '{:?}' doesn't exist", self.yaml_path));
self.yaml_string.clear();
file.read_to_string(&mut self.yaml_string).unwrap();
[Fixed Code]
self.yaml_string = std::fs::read_to_string(&self.yaml_path)
.unwrap_or_else(|_| panic!("YAML '{:?}' doesn't exist", self.yaml_path));
Vulnerability Existed: not sure
Potential Path Traversal [File] gfx/wr/wrench/src/yaml_frame_reader.rs [Lines 33-36]
[Old Code]
fn rsrc_path(item: &Yaml, aux_dir: &PathBuf) -> PathBuf {
let filename = item.as_str().unwrap();
let mut file = aux_dir.clone();
file.push(filename);
file
}
[Fixed Code]
fn rsrc_path(item: &Yaml, aux_dir: &Path) -> PathBuf {
let filename = item.as_str().unwrap();
let mut file = aux_dir.to_path_buf();
file.push(filename);
file
}
The main security fixes addressed:
1. Removed unsafe memory manipulation code and replaced with safe Rust operations
2. Fixed potential integer overflow by using checked conversion
3. Replaced unsafe file reading with safer std::fs::read_to_string
4. Potentially improved path handling safety (though not confirmed to be a vulnerability)
The changes generally move from unsafe operations to safer Rust idioms, particularly around memory manipulation and file I/O.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-rgb-4.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-rgb-4.worker.js@@ -13,14 +13,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'rgb(0 0 0 /)'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring (variable renaming) rather than addressing security issues.
Here's the analysis following your format:
Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-rgb-4.worker.js] [Lines 13-14, 20]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes simply rename the variable from `offscreenCanvas` to `canvas` and update all references to it. There are no security implications in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-pseudo/spelling-error-002-manual.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-pseudo/spelling-error-002-manual.html@@ -10,7 +10,6 @@ <link rel="help" href="https://www.w3.org/TR/css-pseudo-4/#highlight-selectors"> <link rel="help" href="https://www.w3.org/TR/css-pseudo-4/#highlight-styling">- <meta content="" name="flags"> <style> input
Based on the provided code diff, I'll analyze it for potential security vulnerabilities: 1. Vulnerability Existed: no Meta Tag Removal [testing/web-platform/tests/css/css-pseudo/spelling-error-002-manual.html] [Line 10] Old Code: `<meta content="" name="flags">` Fixed Code: (removed) Additional Details: - The change simply removes an empty meta tag with a "flags" name attribute. This doesn't appear to be security-related. - The meta tag wasn't serving any apparent purpose (empty content) and its removal doesn't indicate any security fix. - No known vulnerability is associated with this change. Note: The file appears to be a test file, and this change seems to be more about code cleanup than security fixes. No actual security vulnerabilities were identified in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/webgpu/ipc/WebGPUChild.