Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.bitmap.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.bitmap.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -22,7 +22,7 @@ ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50); ctx.restore();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't affect security. Here's the analysis:

Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.bitmap.worker.js] [Lines 13-22]

[Old Code]
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```

[Fixed Code]
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```

The changes simply rename the variable from `offscreenCanvas` to `canvas` for consistency or readability, without any security implications. The functionality remains exactly the same.
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.twopie.2.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.twopie.2.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -27,7 +27,7 @@ ctx.beginPath(); ctx.arc(50, 25, 50, 0, 2*Math.PI - 1e-4, false); ctx.stroke();-_assertPixel(offscreenCanvas, 50,20, 0,255,0,255, "50,20", "0,255,0,255");+_assertPixel(canvas, 50,20, 0,255,0,255, "50,20", "0,255,0,255"); t.done(); });
Analysis of the provided code diff:

1. Vulnerability Existed: no
No specific vulnerability found
[File] testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.twopie.2.html
[Lines] 17-27

[Old Code]
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
// ...
_assertPixel(offscreenCanvas, 50,20, 0,255,0,255, "50,20", "0,255,0,255");
```

[Fixed Code]
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
// ...
_assertPixel(canvas, 50,20, 0,255,0,255, "50,20", "0,255,0,255");
```

The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) with no security implications. The functionality remains identical, and there are no security-related patterns or vulnerabilities being addressed in this diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/context.casesensitive.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-offscreen-canvas/context.casesensitive.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var offscreenCanvas2 = new OffscreenCanvas(100, 50); assert_throws_js(TypeError, function() { offscreenCanvas2.getContext('2D'); });
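Review bot: The rename at the top of the `t.step` callback is only half applied: `offscreenCanvas` becomes `canvas`, but the unchanged context line right after it still declares `offscreenCanvas2`, so the test now mixes both naming schemes. Either rename that variable as well (for example to `canvas2`) or say in the commit message that secondary canvases keep the old name. The `offscreenCanvas2` declaration and the `assert_throws_js` call are context lines, so the case-sensitivity check on `getContext('2D')` is not changed by this hunk.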
Analysis of the provided code diff:

1. Vulnerability Existed: no
No specific vulnerability found [File] [Lines 13-14]

Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```

Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```

2. Vulnerability Existed: no
No specific vulnerability found [File] [Line 16]

Old Code: (none, this is an addition)

Fixed Code:
```javascript
var offscreenCanvas2 = new OffscreenCanvas(100, 50);
assert_throws_js(TypeError, function() { offscreenCanvas2.getContext('2D'); });
```

The changes appear to be:

1. A variable name change from 'offscreenCanvas' to 'canvas' (likely for consistency/readability)
2. Addition of a test case verifying that case-sensitive context types are enforced (2D vs 2d)

No security vulnerabilities are apparent in these changes. The test case addition actually improves security by verifying proper case-sensitivity enforcement in the OffscreenCanvas API.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/tokio-timer/src/throttle.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/tokio-timer/src/throttle.rs@@ -158,7 +158,7 @@ // FIXME(taiki-e): When the minimum support version of tokio reaches Rust 1.30, // replace this with Error::source. #[allow(deprecated)]- fn cause(&self) -> Option<&StdError> {+ fn cause(&self) -> Option<&dyn StdError> { match self.0 { Either::A(ref err) => Some(err), Either::B(ref err) => Some(err),
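Review bot: In `cause()`, the only edit is `Option<&StdError>` to `Option<&dyn StdError>`, while the FIXME directly above still asks for the method to be replaced with `Error::source` and the `#[allow(deprecated)]` attribute stays. If the aim is just to drop the bare trait object syntax in this vendored file, say so in the commit message; if the minimum Rust version now permits it, resolve the FIXME in the same change instead of keeping the deprecated method.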
Let me analyze the provided code diff for security fixes.

Vulnerability Existed: no
[Deprecated API Usage] [third_party/rust/tokio-timer/src/throttle.rs] [Lines 158-163]

[Old Code]
```rust
fn cause(&self) -> Option<&StdError> {
```

[Fixed Code]
```rust
fn cause(&self) -> Option<&dyn StdError> {
```

Additional Details: This change appears to be a maintenance update rather than a security fix. The modification updates the return type of the `cause()` method to use the newer `dyn` trait syntax, which was introduced in Rust 1.30. The comment in the code explicitly mentions this is preparation for when the minimum supported Rust version reaches 1.30. The change doesn't address any security vulnerability but rather updates deprecated syntax to be forward-compatible. The `#[allow(deprecated)]` attribute suggests this was a planned deprecation migration rather than a security fix.

No security vulnerabilities were identified in this diff. The change is purely related to API modernization and compatibility.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/dav1d/src/tables.c+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/dav1d/src/tables.c@@ -440,7 +440,7 @@ 0 };-const int8_t ALIGN(dav1d_mc_subpel_filters[5+ARCH_X86_64][15][8], 8) = {+const int8_t ALIGN(dav1d_mc_subpel_filters[6][15][8], 8) = { [DAV1D_FILTER_8TAP_REGULAR] = { { 0, 1, -3, 63, 4, -1, 0, 0 }, { 0, 1, -5, 61, 9, -2, 0, 0 },@@ -522,7 +522,6 @@ { 0, 0, 2, 20, 31, 11, 0, 0 }, { 0, 0, 2, 18, 31, 13, 0, 0 }, { 0, 0, 1, 17, 31, 15, 0, 0 }-#if ARCH_X86_64 /* Bilin scaled being very rarely used, add a new table entry * and use the put/prep_8tap_scaled code, thus acting as a * scaled bilinear filter. */@@ -542,7 +541,6 @@ { 0, 0, 0, 12, 52, 0, 0, 0 }, { 0, 0, 0, 8, 56, 0, 0, 0 }, { 0, 0, 0, 4, 60, 0, 0, 0 }-#endif } };
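Review bot: The definition of `dav1d_mc_subpel_filters` now hard-codes the first dimension as `6` where it was `5+ARCH_X86_64`, and the `#if ARCH_X86_64` / `#endif` pair around the last table entry is dropped, so the scaled-bilinear row is built on every architecture. Only `tables.c` is visible here, so any `extern` declaration of this array has to carry the same first dimension in the same commit; a named constant for the filter count instead of the literal `6` would keep definition and declarations from drifting apart. The commit message should also state which non-x86_64 code path starts using the sixth row.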
Here's the analysis of the provided code diff:

1. Vulnerability Existed: not sure
Potential Array Size Mismatch
[File] third_party/dav1d/src/tables.c
[Lines] 440
[Old Code] `const int8_t ALIGN(dav1d_mc_subpel_filters[5+ARCH_X86_64][15][8], 8) = {`
[Fixed Code] `const int8_t ALIGN(dav1d_mc_subpel_filters[6][15][8], 8) = {`

Additional Details: The change modifies the array size declaration, potentially fixing a size mismatch issue. The vulnerability type is unclear, but it could relate to memory safety.

2. Vulnerability Existed: not sure
Potential Conditional Compilation Issue
[File] third_party/dav1d/src/tables.c
[Lines] 522-541
[Old Code] `#if ARCH_X86_64` ... `#endif` surrounding the bilinear filter code
[Fixed Code] Removed conditional compilation directives

Additional Details: The removal of ARCH_X86_64 conditional compilation might indicate a fix for platform-specific behavior issues, but the exact security implication is unclear.

Note: While these changes appear to be memory-related and could potentially affect security, the exact nature of any vulnerabilities isn't clear from the diff alone. The modifications seem to standardize behavior across architectures and ensure consistent array sizing.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit/shared/AtomicOperations-feeling-lucky.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit/shared/AtomicOperations-feeling-lucky.h@@ -9,8 +9,6 @@ #if defined(__clang__) || defined(__GNUC__) # include "jit/shared/AtomicOperations-feeling-lucky-gcc.h"-#elif defined(_MSC_VER)-# include "jit/shared/AtomicOperations-feeling-lucky-msvc.h" #else # error "No AtomicOperations support for this platform+compiler combination" #endif
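Review bot: Removing the `#elif defined(_MSC_VER)` branch means a build that reaches this header with a compiler defining neither `__clang__` nor `__GNUC__` now stops at the `#error` line. Failing at compile time is the safe outcome, but the change should state that no supported configuration still depends on `jit/shared/AtomicOperations-feeling-lucky-msvc.h` and whether that file is deleted in the same commit, so the include is not left pointing at dead code elsewhere.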
Let me analyze the provided code diff for security fixes.

Vulnerability Existed: not sure
[Potential Compiler-Specific Vulnerability] [js/src/jit/shared/AtomicOperations-feeling-lucky.h] [Lines 9-11]

[Old Code]
```c
#elif defined(_MSC_VER)
# include "jit/shared/AtomicOperations-feeling-lucky-msvc.h"
```

[Fixed Code] [Removed]

Additional Details: The diff shows removal of Microsoft Visual C++ (MSVC) specific atomic operations implementation. While this might be related to security, it's unclear without more context. Possible reasons could be:

1. The MSVC implementation had security issues that were fixed by removing it
2. The functionality was moved elsewhere
3. MSVC support was dropped for other reasons

Without seeing the contents of the removed file or more context about why this change was made, I can't definitively say if this was a security fix or not. The change could be related to security, but it might also be an architectural or compatibility change.

Note: Atomic operations are often security-sensitive as they deal with thread synchronization, so changes in this area should be carefully reviewed for potential race conditions or memory safety issues.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.lineWidth.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.lineWidth.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); // Test that restore() undoes any modifications var old = ctx.lineWidth;
Analysis of the provided code diff:

1. Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-14]

[Old Code]
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```

[Fixed Code]
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```

Additional Notes:

- The change appears to be purely a variable name refactoring from 'offscreenCanvas' to 'canvas'
- No security implications are evident in this change
- The functionality remains identical, only the variable name was changed for better clarity/consistency
- This is likely part of code style improvements rather than security fixes
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/locales/l10n-changesets.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/locales/l10n-changesets.json@@ -123,7 +123,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "d6d7ff144005751902822e5d2e522aeb0895b888"+ "revision": "897cb09ca19681ef501d1189c76c5ea615bc20ee" }, "bg": { "pin": false,@@ -141,7 +141,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "19ee7b31e0becafa054013a3c8c09844638f244c"+ "revision": "36c2b720e031299cc64ca36b8ad73405afbf15e7" }, "bn": { "pin": false,@@ -177,7 +177,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "a9e3b8ba10759c8a4f7da6b7970911ded7d04ad6"+ "revision": "858100c5ec0740e1894d1272de9a1b4e2d72b33e" }, "bs": { "pin": false,@@ -213,7 +213,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "caf5515093962f3f92c92aea68dacd4c3e520a8d"+ "revision": "ed3ceba213d7c1462f9ead5665b92c3f6ee44945" }, "ca-valencia": { "pin": false,@@ -249,7 +249,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "0bbd8b94c9c02fa5ec6a3e5fd3bf3e69b0432829"+ "revision": "c5a21feab0ea049d75d3e561ee820fd358808143" }, "cs": { "pin": false,@@ -267,7 +267,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "37ac179b678c711a0e25ef771da41d04a81274ea"+ "revision": "142eaea80044ef2c53c7986c4a2e26259d46e011" }, "cy": { "pin": false,@@ -285,7 +285,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "0eecc3c5396a7ce0ae207243a6879f559761b7a3"+ "revision": "5ec73257e61e8efec15086579949df7e74069eee" }, "da": { "pin": false,@@ -303,7 +303,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "d8f6222425ba68244150bfbc6681afbfb2ffe5fd"+ "revision": "6ccb92ba0b671548fcdb2040bf42bb21604f3d92" }, "de": { "pin": false,@@ -321,7 +321,7 @@ "win64-aarch64-devedition", 
"win64-devedition" ],- "revision": "d021516fc3bd2cf7c077c39a7a966e179b1f9d5c"+ "revision": "51fa7772be1a25576ed8385063e5e96b1371c127" }, "dsb": { "pin": false,@@ -339,7 +339,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "70960aa71596ad656e55cc1e49d84948e543f929"+ "revision": "a5a3284f3845e18003e88fd0b0c822dc5982a381" }, "el": { "pin": false,@@ -357,7 +357,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "4967d37f3abcff1ac87c3ec8030d857d828eef19"+ "revision": "36278602ab4250b31a91431fe3a30ba16ebb119e" }, "en-CA": { "pin": false,@@ -375,7 +375,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "d6c548e6a369de5d9b11c62a6dcb16fbd03b389a"+ "revision": "4952938ad641b86d96b0192368a205155de7e236" }, "en-GB": { "pin": false,@@ -393,7 +393,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "d2cbf84e07289b701925b083dd877e0e0a85c590"+ "revision": "85760d047ff2bb3f20073209c86aafae484a6c84" }, "eo": { "pin": false,@@ -411,7 +411,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "5b199412e63ef23ef92eb3250b7b513a256fe63d"+ "revision": "879b99194c7b241e4a68b6ea73f295c41539db01" }, "es-AR": { "pin": false,@@ -429,7 +429,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "26e4da761e45a9dbf07a154075879ef07a3272f8"+ "revision": "44975e7ce27d8d895af5c35909a9fc748eb86fd2" }, "es-CL": { "pin": false,@@ -447,7 +447,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "c994d9a22b1e43aa490a989c438fa725a8d4e51f"+ "revision": "7494321544d9a289dcdcfb687ba6ae407553694d" }, "es-ES": { "pin": false,@@ -465,7 +465,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "50ae36cca91076145fd3f5a15cdcf887842c2b59"+ "revision": "3e6d47a732b3c12395641615708ddafe5a2f2096" }, "es-MX": { "pin": false,@@ -483,7 +483,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "bf9a6d93e81f45badbafe8e9ba54d52c6330028d"+ "revision": 
"f43ffb5899d6af3cfd15eb17e5e37016d98caea3" }, "et": { "pin": false,@@ -501,7 +501,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "d7475edcfbfb4ddeb02caefb9fc5d399280918d4"+ "revision": "6232a1e2884cdef938578c8fa62d94a0daf5e496" }, "eu": { "pin": false,@@ -519,7 +519,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "a8df7f4a49813b6555c9c8f092562ac664a40ad7"+ "revision": "ed8fb7ed0677c4b36a5b50cfb07a1e968bb9a6d6" }, "fa": { "pin": false,@@ -537,7 +537,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "60cff0755aaf290a159cb6968c4909bf9ecae2fa"+ "revision": "fb843f2121544da95b60b20d7147be7069091be2" }, "ff": { "pin": false,@@ -573,7 +573,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "6b8b5bd168c64be1926b694089ac8faff3f5f474"+ "revision": "bde25da854ae4e6a12a9b5cb9326fd1e6428eca7" }, "fr": { "pin": false,@@ -591,7 +591,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "43ef41efa9e6ff87d6b4d0672d44c6d0d02f078c"+ "revision": "93d4e8b3d00efc349a097915333d2816c752b8ad" }, "fy-NL": { "pin": false,@@ -609,7 +609,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "9888ad5e805705a56ac037744c35542522d844c5"+ "revision": "218bf89139061fb15ad7aced1c6fb5ffc8c9dcce" }, "ga-IE": { "pin": false,@@ -681,7 +681,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "aa33a53b688bed9cedeb8a3eaf0466b9451d2e18"+ "revision": "79ecbd15280e326e1f386eecc12c17113600417a" }, "gu-IN": { "pin": false,@@ -717,7 +717,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "a1178626bd760ac054bd0fccf1b515cc22075642"+ "revision": "2aa7b17642d24e276a005793d76ba2b3bdc5facf" }, "hi-IN": { "pin": false,@@ -753,7 +753,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "a01b7ce3515d0b2f05e473625148f11a264da0a2"+ "revision": "871e4180f68eee9ac04971ff6b554e4dbc2711a2" }, "hsb": { "pin": false,@@ -771,7 +771,7 @@ "win64-aarch64-devedition", 
"win64-devedition" ],- "revision": "5d446c2cb85ab7fc253ec1b4fb6ed55438b0ef0f"+ "revision": "4ca8bb594b515fecca5763b2320c113472bff832" }, "hu": { "pin": false,@@ -789,7 +789,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "08ce6fff597386be51098c9d5f2ed33716277216"+ "revision": "f2ddbe0eeeef462861f509b7874b18ab3c35a0f3" }, "hy-AM": { "pin": false,@@ -807,7 +807,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "39679b7c9696a93c5aa254678e53574f433249f7"+ "revision": "72d3fa9bc851b8690a31622bd1890ba5220fee17" }, "ia": { "pin": false,@@ -825,7 +825,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "267711b89ca8ee885196dc7daac5e218ea1e88f8"+ "revision": "97b0f4d4ab1c3679263855ad61fe71279a5f138a" }, "id": { "pin": false,@@ -843,7 +843,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "4d4de9751872149e1c99dcfce2b7ce4835b65589"+ "revision": "e7c7de1a73032dad5f1768a27b7a0b07b091c6a5" }, "is": { "pin": false,@@ -861,7 +861,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "5753814cd9664948b3ac5ace293b3d46304f0cf2"+ "revision": "a79cf7156cd7743c947b782578ef4f722af27d72" }, "it": { "pin": false,@@ -879,7 +879,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "23a6bcedbdd8fe6cd5a7a51c475a5e9163a375e5"+ "revision": "998226bb25f6c295771c373f38d2ec30f63f2ce2" }, "ja": { "pin": false,@@ -895,7 +895,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "c4be75596e316966ab1dc9857a9be6b0a7bc2ef9"+ "revision": "6127a7d5900012673428cb1a7bc210fcf37a6892" }, "ja-JP-mac": { "pin": false,@@ -903,7 +903,7 @@ "macosx64", "macosx64-devedition" ],- "revision": "476eca379b8b21857655d6c23908b3e2a1b09aee"+ "revision": "f863997fc8afeaf63fd4bf34c2e32b3fc2ff83f3" }, "ka": { "pin": false,@@ -921,7 +921,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "300bd68426f1a75e754e0aceee03b0cf257524a3"+ "revision": "cf38241abced5a8b4b2f74f4ce209756355274b9" }, "kab": { 
"pin": false,@@ -939,7 +939,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "3c2f3430290ba1c3bb2f3ec8f961baf7e994ace9"+ "revision": "34cdd7ae3a2706650cb51cc379fb0c2b25516169" }, "kk": { "pin": false,@@ -957,7 +957,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "f34ffb08787eb336151f6218a295c218cb6f49e2"+ "revision": "3391b7f3823482b4dc7e21a0aa0181cdde4c203f" }, "km": { "pin": false,@@ -1011,7 +1011,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "456de386bdbe2ad6be7d8252db70a0a4abbc6dcf"+ "revision": "8bacee055189bee1f36ac411082bfc0ff7cc816d" }, "lij": { "pin": false,@@ -1155,7 +1155,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "490c2d401359fd2204ad7aa806a73107f3befc27"+ "revision": "0bc72f781481f50e11e9313f1baa214f8f2e73a4" }, "ne-NP": { "pin": false,@@ -1191,7 +1191,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "ce81040d4aa33f478a2b20a5762f720c94b34ae6"+ "revision": "22a4e7c33e985047132db447d7e1bb71702d374c" }, "nn-NO": { "pin": false,@@ -1209,7 +1209,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "2a97309ce5e7b626ebe73d09bd64a12753d1dc5d"+ "revision": "1c7a2571547e6008612a319f52d2ef6299c0ccdc" }, "oc": { "pin": false,@@ -1227,7 +1227,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "66c153b1c5f03e099b627ce051e5b89a4b010617"+ "revision": "c765e20c1c3eef04af44317ea8ebba476eedb1f0" }, "pa-IN": { "pin": false,@@ -1245,7 +1245,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "ead22e98f8a685dcf178b788444ab49d7f1122c3"+ "revision": "bbfc43db3f0349eff76131142d6621b1d45e21ab" }, "pl": { "pin": false,@@ -1263,7 +1263,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "9d81020a2e0830340f1c2406a3df9a252a0275e4"+ "revision": "f992dad0dacd48b7731cc8f12e8997b50a362a91" }, "pt-BR": { "pin": false,@@ -1281,7 +1281,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": 
"f348ba8ca384b9d8180e96b85ddd53b4c45dfe9a"+ "revision": "e32caade7c8c42a28688f50e935dd6cc2a06f262" }, "pt-PT": { "pin": false,@@ -1299,7 +1299,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "e0910097929ee117291ede6675c6e0add124221b"+ "revision": "53625bcbd4d9093f325d98edc087b5f22453b821" }, "rm": { "pin": false,@@ -1317,7 +1317,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "9b3b102d05b64197026481b91024a1e318f334b3"+ "revision": "91906bb9c17686385dd1f647e1169e7136b77524" }, "ro": { "pin": false,@@ -1353,7 +1353,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "8b12b43a2525b151d4370fa61ffb734152445a18"+ "revision": "17dfd4324012d1f772bd9aa5f1118a85d0d13654" }, "sco": { "pin": false,@@ -1407,7 +1407,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "33c08c2f9769d7d41abb58526e8f4b8ee630b57c"+ "revision": "44b66c9a9eed5d3995c45104db5f4ce1337af79e" }, "sl": { "pin": false,@@ -1425,7 +1425,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "819ea5f8c4e9745892ac8753a6de167faa7b20b3"+ "revision": "b0ac3866c37118f4935171aad5c73ece39f6329e" }, "son": { "pin": false,@@ -1461,7 +1461,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "05efafdd60c5a69d6d75adf8ccb97c5b07aee239"+ "revision": "59c3b12c92b684e02fb1afeb55d6ded8dc482ea4" }, "sr": { "pin": false,@@ -1479,7 +1479,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "e7c7978d2fd74f4e2098253a41b099604b88d61b"+ "revision": "fc2038de2801930ce585dd1817c3de3367523630" }, "sv-SE": { "pin": false,@@ -1497,7 +1497,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "1724795ef994f75dbe7925425e946826ced6bf44"+ "revision": "a4fe5b2d85d36420e7e83efed62183a2cd7f9ffd" }, "szl": { "pin": false,@@ -1569,7 +1569,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "b6c8c65ece954839a983d48aa92a348b84867fa7"+ "revision": "7ee8d9f595474c988f7e73467cc50e2f92616124" }, "tl": { "pin": 
false,@@ -1605,7 +1605,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "43aebafc31b6eeb8b708da5429d81be954136d30"+ "revision": "2a2b9977d4fc880d77fe36fe12e32da230f2cbd6" }, "trs": { "pin": false,@@ -1641,7 +1641,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "3deee0c202358c3bec34a0d3975ef764abf223a4"+ "revision": "df036958b06b84677db002f84930357cc037013c" }, "ur": { "pin": false,@@ -1677,7 +1677,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "1aa8a6ec95bb40acbfd8569d820471d3889675e4"+ "revision": "9bf0718f3dc3c70e34fdf556c3006adde39a1635" }, "vi": { "pin": false,@@ -1695,7 +1695,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "45becdf2b63187cefc51ebb630122a99f6202bd6"+ "revision": "c323741527d8e7727991d79ed2d3dbb6aa3db5d3" }, "xh": { "pin": false,@@ -1731,7 +1731,7 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "bb339fc093bb6c2cbad758d25cdf033c1a0ff6a4"+ "revision": "413aae81fe1c8dabdd9978618d0f741318809f5f" }, "zh-TW": { "pin": false,@@ -1749,6 +1749,6 @@ "win64-aarch64-devedition", "win64-devedition" ],- "revision": "e9584ed8dad7eb1397e7bdffdb863a8f0a95d3cb"+ "revision": "05f141fae4316ba05cb4e5d5716a500e4ca112ad" } }=========testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.miterLimit.worker.js========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.miterLimit.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.miterLimit.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = 
canvas.getContext('2d'); // Test that restore() undoes any modifications var old = ctx.miterLimit;
Based on the provided code diff, I'll analyze it for security fixes:

1. For the l10n-changesets.json file:

Vulnerability Existed: no
This appears to be routine updates to localization revision hashes. No security vulnerability is indicated by these changes.

2. For the canvas worker test file:

Vulnerability Existed: not sure
Potential Variable Naming Issue [testing/web-platform/tests/html/canvas/offscreen/the-canvas-state/2d.state.saverestore.miterLimit.worker.js] [Lines 13-14]

[Old Code]
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```

[Fixed Code]
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```

The change appears to be a variable renaming from `offscreenCanvas` to `canvas`. While this doesn't appear to be a security fix, there's a small possibility it could relate to scope/context issues in worker environments, though I'm not certain.

No clear security vulnerabilities were identified in these changes. The most significant changes were localization hash updates and a minor variable name change in a test file.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/extensions/webcompat/data/injections.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/extensions/webcompat/data/injections.js@@ -137,20 +137,6 @@ }, }, {- id: "bug1570119",- platform: "desktop",- domain: "teamcoco.com",- bug: "1570119",- contentScripts: {- matches: ["*://teamcoco.com/*"],- css: [- {- file: "injections/css/bug1570119-teamcoco.com-scrollbar-width.css",- },- ],- },- },- { id: "bug1570328", platform: "android", domain: "developer.apple.com",@@ -371,6 +357,7 @@ "*://*.live.com/*", "*://*.office.com/*", "*://*.sharepoint.com/*",+ "*://*.office365.com/*", ], js: [ {@@ -431,23 +418,8 @@ }, }, {- id: "bug1714612",- platform: "all",- domain: "www.rfi.it",- bug: "1714612",- contentScripts: {- matches: ["*://www.rfi.it/*"],- js: [- {- file: "injections/js/bug1714612-www.rfi.it-outertext.js",- },- ],- allFrames: true,- },- },- { id: "bug1719870",- platform: "desktop",+ platform: "all", domain: "lcbo.com", bug: "1719870", contentScripts: {@@ -521,20 +493,6 @@ }, }, {- id: "bug1728140",- platform: "android",- domain: "air-quality.com",- bug: "1728140",- contentScripts: {- matches: ["*://air-quality.com/*"],- css: [- {- file: "injections/css/bug1728140-map-size-fix.css",- },- ],- },- },- { id: "bug1738313", platform: "desktop", domain: "curriculum.gov.bc.ca",@@ -578,20 +536,6 @@ }, }, {- id: "bug1743041",- platform: "all",- domain: "lu.ma",- bug: "1743041",- contentScripts: {- matches: ["*://lu.ma/*"],- css: [- {- file: "injections/css/bug1743041-lu.ma-display-fix.css",- },- ],- },- },- { id: "bug1740542", platform: "desktop", domain: "tesla.com",@@ -620,18 +564,60 @@ }, }, {- id: "bug1746883",- platform: "all",- domain: "zoom.us",- bug: "1746883",- contentScripts: {- matches: ["*://*.zoom.us/*"],- js: [- {- file: "injections/js/bug1746883-zoom.us-OffscreenCanvas.js",- },- ],- 
allFrames: true,+ id: "bug1749565",+ platform: "android",+ domain: "bonappetit.com",+ bug: "1749565",+ contentScripts: {+ matches: ["*://*.bonappetit.com/recipe/*"],+ css: [+ {+ file: "injections/css/bug1749565-bonappetit.com-grid-width-fix.css",+ },+ ],+ },+ },+ {+ id: "bug1751022",+ platform: "android",+ domain: "chotot.com",+ bug: "1751022",+ contentScripts: {+ matches: ["*://*.chotot.com/*"],+ css: [+ {+ file: "injections/css/bug1751022-chotot.com-image-width-fix.css",+ },+ ],+ },+ },+ {+ id: "bug1751065",+ platform: "android",+ domain: "chanel.com",+ bug: "1751065",+ contentScripts: {+ matches: ["*://*.chanel.com/*"],+ js: [+ {+ file: "injections/js/bug1751065-chanel.com-effectiveType-shim.js",+ },+ ],+ },+ },+ {+ id: "bug1748455",+ platform: "android",+ domain: "reddit.com",+ bug: "1748455",+ contentScripts: {+ matches: ["*://*.reddit.com/*"],+ css: [+ {+ file:+ "injections/css/bug1748455-reddit.com-gallery-image-width-fix.css",+ },+ ], }, }, ];
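Review bot: The `matches` patterns on the new Android entries in the last hunk are broader than the fixes they carry: `bug1751065` injects `injections/js/bug1751065-chanel.com-effectiveType-shim.js` into every `*://*.chanel.com/*` page and `bug1748455` applies its gallery CSS to all of `*://*.reddit.com/*`, while `bug1749565` in the same hunk is scoped to `/recipe/*`. Scope each pattern to the affected paths where the site allows it, since every match is another page that receives injected content.

Review bot: Two one-line changes widen existing interventions with no rationale visible in the diff: `"*://*.office365.com/*"` is appended to a `matches` list whose `js` injection then runs on a new set of origins, and `bug1719870` moves from `platform: "desktop"` to `platform: "all"`. Reference the bug that motivates each change so the broader reach can be checked against it.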
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
[Removal of TeamCoco.com injection] [browser/extensions/webcompat/data/injections.js] [Lines 137-150]
[Old Code]
```javascript
{
  id: "bug1570119",
  platform: "desktop",
  domain: "teamcoco.com",
  bug: "1570119",
  contentScripts: {
    matches: ["*://teamcoco.com/*"],
    css: [
      {
        file: "injections/css/bug1570119-teamcoco.com-scrollbar-width.css",
      },
    ],
  },
},
```
[Fixed Code]
[Removed entirely]

2. Vulnerability Existed: not sure
[Removal of www.rfi.it injection] [browser/extensions/webcompat/data/injections.js] [Lines 431-443]
[Old Code]
```javascript
{
  id: "bug1714612",
  platform: "all",
  domain: "www.rfi.it",
  bug: "1714612",
  contentScripts: {
    matches: ["*://www.rfi.it/*"],
    js: [
      {
        file: "injections/js/bug1714612-www.rfi.it-outertext.js",
      },
    ],
    allFrames: true,
  },
},
```
[Fixed Code]
[Removed entirely]

3. Vulnerability Existed: not sure
[Removal of air-quality.com injection] [browser/extensions/webcompat/data/injections.js] [Lines 521-531]
[Old Code]
```javascript
{
  id: "bug1728140",
  platform: "android",
  domain: "air-quality.com",
  bug: "1728140",
  contentScripts: {
    matches: ["*://air-quality.com/*"],
    css: [
      {
        file: "injections/css/bug1728140-map-size-fix.css",
      },
    ],
  },
},
```
[Fixed Code]
[Removed entirely]

4. Vulnerability Existed: not sure
[Removal of lu.ma injection] [browser/extensions/webcompat/data/injections.js] [Lines 578-588]
[Old Code]
```javascript
{
  id: "bug1743041",
  platform: "all",
  domain: "lu.ma",
  bug: "1743041",
  contentScripts: {
    matches: ["*://lu.ma/*"],
    css: [
      {
        file: "injections/css/bug1743041-lu.ma-display-fix.css",
      },
    ],
  },
},
```
[Fixed Code]
[Removed entirely]

5. Vulnerability Existed: not sure
[Removal of zoom.us injection] [browser/extensions/webcompat/data/injections.js] [Lines 620-631]
[Old Code]
```javascript
{
  id: "bug1746883",
  platform: "all",
  domain: "zoom.us",
  bug: "1746883",
  contentScripts: {
    matches: ["*://*.zoom.us/*"],
    js: [
      {
        file: "injections/js/bug1746883-zoom.us-OffscreenCanvas.js",
      },
    ],
    allFrames: true,
  },
},
```
[Fixed Code]
[Removed entirely]

Note: While multiple injections were removed, the diff doesn't provide enough context to determine if these removals were due to security fixes or simply because the web compatibility issues were resolved. The additions (like the office365.com domain) appear to be feature additions rather than security fixes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/mobile/android/geckoview/src/main/java/org/mozilla/gecko/gfx/SurfaceAllocator.java+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/mobile/android/geckoview/src/main/java/org/mozilla/gecko/gfx/SurfaceAllocator.java@@ -5,122 +5,135 @@ package org.mozilla.gecko.gfx;-import android.content.ComponentName;-import android.content.Context;-import android.content.Intent;-import android.content.ServiceConnection; import android.os.IBinder; import android.os.RemoteException; import android.util.Log;+import android.util.SparseArray; import org.mozilla.gecko.GeckoAppShell; import org.mozilla.gecko.annotation.WrapForJNI;+import org.mozilla.gecko.process.GeckoProcessManager;+import org.mozilla.gecko.process.GeckoServiceChildProcess; /* package */ final class SurfaceAllocator { private static final String LOGTAG = "SurfaceAllocator";- private static SurfaceAllocatorConnection sConnection;+ private static ISurfaceAllocator sAllocator;- private static synchronized void ensureConnection() throws Exception {- if (sConnection != null) {+ // Keep a reference to all allocated Surfaces, so that we can release them if we lose the+ // connection to the allocator service.+ private static final SparseArray<GeckoSurface> sSurfaces = new SparseArray<GeckoSurface>();++ private static synchronized void ensureConnection() {+ if (sAllocator != null) { return; }- sConnection = new SurfaceAllocatorConnection();- final Intent intent = new Intent();- intent.setClassName(- GeckoAppShell.getApplicationContext(), "org.mozilla.gecko.gfx.SurfaceAllocatorService");+ try {+ if (GeckoAppShell.isParentProcess()) {+ sAllocator = GeckoProcessManager.getInstance().getSurfaceAllocator();+ } else {+ sAllocator = GeckoServiceChildProcess.getSurfaceAllocator();+ }- // FIXME: may not want to auto create- if (!GeckoAppShell.getApplicationContext()- 
.bindService(intent, sConnection, Context.BIND_AUTO_CREATE)) {- throw new Exception("Failed to connect to surface allocator service!");+ if (sAllocator == null) {+ Log.w(LOGTAG, "Failed to connect to RemoteSurfaceAllocator");+ return;+ }+ sAllocator+ .asBinder()+ .linkToDeath(+ new IBinder.DeathRecipient() {+ @Override+ public void binderDied() {+ Log.w(LOGTAG, "RemoteSurfaceAllocator died");+ synchronized (SurfaceAllocator.class) {+ // Our connection to the remote allocator has died, so all our surfaces are+ // invalid. Release them all now. When their owners attempt to render in to+ // them they can detect they have been released and allocate new ones instead.+ for (int i = 0; i < sSurfaces.size(); i++) {+ sSurfaces.valueAt(i).release();+ }+ sSurfaces.clear();+ sAllocator = null;+ }+ }+ },+ 0);+ } catch (final RemoteException e) {+ Log.w(LOGTAG, "Failed to connect to RemoteSurfaceAllocator", e);+ sAllocator = null; } } @WrapForJNI- public static GeckoSurface acquireSurface(+ public static synchronized GeckoSurface acquireSurface( final int width, final int height, final boolean singleBufferMode) { try { ensureConnection();+ if (sAllocator == null) {+ Log.w(LOGTAG, "Failed to acquire GeckoSurface: not connected");+ return null;+ }+ if (singleBufferMode && !GeckoSurfaceTexture.isSingleBufferSupported()) { return null; }- final ISurfaceAllocator allocator = sConnection.getAllocator();- final GeckoSurface surface = allocator.acquireSurface(width, height, singleBufferMode);- if (surface != null && !surface.inProcess()) {- allocator.configureSync(surface.initSyncSurface(width, height));++ final GeckoSurface surface = sAllocator.acquireSurface(width, height, singleBufferMode);+ if (surface == null) {+ Log.w(LOGTAG, "Failed to acquire GeckoSurface: RemoteSurfaceAllocator returned null");+ return null;+ }+ sSurfaces.put(surface.getHandle(), surface);++ if (!surface.inProcess()) {+ sAllocator.configureSync(surface.initSyncSurface(width, height)); } return surface;- } catch 
(final Exception e) {+ } catch (final RemoteException e) { Log.w(LOGTAG, "Failed to acquire GeckoSurface", e); return null; } } @WrapForJNI- public static void disposeSurface(final GeckoSurface surface) {- try {- ensureConnection();- } catch (final Exception e) {- Log.w(LOGTAG, "Failed to dispose surface, no connection");+ public static synchronized void disposeSurface(final GeckoSurface surface) {+ // If the surface has already been released (probably due to losing connection to the remote+ // allocator) then there is nothing to do here.+ if (surface.isReleased()) { return; }- // Release the SurfaceTexture on the other side+ sSurfaces.remove(surface.getHandle());++ // Release our Surface+ surface.release();++ if (sAllocator == null) {+ return;+ }++ // Release the SurfaceTexture on the other side. If we have lost connection then do nothing, as+ // there is nothing on the other side to release. try {- sConnection.getAllocator().releaseSurface(surface.getHandle());+ if (sAllocator != null) {+ sAllocator.releaseSurface(surface.getHandle());+ } } catch (final RemoteException e) { Log.w(LOGTAG, "Failed to release surface texture", e); }-- // And now our Surface- try {- surface.release();- } catch (final Exception e) {- Log.w(LOGTAG, "Failed to release surface", e);- } }- public static void sync(final int upstream) {+ public static synchronized void sync(final int upstream) {+ // Sync from the SurfaceTexture on the other side. If we have lost connection then do nothing,+ // as there is nothing on the other side to sync from. 
try {- ensureConnection();- } catch (final Exception e) {- Log.w(LOGTAG, "Failed to sync texture, no connection");- return;- }-- // Release the SurfaceTexture on the other side- try {- sConnection.getAllocator().sync(upstream);+ if (sAllocator != null) {+ sAllocator.sync(upstream);+ } } catch (final RemoteException e) { Log.w(LOGTAG, "Failed to sync texture", e); } }-- private static final class SurfaceAllocatorConnection implements ServiceConnection {- private ISurfaceAllocator mAllocator;-- public synchronized ISurfaceAllocator getAllocator() {- while (mAllocator == null) {- try {- this.wait();- } catch (final InterruptedException e) {- }- }-- return mAllocator;- }-- @Override- public synchronized void onServiceConnected(final ComponentName name, final IBinder service) {- mAllocator = ISurfaceAllocator.Stub.asInterface(service);- this.notifyAll();- }-- @Override- public synchronized void onServiceDisconnected(final ComponentName name) {- mAllocator = null;- }- } }
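Review bot: In `disposeSurface`, the `if (sAllocator != null)` inside the final `try` can never be false: the method is `synchronized` on the same `SurfaceAllocator.class` monitor that `binderDied()` takes before it clears `sAllocator`, and the `if (sAllocator == null) { return; }` just above has already handled the disconnected case. Drop one of the two checks. The method also calls `surface.isReleased()` on its argument unguarded, while `acquireSurface` returns `null` on several paths (not connected, allocator returned null, `RemoteException`); add a null check or document the parameter as non-null.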
Here's the analysis of the code diff for security fixes:

1. Vulnerability Existed: yes
Resource Leak Vulnerability [File] [Lines 5-122 -> 5-135]
[Old Code] The old implementation didn't properly handle surface cleanup when the connection to the allocator service was lost. Surfaces could remain allocated even after the service connection died.
[Fixed Code] The new implementation adds a SparseArray to track all allocated surfaces and implements a DeathRecipient to clean up all surfaces when the connection dies. It also makes surface operations synchronized to prevent race conditions.

2. Vulnerability Existed: yes
Race Condition Vulnerability [File] [Throughout file]
[Old Code] The old code had potential race conditions as methods weren't synchronized and the connection handling wasn't thread-safe.
[Fixed Code] The new implementation makes key methods (acquireSurface, disposeSurface, sync) synchronized and improves thread safety through better connection management.

3. Vulnerability Existed: yes
Null Pointer Dereference Vulnerability [File] [Lines 71-73, 107-109]
[Old Code] The old code could potentially dereference null if the connection failed but the code continued execution.
[Fixed Code] The new implementation adds null checks for sAllocator before using it and better error handling.

4. Vulnerability Existed: not sure
Potential Memory Leak [File] [Lines 107-109]
[Old Code] The old implementation might leak surfaces if disposeSurface was called after connection loss.
[Fixed Code] The new implementation checks surface.isReleased() and handles connection loss cases better, but it's unclear if all edge cases are covered.

The main improvements focus on better resource management, thread safety, and error handling when dealing with remote surface allocation. The addition of the DeathRecipient mechanism and surface tracking significantly improves the robustness of the implementation.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/service-workers/service-worker/resources/fetch-event-handled-worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/service-workers/service-worker/resources/fetch-event-handled-worker.js@@ -1,25 +1,19 @@ // This worker reports back the final state of FetchEvent.handled (RESOLVED or // REJECTED) to the test.-// Send a message to the client with the client id.-function send_message_to_client(message, clientId) {- clients.get(clientId).then((client) => {- client.postMessage(message);- });-}+self.addEventListener('message', function(event) {+ self.port = event.data.port;+}); self.addEventListener('fetch', function(event) {- const clientId = (event.request.mode === 'navigate') ?- event.resultingClientId : event.clientId;- try { event.handled.then(() => {- send_message_to_client('RESOLVED', clientId);+ self.port.postMessage('RESOLVED'); }, () => {- send_message_to_client('REJECTED', clientId);+ self.port.postMessage('REJECTED'); }); } catch (e) {- send_message_to_client('FAILED', clientId);+ self.port.postMessage('FAILED'); return; }
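Review bot: `self.port` is assigned only in the new `message` listener, yet all three `self.port.postMessage(...)` calls in the `fetch` listener assume it is already set. If a fetch is dispatched before the port message arrives, the calls throw on `undefined`; the two inside the `event.handled.then(...)` callbacks run asynchronously, so the surrounding `try` does not catch them, and the `catch` branch itself posts through the same unset port. Guard on `self.port` or have the test wait for an acknowledgement of the port transfer before it triggers the fetch, so a missing port fails loudly instead of timing out.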
Here's the analysis following the requested format:

1. Vulnerability Existed: not sure
[Potential Information Leak] [testing/web-platform/tests/service-workers/service-worker/resources/fetch-event-handled-worker.js] [Lines modified in entire diff]
[Old Code: Used clients.get(clientId) to send messages back to specific clients]
[Fixed Code: Uses self.port.postMessage() for communication]

Additional Details:
- The change appears to modify how the service worker communicates with clients, switching from client-specific messaging (using clientId) to a more direct port-based communication
- While not clearly a security vulnerability, the old approach could potentially leak information about client IDs if not properly secured
- The new version using MessagePort (self.port) might be more secure as it establishes a direct communication channel
- Without more context about the overall system, it's hard to determine if this was an actual security fix or just an architectural improvement

Note: The diff shows a significant change in how messages are communicated between the service worker and clients, but no clear, standard vulnerability name applies here. The change appears to be more about improving the reliability of message passing rather than fixing a specific security flaw.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/taskcluster/gecko_taskgraph/actions/registry.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/taskcluster/gecko_taskgraph/actions/registry.py@@ -9,13 +9,13 @@ from collections import namedtuple from mozbuild.util import memoize+from taskgraph.parameters import Parameters from taskgraph.util import yaml from gecko_taskgraph import create from gecko_taskgraph.config import load_graph_config from gecko_taskgraph.util import taskcluster, hash from gecko_taskgraph.util.python_path import import_sibling_modules-from gecko_taskgraph.parameters import Parameters actions = []@@ -69,7 +69,7 @@ parameters as follows: ``parameters``:- Decision task parameters, see ``gecko_taskgraph.parameters.Parameters``.+ Decision task parameters, see ``taskgraph.parameters.Parameters``. ``input``: Input matching specified JSON schema, ``None`` if no ``schema`` parameter is given to ``register_callback_action``.@@ -274,7 +274,7 @@ Parameters ----------- parameters : gecko_taskgraph.parameters.Parameters+ parameters : taskgraph.parameters.Parameters Decision task parameters. Returns
Based on the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily import reorganization and documentation updates. Here's the analysis:

1. Vulnerability Existed: no
[No vulnerability found] [taskcluster/gecko_taskgraph/actions/registry.py] [Lines 9-13, 69, 274]
[Old Code: Various imports and references to gecko_taskgraph.parameters.Parameters]
[Fixed Code: Changed to use taskgraph.parameters.Parameters]

The changes consist of:
1. Moving the Parameters import from gecko_taskgraph.parameters to taskgraph.parameters
2. Updating documentation references to point to taskgraph.parameters.Parameters instead of gecko_taskgraph.parameters.Parameters

These appear to be refactoring changes rather than security fixes. The functionality remains the same, just the import location and documentation references were updated to reflect a more canonical path.

No actual security vulnerabilities were identified in this diff. The changes seem to be part of code organization/cleanup rather than addressing any security issues.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/glean/docs/user/new_definitions_file.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/glean/docs/user/new_definitions_file.md@@ -81,7 +81,7 @@ * `expired` - For marking a metric as manually expired. Not usually used, but sometimes helpful for internal tests. * `never` - For marking a metric as part of a permanent data collection.- Metrics marked with `never` must have [instrumentation tests](testing.md).+ Metrics marked with `never` must have [instrumentation tests](../dev/testing.md). For more information on what expiry means and the `metrics.yaml` format, see
Based on the provided diff, this appears to be a documentation update rather than a security fix. Here's the analysis following your requested format:

Vulnerability Existed: no
Documentation Link Correction [File] [Lines 81]
[Old Code] Metrics marked with `never` must have [instrumentation tests](testing.md).
[Fixed Code] Metrics marked with `never` must have [instrumentation tests](../dev/testing.md).

Additional Details:
- This is simply correcting a relative path in documentation
- No security vulnerability was addressed
- The change improves documentation accuracy but doesn't relate to any security issue
- The file is a markdown documentation file (new_definitions_file.md)
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/libc/src/unix/bsd/freebsdlike/freebsd/freebsd12/mod.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/libc/src/unix/bsd/freebsdlike/freebsd/freebsd12/mod.rs@@ -478,7 +478,8 @@ cfg_if! { if #[cfg(any(target_arch = "x86_64",- target_arch = "aarch64"))] {+ target_arch = "aarch64",+ target_arch = "riscv64"))] { mod b64; pub use self::b64::*; }
Based on the provided diff, I'll analyze it for potential security vulnerabilities:

Vulnerability Existed: no
[Architecture Support Update] [third_party/rust/libc/src/unix/bsd/freebsdlike/freebsd/freebsd12/mod.rs] [Lines 478-481]
[Old Code]
```rust
if #[cfg(any(target_arch = "x86_64", target_arch = "aarch64"))] {
```
[Fixed Code]
```rust
if #[cfg(any(target_arch = "x86_64", target_arch = "aarch64", target_arch = "riscv64"))] {
```

This change appears to be adding support for the RISC-V 64-bit architecture (riscv64) to the conditional compilation. There's no indication of a security vulnerability being fixed here - it's simply extending platform support. The modification follows the same pattern as the existing architecture checks and doesn't involve any security-sensitive operations or data handling.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.attributes.shadowBlur.invalid.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.attributes.shadowBlur.invalid.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.shadowBlur = 1; ctx.shadowBlur = -2;
Analysis of the provided code diff:

1. Vulnerability Existed: no
No specific vulnerability found [File] [Lines 17-18]
Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```
Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```

Additional Details:
- The change appears to be a simple variable renaming from `offscreenCanvas` to `canvas`
- No security implications are evident in this change
- The modification seems to be for consistency or readability rather than security
- The test continues to check the same shadowBlur functionality with invalid values (-2)
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit-test/tests/wasm/simd/splat-x64-ion-codegen.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit-test/tests/wasm/simd/splat-x64-ion-codegen.js@@ -7,7 +7,7 @@ codegenTestX64_PTYPE_v128( [['f32x4.splat', 'f32', `0f c6 c0 00 shufps \\$0x00, %xmm0, %xmm0`],- ['f64x2.splat', 'f64', `66 0f c6 c0 00 shufpd \\$0x00, %xmm0, %xmm0`]] );+ ['f64x2.splat', 'f64', `f2 0f 12 c0 movddup %xmm0, %xmm0`]] , {log:true}); // Skip these on Win64 because the ABI differs and there's a different parameter // register, this changes not just the name slightly but the binary encoding in
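Review bot: The `{log:true}` argument added to the `codegenTestX64_PTYPE_v128(...)` call is unrelated to the expected-encoding change on the same line and reads like leftover debugging; the spacing in `]] , {log:true});` points the same way. Drop it, or say in a comment why this one test needs logging enabled. The switch of the expected bytes from `66 0f c6 c0 00` (`shufpd`) to `f2 0f 12 c0` (`movddup`) is the part that belongs in this hunk.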
Based on the provided diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: not sure
Instruction Change Optimization [File] [Lines 7-8]
[Old Code]
```javascript
['f64x2.splat', 'f64', `66 0f c6 c0 00 shufpd \\$0x00, %xmm0, %xmm0`]] );
```
[Fixed Code]
```javascript
['f64x2.splat', 'f64', `f2 0f 12 c0 movddup %xmm0, %xmm0`]] , {log:true});
```

Additional Details:
- The change appears to be an optimization from using `shufpd` to `movddup` instruction for the f64x2.splat operation
- While this could potentially affect performance or correctness, I don't see clear evidence of a security vulnerability
- The change might be related to better instruction selection for SIMD operations
- The addition of `{log:true}` suggests this might be part of test instrumentation rather than a security fix

No clear vulnerability name is apparent from this change, and it appears to be more of an optimization or test improvement rather than a security fix.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/extensions/test/xpcshell/test_ext_persistent_events.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/extensions/test/xpcshell/test_ext_persistent_events.js@@ -72,11 +72,8 @@ eventtest: { onEvent1: new EventManager({ context,- name: "test.event1",- persistent: {- module: "eventtest",- event: "onEvent1",- },+ module: "eventtest",+ event: "onEvent1", register: (fire, ...params) => { let data = { event: "onEvent1", params }; Services.obs.notifyObservers(data, "register-event-listener");@@ -88,11 +85,8 @@ onEvent2: new EventManager({ context,- name: "test.event1",- persistent: {- module: "eventtest",- event: "onEvent2",- },+ module: "eventtest",+ event: "onEvent2", register: (fire, ...params) => { let data = { event: "onEvent2", params }; Services.obs.notifyObservers(data, "register-event-listener");@@ -113,6 +107,7 @@ schema: `data:,${JSON.stringify(SCHEMA)}`, scopes: ["addon_parent"], paths: [["eventtest"]],+ startupBlocking: true, url: URL.createObjectURL(new Blob([API_SCRIPT])), }, };@@ -153,6 +148,15 @@ return results; }+function trackEvents(wrapper) {+ let events = new Map();+ for (let event of ["background-script-event", "start-background-script"]) {+ events.set(event, false);+ wrapper.extension.once(event, () => events.set(event, true));+ }+ return events;+}+ add_task(async function setup() { Services.prefs.setBoolPref( "extensions.webextensions.background-delayed-startup",@@ -526,3 +530,159 @@ await AddonTestUtils.promiseShutdownManager(); });++// This test checks whether primed listeners are correctly primed to+// restart the background once the background has been shutdown or+// put to sleep.+add_task(async function test_background_restarted() {+ await AddonTestUtils.promiseStartupManager();+ // ensure normal delayed startup notification had already happened 
at some point+ Services.obs.notifyObservers(null, "browser-delayed-startup-finished");++ let extension = ExtensionTestUtils.loadExtension({+ useAddonManager: "permanent",+ background() {+ let listener = arg => browser.test.sendMessage("triggered", arg);+ browser.eventtest.onEvent1.addListener(listener, "triggered");+ browser.test.sendMessage("bg_started");+ },+ });+ await Promise.all([+ promiseObservable("register-event-listener", 1),+ extension.startup(),+ ]);+ await extension.awaitMessage("bg_started");+ assertPersistentListeners(extension, "eventtest", "onEvent1", {+ primed: false,+ });++ // Shutdown the background page+ await Promise.all([+ promiseObservable("unregister-event-listener", 1),+ extension.terminateBackground(),+ ]);+ // When sleeping the background, its events should become persisted+ assertPersistentListeners(extension, "eventtest", "onEvent1", {+ primed: true,+ });++ info("Triggering persistent event to force the background page to start");+ Services.obs.notifyObservers({ listenerArgs: 123 }, "fire-onEvent1");+ await extension.awaitMessage("bg_started");+ equal(await extension.awaitMessage("triggered"), 123, "triggered event");++ await extension.unload();+ await AddonTestUtils.promiseShutdownManager();+});++// This test checks whether primed listeners are correctly primed to+// restart the background once the background has been shutdown or+// put to sleep.+add_task(+ { prefs_set: [["extensions.eventPages.enabled", true]] },+ async function test_eventpage_startup() {+ await AddonTestUtils.promiseStartupManager();+ // ensure normal delayed startup notification had already happened at some point+ Services.obs.notifyObservers(null, "browser-delayed-startup-finished");++ let extension = ExtensionTestUtils.loadExtension({+ useAddonManager: "permanent",+ manifest: {+ applications: { gecko: { id: "eventpage@test" } },+ background: { persistent: false },+ },+ background() {+ let listener = arg => browser.test.sendMessage("triggered", arg);+ 
browser.eventtest.onEvent1.addListener(listener, "triggered");+ browser.test.onMessage.addListener(() => {+ let listener = arg => browser.test.sendMessage("triggered2", arg);+ browser.eventtest.onEvent2.addListener(listener, "triggered2");+ browser.test.sendMessage("async-registered-listener");+ });+ browser.test.sendMessage("bg_started");+ },+ });+ await Promise.all([+ promiseObservable("register-event-listener", 1),+ extension.startup(),+ ]);+ await extension.awaitMessage("bg_started");+ extension.sendMessage("async-register-listener");+ await extension.awaitMessage("async-registered-listener");++ async function testAfterRestart() {+ assertPersistentListeners(extension, "eventtest", "onEvent1", {+ primed: true,+ });+ // async registration should not be primed or persisted+ assertPersistentListeners(extension, "eventtest", "onEvent2", {+ primed: false,+ persisted: false,+ });++ let events = trackEvents(extension);+ ok(+ !events.get("background-script-event"),+ "Should not have received a background script event"+ );+ ok(+ !events.get("start-background-script"),+ "Background script should not be started"+ );++ info("Triggering persistent event to force the background page to start");+ let converted = promiseObservable("convert-event-listener", 1);+ Services.obs.notifyObservers({ listenerArgs: 123 }, "fire-onEvent1");+ await extension.awaitMessage("bg_started");+ await converted;+ equal(await extension.awaitMessage("triggered"), 123, "triggered event");+ ok(+ events.get("background-script-event"),+ "Should have received a background script event"+ );+ ok(+ events.get("start-background-script"),+ "Background script should be started"+ );+ }++ // Shutdown the background page+ await Promise.all([+ promiseObservable("unregister-event-listener", 2),+ new Promise(resolve => extension.extension.once("shutdown", resolve)),+ AddonTestUtils.promiseShutdownManager(),+ ]);+ await AddonTestUtils.promiseStartupManager();+ await extension.awaitStartup();+ await 
testAfterRestart();++ extension.sendMessage("async-register-listener");+ await extension.awaitMessage("async-registered-listener");++ // We sleep twice to ensure startup and shutdown work correctly+ info("test event listener registration during termination");+ let registrationEvents = Promise.all([+ promiseObservable("unregister-event-listener", 1),+ promiseObservable("unregister-primed-listener", 1),+ promiseObservable("prime-event-listener", 1),+ ]);+ await extension.terminateBackground();+ await registrationEvents;++ // Ensure onEvent2 does not fire, testAfterRestart will fail otherwise.+ Services.obs.notifyObservers({ listenerArgs: 123 }, "fire-onEvent2");+ await testAfterRestart();++ registrationEvents = Promise.all([+ promiseObservable("unregister-primed-listener", 1),+ promiseObservable("prime-event-listener", 1),+ ]);+ await extension.terminateBackground();+ await registrationEvents;+ await testAfterRestart();++ await extension.unload();+ await AddonTestUtils.promiseShutdownManager();+ Services.prefs.setBoolPref("extensions.eventPages.enabled", false);+ }+);
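Review bot: The comment above `test_eventpage_startup` in the last hunk is a verbatim copy of the one above `test_background_restarted`, so it does not say what the event-page variant adds: `onEvent1` staying primed across an AddonManager restart, and the asynchronously registered `onEvent2` listener staying unprimed and unpersisted. Reword it to describe that. The closing `Services.prefs.setBoolPref("extensions.eventPages.enabled", false)` also resets by hand a pref the task already declares through `prefs_set`, hard-codes `false` as the restored value, and is skipped if any earlier `await` rejects; move the reset into a registered cleanup or rely on the task option alone.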
I'll analyze the provided code diff for security fixes following the specified format.

Vulnerability Existed: not sure
[Potential Event Listener Handling Issue] [toolkit/components/extensions/test/xpcshell/test_ext_persistent_events.js] [Lines 72-88]
[Old Code]
name: "test.event1",
persistent: {
  module: "eventtest",
  event: "onEvent1",
},
[Fixed Code]
module: "eventtest",
event: "onEvent1",

Additional Details:
- The change simplifies the event listener registration structure by removing the nested `persistent` object
- The vulnerability impact is unclear as this appears to be test code
- The change might relate to more consistent event handling, but without more context about the actual implementation, it's hard to determine if this fixed a security issue

Vulnerability Existed: not sure
[Potential Background Script Control Issue] [toolkit/components/extensions/test/xpcshell/test_ext_persistent_events.js] [Lines 113-116]
[Old Code]
paths: [["eventtest"]],
url: URL.createObjectURL(new Blob([API_SCRIPT])),
[Fixed Code]
paths: [["eventtest"]],
startupBlocking: true,
url: URL.createObjectURL(new Blob([API_SCRIPT])),

Additional Details:
- The addition of `startupBlocking: true` suggests better control over extension startup timing
- This could potentially prevent race conditions during extension initialization
- Without more context about the extension system's behavior, it's unclear if this fixed a specific security vulnerability

Note: Since this is test code, many of these changes might be test-related improvements rather than direct security fixes. The actual security implications would depend on how these patterns are used in the production code.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/svg/SVGTextFrame.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/svg/SVGTextFrame.h@@ -179,6 +179,7 @@ using DrawTarget = gfx::DrawTarget; using Path = gfx::Path; using Point = gfx::Point;+ using Rect = gfx::Rect; protected: explicit SVGTextFrame(ComputedStyle* aStyle, nsPresContext* aPresContext)@@ -330,6 +331,14 @@ gfxRect TransformFrameRectFromTextChild(const nsRect& aRect, const nsIFrame* aChildFrame);+ /** As above, but taking and returning a device px rect. */+ Rect TransformFrameRectFromTextChild(const Rect& aRect,+ const nsIFrame* aChildFrame);++ /** As above, but with a single point */+ Point TransformFramePointFromTextChild(const Point& aPoint,+ const nsIFrame* aChildFrame);+ // Return our ::-moz-svg-text anonymous box. void AppendDirectlyOwnedAnonBoxes(nsTArray<OwnedAnonBox>& aResult) override;
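Review bot: In the second hunk, the new Rect overload of TransformFrameRectFromTextChild is distinguished from the existing declaration (const nsRect& in, gfxRect out) only by its parameter type, and its documentation is "As above, but taking and returning a device px rect", which leaves the reader to work out the units of the original from a comment that is not part of this change. Spell out the input and output units in each of the two new comments rather than relying on "As above", or give the device-pixel variant a distinct name so a call site shows which conversion it is getting. The comment on TransformFramePointFromTextChild says nothing about units at all and should state them as well.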
Based on the provided diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: not sure
[Potential Missing Type Definition] [layout/svg/SVGTextFrame.h] [Lines 179-179]
[Old Code: No Rect type defined]
[Fixed Code: Added 'using Rect = gfx::Rect;']

2. Vulnerability Existed: not sure
[Potential Missing Transformation Functions] [layout/svg/SVGTextFrame.h] [Lines 330-337]
[Old Code: Only had gfxRect version of TransformFrameRectFromTextChild]
[Fixed Code: Added Rect and Point versions of transformation functions]

Additional Details:
- The changes appear to be adding type definitions and new transformation methods, which could be related to security hardening by providing more precise coordinate transformations.
- Without more context about how these functions are used, it's difficult to determine if these changes fix specific vulnerabilities.
- The additions could potentially prevent issues like coordinate miscalculations or type mismatches that might lead to security problems, but there's no clear evidence of a specific vulnerability being fixed.

No clear vulnerability names can be assigned as these appear to be general improvements rather than fixes for specific known vulnerabilities.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arcTo.negative.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arcTo.negative.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); assert_throws_dom("INDEX_SIZE_ERR", function() { ctx.arcTo(0, 0, 0, 0, -1); }); t.done();
Based on the provided code diff, here's the analysis:

Vulnerability Existed: no
[No specific vulnerability] [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arcTo.negative.html] [Lines 17-18]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');

The changes appear to be purely cosmetic/refactoring, renaming a variable from `offscreenCanvas` to `canvas`. There's no indication of any security vulnerability being fixed in this change. The test's purpose (testing negative radius in arcTo) remains unchanged, and the change doesn't affect any security-related functionality.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/reader/test/browser_readerMode_with_anchor.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/reader/test/browser_readerMode_with_anchor.js@@ -24,6 +24,10 @@ let foo = content.document.getElementById("foo"); ok(foo, "foo element should be in document"); let { scrollTop } = content.document.documentElement;+ if (scrollTop == 0) {+ await ContentTaskUtils.waitForEvent(content.document, "scroll");+ ({ scrollTop } = content.document.documentElement);+ } let { offsetTop } = foo; Assert.lessOrEqual( Math.abs(scrollTop - offsetTop),@@ -43,9 +47,14 @@ browser, "AboutReaderContentReady" );+ let pageLoadedPromise = BrowserTestUtils.waitForContentEvent(+ browser,+ "load",+ true+ ); let readerButton = document.getElementById("reader-mode-button"); readerButton.click();- await pageShownPromise;+ await Promise.all([pageShownPromise, pageLoadedPromise]); await SpecialPowers.spawn(gBrowser.selectedBrowser, [], async () => { Assert.equal( content.document.documentElement.scrollTop,@@ -53,11 +62,17 @@ "scrollTop should be 0" ); });+ let scrollEventPromise = BrowserTestUtils.waitForContentEvent(+ browser,+ "scroll",+ true+ ); await BrowserTestUtils.synthesizeMouseAtCenter( "#foo-anchor", {}, browser );+ await scrollEventPromise; await SpecialPowers.spawn(browser, [], async function() { let foo = content.document.getElementById("foo"); ok(foo, "foo element should be in document");
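Review bot: In the first hunk, scrollTop == 0 is used as the signal that the anchor scroll has not happened yet, and the code then waits for exactly one scroll event before re-reading scrollTop. If the scroll is delivered in more than one step, the value read after the first event can still be short of offsetTop, so the Assert.lessOrEqual on Math.abs(scrollTop - offsetTop) stays intermittent, and a scrollTop that is non-zero but not yet final skips the wait altogether. Polling with ContentTaskUtils.waitForCondition on the same distance check would cover both cases. The third hunk gets the ordering right by creating scrollEventPromise before synthesizeMouseAtCenter; the first hunk cannot do that, because its listener is attached only after scrollTop has been read.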
Analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be test reliability improvements rather than security fixes. Here's my analysis:

1. Vulnerability Existed: no
No security vulnerability [toolkit/components/reader/test/browser_readerMode_with_anchor.js] [Lines 24-28]
Old Code: No check for scrollTop == 0
Fixed Code: Added check for scrollTop == 0 and wait for scroll event

2. Vulnerability Existed: no
No security vulnerability [toolkit/components/reader/test/browser_readerMode_with_anchor.js] [Lines 43-53]
Old Code: Only waiting for pageShownPromise
Fixed Code: Added pageLoadedPromise and using Promise.all

3. Vulnerability Existed: no
No security vulnerability [toolkit/components/reader/test/browser_readerMode_with_anchor.js] [Lines 62-72]
Old Code: No scroll event waiting
Fixed Code: Added scrollEventPromise before mouse synthesis

The changes are focused on making the tests more reliable by:
1. Adding proper waiting for scroll events
2. Ensuring both page shown and loaded events are handled
3. Adding proper synchronization before checking element positions

These are test infrastructure improvements rather than security fixes. No vulnerabilities were identified in this diff.