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/webgpu/ipc/WebGPUChild.cpp@@ -164,7 +164,7 @@ return infra.client; }-WebGPUChild::WebGPUChild() : mClient(initialize()), mIPCOpen(false) {}+WebGPUChild::WebGPUChild() : mClient(initialize()) {} WebGPUChild::~WebGPUChild() { if (mClient) {@@ -202,17 +202,15 @@ }); }-Maybe<RawId> WebGPUChild::AdapterRequestDevice(+Maybe<DeviceRequest> WebGPUChild::AdapterRequestDevice( RawId aSelfId, const dom::GPUDeviceDescriptor& aDesc, ffi::WGPULimits* aLimits) {- RawId id = ffi::wgpu_client_make_device_id(mClient, aSelfId);- ffi::WGPUDeviceDescriptor desc = {}; ffi::wgpu_client_fill_default_limits(&desc.limits); const auto featureBits = Adapter::MakeFeatureBits(aDesc.mRequiredFeatures); if (!featureBits) {- return {};+ return Nothing(); } desc.features = *featureBits;@@ -283,14 +281,17 @@ } }+ RawId id = ffi::wgpu_client_make_device_id(mClient, aSelfId);+ ByteBuf bb; ffi::wgpu_client_serialize_device_descriptor(&desc, ToFFI(&bb));- if (SendAdapterRequestDevice(aSelfId, std::move(bb), id)) {- *aLimits = desc.limits;- return Some(id);- }- ffi::wgpu_client_kill_device_id(mClient, id);- return Nothing();++ DeviceRequest request;+ request.mId = id;+ request.mPromise = SendAdapterRequestDevice(aSelfId, std::move(bb), id);+ *aLimits = desc.limits;++ return Some(std::move(request)); } RawId WebGPUChild::DeviceCreateBuffer(RawId aSelfId,@@ -669,10 +670,9 @@ return id; }-RawId WebGPUChild::DeviceCreateComputePipeline(- RawId aSelfId, const dom::GPUComputePipelineDescriptor& aDesc,- RawId* const aImplicitPipelineLayoutId,- nsTArray<RawId>* const aImplicitBindGroupLayoutIds) {+RawId WebGPUChild::DeviceCreateComputePipelineImpl(+ PipelineCreationContext* const aContext,+ const dom::GPUComputePipelineDescriptor& aDesc, ByteBuf* const aByteBuf) { ffi::WGPUComputePipelineDescriptor desc = {}; nsCString label, entryPoint; if (aDesc.mLabel.WasPassed()) {@@ -686,20 +686,47 @@ LossyCopyUTF16toASCII(aDesc.mCompute.mEntryPoint, entryPoint); desc.stage.entry_point = entryPoint.get();- ByteBuf bb; RawId implicit_bgl_ids[WGPUMAX_BIND_GROUPS] = {}; RawId id = ffi::wgpu_client_create_compute_pipeline(- mClient, aSelfId, &desc, ToFFI(&bb), aImplicitPipelineLayoutId,- implicit_bgl_ids);+ mClient, aContext->mParentId, &desc, ToFFI(aByteBuf),+ &aContext->mImplicitPipelineLayoutId, implicit_bgl_ids); for (const auto& cur : implicit_bgl_ids) { if (!cur) break;- aImplicitBindGroupLayoutIds->AppendElement(cur);- }- if (!SendDeviceAction(aSelfId, std::move(bb))) {- MOZ_CRASH("IPC failure");- }- return id;+ aContext->mImplicitBindGroupLayoutIds.AppendElement(cur);+ }++ return id;+}++RawId WebGPUChild::DeviceCreateComputePipeline(+ PipelineCreationContext* const aContext,+ const dom::GPUComputePipelineDescriptor& aDesc) {+ ByteBuf bb;+ const RawId id = DeviceCreateComputePipelineImpl(aContext, aDesc, &bb);++ if (!SendDeviceAction(aContext->mParentId, std::move(bb))) {+ MOZ_CRASH("IPC failure");+ }+ return id;+}++RefPtr<PipelinePromise> WebGPUChild::DeviceCreateComputePipelineAsync(+ PipelineCreationContext* const aContext,+ const dom::GPUComputePipelineDescriptor& aDesc) {+ ByteBuf bb;+ const RawId id = DeviceCreateComputePipelineImpl(aContext, aDesc, &bb);++ return SendDeviceActionWithAck(aContext->mParentId, std::move(bb))+ ->Then(+ GetCurrentSerialEventTarget(), __func__,+ [id](bool aDummy) {+ Unused << aDummy;+ return PipelinePromise::CreateAndResolve(id, __func__);+ },+ [](const ipc::ResponseRejectReason& aReason) {+ return PipelinePromise::CreateAndReject(aReason, __func__);+ }); } static ffi::WGPUMultisampleState ConvertMultisampleState(@@ -746,10 +773,9 @@ return desc; }-RawId WebGPUChild::DeviceCreateRenderPipeline(- RawId aSelfId, const dom::GPURenderPipelineDescriptor& aDesc,- RawId* const aImplicitPipelineLayoutId,- nsTArray<RawId>* const aImplicitBindGroupLayoutIds) {+RawId WebGPUChild::DeviceCreateRenderPipelineImpl(+ PipelineCreationContext* const aContext,+ const dom::GPURenderPipelineDescriptor& aDesc, ByteBuf* const aByteBuf) { // A bunch of stack locals that we can have pointers into nsTArray<ffi::WGPUVertexBufferLayout> vertexBuffers; nsTArray<ffi::WGPUVertexAttribute> vertexAttributes;@@ -860,20 +886,47 @@ desc.depth_stencil = &depthStencilState; }- ByteBuf bb; RawId implicit_bgl_ids[WGPUMAX_BIND_GROUPS] = {}; RawId id = ffi::wgpu_client_create_render_pipeline(- mClient, aSelfId, &desc, ToFFI(&bb), aImplicitPipelineLayoutId,- implicit_bgl_ids);+ mClient, aContext->mParentId, &desc, ToFFI(aByteBuf),+ &aContext->mImplicitPipelineLayoutId, implicit_bgl_ids); for (const auto& cur : implicit_bgl_ids) { if (!cur) break;- aImplicitBindGroupLayoutIds->AppendElement(cur);- }- if (!SendDeviceAction(aSelfId, std::move(bb))) {- MOZ_CRASH("IPC failure");- }- return id;+ aContext->mImplicitBindGroupLayoutIds.AppendElement(cur);+ }++ return id;+}++RawId WebGPUChild::DeviceCreateRenderPipeline(+ PipelineCreationContext* const aContext,+ const dom::GPURenderPipelineDescriptor& aDesc) {+ ByteBuf bb;+ const RawId id = DeviceCreateRenderPipelineImpl(aContext, aDesc, &bb);++ if (!SendDeviceAction(aContext->mParentId, std::move(bb))) {+ MOZ_CRASH("IPC failure");+ }+ return id;+}++RefPtr<PipelinePromise> WebGPUChild::DeviceCreateRenderPipelineAsync(+ PipelineCreationContext* const aContext,+ const dom::GPURenderPipelineDescriptor& aDesc) {+ ByteBuf bb;+ const RawId id = DeviceCreateRenderPipelineImpl(aContext, aDesc, &bb);++ return SendDeviceActionWithAck(aContext->mParentId, std::move(bb))+ ->Then(+ GetCurrentSerialEventTarget(), __func__,+ [id](bool aDummy) {+ Unused << aDummy;+ return PipelinePromise::CreateAndResolve(id, __func__);+ },+ [](const ipc::ResponseRejectReason& aReason) {+ return PipelinePromise::CreateAndReject(aReason, __func__);+ }); } ipc::IPCResult WebGPUChild::RecvDeviceUncapturedError(@@ -882,7 +935,7 @@ if (!aDeviceId || targetIter == mDeviceMap.end()) { JsWarning(nullptr, aMessage); } else {- auto* target = targetIter->second;+ auto* target = targetIter->second.get(); MOZ_ASSERT(target); // We don't want to spam the errors to the console indefinitely if (target->CheckNewWarning(aMessage)) {@@ -927,13 +980,20 @@ SendSwapChainPresent(aExternalImageId, aTextureId, encoderId); }-void WebGPUChild::RegisterDevice(RawId aId, Device* aDevice) {- mDeviceMap.insert({aId, aDevice});+void WebGPUChild::RegisterDevice(Device* const aDevice) {+ mDeviceMap.insert({aDevice->mId, aDevice}); } void WebGPUChild::UnregisterDevice(RawId aId) { mDeviceMap.erase(aId);- SendDeviceDestroy(aId);+ if (IsOpen()) {+ SendDeviceDestroy(aId);+ }+}++void WebGPUChild::FreeUnregisteredInParentDevice(RawId aId) {+ ffi::wgpu_client_kill_device_id(mClient, aId);+ mDeviceMap.erase(aId); } } // namespace webgpu
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: yes
Double-Free or Memory Management Issue [dom/webgpu/ipc/WebGPUChild.cpp] [Lines 164, 202-281, 980]
[Old Code]
WebGPUChild::WebGPUChild() : mClient(initialize()), mIPCOpen(false) {}
...
if (!SendAdapterRequestDevice(aSelfId, std::move(bb), id)) {
ffi::wgpu_client_kill_device_id(mClient, id);
return Nothing();
}
[Fixed Code]
WebGPUChild::WebGPUChild() : mClient(initialize()) {}
...
DeviceRequest request;
request.mId = id;
request.mPromise = SendAdapterRequestDevice(aSelfId, std::move(bb), id);
*aLimits = desc.limits;
...
void WebGPUChild::FreeUnregisteredInParentDevice(RawId aId) {
ffi::wgpu_client_kill_device_id(mClient, aId);
mDeviceMap.erase(aId);
}
Details: The changes improve device ID management by centralizing cleanup in FreeUnregisteredInParentDevice and removing redundant cleanup paths. The old code could potentially lead to double-free issues if device cleanup wasn't properly coordinated between parent and child processes.
2. Vulnerability Existed: yes
Race Condition in Device Registration [dom/webgpu/ipc/WebGPUChild.cpp] [Lines 935, 980-987]
[Old Code]
void WebGPUChild::RegisterDevice(RawId aId, Device* aDevice) {
mDeviceMap.insert({aId, aDevice});
}
void WebGPUChild::UnregisterDevice(RawId aId) {
mDeviceMap.erase(aId);
SendDeviceDestroy(aId);
}
[Fixed Code]
void WebGPUChild::RegisterDevice(Device* const aDevice) {
mDeviceMap.insert({aDevice->mId, aDevice});
}
void WebGPUChild::UnregisterDevice(RawId aId) {
mDeviceMap.erase(aId);
if (IsOpen()) {
SendDeviceDestroy(aId);
}
}
void WebGPUChild::FreeUnregisteredInParentDevice(RawId aId) {
ffi::wgpu_client_kill_device_id(mClient, aId);
mDeviceMap.erase(aId);
}
Details: The changes add proper IPC state checking (IsOpen()) before sending destruction messages and separate the cleanup logic between parent and child processes, preventing potential race conditions during shutdown.
3. Vulnerability Existed: not sure
Potential Resource Leak [dom/webgpu/ipc/WebGPUChild.cpp] [Lines 202-281]
[Old Code]
if (!featureBits) {
return {};
}
[Fixed Code]
if (!featureBits) {
return Nothing();
}
Details: While this change makes the error handling more explicit by using Nothing() instead of an empty braced initializer, it's unclear if this was fixing an actual resource leak or just improving code clarity. The change occurs in a section dealing with device creation and feature validation.
4. Vulnerability Existed: yes
Improper Error Handling in Pipeline Creation [dom/webgpu/ipc/WebGPUChild.cpp] [Lines 669-737]
[Old Code]
RawId WebGPUChild::DeviceCreateComputePipeline(...) {
...
if (!SendDeviceAction(aSelfId, std::move(bb))) {
MOZ_CRASH("IPC failure");
}
}
[Fixed Code]
RefPtr<PipelinePromise> WebGPUChild::DeviceCreateComputePipelineAsync(...) {
...
return SendDeviceActionWithAck(...)->Then(...);
}
Details: The change replaces a crash-on-failure approach with proper promise-based error handling for asynchronous pipeline creation, which could prevent potential denial-of-service scenarios from IPC failures.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/glean-core/src/util.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/glean-core/src/util.rs@@ -48,8 +48,7 @@ /// /// This converts from the `Local` timezone into its fixed-offset equivalent. /// If a timezone outside of [-24h, +24h] is detected it corrects the timezone offset to UTC (+0).-/// The return value will signal if the timezone offset was corrected.-pub(crate) fn local_now_with_offset() -> (DateTime<FixedOffset>, bool) {+pub(crate) fn local_now_with_offset() -> DateTime<FixedOffset> { #[cfg(target_os = "windows")] { // `Local::now` takes the user's timezone offset@@ -84,29 +83,12 @@ ); let now: DateTime<Utc> = Utc::now(); let utc_offset = FixedOffset::east(0);- return (now.with_timezone(&utc_offset), true);+ return now.with_timezone(&utc_offset); } } let now: DateTime<Local> = Local::now();- (now.with_timezone(now.offset()), false)-}--/// Get the current date & time with a fixed-offset timezone.-///-/// This converts from the `Local` timezone into its fixed-offset equivalent.-/// If a timezone outside of [-24h, +24h] is detected it corrects the timezone offset to UTC (+0).-/// The corresponding error counter is incremented in this case.-pub(crate) fn local_now_with_offset_and_record(glean: &Glean) -> DateTime<FixedOffset> {- let (now, is_corrected) = local_now_with_offset();- if is_corrected {- glean- .additional_metrics- .invalid_timezone_offset- .add(glean, 1);- }-- now+ now.with_timezone(now.offset()) } /// Truncates a string, ensuring that it doesn't end in the middle of a codepoint.@@ -297,11 +279,7 @@ #[test] fn local_now_gets_the_time() { let now = Local::now();- let (fixed_now, is_corrected) = local_now_with_offset();-- // We explicitly test that NO invalid timezone offset was recorded.- // If it _does_ happen and fails on a developer machine or CI, we better know about it.- assert!(!is_corrected, "Timezone offset should be valid.");+ let fixed_now = local_now_with_offset(); // We can't compare across differing timezones, so we just compare the UTC timestamps. // The second timestamp should be just a few nanoseconds later.
Here's the analysis following the specified format:
Vulnerability Existed: not sure
[Potential Timezone Handling Issue] [third_party/rust/glean-core/src/util.rs] [Lines 48-83]
[Old Code]
pub(crate) fn local_now_with_offset() -> (DateTime<FixedOffset>, bool) {
// ... code that returns tuple with bool indicating correction ...
[Fixed Code]
pub(crate) fn local_now_with_offset() -> DateTime<FixedOffset> {
// ... code that just returns DateTime ...
Additional Details:
- The change removes the boolean return value that indicated whether timezone correction occurred
- This could potentially affect security if the calling code relied on knowing when timezone corrections happened
- However, without more context about how this function is used, it's unclear if this constitutes a security vulnerability
- The removed functionality for tracking invalid timezone offsets might have been security-relevant for logging or monitoring
Vulnerability Existed: not sure
[Removed Error Tracking] [third_party/rust/glean-core/src/util.rs] [Lines 84-97]
[Old Code]
pub(crate) fn local_now_with_offset_and_record(glean: &Glean) -> DateTime<FixedOffset> {
let (now, is_corrected) = local_now_with_offset();
if is_corrected {
glean
.additional_metrics
.invalid_timezone_offset
.add(glean, 1);
}
now
}
[Fixed Code]
[Function completely removed]
Additional Details:
- The removal of error tracking for invalid timezone offsets might affect security monitoring
- This could potentially hide issues with system timezone configurations
- However, it's unclear if this was security-critical or just for debugging/monitoring purposes
- The impact depends on how important this metric was for security monitoring
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.skew.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.skew.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -51,15 +51,15 @@ ctx.strokeStyle = '#f00'; ctx.stroke(); ctx.restore();-_assertPixel(offscreenCanvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,0, 0,255,0,255, "50,0", "0,255,0,255");-_assertPixel(offscreenCanvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255");-_assertPixel(offscreenCanvas, 0,25, 0,255,0,255, "0,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 99,25, 0,255,0,255, "99,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255");-_assertPixel(offscreenCanvas, 50,49, 0,255,0,255, "50,49", "0,255,0,255");-_assertPixel(offscreenCanvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255");+_assertPixel(canvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255");+_assertPixel(canvas, 50,0, 0,255,0,255, "50,0", "0,255,0,255");+_assertPixel(canvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255");+_assertPixel(canvas, 0,25, 0,255,0,255, "0,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 99,25, 0,255,0,255, "99,25", "0,255,0,255");+_assertPixel(canvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255");+_assertPixel(canvas, 50,49, 0,255,0,255, "50,49", "0,255,0,255");+_assertPixel(canvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic, renaming a variable from `offscreenCanvas` to `canvas` and updating all references to it. Here's the analysis following your requested format:
Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.skew.html] [Lines 17-51]
[Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ... _assertPixel(offscreenCanvas, ...)]
[Fixed Code: var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ... _assertPixel(canvas, ...)]
The changes are purely variable naming improvements without any security implications. The functionality remains exactly the same, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoRuntime.java+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoRuntime.java@@ -42,11 +42,13 @@ import org.mozilla.gecko.EventDispatcher; import org.mozilla.gecko.GeckoAppShell; import org.mozilla.gecko.GeckoNetworkManager;+import org.mozilla.gecko.GeckoScreenChangeListener; import org.mozilla.gecko.GeckoScreenOrientation; import org.mozilla.gecko.GeckoScreenOrientation.ScreenOrientation; import org.mozilla.gecko.GeckoSystemStateListener; import org.mozilla.gecko.GeckoThread; import org.mozilla.gecko.annotation.WrapForJNI;+import org.mozilla.gecko.process.MemoryController; import org.mozilla.gecko.util.BundleEventListener; import org.mozilla.gecko.util.DebugConfig; import org.mozilla.gecko.util.EventCallback;@@ -135,6 +137,8 @@ */ public static final String CRASHED_PROCESS_TYPE_BACKGROUND_CHILD = "BACKGROUND_CHILD";+ private final MemoryController mMemoryController = new MemoryController();+ @Retention(RetentionPolicy.SOURCE) @StringDef( value = {@@ -142,7 +146,7 @@ CRASHED_PROCESS_TYPE_FOREGROUND_CHILD, CRASHED_PROCESS_TYPE_BACKGROUND_CHILD })- /* package */ @interface CrashedProcessType {}+ public @interface CrashedProcessType {} private final class LifecycleListener implements LifecycleObserver { private boolean mPaused = false;@@ -222,12 +226,18 @@ private final ContentBlockingController mContentBlockingController; private final Autocomplete.StorageProxy mAutocompleteStorageProxy; private final ProfilerController mProfilerController;+ private final GeckoScreenChangeListener mScreenChangeListener; private GeckoRuntime() { mWebExtensionController = new WebExtensionController(this); mContentBlockingController = new ContentBlockingController(); mAutocompleteStorageProxy = new Autocomplete.StorageProxy(); mProfilerController = new ProfilerController();+ if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {+ mScreenChangeListener = new GeckoScreenChangeListener();+ } else {+ mScreenChangeListener = null;+ } if (sRuntime != null) { throw new IllegalStateException("Only one GeckoRuntime instance is allowed");@@ -454,6 +464,12 @@ // Add process lifecycle listener to react to backgrounding events. ProcessLifecycleOwner.get().getLifecycle().addObserver(new LifecycleListener());++ // Add Display Manager listener to listen screen orientation change.+ if (mScreenChangeListener != null) {+ mScreenChangeListener.enable();+ }+ mProfilerController.addMarker( "GeckoView Initialization START", mProfilerController.getProfilerTime()); return true;@@ -552,6 +568,8 @@ throw new IllegalStateException("Failed to initialize GeckoRuntime"); }+ context.registerComponentCallbacks(runtime.mMemoryController);+ return runtime; }@@ -563,6 +581,11 @@ } GeckoSystemStateListener.getInstance().shutdown();++ if (mScreenChangeListener != null) {+ mScreenChangeListener.disable();+ }+ GeckoThread.forceQuit(); }@@ -873,6 +896,12 @@ return ActivityInfo.SCREEN_ORIENTATION_REVERSE_LANDSCAPE; } else if (geckoOrientation == ScreenOrientation.DEFAULT.value) { return ActivityInfo.SCREEN_ORIENTATION_UNSPECIFIED;+ } else if (geckoOrientation == ScreenOrientation.PORTRAIT.value) {+ return ActivityInfo.SCREEN_ORIENTATION_SENSOR_PORTRAIT;+ } else if (geckoOrientation == ScreenOrientation.LANDSCAPE.value) {+ return ActivityInfo.SCREEN_ORIENTATION_SENSOR_LANDSCAPE;+ } else if (geckoOrientation == ScreenOrientation.ANY.value) {+ return ActivityInfo.SCREEN_ORIENTATION_FULL_SENSOR; } return ActivityInfo.SCREEN_ORIENTATION_PORTRAIT; }
Here's the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Memory Management Issue] [mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoRuntime.java] [Lines 137, 568] [Old Code: No MemoryController instance] [Fixed Code: Added MemoryController instance and registered it as component callback] 2. Vulnerability Existed: not sure [Potential Screen Orientation Handling Issue] [mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoRuntime.java] [Lines 226, 228-234, 464-466, 581-583] [Old Code: No screen change listener handling] [Fixed Code: Added GeckoScreenChangeListener with proper initialization and cleanup] 3. Vulnerability Existed: not sure [Potential Annotation Visibility Issue] [mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoRuntime.java] [Lines 146] [Old Code: package-private annotation] [Fixed Code: public annotation] 4. Vulnerability Existed: not sure [Potential Screen Orientation Mapping Issue] [mobile/android/geckoview/src/main/java/org/mozilla/geckoview/GeckoRuntime.java] [Lines 896-902] [Old Code: Limited screen orientation mapping] [Fixed Code: Added more complete screen orientation mapping cases] Note: While these changes appear to be improvements in functionality and potentially security-related, I cannot definitively identify specific vulnerabilities being fixed without more context about the security issues they address. The changes seem to focus on: 1. Better memory management 2. More robust screen orientation handling 3. Improved API visibility 4. More complete screen orientation mapping However, without specific vulnerability reports or CVE references, I can't confirm these were direct security fixes versus general improvements.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-1.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-1.xml@@ -5,7 +5,6 @@ <style type="text/css"><![CDATA[li,p { background-color : lime }]]></style> <link rel="author" title="Daniel Glazman" href="http://glazman.org/"/> <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->- <meta name="flags" content="" /> </head> <body> <ul>
Analysis of the provided code diff: 1. Vulnerability Existed: no No specific vulnerability found [File] testing/web-platform/tests/css/selectors/old-tests/css3-modsel-1.xml [Lines] 5 [Old Code] <meta name="flags" content="" /> [Fixed Code] (line removed) Additional notes: - The diff shows only the removal of an empty meta tag with a "flags" attribute, which doesn't appear to be security-related - This change seems to be more about cleanup or test configuration rather than addressing a security vulnerability - The empty flags attribute wasn't serving any apparent security purpose, and its removal doesn't indicate a security fix - No known vulnerability is associated with this type of change
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/vm/JSAtom.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/vm/JSAtom.h@@ -47,15 +47,30 @@ template <typename CharT> extern JSAtom* AtomizeChars(JSContext* cx, const CharT* chars, size_t length);+/*+ * Optimized entry points for atomization.+ *+ * The meaning of suffix:+ * * "NonStatic": characters don't match StaticStrings+ * * "ValidLength": length fits JSString::MAX_LENGTH+ */+ /* Atomize characters when the value of HashString is already known. */ template <typename CharT>-extern JSAtom* AtomizeChars(JSContext* cx, mozilla::HashNumber hash,- const CharT* chars, size_t length);+extern JSAtom* AtomizeCharsNonStaticValidLength(JSContext* cx,+ mozilla::HashNumber hash,+ const CharT* chars,+ size_t length);-template <typename CharT>-extern JSAtom* PermanentlyAtomizeChars(JSContext* cx, AtomSet& atomSet,- mozilla::HashNumber hash,- const CharT* chars, size_t length);+/**+ * Permanently atomize characters.+ *+ * `chars` shouldn't match any of StaticStrings entry.+ * `length` should be validated by JSString::validateLength.+ */+extern JSAtom* PermanentlyAtomizeCharsNonStaticValidLength(+ JSContext* cx, AtomSet& atomSet, mozilla::HashNumber hash,+ const Latin1Char* chars, size_t length); /** * Create an atom whose contents are those of the |utf8ByteLength| code units
Here's the analysis of the provided code diff following the specified format:
1. Vulnerability Existed: not sure
[Potential Integer Overflow/Validation Issue] [js/src/vm/JSAtom.h] [Lines 47-60]
[Old Code]
```cpp
template <typename CharT>
extern JSAtom* AtomizeChars(JSContext* cx, mozilla::HashNumber hash,
const CharT* chars, size_t length);
```
[Fixed Code]
```cpp
template <typename CharT>
extern JSAtom* AtomizeCharsNonStaticValidLength(JSContext* cx,
mozilla::HashNumber hash,
const CharT* chars,
size_t length);
```
Additional Details: The function was renamed to explicitly indicate it requires valid length (fitting JSString::MAX_LENGTH), suggesting previous version might have lacked proper length validation.
2. Vulnerability Existed: not sure
[Potential Static String Collision] [js/src/vm/JSAtom.h] [Lines 60-70]
[Old Code]
```cpp
template <typename CharT>
extern JSAtom* PermanentlyAtomizeChars(JSContext* cx, AtomSet& atomSet,
mozilla::HashNumber hash,
const CharT* chars, size_t length);
```
[Fixed Code]
```cpp
extern JSAtom* PermanentlyAtomizeCharsNonStaticValidLength(
JSContext* cx, AtomSet& atomSet, mozilla::HashNumber hash,
const Latin1Char* chars, size_t length);
```
Additional Details: The function was modified to explicitly require non-static strings and valid length, and was specialized for Latin1Char only. This suggests previous version might have had issues with static string collisions or type safety.
The changes appear to be hardening measures rather than fixing specific known vulnerabilities, with added validation requirements and more specific function signatures. The explicit naming and documentation suggests these were potential security concerns being proactively addressed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.align.start.ltr.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.align.start.ltr.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var f = new FontFace("CanvasTest", "url('/fonts/CanvasTest.ttf')"); let fonts = (self.fonts ? self.fonts : document.fonts);@@ -32,12 +32,12 @@ ctx.fillStyle = '#0f0'; ctx.textAlign = 'start'; ctx.fillText('DD', 0, 37.5);- _assertPixelApprox(offscreenCanvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 95,5, 0,255,0,255, "95,5", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 95,45, 0,255,0,255, "95,45", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 95,5, 0,255,0,255, "95,5", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 95,45, 0,255,0,255, "95,45", "0,255,0,255", 2); }).then(t_pass, t_fail); });
Based on the provided code diff, I don't see any security-related fixes. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and updating the corresponding references in the assertions. Here's the analysis:
1. Vulnerability Existed: no
No vulnerability found [File] [Lines 17-18, 32-37]
Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
// ...
_assertPixelApprox(offscreenCanvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);
```
Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
// ...
_assertPixelApprox(canvas, 5,5, 0,255,0,255, "5,5", "0,255,0,255", 2);
```
The changes are purely cosmetic/refactoring in nature and don't address any security vulnerabilities. The functionality remains exactly the same, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.